Cisco Prime Infrastructure Classic View
Configuration Guide for Wireless Devices
Software Release 2.0
September 2013
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-27653-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Copyright © 2013 Cisco Systems, Inc.
All rights reserved.
CONTENTS
Preface
Audience
Purpose
Conventions
Related Publications
Obtaining Documentation and Submitting a Service Request
CHAPTER
1
Cisco Prime Infrastructure Overview
Cisco Unified Network Components 1-2
Cisco Wireless LAN Controller 1-2
Virtual LAN Controllers 1-3
Features Not Supported by Virtual LAN Controllers
Access Points 1-3
Embedded Access Points 1-3
Access Point Communication Protocols 1-5
Guidelines and Restrictions for Using CAPWAP
WLAN Controller Autodiscovery 1-6
The Controller Discovery Process 1-6
Prime Infrastructure Services 1-7
Cisco Context-Aware Service Solution 1-7
Cisco Identity Service Engine Solution 1-8
Cisco Adaptive Wireless Intrusion Prevention Service
CHAPTER
2
Getting Started 2-11
Menu Bar 2-11
Global Toolbar 2-12
Tools 2-12
Help 2-13
Alarm Summary 2-13
CHAPTER
3
Configuring Security Solutions
Cisco Unified Wireless Network Solution Security
Layer 1 Solutions 3-16
Layer 2 Solutions 3-16
Layer 3 Solutions 3-16
Single Point of Configuration Policy Manager Solutions 3-16
Rogue Access Point Solutions 3-17
Rogue Access Point Challenges 3-17
Tagging and Containing Rogue Access Points 3-17
Securing Your Network Against Rogue Access Points 3-17
Interpreting the Security Dashboard 3-18
Security Index 3-18
Malicious Rogue Access Points 3-19
Adhoc Rogues 3-20
CleanAir Security 3-20
Unclassified Rogue Access Points 3-21
Friendly Rogue Access Points 3-21
Access Point Threats or Attacks 3-22
MFP Attacks 3-22
Attacks Detected 3-22
Recent Rogue AP Alarms 3-22
Recent Adhoc Rogue Alarm 3-22
Most Recent Security Alarms 3-22
Rogue Access Points, Ad hoc Events, and Clients 3-23
Classifying Rogue Access Points 3-23
Rogue Access Point Classification Types 3-24
Adhoc Rogue 3-26
Rogue Access Point Location, Tagging, and Containment 3-26
Detecting Access Points on a Network 3-27
Viewing Rogue Access Points by Controller 3-28
Working with Alarms 3-29
Monitoring Rogue Alarm Events 3-30
Viewing Rogue AP Event Details 3-31
Monitoring Adhoc Rogue Events 3-32
Viewing Adhoc Rogue Event Details 3-32
Security Overview 3-33
Security Vulnerability Assessment
Security Index 3-34
Top Security Issues 3-35
Switch Port Tracing 3-41
Integrated Security Solutions
Using Prime Infrastructure to Convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 Mode 3-42
Configuring a Firewall for Prime Infrastructure
Access Point Authorization
Management Frame Protection (MFP)
Guidelines for Using MFP 3-45
Configuring Intrusion Detection Systems (IDS)
Viewing IDS Sensors 3-46
Configuring IDS Signatures 3-46
Uploading IDS Signatures 3-48
Downloading IDS Signatures 3-49
Enabling or Disabling IDS Signatures
Enabling Web Login 3-51
Downloading Customized Web Authentication
Connecting to the Guest WLAN 3-53
Certificate Signing Request (CSR) Generation
CHAPTER
4
Performing Maintenance Operations
Information About Maintenance Operations
Performing System Tasks 4-55
Adding a Controller to the Prime Infrastructure Database 4-55
Using Prime Infrastructure to Update System Software 4-56
Downloading Vendor Device Certificates 4-57
Downloading Vendor CA Certificates 4-58
Using Prime Infrastructure to Enable Long Preambles for SpectraLink NetLink Phones
Creating an RF Calibration Model 4-59
Performing Prime Infrastructure Operations 4-60
Verifying the Status of Prime Infrastructure 4-60
Stopping Prime Infrastructure 4-60
Backing Up the Prime Infrastructure Database 4-61
Scheduling Automatic Backups 4-61
Performing a Manual Backup 4-62
Restoring the Prime Infrastructure Database 4-62
Restoring the Prime Infrastructure Database in a High Availability Environment
Upgrading WCS to Prime Infrastructure 4-63
Upgrading Prime Infrastructure in a High Availability Environment 4-64
Upgrading the Network 4-64
Reinitializing the Database 4-64
Recovering the Prime Infrastructure Password 4-65
Performing Disk Cleanup 4-65
CHAPTER
5
Monitoring Devices
Information About Monitoring
Monitoring Controllers 5-1
Searching Controllers 5-2
Viewing a List of Controllers 5-2
Configuring the Controller List Display 5-3
Monitoring System Parameters 5-3
Monitoring System Summary 5-4
Monitoring Spanning Tree Protocol 5-5
Monitoring CLI Sessions 5-7
Monitoring DHCP Statistics 5-8
Monitoring WLANs 5-9
Monitoring Ports 5-9
Monitoring General Ports 5-9
Monitoring CDP Interface Neighbors 5-14
Monitoring Controller Security 5-15
Monitoring RADIUS Authentication 5-15
Monitoring RADIUS Accounting 5-17
Monitoring Management Frame Protection 5-19
Monitoring Rogue AP Rules 5-20
Monitoring Guest Users 5-22
Monitoring Controller Mobility 5-23
Monitoring Mobility Stats 5-23
Monitoring Controller 802.11a/n 5-25
Monitoring 802.11a/n Parameters 5-25
Monitoring 802.11a/n RRM Groups 5-27
Monitoring Controllers 802.11b/g/n 5-29
Monitoring 802.11b/g/n Parameters 5-29
Monitoring 802.11b/g/n RRM Groups 5-30
Monitoring Controllers IPv6 5-32
Monitoring Neighbor Bind Counter Statistics 5-32
Monitoring mDNS Service Provider Information 5-33
Monitoring Switches 5-34
Searching Switches 5-34
Viewing the Switches 5-34
Configuring the Switch List Page 5-34
Monitoring Switch System Parameters 5-35
Viewing Switch Summary Information 5-35
Viewing Switch Memory Information 5-36
Viewing Switch Environment Information 5-37
Viewing Switch Module Information 5-37
Viewing Switch VLAN Information 5-38
Viewing Switch VTP Information 5-38
Viewing Switch Physical Ports Information 5-38
Viewing Switch Sensor Information 5-39
Viewing Switch Spanning Tree Information 5-39
Viewing Switch Stacks Information 5-40
Viewing Switch NMSP and Location Information 5-40
Monitoring Switch Interfaces 5-41
Monitoring Switch Ethernet Interfaces 5-41
Monitoring Switch IP Interfaces 5-42
Monitoring Switch VLAN Interfaces 5-42
Monitoring Switch EtherChannel Interfaces 5-43
Monitoring Switch Clients 5-43
Monitoring Access Points 5-43
Searching Access Points 5-44
Viewing a List of Access Points 5-44
Configuring the Access Point List Display 5-45
Configuring the List of Access Points Display 5-47
Generating a Report for Access Points 5-48
Monitoring Traffic Load 5-50
Monitoring Dynamic Power Control 5-51
Monitoring Access Points Noise 5-52
Monitoring Access Points Interference 5-52
Monitoring Access Points Coverage (RSSI) 5-53
Monitoring Access Points Coverage (SNR) 5-53
Monitoring Access Points Up/Down Statistics 5-53
Monitoring the Access Points Voice Statistics 5-54
Monitoring the Access Points Voice TSM Table 5-54
Monitoring the Access Points Voice TSM Reports 5-56
Monitoring Access Points 802.11 Counters 5-56
Monitoring Access Points AP Profile Status 5-57
Monitoring Access Points Radio Utilization 5-57
Monitoring Access Points Traffic Stream Metrics 5-57
Monitoring Access Points Tx Power and Channel 5-57
Monitoring VoIP Calls 5-58
Monitoring Voice Statistics 5-58
Monitoring Air Quality 5-58
Monitoring Access Points Details 5-58
General Tab 5-58
Interfaces Tab 5-67
CDP Neighbors Tab 5-69
Current Associated Clients Tab 5-69
SSID Tab 5-71
Clients Over Time Tab 5-71
Monitoring Access Point Radio Details 5-71
Monitoring On Demand Statistics 5-72
General Tab 5-74
CleanAir Tab 5-75
Monitoring Operational Parameters 5-76
Monitoring 802.11 MAC Counters 5-79
Monitoring View Alarms 5-80
Monitor View Events 5-81
Monitoring Third-Party Access Points 5-81
Monitoring Mesh Access Points 5-82
Mesh Statistics Tab 5-83
Mesh Links Tab 5-87
Retrieving the Unique Device Identifier on Controllers and Access Points 5-88
Monitoring Coverage Holes 5-88
Monitoring Pre-Coverage Holes 5-89
Monitoring Rogue Access Points 5-91
Detecting Rogue Devices 5-91
Classifying Rogue Access Points 5-92
Monitoring Rogue AP Alarms 5-95
Viewing Rogue AP Alarm Details 5-99
Viewing Rogue Client Details 5-103
Viewing Rogue AP History Details 5-104
Viewing Rogue AP Event History Details 5-105
Monitoring Ad hoc Rogues 5-105
Monitoring Ad hoc Rogue Alarms 5-105
Viewing Ad hoc Rogue Alarm Details 5-107
Searching Rogue Clients Using Advanced Search 5-109
Monitoring Rogue Access Point Location, Tagging, and Containment 5-109
Detecting Access Points 5-110
Monitoring Rogue Alarm Events 5-111
Viewing Rogue AP Event Details 5-111
Monitoring Ad hoc Rogue Events 5-112
Viewing Ad hoc Rogue Event Details 5-113
Troubleshooting Unjoined Access Points 5-114
Monitoring RFID Tags 5-115
Tag Summary 5-115
Searching Tags 5-115
Viewing RFID Tag Search Results
Viewing the Tag List 5-117
Monitoring Chokepoints 5-117
Performing a Chokepoint Search
Monitoring Interferers 5-118
Monitoring AP Detected Interferers 5-118
Monitoring AP Detected Interferer Details 5-119
Monitoring AP Detected Interferer Details Location History
Configuring the Search Results Display 5-121
Monitoring Spectrum Experts 5-121
Spectrum Experts Summary 5-122
Interferers Summary 5-122
Interferers Search 5-123
Spectrum Experts Details 5-123
Monitoring WiFi TDOA Receivers
Monitoring Media Streams
Monitoring Radio Resource Management (RRM) 5-125
Channel Change Notifications 5-126
Transmission Power Change Notifications 5-126
RF Grouping Notifications 5-126
Viewing the RRM Dashboard 5-126
Monitoring Clients and Users
Monitoring Alarms 5-128
Alarms and Events Overview 5-129
Viewing List of Alarms 5-129
Filtering Alarms 5-130
Exporting Alarms 5-131
Viewing Alarm Details 5-131
Viewing Events Related to Alarms 5-132
Modifying Alarms 5-133
Specifying Email Notifications for Alarms 5-133
Modifying the Alarm Browser 5-134
Viewing the Alarm Summary 5-134
Modifying Alarm Settings 5-135
Modifying Alarm Count Refresh Rate 5-135
Configuring Alarm Severity Levels 5-135
Working with Alarms 5-136
Monitoring Access Point Alarms 5-138
Monitoring Air Quality Alarms 5-138
Monitoring CleanAir Security Alarms 5-139
Monitoring Email Notifications 5-140
Monitoring Severity Configurations 5-140
Monitoring Cisco Adaptive wIPS Alarms 5-141
Monitoring Cisco Adaptive wIPS Alarm Details 5-142
Monitoring Events 5-143
Searching Events 5-145
Exporting Events 5-146
Monitoring Failure Objects 5-146
Monitoring Events for Rogue APs 5-146
Monitoring Events for Ad hoc Rogues 5-147
Monitoring Cisco Adaptive wIPS Events 5-148
Monitoring CleanAir Air Quality Events 5-149
Viewing Air Quality Event Details 5-149
Monitoring Interferer Security Risk Events 5-150
Viewing Interferer Security Risk Event Details 5-150
Monitoring Health Monitor Events 5-150
Viewing Health Monitor Event Details 5-151
Working with Events 5-151
Monitoring Site Maps
Monitoring Google Earth Maps
CHAPTER
6
Monitoring Maps
About Maps
Adding a Campus Map
Adding a Building to a Campus Map 6-155
Adding a Standalone Building 6-157
Adding Floor Areas 6-158
Adding Floor Areas to a Campus Building 6-158
Adding Floor Plans to a Standalone Building 6-161
Configuring Floor Settings 6-163
Import Map and AP Location Data 6-174
Monitoring Floor Area 6-175
Panning and Zooming with Next Generation Maps
Adding Access Points to a Floor Area 6-176
Placing Access Points 6-178
Using the Automatic Hierarchy to Create Maps
Using the Map Editor 6-182
Guidelines for Using the Map Editor 6-183
Guidelines for Placing Access Points 6-183
Guidelines for Inclusion and Exclusion Areas on a Floor
Opening the Map Editor 6-185
Map Editor Icons 6-186
Using the Map Editor to Draw Coverage Areas 6-186
Using the Map Editor to Draw Obstacles 6-187
Defining an Inclusion Region on a Floor 6-187
Defining an Exclusion Region on a Floor 6-189
Defining a Rail Line on a Floor 6-189
Adding an Outdoor Area
Using Chokepoints to Enhance Tag Location Reporting 6-191
Adding Chokepoints to the Prime Infrastructure Database 6-192
Adding a Chokepoint to a Prime Infrastructure Map 6-192
Positioning Chokepoints 6-194
Configuring Wi-Fi TDOA Receivers 6-194
Adding Wi-Fi TDOA Receivers to the Prime Infrastructure Database
Adding Wi-Fi TDOA Receivers to a Map 6-195
Positioning Wi-Fi TDOA Receivers 6-195
Managing RF Calibration Models 6-196
Accessing Current Calibration Models 6-197
Applying Calibration Models to Maps 6-197
Viewing Calibration Model Properties 6-197
Viewing Calibration Model Details 6-198
Creating New Calibration Models 6-198
Starting Calibration Process 6-198
Calibrating 6-201
Apply the Model to the Floor 6-201
Deleting Calibration Models 6-202
Managing Location Presence Information 6-202
Searching Maps
Using the Map Editor 6-203
Opening the Map Editor 6-204
Using the Map Editor to Draw Polygon Areas 6-204
Defining an Inclusion Region on a Floor 6-205
Defining an Exclusion Region on a Floor 6-206
Defining a Rail Line on a Floor 6-207
Inspecting Location Readiness and Quality 6-208
Inspecting Location Readiness 6-208
Inspecting Location Quality Using Calibration Data
Inspecting VoWLAN Readiness 6-209
Troubleshooting Voice RF Coverage Issues 6-210
Monitoring Mesh Networks Using Maps 6-210
Monitoring Mesh Link Statistics Using Maps 6-210
Monitoring Mesh Access Points Using Maps 6-212
Monitoring Mesh Access Point Neighbors Using Maps 6-213
Viewing the Mesh Network Hierarchy 6-214
Using Mesh Filters to Modify Map Display of Maps and Mesh Links
Monitoring Tags Using Maps
Using Planning Mode 6-217
Accessing Planning Mode 6-217
Using Planning Mode to Calculate Access Point Requirements
Refresh Options
Creating a Network Design 6-223
Designing a Network 6-223
Importing or Exporting WLSE Map Data
Monitoring Device Details 6-226
Floor View Navigation 6-228
Understanding RF Heatmap Calculation
Monitoring Google Earth Maps 6-230
Creating an Outdoor Location Using Google Earth 6-230
Understanding Geographical Coordinates for Google Earth 6-230
Creating and Importing Coordinates in Google Earth (KML File) 6-232
Creating and Importing Coordinates as a CSV File 6-233
Importing a File into Prime Infrastructure 6-234
Viewing Google Earth Maps 6-235
Viewing Google Earth Map Details 6-235
Adding Google Earth Location Launch Points to Access Point Pages 6-236
Google Earth Settings 6-236
CHAPTER
7
Managing User Accounts
Managing the Prime Infrastructure User Accounts 7-239
Configuring the Prime Infrastructure User Accounts 7-240
Deleting the Prime Infrastructure User Accounts 7-241
Changing Passwords 7-242
Changing the Root User Password using CLI 7-242
Monitoring Active Sessions 7-242
Viewing or Editing User Account Information 7-243
Setting the Lobby Ambassador Defaults 7-243
Viewing or Editing Group Information 7-244
Editing the Guest User Credentials 7-245
Viewing the Audit Trail 7-245
Audit Trail Details Page 7-246
Creating Guest User Accounts
Managing the Prime Infrastructure Guest User Accounts 7-247
Scheduling the Prime Infrastructure Guest User Accounts 7-248
Printing or E-mailing the Prime Infrastructure Guest User Details 7-249
Saving Guest Accounts on a Device 7-249
Editing the Guest User Credentials 7-250
Adding a New User 7-250
Adding User Names, Passwords, and Groups
Assigning a Virtual Domain 7-251
Managing Lobby Ambassador Accounts 7-252
Creating a Lobby Ambassador Account 7-252
Editing a Lobby Ambassador Account 7-254
Logging in to the Prime Infrastructure User Interface as a Lobby Ambassador
Logging the Lobby Ambassador Activities 7-255
CHAPTER
8
Configuring Mobility Groups
Information About Mobility
Symmetric Tunneling
Overview of Mobility Groups 8-261
When to Include Controllers in a Mobility Group
Messaging among Mobility Groups 8-264
Configuring Mobility Groups 8-264
Prerequisites 8-264
Setting the Mobility Scalability Parameters
Mobility Anchors
Configuring Multiple Country Codes
Configuring Controller Config Groups 8-268
Adding New Group 8-268
Configuring Config Groups 8-269
Adding or Removing Controllers from a Config Group 8-270
Adding or Removing Templates from the Config Group 8-270
Applying or Scheduling Config Groups
Auditing Config Groups 8-271
Rebooting Config Groups 8-272
Reporting Config Groups
Downloading Software 8-273
Downloading IDS Signatures 8-273
Downloading Customized WebAuth 8-274
CHAPTER
9
Configuring Devices
Configuring Controllers 9-275
Understanding the Controller Audit Report 9-277
Adding Controllers 9-278
Bulk Update of Controller Credentials 9-281
Removing Controllers from the Prime Infrastructure 9-282
Rebooting Controllers 9-282
Downloading Software to Controllers 9-283
Downloading Software (FTP) 9-283
Downloading Software (TFTP) 9-285
Configuring IPaddr Upload Configuration/Logs from the Controller
Downloading IDS Signatures 9-288
Downloading a Customized WebAuthentication Bundle to a Controller
Downloading a Vendor Device Certificate 9-290
Downloading a Vendor CA Certificate 9-291
Saving the Configuration to Flash 9-292
Refreshing the Configuration from the Controller 9-292
Discovering Templates from the Controller 9-292
Updating Credentials in the Prime Infrastructure 9-293
Viewing Templates Applied to a Controller 9-294
Using the Audit Now Feature 9-295
Viewing the Latest Network Audit Report 9-296
Configuring Existing Controllers 9-297
Configuring Controllers Properties 9-297
Configuring Controller System Parameters 9-299
Managing General System Properties for Controllers 9-299
Configuring Controller System Commands 9-306
Restoring Factory Defaults 9-307
Setting the Controller Time and Date 9-308
Uploading Configuration/Logs from Controllers 9-308
Downloading Configurations to Controllers 9-309
Downloading Software to a Controller 9-310
Downloading a Web Admin Certificate to a Controller 9-310
Downloading IDS Signatures 9-311
Downloading a Customized Web Auth Bundle to a Controller 9-311
Configuring Controller System Interfaces 9-313
Adding an Interface 9-313
Viewing Current Interface Details 9-314
Deleting a Dynamic Interface 9-315
Configuring Controller System Interface Groups 9-316
Adding an Interface Group 9-316
Deleting an Interface Group 9-317
Viewing Interface Groups 9-317
NAC Integration 9-318
Configuring Wired Guest Access 9-320
Creating an Ingress Interface 9-322
Creating an Egress Interface 9-323
Configuring Controller Network Routes 9-323
Viewing Existing Network Routes 9-323
Configuring Controller Spanning Tree Protocol Parameters 9-324
Configuring Controller Mobility Groups 9-324
Configuring Controller Network Time Protocol 9-327
Background Scanning on 1510s in Mesh Networks 9-328
Configuring Controller QoS Profiles 9-330
Configuring Controller DHCP Scopes 9-331
Configuring Controller User Roles 9-332
Configuring a Global Access Point Password 9-333
Configuring Global CDP 9-333
Configuring AP 802.1X Supplicant Credentials 9-334
Configuring Controller DHCP 9-335
Configuring Controller Multicast Mode 9-336
Configuring Access Point Timer Settings 9-337
Configuring Controller WLANs 9-338
Viewing WLAN Details 9-339
General Tab 9-339
Security Tab 9-340
QoS Tab 9-345
Advanced Tab 9-346
Configuring Mobile Concierge (802.11u) 9-351
Adding a WLAN 9-353
Deleting a WLAN 9-353
Managing WLAN Status Schedules 9-354
Mobility Anchors 9-354
Configuring WLANs AP Groups 9-355
Adding Access Point Groups 9-356
Deleting Access Point Groups 9-357
Auditing Access Point Groups 9-358
Configuring FlexConnect Parameters 9-358
Configuring FlexConnect AP Groups 9-358
Auditing a FlexConnect Group 9-362
Configuring Security Parameters 9-362
Configuring Controller File Encryption 9-362
Configuring Controllers > IPaddr > Security > AAA 9-363
Configuring AAA General Parameters 9-363
Configuring AAA RADIUS Auth Servers 9-363
Configuring AAA RADIUS Acct Servers 9-364
Configuring AAA RADIUS Fallback Parameters 9-366
Configuring AAA LDAP Servers 9-366
Configuring AAA TACACS+ Servers 9-368
Configuring AAA Local Net Users 9-369
Configuring AAA MAC Filtering 9-370
Configuring AAA AP/MSE Authorization 9-370
Configuring AAA Web Auth Configuration 9-372
Configuring AAA Password Policy 9-373
Configuring Controllers > IPaddr > Security > Local EAP 9-373
Configuring Local EAP General Parameters 9-373
Configuring Local EAP Profiles 9-375
Configuring Local EAP General EAP-FAST Parameters 9-376
Configuring Local EAP General Network Users Priority 9-376
Configuring User Login Policies 9-377
Managing Manually Disabled Clients 9-377
Configuring Access Control Lists 9-378
Configuring IPaddr > Access Control List > listname Rules 9-378
Configuring FlexConnect Access Control Lists 9-379
Configuring CPU Access Control Lists 9-380
Configuring the IDS Sensor List 9-381
Configuring CA Certificates 9-381
Configuring ID Certificates 9-382
Configuring Controllers > IPaddr > Security > Web Auth Certificate
Configuring Wireless Protection Policies 9-383
Configuring Rogue Policies 9-384
Configuring Rogue AP Rules 9-385
Configuring Client Exclusion Policies 9-385
Configuring IDS Signatures 9-386
Configuring Controller Standard Signature Parameters 9-386
Configuring Custom Signatures 9-390
Configuring AP Authentication and MFP 9-390
Configuring Cisco Access Points 9-391
Sniffer Feature 9-392
Configuring 802.11 Parameters 9-393
Configuring General Parameters for an 802.11 Controller 9-393
Configuring Aggressive Load Balancing 9-394
Configuring Band Selection 9-395
Configuring Preferred Call 9-397
Configuring 802.11 Media Parameters 9-397
Configuring RF Profiles (802.11) 9-398
Configuring SIP Snooping 9-399
Configuring 802.11a/n Parameters 9-400
Configuring 802.11a/n General Parameters 9-400
Configuring 802.11a/n RRM Thresholds 9-402
Configuring 802.11a/n RRM Intervals 9-402
Configuring 802.11a/n RRM Transmit Power Control 9-402
Configuring 802.11a/n RRM Dynamic Channel Allocation 9-403
Configuring 802.11a/n RRM Radio Grouping 9-405
Configuring 802.11a/n Media Parameters 9-405
Configuring 802.11a/n EDCA Parameters 9-408
Configuring 802.11a/n Roaming Parameters 9-408
Configuring 802.11a/n 802.11h Parameters 9-409
Configuring 802.11a/n High Throughput (802.11n) Parameters 9-410
Configuring 802.11a/n CleanAir Parameters 9-410
Configuring 802.11b/g/n Parameters 9-412
Configuring 802.11b/g/n General Parameters 9-412
Configuring 802.11b/g/n RRM Thresholds 9-413
Configuring 802.11b/g/n RRM Intervals 9-414
Configuring 802.11b/g/n RRM Transmit Power Control 9-414
Configuring 802.11b/g/n RRM DCA 9-415
Configuring 802.11b/g/n RRM Radio Grouping 9-416
Configuring 802.11b/g/n Media Parameters 9-416
Configuring 802.11b/g/n EDCA Parameters 9-419
Configuring 802.11b/g/n Roaming Parameters 9-419
Configuring 802.11b/g/n High Throughput (802.11n) Parameters 9-420
Configuring 802.11b/g/n CleanAir Parameters 9-421
Configuring Mesh Parameters 9-422
Client Access on 1524SB Dual Backhaul 9-423
Backhaul Channel Deselection Using the Prime Infrastructure 9-424
Configuring Port Parameters 9-425
Configuring Controllers Management Parameters 9-426
Configuring Trap Receivers 9-426
Configuring Trap Control Parameters 9-427
Configuring Telnet SSH Parameters 9-429
Configuring a Syslog for an Individual Controller 9-429
Configuring Multiple Syslog Servers 9-430
Configuring WEB Admin 9-430
Downloading Web Auth or Web Admin Certificate to the Controller 9-431
Configuring Local Management Users 9-432
Configuring Authentication Priority 9-432
Configuring Location Configurations 9-432
Configuring IPv6 9-434
Configuring Neighbor Binding Timers 9-434
Configuring RA Throttle Policy 9-435
Configuring RA Guard 9-436
Configuring Proxy Mobile IPv6 9-436
Configuring PMIP Global Configurations 9-436
Configuring LMA Configurations 9-437
Configuring PMIP Profile 9-437
Configuring mDNS 9-438
Configuring AVC Profiles 9-439
Configuring NetFlow 9-440
Configuring NetFlow Monitor 9-440
Configuring NetFlow Exporter 9-441
Configuring Third-Party Controllers and Access Points 9-441
Adding a Third-Party Controller 9-442
Viewing Third-Party Controller Operational Status 9-442
Viewing the Details of Third-Party Access Points 9-443
Removing Third-Party Access Points 9-443
Viewing Third-Party Access Point Operational Status 9-444
Configuring Access Points 9-444
Setting AP Failover Priority 9-445
Configuring Global Credentials for Access Points 9-446
Configuring Ethernet Bridging and Ethernet VLAN Tagging
Ethernet VLAN Tagging Guidelines 9-448
Enabling Ethernet Bridging and VLAN Tagging 9-450
Autonomous to Lightweight Migration Support 9-451
Adding Autonomous Access Points to the Prime Infrastructure 9-452
Viewing Autonomous Access Points in Prime Infrastructure 9-456
Downloading Images to Autonomous Access Points (TFTP) 9-456
Downloading Images to Autonomous Access Points (FTP) 9-457
Supporting Autonomous Access Points in Work Group Bridge (WGB) mode
Configuring Access Point Details 9-457
Configuring an Ethernet Interface 9-466
Importing AP Configuration 9-466
Exporting AP Configuration 9-467
Configuring Access Points 802.11n Antenna 9-468
Configuring CDP 9-471
Configuring CDP on Access Points 9-471
Configuring Access Point Radios for Tracking Optimized Monitor Mode 9-472
Copying and Replacing Access Points 9-472
Removing Access Points 9-473
Scheduling and Viewing Radio Status 9-473
Scheduling Radio Status 9-473
Viewing Scheduled Tasks 9-474
Viewing Audit Status (for Access Points) 9-474
Filtering Alarms for Maintenance Mode Access Points 9-475
Placing an Access Point in Maintenance State 9-475
Removing an Access Point from Maintenance State 9-475
Searching Access Points 9-475
Viewing Mesh Link Details 9-476
Viewing or Editing Rogue Access Point Rules 9-477
Configuring Switches 9-477
Features Available by Switch Type 9-478
Viewing Switches 9-478
Viewing Switch Details 9-479
Modifying SNMP Parameters 9-480
Modifying Telnet/SSH Parameters 9-480
Adding Switches 9-480
Configuring SNMPv3 on Switches 9-482
Sample CSV File for Importing Switches 9-482
Configuring Switch NMSP and Location 9-483
Enabling and Disabling NMSP for Switches 9-483
Configuring a Switch Location 9-484
Configuring a Switch Port Location 9-484
Removing Switches 9-485
Refreshing Switch Configuration
Enabling Traps and Syslogs on Switches for Wired Client Discovery 9-485
MAC Notification for Traps (Used for Non-Identity Client Discovery)
Syslog Configuration 9-486
Configuring Unknown Devices
Configuring Spectrum Experts 9-487
Adding a Spectrum Expert 9-488
Monitoring Spectrum Experts 9-488
Viewing Spectrum Experts Summary 9-488
Viewing Interferers Summary 9-489
Viewing Spectrum Experts Details 9-489
OfficeExtend Access Point 9-490
Licensing for an OfficeExtend Access Point 9-490
Configuring Link Latency Settings for Access Points 9-491
Configuring Chokepoints 9-492
Configuring New Chokepoints 9-492
Adding a Chokepoint to Prime Infrastructure Database 9-492
Adding a Chokepoint to a Prime Infrastructure Map 9-493
Removing a Chokepoint from a Prime Infrastructure Map 9-494
Removing a Chokepoint from Prime Infrastructure 9-494
Editing Current Chokepoints 9-494
Configuring Wi-Fi TDOA Receivers 9-495
Using Wi-Fi TDOA Receivers to Enhance Tag Location Reporting 9-495
Adding Wi-Fi TDOA Receivers to Prime Infrastructure and Maps 9-496
Viewing or Editing Current Wi-Fi TDOA Receivers 9-497
Removing Wi-Fi TDOA Receivers from Prime Infrastructure and Maps 9-498
Configuring Scheduled Configuration Tasks
Configuring Auto Provisioning for Controllers
Configuring Redundancy on Controllers
Configuring wIPS Profiles 9-500
Profile List 9-500
Adding a Profile 9-501
Profile Editor 9-502
Deleting a Profile 9-504
Applying a Current Profile 9-505
Configure > wIPS > SSID Group List 9-505
Global SSID Group List 9-506
SSID Groups 9-507
Configuring ACS View Servers
Configuring ACS View Server Credentials
Configuring TFTP or FTP Servers
Adding a TFTP or FTP Server
Deleting TFTP or FTP Servers
Interactive Graphs
Interactive Graphs Overview
Interactive Graph Features
Time-based Graphs
CHAPTER 10 Managing Clients
Client Dashlets on the General Dashboard
Client Dashboard
Client Troubleshooting Dashlet
Client Distribution Dashlet
Client Authentication Type Distribution
Client Alarms and Events Summary Dashlet
Client Traffic Dashlet
Wired Client Speed Distribution Dashlet
Top 5 SSIDs by Client Count
Top 5 Switches by Switch Count
Client Posture Status Dashlet
Client Count By IP Address Type
IPv6 Assignment Distribution
User Auth Failure Count
Client Protocol Distribution
Client EAP Type Distribution
Guest Users Count
Client CCX Distribution
Top N Client Count
Client Mobility Status Distribution
Client 11u Distribution
11u Client Count
11u Client Traffic
PMIP Clients Distribution
PMIP Client Count
Top APs By Client Count
Most Recent Client Alarms
Recent 5 Guest User Accounts
Latest 5 logged in Guest Users
Clients Detected by Context Aware Service
Monitoring Clients and Users
Filtering Clients and Users
Viewing Clients and Users
Client Attributes
Client IPv6 Addresses
Client Statistics
Client Association History
Client Event Information
Client Location Information
Wired Location History
Wireless Location History
Client CCXv5 Information
Exporting Clients and Users
Client Troubleshooting
Tracking Clients
Notification Settings
Identifying Unknown Users
Configuring the Search Results Display
Enabling Automatic Client Troubleshooting
Viewing Client Details in the Access Point Page
Viewing Currently Associated Clients
Running Client Reports
Running ISE Reports
Specifying Client Settings
Receiving Radio Measurements for a Client
Radio Measurement Results for a Client
Viewing Client V5 Statistics
Viewing Client Operational Parameters
Viewing Client Profiles
Disabling a Current Client
Removing a Current Client
Enabling Mirror Mode
Viewing a Map (High Resolution) of a Client Recent Location
Viewing a Map (High Resolution) of a Client Current Location
Running a Client Sessions Report for the Client
Viewing a Roam Reason Report for the Client
Viewing Detecting Access Point Details
Viewing Client Location History
Viewing Voice Metrics for a Client
CHAPTER 11 Using Templates
Information About Templates
Accessing the Controller Template Launch Pad
Adding Controller Templates
Deleting Controller Templates
Applying Controller Templates
Configuring Controller Templates
Configuring System Templates
Configuring General Templates
Configuring SNMP Community Controller Templates
Configuring an NTP Server Template
Configuring User Roles Controller Templates
Configuring AP Username Password Controller Templates
Configuring AP 802.1X Supplicant Credentials
Configuring a Global CDP Configuration Template
Configuring DHCP Templates
Configuring Dynamic Interface Templates
Configuring QoS Templates
Configuring AP Timers Templates
Configuring an Interface Group Template
Configuring a Traffic Stream Metrics QoS Template
Configuring WLAN Templates
Configuring WLAN Templates
Security Tab
QoS Tab
Advanced Tab
Configuring Client Profiling
Configuring Mobile Concierge (802.11u)
Configuring WLAN AP Groups Templates
Adding Access Point Groups
Deleting Access Point Groups
Configuring FlexConnect Templates
Configuring FlexConnect AP Groups Templates
Configuring FlexConnect Users
Configuring Security Templates
Configuring a General Security Controller Template
Configuring a File Encryption Template
Configuring a RADIUS Authentication Template
Configuring a RADIUS Accounting Template
Configuring a RADIUS Fallback Template
Configuring an LDAP Server Template
Configuring a TACACS+ Server Template
Configuring a Local EAP General Template
Configuring a Local EAP Profile Template
Configuring an EAP-FAST Template
Configuring a Network User Priority Template
Configuring a Local Network Users Template
Guest User Templates
Configuring a User Login Policies Template
Configuring a MAC Filter Template
Configuring an Access Point or MSE Authorization Template
Configuring a Manually Disabled Client Template
Configuring a Client Exclusion Policies Template
Configuring an Access Point Authentication and MFP Template
Configuring a Web Authentication Template
Configuring an External Web Auth Server Template
Configuring a Security Password Policy Template
Configuring Security - Access Control Templates
Configuring an Access Control List Template
Configuring a FlexConnect Access Control List Template
Configuring an ACL IP Groups Template
Configuring an ACL Protocol Groups Template
Configuring Security - CPU Access Control List Templates
Configuring a CPU Access Control List (ACL) Template
Configuring Security - Rogue Templates
Configuring a Rogue Policies Template
Configuring a Rogue AP Rules Template
Configuring a Rogue AP Rule Groups Template
Configuring a Friendly Access Point Template
Configuring Ignored Rogue AP Templates
Configuring 802.11 Templates
Configuring Load Balancing Templates
Configuring Band Selection Templates
Configuring Preferred Call Templates
Configuring Media Stream for Controller Templates (802.11)
Configuring RF Profiles Templates (802.11)
Configuring SIP Snooping
Configuring Radio Templates (802.11a/n)
Configuring 802.11a/n Parameters Templates
Configuring Media Parameters Controller Templates (802.11a/n)
Configuring EDCA Parameters Through a Controller Template (802.11a/n)
Configuring a Roaming Parameters Template (802.11a/n)
Configuring an 802.11h Template
Configuring a High Throughput Template (802.11a/n)
Configuring CleanAir Controller Templates (802.11a/n)
Configuring 802.11a/n RRM Templates
Configuring Radio Templates (802.11b/g/n)
Configuring 802.11b/g/n Parameters Templates
Configuring Media Parameters Controller Templates (802.11b/g/n)
Configuring EDCA Parameters Controller Templates (802.11b/g/n)
Configuring Roaming Parameters Controller Templates (802.11b/g/n)
Configuring High Throughput (802.11n) Controller Templates (802.11b/g/n)
Configuring CleanAir Controller Templates (802.11 b/g/n)
Configuring 802.11b/g/n RRM Templates
Configuring Mesh Templates
Configuring Mesh Setting Templates
Configuring Management Templates
Configuring Trap Receiver Templates
Configuring Trap Control Templates
Configuring Telnet SSH Templates
Configuring Legacy Syslog Templates
Configuring Multiple Syslog Templates
Configuring Local Management User Templates
Configuring User Authentication Priority Templates
Configuring CLI Templates
Applying a Set of CLI Commands
Configuring Location Configuration Templates
Configuring IPv6 Templates
Configuring Neighbor Binding Timers Templates
Configuring RA Throttle Policy Templates
Configuring RA Guard Templates
Configuring Proxy Mobile IPv6 Templates
Configuring PMIP Global Configurations
Configuring LMA Configurations
Configuring PMIP Profile
Configuring mDNS Templates
Configuring AVC Profiles Templates
Configuring NetFlow Templates
Configuring NetFlow Monitor Template
Configuring NetFlow Exporter Template
Configuring AP Configuration Templates
Configuring Lightweight Access Point Templates
Configuring a New Lightweight Access Point Template
Editing a Current Lightweight Access Point Template
Configuring Autonomous Access Point Templates
Configuring a New Autonomous Access Point Template
Applying an AP Configuration Template to an Autonomous Access Point
Configuring Switch Location Configuration Templates
Configuring Autonomous AP Migration Templates
Migrating an Autonomous Access Point to a Lightweight Access Point
Editing Current Autonomous AP Migration Templates
Viewing the Migration Analysis Summary
Adding/Modifying a Migration Template
Copying a Migration Template
Deleting Migration Templates
Viewing the Current Status of Cisco IOS Access Points
Disabling Access Points that are Ineligible
CHAPTER 12 Configuring FlexConnect
Information About FlexConnect
FlexConnect Authentication Process
FlexConnect Guidelines
Configuring FlexConnect
Configuring the Switch at the Remote Site
Configuring the Controller for FlexConnect
Configuring an Access Point for FlexConnect
Connecting Client Devices to the WLANs
FlexConnect Access Point Groups
FlexConnect Groups and Backup RADIUS Servers
FlexConnect Groups and CCKM
FlexConnect Groups and Local Authentication
Configuring FlexConnect Groups
Auditing a FlexConnect Group
CHAPTER 13 Alarm and Event Dictionary
What is an Event?
What is an Alarm?
Unsupported Traps
CHAPTER 14 Reports
Non Upgradable Reports from the WCS to Prime Infrastructure
CHAPTER 15 Performing Administrative Tasks
CHAPTER 16 Prime Infrastructure Services
Mobility Services
CAS
wIPS
Mobile Concierge Service
Location Analytics Service
Cisco Context-Aware Mobility Solution
Cisco Prime Infrastructure
WLAN Controllers
Access Points
Cisco 3300 Series Mobility Services Engines
Accessing Services
MSE Services Coexistence
Viewing Current Mobility Services
Adding a Mobility Services Engine
Deleting an MSE License File
Deleting a Mobility Services Engine from the Prime Infrastructure
Registering Product Authorization Keys
Installing Device and wIPS License Files
Adding a Location Server
Synchronizing Services
Keeping Mobility Services Engines Synchronized
Synchronizing the Prime Infrastructure and a Mobility Services Engine
Synchronizing Controllers with Mobility Services Engines
Working with Third-Party Elements
Setting and Verifying the Timezone on a Controller
Configuring Smart Mobility Services Engine Database Synchronization
Out-of-Sync Alarms
Viewing Mobility Services Engine Synchronization Status
Viewing Synchronization History
Viewing Notification Statistics
Configuring High Availability
Pairing Matrix
Guidelines and Limitations for High Availability
Failover Scenario for High Availability
Failback
HA Licensing
Configuring High Availability on the MSE
Viewing Configured Parameters for High Availability
Viewing High Availability Status
Managing System Properties for a Mobility Services Engine
Editing General Properties for a Mobility Services Engine
Editing NMSP Parameters for a Mobility Services Engine
Viewing Active Session Details for a Mobility Services Engine
Viewing and Adding Trap Destinations for a Mobility Services Engine
Editing Advanced Parameters for a Mobility Services Engine
Rebooting the Mobility Services Engine Hardware
Shutting Down the Mobility Services Engine Hardware
Clearing the Mobility Services Engine Database
Working with Logs
Managing User and Group Accounts for a Mobility Services Engine
Monitoring Status Information for a Mobility Services Engine
Viewing Server Events for a Mobility Services Engine
Viewing Audit Logs from a Mobility Services Engine
Viewing Prime Infrastructure Alarms for a Mobility Services Engine
Viewing Prime Infrastructure Events for a Mobility Services Engine
Viewing NMSP Connection Status for a Mobility Services Engine
Managing Maintenance for Mobility Services
Viewing or Editing Mobility Services Backup Parameters
Backing Up Mobility Services Engine Historical Data
Restoring Mobility Services Engine Historical Data
Downloading Software to a Mobility Services Engine Using the Prime Infrastructure
Configuring Partner System for a Mobility Services Engine
Qualcomm PDS Configuration
MSE-Qualcomm Configuration
Managing Cisco Adaptive wIPS Service Parameters
Managing Context-Aware Service Software Parameters
Context-Aware Service General Parameters
Context-Aware Service Administration Parameters
Modifying Tracking Parameters for Mobility Services
Filtering Parameters for Mobility Services
Modifying History Parameters for Mobility Services
Enabling Location Presence for Mobility Services
Importing Asset Information for Mobility Services
Exporting Asset Information for Mobility Services
Importing Civic Information for Mobility Services
Context-Aware Service Wired Parameters
Monitoring Interferers
Context-Aware Service Advanced Parameters
Modifying Northbound Notifications
Modifying Location Parameters for Mobility Services
Modifying Notification Parameters for Mobility Services
Viewing Partner Engine Status
Viewing Notification Information for Mobility Services
Viewing the Notifications Summary for Mobility Services
Viewing and Managing Notifications for Mobility Services
Viewing Notification Statistics
Mobile Concierge Service Parameters
Viewing the Configured Service Advertisements
Viewing Mobile Concierge Service Statistics
About Event Groups
Adding Event Groups
Deleting Event Groups
Working with Event Definitions
Adding Event Definitions
Deleting an Event Definition
Client Support on MSE
Searching a Wireless Client from the Prime Infrastructure on the MSE by IPv6 Address
Viewing the Clients Detected by the MSE
Upgrading from 5.0 to 6.0 or 7.0
Viewing the MSE Alarm Details
MSE License Overview
MSE License Structure Matrix
Sample an MSE License File
Revoking and Reusing an MSE License
Deploying the MSE Virtual Appliance
Adding a License File to the MSE Using the License Center
Viewing the MSE License Information using License Center
Removing a License File Using the License Center
Auto Switch Port Tracing and Auto Containment of Rogue APs
Configuring Auto Switch Port Tracing Criteria on the Prime Infrastructure
Configuring Auto Containing Settings on the Prime Infrastructure
Location Assisted Client Troubleshooting from the Context Aware Dashboard
MSE Analytics Reports
Monitoring Maps
Mobile Concierge Service
Licensing for Mobile Concierge
Defining a Venue
Deleting the Venue
Defining a Provider with Policies
Deleting the Provider
Defining New Policies
Deleting New Policies
Adding Service Advertisements to the Floor Map
Creating Service Advertisements from the Floor Map
Viewing the Configured Service Advertisements
Viewing Mobile Concierge Service Statistics
Viewing the MSE Summary Page for Mobile Concierge License Information
Viewing Service Advertisements Synchronization Status
Adding a Mobile Concierge Service License Using the License Center
Mobile Concierge Reports
Identity Services
Viewing Identify Services
Adding an Identity Services Engine
Removing an Identity Services Engine
CHAPTER 17 Tools
Running Voice Audits
Running Voice Diagnostic
Configuring the Location Accuracy Tools
Configuring Audit Summary
Configuring Migration Analysis
Configuring TAC Case Attachments
CHAPTER 18 wIPS Policy Alarm Encyclopedia
Security IDS/IPS Overview
Intrusion Detection—Denial of Service Attack
Denial of Service Attack Against Access Points
Denial of Service Attack: Association Flood
Denial of Service Attack: Association Table Overflow
Denial of Service Attack: Authentication Flood
Denial of Service Attack: EAPOL-Start Attack
Denial of Service Attack: PS Poll Flood
Denial of Service Attack: Probe Request Flood
Denial of Service Attack: Re-association Request Flood
Denial of Service Attack: Unauthenticated Association
Denial of Service Attack Against Infrastructure
Denial of Service Attack: Beacon Flood
Denial of Service Attack: MDK3-Destruction Attack
Denial of Service Attack: CTS Flood
Denial of Service Attack: Queensland University of Technology Exploit
Denial of Service Attack: RF Jamming
Denial of Service: RTS Flood
Denial of Service Attack: Virtual Carrier Attack
Denial of Service Attack Against Station
Denial of Service Attack: Authentication-Failure Attack
Denial of Service Attack: Block ACK Flood
Denial of Service Attack: De-Auth Broadcast Flood
Denial of Service Attack: De-Auth Flood
Denial of Service Attack: Dis-Assoc Broadcast Flood
Denial of Service Attack: Dis-Assoc Flood
Denial of Service Attack: EAPOL-Logoff Attack
Denial of Service Attack: FATA-Jack Tool
Denial of Service Attack: Premature EAP-Failure
Denial of Service Attack: Premature EAP-Success
Denial of Service Attack: Probe Response Flood
Intrusion Detection—Security Penetration
ASLEAP Tool Detected
AirDrop Session Detected
AirPwn
Airsnarf Attack
Bad EAP-TLS Frames
Beacon Fuzzed Frame Detected
Brute Force Hidden SSID
DHCP Starvation Attack Detected
Chopchop Attack
Day-0 Attack by WLAN Performance Anomaly
Day-0 Attack by WLAN Security Anomaly
Day-0 Attack by Device Performance Anomaly
Day-0 Attack by Device Security Anomaly
Device Broadcasting XSS SSID
Device Probing for APs
Dictionary Attack on EAP Methods
EAP Attack Against 802.1x Authentication
Fake Access Points Detected
Fake DHCP Server Detected
Fast WEP Crack Tool Detected
Fragmentation Attack
HT_Intolerant Degradation of Service
Identical Send and Receive Address
Improper Broadcast Frames
Karma Tool Detected
Hot-Spotter Tool Detected
Malformed 802.11 Packets Detected
Man-in-the-Middle Attack
Monitored Device Detected
NetStumbler Detected
NetStumbler Victim Detected
Publicly Secure Packet Forwarding (PSPF) Violation Detected
Probe Request Fuzzed Frame Detected
Probe Response Fuzzed Frame Detected
Honey Pot AP Detected
Soft AP or Host AP Detected
Spoofed MAC Address Detected
Suspicious After-Hours Traffic Detected
Unauthorized Association by Vendor List
Unauthorized Association Detected
Wellenreiter Detected
WiFi Protected Setup Pin Brute Force
WiFiTap Tool Detected
APPENDIX A Troubleshooting and Best Practices
Troubleshooting Cisco-compatible Extensions Version 5 Client Devices
Diagnostic Channel
Configuring the Diagnostic Channel
Web Auth Security on WLANs
Debug Commands
Debug Strategy
RF Heatmap Analysis
Best Practices
Troubleshooting RAID Card Configuration
Applying for a Cisco.com Account with Cryptographic Access
Performing Disk Cleanup
Checking on System Disk Usage
APPENDIX B Cisco Prime Infrastructure Server Hardening
Prime Infrastructure Password Handling
Setting Up SSL Certification
Setting Up SSL Client Certification
Setting Up SSL Server Certification
APPENDIX C Certificate Signing Request (CSR) Generation for a Third-Party Certificate on Cisco Prime Infrastructure
Prerequisites
Components Used
Certificate Signing Request (CSR)
Generating a Certificate
Importing a Certificate
Importing a Certificate and a Key
Importing Signed Certificates
Viewing the list of Certificates
Deleting Certificates
Related Publications
Troubleshooting
INDEX
Preface
The preface describes the audience, purpose and conventions of the Cisco Prime Infrastructure Classic
View Configuration Guide for Wireless Devices, Release 2.0, references related publications, and
explains how to obtain other documentation and technical assistance, if necessary. This preface contains
the following sections:
• Audience
• Purpose
• Conventions
• Related Publications
• Obtaining Documentation and Submitting a Service Request
Audience
This guide describes the Cisco Prime Infrastructure (Prime Infrastructure). It is meant for networking
professionals who use the Prime Infrastructure to manage a Cisco Unified Network Solution. To use this
guide, you should be familiar with the concepts and terminology associated with wired and wireless
LANs.
Purpose
This guide provides the information you need to manage a Cisco Unified Network Solution using the
Prime Infrastructure.
Conventions
This publication uses the following conventions to convey instructions and information:
• Commands and keywords are in boldface text.
• Variables are in italicized text.
• Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
• Option > Option: Used to select a series of menu options.
• Examples depict screen displays and the command line in screen font.
• Information you need to enter in examples is shown in boldface screen font.
Note
Means reader take note. Notes contain helpful suggestions or references to material not contained in the
manual.
Caution
Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Related Publications
For more information about the Prime Infrastructure and related products, see the following URL:
http://www.cisco.com/cisco/web/psa/default.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
CHAPTER 1
Cisco Prime Infrastructure Overview
The Cisco Prime Infrastructure is a network management tool that supports lifecycle management of
your entire network infrastructure from one graphical interface. Prime Infrastructure provides network
administrators with a single solution for provisioning, monitoring, optimizing, and troubleshooting both
wired and wireless devices. Robust graphical interfaces make device deployments and operations simple
and cost-effective.
Prime Infrastructure provides two different graphical user interfaces. You can switch between them
by clicking the downward arrow next to your login name:
• Lifecycle view, which is organized according to home, design, deploy, operate, report, and administer menus.
• Classic view, which closely corresponds to the graphical user interface in the Cisco Prime Network Control System 1.1 or Cisco Wireless Control System (WCS).
The Cisco Prime Infrastructure enables you to configure and monitor one or more controllers, switches
and associated access points. Prime Infrastructure includes the same configuration, performance
monitoring, security, fault management, and accounting options used at the controller level and adds a
graphical view of multiple controllers and managed access points.
On Linux, the Prime Infrastructure runs as a service, which runs continuously and resumes running after
a reboot.
Prime Infrastructure simplifies controller configuration and monitoring and reduces data entry errors.
Prime Infrastructure uses the industry-standard SNMP protocol to communicate with the controllers.
Prime Infrastructure also includes the Floor Plan editor, which allows you to do the following:
• Access vectorized bitmap campus, floor plan, and outdoor area maps.
• Add and change wall types.
• Import the vector wall format maps into the database.
The vector files allow the Cisco Prime Infrastructure RF Prediction Tool to make better RF predictions
based on more accurate wall and window RF attenuation values.
For information on browser requirements, see the Cisco Prime Infrastructure 2.0 Quick Start Guide.
This chapter describes the different components in Cisco Unified Network and contains the following
sections:
• Cisco Unified Network Components
• Access Point Communication Protocols
• Prime Infrastructure Services
Cisco Unified Network Components
The Cisco Unified Wireless Network (CUWN) solution is based on Wireless LAN Controllers running
Airespace Operating System. The wireless LAN controller models include 2100, 2500, 4400,
WiSM/WiSM2 (6500 service module), 5500, 7500, and 8500. In this solution, access points tunnel the
wireless traffic to the controllers through CAPWAP.
The Cisco Unified Access (UA) Wireless Solution is a new architecture that provides a converged model
where you can manage your wired and wireless network configurations in the same place. This solution
includes the 3850 series switch with integrated wireless support. The solution also includes the 5760
series wireless controller, which can act as an aggregation point for many 3850 switches. This platform
is based on IOS-XE, so the command structure is similar to other IOS products. In this solution, the
wireless traffic can terminate directly on the 3850 switch, so that it can be treated in a similar mode to a
wired connection on the switch. This section describes the different components in the Cisco Unified
Network and contains the following topics:
• Cisco Wireless LAN Controller
• Virtual LAN Controllers
• Access Points
Cisco Wireless LAN Controller
The Cisco Wireless LAN Controllers are highly scalable and flexible platforms that enable system-wide
services for mission-critical wireless in medium to large-sized enterprises and campus environments.
Designed for 802.11n performance and maximum scalability, the WLAN controllers offer enhanced
uptime with the ability to simultaneously manage from 5000 access points to 250 access points; superior
performance for reliable streaming video and toll quality voice; and improved fault recovery for a
consistent mobility experience in the most demanding environments.
Prime Infrastructure supports the Cisco wireless controllers that help reduce the overall operational
expense of Cisco Unified Networks by simplifying network deployment, operations, and management.
The following WLAN controllers are supported in the Prime Infrastructure:
• Cisco 2106 Wireless LAN Controllers
• Cisco 2500 Series Wireless Controllers
• Cisco 4400 Series Wireless LAN Controllers
• Cisco 5508 Series Wireless Controllers
• Cisco Wireless Services Modules (WiSMs) for Cisco Catalyst 6500 Series Switches
• Cisco Wireless Services Module 2 (WiSM2) for Cisco Catalyst 6500 Series Switches
• Cisco Flex 7500 Series Wireless Controllers
• Cisco Flex 8500 Series Wireless Controllers
• Cisco Service Module Wireless Controllers
• Cisco Virtual Wireless Controllers
• Cisco 5760 Series Wireless LAN Controller
• Cisco Catalyst 3850 Series Ethernet Stackable Switch
Virtual LAN Controllers
The virtual wireless LAN controller is software that can run on hardware that is compliant with an
industry standard virtualization infrastructure. Virtual Wireless LAN Controllers provide flexibility for
users to select the hardware based on their requirements.
When you view or configure the properties of a virtual wireless LAN controller using the controller
configuration page, the Prime Infrastructure displays the value of the Device Type as VWLC (Configure
> Controllers > IP address > Properties > Settings).
Features Not Supported by Virtual LAN Controllers
The following features are not supported by virtual LAN controllers:
• Data DTLS
• Cisco 600 Series OfficeExtend Access Points
• Wireless rate limiting
• Internal DHCP server
• Mobility/guest anchor
• Multicast-unicast mode
• PMIPv6
• Controller High Availability
• Outdoor mesh access points
Note
Outdoor AP in FlexConnect mode is supported.
Access Points
Prime Infrastructure supports the industry-leading performance access points for highly secure and
reliable wireless connections for both indoor and outdoor environments. Prime Infrastructure supports a
broad portfolio of access points targeted to the specific needs of all industries, business types, and
topologies.
The following access points are supported in the Prime Infrastructure:
• Cisco Aironet 801, 802, 1040, 1100, 1130, 1140, 1200, 1230, 1240, 1250, 1260, 1310, 1500, 1522,
1524, 1552, 2600i, 2600e, 3500i, 3500e, 3500p, 3600i, and 3600e Series Lightweight Access Points.
• Cisco Aironet 1040, 1100, 1130, 1141, 1142, 1200, 1240, 1250, and 1260.
• Cisco 600 Series OfficeExtend Access Points.
• Cisco Aironet Access Points running Lightweight Access Point Protocol (LWAPP) or Control and
Provisioning of Wireless Access Points (CAPWAP) protocol.
Embedded Access Points
Prime Infrastructure supports the AP801, which is the integrated access point on the Cisco 800 Series
Integrated Services Routers (ISRs). This access point uses a Cisco IOS software image that is separate
from the router Cisco IOS software image. It can operate as an autonomous access point that is
configured and managed locally, or it can operate as a centrally managed access point using CAPWAP
or LWAPP protocol. The AP801 is preloaded with both an autonomous Cisco IOS software release and
a recovery image for the unified mode.
When you want to use the AP801 with a controller, you must enable the recovery image for the unified
mode on the access point by entering the service-module wlan-ap 0 bootimage unified command on
the router in privileged EXEC mode.
Note
If the service-module wlan-ap 0 bootimage unified command does not work, make sure that
the software license is current.
After enabling the recovery image, enter the service-module wlan-ap 0 reload command on the router
to shut down and reboot the access point. After the access point reboots, it discovers the controller,
downloads the full CAPWAP or LWAPP software release from the controller, and acts as a lightweight
access point.
Note
To use the CLI commands mentioned previously, the router must be running Cisco IOS Release
12.4(20)T or later. If you experience any problems, see the “Troubleshooting an Upgrade or
Reverting the AP to Autonomous Mode” section in the Integrated Services Router configuration
guide at the following URL:
http://www.cisco.com/en/US/docs/routers/access/800/860-880-890/software/configuration/guide/admin_ap.html
To support CAPWAP or LWAPP, the router must be activated with at least the Cisco Advanced IP
Services IOS license-grade image. A license is required to upgrade to this Cisco IOS image on the router.
See the following URL for licensing information:
http://www.cisco.com/en/US/docs/routers/access/sw_activation/SA_on_ISR.html
After the AP801 boots up with the recovery image for the unified mode, it requires an IP address to
communicate with the controller and to download its unified image and configuration from the
controller. The router can provide DHCP server functionality, a DHCP pool through which the access
point can reach the controller, and option 43 set up for the controller IP address in the DHCP pool
configuration. Use the following configuration to perform this task.
ip dhcp pool pool_name
 network ip_address subnet_mask
 dns-server ip_address
 default-router ip_address
 option 43 hex controller_ip_address_in_hex
Example:
ip dhcp pool embedded-ap-pool
 network 209.165.200.224 255.255.255.224
 dns-server 209.165.200.225
 default-router 209.165.200.226
 ! single WLC IP address (209.165.201.0) in hex format, after type f1 and length 04
 option 43 hex f104.d1a5.c900
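The option 43 hex value in the pool configuration above is a type-length-value string: sub-option type f1, a one-byte length, then each controller address as four bytes. The following Python code is an added example, not part of the Cisco guide: it encodes and decodes that value, goes beyond the guide's single-controller case by handling several controllers, and checks a pool's value against an approved controller list. The function names, pool names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Sub-option type that precedes the length byte in the guide's "f104..." value.
WLC_SUBOPTION_TYPE = 0xF1


def encode_option43(controllers):
    """Build the IOS "option 43 hex" argument for one or more controller IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("controller list does not fit a one-byte length field")
    digits = (bytes([WLC_SUBOPTION_TYPE, len(payload)]) + payload).hex()
    # IOS writes the value as dot-separated groups of four hex digits.
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def decode_option43(value):
    """Parse an IOS-style hex string into controller addresses, validating the TLV."""
    cleaned = value.strip().replace(".", "").replace(":", "")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not valid hex: {value!r}") from exc
    if len(raw) < 2:
        raise ValueError("TLV header is truncated")
    sub_type, length, body = raw[0], raw[1], raw[2:]
    if sub_type != WLC_SUBOPTION_TYPE:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length != len(body):
        raise ValueError(f"length byte says {length}, but {len(body)} bytes follow")
    if length == 0 or length % 4:
        raise ValueError("payload is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def unapproved_controllers(value, approved):
    """Return the addresses carried in the option that are not on the approved list."""
    allowed = {ipaddress.IPv4Address(a) for a in approved}
    return [ip for ip in decode_option43(value)
            if ipaddress.IPv4Address(ip) not in allowed]


if __name__ == "__main__":
    approved = ["209.165.200.230", "209.165.200.231"]  # constructed allow-list
    pools = {  # constructed pool name -> configured option 43 value
        "pool-a": encode_option43(approved),
        "pool-b": "f108.d1a5.c8e6.0a0a.0a0f",  # second address is not approved
        "pool-c": "f108.d1a5.c8e6",            # length byte does not match payload
    }
    for name, value in pools.items():
        try:
            extra = unapproved_controllers(value, approved)
            status = "OK" if not extra else f"unapproved controllers: {extra}"
        except ValueError as err:
            status = f"malformed: {err}"
        print(f"{name}: {value} -> {status}")
```

Because an access point sends its discovery requests to whatever addresses this option carries, running such a check over exported DHCP pool configurations catches both typing errors in the hex string and controller addresses that were never approved.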
The AP801 802.11n radio supports power levels lower than the 802.11n radio in the Cisco Aironet 1250
series access points. The AP801 stores the radio power levels and passes them to the controller when the
access point joins the controller. The controller uses the supplied values to limit the user configuration.
The AP801 can be used in FlexConnect mode.
Note
For more information about AP801, see the documentation for the Cisco 800 Series ISRs at the
following URL:
http://www.cisco.com/en/US/products/hw/routers/ps380/tsd_products_support_series_home.html
Access Point Communication Protocols
In controller software Release 5.2 or later, Cisco lightweight access points use the IETF standard Control
and Provisioning of Wireless Access Points (CAPWAP) protocol to communicate between the controller
and other lightweight access points on the network. Controller software releases prior to 5.2 use the
Lightweight Access Point Protocol (LWAPP) for these communications.
CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that enables a controller to
manage a collection of wireless access points. CAPWAP is being implemented in controller software
Release 5.2 for the following reasons:
• To provide an upgrade path from Cisco products that use LWAPP to next-generation Cisco products
that use CAPWAP
• To manage RFID readers and similar devices
• To enable controllers to interoperate with third-party access points in the future
LWAPP-enabled access points are compatible with CAPWAP, and conversion to a CAPWAP controller
is seamless. For example, the controller discovery process and the firmware downloading process when
using CAPWAP are the same as when using LWAPP. The one exception is for Layer 2 deployments,
which are not supported by CAPWAP.
Deployments can combine CAPWAP and LWAPP software on the controllers. The CAPWAP-enabled
software allows access points to join either a controller running CAPWAP or LWAPP. The only
exception is the Cisco Aironet 1140 Series Access Point, which supports only CAPWAP and therefore
joins only controllers running CAPWAP.
Note
The Cisco Aironet 1140 series and 3500 series access points associate only with CAPWAP controllers
that run WLC versions 7.0 or later.
This section contains the following topics:
• Guidelines and Restrictions for Using CAPWAP
• WLAN Controller Autodiscovery
• The Controller Discovery Process
Guidelines and Restrictions for Using CAPWAP
• CAPWAP and LWAPP controllers cannot be used in the same mobility group. Therefore, client
mobility between CAPWAP and LWAPP controllers is not supported.
• If your firewall is currently configured to allow traffic only from access points using LWAPP, you
must change the rules of the firewall to allow traffic from access points using CAPWAP.
• Make sure that the CAPWAP ports are enabled and are not blocked by an intermediate device that
could prevent an access point from joining the controller.
• Any access control lists (ACLs) in your network might need to be modified if CAPWAP uses
different ports than LWAPP.
WLAN Controller Autodiscovery
Controller Autodiscovery is limited to the Cisco WLAN Solution mobility group subnets defined by the
operator.
The Cisco Wireless LAN Controller Autodiscovery:
• Allows operators to search for a single controller by IP address.
• Finds the controller on the network within the specified IP address range.
• Automatically enters the controller information into the Cisco Prime Infrastructure database.
Note
Controller Autodiscovery can take a long time in a Class C address range. Because of the large number
of addresses in a Class B or Class A range, we recommend that you do not attempt Autodiscovery across
Class B or Class A ranges.
As access points associate with a controller, the controller immediately transmits the access point
information to Cisco Prime Infrastructure, which automatically adds the access point to the database.
Once the access point information is added to the Cisco Prime Infrastructure database, operators can add
the access point to the appropriate spot on a Cisco Prime Infrastructure user interface map.
The Controller Discovery Process
In a CAPWAP environment, a lightweight access point discovers a controller by using CAPWAP
discovery mechanisms and then sends it a CAPWAP join request. The controller sends the access point
a CAPWAP join response allowing the access point to join the controller. When the access point joins
the controller, the controller manages its configuration, firmware, control transactions, and data
transactions.
Lightweight access points must be discovered by a controller before they can become an active part of
the network. The lightweight access points support the following controller discovery processes:
• Layer 3 CAPWAP or LWAPP discovery—Can occur on different subnets from the access point and
uses IP addresses and UDP packets rather than the MAC addresses used by Layer 2 discovery.
• Over-the-air provisioning (OTAP)—This feature is supported by Cisco 4400 series controllers. If
this feature is enabled on the controller (in the controller General page), all associated access points
transmit wireless CAPWAP or LWAPP neighbor messages, and new access points receive the
controller IP address from these messages. This feature is disabled by default and should remain
disabled when all access points are installed.
• Locally stored controller IP address discovery—If the access point was previously associated to a
controller, the IP addresses of the primary, secondary, and tertiary controllers are stored in the
non-volatile memory of an access point. This process of storing controller IP addresses on access
points for later deployment is called priming the access point.
• DHCP server discovery—This feature uses DHCP option 43 to provide controller IP addresses to
the access points. Cisco switches support a DHCP server option that is typically used for this
capability.
• DNS discovery—The access point can discover controllers through your domain name server
(DNS). For the access point to do so, you must configure your DNS to return controller IP addresses
in response to CISCO-CAPWAP-CONTROLLER.localdomain or
CISCO-LWAPP-CONTROLLER.localdomain, where localdomain is the access point domain name.
When an access point receives an IP address and DNS information from a DHCP server, it contacts
the DNS to resolve CISCO-CAPWAP-CONTROLLER.localdomain or
CISCO-LWAPP-CONTROLLER.localdomain. When the DNS sends a list of controller IP
addresses, the access point sends discovery requests to the controllers.
Prime Infrastructure Services
The IT departments within organizations are tasked with meeting increased bandwidth and performance
demands and managing a proliferation of new mobile devices, while guaranteeing network access,
availability, and regulatory compliance.
Cisco and its partners can work with IT staff to assist with migration to the Cisco Unified Network,
making it easier to manage a secure, high-performance, and integrated wired and wireless network that
incorporates rich media and diverse mobile devices, including Wi-Fi-enabled phones and tablets.
This section describes the services provided by the Prime Infrastructure and contains the following
topics:
• Cisco Context-Aware Service Solution
• Cisco Identity Service Engine Solution
• Cisco Adaptive Wireless Intrusion Prevention Service
Cisco Context-Aware Service Solution
Context-Aware Service (CAS) provides the capability for a Wi-Fi 802.11a/b/g/n network to determine
the location of a person or object with an active Wi-Fi device, such as a wireless client or active RFID
tag and/or associated data that can be passed by the end point through the wireless infrastructure to an
upstream client.
Context-Aware Service (CAS) allows a mobility services engine (MSE) to simultaneously track
thousands of mobile assets and clients by retrieving contextual information such as location and
availability from Cisco access points.
The collected contextual information can be viewed in GUI format in the Prime Infrastructure User
Interface, the centralized WLAN management platform. Prime Infrastructure is the management system
that interfaces with the MSE and serves the user interface (UI) for the services that the MSE provides.
After the MSE installation and initial configurations are complete, the MSE can communicate with
multiple Cisco wireless LAN controllers to collect operator-defined contextual information. You can
then use the associated Prime Infrastructure to communicate with each MSE to transfer and display
selected data.
You can configure the MSE to collect data for clients, switches, rogue access points, rogue clients,
mobile stations, and active RFID asset tags.
With Context-Aware Location Services, administrators can determine the location of any 802.11-based
device, as well as the specific type or status of each device. Clients (associated, probing, and so on),
rogue access points, rogue clients, and active tags can all be identified and located by the system. See
the Context-Aware Mobility Solution Deployment Guide for more information.
Note
One MSE can be managed by only one Prime Infrastructure, that is, a single MSE cannot be
managed by more than one Prime Infrastructure, but a single Prime Infrastructure can manage
multiple MSEs. When the number of devices to be managed exceeds the capacity of a single
MSE, you need to deploy multiple, independent MSEs.
Cisco Identity Service Engine Solution
The Cisco Identity Services Engine (ISE) is a next-generation identity and policy-based network access
platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline
their service operations.
The Cisco ISE provides a single console where authentication, authorization, posture, guest, and
profiling policies can be created and managed. In addition, policy elements can now be reused across all
services, reducing the number of tasks and overhead and bringing consistency to the enterprise.
The Cisco ISE gathers information from devices, the infrastructure, and services to enable organizations
to build richer contextual policies that can be enforced centrally across the network. The ISE tracks all
clients and devices connected to the network, acting as a single source of information for connected user
and device identity and location, as well as the health of the endpoint.
The ability to discover, identify, and monitor all IP-enabled endpoint devices gives IT teams complete
visibility of both users and “headless” devices on the corporate network.
The Cisco ISE combines AAA, posture, profiling, and guest management capabilities in a single
appliance to enforce dynamic access control. The Identity Services Engine can be deployed across the
enterprise infrastructure, supporting 802.1x wired, wireless, and VPN networks.
Prime Infrastructure manages the wired and the wireless clients in the network. When Cisco ISE is used
as a RADIUS server to authenticate clients, the Prime Infrastructure collects additional information
about these clients from Cisco ISE and makes all client-relevant information visible in a single
Prime Infrastructure console.
When posture profiling is enforced in the network, the Prime Infrastructure talks to Cisco ISE to get the
posture data for the clients and displays it along with other client attributes. When Cisco ISE is used to
profile the clients or an endpoint in the network, the Prime Infrastructure collects the profiled data to
determine what type of client it is, whether it is an iPhone, iPad, an Android device, or any other device.
Cisco ISE assists the Prime Infrastructure in monitoring and troubleshooting client information, and
displays all the relevant information for a client in a single console.
Cisco Adaptive Wireless Intrusion Prevention Service
Maintain a constant awareness of your RF environment to minimize legal liability, protect your brand
reputation, and assure regulatory compliance.
Cisco Adaptive Wireless Intrusion Prevention System (IPS) offers advanced network security for
dedicated monitoring and detection of wireless network anomalies, unauthorized access, and RF attacks.
Fully integrated with the Cisco Unified Network, this solution delivers integrated visibility and control
across the network, without the need for an overlay solution.
Cisco Adaptive Wireless Intrusion Prevention Service (wIPS) performs rogue access point, rogue client,
and ad-hoc connection detection and mitigation, over-the-air wireless hacking and threat detection,
security vulnerability monitoring, performance monitoring and self-optimization, network hardening for
proactive prevention of threats and complete wireless security management and reporting.
Cisco wIPS is made up of the following components that work together to provide a unified security
monitoring solution:
• Mobility services engine (MSE) running wIPS software—Serves as the central point of alarm
aggregation for all controllers and their respective wIPS monitor mode access points. Alarm
information and forensic files are stored on the mobility services engine for archival purposes.
• A wIPS monitor mode access point—Provides constant channel scanning with attack detection and
forensics (packet capture) capabilities.
• Local mode access point—Provides wireless service to clients in addition to time-sliced rogue
scanning.
• Wireless LAN Controller—Forwards attack information received from wIPS monitor mode access
points to the mobility services engine and distributes configuration parameters to access points.
• Prime Infrastructure—Provides a centralized management platform for the administrator to
configure the wIPS Service on the mobility services engine, push wIPS configurations to the
controller, and configure access points in wIPS monitor mode. Prime Infrastructure is also used to
view wIPS alarms, forensics, reporting, and to access the attack encyclopedia.
CHAPTER 2
Getting Started
Cisco Prime Infrastructure is an application used to configure, manage, and monitor the wired and
wireless networks. The Prime Infrastructure home page is the landing page, displaying real-time
monitoring and troubleshooting data. The navigation tabs and menus at the top of the page provide
point-and-click access to all other administration features. The Prime Infrastructure home page allows
you to:
• Create and configure Cisco Unified Network Solution coverage area layouts, configure system
operating parameters, monitor real-time Cisco Unified Network Solution operations, and
perform troubleshooting tasks using an HTTPS web browser page.
• Create, modify, and delete user accounts; change passwords; assign permissions; and schedule
periodic maintenance tasks. The administrator creates new usernames and passwords and assigns
them to predefined permissions groups.
• Perform all necessary network administration tasks from one page.
The Prime Infrastructure user interface provides an integrated network administration console from which
you can manage various devices and services. These include wired and wireless devices, and clients. The
services might include authentication, authorization, profiler, location and mobility services,
monitoring, troubleshooting, and reporting. All of these devices and services can be managed from a
single console called the Prime Infrastructure home page.
This section describes the Prime Infrastructure user interface page and contains the following topics:
• Menu Bar
• Global Toolbar
Menu Bar
The primary form of navigation used in the Prime Infrastructure is the menu located at the top of the
Prime Infrastructure page. Administrators can monitor and perform various tasks from this menu. This
menu is an easy-access, pop-up menu that provides quick access to the submenus that are associated with
the primary menu. Hover your mouse cursor over any menu title to access the associated menu. Clicking
the menu title takes you directly to the feature page.
The following table describes the high-level task areas or menus available in Prime Infrastructure.
Table 2-1 Prime Infrastructure High-Level Menus
Menu | Description | Used By
Home | View dashboards, which give you a quick view of devices, performance information, and various incidents. See Dashboards and Dashlets for more information. | Network Engineers
Monitor | Monitor your network on a daily basis and perform other day-to-day or ad hoc operations related to network devices (controllers, switches, access points, clients, tags, chokepoints, Wi-Fi TDOA receivers) and configuration management. You can also monitor maps, Google Earth maps, RRM, alarms, and events. | Network Engineers, NOC Operators, and Service Operators
Configure | Configure templates, controllers, access points, switches, chokepoints, Wi-Fi TDOA receivers, config groups, auto provisioning, scheduled configuration tasks, profiles, ACS view servers, and TFTP servers on your network. | Network Engineers, Designers, and Architects
Services | Manage mobility services including mobility services engines and identity service engines. | Service Operators
Reports | Create reports, view saved report templates, and run scheduled reports. | Network Engineers, NOC Operators, and Service Operators
Administration | Specify system configuration settings and data collection settings, and manage access control. You can view and approve jobs, specify health rules, and manage licenses. | Network Engineers
Global Toolbar
The Global toolbar is always available at the bottom of the Prime Infrastructure page, providing
instantaneous access to the tools, Prime Infrastructure online Help system, and a summary of alarm
notifications. Hover your mouse cursor over the Help icon to access the available online Help (see
Figure 2-1).
Hover your mouse cursor over the Alarms Browser to display the summarized Alarms page, with a list
of recent system alarms and the ability to filter for alarms of a specific nature. You can also drill down
for detailed information on individual alarms. For more information on Alarms, see the “Alarm
Summary” section on page 2-13.
Figure 2-1 Global Toolbar
This section contains the following topics:
• Tools
• Help
• Alarm Summary
Tools
The Tools menu provides access to the Voice Audit, Location Accuracy Tools, Configuration Audit,
Migration Analysis, and TAC Case Attachment features of the Prime Infrastructure.
Help
The Help menu allows you to access online help and learning modules, submit feedback, and verify the
current version of the Prime Infrastructure. The Help icon is located in the bottom left corner of the
Global Toolbar in the Prime Infrastructure page. The Help menu provides quick access to the comprehensive
online Help for the Prime Infrastructure.
The following submenu options are available from the Help drop-down menu:
• Online Help—Enables you to view online Help. The online Help is context sensitive and opens
documentation for the Prime Infrastructure window that you currently have open.
• Learning Modules—Allows you to access short video clips of certain Prime Infrastructure features.
To learn more about the Cisco Prime Infrastructure features and functionality, go to Cisco.com to
watch multimedia presentations about the Prime Infrastructure configuration workflow, monitoring,
troubleshooting, and more. Over future releases, more overview and technical presentations will be
added to enhance your learning.
• MSE Installation Guide—Provides links to the MSE installation section.
• Submit Feedback—Allows you to access a page where you can enter feedback about the Prime
Infrastructure.
• Help Us Improve Cisco Products—Allows you to enable and give permission for the automatic
collection of data about how you and your organization use your Cisco wireless products. This data is
useful to improve product performance and usability. The data is automatically collected and sent
to Cisco in encrypted form. The data might contain information about your organization, and it is not
shared or used outside of Cisco.
Note
To get the automated feedback enabled, you must configure your Mail Server Configuration by
choosing Administration > Settings > Mail Server Configuration.
• About Cisco Prime Infrastructure—Allows you to verify the version of the Prime Infrastructure that
you are running. It provides the version number, hostname, feature, AP limit, and license type.
Alarm Summary
The Alarm Summary launches the alarm summary window that displays all alarms and indicates the
number of critical, major, and minor alarms.
For information on other Prime Infrastructure user interface components such as dashboards and
dashlets, filters, data entry features, 360° view, and search methods, see the Prime Infrastructure User
Interface Reference appendix in the Cisco Prime Infrastructure 2.0 User Guide.
For information on system requirements, licenses, and setting up and starting Prime Infrastructure, see
the Cisco Prime Infrastructure 2.0 Quick Start Guide.
CHAPTER 3
Configuring Security Solutions
This chapter describes the security solutions for wireless LANs. It contains the following sections:
• Cisco Unified Wireless Network Solution Security
• Interpreting the Security Dashboard
• Rogue Access Points, Ad hoc Events, and Clients
• Rogue Access Point Location, Tagging, and Containment
• Security Overview
• Switch Port Tracing
• Using Prime Infrastructure to Convert a Cisco Unified Wireless Network Solution from Layer 3 to
Layer 2 Mode
• Configuring a Firewall for Prime Infrastructure
• Access Point Authorization
• Management Frame Protection (MFP)
• Configuring Intrusion Detection Systems (IDS)
• Configuring IDS Signatures
• Enabling Web Login
• Certificate Signing Request (CSR) Generation
Cisco Unified Wireless Network Solution Security
The Cisco Unified Wireless Network Solution bundles potentially complicated Layer 1, Layer 2, and
Layer 3 802.11 access point security components into a simple policy manager that customizes
system-wide security policies on a per wireless LAN basis. It provides simple, unified, and systematic
security management tools.
One of the challenges to wireless LAN deployment in the enterprise is Wired Equivalent Privacy (WEP)
encryption, which is a weak standalone encryption method. A more recent problem is the availability of
low-cost access points that can be connected to the enterprise network and used to mount
man-in-the-middle and denial of service attacks. Also, the complexity of add-on security solutions has
prevented many IT managers from embracing the benefits of the latest advances in wireless LAN
security.
This section contains the following topics:
• Layer 1 Solutions
• Layer 2 Solutions
• Layer 3 Solutions
• Single Point of Configuration Policy Manager Solutions
• Rogue Access Point Solutions
Layer 1 Solutions
The Cisco Unified Wireless Network Solution operating system security solution ensures that all clients
gain access within an operator-set number of attempts. Should a client fail to gain access within that
limit, it is automatically excluded (blocked from access) until the operator-set timer expires. The
operating system can also disable SSID broadcasts on a per wireless LAN basis.
Layer 2 Solutions
If a higher level of security and encryption is required, the network administrator can also implement
industry-standard security solutions such as 802.1X dynamic keys with Extensible Authentication
Protocol (EAP) or Wi-Fi Protected Access (WPA) dynamic keys. The Cisco Unified Wireless Network
Solution WPA implementation includes Advanced Encryption Standard (AES), Temporal Key Integrity
Protocol + message integrity code checksum (TKIP + Michael MIC) dynamic keys, or static WEP keys.
Disabling is also used to automatically block Layer 2 access after an operator-set number of failed
authentication attempts.
Regardless of the wireless security solution selected, all Layer 2 wired communications between
controllers and access points are secured by passing data through Lightweight Access Point Protocol
(LWAPP) tunnels.
Layer 3 Solutions
The WEP problem can be further solved using industry-standard Layer 3 security solutions such as
Virtual Private Networks (VPNs).
The Cisco Unified Wireless Network Solution supports local and RADIUS Media Access Control
(MAC) filtering. This filtering is best suited to smaller client groups with a known list of 802.11 access
card MAC addresses. The Cisco Unified Wireless Network Solution also supports local and RADIUS
user/password authentication. This authentication is best suited to small to medium client groups.
Single Point of Configuration Policy Manager Solutions
When the Cisco Unified Wireless Network Solution is equipped with the Cisco Prime Infrastructure, you
can configure system-wide security policies on a per wireless LAN basis. Small office, home office
(SOHO) access points force you to individually configure security policies on each access point or use
a third-party appliance to configure security policies across multiple access points. Because the Cisco
Unified Wireless Network Solution security policies can be applied across the whole system from the
Prime Infrastructure, errors can be eliminated, and the overall effort is greatly reduced.
Rogue Access Point Solutions
This section describes security solutions for rogue access points and contains the following topics:
• Rogue Access Point Challenges
• Tagging and Containing Rogue Access Points
• Securing Your Network Against Rogue Access Points
Rogue Access Point Challenges
Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using plain
text, other denial of service, or man-in-the-middle attacks. That is, a hacker can use a rogue access point
to capture sensitive information, such as passwords and usernames. The hacker can then transmit a series
of clear-to-send (CTS) frames, which mimics an access point informing a particular wireless LAN client
adapter to transmit and instructing all others to wait. This scenario results in legitimate clients being
unable to access the wireless LAN resources. Thus, wireless LAN service providers have a strong
interest in banning rogue access points from the air space.
The operating system security solution uses the Radio Resource Management (RRM) function to
continuously monitor all nearby access points, automatically discover rogue access points, and locate
them as described in the “Tagging and Containing Rogue Access Points” section on page 3-17.
Tagging and Containing Rogue Access Points
When the Cisco Unified Wireless Network Solution is monitored using the Prime Infrastructure, the
Prime Infrastructure generates the flags as rogue access point traps and displays the known rogue access
points by MAC address. The operator can then display a map showing the location of the access points
closest to each rogue access point. The next step is to mark them as Known or Acknowledged rogue
access points (no further action), Alert rogue access points (watch for and notify when active), or
Contained rogue access points (have between one and four access points discourage rogue access point
clients by sending the clients deauthenticate and disassociate messages whenever they associate with the
rogue access point).
Securing Your Network Against Rogue Access Points
You can secure your network against any rogue access points and disallow access point attacks for those
access points not defined in the MAC filter list.
To set up MAC filtering, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Click the IP address for which you want to enter MAC filters.
Step 3 Choose Security > AAA > MAC Filtering from the left sidebar menu. The MAC Filtering page appears.
The RADIUS compatibility mode, MAC delimiter, MAC address, profile name, interface, and
description appear.
Step 4 If you want to set the same configuration across multiple devices, you can choose Add MAC Filter from
the Select a command drop-down list, and click Go. If a template exists, you can apply it. If you need to
create a template, you can click the URL to get redirected to the template creation page.
Note
The ability to join a controller without specification within a MAC filter list is only supported
on mesh access points.
Step 5 To make changes to the profile name, interface, or description, click a specific MAC address in the MAC
Address column.
Interpreting the Security Dashboard
Because unauthorized rogue access points are inexpensive and readily available, employees sometimes
plug them into existing LANs and build ad hoc wireless networks without IT department knowledge or
consent. These rogue access points can be a serious breach of network security because they can be
plugged into a network port behind the corporate firewall. Because employees generally do not enable
any security settings on the rogue access point, it is easy for unauthorized users to use the access point
to intercept network traffic and hijack client sessions. Even more alarming, wireless users frequently
publish insecure access point locations, increasing the odds of having the enterprise security breached.
Rather than having a person with a scanner manually detect rogue access points, the Cisco Unified
Wireless Network Solution automatically collects information on rogue access points detected by its
managed access points (by MAC and IP address) and allows the system operator to locate, tag, and
contain them. It can also be used to discourage rogue access point clients by sending them deauthenticate
and disassociate messages from one to four access points.
For a summary of existing events and the security state of the network, click the Security dashboard
from the Prime Infrastructure home page.
This section describes the Security dashboard dashlets and contains the following topics:
• Security Index
• Malicious Rogue Access Points
• Adhoc Rogues
• CleanAir Security
• Unclassified Rogue Access Points
• Friendly Rogue Access Points
• Access Point Threats or Attacks
• MFP Attacks
• Attacks Detected
You can customize the order of information you want the Security dashboard to display. You can move
the dashlets to change the order. Use the Edit Dashlet icon to customize the information displayed in the
dashlet. You can change the dashlet title, enable refresh, and set the refresh time interval using the Edit
Dashlet icons.
Security Index
The Security Index dashlet indicates the security of the Prime Infrastructure managed network, and it is
calculated as part of daily background tasks. It is calculated by assigning weight to the various security
configurations and displaying it in visual form. The combined weighting can vary from 0 to 100 where
0 signifies the least secured and 100 is the maximum secured. The weighting comes from the lowest
scoring controller and the lowest scoring Location Server/Mobility Service Engine related security
configurations that are maintained within the Prime Infrastructure itself. The Security Index of the Prime
Infrastructure managed network is equal to the lowest scoring controller plus the lowest scoring Location
Service/Mobility Service Engine.
The security thermometer color range is represented as follows:
• Above or equal to 80 - Green
• Below 80 but greater than or equal to 60 - Yellow
• Below 60 - Red
Note
Guest WLANs are excluded from the WLANs. A WLAN that has web authentication or web
passthrough enabled is identified as a guest WLAN.
The security index of the latest release is the benchmark for the required security configurations. For
example, if AES encryption was not present in an earlier version of code, the index is reduced by the
number associated with the AES encryption security configuration. Likewise, if new security
configurations are introduced, the weighting would be altered.
Note
The configurations stored in the Prime Infrastructure might not match the latest configurations on the
controllers unless the Refresh from Controller command is run from the Prime Infrastructure.
You can run Security Index calculations from the Configuration Sync task to get the latest
configuration data from all the controllers.
Malicious Rogue Access Points
This dashlet provides information on rogue access points that are classified as Malicious. Table 3-1
describes the various parameters. For each of these parameters, a value is provided for last hour, last 24
hours, and total active. If you click an underlined number in any of the time period categories, a page
with further information appears.
Note
Malicious access points are detected as untrusted or unknown access points with a malicious intent
within the system. They also refer to access points that fit the user-defined malicious rules or have been
manually moved from the friendly access point classification.
Table 3-1 Malicious Rogue AP Details
Field | Description
Alert | Indicates the number of rogues in an alert state. Note: An access point is moved to Alert if it is not on the neighbor list or part of the user-configured Friendly AP list.
Contained | Indicates the number of contained rogues.
Threat | Indicates the number of threat rogues.
Contained Pending | Indicates the number of contained rogues pending. Note: Contained Pending indicates that the containment action is delayed due to unavailable resources.
Adhoc Rogues
The Adhoc Rogues dashlet displays the rogues that have occurred in the last hour, last 24 hours, and the
total active. Table 3-2 describes the various parameters. If you click the number in any of these columns,
a page with further information appears.
Note
The Adhoc Rogue state is displayed as Alert when first scanned by the controller or as Pending
when operating system identification is underway.
Table 3-2 Ad hoc Rogues
Field | Description
Alert | Indicates the number of ad hoc rogues in an alert state. Note: An access point is moved to Alert if it is not on the neighbor list or part of the user-configured Friendly AP list.
Contained | Indicates the number of contained rogues.
Threat | Indicates the number of threat rogues.
Contained Pending | Indicates the number of contained rogues pending. Note: Contained pending indicates that the containment action is delayed due to unavailable resources.
CleanAir Security
This dashlet provides information on CleanAir security, including the security-risk devices active
during the last hour, the last 24 hours, and the total active security-risk devices on the wireless
network.
The following information is displayed:
• Severity
• Failure Source
• Owner
• Date/Time
• Message
• Acknowledged
To learn more about the security-risk interferers, see the “Monitoring CleanAir Security Alarms” section
on page 5-139.
Unclassified Rogue Access Points
Table 3-3 describes the unclassified rogue access point parameters. For each of these parameters, a value
is provided for last hour, last 24 hours, and total active. If you click an underlined number in any of the
time period categories, a page with further information appears.
Note
An unclassified rogue access point refers to a rogue access point that is not classified as either
malicious or friendly. These access points can be contained and can be moved manually to the
friendly rogue access point list.
Table 3-3 Unclassified Rogue Access Points
Field | Description
Alert | Number of unclassified rogues in alert state. Rogue access point radios appear as Alert when first scanned by the controller or as Pending when operating system identification is underway.
Contained | Number of contained unclassified rogues.
Contained Pending | Number of contained unclassified rogues pending.
Friendly Rogue Access Points
This dashlet provides information on rogue access points that are classified as friendly. Table 3-4
describes the various parameters. For each of these parameters, a value is provided for last hour, last 24
hours, and total active. If you click an underlined number in any of the time period categories, a page
with further information appears.
Note
Friendly rogue access points are known, acknowledged, or trusted access points. They also refer to
access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points
cannot be contained.
Table 3-4 Friendly Rogue AP Details
Field | Description
Alert | Indicates the number of rogues in an alert state. Note: An access point is moved to Alert if it is not on the neighbor list or part of the user-configured Friendly AP list.
Internal | Indicates the number of internal access points. Note: Internal indicates that the detected access point is inside the network and has been manually configured as Friendly Internal.
External | Indicates the number of external access points. Note: External indicates that the detected access point is outside of the network and has been manually configured as Friendly - External.
Access Point Threats or Attacks
Table 3-5 describes the AP Threats or Attacks parameters. For each of these parameters, a value is
provided for last hour, last 24 hours, and total active. If you click an underlined number in any of the
time period categories, a page with further information appears.
Table 3-5 AP Threats/Attacks
Field | Description
Fake Attacks | Number of fake attacks.
AP Missing | Number of missing access points.
AP Impersonation | Number of access point impersonations.
AP Invalid SSID | Number of invalid access point SSIDs.
AP Invalid Preamble | Number of invalid access point preambles.
AP Invalid Encryption | Number of invalid access point encryption.
AP Invalid Radio Policy | Number of invalid access point radio policies.
Denial of Service (NAV related) | Number of Denial of Service (NAV related) requests.
AP Detected Duplicate IP | Number of detected duplicate access point IPs.
MFP Attacks
A value is provided for Infrastructure and client MFP attacks in the last hour, last 24 hours, and total
active. If you click an underlined number in any of the time period categories, a page with further
information appears.
Attacks Detected
A value is provided for wIPS Denial of Service and wIPS Security Penetration attacks and custom
signature attacks for the past hour, past 24 hours, and total active. If you click an underlined number in
any of the time period categories, a page with further information appears.
Recent Rogue AP Alarms
A value is provided for the five most recent rogue alarms. Click the number in parentheses to access the
Alarms page. Then click an item under MAC address to view alarm details.
Recent Adhoc Rogue Alarm
Displays the five most recent ad hoc rogue alarms. Click the number in parentheses to access the Alarms
page. Click an item under MAC address to view ad hoc details.
Most Recent Security Alarms
Displays the five most recent security alarms. Click the number in parentheses to access the Alarms
page.
Rogue Access Points, Ad hoc Events, and Clients
This section describes security solutions for rogue devices. A rogue device is an unknown access point
or client that is detected by managed access points in your network.
Controllers continuously monitor all nearby access points and automatically discover and collect
information on rogue access points and clients. When a controller discovers a rogue access point, it uses
the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your network.
Note
Prime Infrastructure consolidates all of the rogue access point data of the controller.
You can configure controllers to use RLDP on all access points or only on access points configured for
monitor (listen-only) mode. The latter option facilitates automated rogue access point detection in a
crowded RF space, allowing monitoring without creating unnecessary interference and without affecting
regular data access point functionality. If you configure a controller to use RLDP on all access points,
the controller always chooses the monitor access point for RLDP operation if a monitor access point and
a local (data) access point are both nearby. If RLDP determines that the rogue is on your network, you
can choose to either manually or automatically contain the detected rogue.
This section contains the following topics:
• Classifying Rogue Access Points
• Rogue Access Point Classification Types
• Adhoc Rogue
Classifying Rogue Access Points
Classification and reporting of rogue access points occurs through the use of rogue states and
user-defined classification rules that enable rogues to automatically move between states. You can create
rules that enable the controller to organize and display rogue access points as Friendly, Malicious, or
Unclassified.
Note
Prime Infrastructure consolidates all of the rogue access point data of the controller.
By default, none of the classification rules are enabled. Therefore, all unknown access points are
categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the
unclassified access points are reclassified. Whenever you change a rule, it is applied to all access points
(friendly, malicious, and unclassified) in the Alert state only.
Note
Rule-based rogue classification does not apply to ad hoc rogues and rogue clients.
Note
The 5500 series controllers support up to 2000 rogues (including acknowledged rogues); the 4400 series
controllers, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch support up to
625 rogues; and the 2100 series controllers and Controller Network Module for Integrated Services
Routers support up to 125 rogues. Each controller limits the number of rogue containments to three per
radio (or six per radio for access points in monitor mode).
When the controller receives a rogue report from one of its managed access points, it responds as
follows:
1. The controller checks whether the unknown access point is in the friendly MAC address list. If it is, the
controller classifies the access point as Friendly.
2. If the unknown access point is not in the friendly MAC address list, the controller starts applying
rogue classification rules.
3. If the rogue is already classified as Malicious, Alert or Friendly, Internal or External, the controller
does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it
automatically only if the rogue is in the Alert state.
4. The controller applies the first rule based on priority. If the rogue access point matches the criteria
specified by the rule, the controller classifies the rogue according to the classification type
configured for the rule.
5. If the rogue access point does not match any of the configured rules, the controller classifies the
rogue as Unclassified.
6. The controller repeats the previous steps for all rogue access points.
7. If RLDP determines that the rogue access point is on the network, the controller marks the rogue
state as Threat and classifies it as Malicious automatically, even if no rules are configured. You can
then manually contain the rogue (unless you have configured RLDP to automatically contain the
rogue), which would change the rogue state to Contained. If the rogue access point is not on the
network, the controller marks the rogue state as Alert, and you can manually contain the rogue.
8. If desired, you can manually move the access point to a different classification type and rogue state.
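The automatic part of this sequence (steps 1 through 7) can be modelled as a small decision function. This Python sketch is an added example, not Cisco code: the Rogue and Rule types, the rule conditions, and the sample MAC addresses and SSIDs are constructed. It assumes that step 3 means "Malicious in the Alert state, or Friendly in the Internal or External state", that a lower priority number is applied first, and that the RLDP result only changes rogues still in the Alert state.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

FRIENDLY, MALICIOUS, UNCLASSIFIED = "Friendly", "Malicious", "Unclassified"


@dataclass
class Rogue:
    mac: str
    ssid: str = ""
    rssi_dbm: int = -90
    classification: str = UNCLASSIFIED   # default while no rule is enabled
    state: str = "Alert"


@dataclass
class Rule:
    priority: int                        # assumption: lower number is applied first
    classification: str                  # type assigned when the rule matches
    condition: Callable[[Rogue], bool]   # hypothetical match condition
    enabled: bool = True


def auto_reclassifiable(r: Rogue) -> bool:
    """Step 3: decide whether the controller may reclassify on its own."""
    if (r.classification, r.state) == (MALICIOUS, "Alert"):
        return False
    if r.classification == FRIENDLY and r.state in ("Internal", "External"):
        return False
    return r.state == "Alert"            # anything else only while in Alert


def classify(r: Rogue, friendly_macs: Iterable[str], rules: Iterable[Rule],
             rldp_on_network: Optional[bool] = None) -> Rogue:
    """Apply steps 1-7 to one rogue report and return the updated rogue."""
    if r.mac.lower() in {m.lower() for m in friendly_macs}:       # step 1
        r.classification = FRIENDLY
        return r
    if auto_reclassifiable(r):                                    # steps 2-3
        r.classification = UNCLASSIFIED                           # step 5 fallback
        active = sorted((x for x in rules if x.enabled), key=lambda x: x.priority)
        for rule in active:                                       # step 4
            if rule.condition(r):
                r.classification = rule.classification
                break                                             # first match wins
    if rldp_on_network and r.state == "Alert":                    # step 7
        r.classification, r.state = MALICIOUS, "Threat"
    return r


# Constructed sample data: MACs, SSIDs and rule conditions are illustrative only.
FRIENDLY_MACS = ["00:11:22:33:44:55"]
RULES = [
    Rule(1, MALICIOUS, lambda r: r.ssid == "corp-wlan"),  # advertises the managed SSID
    Rule(2, FRIENDLY, lambda r: r.rssi_dbm < -80),        # weak, distant neighbour
]


def demo():
    reports = [
        Rogue("00:11:22:33:44:55", "lab"),                               # on friendly list
        Rogue("02:00:00:00:00:01", "corp-wlan", -85),                    # matches both rules
        Rogue("02:00:00:00:00:02", "cafe", -60),                         # matches no rule
        Rogue("02:00:00:00:00:03", "corp-wlan", -60, FRIENDLY, "External"),
        Rogue("02:00:00:00:00:04", "corp-wlan", -60, UNCLASSIFIED, "Contained"),
    ]
    out = [classify(r, FRIENDLY_MACS, RULES) for r in reports]
    # No rules configured, but RLDP reports the rogue on the wired network.
    out.append(classify(Rogue("02:00:00:00:00:05", "cafe", -60),
                        FRIENDLY_MACS, [], rldp_on_network=True))
    return [(r.mac[-2:], r.classification, r.state) for r in out]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The fourth and fifth sample rogues keep their manual tags even though the higher-priority rule matches them, which is the behaviour step 3 describes.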
As mentioned previously, the controller can automatically change the classification type and rogue state
of an unknown access point based on user-defined rules, or you can manually move the unknown access
point to a different classification type and rogue state. Table 3-6 shows the allowable classification types
and rogue states from and to which an unknown access point can be configured.
Table 3-6 Allowable Classification Type and Rogue State Transitions
From | To
Friendly (Internal, External, Alert) | Malicious (Alert)
Friendly (Internal, External, Alert) | Unclassified (Alert)
Friendly (Alert) | Friendly (Internal, External)
Malicious (Alert, Threat) | Friendly (Internal, External)
Malicious (Contained, Contained Pending) | Malicious (Alert)
Unclassified (Alert, Threat) | Friendly (Internal, External)
Unclassified (Contained, Contained Pending) | Unclassified (Alert)
Unclassified (Alert) | Malicious (Alert)
If the rogue state is Contained, you have to uncontain the rogue access point before you can change the
classification type. If you want to move a rogue access point from Malicious to Unclassified, you must
delete the access point and allow the controller to reclassify it.
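A change-control script can check a requested manual move against Table 3-6 before anyone touches the controller. The Python below is an added example, not Cisco code: is_allowed, plan_move and review are hypothetical names and the change requests are constructed. It encodes the eight table rows, the uncontain-first requirement, and the delete-and-reclassify rule for Malicious to Unclassified.

```python
from typing import List, Optional, Tuple

Node = Tuple[str, str]                       # (classification type, rogue state)
CONTAINED = ("Contained", "Contained Pending")

# Table 3-6, one entry per row: (from type, from states, to type, to states).
TABLE_3_6 = [
    ("Friendly", ("Internal", "External", "Alert"), "Malicious", ("Alert",)),
    ("Friendly", ("Internal", "External", "Alert"), "Unclassified", ("Alert",)),
    ("Friendly", ("Alert",), "Friendly", ("Internal", "External")),
    ("Malicious", ("Alert", "Threat"), "Friendly", ("Internal", "External")),
    ("Malicious", CONTAINED, "Malicious", ("Alert",)),
    ("Unclassified", ("Alert", "Threat"), "Friendly", ("Internal", "External")),
    ("Unclassified", CONTAINED, "Unclassified", ("Alert",)),
    ("Unclassified", ("Alert",), "Malicious", ("Alert",)),
]


def is_allowed(src: Node, dst: Node) -> bool:
    """True if Table 3-6 lists a single move from src to dst."""
    return any(src[0] == f_type and src[1] in f_states
               and dst[0] == t_type and dst[1] in t_states
               for f_type, f_states, t_type, t_states in TABLE_3_6)


def plan_move(src: Node, dst: Node) -> Tuple[Optional[List[Node]], str]:
    """Return (steps, note); steps is None when the move must be refused."""
    if is_allowed(src, dst):
        return [src, dst], "direct move listed in Table 3-6"
    # A contained rogue must be uncontained before its type can change.
    if src[1] in CONTAINED and src[0] != dst[0]:
        uncontained = (src[0], "Alert")
        if is_allowed(src, uncontained) and is_allowed(uncontained, dst):
            return [src, uncontained, dst], "uncontain first, then change the type"
    # The guide's explicit exception: no manual path from Malicious to Unclassified.
    if src[0] == "Malicious" and dst[0] == "Unclassified":
        return None, "delete the rogue and let the controller reclassify it"
    return None, "transition not listed in Table 3-6"


# Constructed change requests an operator script might submit.
REQUESTS = [
    (("Unclassified", "Contained Pending"), ("Malicious", "Alert")),
    (("Malicious", "Threat"), ("Friendly", "External")),
    (("Malicious", "Alert"), ("Unclassified", "Alert")),
    (("Friendly", "Internal"), ("Malicious", "Threat")),
]


def review(requests):
    """Plan every requested move; refused moves come back with steps=None."""
    return [plan_move(src, dst) for src, dst in requests]


if __name__ == "__main__":
    for (src, dst), (steps, note) in zip(REQUESTS, review(REQUESTS)):
        print(src, "->", dst, ":", steps, "|", note)
```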
Rogue Access Point Classification Types
Rogue access point classification types include the following:
• Malicious—Detected but untrusted or unknown access points with a malicious intent within the
system. They also refer to access points that fit the user-defined malicious rules or have been
manually moved from the friendly access point classification. See the “Malicious Rogue Access
Points” section on page 3-19 for more information.
• Friendly—Known, acknowledged, or trusted access points. They also refer to access points that fit
the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained.
See the “Friendly Rogue APs” section on page 3-25 for more information. For more information on
configuring friendly access point rules, see the “Configuring a Friendly Access Point Template”
section on page 11-628.
• Unclassified—Rogue access points that are not classified as either malicious or friendly. These
access points can be contained and can be moved manually to the friendly rogue access point list.
See the “Unclassified Rogue APs” section on page 3-26 for more information.
Malicious Rogue APs
Malicious rogue access points are detected but untrusted or unknown access points with a malicious
intent within the system. They also refer to access points that fit the user-defined malicious rules or have
been manually moved from the friendly access point classification.
The Security dashboard of the Prime Infrastructure home page displays the number of malicious rogue
access points for each applicable state for the past hour, the past 24 hours, and the total number of active
malicious rogue access points.
Malicious rogue access point states include the following:
• Alert—Indicates that the access point is not on the neighbor list or part of the user-configured
Friendly AP list.
• Contained—The unknown access point is contained.
• Threat—The unknown access point is found to be on the network and poses a threat to WLAN
security.
• Contained Pending—Indicates that the containment action is delayed due to unavailable resources.
• Removed—This unknown access point was seen earlier but is not seen now.
Click an underlined number in any of the time period categories for detailed information regarding the
malicious rogue access points. See the “Monitoring Rogue Access Points” section on page 5-91 for more
information.
Friendly Rogue APs
Friendly rogue access points are known, acknowledged or trusted access points. They also refer to access
points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be
contained.
The Security dashboard of the Prime Infrastructure home page displays the number of friendly rogue
access points for each applicable state for the past hour, the past 24 hours, and the total number of active
friendly rogue access points.
Friendly rogue access point states include the following:
• Internal—If the unknown access point is inside the network and poses no threat to WLAN security, you
would manually configure it as Friendly, Internal. For example, the access points in your lab network.
• External—If the unknown access point is outside the network and poses no threat to WLAN security,
you would manually configure it as Friendly, External. For example, the access points belonging to a
neighboring coffee shop.
• Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly
AP list.
Click an underlined number in any of the time period categories for detailed information regarding the
friendly rogue access points. See the “Monitoring Rogue Access Points” section on page 5-91 for more
information.
Unclassified Rogue APs
An unclassified rogue access point refers to a rogue access point that is not classified as either malicious
or friendly. These access points can be contained and can be moved manually to the friendly rogue access
point list.
The Security dashboard of the Prime Infrastructure home page displays the number of unclassified rogue
access points for each applicable state for the past hour, the past 24 hours, and the total number of active
unclassified rogue access points.
Unclassified rogue access point states include the following:
• Pending—On first detection, the unknown access point is put in the Pending state for 3 minutes. During
this time, the managed access points determine if the unknown access point is a neighbor access point.
• Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly
AP list.
• Contained—The unknown access point is contained.
• Contained Pending—The unknown access point is marked Contained, but the action is delayed due to
unavailable resources.
Click an underlined number in any of the time period categories for further information. See the
“Monitoring Rogue Access Points” section on page 5-91.
Adhoc Rogue
If the MAC address of a mobile client operating in an ad hoc network is not in the authorized MAC address
list, then it is identified as an ad hoc rogue.
Rogue Access Point Location, Tagging, and Containment
When the Cisco Unified Wireless Network Solution is monitored using the Prime Infrastructure, the
Prime Infrastructure generates the flags as rogue access point traps and displays the known rogue access
points by MAC address. The operator can then display a map showing the location of the access points
closest to each rogue access point. The next step is to mark them as Known or Acknowledged rogue
access points (no further action), Alert rogue access points (watch for and notify when active), or
Contained rogue access points (have between one and four access points discourage rogue access point
clients by sending the clients deauthenticate and disassociate messages whenever they associate with the
rogue access point).
This built-in detection, tagging, monitoring, and containment capability enables system administrators
to take the appropriate action:
• Locate rogue access points.
• Receive new rogue access point notifications, eliminating hallway scans.
• Monitor unknown rogue access points until they are eliminated or acknowledged.
• Determine the closest authorized access point, making directed scans faster and more effective.
• Contain rogue access points by sending their clients deauthenticate and disassociate messages from
one to four access points. This containment can be done for individual rogue access points by MAC
address or can be mandated for all rogue access points connected to the enterprise subnet.
• Tag rogue access points:
– Acknowledge rogue access points when they are outside of the LAN and do not compromise the
LAN or wireless LAN security.
– Accept rogue access points when they do not compromise the LAN or wireless LAN security.
– Tag rogue access points as unknown until they are eliminated or acknowledged.
– Tag rogue access points as contained and discourage clients from associating with the rogue
access points by having between one and four access points transmit deauthenticate and
disassociate messages to all rogue access point clients. This function applies to all active
channels on the same rogue access point.
This section contains the following topics:
• Detecting Access Points on a Network
• Viewing Rogue Access Points by Controller
Detecting Access Points on a Network
Use the Detecting Access Points feature to view information about the Cisco lightweight access points
that are detecting a rogue access point.
To access the Rogue AP Alarms details page, follow these steps:
Step 1 To display the Rogue AP Alarms page, do one of the following:
• Perform a search for rogue APs.
• In the Prime Infrastructure home page, click the Security dashboard. This page displays all the
rogue access points detected in the past hour and the past 24 hours. Click the rogue access point
number to view the rogue access point alarms.
• Click the Malicious AP number link in the dashlet.
Step 2 In the Rogue AP Alarms page, click the Rogue MAC Address for the applicable rogue access point. The
Rogue AP Alarms details page displays.
Step 3 From the Select a command drop-down list, choose View Detecting AP on Network.
Step 4 Click Go.
Click a list item to display data about that item:
• AP Name
• Radio
• Detecting AP Location
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not
broadcast.)
• Channel Number—The channel on which the rogue access point is broadcasting.
• WEP—Enabled or disabled.
• WPA—Enabled or disabled.
• Pre-Amble—Long or short.
• RSSI—Received signal strength indicator in dBm.
• SNR—Signal-to-noise ratio.
• Containment Type—Type of containment applied from this access point.
• Containment Channels—Channels that this access point is currently containing.
Viewing Rogue Access Points by Controller
Use the Detecting Access Points feature to view information about the rogue access points by controller.
To access the Rogue AP Alarms details page, follow these steps:
Step 1 To display the Rogue AP Alarms page, do one of the following:
• Perform a search for rogue APs.
• In the Prime Infrastructure home page, click the Security dashboard. This page displays all the
rogue access points detected in the past hour and the past 24 hours. Click the rogue access point
number to view the rogue access point alarms.
• Click the Malicious AP number link in the dashlet.
Step 2 In the Rogue AP Alarms page, click the Rogue MAC Address for the applicable rogue access point. The
Rogue AP Alarms details page displays.
Step 3 From the Select a command drop-down list, choose View AP Details by Controller.
Step 4 Click Go.
Click a list item to display data about that item:
• Controller IP Address
• Detecting AP Name
• Radio
• Detecting AP Location
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not
broadcast.)
• Channel Number—The channel on which the rogue access point is broadcasting.
• RSSI—Received Signal Strength Indicator in dBm.
• Classification—Indicates the rogue AP classification.
• State—Indicates the state of the alarm. Possible states vary depending on the classification type of
rogue access point. See the “Rogue Access Point Classification Types” section on page 3-24 for
additional information.
• On Network—Whether the rogue access point belongs to this network (“Yes” or “No”).
• Containment Level—Indicates the containment level of the rogue access point or Unassigned (not
contained).
• Last Updated Time
Working with Alarms
You can view, assign, and clear alarms and events on access points and mobility services engine using
the Prime Infrastructure.
Details on how to have e-mail notifications of alarms sent to you are also described. This section contains
the following topics:
• Assigning and Unassigning Alarms
• Deleting and Clearing Alarms
• Acknowledging Alarms
Assigning and Unassigning Alarms
To assign and unassign an alarm to yourself, follow these steps:
Step 1 Perform an advanced search for access point alarms.
Step 2 Select the alarms that you want to assign to yourself by selecting their corresponding check boxes.
Note
To unassign an alarm assigned to you, unselect the box next to the appropriate alarm. You cannot
unassign alarms assigned to others.
Step 3 From the Select a command drop-down list, choose Assign to Me (or Unassign), and click Go.
If you choose Assign to Me, your username appears in the Owner column. If you choose Unassign, the
username column becomes empty.
Deleting and Clearing Alarms
To delete or clear an alarm from a mobility services engine, follow these steps:
Step 1  In the Monitor > Alarms page, select the alarms that you want to delete or clear by selecting their corresponding check boxes.
Note  If you delete an alarm, the Prime Infrastructure removes it from its database. If you clear an alarm, it remains in the Prime Infrastructure database, but in the Clear state. You clear an alarm when the condition that caused it no longer exists.
Step 2  From the Select a command drop-down list, choose Delete or Clear, and click Go.
Note  To set up cleanup of old alarms and cleared alarms, choose Administration > Settings > Alarms.
Acknowledging Alarms
You might want certain alarms to be removed from the Alarms List. For example, if you are continuously
receiving an interference alarm from a certain access point on the 802.11g interface, you might want to
stop that access point from being counted as an active alarm on the page or any alarms list. In this
scenario, you can find the alarm for the 802.11g interface in the Alarms list, select the check box, and
choose Acknowledge from the Select a command drop-down list.
Now if the access point generates a new violation on the same interface, the Prime Infrastructure does
not create a new alarm, and the page shows no new alarms. However, if the interference violation is
created on another interface, such as 802.11a, a new alarm is created.
Once acknowledged, an alarm does not show up on either the page or any alarm list page. Also, no
e-mails are generated for these alarms after you have marked them as acknowledged. By default,
acknowledged alarms are not included for any search criteria. To change this default, go to the
Administration > Settings > Alarms page and disable the Hide Acknowledged Alarms preference.
Note  When you acknowledge an alarm, a warning displays as a reminder that a recurrence of the problem does not generate another alarm unless this functionality is disabled. Use the Administration > User Preferences page to disable this warning message.
You can also search for all previously acknowledged alarms to reveal the alarms that were acknowledged
during the last seven days. Prime Infrastructure automatically deletes cleared alerts that are more than
seven days old so your results can only show activity for the last seven days. Until an existing alarm is
deleted, a new alarm cannot be generated for any managed entity for which the Prime Infrastructure has
already generated an alarm.
Monitoring Rogue Alarm Events
The Events page enables you to review information about rogue alarm events. Prime Infrastructure
generates an event when a rogue access point is detected or if you make manual changes to a rogue access
point (such as changing its state). The Rogue AP Events list page displays all rogue access point events.
To access the Rogue AP Events list page, follow these steps:
Step 1  Do one of the following:
• Perform a search for rogue access point events using the Advanced Search feature of the Prime Infrastructure.
• In the Rogue AP Alarms details page, choose Event History from the Select a command drop-down list.
Step 2  The Rogue AP Events list page displays the following event information.
• Severity—Indicates the severity of the alarm.
• Rogue MAC Address—Click the rogue MAC address to view the Rogue AP Event Details page. See the “Viewing Rogue AP Event Details” section on page 3-31 for more information.
• Vendor—Rogue access point vendor name or Unknown.
• Classification Type—Malicious, Friendly, or Unclassified. See the “Rogue Access Point Classification Types” section on page 3-24 for more information.
• On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Date/Time—The date and time that the event was generated.
• State—Indicates the state of the alarm. Possible states vary depending on the classification type of rogue access point. See the “Rogue Access Point Classification Types” section on page 3-24 for additional information.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
Viewing Rogue AP Event Details
To view rogue access point event details, follow these steps:
Step 1  In the Rogue AP Events list page, click the Rogue MAC Address link.
Step 2  The Rogue AP Events Details page displays the following information:
• Rogue MAC Address
• Vendor—Rogue access point vendor name or Unknown.
• On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Classification Type—Malicious, Friendly, or Unclassified. See the “Rogue Access Point Classification Types” section on page 3-24 for more information.
• State—Indicates the state of the alarm. Possible states vary depending on the classification type of rogue access point. See the “Rogue Access Point Classification Types” section on page 3-24 for additional information.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
• Channel Number—The channel on which the rogue access point is broadcasting.
• Containment Level—Indicates the containment level of the rogue access point or Unassigned.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Created—The date and time that the event was generated.
• Generated By—The method by which the event was generated (such as Controller).
• Device IP Address
• Severity—Indicates the severity of the alarm.
• Message—Provides details of the current event.
Monitoring Adhoc Rogue Events
The Events page enables you to review information about ad hoc rogue events. Prime Infrastructure
generates an event when an ad hoc rogue is detected or if you make manual changes to an ad hoc rogue
(such as changing its state). The Adhoc Rogue Events list page displays all ad hoc rogue events.
To access the Rogue AP Events list page, follow these steps:
Step 1  Do one of the following:
• Perform a search for ad hoc rogue events using the Advanced Search feature of the Prime Infrastructure.
• In the Adhoc Rogue Alarms details page, choose Event History from the Select a command drop-down list.
Step 2  The Rogue AP Events list page displays the following event information:
• Severity—Indicates the severity of the alarm.
• Rogue MAC Address—Click the rogue MAC address to view the Rogue AP Event Details page. See the “Viewing Adhoc Rogue Event Details” section on page 3-32 for more information.
• Vendor—Rogue access point vendor name or Unknown.
• On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Date/Time—The date and time that the event was generated.
• State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
Viewing Adhoc Rogue Event Details
To view rogue access point event details, follow these steps:
Step 1  In the Rogue AP Events list page, click the Rogue MAC Address link.
Step 2  The Rogue AP Events Details page displays the following information:
• Rogue MAC Address
• Vendor—Rogue access point vendor name or Unknown.
• On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
• Channel Number—The channel on which the rogue access point is broadcasting.
• Containment Level—Indicates the containment level of the rogue access point or Unassigned.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Created—The date and time that the event was generated.
• Generated By—The method by which the event was generated (such as Controller).
• Device IP Address
• Severity—Indicates the severity of the alarm.
• Message—Provides details of the current event.
Security Overview
Prime Infrastructure provides a foundation that allows IT managers to design, control, secure, and
monitor enterprise wireless networks from a centralized location.
Prime Infrastructure provides the following tools for managing and enforcing wireless security
configurations and policies within the Cisco wireless network infrastructure:
• Network security policy creation and enforcement, such as user authentication, encryption, and access control.
• Wireless infrastructure security configuration.
• Rogue detection, location, and containment.
• Wireless Intrusion Prevention System (wIPS).
• Wireless IPS signature tuning and management.
• Management Frame Protection (MFP).
• Collaboration with Cisco wired Network IPS for monitoring and mitigating unauthorized or malicious wireless user activity.
• Comprehensive security event management and reporting.
Security Vulnerability Assessment
In Cisco Unified Wireless Network Version 5.1, an automated security vulnerability assessment is
available to facilitate analysis for the overall wireless security posture of an enterprise, as well as to
provide WLAN operators with real-time benchmarking of their security services configurations against
industry best practices. The automated security vulnerability assessment provides the following:
• Proactive vulnerability monitoring of the entire wireless network.
• Comprehensive information on security vulnerabilities that could lead to loss of data, network intrusion, or malicious attack.
• Reduction in the time and expertise required to analyze and remedy weaknesses in wireless security posture.
The automated wireless vulnerability assessment audits the security posture of the entire wireless
network for vulnerabilities. These vulnerabilities can result in:
• Unauthorized management access or using management protocols to compromise or adversely impact the network.
• Unauthorized network access, data leakage, man-in-the-middle, or replay attacks.
• Compromised or adverse impacts to the network through manipulation of network protocols and services, for example through denial of service (DoS) attacks.
Prime Infrastructure automatically scans the entire network and compares settings against Cisco
recommended and industry best practices for wireless security configurations. The automated wireless
security assessment functions within the Prime Infrastructure scan wireless LAN controllers, access
points, and network management interfaces for vulnerabilities in configuration settings, encryption, user
authentication, infrastructure authentication, network management, and access control.
The status of the wireless network security is displayed graphically to provide wireless network
administrators with an easy-to-read dashboard of security events. Prime Infrastructure displays the
vulnerability assessment results through a Security Index on the Prime Infrastructure security dashboard.
The Security Index summarizes the network security posture with a composite security score and
prioritized summary of vulnerabilities. See the “Security Index” section on page 3-34 for more
information.
Administrators can drill down to the Security Index Detailed Report if an event in the Security Summary
warrants further investigation. The Security Index Detailed Report provides in-depth analysis of the
vulnerabilities across the network. It also identifies optimal security settings and recommends changes
that remedy the vulnerabilities. Any changes the administrator makes are reflected in an updated
Security Index score. See the “Security Index Detailed Report” section on page 3-35 for more
information.
Security Index
The Security Index gives an indication of the security of the Prime Infrastructure managed network. The
security index is calculated by assigning a weight to each security configuration and displaying the result
in visual form. The combined weighting can vary from 0 to 100, where 0 signifies least secure and 100
signifies most secure.
The weighting comes from the lowest scoring controller and the lowest scoring Location
Server/Mobility Service Engine related security configurations that are maintained within the Prime
Infrastructure itself. For example, the security index of the Prime Infrastructure managed network is
equal to the lowest scoring controller plus the lowest scoring Location Server/Mobility Service Engine.
The following color scheme applies for the security index:
• Above or equal to 80—Green
• Below 80 but above or equal to 60—Yellow
• Below 60—Red
Note  Guest WLANs are excluded from the calculation. A WLAN which has web authentication or web passthrough enabled is identified as a guest WLAN.
The security index of the latest release is the benchmark for the required security configurations. For
example, if AES encryption was not present in an earlier version of code, the index is reduced by the
number associated with the AES encryption security configuration. Likewise, if new security
configurations are introduced, the weighting would be altered.
The configurations stored in the Prime Infrastructure might not be up-to-date with the ones in the
controllers unless the Refresh from Controller command is run from the Prime Infrastructure. You can
run Security Index calculations from the Configuration Sync task to get the latest config data from all
the controllers.
Top Security Issues
The Top Security Issues section displays the five top security issues. The View All and Devices links sort
relevant columns and show a report of security issues occurring across all controllers. Click View All to
open the Security Index Detailed Report. Click Devices to view the Security Index Controller Report.
• Security Index Detailed Report
• Security Index Controller Report
• Potential Security Issues
Security Index Detailed Report
The Security Index Detailed Report displays all security issues found across all controllers, location
servers, and mobility service engines. It details problems found in a particular security configuration
retrieved from the device. If a particular issue has been acknowledged (just like alarms), it is ignored
when the next Configuration Sync task runs (if Security Index Calculation is enabled).
In some cases when an issue is acknowledged and it is ignored the next time the Configuration Sync task
runs, the final security index score does not change. Some possible reasons for this might include the
following:
• The acknowledged issue is on a controller which is not directly affecting the security index score (for instance, it is not the controller with the lowest score).
• The acknowledged issue is on a WLAN that is not directly affecting the security index score. Only the lowest scoring WLAN of the lowest scoring controller affects the security index score.
When SSH and Telnet are enabled on a controller and are both flagged as issues, the Telnet issue has a
higher precedence than SSH. Even if SSH is acknowledged on the controller with the lowest score, no
change would occur for the security index.
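The scoring rules described in the Security Index and Security Index Detailed Report sections can be modeled in a few lines to see why acknowledging an issue often leaves the score unchanged. This is an added example, not Cisco's implementation: the 80/20 split between controller and Mobility Services Engine scores, every issue weight, and all device and issue names are assumptions, and the inventory is constructed.

```python
"""Toy model of the Security Index rules described in this section.

Assumptions (not from Cisco): the 80/20 split between controller and MSE
scores, every issue weight, and all device and issue names.
"""
from dataclasses import dataclass, field

CONTROLLER_MAX = 80   # assumed controller share of the 0-100 index
MSE_MAX = 20          # assumed Location Server/MSE share of the index


@dataclass
class Issue:
    name: str
    weight: int                 # assumed penalty for this issue
    acknowledged: bool = False


@dataclass
class Wlan:
    ssid: str
    issues: list
    web_auth: bool = False
    web_passthrough: bool = False

    @property
    def is_guest(self):
        # Web authentication or web passthrough marks a guest WLAN.
        return self.web_auth or self.web_passthrough


@dataclass
class Controller:
    name: str
    issues: list                # controller-wide issues (Telnet, SSH, SNMP, ...)
    wlans: list = field(default_factory=list)


def active(issues):
    """Unacknowledged issues, with Telnet taking precedence over SSH."""
    live = [i for i in issues if not i.acknowledged]
    if any(i.name == "telnet" for i in live):
        live = [i for i in live if i.name != "ssh"]
    return live


def penalty(issues):
    return sum(i.weight for i in active(issues))


def controller_score(c):
    # Only the lowest scoring (highest penalty) non-guest WLAN counts.
    worst_wlan = max((penalty(w.issues) for w in c.wlans if not w.is_guest),
                     default=0)
    return max(0, CONTROLLER_MAX - penalty(c.issues) - worst_wlan)


def mse_score(issues):
    return max(0, MSE_MAX - penalty(issues))


def security_index(controllers, mses):
    """Lowest scoring controller plus lowest scoring Location Server/MSE."""
    lowest_wlc = min((controller_score(c) for c in controllers),
                     default=CONTROLLER_MAX)
    lowest_mse = min((mse_score(m) for m in mses), default=MSE_MAX)
    return lowest_wlc + lowest_mse


def color(index):
    if index >= 80:
        return "Green"
    if index >= 60:
        return "Yellow"
    return "Red"


def sample():
    """Constructed inventory: two controllers and one MSE."""
    wlc_a = Controller(
        "wlc-a",
        issues=[Issue("telnet", 10), Issue("ssh", 5)],
        wlans=[Wlan("corp", [Issue("tkip", 10)]),
               Wlan("voice", [Issue("mfp-optional", 5)]),
               Wlan("guest", [Issue("no-encryption", 30)], web_auth=True)])
    wlc_b = Controller("wlc-b", issues=[],
                       wlans=[Wlan("lab", [Issue("wep-104", 15)])])
    mse = [Issue("http", 5)]
    return [wlc_a, wlc_b], [mse]


if __name__ == "__main__":
    controllers, mses = sample()
    idx = security_index(controllers, mses)
    print("baseline:", idx, color(idx))
    controllers[0].issues[1].acknowledged = True      # acknowledge SSH
    print("after SSH ack:", security_index(controllers, mses))
    controllers[0].issues[0].acknowledged = True      # acknowledge Telnet too
    idx = security_index(controllers, mses)
    print("after Telnet ack:", idx, color(idx))
```

In this model, acknowledging SSH while Telnet is still flagged, acknowledging an issue on a WLAN that is not the lowest scoring one, or acknowledging an issue on a controller that is not the lowest scoring one all leave the index where it was.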
From the Select a command drop-down list, choose Show All to view all security issues (both
acknowledged and unacknowledged). Choose Show Unacknowledged to only view unacknowledged
security issues. This is the default view when View All is selected from the Security Summary page.
Choose Show Acknowledged to only view acknowledged security issues.
Note  For a user to acknowledge or unacknowledge security issues, the user must have the “Ack and Unack Security Index Issues” permission enabled.
Security Index Controller Report
This page shows the security violation report as a summary for each controller. By row, each controller
shows the number of security issues that occurred on that controller and provides a link to all security
issues.
If you click the number in the Security Issues Count column, the Security Index Detailed Report appears.
Potential Security Issues
Table 3-7 and Table 3-8 describe the potential security issues.
Table 3-7
Potential Security Issues

| Controller Security Issue | Why is this an Issue? | What is the Solution? |
|---|---|---|
| WLAN SSID on the controller has a weak authentication method. | Weak authentication method for a WLAN which can be broken by using tools available online if WLAN packets are sniffed. | Use the most secured authentication method and one that is WPA+WPA2. |
| WLAN SSID on the controller has a weak authentication method (CKIP) configured. | Weak authentication method for a WLAN. | Use the most secured authentication method and one that is WPA+WPA2. |
| WLAN SSID on the controller has no user authentication configured. | No authentication method is a clear security risk for a WLAN. | Configure strong authentication methods such as WPA+WPA2. |
| WLAN SSID on the controller has a weak encryption method (CKIP WEP 40 bits) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (CKIP WEP 40 bits with MMH) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (CKIP WEP 40 bits with MMH and Key Permutation) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (WEP 104 bits) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (CKIP WEP 104 bits) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (CKIP WEP 104 bits with MMH) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (CKIP WEP 40 bits with Key Permutation) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (CKIP WEP 104 bits with Key Permutation) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (CKIP WEP 104 bits with MMH and Key Permutation) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (WEP 40 bits) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (WEP 128 bits) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (TKIP) configured. | Weak encryption method for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has no encryption configured. | No encryption method is a clear security risk for a WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has a weak encryption method (WEP 104 bits) configured. | Weak encryption method for WLAN. | Configure strong authentication and encryption methods such as WPA+WPA2 with AES. |
| WLAN SSID on the controller has no key management methods configured (applicable only for WPA+WPA2). | A key management method enhances the security of keys; without one, WLAN is less secure. | Configure at least one key management method such as CCKM. |
| WLAN SSID on the controller has MFP Client Protection set to “Optional”. | With MFP Client Protection set to optional for a WLAN, authenticated clients might not be shielded from spoofed frames. | Set MFP Client Protection to “Required” to protect against clients connecting to a rogue access point. |
| WLAN SSID on the controller has MFP Client Protection set to “Disabled”. | With MFP Client Protection set to disabled for a WLAN, authenticated clients might not be shielded from spoofed frames. | Set MFP Client Protection to “Required” to protect against clients connecting to a rogue access point. |
| WLAN SSID interface is set to “management” on the controller. | As recommended from SAFE, user traffic should be separated from management traffic. | WLAN interface should not be set to “management” on the controller. |
| Interface set to one which is VLAN for a WLAN. | As recommended from SAFE, user traffic should be separated from VLAN traffic. | WLAN needs its interface to be set to one which is neither management nor one which has a VLAN. |
| WLAN SSID on the controller has “Client Exclusion” disabled. | With Client Exclusion policies disabled, an attacker is able to continuously try to access the WLAN network. | Enable “Client Exclusion” to secure against malicious WLAN client behavior. |
| WLAN SSID on the controller has “Broadcast SSID” enabled. | | Disable “Broadcast SSID” to secure your wireless network. |
| WLAN SSID on the controller has “MAC Filtering” disabled. | | Enable “MAC Filtering” to secure your wireless network. |
| Protection Type is set to “AP Authentication” on the controller. | When AP Authentication is set, an access point checks beacon/probe response frames in neighboring access points to see if they contain an authenticated information element (IE) that matches that of the RF group. This provides some security but does not cover all management frames and is open to alteration by rogue access points. | Set Protection Type to “Management Frame Protection (MFP)” on the controller. |
| Protection Type is set to “None” on the controller. | No security for 802.11 management messages passed between access points and clients. | Set Protection Type to “Management Frame Protection (MFP)” on the controller. |
| Radio type is configured to detect rogues only on DCA channels. | Rogue detection, if done only on a subset of country/all channels, is less secure than one that is done on country/all channels. | Configure radio types 802.11a/n and 802.11b/g/n to detect rogues on country channels or all channels. |
| Radio type is configured to detect rogues on neither country channels nor DCA channels. | Rogue detection, if not configured on country nor DCA channels, is less secure than when done on country/all channels. | Configure radio types 802.11a/n and 802.11b/g/n to detect rogues on country channels or all channels. |
| The rogue policy to detect and report ad hoc networks is disabled on the controller. | With detection and reporting of ad hoc networks turned off, ad hoc rogues go undetected. | Enable the rogue policy to detect and report ad hoc networks. |
| “Check for all Standard and Custom Signatures” is disabled on the controller. | If check for all Standard and Custom Signatures is disabled, various types of attacks in incoming 802.11 packets would go undetected. | Check for all Standard and Custom Signatures needs to be turned on to identify various types of attacks in incoming 802.11 packets. |
| Some of the Standard Signatures are disabled on the controller. | If only some of the Standard Signatures are disabled, | Enable all Standard Signatures on the controller. |
| The “Excessive 802.11 Association Failures” Client Exclusion Policy is disabled on the controller. | Excessive failed association attempts can consume system resources and launch a potential denial of service attack to the infrastructure. | Enable the “Excessive 802.11 Association Failures” Client Exclusion Policy on the controller. |
| The “Excessive 802.11 Authentication Failures” Client Exclusion Policy is disabled on the controller. | Excessive failed authentication attempts can consume system resources and launch a potential denial of service attack to the infrastructure. | Enable the “Excessive 802.11 Authentication Failures” Client Exclusion Policy on the controller. |
| The “Excessive 802.1X Authentication Failures” Client Exclusion Policy is disabled on the controller. | Excessive 802.1X failed authentication attempts can consume system resources and launch a potential denial of service attack to the infrastructure. | Excessive 802.1X Authentication Failures Client Exclusion Policy must be enabled to prevent denial of service attack to the infrastructure. |
| The “Excessive 802.11 Web Authentication Failures” Client Exclusion Policy is disabled on the controller. | Excessive 802.11 failed web authentication attempts can consume system resources and launch a potential denial of service attack to the infrastructure. | Enable the “Excessive 802.11 Web Authentication Failures” Client Exclusion Policy on the controller. |
| The “IP Theft or IP Reuse” Client Exclusion Policy is disabled on the controller. | If IP Theft or Reuse Client Exclusion Policy is disabled, then an attacker masquerading as another client would not be disallowed. | Enable the “IP Theft or IP Reuse” Client Exclusion Policy on the controller. |
| No CIDS Sensor configured on the controller. | If no enabled IDS Sensor is configured, then IP-level attacks would not be detected. | Configure at least one CIDS Sensor on the controller. |
| Controller is configured with default community strings for SNMP v1/v2. | If SNMP V1 or V2 with default Community is configured then it is open to easy attacks because default communities are well known. | Use SNMPv3 with Auth and Privacy Types. |
| Controller is configured with non-default community strings for SNMP v1/v2. | SNMP V1 or V2 with non-default Community is slightly more secure than default Community but still less secure than SNMP V3. | Use SNMPv3 with Auth and Privacy types. |
| SNMPv3 is configured with a default user on the controller. | Using a default user makes SNMP V3 connections less secure. | Use a non-default username for SNMPv3 with Auth and Privacy Types. |
| SNMPv3 is configured with either no Auth or Privacy Type on the controller. | SNMP V3 with either Auth or Privacy Type set to none reduces the security of SNMP V3 connection. | Use SNMPv3 with Auth and Privacy Types to secure your wireless network. |
| HTTP (Web Mode enabled but Secure Web Mode disabled) is enabled on the controller. | HTTP is less secure than HTTPS. | Enable HTTPS (both Web Mode and Secure Web Mode) on the controller. |
| Telnet is enabled on the controller. | If telnet is enabled, then the controller is at risk of being hacked into. | Disable telnet on the controller. |
| SSH is disabled and timeout value is set to zero on the controller. | If SSH is enabled and timeout is zero then the controller has risk of being hacked into. | Enable SSH with non-zero timeout value on the controller. |
| Telnet is enabled on the AP. | If telnet is enabled, then the access point is at risk of being hacked into. | Disable Telnet on all access points. |
| SSH is enabled on the AP. | | Disable SSH on all the access points. |
| At least one of the APs is configured with default username or password. | If default password is configured, then access points are more susceptible to connections from outside the network. | Configure a non-default username and strong password for all access points associated to the controller. |

Table 3-8
Potential Security Issues

| Location Server/ Mobility Server Engine Security Issue | Why is this an Issue? | What is the Solution? |
|---|---|---|
| HTTP is enabled on the location server. | HTTP is less secure than HTTPS. | Enable HTTPS on the location server. |
| A location server user has a default password configured. | If default password is configured, then Location Server/ Mobility Server Engine is more susceptible to connections from outside the network. | Configure a strong password for the location server users. |
| HTTP is enabled on the mobility services engine. | HTTP is less secure than HTTPS. | Enable HTTPS on the mobility services engine. |
| A mobility services engine user has default password configured. | If default password is configured, then Location Server/ Mobility Server Engine is more susceptible to connections from outside the network. | Configure a strong password for the users on the mobility services engine. |
| wIPS Service is not enabled on the mobility services engine. | Your network is vulnerable to advanced security threats. | Deploy wIPS Service to protect your network from advanced security threats. |
Switch Port Tracing
Currently, the Prime Infrastructure provides rogue access point detection by retrieving information from
the controller. The rogue access point table is populated with any detected BSSID addresses from any
frames that are not present in the neighbor list. At the end of a specified interval, the contents of the rogue
table are sent to the controller in a CAPWAP Rogue AP Report message. With this method, the Prime
Infrastructure would simply gather the information received from the controllers; but with software
Release 5.1, you can incorporate switch port tracing of Wired Rogue Access Point Switch Ports. This
enhancement allows you to react to found wired rogue access points and prevent future attacks. The trace
information is available only in the Prime Infrastructure log and only for rogue access points, not rogue
clients.
Note
Information about rogue clients connected to the rogue access point is used to track the switch port to
which the rogue access point is connected in the network.
Note
If you try to set tracing for a friendly or deleted rogue, a warning message appears.
Note
For Switch Port Tracing to successfully trace the switch ports using SNMP v3, all of the OIDs should
be included in the SNMP v3 view and VLAN content should be created for each VLAN in the SNMP v3
group.
Establishing Switch Port Tracing
To establish switch port tracing, follow these steps:
Step 1
In the Prime Infrastructure home page, click the Security dashboard.
Step 2
In the Rogue APs and Adhoc Rogues dashlet, click the number URL which specifies the number of
rogues in the last hour, last 24 hours, or total active.
The Alarms window opens.
Step 3
Choose the rogue for which you are setting switch port tracing by selecting its check box.
Step 4
From the Troubleshoot drop-down list, choose Traceroute. The Traceroute window opens, and the
Prime Infrastructure runs a switch port trace.
When one or more searchable MAC addresses are available, the Prime Infrastructure uses CDP to
discover any switches connected up to two hops away from the detecting access point. The MIBs of each
CDP-discovered switch are examined to see if they contain any of the target MAC addresses. If any of the
MAC addresses are found, the corresponding port number is returned and reported as the switch port of
a rogue.
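The trace logic described above can be modeled as follows. This is an added example, not Prime Infrastructure code: it walks constructed CDP neighbor data up to two hops from the detecting access point and searches each switch's MAC address table for the target MAC addresses. The device names, ports and MAC addresses are constructed, and treating a port that faces a CDP neighbor as a transit link rather than the rogue's own port is an assumption of this example.

```python
from collections import deque

# Constructed topology (not from a real network). "cdp" maps a local port to
# the CDP neighbor seen on it; "macs" is the MAC address table (MAC -> port)
# as it would be read from the switch over SNMP.
DEVICES = {
    "ap-detecting": {"cdp": {"Gi0": "sw-access-1"}, "macs": {}},
    "sw-access-1": {
        "cdp": {"Gi1/0/1": "ap-detecting", "Gi1/0/24": "sw-dist-1"},
        "macs": {"0011.2233.4455": "Gi1/0/24",      # learned through the uplink
                 "00:AA:BB:CC:DD:01": "Gi1/0/5"},   # learned on an edge port
    },
    "sw-dist-1": {
        "cdp": {"Te1/1": "sw-access-1", "Te1/2": "sw-access-2"},
        "macs": {"0011.2233.4455": "Te1/2"},        # learned through a downlink
    },
    "sw-access-2": {                                # three hops from the AP
        "cdp": {"Gi1/0/24": "sw-dist-1"},
        "macs": {"00-11-22-33-44-55": "Gi1/0/7"},
    },
}


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def switches_within(devices, start, max_hops=2):
    """Breadth-first walk of CDP neighbors; returns {device: hop_count}."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] == max_hops:
            continue                     # do not look past the hop limit
        for neighbor in devices.get(node, {}).get("cdp", {}).values():
            if neighbor not in seen:
                seen[neighbor] = seen[node] + 1
                queue.append(neighbor)
    del seen[start]
    return seen


def trace_rogue(devices, detecting_ap, target_macs, max_hops=2):
    """Search every switch in range for the target MACs.

    Returns {"edge": [...], "transit": [...]} with (switch, port, mac, hops)
    tuples. An "edge" hit is a candidate rogue port; a "transit" hit means the
    MAC was only seen on a link toward another CDP device (assumption of this
    example), so the rogue sits further away.
    """
    targets = {normalize_mac(m) for m in target_macs}
    in_range = switches_within(devices, detecting_ap, max_hops)
    edge, transit = [], []
    for switch, hops in sorted(in_range.items(), key=lambda kv: (kv[1], kv[0])):
        info = devices.get(switch, {})
        cdp_ports = set(info.get("cdp", {}))
        for mac, port in info.get("macs", {}).items():
            mac = normalize_mac(mac)
            if mac in targets:
                hit = (switch, port, mac, hops)
                (transit if port in cdp_ports else edge).append(hit)
    return {"edge": edge, "transit": transit}
```

With the constructed data, a rogue attached three hops away shows up only as transit hits inside the two-hop limit, which is the case where a trace returns no usable port.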
Integrated Security Solutions
The Cisco Unified Wireless Network Solution also provides these integrated security solutions:
•
Cisco Unified Wireless Network Solution operating system security is built around a robust 802.1X
authorization, authentication, and accounting (AAA) engine, which enables operators to rapidly
configure and enforce a variety of security policies across the Cisco Unified Wireless Network
Solution.
•
The controllers and access points are equipped with system-wide authentication and authorization
protocols across all ports and interfaces, maximizing system security.
•
Operating system security policies are assigned to individual wireless LANs, and access points
simultaneously broadcast all (up to 16) configured wireless LANs. These policies can eliminate the
need for additional access points, which can increase interference and degrade system throughput.
•
Operating system security uses the RRM function to continually monitor the air space for
interference and security breaches and notify the operator when they are detected.
•
Operating system security works with industry-standard AAA servers, making system integration
simple and easy.
•
The Cisco Intrusion Detection System/Intrusion Prevention System (IDS/IPS) instructs controllers
to block certain clients from accessing the wireless network when attacks involving these clients are
detected.
•
The operating system security solution offers comprehensive Layer 2 and Layer 3 encryption
algorithms, which typically require a large amount of processing power. Rather than assigning the
encryption tasks to yet another server, the controller can be equipped with a VPN/enhanced security
module that provides extra hardware required for the most demanding security configurations.
Using Prime Infrastructure to Convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 Mode
To convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 LWAPP transport mode
using the Prime Infrastructure user interface, follow these steps:
Note
Cisco-based lightweight access points do not support Layer 2 LWAPP mode. These access points can
only be run with Layer 3.
Note
This procedure causes your access points to go offline until the controller reboots and the associated
access points reassociate to the controller.
Step 1
Make sure that all controllers and access points are on the same subnet.
Note
You must configure the controllers and associated access points to operate in Layer 2 mode
before completing the conversion.
Step 2
Log into the Prime Infrastructure user interface. Then follow these steps to change the LWAPP transport
mode from Layer 3 to Layer 2:
a.
Choose Configure > Controllers to navigate to the All Controllers page.
b.
Click the desired IP address of a controller to display the IP Address > Controller Properties page.
c.
From the left sidebar menu, click System > General to display the IP Address > General page.
d.
Change LWAPP transport mode to Layer2, and click Save.
e.
If the Prime Infrastructure displays the following message, click OK:
Please reboot the system for the LWAPP Mode change to take effect.
Step 3
To restart your Cisco Unified Wireless Network Solution, follow these steps:
a.
Return to the IP Address > Controller Properties page.
b.
Click System > Commands to display the IP Address > Controller Commands page.
c.
Under Administrative Commands, choose Save Config To Flash, and click Go to save the changed
configuration to the controller.
d.
Click OK to continue.
e.
Under Administrative Commands, choose Reboot, and click Go to reboot the controller.
f.
Click OK to confirm the save and reboot.
Step 4
After the controller reboots, follow these steps to verify that the LWAPP transport mode is now Layer 2:
a.
Click Monitor > Controllers to navigate to the Controllers > Search Results page.
b.
Click the desired IP address of a controller to display the Controllers > IP Address > Summary page.
c.
Under General, verify that the current LWAPP transport mode is Layer2.
You have completed the LWAPP transport mode conversion from Layer 3 to Layer 2. The operating
system software now controls all communications between controllers and access points on the same
subnet.
Configuring a Firewall for Prime Infrastructure
When the Prime Infrastructure server and the Prime Infrastructure user interface are on different sides
of a firewall, they cannot communicate unless the following ports on the firewall are open to two-way
traffic:
•
80 (for initial http)
•
69 (tftp)
•
162 (trap port)
•
443 (https)
•
1522 (for HA configuration between the primary and secondary Prime Infrastructure)
Open these ports to configure your firewall to allow communications between the Prime Infrastructure
server and the Prime Infrastructure user interface.
Access Point Authorization
To view a list of authorized access points along with the type of certificate that an access point uses for
authorization, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click one of the URLs in the IP address column.
Step 3
From the left sidebar menu, choose Security > AP/MSE Authorization.
Step 4
The AP Policies portion of the page indicates whether the authorization of access points is enabled or
disabled. It also indicates whether the acceptance of self-signed certificates (SSC APs) is enabled or
disabled. Normally, access points can be authorized either by AAA or certificates. (SSC is only available
for 4400 and 200 controllers.)
To change these values, choose Edit AP Policies from the Select a command drop-down list, and click
Go.
Step 5
The AP Authorization List portion shows the radio MAC address of the access point, certificate type,
and key hash. To add a different authorization entry, choose Add AP/MSE Auth Entry from the Select
a command drop-down list, and click Go.
Step 6
From the drop-down list, choose a template to apply to this controller, and click Apply. To create a new
template for access point authorization, click the click here link to get redirected to the template creation
page. See the “Configuring an Access Point or MSE Authorization Template” section on page 11-610
for steps on creating a new template.
Management Frame Protection (MFP)
Management Frame Protection (MFP) provides security for the otherwise unprotected and unencrypted
802.11 management messages passed between access points and clients. MFP provides both
infrastructure and client support.
•
Infrastructure MFP—Protects management frames by detecting adversaries who are invoking denial
of service attacks, flooding the network with associations and probes, interjecting as rogue access
points, and affecting network performance by attacking the QoS and radio measurement frames. It
also provides a quick and effective means to detect and report phishing incidents.
Specifically, infrastructure MFP protects 802.11 session management functions by adding message
integrity check information elements (MIC IEs) to the management frame emitted by access points
(and not those emitted by clients), which are then validated by other access points in the network.
Infrastructure MFP is passive. It can detect and report intrusions but has no means to stop them.
•
Client MFP—Shields authenticated clients from spoofed frames, preventing many of the common
attacks against wireless LANs from becoming effective. Most attacks, such as deauthentication
attacks, revert to simply degrading performance by contending with valid clients.
Specifically, client MFP encrypts management frames sent between access points and
Cisco-compatible Extension clients so that both access points and clients can take preventive action
by dropping spoofed class 3 management frames (that is, management frames passed between an
access point and a client that is authenticated and associated). Client MFP leverages the security
mechanisms defined by IEEE 802.11i to protect the following types of class 3 unicast management
frames: disassociation, deauthentication, and QoS (WMM) action. Client MFP is active. It can
protect a client-access point session from the most common type of denial of service attack. It
protects class 3 management frames by using the same encryption method used for the data frames
of the session. If a frame received by the access point or client fails decryption, it is dropped, and
the event is reported to the controller.
To use client MFP, clients must support Cisco-compatible Extensions (Version 5) MFP and must
negotiate WPA2 using either TKIP or AES-CCMP. EAP or PSK might be used to obtain the PMK.
CCKM and controller mobility management are used to distribute session keys between access
points for Layer 2 and Layer 3 fast roaming.
To prevent attacks against broadcast frames, access points supporting Cisco-compatible Extensions
(Version 5) do not emit any broadcast class 3 management frames (such as disassociation,
deauthentication, or action). Cisco-compatible Extensions (Version 5) clients and access points must
discard broadcast class 3 management frames.
Client MFP supplements infrastructure MFP rather than replacing it because infrastructure MFP
continues to detect and report invalid unicast frames sent to clients that are not client-MFP capable,
as well as invalid class 1 and 2 management frames. Infrastructure MFP is applied only to
management frames that are not protected by client MFP.
Infrastructure MFP consists of three main components:
•
Management frame protection—The access point protects the management frames it transmits by
adding a MIC IE to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC,
causing any receiving access point configured to detect MFP frames to report the discrepancy.
•
Management frame validation—In infrastructure MFP, the access point validates every management
frame it receives from other access points in the network. It ensures that the MIC IE is present (when
the originator is configured to transmit MFP frames) and matches the content of the management
frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an
access point that is configured to transmit MFP frames, it reports the discrepancy to the network
management system. For the timestamps to operate properly, all controllers must be Network
Time Protocol (NTP) synchronized.
•
Event reporting—The access point notifies the controller when it detects an anomaly, and the
controller aggregates the received anomaly events and reports the results through SNMP traps to the
network management system.
Note
Client MFP uses the same event reporting mechanisms as infrastructure MFP.
Infrastructure MFP is enabled by default and can be disabled globally. When you upgrade from a
previous software release, infrastructure MFP is disabled globally if access point authentication is
enabled because the two features are mutually exclusive. After infrastructure MFP is enabled globally,
signature generation (adding MICs to outbound frames) can be disabled for selected WLANs, and
validation can be disabled for selected access points.
You set MFP in the WLAN template. See the “Configuring WLAN Templates” section on page 11-573.
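The three infrastructure MFP components described above (protection, validation, event reporting) can be modeled as follows. This is an added example, not Cisco's implementation: HMAC-SHA256 truncated to 8 bytes stands in for the MIC algorithm, and the IE layout, the per-BSSID key table and the one-second timestamp tolerance are all assumptions, since this guide does not specify them.

```python
import hashlib
import hmac
import struct
from collections import Counter

MAX_CLOCK_SKEW = 1.0   # seconds; assumed tolerance, the reason NTP sync matters


def _mic(key, bssid, subtype, body, ts):
    """Keyed integrity check over the frame fields and the timestamp."""
    msg = bssid + bytes([subtype]) + body + ts
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def protect(key, bssid, subtype, body, now):
    """Transmitting AP: return a management frame with a MIC IE attached."""
    ts = struct.pack(">Q", int(now * 1000))        # millisecond timestamp
    return {"bssid": bssid, "subtype": subtype, "body": body,
            "mic_ie": ts + _mic(key, bssid, subtype, body, ts)}


def validate(frame, mfp_keys, now):
    """Validating AP: classify one received management frame.

    mfp_keys maps each BSSID configured to transmit MFP frames to its key.
    """
    key = mfp_keys.get(frame["bssid"])
    if key is None:
        return "not-protected"       # originator is not configured for MFP
    ie = frame.get("mic_ie")
    if not ie or len(ie) != 16:
        return "missing-mic"         # e.g. a spoofed frame using a real BSSID
    ts, mic = ie[:8], ie[8:]
    expected = _mic(key, frame["bssid"], frame["subtype"], frame["body"], ts)
    if not hmac.compare_digest(mic, expected):
        return "invalid-mic"         # frame content was altered
    sent = struct.unpack(">Q", ts)[0] / 1000
    if abs(now - sent) > MAX_CLOCK_SKEW:
        return "stale-timestamp"     # replayed frame, or unsynchronized clocks
    return "valid"


def aggregate(observations, mfp_keys):
    """Controller: count anomalies per (BSSID, reason) before reporting them."""
    events = Counter()
    for frame, received_at in observations:
        verdict = validate(frame, mfp_keys, received_at)
        if verdict not in ("valid", "not-protected"):
            events[(frame["bssid"].hex(), verdict)] += 1
    return events


def demo():
    """Run the model over constructed frames and return the anomaly counts."""
    key = b"constructed-key!"
    bssid = bytes.fromhex("020000000001")          # constructed BSSID
    keys = {bssid: key}
    beacon = protect(key, bssid, 0x08, b"beacon-body", now=1000.0)
    observations = [
        (beacon, 1000.2),                                   # genuine
        (dict(beacon, body=b"beacon-bodY"), 1000.2),        # altered in transit
        ({"bssid": bssid, "subtype": 0x0C, "body": b"\x07\x00"}, 1000.3),  # no IE
        (beacon, 1030.0),                                   # replayed 30 s later
        (beacon, 1005.0),                                   # receiver clock 5 s off
    ]
    return aggregate(observations, keys)
```

The last observation is a genuine frame rejected only because the validator's clock is five seconds off, which is the failure the NTP requirement prevents.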
Guidelines for Using MFP
Follow these guidelines for using MFP:
•
MFP is supported for use with Cisco Aironet lightweight access points, except for the 1500 series
mesh access points.
•
Lightweight access points support infrastructure MFP in local and monitor modes and in REAP and
FlexConnect modes when the access point is connected to a controller. They support client MFP in
local, FlexConnect, and bridge modes.
•
Client MFP is supported for use only with Cisco-compatible Extensions (Version 5) clients using
WPA2 with TKIP or AES-CCMP.
•
Non-Cisco-compatible Extensions (Version 5) clients might associate to a WLAN if client MFP is
disabled or optional.
Configuring Intrusion Detection Systems (IDS)
The Cisco Intrusion Detection System/Intrusion Prevention System (IDS/IPS) instructs controllers to
block certain clients from accessing the wireless network when attacks involving these clients are
detected. This system offers significant network protection by helping to detect, classify, and stop threats
including worms, spyware/adware, network viruses, and application abuse. Two methods are available
to detect IDS attacks:
•
IDS sensors (for Layer 3)
•
IDS signatures (for Layer 2)
Viewing IDS Sensors
When the sensors identify an attack, they alert the controller to shun the offending client. When you add
a new IDS sensor, you register the controller with that IDS sensor so that the sensor can send shunned
client reports to the controller. The controller also polls the sensor periodically.
To view IDS sensors, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Choose a controller by clicking an IP address.
Step 3
From the left sidebar menu, choose Security > IDS Sensor Lists. The IDS Sensor page appears. This
page lists all of the IDS sensors that have been configured for this controller.
Configuring IDS Signatures
You can configure IDS signatures, or bit-pattern matching rules used to identify various types of attacks
in incoming 802.11 packets, on the controller. When the signatures are enabled, the access points joined
to the controller perform signature analysis on the received 802.11 data or management frames and
report any discrepancies to the controller. If an attack is detected, an appropriate mitigation action is
initiated.
Cisco supports 17 standard signatures on the controller as shown on the Standard Signatures and Custom
Signatures page. To open this page, choose Configure > Controllers, select a controller IP address, and
then choose Security > Wireless Protection Policies > Standard Signatures from the left sidebar
menu.
These signatures are divided into six main groups. The first four groups contain management signatures,
and the last two groups contain data signatures:
•
Broadcast deauthentication frame signatures—During a broadcast deauthentication frame attack, a
hacker sends an 802.11 deauthentication frame to the broadcast MAC destination address of another
client. This attack causes the destination client to disassociate from the access point and lose its
connection. If this action is repeated, the client experiences a denial of service. When the broadcast
deauthentication frame signature (precedence 1) is used to detect such an attack, the access point
listens for clients transmitting broadcast deauthentication frames that match the characteristics of
the signature. If the access point detects such an attack, it alerts the controller. Depending on how
your system is configured, the offending device is contained so that its signals no longer interfere
with authorized clients, or the controller forwards an immediate alert to the system administrator for
further action, or both.
•
NULL probe response signatures—During a NULL probe response attack, a hacker sends a NULL
probe response to a wireless client adapter. As a result, the client adapter locks up. When a NULL
probe response signature is used to detect such an attack, the access point identifies the wireless
client and alerts the controller. The NULL probe response signatures include the following:
– NULL probe resp 1 (precedence 2)
– NULL probe resp 2 (precedence 3)
•
Management frame flood signatures—During a management frame flood attack, a hacker floods an
access point with 802.11 management frames. The result is a denial of service to all clients
associated or attempting to associate to the access point. This attack can be implemented with
different types of management frames: association requests, authentication requests, reassociation
requests, probe requests, disassociation requests, deauthentication requests, and reserved
management subtypes.
When a management frame flood signature is used to detect such an attack, the access point
identifies management frames matching all of the characteristics of the signature. If the frequency
of these frames is greater than the value of the frequency set in the signature, an access point that
hears these frames triggers an alarm. The controller generates a trap and forwards it to the Prime
Infrastructure.
The management frame flood signatures include the following:
– Assoc flood (precedence 4)
– Auth flood (precedence 5)
– Reassoc flood (precedence 6)
– Broadcast probe flood (precedence 7)
– Disassoc flood (precedence 8)
– Deauth flood (precedence 9)
– Reserved mgmt 7 (precedence 10)
– Reserved mgmt F (precedence 11)
The reserved management frame signatures 7 and F are reserved for future use.
•
EAPOL flood signature—During an EAPOL flood attack, a hacker floods the air with EAPOL
frames containing 802.1X authentication requests. As a result, the 802.1X authentication server
cannot respond to all of the requests and fails to send successful authentication responses to valid
clients. The result is a denial of service to all affected clients. When the EAPOL flood signature
(precedence 12) is used to detect such an attack, the access point waits until the maximum number
of allowed EAPOL packets is exceeded. It then alerts the controller and proceeds with the
appropriate mitigation.
•
NetStumbler signatures—NetStumbler is a wireless LAN scanning utility that reports access point
broadcast information (such as operating channel, RSSI information, adapter manufacturer name,
SSID, WEP status, and the latitude and longitude of the device running NetStumbler when a GPS is
attached). If NetStumbler succeeds in authenticating and associating to an access point, it sends a
data frame with the following strings, depending on the NetStumbler version listed in Table 3-9.
Table 3-9 NetStumbler Versions

| Version | String |
| --- | --- |
| 3.2.0 | “Flurble gronk bloopit, bnip Frundletrune” |
| 3.2.3 | “All your 802.11b are belong to us” |
| 3.3.0 | Sends white spaces |
When a NetStumbler signature is used to detect such an attack, the access point identifies the
offending device and alerts the controller. The NetStumbler signatures include the following:
– NetStumbler 3.2.0 (precedence 13)
– NetStumbler 3.2.3 (precedence 14)
– NetStumbler 3.3.0 (precedence 15)
– NetStumbler generic (precedence 16)
•
Wellenreiter signature—Wellenreiter is a wireless LAN scanning and discovery utility that can
reveal access point and client information. When the Wellenreiter signature (precedence 17) is used
to detect such an attack, the access point identifies the offending device and alerts the controller.
This section provides the instructions to configure signatures and contains the following topics:
•
Uploading IDS Signatures
•
Downloading IDS Signatures
•
Enabling or Disabling IDS Signatures
Uploading IDS Signatures
To upload IDS signatures from the controller, follow these steps:
Step 1
Obtain a signature file from Cisco (hereafter called a standard signature file). You can also create your
own signature file (hereafter called a custom signature file) by following the “Downloading IDS
Signatures” section on page 3-49.
Step 2
You can configure a TFTP server for the signature download. Keep these guidelines in mind when setting
up a TFTP server:
•
If you are downloading through the service port, the TFTP server must be on the same subnet as the
service port because the service port is not routable. However, if you want to put the TFTP server
on a different network while the management port is down, add a static route if the subnet where the
service port resides has a gateway (config route add IP address of TFTP server).
•
If you are downloading through the distribution system network port, the TFTP server can be on the
same or a different subnet because the distribution system port is routable.
•
A third-party TFTP server cannot run on the same computer as Prime Infrastructure because the
built-in TFTP server of the Prime Infrastructure and the third-party TFTP server use the same
communication port.
Step 3
Choose Configure > Controllers.
Step 4
Choose a controller by clicking an IP address.
Step 5
From the left sidebar menu, choose Security and then choose Standard Signatures or Custom
Signatures.
Step 6
From the Select a command drop-down list, choose Upload Signature Files from Controller.
Step 7
Specify the TFTP server name being used for the transfer.
Step 8
If the TFTP server is new, enter the TFTP IP address at the Server IP Address field.
Step 9
Choose Signature Files from the File Type drop-down list.
Step 10
The signature files are uploaded to the root directory which was configured for use by the TFTP server.
You can change to a different directory at the Upload to File field (this field only shows if the Server
Name is the default server). The controller uses this local file name as a base name and then adds _std.sig
as a suffix for standard signature files and _custom.sig as a suffix for custom signature files.
Step 11
Click OK.
Downloading IDS Signatures
If the standard signature file is already on the controller but you want to download customized signatures
to it, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Choose a controller by clicking an IP address.
Step 3
Choose System > Commands.
Step 4
From the Upload/Download Commands drop-down list, choose Download IDS Signatures, and click
Go.
Step 5
Copy the signature file (*.sig) to the default directory on your TFTP server.
Step 6
Choose local machine from the File is Located On field. If you know the filename and path relative to
the root directory of the server, you can also choose TFTP server.
Step 7
Enter the maximum number of times the controller should attempt to download the signature file in the
Maximum Retries field.
Step 8
Enter the maximum amount of time, in seconds, before the controller times out while attempting to
download the signature file in the Timeout field.
Step 9
The signature files are uploaded to the c:\tftp directory. Specify the local file name in that directory or
use the Browse button to navigate to it. A “revision” line in the signature file specifies whether the file
is a Cisco-provided standard signature file or a site-tailored custom signature file (custom signature files
must always have revision=custom).
Step 10
If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is
Located On field, and the Server File Name is populated for you and retried. The local machine option
initiates a two-step operation. First, the local file is copied from the workstation of the administrator to
the built-in TFTP server of the Prime Infrastructure. Then the controller retrieves that file. For later
operations, the file is already in the TFTP directory of the Prime Infrastructure server, and the download
web page now automatically populates the filename.
Step 11
Click OK.
Enabling or Disabling IDS Signatures
To enable or disable an IDS signature, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Choose a controller by clicking an IP address.
Step 3
From the left sidebar menu, choose Security and then choose Standard Signatures or Custom
Signatures.
Step 4
To enable or disable an individual signature, click in the Name column for the type of attack you want
to enable or disable.
The Standard Signature Parameters page shows the list of Cisco-supplied signatures that are currently
on the controller. The Custom Signatures page shows the list of customer-supplied signatures that are
currently on the controller. The following information is displayed either in the signature page or the
detailed signature page:
•
Precedence—The order, or precedence, in which the controller performs the signature checks.
•
Name—The type of attack the signature is trying to detect.
•
Description—A more detailed description of the type of attack that the signature is trying to detect.
•
Frame Type—Management or data frame type on which the signature is looking for a security
attack.
•
Action—What the controller is directed to do when the signature detects an attack. One possibility
is None, where no action is taken, and another is Report, to report the detection.
•
Frequency—The signature frequency, or the number of matching packets per interval that must be
identified at the detecting access point level before an attack is detected. The range is 1 to 32,000
packets per interval, and the default value is 50 packets per interval.
•
Quiet Time—The length of time (in seconds) that must pass with no attacks detected at the
individual access point level before the alarm can stop. This time appears only if the MAC information
is all or both. The range is 60 to 32,000 seconds, and the default value is 300 seconds.
•
MAC Information—Whether the signature is to be tracked per network or per MAC address or both
at the detecting access point level.
•
MAC Frequency—The signature MAC frequency, or the number of matching packets per interval
that must be identified at the controller level before an attack is detected. The range is 1 to 32,000
packets per interval, and the default value is 30 packets per interval.
•
Interval—Enter the number of seconds that must elapse before the signature frequency threshold is
reached within the configured interval. The range is 1 to 3600 seconds, and the default value is 1
second.
•
Enable—Select this to enable this signature to detect security attacks or unselect it to disable this
signature.
•
Signature Patterns—The pattern that is being used to detect a security attack.
Step 5
From the Enabled yes or no drop-down list, choose yes. Because you are downloading a customized
signature, you should enable the files named with the _custom.sig suffix and disable the standard signature
with the same name but differing suffix. (For example, if you are customizing broadcast probe flood, you
want to disable broadcast probe flood in the standard signatures but enable it in custom signatures.)
Step 6
To enable all standard and custom signatures currently on the controller, choose Edit Signature
Parameters from the Select a command drop-down list, and choose Go. The Edit Signature Parameters
page appears.
Step 7
In the Check for All Standard and Custom Signatures field, select the Enable check box. This enables all
signatures that were individually selected as enabled in Step 5. If this check box remains unselected, all
files are disabled, even those that were previously enabled in Step 5. When the signatures are enabled,
the access points joined to the controller perform signature analysis on the received 802.11 data or
management frames and report any discrepancies to the controller.
Step 8
Click Save.
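How the Frequency, MAC Frequency, Interval, Quiet Time and MAC Information parameters listed in Step 4 interact can be seen in the following model. It is an added example, not the controller's code: it uses the default values given above and the "greater than" comparison from the flood signature description, while the fixed counting windows and the clear time measured from the start of the last detecting window are assumptions. The frames and MAC addresses are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

ATTACKER = "02:00:00:00:00:aa"   # constructed source MAC


@dataclass
class Signature:
    name: str
    frequency: int = 50       # packets per interval, all sources together
    mac_frequency: int = 30   # packets per interval from one source MAC
    interval: int = 1         # seconds
    quiet_time: int = 300     # seconds without detections before the alarm stops
    tracking: str = "both"    # MAC Information: "network", "mac" or "both"


def evaluate(sig, frames):
    """frames: (timestamp_seconds, source_mac) pairs that already matched the
    signature pattern at one access point.

    Returns alarm episodes as (key, first_detection, clear_time), where key is
    "network" or the offending source MAC.
    """
    total = Counter()
    per_mac = defaultdict(Counter)
    for ts, mac in frames:
        window = int(ts // sig.interval)
        total[window] += 1
        per_mac[mac][window] += 1

    detections = defaultdict(list)           # key -> window start times
    if sig.tracking in ("network", "both"):
        for window, count in total.items():
            if count > sig.frequency:
                detections["network"].append(window * sig.interval)
    if sig.tracking in ("mac", "both"):
        for mac, windows in per_mac.items():
            for window, count in windows.items():
                if count > sig.mac_frequency:
                    detections[mac].append(window * sig.interval)

    episodes = []
    for key, times in detections.items():
        times.sort()
        start = last = times[0]
        for t in times[1:]:
            if t - last > sig.quiet_time:    # quiet period elapsed: alarm stopped
                episodes.append((key, start, last + sig.quiet_time))
                start = t
            last = t
        episodes.append((key, start, last + sig.quiet_time))
    return sorted(episodes, key=lambda e: (e[1], e[0]))


def burst(second, mac, count):
    """Constructed traffic: `count` matching frames spread over one second."""
    return [(second + i / count, mac) for i in range(count)]


def sample_frames():
    frames = []
    for second in (10, 11, 12):              # one source, 40 frames per second
        frames += burst(second, ATTACKER, 40)
    for n in range(6):                       # six sources, 10 frames each
        frames += burst(100, f"02:00:00:00:01:{n:02x}", 10)
    frames += burst(400, ATTACKER, 40)       # same source, after the quiet time
    return frames
```

In the sample, the six low-rate sources at second 100 never exceed the per-MAC threshold and are caught only by the aggregate Frequency count, so setting MAC Information to per-MAC tracking alone would miss them.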
Enabling Web Login
With web authentication, guests are automatically redirected to web authentication pages when they
launch their browsers. Guests gain access to the WLAN through this web portal. Wireless LAN
administrators using this authentication mechanism should have the option of providing unencrypted or
encrypted guest access. Guest users can then log into the wireless network using a valid username and
password, which is encrypted with SSL. Web authentication accounts might be created locally or
managed by a RADIUS server. The Cisco Wireless LAN controllers can be configured to support a web
authentication client. See the “Configuring a Web Authentication Template” section on page 11-613 to
create a template that replaces the Web authentication page provided on the controller.
Step 1
Choose Configure > Controllers.
Step 2
Choose the controller on which to enable web authentication by clicking an IP address URL in the IP
Address column.
Step 3
From the left sidebar menu, choose Security > AAA > Web Auth Configuration.
Step 4
Choose the appropriate web authentication type from the drop-down list. The choices are default
internal, customized web authentication, or external.
•
If you choose default internal, you can still alter the page title, message, and redirect URL, as well
as choose whether the logo appears. Continue to Step 5.
•
If you choose customized web authentication, skip to the “Downloading Customized Web
Authentication” section on page 3-52.
•
If you choose external, you need to enter the URL you want to redirect to after a successful
authentication. For example, if the value entered for this text box is http://www.example.com, the
user is directed to the company home page.
Step 5
Select the Logo Display check box if you want your company logo to display.
Step 6
Enter the title you want displayed on the Web authentication page.
Step 7
Enter the message you want displayed on the Web authentication page.
Step 8
In the Customer Redirect URL field, provide the URL where the user is redirected after a successful
authentication. For example, if the value entered for this text box is http://www.example.com, the user
is directed to the company home page.
Step 9
Click Save.
Downloading Customized Web Authentication
You can download a customized Web authentication page to the controller. A customized web page is
created to establish a username and password for user web access.
When downloading customized web authentication, these strict guidelines must be followed:
•
A username must be provided.
•
A password must be provided.
•
A redirect URL must be retained as a hidden input item after extracting from the original URL.
•
The action URL must be extracted and set from the original URL.
•
Scripts to decode the return status code must be included.
•
All paths used in the main page should be of relative type.
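A pre-download check for the guidelines above, as an added example that is not part of the Cisco guide or its sample bundle: it inspects a .tar bundle for a login.html with username and password inputs, a hidden redirect input, at least one script, and only relative resource paths. The input names `username`, `password` and `redirect_url`, the type=password check, the archive-path checks, and the sample pages are assumptions constructed for illustration.

```python
import io
import tarfile
from html.parser import HTMLParser

# Assumed input names (not stated on this page); change them to match your form.
USER_FIELD, PASS_FIELD, REDIRECT_FIELD = "username", "password", "redirect_url"
PATH_ATTRS = ("src", "href", "background")


class _PageScan(HTMLParser):
    """Collects input fields, script tags and resource paths from a page."""
    def __init__(self):
        super().__init__()
        self.inputs = {}   # input name -> input type
        self.scripts = 0
        self.paths = []    # (tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "input" and attrs.get("name"):
            self.inputs[attrs["name"].lower()] = attrs.get("type", "text").lower()
        if tag == "script":
            self.scripts += 1
        for name in PATH_ATTRS:
            if name in attrs:
                self.paths.append((tag, name, attrs[name].strip()))


def is_relative(path):
    """True when a path has no scheme, host or leading slash."""
    p = path.strip().lower()
    if not p or p.startswith("#"):
        return True
    if p.startswith(("/", "\\")) or "://" in p:
        return False
    return ":" not in p.split("/", 1)[0]   # rejects javascript:, data:, drive letters


def check_login_page(html):
    """Return the guideline violations found in one login.html, as strings."""
    scan = _PageScan()
    scan.feed(html)
    problems = []
    if USER_FIELD not in scan.inputs:
        problems.append("no username input")
    # type=password is an added check; the guideline only asks for a password.
    if scan.inputs.get(PASS_FIELD) != "password":
        problems.append("no password input of type=password")
    if scan.inputs.get(REDIRECT_FIELD) != "hidden":
        problems.append("redirect URL is not kept as a hidden input")
    if scan.scripts == 0:
        problems.append("no script to set the action URL or decode the status code")
    for tag, attr, value in scan.paths:
        if not is_relative(value):
            problems.append(f"non-relative path in <{tag} {attr}>: {value}")
    return problems


def check_bundle(tar_bytes, page_name="login.html"):
    """Validate an uncompressed .tar bundle held in memory."""
    problems, page = [], None
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            parts = member.name.replace("\\", "/").split("/")
            if member.name.startswith("/") or ".." in parts:
                problems.append(f"unsafe archive path: {member.name}")
            elif not (member.isfile() or member.isdir()):
                problems.append(f"not a regular file: {member.name}")
            elif member.isfile() and parts[-1].lower() == page_name:
                page = tar.extractfile(member).read().decode("utf-8", "replace")
    if page is None:
        return problems + [f"{page_name} missing from bundle"]
    return problems + check_login_page(page)


def make_bundle(files):
    """Build an in-memory .tar from {name: text} for the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample pages, not the login.html shipped by Cisco.
GOOD_PAGE = """<html><head><script src="status.js"></script></head><body>
<img src="images/logo.gif"><form method="post">
<input type="hidden" name="redirect_url" value="">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="Accept terms and conditions and Submit">
</form></body></html>"""
BAD_PAGE = """<html><body><img src="http://cdn.example.com/logo.gif">
<link rel="stylesheet" href="/css/site.css"><form method="post">
<input type="text" name="username"><input type="text" name="password">
</form></body></html>"""
```

Run `check_bundle()` on the bytes of the edited bundle before pushing it to the controller; an empty list means none of the checked guidelines is violated.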
Before downloading, if you chose the customized web authentication option in Step 4 of the previous
section, follow these steps:
Step 1
Click the preview image to download the sample login.html bundle file from the server. See Figure 3-1
for an example of the login.html file. The downloaded bundle is a .TAR file.
Figure 3-1
Login.html
Step 2
Open and edit the login.html file and save it as a .tar or .zip file.
Note
You can edit the text of the Submit button with any text or HTML editor to read “Accept terms
and conditions and Submit.”
Step 3
Make sure you have a Trivial File Transfer Protocol (TFTP) server available for the download. Keep
these guidelines in mind when setting up a TFTP server:
•
If you are downloading through the service port, the TFTP server must be on the same subnet as the
service port because the service port is not routable.
•
If you are downloading through the distribution system network port, the TFTP server can be on the
same or a different subnet because the distribution system port is routable.
•
A third-party TFTP server cannot run on the same computer as Prime Infrastructure because the
built-in TFTP server of the Prime Infrastructure and third-party TFTP server use the same
communication port.
Step 4
Click here in the “After editing the HTML you might click here to redirect to the Download Web Auth
Page” link to download the .tar or .zip file to the controller(s). The Download Customized Web Auth
Bundle to Controller page appears.
Note
The IP address of the controller to receive the bundle and the current status are displayed.
Step 5
Choose local machine from the File is Located On field. If you know the filename and path relative to
the root directory of the server, you can also choose TFTP server.
Note
For a local machine download, either the .zip or the .tar file option is available, but the Prime
Infrastructure converts .zip to .tar automatically. If you chose a TFTP server download, only .tar
files are specified.
Step 6
Enter the maximum amount of time in seconds before the controller times out while attempting to
download the file in the Timeout field.
Step 7
The Prime Infrastructure Server Files In field specifies where the Prime Infrastructure server files are
located. Specify the local file name in that directory or use the Browse button to navigate to it. A
“revision” line in the signature file specifies whether the file is a Cisco-provided standard signature file
or a site-tailored custom signature file (custom signature files must always have revision=custom).
Step 8
If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is
Located On field, and the Server File Name is populated. The local machine option initiates a two-step
operation. First, the local file is copied from the workstation of the administrator to the built-in TFTP
server of the Prime Infrastructure. Then the controller retrieves that file. For later operations, the file is
already in the TFTP directory of the Prime Infrastructure server, and the download web page now
automatically populates the filename.
Step 9
Click OK.
If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is
Located On field, and the Server File Name is populated for you.
Step 10
After completing the download, you are directed to the new page and able to authenticate.
Connecting to the Guest WLAN
To connect to the guest central WLAN to complete the web authentication process, follow these steps:
See the “Creating Guest User Accounts” section on page 7-246 for more explanation of a guest user
account.
Step 1
When you are set for open authentication and are connected, browse to the virtual interface IP address
(such as /209.165.200.225/login.html).
Step 2
When the Prime Infrastructure user interface displays the Login page, enter your username and
password.
Note
All entries are case sensitive.
The lobby ambassador has access to the templates only to add guest users.
Certificate Signing Request (CSR) Generation
To generate a Certificate Signing Request (CSR) for a third-party certificate using the Prime
Infrastructure, see the Appendix C, “Certificate Signing Request (CSR) Generation for a Third-Party
Certificate on Cisco Prime Infrastructure.”
CHAPTER 4
Performing Maintenance Operations
You can perform actions at the system level, such as updating system software or downloading
certificates that can be used with many items.
This chapter describes the system level tasks to perform with the Cisco Prime Infrastructure. It contains
the following sections:
•
Information About Maintenance Operations
•
Performing System Tasks
•
Performing Prime Infrastructure Operations
Information About Maintenance Operations
A system-level task is a collection of tasks that relate to operations that apply to the Prime Infrastructure
database as a whole. System tasks also include restoring the Prime Infrastructure database. For more
information, see the “Restoring the Prime Infrastructure Database” section on page 4-62.
Performing System Tasks
This section describes how to use the Prime Infrastructure to perform system-level tasks. This section
contains the following topics:
•
Adding a Controller to the Prime Infrastructure Database
•
Using Prime Infrastructure to Update System Software
•
Downloading Vendor Device Certificates
•
Downloading Vendor CA Certificates
•
Using Prime Infrastructure to Enable Long Preambles for SpectraLink NetLink Phones
•
Creating an RF Calibration Model
Adding a Controller to the Prime Infrastructure Database
To add a controller to the Prime Infrastructure database, follow these steps:
Note
We recommend that you manage controllers through the controller dedicated service port for improved
security. However, when you manage controllers that do not have a service port (such as 2000 series
controllers) or for which the service port is disabled, you must manage those controllers through the
controller management interface.
Step 1
Log into the Prime Infrastructure user interface.
Step 2
Choose Configure > Controllers to display the All Controllers page.
Step 3
From the Select a command drop-down list, choose Add Controller, and click Go.
Step 4
In the Add Controller page, enter the controller IP address, network mask, and required SNMP settings.
Step 5
Click OK. Prime Infrastructure displays a Please Wait dialog box while it contacts the controller and
adds the current controller configuration to the Prime Infrastructure database. It then returns you to the
Add Controller page.
Step 6
If the Prime Infrastructure does not find a controller at the IP address that you entered for the controller,
the Discovery Status dialog displays this message:
No response from device, check SNMP.
Check these settings to correct the problem:
•
The controller service port IP address might be set incorrectly. Check the service port setting on the
controller.
•
Prime Infrastructure might not have been able to contact the controller. Make sure that you can ping
the controller from the Prime Infrastructure server.
•
The SNMP settings on the controller might not match the SNMP settings that you entered in the
Prime Infrastructure. Make sure that the SNMP settings configured on the controller match the
settings that you entered in the Prime Infrastructure.
Step 7
Add additional controllers if desired.
Using Prime Infrastructure to Update System Software
To update controller (and access point) software using the Prime Infrastructure, follow these steps:
Step 1
Enter the ping ip-address command to be sure that the Prime Infrastructure server can contact the
controller. If you use an external TFTP server, enter the ping ip-address command to be sure that the
Prime Infrastructure server can contact the TFTP server.
Note
When you are downloading through a controller distribution system (DS) network port, the
TFTP server can be on the same or a different subnet because the DS port is routable.
Step 2
Choose Configure > Controllers to navigate to the All Controllers page.
Step 3
Select the check box of the desired controller, choose Download Software (TFTP or FTP) from the
Select a command drop-down list, and click Go. Prime Infrastructure displays the Download Software
to Controller page.
Step 4
If you use the built-in Prime Infrastructure TFTP server, choose Default Server from the Server Name
drop-down list box. If you use an external TFTP server, choose New from the Server Name drop-down
list box and add the external TFTP server IP address.
Step 5
Enter the file path and server file name in their respective text boxes (for example, AS_2000_release.aes
for 2000 series controllers). The files are uploaded to the root directory which was configured for use by
the TFTP server. You can change to a different directory.
Note
Be sure that you have the correct software file for your controller.
Step 6
Click Download. Prime Infrastructure downloads the software to the controller, and the controller writes
the code to flash RAM. As Prime Infrastructure performs this function, it displays its progress in the
Status field.
Downloading Vendor Device Certificates
Each wireless device (controller, access point, and client) has its own device certificates. For example,
the controller is shipped with a Cisco-installed device certificate. This certificate is used by EAP-TLS
and EAP-FAST (when not using PACs) to authenticate wireless clients during local EAP authentication.
However, if you want to use your own vendor-specific device certificate, it must be downloaded to the
controller.
To download a vendor-specific device certificate to the controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
You can download the certificates in one of two ways:
a.
Select the check box of the controller you choose.
b.
Choose Download Vendor Device Certificate from the Select a command drop-down list, and click
Go.
or
a.
Click the URL of the desired controller in the IP Address column.
b.
Choose System > Commands from the left sidebar menu.
c.
Choose TFTP or FTP in the Upload/Download Command section.
d.
Choose Download Vendor Device Certificate from the Upload/Download Commands drop-down
list, and click Go.
Step 3
In the Certificate Password text box, enter the password which was used to protect the certificate.
Step 4
Specify if the certificate to download is on the TFTP server or on the local machine. If it is on the TFTP
server, the name must be supplied in the Server File Name field. If the certificate is on the local machine,
you must specify the file path in the Local File Name field using the Choose File button.
Step 5
Enter the TFTP server name in the Server Name field. The default is for the Prime Infrastructure server
to act as the TFTP server.
Step 6
Enter the server IP address.
Step 7
In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to
download the certificate.
Step 8
In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download
the certificate.
Step 9
In the Local File Name text box, enter the directory path of the certificate.
Step 10
Click OK.
Downloading Vendor CA Certificates
Controllers and access points have a certificate authority (CA) certificate that is used to sign and validate
device certificates. The controller is shipped with a Cisco-installed CA certificate. This certificate might
be used by EAP-TLS and EAP-FAST (when not using PACs) to authenticate wireless clients during local
EAP authentication. However, if you want to use your own vendor-specific CA certificate, it must be
downloaded to the controller. To download a vendor CA certificate to the controller, follow these
steps:
Step 1
Choose Configure > Controllers.
Step 2
You can download the certificates in one of two ways:
a.
Select the check box of the controller you choose.
b.
Choose Download Vendor CA Certificate from the Select a command drop-down list, and click
Go.
or
a.
Click the URL of the desired controller in the IP Address column.
b.
Choose System > Commands from the left sidebar menu.
c.
Choose Download Vendor CA Certificate from the Upload/Download Commands drop-down list,
and click Go.
Step 3
Specify if the certificate to download is on the TFTP server or on the local machine. If it is on the TFTP
server, the name must be supplied in the Server File Name field in Step 9. If the certificate is on the local
machine, you must specify the file path in the Local File Name field in Step 8 using the Browse button.
Step 4
Enter the TFTP server name in the Server Name field. The default is for the Prime Infrastructure server
to act as the TFTP server.
Step 5
Enter the server IP address.
Step 6
In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to
download the certificate.
Step 7
In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download
the certificate.
Step 8
In the Local File Name text box, enter the directory path of the certificate.
Step 9
Click OK.
Using Prime Infrastructure to Enable Long Preambles for SpectraLink NetLink Phones
A radio preamble (sometimes called a header) is a section of data at the head of a packet. It contains
information that wireless devices need when sending and receiving packets. Short preambles improve
throughput performance, so they are enabled by default. However, some wireless devices, such as
SpectraLink NetLink phones, require long preambles.
To optimize the operation of SpectraLink NetLink phones on your wireless LAN by using the Prime
Infrastructure to enable long preambles, follow these steps:
Step 1
Log into the Prime Infrastructure user interface.
Step 2
Choose Configure > Controllers to navigate to the All Controllers page.
Step 3
Click the IP address of the desired controller.
Step 4
From the left sidebar menu, choose 802.11b/g/n > Parameters.
Step 5
If the IP Address > 802.11b/g/n Parameters page shows that short preambles are enabled, continue to the
next step. However, if short preambles are disabled, which means that long preambles are enabled, the
controller is already optimized for SpectraLink NetLink phones, and you do not need to continue this
procedure.
Step 6
Enable long preambles by unselecting the Short Preamble check box.
Step 7
Click Save to update the controller configuration.
Step 8
To save the controller configuration, choose System > Commands from the left sidebar menu, choose
Save Config To Flash from the Administrative Commands drop-down list, and click Go.
Step 9
To reboot the controller, choose Reboot from the Administrative Commands drop-down list and click
Go.
Step 10
Click OK when the following message appears.
Please save configuration by clicking “Save Config to flash”. Do you want to continue
rebooting anyways?
The controller reboots. This process might take some time, during which the Prime Infrastructure loses
its connection to the controller.
Note
You can view the controller reboot process with a command-line interface session.
Creating an RF Calibration Model
If you would like to further refine the Prime Infrastructure Location tracking of client and rogue access
points across one or more floors of a building, you have the option of creating an RF calibration model
that uses physically collected RF measurements to fine-tune the location algorithm. When you have
multiple floors in a building with the same physical layout as the calibrated floor, you can save time
calibrating the remaining floors by using the same RF calibration model for the remaining floors.
The calibration models are used as RF overlays with measured RF signal characteristics that can be
applied to different floor areas. This allows the Cisco Unified Wireless Network Solution installation
team to lay out one floor in a multi-floor area, use the RF calibration tool to measure and save the RF
characteristics of that floor as a new calibration model, and apply that calibration model to all the other
floors with the same physical layout.
Performing Prime Infrastructure Operations
This section contains the following topics:
•
Verifying the Status of Prime Infrastructure
•
Stopping Prime Infrastructure
•
Backing Up the Prime Infrastructure Database
•
Restoring the Prime Infrastructure Database
•
Restoring the Prime Infrastructure Database in a High Availability Environment
•
Upgrading WCS to Prime Infrastructure
•
Upgrading the Network
•
Reinitializing the Database
•
Recovering the Prime Infrastructure Password
•
Performing Disk Cleanup
Verifying the Status of Prime Infrastructure
This section provides instructions for checking the status of the Prime Infrastructure. You can check
the status at any time. To check the status of the Prime Infrastructure, follow these steps:
Step 1
Log into the system as admin.
Step 2
Using the CARS command-line interface, enter the ncs status command.
The command-line interface displays messages indicating the status of the Prime Infrastructure.
Stopping Prime Infrastructure
This section provides instructions for stopping the Prime Infrastructure. You can stop the Prime
Infrastructure at any time. To stop the Prime Infrastructure, follow these steps:
Note
If any users are logged in when you stop the Prime Infrastructure, their Prime Infrastructure sessions
stop functioning.
Step 1
Log into the system as admin.
Note
To see which version of the Prime Infrastructure you currently have installed, enter show
application version ncs.
Step 2
Using the CARS command-line interface, enter the ncs stop command.
The command-line interface displays messages indicating that the Prime Infrastructure is stopping.
Backing Up the Prime Infrastructure Database
This section provides instructions for backing up the Prime Infrastructure database. You can schedule
regular backups through the Prime Infrastructure user interface or manually initiate a back up. The
following files are backed up using both the Prime Infrastructure user interface and the command-line
interface:
•
Oracle database
•
Maps
•
Report files
•
Accuracy files used for generating reports
•
USERMGT file
The device configurations are obtained from the devices in the back up files.
Note
Machine specific settings (such as FTP enable and disable, FTP port, FTP root directory, TFTP
enable and disable, TFTP port, TFTP root directory, HTTP forward enable and disable, HTTP
port, HTTPS port, report repository directory, and all high availability settings) are not included
in the back up and restore function if the back up is restored to a different device.
This section contains the following topics:
•
Scheduling Automatic Backups
•
Performing a Manual Backup
Scheduling Automatic Backups
To schedule automatic back ups of the Prime Infrastructure database, follow these steps:
Step 1
Log into the Prime Infrastructure user interface.
Step 2
Choose Administration > Background Tasks to display the Scheduled Tasks page.
Step 3
Click NCS Server Backup task.
Step 4
Select the Enabled check box.
Step 5
At the Backup Repository field, choose an existing backup repository, or click Create to create a new
repository.
Step 6
If you are backing up to a remote location, select the FTP Repository check box. You need to enter the
FTP location, username, and password of the remote machine.
Step 7
In the Interval (Days) text box, enter a number representing the number of days between each back up.
For example, 1 = a daily back up, 2 = a back up every other day, 7 = a weekly back up, and so on.
Range: 1 to 360
Default: 7
Step 8
In the Time of Day text box, enter the time when you want the back up to start. It must be in this format:
hh:mm AM/PM (for example: 03:00 AM).
Note
Backing up a large database affects the performance of the Prime Infrastructure server.
Therefore, we recommend that you schedule backups to run when the Prime Infrastructure server
is idle (for example, in the middle of the night).
Step 9
Click Submit to save your settings. The back up file is saved as a .zip file in the
ftp-install-dir/ftp-server/admin/NCSBackup directory using this format: dd-mmm-yy_hh-mm-ss.zip
(for example, 11-Nov-05_10-30-00.zip).
Performing a Manual Backup
To back up the Prime Infrastructure database, follow these steps:
Note
We recommend that you do a back up using the User Interface when the system is running. To
do this, choose Administration > Background Tasks, select the NCS Server Backup task, and
then select Execute Now.
Step 1
Log into the system as admin.
Step 2
You can perform a back up using the command-line interface.
Step 3
Back up the application data to the repository (local or remote) by entering the following command:
backup testbackup repository backup_repo application NCS
Restoring the Prime Infrastructure Database
If you are restoring the Prime Infrastructure database in a high availability environment, see the
“Restoring the Prime Infrastructure Database in a High Availability Environment” section on page 4-63.
To restore the Prime Infrastructure database from a back up file, follow these steps:
Step 1
To view all local repository backups, enter the following command:
show repository backup_repo
Note
If possible, stop all the Prime Infrastructure user interfaces to stabilize the database.
Step 2
Manually shut down the platform using the ncs stop command.
Step 3
Restore the application back up by entering the following command:
restore backup gpg file repository repository name application NCS
Step 4
Click Yes if a message appears indicating that the Prime Infrastructure is running and needs to be shut
down.
The command-line interface displays messages indicating that the Prime Infrastructure database is being
restored.
Restoring the Prime Infrastructure Database in a High Availability Environment
During installation, you were prompted to determine if a secondary Prime Infrastructure server would
be used for high availability support to the primary Prime Infrastructure server. If you opted for this high
availability environment and enabled it in the Administration > High Availability page, the status
appears as HA enabled. Before restoring a database, you must convert the status to HA not configured.
Caution
You should not upgrade the system while the system is in HA enabled mode. If you attempt to restore
the database while the status is set to HA enabled, unexpected results might occur.
To change the status from HA enabled to HA not configured, do the following:
•
Choose Administration > High Availability.
•
Click Remove in the HA Configuration page.
The primary server is now in HA Not Configured mode, and you can safely restore the data from the
back up.
Once the data is successfully restored and the system is operational, reestablish the HA between the
primary and the secondary systems.
Upgrading WCS to Prime Infrastructure
A direct upgrade from a WCS release to the Prime Infrastructure 1.2 is not supported. You must first
upgrade to an NCS 1.1 release, and then upgrade to the Prime Infrastructure 1.2.
Prime Infrastructure supports data migration in the NCS Releases 1.0.2.29, 1.1.0.58, and 1.1.1.24.
Before you migrate from an NCS release to Prime Infrastructure 1.2, you must perform the following:
•
Install the ‘disk space management’ patch to the existing system.
•
Ensure that you perform a back up before attempting to upgrade.
•
Use a console connection when you upgrade, to avoid Telnet/SSH terminal timeouts.
•
Remove high availability before performing the upgrade.
For detailed information about the application upgrade, see the following URL:
http://www.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/2.0/quickstart/guide/cpi_qsg.html#wp56675
If you are upgrading to the Prime Infrastructure in a high availability environment, see the “Upgrading
Prime Infrastructure in a High Availability Environment” section on page 4-64.
Upgrading Prime Infrastructure in a High Availability Environment
If you have a primary and secondary Prime Infrastructure, follow these steps for a successful upgrade:
Step 1
You must first remove the HA configuration with the following steps:
a.
Log in to the primary Prime Infrastructure server.
b.
Choose Administration > High Availability, and choose HA Configuration from the left sidebar
menu.
c.
Click Remove to remove the HA configuration.
Note
It might take a few minutes for the remove to complete.
Step 2
You must first upgrade the secondary Prime Infrastructure with the following steps:
a.
Shut down the secondary Prime Infrastructure. See the “Stopping Prime Infrastructure” section on
page 4-60 for more information.
Note
You can use ncs stop for a graceful shut down.
b.
Perform an upgrade on the secondary Prime Infrastructure.
c.
Start the secondary Prime Infrastructure.
Step 3
Upgrade the primary Prime Infrastructure.
a.
Shut down the primary Prime Infrastructure. See the “Stopping Prime Infrastructure” section on
page 4-60 for more information.
b.
Perform an upgrade on the primary Prime Infrastructure.
c.
Start the primary Prime Infrastructure.
Step 4
Enable HA again on the primary Prime Infrastructure.
a.
Log in to the primary Prime Infrastructure server.
b.
Choose Administration > High Availability and select HA Configuration from the left sidebar menu.
c.
Enter the HA configuration settings and click Save to enable high availability.
Upgrading the Network
Network upgrades must follow a recommended procedure so that databases can remain synchronized
with each other. For example, you cannot upgrade the controller portion of the network to a newer
release while keeping the current Prime Infrastructure version. The supported order of
upgrade is Prime Infrastructure first, followed by the controller, and then any additional devices.
Reinitializing the Database
If you need to reset the database because of a synchronization problem or a corruption of some type,
enter ncs db reinitdb to reinitialize the database.
Recovering the Prime Infrastructure Password
You can change the Prime Infrastructure application root user or FTP user password. This option
provides a safeguard if you lose the root password. An executable was added to the installer /bin
directory (passwd.bat for Windows and passwd.sh for Linux). To recover the passwords and regain
access, follow these steps:
Note
If you are a Linux user, you must be the root user to run the command.
Note
In Linux, use the passwd.sh to change the Prime Infrastructure password. The passwd is a built-in Linux
command to change the OS password.
Step 1
Log in to the Prime Infrastructure command-line interface as an admin user.
Step 2
Run the following command:
ncs password root password password
Where password is the root user login password. You can enter a password not exceeding 80 characters.
Example of the command usage:
ncs-appliance/admin# ncs password root password ?
<WORD>
Type in root user login password (Max Size - 80)
You should now be able to log in to the Prime Infrastructure web interface with the new root password.
Performing Disk Cleanup
When the Prime Infrastructure is running low on disk space, an alarm is raised in the system. Also, the
following error appears as a pop-up dialog box.
The system is running low on diskspace, please refer to online help to perform
disk cleanup.
To resolve this issue, use the following CLI command:
ncs cleanup
You can use this command to free up and reclaim disk space.
For more information, see the “Performing Disk Cleanup” section on page A-9.
Chapter 5
Monitoring Devices
Information About Monitoring
This chapter describes how to use the Cisco Prime Infrastructure to monitor Cisco WLAN Solution
device configurations. This chapter contains the following sections:
• Monitoring Controllers
• Monitoring Switches
• Monitoring Access Points
• Monitoring RFID Tags
• Monitoring Chokepoints
• Monitoring Interferers
• Monitoring Spectrum Experts
• Monitoring WiFi TDOA Receivers
• Monitoring Media Streams
• Monitoring Radio Resource Management (RRM)
• Monitoring Clients and Users
• Monitoring Alarms
• Monitoring Events
• Monitoring Site Maps
• Monitoring Google Earth Maps
Monitoring Controllers
Choose Monitor > Controllers to access the controller list page. Click a controller IP address to view
its details.
This section contains the following topics:
• Searching Controllers
• Viewing a List of Controllers
• Monitoring System Parameters
• Monitoring Ports
• Monitoring Controller Security
• Monitoring Controller Mobility
• Monitoring Controller 802.11a/n
• Monitoring Controllers 802.11b/g/n
• Monitoring Controllers IPv6
• Monitoring mDNS Service Provider Information
Searching Controllers
Use the Prime Infrastructure Search feature to find specific controllers or to create and save custom
searches.
For a controller search, you can search using the following fields:
Table 5-1 Search Controllers
Fields | Description
Search for controller by | Choose All Controllers, IP Address, Controller Name, or Network. Note: Search fields might change depending on the selected category. When applicable, enter the additional field or filter information to help identify the Search By category.
Enter Controller IP Address | This field only appears if you select IP Address from the Search for controller by field.
Enter Controller Name | This field only appears if you select Controller Name from the Search for controller by field.
Audit Status | Choose one of the following from the drop-down list:
– All Status
– Mismatch—Configuration differences were found between Prime Infrastructure and controller during the last audit.
– Identical—No configuration differences were found during the last audit.
– Not Available—Audit status is unavailable.
Viewing a List of Controllers
Choose Monitor > Controllers or perform a controller search to access the controller list page.
Note: For more information on performing an advanced search, see the Search Methods section in the Cisco Prime Infrastructure 2.0 User Guide.
The data area of this page contains a table with the following columns.
Table 5-2 Controller List Details
Fields | Description
IP Address | Local network IP address of the controller management interface. Click an IP address in the list to display the controller details.
Controller Name | Name of the controller.
Location | The geographical location (such as a campus or building).
Mobility Group Name | Name of the controller mobility or WPS group.
Reachability Status | Reachable or Unreachable. Click the title to toggle from ascending to descending order.
Click the title to toggle from ascending to descending order. To add, remove, or reorder columns in the
table, click the Edit View link to go to the Edit View page.
Configuring the Controller List Display
The Edit View page allows you to add, remove, or reorder columns in the Controllers table.
To edit the available columns in the Controllers table, follow these steps:
Step 1: Choose Monitor > Controllers.
Step 2: Click the Edit View link.
Step 3: To add an additional column to the controllers table, click to highlight the column heading in the left list. Click Show to move the heading to the right list. All items in the right list are displayed in the Controllers table.
Step 4: To remove a column from the Controllers table, click to highlight the list heading in the right list. Click Hide to move the heading to the left list. All items in the left list are not displayed in the Controllers table.
Step 5: Use the buttons to specify the order in which the information appears in the table. Highlight the desired list heading and click Up or Down to move it higher or lower in the current list.
Step 6: Click Reset to restore the default view.
Step 7: Click Submit to confirm the changes.
Monitoring System Parameters
This section provides the detailed information regarding monitoring controller system parameters and
contains the following topics:
• Monitoring System Summary
• Monitoring Spanning Tree Protocol
• Monitoring CLI Sessions
• Monitoring DHCP Statistics
• Monitoring WLANs
Monitoring System Summary
This page displays a summary of the controller parameters with a graphic displaying the status of the
controller. The graphic of the front of the controller shows front-panel ports (click a port to go to Monitor
Controllers > IPaddr > Ports > General for information about that port). You can find the links to alarms,
events and access points details related to the controller.
You can access this page in the following ways:
• Choose Monitor > Controllers and click the applicable IP address.
• Choose Monitor > Access Points, click a list item under AP Name, then click Registered Controller.
• Choose Configure > Access Points, choose a list item under AP Name, then click Registered Controller.
Click Controllers in the page title to view a list of all the controllers. See the “Viewing a List of
Controllers” section on page 5-2.
Table 5-3 lists the Monitoring System Summary page fields.
Table 5-3 Monitoring System Summary Page Fields
Field | Description
General
IP Address | Local network IP address of the controller management interface.
Name | User-defined name of the controller.
Device Type | Type of controller.
UP Time | Time in days, hours and minutes since the last reboot.
System Time | Time used by the controller.
Internal Temperature | The temperature of the controller.
Location | User-defined physical location of the controller.
Contact | Contact person or the owner of the controller.
Total Client Count | Total number of clients currently associated with the controller.
Current CAPWAP Transport Mode | Control and Provisioning of Wireless Access Points (CAPWAP) protocol transport mode. Communications between controllers and access points. Choose Layer 2 or Layer 3.
Power Supply One | If the power supply is available and operational. This is only for 4400 series controllers.
Power Supply Two | If the power supply is available and operational. This is only for 4400 series controllers.
Inventory
Software Version | The operating system release.version.dot.maintenance number of the code currently running on the controller.
Emergency Image Version | An image version of the controller.
Description | Description of the inventory item.
Model No | Specifies the machine model as defined by the Vital Product Data.
Serial No | Unique serial number for this controller.
Burned-in MAC Address | The burned-in MAC address for this controller.
Number of APs Supported | The maximum number of access points supported by the controller.
Gig Ethernet/Fiber Card | Displays the presence or absence of the optional 1000BASE-T/1000BASE-SX GigE card.
Crypto Card One | Displays the presence or absence of an enhanced security module which enables IPsec security and provides enhanced processing power. By default, the enhanced security module is not installed on a controller.
Note: Maximum number of crypto cards that can be installed on a Cisco Wireless LAN controller:
– Cisco 2000 Series—None
– Cisco 4100 Series—One
– Cisco 4400 Series—Two
Crypto Card Two | Displays the presence or absence of a second enhanced security module.
GIGE Port(s) Status | Up or Down. Click to review the status of the port.
Unique Device Identifier (UDI)
Name | Product type. Chassis for controller and Cisco AP for access points.
Description | Description of controller and might include number of access points.
Product ID | Orderable product identifier.
Version ID | Version of product identifier.
Serial No | Unique product serial number.
Utilization
CPU Utilization | Displays a graph of the maximum, average, and minimum CPU utilization over the specified amount of time.
Memory Utilization | Displays a graph of the maximum, average, and minimum memory utilization over the specified amount of time.
Monitoring Spanning Tree Protocol
The Spanning Tree Protocol (STP) is a link management protocol. Cisco WLAN Solution implements
the IEEE 802.1D standard for media access control bridges.
The spanning tree algorithm provides redundancy while preventing undesirable loops in a network that are
created by multiple active paths between stations. STP allows only one active path at a time between any
two network devices (this prevents the loops) but establishes the redundant links as a backup if the initial
link should fail.
You can access this page in the following ways:
• Choose Monitor > Controllers, select an IP address, and choose System > Spanning Tree Protocol from the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose System > Spanning Tree Protocol from the left sidebar menu.
Note: The controllers that do not support Spanning Tree Protocol are WISM, 2500, 5500, 7500 and SMWLC.
Table 5-4 lists the Spanning Tree Protocol page fields.
Table 5-4 Spanning Tree Protocol Page Fields
Field | Description
General
Spanning Tree Specification | An indication of what version of the Spanning Tree Protocol is being run. IEEE 802.1D implementations return 'IEEE 802.1D'. If future versions of the IEEE Spanning Tree Protocol are released that are incompatible with the current version, a new value is defined.
Spanning Tree Algorithm | Specifies if this controller participates in the Spanning Tree Protocol. Might be enabled or disabled by choosing the corresponding line in the drop-down list. The factory default is disabled.
Priority | The value of the writable portion of the Bridge ID, that is, the first two octets of the (8 octet long) Bridge ID. The other (last) 6 octets of the Bridge ID are given by the value of Bridge MAC Address. The value might be specified as a number between 0 and 65535. The factory default is 32768.
STP Statistics
Topology Change Count | The total number of topology changes detected by this bridge since the management entity was last reset or initialized.
Time Since Topology Changed | Time (in days, hours, minutes, and seconds) since a topology change was detected by the bridge.
Designated Root | The bridge identifier of the root of the spanning tree as determined by the Spanning Tree Protocol as executed by this node. This value is used as the Root Identifier parameter in all Configuration Bridge PDUs originated by this node.
Root Cost | The cost of the path to the root as seen from this bridge.
Root Port | The port number of the port which offers the lowest cost path from this bridge to the root bridge.
Maximum Age (seconds) | The value that all bridges use for MaxAge when this bridge is acting as the root. Note: 802.1D-1990 specifies that the range for this parameter is related to the value of Stp Bridge Hello Time. The granularity of this timer is specified by 802.1D-1990 to be 1 second. Valid values are 6 through 40 seconds. The factory default is 20.
Hello Time (seconds) | The value that all bridges use for HelloTime when this bridge is acting as the root. The granularity of this timer is specified by 802.1D-1990 to be 1 second. Valid values are 1 through 10 seconds. The factory default is 2.
Forward Delay (seconds) | The value that all bridges use for ForwardDelay when this bridge is acting as the root. Note that 802.1D-1990 specifies that the range for this parameter is related to the value of Stp Bridge Maximum Age. The granularity of this timer is specified by 802.1D-1990 to be 1 second. An agent might return a badValue error if a set is attempted to a value which is not a whole number of seconds. Valid values are 4 through 30 seconds. The factory default is 15.
Hold Time (seconds) | The minimum time period to elapse between the transmission of Configuration BPDUs through a given LAN Port: at most one Configuration BPDU shall be transmitted in any Hold Time period.
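The Priority, Designated Root, and timer fields in Table 5-4 can be checked programmatically. The following is an added example, not Cisco code: it builds the 8-octet Bridge ID from the priority and bridge MAC address, validates the timers against the ranges in the table and the IEEE 802.1D relationship 2 x (Forward Delay - 1) >= Max Age >= 2 x (Hello Time + 1), and reports a Designated Root that is not the bridge you planned as root. The function names and sample MAC addresses are assumptions made for illustration.

```python
"""Added example (not Cisco code): checks on the Table 5-4 Spanning Tree fields."""


def bridge_id(priority: int, mac: str) -> bytes:
    """Return the 8-octet Bridge ID: 2 octets of priority, then the 6-octet MAC."""
    if not 0 <= priority <= 65535:
        raise ValueError("priority must be between 0 and 65535")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("bridge MAC address must be 6 octets")
    return priority.to_bytes(2, "big") + octets


def describe(bid: bytes) -> str:
    """Render a Bridge ID as priority/MAC for reports."""
    return f"{int.from_bytes(bid[:2], 'big')}/" + ":".join(f"{b:02x}" for b in bid[2:])


def elect_root(bridge_ids):
    """The bridge with the numerically lowest Bridge ID becomes the root."""
    return min(bridge_ids)


def check_timers(max_age: int, hello_time: int, forward_delay: int) -> list:
    """Return a list of problems; an empty list means the timers are consistent."""
    problems = []
    if not 6 <= max_age <= 40:
        problems.append("Maximum Age must be 6 through 40 seconds")
    if not 1 <= hello_time <= 10:
        problems.append("Hello Time must be 1 through 10 seconds")
    if not 4 <= forward_delay <= 30:
        problems.append("Forward Delay must be 4 through 30 seconds")
    # IEEE 802.1D relationships between the three timers.
    if max_age < 2 * (hello_time + 1):
        problems.append("Maximum Age must be >= 2 x (Hello Time + 1)")
    if max_age > 2 * (forward_delay - 1):
        problems.append("Maximum Age must be <= 2 x (Forward Delay - 1)")
    return problems


def audit_root(designated_root: bytes, expected_root: bytes) -> list:
    """Compare the Designated Root shown on the page with the planned root bridge."""
    if designated_root == expected_root:
        return []
    findings = [f"Designated Root {describe(designated_root)} is not the expected "
                f"root {describe(expected_root)}"]
    if designated_root < expected_root:
        findings.append("it outranks the expected root because its Bridge ID is lower")
    else:
        findings.append("the expected root is absent or unreachable from this bridge")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the MAC addresses are made up for this example.
    core = bridge_id(4096, "00:1a:2b:00:00:01")
    controller = bridge_id(32768, "00:1a:2b:00:00:02")   # factory default priority
    print("root:", describe(elect_root([controller, core])))
    print("default timers:", check_timers(20, 2, 15) or "consistent")
    for line in audit_root(bridge_id(0, "02:00:00:00:00:99"), core):
        print("finding:", line)
```

A Designated Root that changes without a planned change, together with a rising Topology Change Count, is worth investigating before any timer is tuned.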
Monitoring CLI Sessions
The CLI Sessions page for a controller can be accessed in the following ways:
• Choose Monitor > Controllers, click the applicable IP address, then choose System > CLI Sessions from the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose System > CLI Sessions from the left sidebar menu.
Table 5-5 lists CLI Sessions page fields.
Table 5-5 CLI Sessions Page Fields
Field | Description
Session Index | Session identification.
Username | Login username.
Connection Type | Telnet or serial session.
Connection From | IP address of the client computer system.
Session Time | Elapsed active session time.
Idle Time | Elapsed inactive session time.
Monitoring DHCP Statistics
Prime Infrastructure provides DHCP server statistics for Version 5.0.6.0 controllers or later. These
statistics include information on the packets sent and received, DHCP server response information, and
the last request time stamp.
To access this page, choose Monitor > Controllers, click the applicable IP address, then choose System
> DHCP Statistics from the left sidebar menu.
Table 5-6 lists the DHCP Statistics page fields.
Table 5-6 DHCP Statistics Page Fields
Field | Description
Server IP | Identifies the IP address of the server.
Is Proxy | Identifies whether or not this server is proxy.
Discover Packets Sent | Identifies the total number of packets sent intended to locate available servers.
Request Packets Sent | Identifies the total number of packets sent from the client requesting parameters from the server or confirming the correctness of an address.
Decline Packets | Identifies the number of packets indicating that the network address is already in use.
Inform Packets | Identifies the number of client requests to the DHCP server for local configuration parameters because the client already has an externally configured network address.
Release Packets | Identifies the number of packets that release the network address and cancel the remaining lease.
Reply Packets | Identifies the number of reply packets.
Offer Packets | Identifies the number of packets that respond to the discover packets with an offer of configuration parameters.
Ack Packets | Identifies the number of packets that acknowledge successful transmission.
Nak Packets | Identifies the number of packets that indicate that the transmission occurred with errors.
Tx Failures | Identifies the number of transfer failures that occurred.
Last Response Received | Provides a timestamp of the last response received.
Last Request Sent | Provides a timestamp of the last request sent.
Monitoring WLANs
Choose Monitor > Controllers, click a controller IP address, and choose WLANs from the left sidebar
menu. This page enables you to view a summary of the wireless local access networks (WLANs) that
you have configured on this controller.
Table 5-7 lists the WLAN Details page fields.
Table 5-7 WLAN Page Fields
Field | Description
WLAN ID | Identification number of the WLAN.
Profile Name | User-defined profile name specified when initially creating the WLAN. Profile Name is the WLAN name.
SSID | User-defined SSID name.
Security Policies | Security policies enabled on the WLAN.
No of Mobility Anchors | Mobility anchors are a subset of a mobility group specified as the anchor controllers for a WLAN.
Admin Status | Status of the WLAN is either enabled or disabled.
No. of Clients | Number of clients currently associated with this WLAN.
Monitoring Ports
This section provides the detailed information regarding monitoring controller port parameters and
contains the following topics:
• Monitoring General Ports
• Monitoring CDP Interface Neighbors
Monitoring General Ports
The Ports > General page provides information regarding physical ports on the selected controller. Click
a port number to view details for that port. See the “Port Details” section on page 5-10 for more
information.
Table 5-8 lists the General page fields.
Table 5-8 General Page Fields
Field | Description
Port | Click the port number to view port details. See the “Port Details” section on page 5-10 for more information.
Physical Mode | Displays the physical mode of all ports. The choices include the following:
– 100 Mbps Full Duplex
– 100 Mbps Half Duplex
– 10 Mbps Full Duplex
– 10 Mbps Half Duplex
Admin Status | Displays the port state as either Enable or Disable.
STP State | Displays the STP state of the port as either Forwarding or Disabled.
Physical Status | Displays the actual port physical interface:
– Auto Negotiate
– Half Duplex 10 Mbps
– Full Duplex 10 Mbps
– Half Duplex 100 Mbps
– Full Duplex 100 Mbps
– Full Duplex 1 Gbps
Link Status | Red (down/failure), Yellow (alarm), Green (up/normal).
To access the Monitor > Ports > General page, do one of the following:
• Choose Configure > Controllers, click the applicable IP address. From the left sidebar menu, choose General under Ports.
• Choose Monitor > Controllers, click the applicable IP address, and click a port to access this page.
• Choose Monitor > Access Points and click a list item under AP Name, click Registered Controller, then click a port to access this page.
• Choose Monitor > Clients and click a list item under AP Name, then click Registered Controller, then click a port to access this page.
Port Details
Note: Click Alarms to open the Monitor Alarms page. See the “Monitoring Alarms” section on page 5-128 for more information.
Click Events to open the Monitor Events page. See the “Monitoring Events” section on page 5-143 for
more information.
Table 5-9 lists the Port Detail page fields.
Table 5-9 Port Details Page Fields
Field | Description
Interface
Operational Status | Displays the operational status of the controller: The options are UP or DOWN.
Unknown Protocol Packets | The number of packets of unknown type which were received from this server on this port.
Traffic (Received and Transmitted)
Total Bytes | The total number of packets received.
Packets | The total number of packets (including bad packets) received that were within the indicated octet range in length (excluding framing bits but including FCS octets). Ranges include the following:
– 64 Octets
– 65-127 Octets
– 128-255 Octets
– 256-511 Octets
– 512-1023 Octets
– 1024-1518 Octets
Packets (Received and Transmitted)
Total | Total number of packets received/transmitted.
Unicast Packets | The number of subnetwork-unicast packets delivered/sent to a higher-layer protocol.
Broadcast Packets | The total number of packets received/sent that were directed to the broadcast address.
Packets Discarded | Packets Discarded (Received/Transmitted): The number of inbound/outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. A possible reason for discarding a packet could be to free up buffer space.
Errors in Packets | The total number of packets received with errors.
Received packets with MAC errors
Jabbers | The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error). Note: This definition of jabber is different than the definition in IEEE-802.3 section 8.2.1.5 (10Base-5) and section 10.3.1.4 (10Base-2). These documents define jabber as the condition where any packet exceeds 20 ms. The allowed range to detect jabber is between 20 and 150 ms.
Fragments/Undersize | The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets).
Alignment Errors | The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with a non-integral number of octets.
FCS Errors | The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with an integral number of octets.
Transmit discards
Single Collision Frames | A count of the number of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly one collision.
Multiple Collision Frames | A count of the number of successfully transmitted frames on a particular interface for which transmission is inhibited by more than one collision.
Deferred Transmissions | A count of frames for which transmission on a particular interface fails due to deferred transmissions.
Late Collisions | A count of frames for which transmission on a particular interface fails due to late collisions.
Excessive Collisions | A count of frames for which transmission on a particular interface fails due to excessive collisions.
Ether Stats
CRC Align Errors | The number of incoming packets with the Checksum (FCS) alignment error. This represents a count of frames received on a particular interface that are not an integral number of octets in length and do not pass the FCS check. Received frames for which multiple error conditions obtain are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.
Undersize Packets | The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets).
Oversize Packets | The total number of frames that exceeded the maximum permitted frame size. This counter has a maximum increment rate of 815 counts per second at 10 Mbps.
Ether Stats Collisions | The number of packets with collision errors.
SQE Test Errors | Signal Quality Error Test errors (that is, Heartbeat) during transmission. This tests the important collision detection electronics of the transceiver, and lets the Ethernet interface in the computer know that the collision detection circuits and signal paths are working correctly. The errors indicate a count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface. The SQE TEST ERROR message is defined in section 7.2.2.2.4 of ANSI/IEEE 802.3-1985 and its generation is described in section 7.2.4.6 of the same document.
Internal MAC Receive Errors | A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error. A frame is only counted by an instance of this object if it is not counted by the corresponding instance of either the FrameTooLong property, the AlignmentErrors property, or the FCSErrors property. The precise meaning of the count represented by an instance of this object is implementation-specific. In particular, an instance of this object might represent a count of receive errors on a particular interface that are not otherwise counted.
Internal MAC Transmit Errors | A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error. A frame is only counted by an instance of this object if it is not counted by the corresponding instance of either the LateCollisions property, the ExcessiveCollisions property, or the CarrierSenseErrors property. The precise meaning of the count represented by an instance of this object is implementation-specific. In particular, an instance of this object might represent a count of transmission errors on a particular interface that are not otherwise counted.
Carrier Sense Errors | The Carrier Sense detects the presence of a carrier. The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame on a particular interface.
Too Long Frames | A count of frames received on a particular interface that exceed the maximum permitted frame size. The count represented by an instance of this object is incremented when the FrameTooLong status is returned by the MAC layer to the LLC (or other MAC user). Received frames for which multiple error conditions obtain are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.
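The receive-error definitions in Table 5-9 overlap in length and FCS conditions, so each frame has to be assigned to exactly one counter. The following added example, which is not Cisco code, applies those definitions to constructed frames, computing a real CRC-32 Frame Check Sequence; the function names, the extra_bits parameter, and the sample addresses are assumptions made for illustration.

```python
"""Added example (not Cisco code): one counter per received frame, per Table 5-9."""
import struct
import zlib
from collections import Counter

MIN_FRAME, MAX_FRAME = 64, 1518   # octets, excluding framing bits, including FCS


def with_fcs(frame_without_fcs: bytes) -> bytes:
    """Append the 4-octet FCS (CRC-32, least significant octet first)."""
    return frame_without_fcs + struct.pack("<I", zlib.crc32(frame_without_fcs))


def build_frame(payload_len: int) -> bytes:
    """Constructed frame: destination, source, EtherType, zero payload, FCS."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x00"
    return with_fcs(header + bytes(payload_len))


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over everything but the last 4 octets and compare."""
    return len(frame) >= 4 and with_fcs(frame[:-4]) == frame


def classify(frame: bytes, extra_bits: int = 0) -> str:
    """Return the single counter this frame increments.

    extra_bits (0-7) models a frame whose length is not a whole number of
    octets; the FCS is checked over the whole octets that were received.
    """
    size = len(frame)
    good = fcs_ok(frame)
    if size < MIN_FRAME:
        return "fragments_undersize"              # less than 64 octets
    if size > MAX_FRAME:
        # Longer than 1518 octets: Jabbers only when the FCS is also bad.
        return "oversize_packets" if good else "jabbers"
    if good:
        return "ok"
    # 64 through 1518 octets with a bad FCS.
    return "alignment_errors" if extra_bits else "fcs_errors"


def tally(frames) -> Counter:
    """Count a sequence of (frame, extra_bits) pairs by category."""
    return Counter(classify(frame, bits) for frame, bits in frames)


if __name__ == "__main__":
    good = build_frame(46)                        # exactly 64 octets
    corrupt = bytes([good[0] ^ 0x01]) + good[1:]  # one flipped bit breaks the FCS
    big = build_frame(1501)                       # 1519 octets
    sample = [(good, 0), (corrupt, 0), (corrupt, 3), (build_frame(45), 0),
              (big, 0), (big[:-1] + bytes([big[-1] ^ 0xFF]), 0)]
    for name, count in sorted(tally(sample).items()):
        print(f"{name}: {count}")
```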
Monitoring CDP Interface Neighbors
To access the Monitor CDP Interface Neighbors page, follow these steps:
Step 1: Choose Monitor > Controllers.
Step 2: Click the IP address of the applicable controller.
Step 3: From the left sidebar menu, choose CDP Interface Neighbors (under the Port heading).
Step 4: Table 5-10 lists the CDP Interface Neighbors page fields.
Table 5-10 CDP Interface Neighbors Page Fields
Field | Description
Local Interface | Local Port information.
Neighbor Name | The name of each CDP neighbor.
Neighbor Address | The IP address of each CDP neighbor.
Neighbor Port | The port used by each CDP neighbor for transmitting CDP packets.
Capability | The functional capability of each CDP neighbor.
Platform | The hardware platform of each CDP neighbor device.
Duplex | Indicates Full Duplex or Half Duplex.
Software Version | The software running on the CDP neighbor.
Monitoring Controller Security
This section provides the detailed information regarding monitoring controller security and contains the
following topics:
• Monitoring RADIUS Authentication
• Monitoring RADIUS Accounting
• Monitoring Management Frame Protection
• Monitoring Rogue AP Rules
• Monitoring Guest Users
Monitoring RADIUS Authentication
The RADIUS Authentication page displays RADIUS authentication server information and enables you
to add or delete a RADIUS authentication server.
To access this page, do one of the following:
• Choose Monitor > Controllers, click the applicable IP address, then choose Security > Radius Authentication from the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose Security > Radius Authentication from the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose Security > Radius Authentication from the left sidebar menu.
Table 5-11 lists the RADIUS Authentication page fields.
Table 5-11 RADIUS Authentication Page Fields
Field | Description
RADIUS Authentication Servers
Server Index | Access priority number for RADIUS servers. Up to four servers can be configured, and controller polling of the servers starts with Index 1, Index 2 second, and so forth. The index number is based on when the RADIUS server is added to the controller.
IP Address | The IP address of the RADIUS server.
Ping | Click the icon to ping the RADIUS server from the controller to verify the link.
Port | Controller port number for the interface protocols.
Admin Status | Indicates whether the server is enabled or disabled.
Authentication Server Statistics
Msg Round Trip Time | The time interval (in milliseconds) between the most recent Access-Reply/Access-Challenge and the Access-Request that matched it from this RADIUS authentication server.
First Requests | The number of RADIUS Access-Request packets sent to this server. This does not include retransmissions.
Retry Requests | The number of RADIUS Authentication-Request packets retransmitted to this RADIUS authentication server.
Accept Responses | The number of RADIUS Access-Accept packets (valid or invalid) received from this server.
Reject Responses | The number of RADIUS Access-Reject packets (valid or invalid) received from this server.
Challenge Responses | The number of RADIUS Access-Challenge packets (valid or invalid) received from this server.
Malformed Msgs | The number of malformed RADIUS Access-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators or Signature attributes or unknown types are not included as malformed access responses.
Pending Requests | The number of RADIUS Access-Request packets destined for this server that have not yet timed out or received a response. This variable is incremented when an Access-Request is sent and decremented due to receipt of an Access-Accept, Access-Reject or Access-Challenge, a timeout, or retransmission.
Bad Authentication Msgs | The number of RADIUS Access-Response packets containing invalid authenticators or Signature attributes received from this server.
Timeouts Requests | The number of authentication timeouts to this server. After a timeout the client might retry to the same server, send to a different server, or give up. A retry to the same server is counted as a retransmit as well as a timeout. A send to a different server is counted as a Request as well as a timeout.
Unknown Type Msgs | The number of RADIUS packets of unknown type which were received from this server on the authentication port.
Other Drops | The number of RADIUS packets received from this server on the authentication port and dropped for some other reason.
Monitoring RADIUS Accounting
You can access this page in any of the following ways:
• Choose Monitor > Controllers and click the applicable IP address, then choose Security > Radius Accounting from the left sidebar menu.
• Choose Monitor > Clients and click a list item under AP Name, click Registered Controller, then choose Security > Radius Accounting from the left sidebar menu.
• Choose Monitor > Maps, click an item in the Name column, click an access point icon, click Controller, then choose Security > Radius Accounting from the left sidebar menu.
• Choose Configure > Access Points and select a list item under AP Name, click Registered Controller, then choose Security > Radius Accounting from the left sidebar menu.
Table 5-12 lists the RADIUS Accounting page fields.
Table 5-12 RADIUS Accounting Page Fields
Field: Description
RADIUS Accounting Server
Server Index: Access priority number for RADIUS servers. Up to four servers can be configured, and controller polling of the servers starts with Index 1, Index 2 second, and so forth. Index number is based on when the RADIUS server is added to the controller.
IP Address: The IP address of the RADIUS server.
Ping: Click the icon to ping the RADIUS Server from the controller to verify the link.
Port: The port of the RADIUS server.
Admin Status: Indicates whether the server is enabled or disabled.
Accounting Statistics
Msg Round Trip Time: The time interval (in milliseconds) between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
First Requests: The number of RADIUS Accounting-Request packets sent. This does not include retransmissions.
Retry Requests: The number of RADIUS Accounting-Request packets retransmitted to this RADIUS accounting server. Retransmissions include retries where the Identifier and Acct-Delay have been updated, as well as those in which they remain the same.
Accounting Responses: The number of RADIUS packets received on the accounting port from this server.
Malformed Msgs: The number of malformed RADIUS Accounting-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators and unknown types are not included as malformed accounting responses.
Bad Authentication Msgs: The number of RADIUS Accounting-Response packets which contained invalid authenticators received from this server.
Pending Requests: The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response. This variable is incremented when an Accounting-Request is sent and decremented due to receipt of an Accounting-Response, a timeout or a retransmission.
Timeouts Requests: The number of accounting timeouts to this server. After a timeout the client might retry to the same server, send to a different server, or give up. A retry to the same server is counted as a retransmit as well as a timeout. A send to a different server is counted as an Accounting-Request as well as a timeout.
Unknown Type Msgs: The number of RADIUS packets of unknown type which were received from this server on the accounting port.
Other Drops: The number of RADIUS packets which were received from this server on the accounting port and dropped for some other reason.
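The following is an added example, not part of the Cisco guide: one way to turn two successive polls of the RADIUS authentication or accounting counters described above into triage findings. The dictionary layout, the finding labels, the thresholds and the sample polls are assumptions constructed for illustration.

```python
"""Triage of RADIUS server counters between two polls (added example)."""

# Counter names mirror the page fields; this dict layout is an assumption.
# "responses" is Accounting Responses for an accounting server, or the sum of
# Accept, Reject and Challenge Responses for an authentication server.
MONOTONIC = ("first_requests", "retry_requests", "responses", "malformed",
             "bad_auth", "timeouts", "unknown_type", "other_drops")

# Assumed alert thresholds, not values from the guide.
MAX_RETRY_RATIO = 0.10    # Retry Requests per First Request
MAX_TIMEOUT_RATIO = 0.05  # Timeouts Requests per First Request


def deltas(prev, curr):
    """Increase of each counter between polls, or None after a reset."""
    out = {}
    for name in MONOTONIC:
        diff = curr[name] - prev[name]
        if diff < 0:  # a counter ran backwards: statistics were cleared
            return None
        out[name] = diff
    return out


def triage(prev, curr):
    """Return a sorted list of finding labels for one server."""
    d = deltas(prev, curr)
    if d is None:
        return ["counter-reset"]
    findings = set()
    if d["bad_auth"]:
        # The authenticator check failed: a shared-secret mismatch, or a
        # response that the configured server did not produce.
        findings.add("bad-authenticator")
    if d["malformed"] or d["unknown_type"]:
        findings.add("protocol-anomaly")
    sent = d["first_requests"]
    if sent:
        if d["retry_requests"] / sent > MAX_RETRY_RATIO:
            findings.add("high-retransmit")
        if d["timeouts"] / sent > MAX_TIMEOUT_RATIO:
            findings.add("high-timeout")
        # Pending Requests is a gauge, so it is read from the current poll.
        if d["responses"] == 0 and curr["pending"] > 0:
            findings.add("server-silent")
    return sorted(findings)


def poll(first, retry, resp, malformed, bad_auth, timeouts, pending):
    """Build one constructed sample poll."""
    return dict(first_requests=first, retry_requests=retry, responses=resp,
                malformed=malformed, bad_auth=bad_auth, timeouts=timeouts,
                unknown_type=0, other_drops=0, pending=pending)


# Constructed sample polls of one server, taken at successive intervals.
BASELINE = poll(1000, 20, 990, 0, 0, 12, 1)
HEALTHY = poll(1200, 25, 1188, 0, 0, 14, 2)
BAD_SECRET = poll(1400, 85, 1388, 0, 200, 74, 3)
SILENT = poll(1450, 135, 1388, 0, 200, 124, 5)

if __name__ == "__main__":
    steps = (("healthy", BASELINE, HEALTHY),
             ("bad secret", HEALTHY, BAD_SECRET),
             ("silent server", BAD_SECRET, SILENT),
             ("after reset", SILENT, BASELINE))
    for label, prev, curr in steps:
        print(label, triage(prev, curr))
```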
Monitoring Management Frame Protection
This page displays the Management Frame Protection (MFP) summary information. MFP provides the
authentication of 802.11 management frames. Management frames can be protected to detect adversaries
who are invoking denial of service attacks, flooding the network with probes, interjecting as rogue access
points, and affecting the network performance by attacking the QoS and radio measurement frames.
If one or more of the WLANs for the controller has MFP enabled, the controller sends each registered
access point a unique key for each BSSID the access point uses for those WLANs. Management frames
sent by the access point over the MFP-enabled WLANs are signed with a Frame Protection Information
Element (IE). Any attempt to alter the frame invalidates the message, causing a receiving access point
that is configured to detect MFP frames to report the discrepancy to the WLAN controller.
Access this page in one of the following ways:
• Choose Monitor > Controllers. From the Controllers > Search Results page, click the applicable IP address, then choose Security > Management Frame Protection from the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose Security > Management Frame Protection from the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose Security > Management Frame Protection from the left sidebar menu.
Table 5-13 lists the MFP page fields.
Table 5-13 MFP Page Fields
Field: Description
General
Management Frame Protection: Indicates if the infrastructure MFP is enabled globally for the controller.
Controller Time Source Valid: The Controller Time Source Valid field indicates whether the controller time is set locally (by manually entering the time) or through an external source (such as NTP server). If the time is set by an external source, the value of this field is “True.” If the time is set locally, the value is “False.” The time source is used for validating the timestamp on management frames between access points of different controllers within a mobility group.
WLAN Details
WLAN ID: The WLAN ID, 1 through 17.
WLAN Name: User-defined profile name when initially creating the WLAN. Both the SSID name and profile name are user-defined. The WLAN name is the same as the profile name.
MFP Protection: Management Frame Protection is either enabled or disabled.
Status: Status of the WLAN is either enabled or disabled.
AP Details
AP Name: Operator-defined name of access point.
MFP Validation: Management Frame Protection is enabled or disabled.
Radio: 802.11a or 802.11b/g.
Operation Status: Displays the operational status: either UP or DOWN.
Protection: Full (All Frames).
Validation: Full (All Frames).
Monitoring Rogue AP Rules
Rogue AP rules automatically classify rogue access points based on criteria such as authentication type,
matching configured SSIDs, client count, and RSSI values. Prime Infrastructure applies the rogue access
point classification rules to the controllers and respective access points.
These rules can limit a rogue's appearance on maps based on RSSI level (weaker rogue access points are
ignored) and time limit (a rogue access point is not flagged unless it is seen for the indicated period of
time).
Rogue AP Rules also help reduce false alarms.
Note: Rogue classes include the following types:
Malicious Rogue—A detected access point that matches the user-defined malicious rules or has been manually moved from the Friendly AP category.
Friendly Rogue—Known, acknowledged, or trusted access point or a detected access point that matches user-defined friendly rules.
Unclassified Rogue—A detected access point that does not match the malicious or friendly rules.
Choose Monitor > Controllers. From the Controllers > Search Results page, click the applicable IP
address, then choose Security > Rogue AP Rules from the left sidebar menu.
The Rogue AP Rules page provides a list of all rogue access point rules currently applied to this
controller.
The following information is displayed for rogue access point rules:
• Rogue AP Rule name—Click the link to view Rogue AP Rule details.
• Rule Type—Malicious or Friendly.
– Malicious Rogue—A detected access point that matches the user-defined Malicious rules or has been manually moved from the Friendly AP category.
– Friendly Rogue—Known, acknowledged, or trusted access point or a detected access point that matches user-defined Friendly rules.
• Priority—Indicates the priority level for this rogue AP rule.
Note: See the “Configuring a Rogue AP Rules Template” section on page 11-626 for more information on Rogue AP Rules.
Rogue AP Rules
Table 5-14 lists the Rogue AP Rules page fields.
Table 5-14 Rogue AP Rule Page Fields
Field: Description
Rule Name: Name of the rule.
Rule Type: Malicious or Friendly
– Malicious Rogue—A detected access point that matches the user-defined Malicious rules or has been manually moved from the Friendly AP category.
– Friendly Rogue—Known, acknowledged, or trusted access point or a detected access point that matches user-defined Friendly rules.
Match Type: Match any or match all conditions.
Enabled Rule Conditions: Indicates all enabled rule conditions including:
– Open Authentication
– Match Managed AP SSID
– Match User Configured SSID
– Minimum RSSI
– Time Duration
– Minimum Number Rogue Clients
Note: See the “Configuring a Rogue AP Rules Template” section on page 11-626 for more information on Rogue AP Rules.
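The following is an added example, not Cisco's implementation: a sketch of how rules with a type, priority, match type and enabled conditions classify a detected access point as Malicious, Friendly or Unclassified. The class and key names, the priority ordering (1 evaluated first, first matching rule wins), the comparison directions and all sample values are assumptions made for illustration.

```python
"""Rogue AP rule evaluation (added example, not Cisco's implementation)."""
from dataclasses import dataclass


@dataclass
class RogueAP:
    ssid: str
    open_auth: bool      # rogue advertises open authentication
    rssi_dbm: int        # RSSI at which the rogue was heard
    seen_secs: int       # how long the rogue has been detected
    client_count: int    # clients associated with the rogue


@dataclass
class Rule:
    name: str
    rule_type: str       # "Malicious" or "Friendly"
    priority: int        # assumption: 1 is evaluated first
    match_all: bool      # Match Type: True = match all, False = match any
    conditions: dict     # only the enabled conditions are present


def condition_results(rule, ap, managed_ssids):
    """Evaluate each enabled condition of a rule against one rogue AP."""
    c = rule.conditions
    checks = []
    if c.get("open_auth"):
        checks.append(ap.open_auth)
    if c.get("managed_ssid"):            # Match Managed AP SSID
        checks.append(ap.ssid in managed_ssids)
    if "user_ssids" in c:                # Match User Configured SSID
        checks.append(ap.ssid in c["user_ssids"])
    if "min_rssi" in c:                  # weaker rogues are ignored
        checks.append(ap.rssi_dbm >= c["min_rssi"])
    if "duration" in c:                  # must be seen for this long
        checks.append(ap.seen_secs >= c["duration"])
    if "min_clients" in c:
        checks.append(ap.client_count >= c["min_clients"])
    return checks


def classify(ap, rules, managed_ssids):
    """Return (rogue class, matching rule name) for one rogue AP."""
    for rule in sorted(rules, key=lambda r: r.priority):
        checks = condition_results(rule, ap, managed_ssids)
        if not checks:
            continue  # all([]) is True; a rule with no conditions must not match
        if all(checks) if rule.match_all else any(checks):
            return rule.rule_type, rule.name
    return "Unclassified", None


# Constructed sample configuration.
MANAGED_SSIDS = {"corp-wifi"}
RULES = [
    Rule("open-with-clients", "Malicious", 3, True,
         {"open_auth": True, "min_clients": 1}),
    Rule("spoofed-corp-ssid", "Malicious", 1, True,
         {"managed_ssid": True, "min_rssi": -70, "duration": 300}),
    Rule("lab-aps", "Friendly", 2, False, {"user_ssids": {"lab-test"}}),
]

if __name__ == "__main__":
    samples = [
        RogueAP("corp-wifi", False, -55, 900, 3),
        RogueAP("corp-wifi", False, -85, 900, 0),
        RogueAP("lab-test", True, -60, 30, 2),
        RogueAP("FreeWiFi", True, -60, 100, 1),
    ]
    for ap in samples:
        print(ap.ssid, ap.rssi_dbm, classify(ap, RULES, MANAGED_SSIDS))
```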
Monitoring Guest Users
Choose Monitor > Controllers. From the Controllers > Search Results page, click the applicable IP
Address, then choose Security > Guest Users from the left sidebar menu.
Prime Infrastructure allows you to monitor guest users from the Guest Users page as well as from the
Prime Infrastructure home page.
The Guest Users page provides a summary of the guest access deployment and network use.
The following information is displayed for guest users currently associated on the network. Table 5-15
lists the Guest Users page fields.
Table 5-15 Guest Users Page Fields
Field: Description
Guest User Name: Indicates the guest user login name.
Profile: Indicates the profile to which the guest user is connected.
Lifetime: Indicates the length of time that the guest user account is active. Length of time appears in days, hours, and minutes or as Never Expires.
Start Time: Indicates when the guest user account was activated.
Remaining Lifetime: Indicates the remaining time for the guest user account.
Role: Indicates the designated user role.
First Logged in at: Indicates the date and time of the user's first login.
Number of logins: Indicates the total number of logins for this guest user.
Description: User-defined description of the guest user account for identification purposes.
Monitoring Controller Mobility
Monitoring Mobility Stats
The Mobility Stats page displays the statistics for mobility group events.
Access this page in one of the following ways:
• Choose Monitor > Controllers and click the applicable IP address, then choose Mobility > Mobility Stats from the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose Mobility > Mobility Stats from the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose Mobility > Mobility Stats from the left sidebar menu.
Table 5-16 lists the Mobility Stats page fields.
Table 5-16 Mobility Stats Page Fields
Field: Description
Global Mobility Statistics
Rx Errors: Generic protocol packet receive errors, such as packet too short or format incorrect.
Tx Errors: Generic protocol packet transmit errors, such as packet transmission fail.
Responses Retransmitted: The Mobility protocol uses UDP and it resends requests several times if it does not receive a response. Because of network or processing delays, the responder might receive one or more retry requests after it initially responds to a request. This is a count of the response resends.
Handoff Requests Received: Total number of handoff requests received, ignored or responded to.
Handoff End Requests: Total number of handoff end requests received. These are sent by the Anchor or the Foreign to notify the other about the close of a client session.
State Transitions Disallowed: PEM (policy enforcement module) has denied a client state transition, usually resulting in the handoff being aborted.
Resource Unavailable: A necessary resource, such as a buffer, was unavailable, resulting in the handoff being aborted.
Mobility Responder Statistics
Handoff Requests Ignored: Number of handoff requests/client announces that were ignored. The controller simply had no knowledge of that client.
Ping Pong Handoff Requests Dropped: Number of handoff requests that were denied because the handoff period was too short (3 sec).
Handoff Requests Dropped: Number of handoff requests that were dropped due to either an incomplete knowledge of the client or a problem with the packet.
Handoff Requests Denied: Number of handoff requests that were actively denied.
Client Handoff as Local: Number of handoff responses sent while in the local role.
Client Handoff as Foreign: Number of handoff responses sent while in the foreign role.
Anchor Requests Received: Number of anchor requests received.
Anchor Requests Denied: Number of anchor requests denied.
Anchor Requests Granted: Number of anchor requests granted.
Anchor Transferred: Number of anchors transferred because the client has moved from a foreign controller to a controller on the same subnet as the current anchor.
Mobility Initiator Statistics
Handoff Requests Sent: Number of clients that have associated with controller and have been announced to the mobility group.
Handoff Replies Received: Number of handoff replies that have been received in response to the requests sent.
Handoff as Local Received: Number of handoffs in which the entire client session has been transferred.
Handoff as Foreign Received: Number of handoffs in which the client session was anchored elsewhere.
Handoff Denies Received: Number of handoffs that were denied.
Anchor Request Sent: Number of anchor requests that were sent for a three party (foreign to foreign) handoff. Handoff was received from another foreign and the new controller is requesting the anchor to move the client.
Anchor Deny Received: Number of anchor requests that were denied by the current anchor.
Anchor Grant Received: Number of anchor requests that were approved by the current anchor.
Anchor Transfer Received: Number of anchor transfers that were received by the current anchor.
Monitoring Controller 802.11a/n
This section provides detailed information regarding monitoring 802.11a/n parameters and contains the
following topics:
• Monitoring 802.11a/n Parameters
• Monitoring 802.11a/n RRM Groups
Monitoring 802.11a/n Parameters
Access the 802.11a/n Parameters page in one of the following ways:
• Choose Monitor > Controllers and click the applicable IP address, then choose Parameters from the 802.11a/n section of the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose Parameters from the 802.11a/n section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose Parameters from the 802.11a/n section of the left sidebar menu.
Table 5-17 lists the 802.11a/n Parameters page fields.
Table 5-17 802.11 a/n Parameters Page Fields
Field: Description
MAC Operation Parameters
RTS Threshold: Indicates the number of octets in an MPDU, below which an RTS/CTS handshake is not performed.
Note: An RTS/CTS handshake is performed at the beginning of any frame exchange sequence where the MPDU is a data or management type, the MPDU has an individual address in the Address1 field, and the length of the MPDU is greater than this threshold. Setting this attribute higher than the maximum MSDU size turns off the RTS/CTS handshake for data or management type frames transmitted by this STA. Setting this attribute to zero turns on the RTS/CTS handshake for all transmitted data or management type frames.
Short Retry Limit: The maximum number of transmission attempts of a frame (less than or equal to dot11RTSThreshold) made before a failure condition is indicated. The default value is 7.
Long Retry Limit: The maximum number of transmission attempts of a frame (greater than dot11RTSThreshold) made before a failure condition is indicated. The default value is 4.
Max Tx MSDU Lifetime: The elapsed time in TU, after the initial transmission of an MSDU, after which further attempts to transmit the MSDU are terminated. The default value is 512.
Max Rx Lifetime: The elapsed time in TU, after the initial reception of a fragmented MMPDU or MSDU, after which further attempts to reassemble the MMPDU or MSDU are terminated. The default value is 512.
Physical Channel Fields
TI Threshold: The threshold being used to detect a busy medium (frequency). CCA shall report a busy medium upon detecting the RSSI above this threshold.
Channel Agility Enabled: Physical channel agility functionality is or is not implemented.
Station Configuration Fields
Medium Occupancy Limit: Indicates the maximum amount of time, in TU, that a point coordinator might control the usage of the wireless medium without relinquishing control for long enough to allow at least one instance of DCF access to the medium. The default value is 100, and the maximum value is 1000.
CFP Period: The number of DTIM intervals between the start of CFPs. It is modified by MLME-START.request primitive.
CFP Max Duration: The maximum duration of the CFP in TU that might be generated by the PCF. It is modified by MLME-START.request primitive.
CF Pollable: When this attribute is implemented, it indicates that the client is able to respond to a CF-Poll with a data frame within a SIFS time. This attribute is not implemented if the STA is not able to respond to a CF-Poll with a data frame within a SIFS time.
CF Poll Request: Specifies whether CFP is requested by the client.
DTIM Period: The number of beacon intervals that elapse between transmission of Beacon frames containing a TIM element whose DTIM Count field is 0. This value is transmitted in the DTIM Period field of Beacon frames.
Monitoring 802.11a/n RRM Groups
Access the RRM Grouping page in one of the following ways:
• Choose Monitor > Controllers and click the applicable IP address, then choose Grouping or WPS Grouping from the 802.11a/n section of the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose RRM Grouping or WPS Grouping from the 802.11a/n section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose RRM Grouping or WPS Grouping from the 802.11a/n section of the left sidebar menu.
Table 5-18 lists the 802.11a/n RRM Grouping page fields.
Table 5-18 802.11 a/n RRM Grouping Page Fields
Field: Description
802.11a Grouping Control
Grouping Mode: Dynamic grouping has two modes: on and off. When the grouping is off, no dynamic grouping occurs. Each controller optimizes only its own parameters of the access point. When grouping is on, the controller forms groups and elects leaders to perform better dynamic parameter optimization.
Grouping Role: There are five grouping roles:
– None—This grouping role appears when the RF Group Mode is configured as Off.
– Auto-Leader—This grouping role appears when the RF Group Mode is configured as Automatic and the controller is elected as a leader by the automatic grouping algorithm.
– Auto-Member—This grouping role appears when the RF Group Mode is configured as Automatic and the controller is selected as a member by the automatic grouping algorithm.
– Static-Leader—This grouping role appears when the RF Group Mode is configured as Leader.
– Static-member—This grouping role appears when the RF Group Mode is configured as automatic and the controller joins the leader as a result of the join request from the leader.
Group Leader IP Address: This is the IP address of the group leader.
Group Leader MAC Address: This is the MAC address of the group leader for the group containing this controller.
Is 802.11a Group Leader: Yes, if this controller is the group leader or No if the controller is not the group leader.
Last Update Time (secs): The elapsed time since the last group update in seconds. This is only valid if this controller is a group leader.
Group Update Interval (secs): When grouping is on, this interval (in seconds) represents the period with which the grouping algorithm is run by the Group Leader. The grouping algorithm also runs when the group contents change and automatic grouping is enabled. A dynamic grouping can be started upon request from the system administrator. Default value is 3600 seconds.
Group Members
Group Member Name: Name of group member(s).
Group Member IP Address: IP address of group member(s).
Member Join Reason: Current state of the member(s).
Monitoring Controllers 802.11b/g/n
This section provides detailed information regarding monitoring 802.11b/g/n parameters and
contains the following topics:
• Monitoring 802.11b/g/n Parameters
• Monitoring 802.11b/g/n RRM Groups
Monitoring 802.11b/g/n Parameters
Access the 802.11b/g/n Parameters page in one of the following ways:
• Choose Monitor > Controllers and click the applicable IP Address, then choose Parameters from the 802.11b/g/n section of the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose Parameters from the 802.11b/g/n section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose Parameters from the 802.11b/g/n section of the left sidebar menu.
Table 5-19 lists the 802.11b/g Parameters page fields.
Table 5-19 802.11 b/g/n Parameters Page Fields
Field: Description
MAC Operation Parameters
RTS Threshold: Indicates the number of octets in an MPDU, below which an RTS/CTS handshake is not performed.
Note: An RTS/CTS handshake is performed at the beginning of any frame exchange sequence where the MPDU is a data or management type, the MPDU has an individual address in the Address1 field, and the length of the MPDU is greater than this threshold. Setting this attribute higher than the maximum MSDU size turns off the RTS/CTS handshake for data or management type frames transmitted by this STA. Setting this attribute to zero turns on the RTS/CTS handshake for all transmitted data or management type frames.
Short Retry Limit: The maximum number of transmission attempts of a frame (less than or equal to dot11RTSThreshold) made before a failure condition is indicated. The default value is 7.
Long Retry Limit: The maximum number of transmission attempts of a frame (greater than dot11RTSThreshold) made before a failure condition is indicated. The default value is 4.
Max Tx MSDU Lifetime: The elapsed time in TU, after the initial transmission of an MSDU, after which further attempts to transmit the MSDU are terminated. The default value is 512.
Max Rx Lifetime: The elapsed time in TU, after the initial reception of a fragmented MMPDU or MSDU, after which further attempts to reassemble the MMPDU or MSDU are terminated. The default value is 512.
Physical Channel Fields
TI Threshold: The threshold being used to detect a busy medium (frequency). CCA shall report a busy medium upon detecting the RSSI above this threshold.
Channel Agility Enabled: Physical channel agility functionality is or is not implemented.
Station Configuration Fields
Medium Occupancy Limit: Indicates the maximum amount of time, in TU, that a point coordinator might control the usage of the wireless medium without relinquishing control for long enough to allow at least one instance of DCF access to the medium. The default value is 100, and the maximum value is 1000.
CFP Period: The number of DTIM intervals between the start of CFPs. It is modified by MLME-START.request primitive.
CFP Max Duration: The maximum duration of the CFP in TU that might be generated by the PCF. It is modified by MLME-START.request primitive.
CF Pollable: When this attribute is implemented, it indicates that the client is able to respond to a CF-Poll with a data frame within a SIFS time. This attribute is not implemented if the STA is not able to respond to a CF-Poll with a data frame within a SIFS time.
CF Poll Request: Specifies whether CFP is requested by the client.
DTIM Period: The number of beacon intervals that elapse between transmission of Beacon frames containing a TIM element whose DTIM Count field is 0. This value is transmitted in the DTIM Period field of Beacon frames.
Monitoring 802.11b/g/n RRM Groups
Access the 802.11b/g/n RRM Grouping page in one of the following ways:
• Choose Monitor > Controllers and click the applicable IP address, then choose RRM Grouping or WPS Grouping from the 802.11b/g/n section of the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose RRM Grouping or WPS Grouping from the 802.11b/g/n section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose RRM Grouping or WPS Grouping from the 802.11b/g/n section of the left sidebar menu.
Table 5-20 lists the 802.11b/g/n RRM grouping page fields.
Table 5-20 802.11 b/g/n RRM Grouping Page Fields
Field: Description
802.11 b/g/n Grouping Control
Grouping Mode: Dynamic grouping has two modes: on and off. When the grouping is off, no dynamic grouping occurs. Each controller optimizes only its own parameters of the access point. When grouping is on, the controller forms groups and elects leaders to perform better dynamic parameter optimization.
Grouping Role: There are five grouping roles:
– None—This grouping role appears when the RF Group Mode is configured as Off.
– Auto-Leader—This grouping role appears when the RF Group Mode is configured as Automatic and the controller is elected as a leader by the automatic grouping algorithm.
– Auto-Member—This grouping role appears when the RF Group Mode is configured as Automatic and the controller is selected as a member by the automatic grouping algorithm.
– Static-Leader—This grouping role appears when the RF Group Mode is configured as Leader.
– Static-member—This grouping role appears when the RF Group Mode is configured as automatic and the controller joins the leader as a result of the join request from the leader.
Group Leader IP Address: This is the IP address of the group leader.
Group Leader MAC Address: This is the MAC address of the group leader for the group containing this controller.
Is 802.11a Group Leader: Yes, if this controller is the group leader or No if the controller is not the group leader.
Last Update Time (secs): The elapsed time since the last group update in seconds. This is only valid if this controller is a group leader.
Group Update Interval (secs): When grouping is on, this interval (in seconds) represents the period with which the grouping algorithm is run by the Group Leader. The grouping algorithm also runs when the group contents change and automatic grouping is enabled. A dynamic grouping can be started upon request from the system administrator. Default value is 3600 seconds.
Group Members
Group Member Name: Name of group member(s).
Group Member IP Address: IP address of group member(s).
Member Join Reason: Current state of the member(s).
Monitoring Controllers IPv6
Monitoring Neighbor Bind Counter Statistics
Access the Neighbor Bind Counter Statistics page in one of the following ways:
• Choose Monitor > Controllers, select an IP Address, and choose IPv6 > Neighbor Bind Counters from the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose IPv6 > Neighbor Bind Counters from the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose IPv6 > Neighbor Bind Counters from the left sidebar menu.
Table 5-21 lists the Neighbor Bind Counter Stats page fields.
Table 5-21 Neighbor Bind Counter Stats Page Fields
Field: Description
Neighbor Bind Counters: Provides the statistics of the number of messages exchanged between the host or client and the router to generate and acquire IPv6 addresses, link, MTU, and so on.
Received Messages: The number of Advertisement, Solicitation and other messages received for NDP and DHCPv6.
Bridged Messages: The number of Advertisement, Solicitation and other messages bridged for NDP and DHCPv6.
Total Snooping Dropped Messages: The number of Advertisement, Solicitation and other messages bridged for NDP and DHCPv6 along with the reason for the drop.
Neighbor Discovery Suppress Drop Counter: The total number of neighbor discovery messages dropped.
Total Suppress Dropped Messages: The reason for the neighbor discovery messages drop.
Note: Hover your mouse cursor over the values in the Total Snooping/Suppress Drop Messages column to see why the corresponding messages were dropped.
Monitoring mDNS Service Provider Information
This page enables you to view the list of mDNS services and service provider information.
To access the mDNS Service Provider Information page, choose Monitor > Controllers, select an IP
Address, and choose mDNS > Service Provider Information from the left sidebar menu.
Table 5-22 lists the Service Provider Information page fields.
Table 5-22
Service Provider Information Page Fields
Field
Description
Service Name
Name of the mDNS Service.
MAC Address
MAC address of the service provider.
Service Provider Name
Name of the service provider. You can have a
maximum of 100 service providers associated
with the controller.
VLAN ID
VLAN ID of the service provider.
Type
Displays the interface on which the service is
available, for example, wired, wireless, or
wired-guest.
TTL (seconds)
Time to Live (TTL) value in seconds that
determines the validity of the service offered by
the service provider. The service provider is
removed from the controller when the TTL
expires.
Time Left (seconds)
Time left in seconds before the service provider is
removed from the controller.
Monitoring Switches
Choose Monitor > Switches to view the detailed information about the switches. This section provides
more detailed information regarding monitoring switches and includes the following topics:
• Searching Switches
• Viewing the Switches
• Monitoring Switch System Parameters
• Monitoring Switch Interfaces
• Monitoring Switch Clients
Searching Switches
Use the Prime Infrastructure search feature to find specific switches or to create and save custom
searches.
You can configure the following fields when performing an advanced search for switches (see
Table 5-23).
Table 5-23
Search Switches Fields
Field
Options
Search for Switches by
Choose All Switches, IP Address, or Switch Name. You can use wildcards
(*). For example, if you select IP Address and enter 172*, Prime
Infrastructure returns all switches whose IP address begins with 172.
Items per page
Select the number of switches to return per page.
Viewing the Switches
Choose Monitor > Switches to view a list of the switches. From this page you can view a summary of
the switches including the default information shown in Table 5-24.
Table 5-24
Viewing the Switches
Field
Description
IP Address
The IP address assigned to the switch. Click a list item to view access point
details.
Device Name
Name of the switch.
Device Type
Type of switch.
Reachability Status
Indicates OK if the switch is reachable or Unreachable if the switch is not
reachable.
Endpoint Count
Number of endpoints on the switch.
Configuring the Switch List Page
The Edit View page allows you to add, remove, or reorder columns in the Switches table.
To edit the available columns in the table, follow these steps:
Step 1
Choose Monitor > Switches.
Step 2
Click the Edit View link.
Step 3
To add an additional column to the table, click to highlight the column heading in the left column. Click
Show to move the heading to the right column. All items in the right column are displayed in the table.
Step 4
To remove a column from the table, click to highlight the column heading in the right column. Click
Hide to move the heading to the left column. Items in the left column are not displayed in the table.
Step 5
Use the Up/Down buttons to specify the order in which the information appears in the table. Highlight
the desired column heading and click Up or Down to move it higher or lower in the current list.
Step 6
Click Reset to restore the default view.
Step 7
Click Submit to confirm the changes.
Monitoring Switch System Parameters
Choose Monitor > Switches, then click an IP address in the IP Address column to view details about
the switch. This section provides the detailed information regarding each switch details page and
contains the following topics:
• Viewing Switch Summary Information
• Viewing Switch Memory Information
• Viewing Switch Environment Information
• Viewing Switch Module Information
• Viewing Switch VLAN Information
• Viewing Switch VTP Information
• Viewing Switch Physical Ports Information
• Viewing Switch Sensor Information
• Viewing Switch Spanning Tree Information
• Viewing Switch Stacks Information
• Viewing Switch NMSP and Location Information
Viewing Switch Summary Information
Choose Monitor > Switches, then click an IP address in the IP Address column to view details about
the switch. Table 5-25 describes the summary information that is displayed.
Table 5-25
Viewing Switches Summary Information
General
IP Address
IP address of the switch.
Device Name
Name of the switch.
Device Type
Switch type.
Up Time
Time since last reboot.
System Time
Time on the switch.
Reachability Status
Reachability status of the switch, which can be one of the following:
• Reachable
• Unreachable
Location
Location of the switch.
Contact
Contact name for the switch.
Cisco Identity Capable
Specifies if the switch is identity-capable.
Location Capable
Specifies if the switch is capable of storing the location information.
CPU Utilization
Displays a graph of the maximum, average, and minimum CPU utilization
over the specified amount of time.
Unique Device Identifier (UDI)
Name
Product type.
Description
Description of UDI.
Product ID
Orderable product identifier.
Version ID
Version of product identifier.
Serial Number
Unique product serial number.
Inventory
Software Version
Version of software currently running on the switch.
Model No.
Model number of the switch.
Port Summary
Number of Ports Up
Number of ports up on the switch.
Number of Ports Down
Number of ports down on the switch.
Memory Utilization
Displays a graph of the maximum, average, and minimum memory
utilization over the specified amount of time.
Related Topic
• Monitoring Switch Interfaces
Viewing Switch Memory Information
Choose Monitor > Switches, then click an IP address in the IP Address column to view details about
the switch. From the System menu, choose Memory. Table 5-26 describes the memory information that
is displayed.
Table 5-26
Viewing Switches Memory Information
Memory Pool
Type
Type of memory.
Name
Name assigned to the memory pool.
Used (MB)
Amount of memory (in MB) used.
Free (MB)
Amount of memory (in MB) available.
Viewing Switch Environment Information
Choose Monitor > Switches, then click an IP address in the IP Address column to view details about
the switch. From the System menu, choose Environment. Table 5-27 describes the environment
information that is displayed.
Table 5-27
Viewing Switches Environment Information
Power Supply
Model Name
Model name of the power supply.
Description
Description of the power supply.
Operational Status
Status of the associated power supply:
• Green—Power supply is operational.
• Red—Power supply is inoperable.
Manufacturer Name
Name of the power supply manufacturer.
Free
Free power supply slots.
Vendor Equipment Type
Description of vendor equipment type.
Fans
Name
Name of fan.
Description
Description of fan.
Operational Status
Status of the fan:
• Green—Fan is operational.
• Red—Fan is inoperable.
Vendor Equipment Type
Description of vendor equipment type.
Serial Number
Serial number of the fan.
Viewing Switch Module Information
Choose Monitor > Switches, then click an IP address in the IP Address column to view details about
the switch. From the System menu, choose Modules. Table 5-28 describes the module information that
is displayed.
Table 5-28
Viewing Switches Modules Information
Modules
Product Name
Name of the module.
Physical Location
Location where the module is contained.
Number of Ports
Number of ports supported by the module.
Operational State
Operational status of the module.
Equipment Type
Type of equipment.
Inline Power Capable
Specifies whether the module has inline power capability.
Viewing Switch VLAN Information
Choose Monitor > Switches, then click an IP address under the IP Address column to view details about
the switch. From the System menu, choose VLANs. Table 5-29 describes the VLAN information that is
displayed.
Table 5-29
Viewing Switches VLANs Information
VLANs
VLAN ID
ID of the VLAN.
VLAN Name
Name of the VLAN.
VLAN Type
Type of VLAN.
Viewing Switch VTP Information
Choose Monitor > Switches, then click an IP address in the IP Address column to view details about
the switch. From the System menu, choose VTP. Table 5-30 describes the VTP information that is
displayed.
Table 5-30
Viewing Switches VTP Information
VTP
VTP Domain Name
Name of the VTP domain.
VTP Version
Version of VTP in use.
VTP Mode
The VTP mode:
• Client
• Server
• Transparent—Does not generate or listen to VTP messages, but forwards messages.
• Off—Does not generate, listen to, or forward any VTP messages.
Pruning Enabled
Specifies whether VTP pruning is enabled.
Viewing Switch Physical Ports Information
Choose Monitor > Switches, then click an IP address in the IP Address column to view details about
the switch. From the System menu, choose Physical Ports. Table 5-31 describes the physical ports
information that is displayed.
Table 5-31
Viewing Switches Physical Ports Information
Physical Ports
Port Name
Name of the physical port.
Port Description
Description of the physical port.
Residing Module
Module on which the physical port resides.
Vendor Equipment Type
Description of vendor equipment type.
Viewing Switch Sensor Information
Choose Monitor > Switches, then click an IP address under the IP Address column to view details about
the switch. From the System menu, choose Sensors. Table 5-32 describes the sensor information that is
displayed.
Table 5-32
Viewing Switches Sensors Information
Sensors
Sensor Name
Name of the sensor.
Sensor Description
Description of the sensor.
Type
Type of sensor.
Vendor Sensor Type
Description of vendor sensor type.
Equipment Name
Name of equipment.
Precision
When in the range 1 to 9, Precision is the number of decimal places in the
fractional part of a Sensor Value fixed-point number. When in the range -8
to -1, Precision is the number of accurate digits in a Sensor Value
fixed-point number.
Status
Operational status of the sensor.
Viewing Switch Spanning Tree Information
Choose Monitor > Switches, then click an IP address in the IP Address column to view details about
the switch. From the System menu, choose Spanning Tree. Table 5-33 describes the spanning tree
information that is displayed.
Table 5-33
Viewing Switches Spanning Tree Information
Spanning Tree
STP Instance ID
ID of the STP. Click an STP Instance ID to see the spanning tree details as
described in the “Viewing Spanning Tree Details” section on page 5-40.
VLAN ID
ID of the VLAN.
Root Path Cost
Root cost of the path.
Designated Root
Forwarding port.
Bridge Priority
Priority of the bridge.
Root Bridge Priority
Priority number of the root bridge.
Max Age (sec)
STP timer value for maximum age (in seconds).
Hello Interval (sec)
STP timer value (in seconds).
Viewing Spanning Tree Details
Choose Monitor > Switches, then click an IP address in the IP Address column to view details about
the switch. From the System menu, choose Spanning Tree, then click an STP instance ID to see the
spanning tree details as described in Table 5-34.
Table 5-34
Viewing Spanning Tree Details
Spanning Tree
STP Port
Name of the STP port.
Port Role
Role of the port.
Port Priority
Priority number of the port.
Path Cost
Cost of the path.
Port State
State of the port.
Port Type
Type of port.
Viewing Switch Stacks Information
Choose Monitor > Switches, then click an IP address in the IP Address column to view details about
the switch. From the System menu, choose Stacks. Table 5-35 describes the stack information
that is displayed.
Table 5-35
Viewing Switches Stacks Information
Stacks
MAC Address
MAC address of the stack.
Role
Role of the stack:
• Master—Stack master
• Member—Active member of the stack
• Not Member—Non-active stack member
Switch Priority
Priority number of the switch.
State
Current state of the stack.
Software Version
Software image running on the switch.
Viewing Switch NMSP and Location Information
You can view the NMSP and Location information for a switch using the System left sidebar menu.
To view the NMSP and Location information for a switch, choose Monitor > Switches, then click an IP
address in the IP Address column. Choose System > NMSP and Location.
The NMSP and Location page appears.
You can view the NMSP Status in the NMSP Status group box and Location information in the Location
group box.
For more information on NMSP and Location, see the “Configuring Switch NMSP and Location” section.
Monitoring Switch Interfaces
Choose Monitor > Switches, then click an IP address in the IP Address column. From the System menu,
choose Interfaces, then select one of the following interfaces described in this section. This section
contains the following topics:
• Monitoring Switch Ethernet Interfaces
• Monitoring Switch IP Interfaces
• Monitoring Switch VLAN Interfaces
• Monitoring Switch EtherChannel Interfaces
Monitoring Switch Ethernet Interfaces
Choose Monitor > Switches, then click an IP address in the IP Address column. From the System menu,
choose Interfaces > Ethernet Interfaces. Table 5-36 describes the Ethernet interface information that
is displayed.
Table 5-36
Viewing Switch Ethernet Interfaces
Name
Name of the Ethernet interface. Click an Ethernet interface name to see
details as described in “Monitoring Switch Ethernet Interface Details”
section on page 5-41.
MAC Address
MAC address of the Ethernet interface.
Speed (Mbps)
Estimate of the current bandwidth of the Ethernet interface in bits per
second.
Operational Status
Current operational state of the Ethernet interface.
MTU
Size of the largest packet that can be sent/received on the interface.
Desired VLAN Mode
VLAN mode.
Access VLAN
VLAN on which the port is configured.
Monitoring Switch Ethernet Interface Details
Choose Monitor > Switches, then click an IP address in the IP Address column. From the System menu,
choose Interfaces > Ethernet Interfaces, then click an Ethernet interface name in the Name column.
Table 5-37 describes the Ethernet interface detail information that is displayed.
Table 5-37
Viewing Switch Ethernet Interface Details
Ethernet Interfaces
Name
Name of the Ethernet interface.
Admin Status
Administration status of the interface.
Duplex Mode
Duplex mode configured on the interface.
VLAN Switch Port
Operational VLAN Mode
Specifies the operational mode of the VLAN switch port, which can
be either an access port or a trunk port.
Desired VLAN Mode
VLAN mode, which can be trunk, access, dynamic, or desirable.
Access VLAN
VLAN on which the port is configured.
Operational Trunk Encapsulation
Trunk encapsulation, which can be 802.1Q or none.
VLAN Trunk
Native VLAN
Untagged VLAN on the trunk switch port.
Prune Eligible
Specifies whether VLANs on the trunk port can be pruned.
Allows VLANs
List of allowed VLANs on the trunk port.
Desired Trunking Encapsulation
Trunk encapsulation.
Trunking Encapsulation Negotiation
Specifies that the interface negotiate with the neighboring interface
to become an ISL (preferred) or 802.1Q trunk, depending on the
configuration and capabilities of the neighboring interface.
Monitoring Switch IP Interfaces
Choose Monitor > Switches, then click an IP address in the IP Address column. From the System menu,
choose Interfaces > IP Interfaces. Table 5-38 describes the IP interface information that is displayed.
Table 5-38
Viewing Switch IP Interfaces
Interface
Name of the interface.
IP Address
IP address of the interface.
Address Type
Type of address (IPv4 or IPv6).
Monitoring Switch VLAN Interfaces
Choose Monitor > Switches, then click an IP address in the IP Address column. From the System menu,
choose Interfaces > VLAN Interfaces. Table 5-39 describes the VLAN interface information that is
displayed.
Table 5-39
Viewing Switch VLAN Interfaces
Port Name
Name of the VLAN port.
VLAN ID
ID of the VLAN port.
Operational Status
Current operational state of the VLAN interface.
Admin Status
Current administrative state of the VLAN interface.
Port Type
Type of VLAN port.
Maximum Speed (Mbps)
Maximum supported speed for the VLAN interface.
MTU
Size of the largest packet that can be sent/received on the VLAN interface.
Monitoring Switch EtherChannel Interfaces
Choose Monitor > Switches, then click an IP address in the IP Address column. From the System menu,
choose Interfaces > EtherChannel Interfaces. Table 5-40 describes the EtherChannel interface
information that is displayed.
Table 5-40
Viewing Switch EtherChannel Interfaces
Name
Name of the EtherChannel interface.
Channel Group ID
Numeric identifier for the EtherChannel.
Control Method
Protocol for managing the EtherChannel, either LACP or PAgP.
Actor Admin Key
Channel Identifier.
Number of (LAG) Members
Number of ports configured.
Monitoring Switch Clients
Choose Monitor > Switches, then click an IP address in the IP Address column. From the System menu,
choose Clients. Table 5-41 describes the client information that is displayed.
Table 5-41
Viewing Current Associated Client
IP Address
IP address of the client.
MAC Address
MAC address of the client.
User Name
Username of the client.
Vendor Name
Vendor Name of the client.
Map Location
Location of the client.
VLAN
VLAN on which the client is configured.
Interface
Interface on which the client is configured.
Association Time
Timestamp of the client association.
Authorization Profile Name
Authorization Profile Name stored.
Monitoring Access Points
This section describes how to access the controller access points summary details. Use the main data area to
access the respective access point details.
Choose Monitor > Access Points to access this page. This section provides more detailed information
regarding monitoring access points and contains the following topics:
• Searching Access Points
• Viewing a List of Access Points
• Generating a Report for Access Points
• Monitoring Access Points Details
• Monitoring Access Point Radio Details
• Monitoring Mesh Access Points
• Retrieving the Unique Device Identifier on Controllers and Access Points
• Monitoring Coverage Holes
• Monitoring Rogue Access Points
• Monitoring Ad hoc Rogues
• Searching Rogue Clients Using Advanced Search
• Monitoring Rogue Access Point Location, Tagging, and Containment
Searching Access Points
Use the Prime Infrastructure Search feature to find specific access points or to create and save custom
searches. See the Search Methods section in the Cisco Prime Infrastructure 2.0 User Guide for additional
information.
Viewing a List of Access Points
Choose Monitor > Access Points or perform an access point search to access this page.
This page enables you to view a summary of access points including the default information listed in
Table 5-42.
Table 5-42
Access Point Search Results
Field
Description
AP Name Ethernet MAC
The name assigned to the access point. Click a list
item to view access point details. See the
“Monitoring Access Points Details” section on
page 5-58 for more information.
IP Address
Local IP address of the access point.
Radio
Protocol of the rogue access point is 802.11a,
802.11b or 802.11g. Click a list item to view
access point radio details. See the “Monitoring
Access Point Radio Details” section on page 5-71
for more information.
Map Location
Click a list item to go to the location indicated on
the list.
Controller
Click a list item to display a graphic and
information about the controller. See the
“Monitoring System Summary” section on
page 5-4 for more information.
Client Count
Displays the total number of clients currently
associated with the controller.
Admin Status
Displays the administration state of the access
point as either enabled or disabled.
AP Mode
Displays the operational mode of the access point.
Oper Status
Displays the operational status of the Cisco
WLAN Solution device, either Up or Down. If the
admin status is disabled, the operation status is
labeled as down and there are no alarms.
Alarm Status
Alarms are color coded as follows:
– Clear—No Alarm
– Red—Critical Alarm
– Orange—Major Alarm
– Yellow—Minor Alarm
Note
This status is the radio alarm status only
and does not include the admin status in
the operation status.
Configuring the Access Point List Display
To add, remove, or reorder columns in the table, click the Edit View link to go to the Edit View page.
Table 5-43 lists the optional access point parameters available for the search results.
Table 5-43
Edit View Search Results
Field
Description
AP Type
Indicates the type of access point (unified or
autonomous).
Antenna Azim. Angle
Indicates the horizontal angle of the antenna.
Antenna Diversity
Indicates if antenna diversity is enabled or
disabled. Antenna diversity refers to the access
point sampling the radio signal from two
integrated antenna ports to choose the preferred
antenna.
Antenna Elev. Angle
Indicates the elevation angle of the antenna.
Antenna Gain
The peak gain in dBi of the antenna for
directional antennas and the average gain in dBi
for omni-directional antennas connected to the
wireless network adapter. The gain is in multiples
of 0.5 dBm. An integer value 4 means 4 x 0.5 = 2
dBm of gain.
Antenna Mode
Indicates the antenna mode such as omni,
directional, or non-applicable.
Antenna Name
Indicates the antenna name or type.
Audit Status
Indicates one of the following audit statuses:
– Mismatch—Configuration differences
were found between Prime Infrastructure
and controller during the last audit.
– Identical—No configuration differences
were found during the last audit.
– Not Available—Audit status is
unavailable.
Base Radio MAC
Indicates the MAC address of the base radio.
Bridge Group Name
Indicates the name of the bridge group used to
group the access points, if applicable.
CDP Neighbors
Indicates all directly connected Cisco devices.
Channel Control
Indicates whether the channel control is automatic
or custom.
Channel Number
Indicates the channel on which the Cisco Radio is
broadcasting.
Channel Width
Indicates the channel bandwidth for this radio.
The Channel Width field is supported only for 11n
APs. Displays “N/A” for other APs.
Controller Port
Indicates the number of controller ports.
Google Earth Location
Indicates whether or not a Google Earth location
is assigned and indicates the location.
Location
Indicates the physical location of the access point.
Node Hops
Indicates the number of hops between access
points.
OfficeExtend AP
Specifies whether or not OfficeExtend access is
enabled. If it is disabled, the access point is
remotely deployed which increases the security
risk.
PoE Status
Indicates the power over Ethernet status of the
access point. The possible values include the
following:
– Low—The access point draws low power
from the Ethernet.
– Lower than 15.4 volts—The access point
draws lower than 15.4 volts from the
Ethernet.
– Lower than 16.8 volts—The access point
draws lower than 16.8 volts from the
Ethernet.
– Normal—The power is high enough for
the operation of the access point.
– Not Applicable—The power source is
not from the Ethernet.
Primary Controller
Indicates the name of the primary controller for
this access point.
Radio MAC
Indicates the radio MAC address.
Reg. Domain Supported
Indicates whether or not the regulatory domain is
supported.
Serial Number
Indicates the access point serial number.
Slot
Indicates the slot number.
Tx Power Control
Indicates whether the transmission power control
is automatic or custom.
Tx Power Level
Indicates the transmission power level.
Up Time
Indicates how long the access point has been up in
days, hours, minutes and seconds.
WLAN Override Names
Indicates the WLAN override profile names.
WLAN Override
Indicates whether WLAN Override is enabled or
disabled.
Configuring the List of Access Points Display
The Edit View page allows you to add, remove, or reorder columns in the Access Points table.
To edit the available columns in the access points table, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Click the Edit View link.
Step 3
To add an additional column to the access points table, click to highlight the column heading in the left
column. Click Show to move the heading to the right column. All items in the right column are displayed
in the table.
Step 4
To remove a column from the access points table, click to highlight the column heading in the right
column. Click Hide to move the heading to the left column. Items in the left column are not displayed
in the table.
Step 5
Use the Up/Down buttons to specify the order in which the information appears in the table. Highlight
the desired column heading and click Up or Down to move it higher or lower in the current list.
Step 6
Click Reset to restore the default view.
Step 7
Click Submit to confirm the changes.
Note
See the “Viewing a List of Access Points” section on page 5-44 for additional access point fields that
can be added through Edit View.
Generating a Report for Access Points
Note
You cannot customize any report that you create in the Access Points list (Monitor > Access Points).
To generate a report for access points, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Click to select the access point(s) for which you want to run a report.
Step 3
Choose the applicable report from the Select a report drop-down list.
Step 4
Click Go.
Table 5-44 lists the available reports.
Table 5-44
Access Point Reports
Report
Description
Reference
Load
Generates a report with load information.
See the “Monitoring Traffic Load” section on page 5-50 for more information.
Dynamic Power Control
Generates a report with Dynamic Power Control information.
See the “Monitoring Dynamic Power Control” section on page 5-51 for more information.
Noise
Generates a report with Noise information.
See the “Monitoring Access Points Noise” section on page 5-52 for more information.
Interference
Generates a report with Interference information.
See the “Monitoring Access Points Interference” section on page 5-52 for more information.
Coverage (RSSI)
Generates a report with Coverage (RSSI) information.
See the “Monitoring Access Points Coverage (RSSI)” section on page 5-53 for more information.
Coverage (SNR)
Generates a report with Coverage (SNR) information.
See the “Monitoring Access Points Coverage (SNR)” section on page 5-53 for more information.
Up/Down Statistics
Time in days, hours and minutes since the last reboot. Generates a report with Up Time information.
See the “Monitoring Access Points Up/Down Statistics” section on page 5-53 for more information.
Voice Statistics
Generates a report for selected access points showing radio utilization by voice traffic.
See the “Monitoring the Access Points Voice Statistics” section on page 5-54 for more information.
Voice TSM Table
Generates a report for selected access points and radio, organized by client device showing QoS
status, PLR, and latency of its voice traffic stream.
See the “Monitoring the Access Points Voice TSM Table” section on page 5-54 for more information.
Voice TSM Reports
Graphical representation of the TSM table except that metrics from the clients are averaged together
on the graphs.
See the “Monitoring the Access Points Voice TSM Reports” section on page 5-56 for more information.
802.11 Counters
Displays counters for access points at the MAC layer. Statistics such as error frames, fragment
counts, RTS/CTS frame count, and retried frames are generated based on the filtering criteria and
can help interpret performance (and problems, if any) at the MAC layer.
See the “Monitoring Access Points 802.11 Counters” section on page 5-56 for more information.
AP Profile Status
Displays access point load, noise, interference, and coverage profile status.
See the “Monitoring Access Points AP Profile Status” section on page 5-57 for more information.
Air Quality vs. Time
Displays the air quality index of the wireless network during the configured time duration.
See the “Monitoring Air Quality” section on page 5-58 for more information.
Traffic Stream Metrics
Useful in determining the current and historical quality of service (QoS) for given clients at the
radio level. It also displays uplink and downlink statistics such as packet loss rate, average
queuing delay, distribution of delayed packets, and roaming delays.
See the “Monitoring Access Points Traffic Stream Metrics” section on page 5-57 for more information.
Tx Power and Channel
Displays the channel plan assignment and transmit power level trends of devices based on the
filtering criteria used when the report was generated. It could help identify unexpected behavior
or issues with network performance.
See the “Monitoring Access Points Tx Power and Channel” section on page 5-57 for more information.
VoIP Calls Graph
Helps analyze wireless network usage from a voice perspective by providing
details such as the number and duration of VoIP calls (per radio) on the
network over time. To be able to gather useful data from this report, VoIP
snooping must be enabled on the WLAN. This report displays information in a
graph.
See the “Monitoring VoIP Calls” section on page 5-58 for more information.
VoIP Calls Table
Provides the same information as the VoIP Calls Graph report but in table
form.
See the “Monitoring VoIP Calls” section on page 5-58 for more information.
Voice Statistics
Helps analyze wireless network usage from a voice perspective by providing
details such as percentage of bandwidth used by voice clients, voice calls,
roaming calls, and rejected calls (per radio) on the network. To be able to
gather useful data from this report, make sure call admission control (CAC)
is supported on voice clients.
See the “Monitoring Voice Statistics” section on page 5-58 for more information.
Worst Air Quality APs
Provides a high-level, easy-to-understand metric to facilitate an "at a
glance" understanding of where interference problems are impacting the
network. Air Quality (AQ) is reported at a channel, floor, and system level
and it supports AQ alerts, so that you can be automatically notified when AQ
falls below a desired threshold.
See the “Monitoring Air Quality” section on page 5-58 for more information.
Monitoring Traffic Load
Traffic Load is the total amount of bandwidth used for transmitting and receiving traffic. This enables
WLAN managers to track and plan network growth ahead of client demand.
To access the access point load report, follow these steps:
Step 1  Choose Monitor > Access Points.
Step 2  Select the check box(es) of the applicable access point(s).
Step 3  From the Generate a report for selected APs drop-down list, choose Load.
Step 4  Click Go. The Load report displays for the selected access points.
Table 5-45 lists the fields displayed on this page.
Table 5-45
Traffic Load
Field
Description
AP Name
Click the access point name to view access point details. See the
“Monitoring Access Points Details” section on page 5-58 for more
information.
Radio
Protocol of the rogue access point is either 802.11a, 802.11b or
802.11g. Click the radio to view On-Demand Statistics for this access
point. See the “Monitoring Access Point Radio Details” section on
page 5-71 for more information.
Attached Client Count
Number of clients attached (Actual and Threshold).
Channel Utilization
802.11a RF utilization threshold between 0 and 100 percent (Actual and
Threshold).
Receive Utilization
802.11a or 802.11b/g RF receive utilization threshold between 0 and
100 percent.
Transmit Utilization
802.11a or 802.11b/g RF transmit utilization threshold between 0 and
100 percent.
Status
Status of the client connection.
Monitoring Dynamic Power Control
To access the access point Load report, follow these steps:
Step 1  Choose Monitor > Access Points.
Step 2  Select the check box(es) of the applicable access point(s).
Step 3  From the Generate a report for selected APs drop-down list, choose Dynamic Power Control.
Step 4  Click Go. The Dynamic Power Control report displays the selected access points.
Table 5-46 lists the dynamic control fields for access points displayed on this page.
Table 5-46
Dynamic Power Control Page Fields
Field
Description
AP Name
This is the name assigned to the access point. Click an access point name
in the list to access its fields. See the “Monitoring Access Points
Details” section on page 5-58 for more information.
Radio
Protocol of the rogue access point is either 802.11a, or 802.11b/g. Click
a Cisco Radio in the list to access its fields. See the “Monitoring Access
Point Radio Details” section on page 5-71 for more information.
Current Power Level
Displays the operating transmit power level from the transmit power
table. Access point transmit power level: 1 = Maximum power allowed
per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to
12.5% power, and 5 = 0.195 to 6.25% power.
Note  The power levels and available channels are defined by the
Country Code Setting, and are regulated on a country by country
basis.
Power Assignment Mode
Dynamic transmit power assignment has three modes:
– Automatic—The transmit power is periodically updated for all
Cisco 1000 Series lightweight access points that permit this
operation.
– On Demand—Transmit power is updated when the Assign Now
button is selected.
– Fixed—No dynamic transmit power assignments occur and
values are set to their global default. The default is Automatic.
– Recommended Power Level.
Monitoring Access Points Noise
To access the access point Noise report, follow these steps:
Step 1  Choose Monitor > Access Points.
Step 2  Select the check box(es) of the applicable access point(s).
Note  If multiple access points are selected, they must have the same radio type.
Step 3  From the Generate a report for selected APs drop-down list, choose Noise.
Step 4  Click Go. The Noise report displays the selected access points.
This page displays a bar graph of noise (RSSI in dBm) for each channel.
Monitoring Access Points Interference
To access the access point Interference report, follow these steps:
Step 1  Choose Monitor > Access Points.
Step 2  Select the check box(es) of the applicable access point(s).
Note  If multiple access points are selected, they must have the same radio type.
Step 3  From the Generate a report for selected APs drop-down list, choose Interference.
Step 4  Click Go. The Interference report displays the selected access points.
This page displays a bar graph of interference (RSSI in dBm) for each channel:
• High interference -40 to 0 dBm.
• Marginal interference -100 to -40 dBm.
• Low interference -110 to -100 dBm.
Monitoring Access Points Coverage (RSSI)
To access the access point Coverage (RSSI) report, follow these steps:
Step 1  Choose Monitor > Access Points.
Step 2  Select the check box(es) of the applicable access point(s).
Step 3  From the Generate a report for selected APs drop-down list, choose Coverage (RSSI).
Step 4  Click Go. The Coverage (RSSI) report displays the selected access points.
This page displays a bar graph of client distribution by received signal strength showing the number of
clients versus RSSI in dBm.
Monitoring Access Points Coverage (SNR)
To access the access point Coverage (SNR) report, follow these steps:
Step 1  Choose Monitor > Access Points.
Step 2  Select the check box(es) of the applicable access point(s).
Step 3  From the Generate a report for selected APs drop-down list, choose Coverage (SNR).
Step 4  Click Go. The Coverage (SNR) report displays the selected access points.
This page displays a bar graph of client distribution by signal-to-noise ratio showing the number of
clients versus SNR.
Monitoring Access Points Up/Down Statistics
To access the access point Up/Down Statistics report, follow these steps:
Step 1  Choose Monitor > Access Points.
Step 2  Select the check box of the applicable access point.
Step 3  From the Generate a report for selected APs drop-down list, choose Up/Down Statistics.
Step 4  Click Go. The Up/Down Statistics report displays the selected access points.
Note  Up Time is time in days, hours, and minutes since the last reboot.
This page displays a line graph of access point up time graphed against time.
If you select more than one access point, the following message appears:
Please select only one AP for the Up Time Report.
Monitoring the Access Points Voice Statistics
This generates a report for selected access points showing radio utilization by voice traffic. The report
includes the number of current calls.
Note  Voice Statistics reports are only applicable for CAC/WMM clients.
To access the access point Voice Statistics report, follow these steps:
Step 1  Choose Monitor > Access Points.
Step 2  Select the check box(es) of the applicable access point(s).
Step 3  From the Generate a report for selected APs drop-down list, choose Voice Statistics.
Step 4  Click Go. The Voice Statistics report displays for the selected access points.
The page displays the following access point voice statistics:
• AP Name—Select an item under AP Name. For more information, see the “Monitoring Access
Points Details” section on page 5-58.
• Radio—Select an item under Radio. For more information, see the “Monitoring Access Point Radio
Details” section on page 5-71.
• Calls in Progress—Number of calls in progress.
• Roaming Calls in Progress—Number of roaming calls in progress.
• Bandwidth in Use—Percentage of bandwidth in use.
Monitoring the Access Points Voice TSM Table
This generates a report for selected access points and radio, organized by client device showing QoS
status, PLR, and latency of its voice traffic stream.
To access the access point Voice TSM Table report, follow these steps:
Step 1  Choose Monitor > Access Points.
Step 2  Select the check box of the applicable access point.
Step 3  From the Generate a report for selected APs drop-down list, choose Voice TSM Table.
Step 4  Click Go. The Voice Traffic Stream Metrics Table report displays the selected access point.
Table 5-47 lists the Voice Traffic Stream Metrics Table page fields.
Table 5-47
Voice Traffic Stream Metrics Table Page Fields
Field
Description
Time
Time that the statistics were gathered from the access
point(s).
Client MAC
MAC address of the client. This shows a list of the clients
evaluated during the most recent 90-second interval. The
client could be a VoIP phone, laptop, or PDA, and refers to any
client attached to the access point collecting measurements.
QoS
QoS values (packet latency, packet jitter, packet loss, roaming
time) which can affect the WLAN are monitored. Access
points and clients measure the metrics; access points collect
the measurements and send them to the controller. The access
points update the controller with traffic stream metric
information every 90 seconds, and 10 minutes of data is stored
at one time.
% PLR (Downlink)
Percentage of packets lost on the downlink (access point to
client) during the 90 second interval.
% PLR (Uplink)
Percentage of packets lost on the uplink (client to access
point) during the 90 second interval.
Avg Queuing Delay (ms) (Downlink)
Average queuing delay in milliseconds for the downlink.
Average packet queuing delay is the average delay of voice
packets traversing the voice queue. Packet queue delay is
measured beginning when a packet is queued for transmission
and ending when the packet is successfully transmitted. It
includes time for re-tries, if needed.
Avg Queuing Delay (ms) (Uplink)
Average queuing delay in milliseconds for the uplink.
Average packet queuing delay is the average delay of voice
packets traversing the voice queue. Packet queue delay is
measured beginning when a packet is queued for transmission
and ending when the packet is successfully transmitted. It
includes time for re-tries, if needed.
% Packets > 40 ms Queuing Delay
Percentage of queuing delay packets greater than 40 ms.
% Packets > 20 ms Queuing Delay
Percentage of queuing delay packets greater than 20 ms.
Roaming Delay
Roaming delay in milliseconds. Roaming delay, which is
measured by clients, is measured beginning when the last
packet is received from the old access point and ending when
the first packet is received from the new access point after a
successful roam.
Monitoring the Access Points Voice TSM Reports
This report provides a graphical representation of the Voice Traffic Stream Metrics Table except that
metrics from the clients are averaged together on the graphs.
To access the access point Voice Traffic Stream Metrics Table report, follow these steps:
Step 1  Choose Monitor > Access Points.
Step 2  Select the check box of the applicable access point.
Step 3  From the Generate a report for selected APs drop-down list, choose Voice TSM Reports.
Step 4  Click Go. The Voice Traffic Stream Metrics Table report displays for the selected access point.
This page displays line graphs of the following downlink and uplink metric information, including times
and dates (see Table 5-48).
Table 5-48
Voice Traffic Stream Metrics Table Reports Page Fields
Field
Description
Average Queuing Delay (ms)
Average queuing delay in milliseconds. Average packet
queuing delay is the average delay of voice packets
traversing the voice queue. Packet queue delay is
measured beginning when a packet is queued for
transmission and ending when the packet is successfully
transmitted. It includes time for re-tries, if needed.
% Packet with less than 10 ms delay
Percentage of packets with less than 10 milliseconds
delay.
% Packet with more than 10 < 20 ms delay
Percentage of packets with more than 10 milliseconds
delay but less than 20 milliseconds delay.
% Packet with more than 20 < 40 ms delay
Percentage of packets with more than 20 milliseconds
delay but less than 40 milliseconds delay.
% Packet with more than 40 ms delay
Percentage of packets with more than 40 milliseconds
delay.
Packet Loss Ratio
Ratio of lost packets.
Total Packet Count
Number of total packets.
Roaming Count
Number of packets exchanged for roaming negotiations
in this 90 seconds metrics page.
Roaming Delay
Roaming delay in milliseconds.
Monitoring Access Points 802.11 Counters
Displays counters for access points at the MAC layer. Statistics such as error frames, fragment counts,
RTS/CTS frame count, and retried frames are generated based on the filtering criteria and can help
interpret performance (and problems, if any) at the MAC layer.
See the “Reports” section on page 14-715 for more information on 802.11 Counters reports.
Monitoring Access Points AP Profile Status
Displays access point load, noise, interference, and coverage profile status.
See the “Reports” section on page 14-715 for more information on AP Profile Status reports.
Monitoring Access Points Radio Utilization
See the “Reports” section on page 14-715 for more information on Radio Utilization reports.
Monitoring Access Points Traffic Stream Metrics
Useful in determining the current and historical quality of service (QoS) for given clients at the radio
level. It also displays uplink and downlink statistics such as packet loss rate, average queuing delay,
distribution of delayed packets, and roaming delays.
See the “Reports” section on page 14-715 for more information on Traffic Stream Metrics reports.
Monitoring Access Points Tx Power and Channel
See the “Reports” section on page 14-715 for more information on Tx Power and Channel reports.
The Current Tx Power Level setting controls the maximum conducted transmit power. The maximum
available transmit power varies according to the configured channel, individual country regulation, and
access point capability. See the Product Guide or data sheet at www.cisco.com for each specific model
to determine the access point capability.
The Current Tx Power Level setting of 1 represents the maximum conducted power setting for the access
point. Each subsequent power level (for example, 2, 3, 4, and so on) represents approximately a 50%
(or 3 dBm) reduction in transmit power from the previous power level.
Note  The actual power reduction might vary slightly for different models of access points.
Based on the configured antenna gain, the configured channel, and the configured power level, the actual
transmit power at the access point can be reduced so that the specific country regulations are not
exceeded.
Note  Irrespective of whether you choose the Global or Custom assignment method, the actual conducted transmit
power at the access point is verified such that country specific regulations are not exceeded.
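The relationship between power level, antenna gain, and the regulatory ceiling described above can be worked through numerically. The following Python code is an added example, not part of the Cisco guide: the 17 dBm maximum, the antenna gains, and the 20 dBm limit are constructed values, and modelling the country regulation as a single EIRP ceiling (conducted power plus antenna gain) is an assumption.

```python
# Added example (not from the Cisco guide): nominal vs. effective conducted
# transmit power for each Tx power level. Only the 3 dB step per level comes
# from the text; every numeric input used below is a constructed value.

STEP_DB = 3.0  # each level is roughly a 50% (3 dB) reduction from the previous


def dbm_to_mw(dbm):
    """Convert a power in dBm to milliwatts."""
    return 10 ** (dbm / 10.0)


def nominal_dbm(level, max_conducted_dbm):
    """Power requested by a level before any regulatory clamp (level 1 = max)."""
    if level < 1:
        raise ValueError("Tx power levels start at 1")
    return max_conducted_dbm - STEP_DB * (level - 1)


def effective_dbm(level, max_conducted_dbm, antenna_gain_dbi, eirp_limit_dbm):
    """Clamp the nominal power so that conducted power + gain <= EIRP limit.

    Assumption: the country regulation is expressed as one EIRP ceiling.
    """
    ceiling = eirp_limit_dbm - antenna_gain_dbi
    return min(nominal_dbm(level, max_conducted_dbm), ceiling)


def power_table(max_conducted_dbm, antenna_gain_dbi, eirp_limit_dbm, levels=5):
    """Return one row per power level with nominal and effective power."""
    max_mw = dbm_to_mw(max_conducted_dbm)
    rows = []
    for level in range(1, levels + 1):
        nominal = nominal_dbm(level, max_conducted_dbm)
        effective = effective_dbm(
            level, max_conducted_dbm, antenna_gain_dbi, eirp_limit_dbm
        )
        rows.append(
            {
                "level": level,
                "nominal_dbm": nominal,
                "nominal_pct_of_max": round(100 * dbm_to_mw(nominal) / max_mw, 1),
                "effective_dbm": effective,
                "clamped": effective < nominal,  # True when regulation wins
            }
        )
    return rows


if __name__ == "__main__":
    # Constructed scenario: same radio, low-gain vs. high-gain antenna.
    for gain in (2, 6):
        print(f"antenna gain {gain} dBi, EIRP limit 20 dBm")
        for row in power_table(17, gain, 20):
            print(
                f"  level {row['level']}: nominal {row['nominal_dbm']:.0f} dBm "
                f"({row['nominal_pct_of_max']}% of max), "
                f"effective {row['effective_dbm']:.0f} dBm"
                f"{' (clamped)' if row['clamped'] else ''}"
            )
```

With the higher-gain antenna, levels 1 and 2 yield the same effective power, so lowering the configured level from 1 to 2 changes nothing on the air.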
Command Buttons
• Save—Save the current settings.
• Audit—Discover the present status of this access point.
Monitoring VoIP Calls
The VoIP Calls report helps analyze wireless network usage from a voice perspective by providing details
such as the number and duration of VoIP calls (per radio) on the network over time. To be able to gather
useful data from this report, VoIP snooping must be enabled on the WLAN. This report displays
information in a graph.
Click VoIP Calls Graph from the Report Launch Pad to open the VoIP Calls Graph Reports page. From
this page, you can enable, disable, delete, or run currently saved report templates. See the “Reports”
section on page 14-715 for more information.
Monitoring Voice Statistics
The Voice Statistics report helps analyze wireless network usage from a voice perspective by providing
details such as percentage of bandwidth used by voice clients, voice calls, roaming calls, and rejected
calls (per radio) on the network. To be able to gather useful data from this report, make sure Call
Admission Control (CAC) is supported on voice clients. See the “Reports” section on page 14-715 for
more information.
Monitoring Air Quality
To facilitate an "at a glance" understanding of where interference problems are impacting the network,
the Prime Infrastructure rolls up the detailed information into a high-level, easy-to-understand metric
referred to as Air Quality (AQ). AQ is reported at a channel, floor, and system level and it supports AQ
alerts, so that you can be automatically notified when AQ falls below a desired threshold. See the
“Monitoring CleanAir Air Quality Events” section on page 5-149 for more information.
Monitoring Access Points Details
The Access Points Details page enables you to view access point information for a single AP.
Choose Monitor > Access Points and click an item in the AP Name column to access this page.
Depending on the type of access point, the following tabs might be displayed. This section provides the
detailed information regarding each Access Points Details page tab and contains the following topics:
• General Tab, page 5-58
• Interfaces Tab, page 5-67
• Mesh Statistics Tab, page 5-83
• Mesh Links Tab, page 5-87
• CDP Neighbors Tab, page 5-69
• Current Associated Clients Tab, page 5-69
• SSID Tab, page 5-71
• Clients Over Time Tab, page 5-71
General Tab
Note  The General tab fields differ between lightweight and autonomous access points.
This section contains the following topics:
• General—Lightweight Access Points, page 5-59
• General—Autonomous, page 5-65
General—Lightweight Access Points
Table 5-49 lists the General (for Lightweight Access Points) Tab fields.
Table 5-49
General (for Lightweight Access Points) Tab Fields
Field
Description
General
AP Name
Operator defined name of access point.
AP IP address, Ethernet MAC address, and Base Radio MAC address
IP address, Ethernet MAC address and Radio MAC address.
Country Code
The codes of the supported countries. Up to 20 countries can be
supported per controller.
Note  Access points might not operate properly if they are not
designed for use in your country of operation. For a
complete list of country codes supported per product, see
the following URL:
http://www.cisco.com/en/US/docs/wireless/wcs/4.0/configuration/guide/wcscod.html.
Link Latency Settings
You can configure link latency on the controller to measure the
link between an access point and the controller. See the
“Configuring Link Latency Settings for Access Points” section on
page 9-491 for more information.
– Current Link Latency (in msec)—The current round-trip
time (in milliseconds) of heartbeat packets from the
access point to the controller and back.
– Minimum Link Latency (in msec)—The minimum round-trip
time (in milliseconds) of heartbeat packets from the
access point to the controller and back since link latency
was enabled or reset.
– Maximum Link Latency (in msec)—The maximum round-trip
time (in milliseconds) of heartbeat packets from the
access point to the controller and back since link latency
was enabled or reset.
LWAPP/CAPWAP Uptime
Displays how long the LWAPP/CAPWAP connection has been
active.
LWAPP/CAPWAP Join Taken Time
Displays how long the LWAPP/CAPWAP connection has been
joined.
Admin Status
The administration state of the access point as either enabled or
disabled.
AP Mode
Local
Default mode. Data clients are serviced while configured channels
are scanned for noise and rogues. The access point goes
off-channel for 50 ms and listens for rogues. It cycles through
each channel for the period specified under the Auto RF
configuration.
Note  To configure Local or FlexConnect access points for the
Cisco Adaptive wIPS feature, choose Local or
FlexConnect and select the Enhanced wIPS Engine
Enabled check box.
Monitor
Radio receive only mode. The access point scans all configured
channels every 12 seconds. Only deauthentication packets are sent
in the air with an access point configured this way. A monitor
mode access point can connect as a client to a rogue access point.
Note  To configure access points for Cisco Adaptive wIPS
feature, select Monitor. Select the Enhanced wIPS
Engine Enabled check box and choose wIPS from the
Monitor Mode Optimization drop-down list.
Before you can enable an access point to be in wIPS mode,
you must disable the access point radios. If you do not
disable the access point radio, an error message appears.
Note  Once you have enabled the access point for wIPS,
reenable the radios.
Rogue Detector
The access point radio is turned off and the access point listens to
wired traffic only. The controllers that operate in this mode
monitor the rogue access points. The controller sends all the rogue
access point and client MAC address lists to the rogue detector,
and the rogue detector forwards this information to the WLC. The
MAC address list is compared to what the WLC access points
heard over the network. If the MAC addresses match, you can
determine which rogue access points are connected on the wired
network.
Sniffer
The access point captures and forwards all the packets on a
particular channel to a remote machine that runs AiroPeek. These
packets contain information such as timestamp, signal strength,
packet size, and so on. This feature can only be enabled if you run
AiroPeek, which is a third-party network analyzer software that
supports the decoding of data packets.
FlexConnect
Enables FlexConnect for up to six access points. The FlexConnect
access points can switch client data traffic locally and perform
client authentication locally when their connection to the
controller is lost.
Note  FlexConnect must be selected to configure an
OfficeExtend access point. When the AP mode is
FlexConnect, FlexConnect configuration options display
including the option to enable OfficeExtend AP and to
enable Least Latency Controller Join.
Bridge
This is a special mode where an autonomous access point
functions as a wireless client and connects to a lightweight access
point. The bridge and its wired clients are listed as clients in the
Prime Infrastructure if the AP mode is set to Bridge, and the
access point is bridge capable.
Spectrum Expert
This mode allows a CleanAir-enabled access point to be used
extensively for interference detection on all monitored channels.
All other functions such as IDS scanning and Wi-Fi are
suspended.
Enhanced wIPS Engine
Enabled or Disabled, to enable the monitoring of the security
attacks using Cisco Adaptive wIPS feature.
Operational Status
Registered or Not Registered, as determined by the controller.
Registered Controller
The controller to which the access point is registered. Click to
display the registered controller details. See the “Monitoring
System Summary” section on page 5-4 for more information.
Primary Controller
The name of the primary controller for this access point.
Port Number
The SNMP name of the access point primary controller. The
access point attempts to associate with this controller first for all
network operations and in the event of a hardware reset.
AP Uptime
Displays how long the access point has been active to receive and
transmit.
Map Location
Customer-definable location name for the access point. Click to
look at the actual location on a map. Choose Monitor > Access
Points > name > Map Location for more information.
Google Earth Location
Indicates whether a Google Earth location is assigned.
Location
The physical location where the access point is placed (or
Unassigned).
Statistics Timer
This counter sets the time in seconds that the access point sends
its DOT11 statistics to the controller.
PoE Status
The power over ethernet status of the access point. The possible
values include the following:
– Low—The access point draws low power from the
Ethernet.
– Lower than 15.4 volts—The access point draws lower
than 15.4 volts from the Ethernet.
– Lower than 16.8 volts—The access point draws lower
than 16.8 volts from the Ethernet.
– Normal—The power is high enough for the operation of
the access point.
– Not Applicable—The power source is not from the
Ethernet.
SSH Access
Indicates whether or not SSH is enabled.
Note  An OfficeExtend access point might be connected directly
to the WAN which could allow external access if the
default password is used by the access point. Because of
this, Telnet and SSH access are disabled automatically for
OfficeExtend access points.
Versions
Software Version
The operating system release.version.dot.maintenance number of
the code currently running on the controller.
Boot Version
The operating system bootloader version number.
Inventory Information
AP Type
Type of Access Point
AP Model
Access point model number.
Cisco IOS Version
The Cisco IOS Release details.
AP Certificate Type
Either Self Signed or Manufacture Installed.
FlexConnect Mode Supported
Indicates if FlexConnect mode is supported or not.
wIPS Profile (when applicable)
Profile Name
Click the user-assigned profile name to view wIPS profile details.
Profile Version
Unique Device Identifier (UDI)
Name
Name of the Cisco AP for access points.
Description
Description of the access point.
Product ID
Orderable product identifier.
Version ID
Version of product identifier.
Serial Number
Unique product serial number.
Run Ping Test Link
Click to ping the access point. The results are displayed in a
pop-up dialog box.
Alarms Link
Click to display alarms associated with this access point.
Events Link
Click to display events associated with this access point.
General—Autonomous
Note
For autonomous clients, Prime Infrastructure only collects client counts. The client counts in the
Monitor page and reports have autonomous clients included. Client search, client traffic graphs, or other
client reports (such as Unique Clients, Busiest Clients, Client Association) do not include clients from
autonomous access points.
Table 5-50 lists the General (for Autonomous Access Points) tab fields.
Table 5-50
General (for Autonomous Access Points) Tab Fields
Field
Description
AP Name
Operator defined name of access point.
AP IP address and Ethernet MAC address
IP address and Ethernet MAC address of the access
point.
AP UpTime
Indicates how long the access point has been up in
number of days, hours, minutes, and seconds.
Map Location
Customer-definable location name for the access
point. Click to look at the actual location on a
map. See the “Monitoring Maps” section on
page 6-153 for more information.
WGB Mode
Indicates whether or not the access point is in
workgroup bridge mode.
SNMP Info
SysObjectId
System Object ID.
SysDescription
The system device type and current version of
firmware.
SysLocation
The physical location of the device, such as a
building name or room in which it is installed.
SysContact
The name of the system administrator responsible
for the device.
Versions
Software Version
The operating system
release.version.dot.maintenance number of the
code currently running on the controller.
CPU Utilization
Displays the maximum, average, and minimum
CPU utilization over the specified amount of time.
Memory Utilization
Displays the maximum, average, and minimum
memory utilization over the specified amount of
time.
Inventory Information
AP Type
Autonomous or lightweight.
AP Model
The Access Point model number.
AP Serial Number
Unique serial number for this access point.
FlexConnect Mode Supported
Indicates whether FlexConnect mode is supported.
Unique Device Identifier (UDI)
Name
Name of Cisco AP for access points.
Description
Description of access point.
Product ID
Orderable product identifier.
Version ID
Version of product identifier.
Serial Number
Unique product serial number.
Note
Memory and CPU utilization charts are displayed.
Note
Click Alarms to display the alarms associated with the access point.
Click Events to display events associated with the access point.
Interfaces Tab
Table 5-51 lists the Interfaces tab fields.
Table 5-51
Interfaces Tab Fields
Field
Description
Interface
Admin Status
Indicates whether the Ethernet interface is enabled.
Operational Status
Indicates whether the Ethernet interface is operational.
Rx Unicast Packets
Indicates the number of unicast packets received.
Tx Unicast Packets
Indicates the number of unicast packets sent.
Rx Non-Unicast Packets
Indicates the number of non-unicast packets received.
Tx Non-Unicast Packets
Indicates the number of non-unicast packets sent.
Radio Interface
Protocol
802.11a/n or 802.11b/g/n.
Admin Status
Indicates whether the access point is enabled or disabled.
CleanAir Capable
Indicates whether the access point is able to use CleanAir.
CleanAir Status
Indicates the status of CleanAir.
Channel Number
Indicates the channel on which the Cisco Radio is broadcasting.
Extension Channel
Indicates the secondary channel on which Cisco radio is broadcasting.
Power Level
Access Point transmit power level: 1 = Maximum power allowed per
Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to
12.5% power, and 5 = 0.195 to 6.25% power.
Channel Width
Indicates the channel bandwidth for this radio interface. See the
“Configuring 802.11a/n RRM Dynamic Channel Allocation” section
on page 9-403 for more information on configuring channel
bandwidth.
Minimum (default) setting is 20 MHz. Maximum setting is the
maximum channel width supported by this radio.
Antenna Name
Identifies the type of antenna.
Click an interface name to view its properties (see Table 5-52).
Table 5-52
Interface Properties
Field
Description
AP Name
Name of the Access Point.
Link speed
Indicates the speed of the interface in Mbps.
RX Bytes
Indicates the total number of bytes in the error-free packets received on
the interface.
RX Unicast Packets
Indicates the total number of unicast packets received on the interface.
RX Non-Unicast Packets
Indicates the total number of non-unicast or multicast packets received
on the interface.
Input CRC
Indicates the total number of CRC errors in packets received on the
interface.
Input Errors
Indicates the sum of all errors in the packets while receiving on the
interface.
Input Overrun
Indicates the number of times the receiver hardware was incapable of
handing received data to a hardware buffer because the input rate
exceeded the receiver capability to handle the data.
Input Resource
Indicates the total number of resource errors in packets received on the
interface.
Runts
Indicates the number of packets that are discarded because they are
smaller than the medium minimum packet size.
Throttle
Indicates the total number of times the interface advised a sending NIC
that it was overwhelmed by packets being sent and to slow the pace of
delivery.
Output Collision
Indicates the total number of packets retransmitted due to an Ethernet
collision.
Output Resource
Indicates the total number of resource errors in packets transmitted on
the interface.
Output Errors
Indicates the sum of all errors that prevented the final transmission of
packets out of the interface.
Operational Status
Indicates the operational state of the physical Ethernet interface on the
AP.
Duplex
Indicates the duplex mode of an interface.
TX Bytes
Indicates the total number of bytes in the error-free packets transmitted
on the interface.
TX Unicast Packets
Indicates the total number of unicast packets transmitted on the
interface.
TX Non-Unicast Packets
Indicates the total number of non-unicast or multicast packets
transmitted on the interface.
Input Aborts
Indicates the total number of packets aborted while receiving on the
interface.
Input Frames
Indicates the total number of packets received incorrectly, having a CRC
error and a non-integer number of octets, on the interface.
Input Drops
Indicates the total number of packets dropped while receiving on the
interface because the queue was full.
Unknown Protocol
Indicates the total number of packets discarded on the interface due to
an unknown protocol.
Giants
Indicates the number of packets that are discarded because they exceed
the maximum packet size of the medium.
Interface Resets
Indicates the number of times that an interface has been completely
reset.
Output No Buffer
Indicates the total number of packets discarded because there was no
buffer space.
Output Underrun
Indicates the number of times the transmitter has been running faster
than the router can handle.
Output Total Drops
Indicates the total number of packets dropped while transmitting from
the interface because the queue was full.
CDP Neighbors Tab
Table 5-53 lists the CDP Neighbors tab fields.
Note
This tab is visible only when the CDP is enabled.
Table 5-53
CDP Neighbors Tab Fields
Field
Description
AP Name
The name assigned to the access point.
AP IP Address
IP address of the access point.
Port No
Port number connected or assigned to the access point.
Local Interface
Identifies the local interface.
Neighbor Name
Name of the neighboring Cisco device.
Neighbor Address
Network address of the neighboring Cisco device.
Neighbor Port
Port of the neighboring Cisco device.
Duplex
Indicates Full Duplex or Half Duplex.
Interface Speed
Speed at which the interface operates.
Current Associated Clients Tab
Table 5-54 lists the Current Associated Clients tab fields.
Note
This tab is visible only when there are clients associated to the AP (CAPWAP or Autonomous
AP).
Table 5-54
Current Associated Clients Tab Fields
Field
Description
Username
Click the username to view the Monitor Client
Details page for this client. See the “Monitoring
Clients and Users” section on page 10-521 for
more information.
IP Address
IP address of the associated client.
Client MAC Address
Click the client MAC address to view the Monitor
Client Details page for this client. See the
“Monitoring Clients and Users” section on
page 10-521 for more information.
Association Time
Date and time of the association.
UpTime
Time duration of the association.
SSID
User-defined SSID name.
SNR (dB)
Signal to Noise Ratio in dB of the associated
client.
RSSI
Received Signal Strength Indicator in dBm.
Bytes Tx
This indicates the total amount of data that has
passed through the Ethernet interface either way.
Bytes Rx
This indicates the total amount of data that has
been received through the Ethernet interface
either way.
When the access point is not associated with the controller, then the database is used to retrieve the
data (rather than the controller itself). If the access point is not associated, the following fields appear.
User Name
Username of the client.
IP Address
Local IP Address
Client MAC Address
Client MAC Address
Association Time
Timestamp of the client association.
Session Length
Time length of the session
SSID
User-defined SSID name.
Protocol
Avg. Session Throughput
Traffic (MB) as before
Note
Click the Edit View link to add, remove or reorder columns in the Current Associated Clients table. See
the “Configuring the List of Access Points Display” section on page 5-47 for adding a new field using
the Edit View.
SSID Tab
Table 5-55 lists the SSID tab fields.
Note
This tab is visible only when the access point is an Autonomous AP and there are SSIDs configured
on the AP.
Table 5-55
SSID Tab
Field
Description
SSID
Service Set Identifier being broadcast by the
access point radio.
SSID Vlan
SSID on an access point is configured to
recognize a specific VLAN ID or name.
SSID Vlan Name
SSID on an access point is configured to
recognize a specific VLAN ID or name.
MB SSID Broadcast
SSID broadcast disabled essentially makes your
Access Point invisible unless a wireless client
already knows the SSID, or is using tools that
monitor or 'sniff' traffic from an AP's associated
clients.
MB SSID Time Period
Within this specified time period, internal
communication within the SSID continues to
work.
Clients Over Time Tab
This tab displays the following charts:
•
Client Count on AP—Displays the total number of clients currently associated with an access point
over time.
•
Client Traffic on AP—Displays the traffic generated by the client connected in the AP distribution
over time.
Note
The information that appears in the above charts is presented in a time-based graph. For graphs
that are time-based, there is a link bar at the top of the graph page that displays 6h, 1d, 1w, 2w,
4w, 3m, 6m, 1y, and Custom. When selected, the data for that time frame is retrieved and the
corresponding graph is displayed. See the “Time-Based Graphs” section on page 6-71 for more
information.
Monitoring Access Point Radio Details
Choose Monitor > Access Points and click an item in the Radio column to access this page.
Choose Monitor > Maps and click an item in the Name column, then click an access point icon to access
this page.
Choose Monitor > Access Points and click an item in the AP Name column, click 802.11a or 802.11b
on the AP Interfaces tab to access this page. This page enables you to view access point information for
a single 802.11a or 802.11b/g Cisco Radio.
The default is to show On Demand Statistics. Use the View drop-down list to choose a different view:
•
Choose On Demand Statistics, and click Go to display On Demand Statistics. See the “Monitoring
On Demand Statistics” section on page 5-72 for more information.
•
Choose Operational Parameters, and click Go to display Operational Parameters. See the
“Monitoring Operational Parameters” section on page 5-76 for more information.
•
Choose 802.11 MAC Counters, and click Go to display 802.11 MAC Counters. See the “Monitoring
802.11 MAC Counters” section on page 5-79 for more information.
•
Choose View Alarms, and click Go to display View Alarms. See the “Monitoring View Alarms”
section on page 5-80 for more information.
•
Choose View Events, and click Go to display View Events. See the “Monitor View Events” section
on page 5-81 for more information.
Monitoring On Demand Statistics
To view On Demand Statistics for an access point, click the Radio of the applicable access point in the
Monitor > Access Points page. The Radio Details page defaults to On Demand Statistics. See the
“Monitoring Access Point Radio Details” section on page 5-71 for more information on radio details.
Note
You can also select On Demand Statistics from the View drop-down list located on the Radio Details
page.
This page enables you to view the following access point 802.11a or 802.11b Cisco Radio statistics for
a single access point.
General
•
AP Name—Click to view the access point details. See the “Monitoring Access Points Details”
section on page 5-58 for more information.
•
AP MAC Address
•
Radio
•
CleanAir Capable—Indicates if the access point is CleanAir Capable.
•
AP in SE-Connect Mode—Yes or No. Indicates if the access point is connected in SE-Connect
mode.
•
CleanAir Enabled—Indicates if CleanAir is enabled on this access point.
•
CleanAir Sensor Status—Indicates the operational status of the CleanAir sensor (Up or Down).
•
Admin Status—Enabled or disabled.
•
Operational Status—Displays the operational status of the Cisco Radios (Up or Down).
•
Controller—Click to display controller system details. See the “Monitoring System Summary”
section on page 5-4 for more information.
•
Channel—The channel upon which the Cisco Radio is broadcasting.
•
Extension Channel—Indicates the secondary channel on which Cisco radio is broadcasting.
•
Channel Width—Indicates the channel bandwidth for this radio interface. See the “Configuring
802.11a/n RRM Dynamic Channel Allocation” section on page 9-403 for more information on
configuring channel bandwidth.
•
Power Level—Access Point transmit power level: 1 = Maximum power allowed per Country Code
setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power.
The power levels and available channels are defined by the Country Code setting, and are regulated
on a country by country basis.
•
Port—(1 to 24) Port to which the access point is connected.
•
Map Location—Click to display the floor map showing the access point location.
Management Frame Protection
•
Protection Capability—All Frames
•
Validation Capability—All Frames
•
MFP Version Supported—Management Frame Protection version supported and configured.
Profile Information
•
Noise Profile—Notification sent when Noise Profile state changes between Success and Failure.
•
Interference Profile—Notification sent when Interference Profile state changes between Success
and Failure.
•
Load Profile—Notification sent when Load Profile state changes between Success and Failure.
•
Coverage Profile—Notification sent when Coverage Profile state changes between Success and
Failure.
Note
Click Success or Failure to view associated alarms.
Noise by Channel (dBm)
Graph showing channel and noise.
Interference by Channel (dBm%)
Graph showing the percentage of interference per channel.
Note
Channel Utilization is a combination of Receive Power (RX) + Transmit Power (TX) + Interference.
Interference—Access points report on the percentage of the medium taken up by interfering 802.11
transmissions (this can be from overlapping signals from foreign APs, as well as non-neighbors).
Note
The channel list (as configured from the RRM page) is scanned completely using the “channel scan
duration” field under monitor intervals. For example, if scanning all 11 channels in 2.4 GHz, and using
the default duration (180 seconds), you get: 180/11 = 16.36 seconds approximately between each
channel that is being scanned.
Load Statistics
•
RX Utilization—802.11a or 802.11b/g RF receive utilization threshold between 0 and 100 percent.
•
TX Utilization—802.11a or 802.11b/g RF transmit utilization threshold between 0 and 100 percent.
•
Channel Utilization—802.11a RF utilization threshold between 0 and 100 percent (Subcolumns for
Actual and Threshold).
•
Attached Client Count—The number of clients attached.
General Tab
This section describes the information that appears on the General tab and contains the following topics:
•
“% Client Count by RSSI” section on page 5-74
•
“% Client Count by SNR” section on page 5-74
•
“Channel Utilization (% Busy)” section on page 5-74
•
“Noise by Channel(dBm)” section on page 5-74
•
“Rx Neighbors” section on page 5-74
•
“Channel Utilization Statistics” section on page 5-74
% Client Count by RSSI
Graph with % and Received Signal Strength Indicator.
% Client Count by SNR
Graph with % and Signal-to-Noise Ratio.
Channel Utilization (% Busy)
Graph displaying the channel number on the x-axis and channel utilization on the y-axis.
Noise by Channel(dBm)
Graph displaying the channel on the x-axis and power in dBm on the y-axis.
Rx Neighbors
•
Radio MAC Address
•
AP Name—Click to view access point details.
•
Map—Click to view the map.
•
Mobility Group-Leader IP Address
•
Neighbor Channel
•
Channel Bandwidth
•
RSSI (dBm)
Channel Utilization Statistics
•
Time
•
Picc—Percentage of time consumed by received frames from co-channel APs and clients.
•
Pib—Percentage of time consumed by interference on the channel which cannot be correctly
demodulated.
Note
Picc and Pib values should give a good indication of the percentage of time the access point
is busy because of co-channel interference.
Client Count Over last 24 Hrs
This graph shows the client count specific to the AP radios (in the last 24 hours).
CleanAir Tab
This section describes the information that appears on the CleanAir tab and contains the following
topics:
•
“Air Quality” section on page 5-75
•
“Interference Power” section on page 5-75
•
“Non-WiFi Channel Utilization” section on page 5-75
•
“Active Interferers” section on page 5-75
•
“View Drop-Down List” section on page 5-76
Air Quality
This graph displays the air quality index of the wireless network. A value of 100 indicates the air quality
is best and a value of 1 indicates maximum interference.
Interference Power
This graph displays the interference power of the interfering devices on the channel number.
Non-WiFi Channel Utilization
This graph displays the non-WiFi channel utilization of the wireless network.
Active Interferers
This section displays the details of the active interferers on the wireless network. The following details
are available:
•
Interferer Name—The name of the interfering device.
•
Affected Channels—The channel the interfering device is affecting.
•
Detected Time—The time at which the interference was detected.
•
Severity—The severity index of the interfering device.
•
Duty Cycle(%)—The duty cycle (in percentage) of the interfering device.
•
RSSI(dBm)—The Received Signal Strength Indicator of the interfering device.
View Drop-Down List
•
Choose On Demand Statistics, and click Go to display On Demand Statistics for this access point
radio. See the “Monitoring On Demand Statistics” section on page 5-72 for more information.
•
Choose Operational Parameters, and click Go to display Operational parameters for this access
point radio. See the “Monitoring Operational Parameters” section on page 5-76 for more
information.
•
Choose 802.11 MAC Counters, and click Go to display 802.11 MAC Counters for this access point
radio. See the “Monitoring 802.11 MAC Counters” section on page 5-79 for more information.
•
Choose View Alarms, and click Go to display alarms for this access point radio. See the
“Monitoring View Alarms” section on page 5-80 for more information.
•
Choose View Events, and click Go to display events for this access point radio. See the “Monitor
View Events” section on page 5-81 for more information.
Monitoring Operational Parameters
To view Operational Parameters for an access point radio, follow these steps:
Step 1
Choose Monitor > Access Points, click the radio for the applicable access point.
Step 2
From the View drop-down list, choose Operational Parameters.
Step 3
Click Go.
This page enables you to view configuration information for a single 802.11a or 802.11b Cisco radio.
General
•
AP Name—Click to view the access point details. See the “Monitoring Access Points Details”
section on page 5-58 for more information.
•
AP MAC Address
•
Radio
•
Admin Status—Enabled or disabled.
•
Operational Status—Displays the operational status of the Cisco Radios (Up or Down).
•
Controller—Click to display controller system details. See the “Monitoring System Summary”
section on page 5-4 for more information.
•
Channel—The channel upon which the Cisco Radio is broadcasting.
•
Extension Channel—Indicates the secondary channel on which Cisco radio is broadcasting.
•
Channel Width—Indicates the channel bandwidth for this radio interface. See the “Configuring
802.11a/n RRM Dynamic Channel Allocation” section on page 9-403 for more information on
configuring channel bandwidth.
•
Power Level—Access Point transmit power level: 1 = Maximum power allowed per Country Code
setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power.
The power levels and available channels are defined by the Country Code setting, and are regulated
on a country by country basis.
•
Port—(1 to 24) Port to which the access point is connected.
•
Map Location—Click to display the floor map showing the access point location.
Station Configuration Parameters
•
Configuration Type—Automatic or Custom.
•
Number of WLANs—1 (one) is the default.
•
Medium Occupancy Limit—Indicates the maximum amount of time, in TU, that a point coordinator
might control the usage of the wireless medium without relinquishing control for long enough to
allow at least one instance of DCF access to the medium. The default value is 100, and the maximum
value is 1000.
•
CFP Period—The number of DTIM intervals between the start of CFPs.
•
CFP Max. Duration—The maximum duration of the CFP in TU that might be generated by the PCF.
•
BSSID—MAC address of the access point.
•
Beacon Period—The rate at which the SSID is broadcast by the access point, from 100 to 600
milliseconds.
•
DTIM Period—The number of beacon intervals that shall elapse between transmission of Beacon
frames containing a TIM element whose DTIM Count field is 0. This value is transmitted in the
DTIM Period field of Beacon frames.
•
Country String—Identifies the country in which the station is operating. The first two octets of this
string are the two character country code.
Physical Channel Parameters
•
Current Channel—Current operating frequency channel.
•
Configuration—Locally customized or globally controlled.
•
Current CCA Mode—CCA method in operation. Valid values:
– Energy detect only (edonly) = 01.
– Carrier sense only (csonly) = 02.
– Carrier sense and energy detect (edandcs) = 04.
– Carrier sense with timer (cswithtimer) = 08.
– High rate carrier sense and energy detect (hrcsanded) = 16.
•
ED/TI Threshold—The Energy Detect and Threshold being used to detect a busy medium
(frequency). CCA reports a busy medium upon detecting the RSSI above this threshold.
Physical Antenna Parameters
•
Antenna Type—Internal or External.
•
Diversity—Enabled via the internal antennas or via either Connector A or Connector B. (Enabled or
Disabled).
RF Recommendation Parameters
•
Channel—802.11a Low Band, Medium Band, and High Band; 802.11b/g.
•
Tx Power Level—Zero (0) if Radio Resource Management (RRM) disabled, 1 - 5 if Radio Resource
Management (RRM) is enabled.
•
RTS/CTS Threshold—Zero (0) if Radio Resource Management (RRM) disabled, 1 - 5 if Radio
Resource Management (RRM) is enabled.
•
Fragmentation Threshold—Zero (0) if Radio Resource Management (RRM) is disabled.
MAC Operation Parameters
•
Configuration Type—Automatic or Custom.
•
RTS Threshold—This attribute indicates the number of octets in an MPDU, below which an
RTS/CTS handshake is not performed.
An RTS/CTS handshake is performed at the beginning of any frame exchange sequence where the
MPDU is a Data or Management type, the MPDU has an individual address in the Address1 field,
and the length of the MPDU is greater than this threshold. Setting this attribute to be larger than the
maximum MSDU size turns off the RTS/CTS handshake for Data or Management type frames
transmitted by this STA. Setting this attribute to zero turns on the RTS/CTS handshake for all frames
of Data or Management type transmitted by this STA. The default value of this attribute shall be
2347.
•
Short Retry Limit—The maximum number of transmission attempts of a frame, the length of which
is less than or equal to dot11RTSThreshold, that shall be made before a failure condition is
indicated. The default value of this attribute is 7.
•
Long Retry Limit—The maximum number of transmission attempts of a frame, the length of which
is greater than dot11RTSThreshold, that shall be made before a failure condition is indicated. The
default value of this attribute shall be 4.
•
Fragmentation Threshold—The current maximum size, in octets, of the MPDU that might be
delivered to the PHY. An MSDU shall be broken into fragments if its size exceeds the value of this
attribute after adding MAC headers and trailers. An MSDU or MMPDU shall be fragmented when
the resulting frame has an individual address in the Address1 field, and the length of the frame is
larger than this threshold. The default value for this attribute shall be the lesser of 2346 or the
aMPDUMaxLength of the attached PHY and shall never exceed the lesser of 2346 or the
aMPDUMaxLength of the attached PHY. The value of this attribute shall never be less than 256.
•
Max Tx MSDU Lifetime—The elapsed time in TU, after the initial transmission of an MSDU, after
which further attempts to transmit the MSDU shall be terminated. The default value of this attribute
is 512.
•
Max Rx Lifetime—The MaxReceiveLifetime shall be the elapsed time in TU, after the initial
reception of a fragmented MMPDU or MSDU, after which further attempts to reassemble the
MMPDU or MSDU shall be terminated. The default value is 512.
Tx Power
•
# Supported Power Levels—Five or fewer power levels, depending on operator preference.
•
Tx Power Level x—Access point transmit power level: 1 = Maximum power allowed per Country
Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25%
power.
Note
The power levels and available channels are defined by the Country Code setting, and are
regulated on a country by country basis.
•
Tx Power Configuration—Globally controlled or customized for this access point (Custom or
Global).
•
Current Tx Power Level—Displays the operating transmit power level from the transmit power
table.
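The RTS threshold, retry limit and fragmentation threshold rules listed under MAC Operation Parameters above, applied to sample frames. This is an added example in Python, not code from Cisco or from the guide. The 24-octet header and 4-octet FCS, and the names `MacOperationParameters`, `MpduPlan` and `plan_transmission`, are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import ceil

# Assumptions (not from the guide): a 24-octet three-address MAC header and a
# 4-octet FCS, with no QoS, HT or encryption fields added to the frame.
MAC_HEADER_LEN = 24
FCS_LEN = 4
OVERHEAD = MAC_HEADER_LEN + FCS_LEN


@dataclass(frozen=True)
class MacOperationParameters:
    """Hypothetical container; defaults are the values the guide lists."""
    rts_threshold: int = 2347
    short_retry_limit: int = 7
    long_retry_limit: int = 4
    fragmentation_threshold: int = 2346

    def __post_init__(self):
        # The guide bounds the fragmentation threshold to 256..2346 octets.
        if not 256 <= self.fragmentation_threshold <= 2346:
            raise ValueError("fragmentation threshold must be 256..2346 octets")
        if self.rts_threshold < 0:
            raise ValueError("RTS threshold cannot be negative")


@dataclass(frozen=True)
class MpduPlan:
    length: int        # MPDU length in octets, header and FCS included
    rts_cts: bool      # True when an RTS/CTS handshake precedes the MPDU
    retry_limit: int   # maximum transmission attempts for this MPDU


def plan_transmission(params, msdu_len, frame_type="data", individual_address=True):
    """Return one MpduPlan per MPDU needed to carry an MSDU of msdu_len octets."""
    if msdu_len < 0:
        raise ValueError("MSDU length cannot be negative")

    frame_len = msdu_len + OVERHEAD
    # Fragment only individually addressed frames that exceed the threshold
    # once the MAC header and trailer are added.
    if individual_address and frame_len > params.fragmentation_threshold:
        payload = params.fragmentation_threshold - OVERHEAD
        count = ceil(msdu_len / payload)
        sizes = [payload] * (count - 1) + [msdu_len - payload * (count - 1)]
    else:
        sizes = [msdu_len]

    plans = []
    for size in sizes:
        mpdu_len = size + OVERHEAD
        # RTS/CTS: Data or Management type, individual Address1, and a length
        # greater than the RTS threshold.
        rts_cts = (
            frame_type in ("data", "management")
            and individual_address
            and mpdu_len > params.rts_threshold
        )
        # Short limit for frames at or below the RTS threshold, long limit above,
        # chosen by length alone as the guide defines the two limits.
        if mpdu_len <= params.rts_threshold:
            retry_limit = params.short_retry_limit
        else:
            retry_limit = params.long_retry_limit
        plans.append(MpduPlan(mpdu_len, rts_cts, retry_limit))
    return plans


if __name__ == "__main__":
    defaults = MacOperationParameters()
    tuned = MacOperationParameters(rts_threshold=600, fragmentation_threshold=1000)
    for label, params in (("defaults", defaults), ("tuned", tuned)):
        for plan in plan_transmission(params, 1500):
            print(label, plan)
```

With the default thresholds, no MPDU can exceed 2347 octets, so the handshake never runs; lowering the RTS threshold below the fragmentation threshold makes full-size fragments use RTS/CTS and the long retry limit while a short final fragment does not.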
Monitoring 802.11 MAC Counters
To view 802.11 MAC Counters for an access point radio, follow these steps:
Step 1
Choose Monitor > Access Points, click the radio for the applicable access point.
Step 2
From the View drop-down list, choose 802.11 MAC Counters.
Step 3
Click Go.
This page enables you to view 802.11 MAC Counter information for a single 802.11a or 802.11b Cisco
Radio.
General
•
AP Name—Click to view the access point details. See the “Monitoring Access Points Details”
section on page 5-58 for more information.
•
AP MAC Address
•
Radio
•
Admin Status—Enabled or disabled.
•
Operational Status—Displays the operational status of the Cisco Radios (Up or Down).
•
Controller—Click to display controller system details. See the “Monitoring System Summary”
section on page 5-4 for more information.
•
Channel—The channel upon which the Cisco Radio is broadcasting.
•
Extension Channel—Indicates the secondary channel on which Cisco radio is broadcasting.
•
Channel Width—Indicates the channel bandwidth for this radio interface. See the “Configuring
802.11a/n RRM Dynamic Channel Allocation” section on page 9-403 for more information on
configuring channel bandwidth.
Note
Minimum (default) setting is 20 MHz. Maximum setting is the maximum channel width
supported by this radio.
•
Power Level—Access Point transmit power level: 1 = Maximum power allowed per Country Code
setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power.
The power levels and available channels are defined by the Country Code setting, and are regulated
on a country by country basis.
•
Port—(1 to 24) Port to which the access point is connected.
•
Map Location—Click to display the floor map showing the access point location.
RF Counters
•
Tx Fragment Count—This counter is incremented for each successfully received MPDU Data or
Management type.
•
Multicast Tx Frame Count—This counter increments only when the multicast bit is set in the
destination MAC address of a successfully transmitted MSDU. When operating as a STA in an ESS,
where these frames are directed to the access point, this implies having received an acknowledgment
to all associated MPDUs.
•
Tx Failed Count—This counter increments when an MSDU is successfully transmitted after one or
more retransmissions.
•
Retry Count—This counter increments when an MSDU is successfully transmitted after one or more
retransmissions.
•
Multiple Retry Count—This counter increments when an MSDU is successfully transmitted after
more than one retransmission.
•
Frame Duplicate Count—This counter increments when a frame is received that the Sequence
Control field indicates is a duplicate.
•
RTS Success Count—This counter increments when a CTS is received in response to an RTS.
•
RTS Failure Count—This counter increments when a CTS is not received in response to an RTS.
•
ACK Failure Count—This counter increments when an ACK is not received when expected.
•
Rx Fragment Count—The total number of packets received that were less than 64 octets in length
(excluding framing bits but including FCS octets).
•
Multicast Rx Framed Count—This counter increments when an MSDU is received with the multicast
bit set in the destination MAC address.
•
FCS Error Count—This counter increments when an FCS error is detected in a received MPDU.
•
Tx Frame Count—This counter increments for each successfully transmitted MSDU.
•
WEP Undecryptable Count—This counter increments when a frame is received with the WEP
subfield of the Frame Control field set to one and the WEP On value for the key mapped to the AT
MAC address indicates that the frame should not have been encrypted or that frame is discarded due
to the receiving STA not implementing the privacy option.
Monitoring View Alarms
To access the View Alarms page from the Monitor Access Points page, follow these steps:
Note
When the AP is disassociated, in the Monitor > Access Points page, the radio status has a critical
status. There is only one alarm, AP disassociated. This is because radio alarms are correlated to
AP disassociated alarm.
Note
When the controller goes down, the controller inventory dashlet shows the controller status as
critical. But the radio inventory dashlet retains the last known status. In the Monitor > Access
Point page, the AP alarm status is shown as "Unknown".
Step 1
Choose Monitor > Access Points.
Step 2
Select the Radio Type in the Radio Type column of the applicable access point.
Step 3
From the View drop-down list, choose View Alarms.
Step 4
Click Go.
For more information on Viewing Alarms, see the “Monitoring Alarms” section on page 5-128.
Monitor View Events
To access the View Events page from the Monitor Access Points page, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the Radio Type in the Radio Type column of the applicable access point.
Step 3
From the View drop-down list, select View Events.
Step 4
Click Go.
For more information on viewing events, see the “Monitoring Events” section on page 5-143.
Monitoring Third-Party Access Points
Prime Infrastructure supports the monitoring of certain third-party access points.
For third-party access points, the following parameters are monitored:
•
Current configuration of SSID
•
Encryption
•
Mode
•
Status
•
Current Channel
•
Ageout
•
Tx-Power
•
MTU
•
RTS Threshold
•
Location
•
Retry Limit
•
Hide SSID
•
Preamble
•
Deny Broadcast
•
Beacon Interval
•
BG mode
•
Power management
•
Radio Chipset
•
Load balance
•
Regulatory Domain
•
Rates
•
Country Code
•
DTIM Period
•
Tx Rates
•
LMS address
To view third-party access point details, follow these steps:
Step 1
Choose Monitor > Third Party Access Points.
Step 2
In the Third-Party Access Point page, click the access point’s name. The information appears on the
General tab.
Monitoring Mesh Access Points
Mesh Health monitors the overall health of Cisco Aironet 1500 and 1520 series outdoor access points as
well as Cisco Aironet 1130 and 1240 series indoor access points when configured as mesh access points,
except as noted. Tracking this environmental information is particularly critical for access points that are
deployed outdoors. The following factors are monitored:
•
Temperature: Displays the internal temperature of the access point in Fahrenheit and Celsius (Cisco
Aironet 1510 and 1520 outdoor access points only).
•
Heater status: Displays the heater as on or off (Cisco Aironet 1510 and 1520 outdoor access points
only).
•
AP Up time: Displays how long the access point has been active to receive and transmit.
•
LWAPP Join Taken Time: Displays how long it took to establish the LWAPP connection (excluding
Cisco Aironet 1505 access points).
•
LWAPP Up Time: Displays how long the LWAPP connection has been active (excluding Cisco
Aironet 1505 access points).
Mesh Health information is displayed in the General Properties page for mesh access points.
Note
The wIPS mode is not supported in the Cisco Aironet 1500 series mesh access points.
To view the mesh health details for a specific mesh access point, follow these steps:
Step 1
Choose Monitor > Access Points. A listing of radios belonging to access points appears.
Note
The radio status (not an access point status) is displayed when you choose Monitor > Access
Points. The given status is updated frequently from traps and wireless status polling and takes
several minutes to reflect actual radio status. The overall status of an access point can be found
by viewing the access point on a map.
Note
You can also use the New Search button to display the mesh access point summary. With the New
Search option, you can further define the criteria of the access points that appear. Search criteria
include AP Type, AP Mode, Radio Type, and 802.11n Support.
Step 2
Click the AP Name link to display details for that mesh access point. The General tab for that mesh
access point appears.
Note
You can also access the General tab for a mesh access point from a Prime Infrastructure map
page. To display the page, double-click the mesh access point label. A tabbed page appears and
displays the General tab for the selected access point.
To add, remove, or reorder columns in the table, click the Edit View link in the Monitor > Access Points
page.
Mesh Statistics Tab
Mesh Statistics are reported when a child mesh access point authenticates or associates with a parent
mesh access point.
Security entries are removed and no longer displayed when the child mesh access point disassociates
from the controller.
The following mesh security statistics are displayed for mesh access points:
•
Bridging
•
Queue
•
Security
To view the mesh statistics for a specific mesh access point, follow these steps:
Step 1
Choose Monitor > Access Points. A listing of radios belonging to access points appears.
Note
The radio status (not an access point status) is displayed when you choose Monitor > Access
Points. The given status is updated frequently from traps and wireless status polling and takes
several minutes to reflect actual radio status. The overall status of an access point can be found
by viewing the access point on a map.
Note
You can also use the New Search button to display the access point summary. With the New
Search option, you can further define the criteria of the access points that display. Search criteria
include AP Name, IP address, MAC address, Controller IP or Name, Radio type, and Outdoor
area.
Step 2
Click the AP Name link of the target mesh access point.
A tabbed page appears and displays the General Properties page for the selected access point.
Step 3
Click the Mesh Statistics tab. A three-tabbed Mesh Statistics page appears.
Note
The Mesh Statistics tab and its subordinate tabs (Bridging, Queue and Security) only appear for
mesh access points. The Mesh Link Alarms and Mesh Link Events links are accessible from each
of the three tabbed panels. You can click these links to view the relevant alarms and events.
Note
You can also access the Mesh Securities page for a mesh access point from a Prime Infrastructure
map. To display the page, double-click the mesh access point label.
Summaries of the Bridging, Queue and Security Statistics and their definitions are provided in
Table 5-56, Table 5-57 and Table 5-58 respectively.
Table 5-56 Bridging Mesh Statistics
| Field | Description |
| --- | --- |
| Role | The role of the mesh access point. Options are mesh access point (MAP) and root access point (RAP). |
| Bridge Group Name | The name of the bridge group to which the MAP or RAP is a member. We recommend assigning membership in a bridge group name. If one is not assigned, a MAP is by default assigned to a default bridge group name. |
| Backhaul Interface | The radio backhaul for the mesh access point. |
| Routing State | The state of parent selection. Values that display are seek, scan and maint. Maint appears when parent selection is complete. |
| Malformed Neighbor Packets | The number of malformed packets received from the neighbor. Examples of malformed packets include malicious floods of traffic such as malformed or short DNS packets and malformed DNS replies. |
| Poor Neighbor SNR | The number of times the signal-to-noise ratio falls below 12 dB on the backhaul link. |
| Excluded Packets | The number of packets received from excluded neighbor mesh access points. |
| Insufficient Memory | The number of insufficient memory conditions. |
| RX Neighbor Requests | The number of broadcast and unicast requests received from the neighbor mesh access points. |
| RX Neighbor Responses | The number of responses received from the neighbor mesh access points. |
| TX Neighbor Requests | The number of unicast and broadcast requests sent to the neighbor mesh access points. |
| TX Neighbor Responses | The number of responses sent to the neighbor mesh access points. |
| Parent Changes | The number of times a mesh access point (child) moves to another parent. |
| Neighbor Timeouts | The number of neighbor timeouts. |
| Node Hops | The number of hops between the MAP and the RAP. Click the value link to display a dialog box which enables you to configure details of what is reported, how often the node hop value is updated, and view a graphical representation of the report. |
Table 5-57 Queue Mesh Statistics
| Field | Description |
| --- | --- |
| Silver Queue | The average and peak number of packets waiting in the silver (best effort) queue during the defined statistics time interval. Packets dropped and queue size are also summarized. |
| Gold Queue | The average and peak number of packets waiting in the gold (video) queue during the defined statistics time interval. Packets dropped and queue size are also summarized. |
| Platinum Queue | The average and peak number of packets waiting in the platinum (voice) queue during the defined statistics time interval. Packets dropped and queue size are also summarized. |
| Bronze Queue | The average and peak number of packets waiting in the bronze (background) queue during the defined statistics time interval. Packets dropped and queue size are also summarized. |
| Management Queue | The average and peak number of packets waiting in the management queue during the defined statistics time interval. Packets dropped and queue size are also summarized. |
Table 5-58 Security Mesh Statistics
| Field | Description |
| --- | --- |
| Packets Transmitted | Summarizes the total number of packets transmitted during security negotiations by the selected mesh access point. |
| Packets Received | Summarizes the total number of packets received during security negotiations by the selected mesh access point. |
| Association Request Failures | Summarizes the total number of association request failures that occur between the selected mesh access point and its parent. |
| Association Request Timeouts | Summarizes the total number of association request timeouts that occur between the selected mesh access point and its parent. |
| Association Request Success | Summarizes the total number of successful association requests that occur between the selected mesh access point and its parent. |
| Authentication Request Failures | Summarizes the total number of failed authentication requests that occur between the selected mesh access point and its parent. |
| Authentication Request Timeouts | Summarizes the total number of authentication request timeouts that occur between the selected mesh access point and its parent. |
| Authentication Request Success | Summarizes the total number of successful authentication requests between the selected mesh access point and its parent mesh node. |
| Reassociation Request Failures | Summarizes the total number of failed reassociation requests between the selected mesh access point and its parent. |
| Reassociation Request Timeouts | Summarizes the total number of reassociation request timeouts between the selected mesh access point and its parent. |
| Reassociation Request Success | Summarizes the total number of successful reassociation requests between the selected mesh access point and its parent. |
| Reauthentication Request Failures | Summarizes the total number of failed reauthentication requests between the selected mesh access point and its parent. |
| Reauthentication Request Timeouts | Summarizes the total number of reauthentication request timeouts that occurred between the selected mesh access point and its parent. |
| Reauthentication Request Success | Summarizes the total number of successful reauthentication requests that occurred between the selected mesh access point and its parent. |
| Invalid Association Request | Summarizes the total number of invalid association requests received by the parent mesh access point from the selected child mesh access point. This state might occur when the selected child is a valid neighbor but is not in a state that allows association. |
| Unknown Association Requests | Summarizes the total number of unknown association requests received by the parent mesh access point from its child. The unknown association requests often occur when a child is an unknown neighbor mesh access point. |
| Invalid Reassociation Request | Summarizes the total number of invalid reassociation requests received by the parent mesh access point from a child. This might happen when a child is a valid neighbor but is not in a proper state for reassociation. |
| Unknown Reassociation Request | Summarizes the total number of unknown reassociation requests received by the parent mesh access point from a child. This might happen when a child mesh access point is an unknown neighbor. |
| Invalid Reauthentication Request | Summarizes the total number of invalid reauthentication requests that occurred between the selected mesh access point and its parent. This state might occur when the selected mesh access point is a valid neighbor but is not in a state that allows reauthentication. |
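The Security tab counters of Table 5-58 are cumulative, so what matters to an operator is the change between two readings. The following is an added example, not part of the Cisco guide or of Prime Infrastructure: it compares two snapshots of one mesh link, keyed by the table's field names, and reports growth in the unknown/invalid request counters and a high failure share. The snapshot dictionaries, the function names, the 0.5 ratio threshold and the treatment of a lower value as a restarted entry are assumptions.

```python
# Table 5-58 counters that indicate a peer the parent does not know or that is out of state.
SUSPECT = ("Unknown Association Requests", "Unknown Reassociation Request",
           "Invalid Association Request", "Invalid Reassociation Request",
           "Invalid Reauthentication Request")
FAILURES = ("Association Request Failures", "Authentication Request Failures",
            "Reassociation Request Failures", "Reauthentication Request Failures")
SUCCESSES = ("Association Request Success", "Authentication Request Success",
             "Reassociation Request Success", "Reauthentication Request Success")


def delta(prev, curr, name):
    """Increase of a cumulative counter between two snapshots.

    Assumption: a current value below the previous one means the entry was
    removed and recreated, so the current value is itself the increase.
    """
    before, now = prev.get(name, 0), curr.get(name, 0)
    return now if now < before else now - before


def review_link(prev, curr, max_failure_ratio=0.5):
    """Return a list of findings for one child/parent link (empty list = nothing to report)."""
    if curr is None:
        # The guide states that security entries disappear when the child disassociates.
        return ["entry removed: child disassociated from the controller"]
    prev = prev or {}
    findings = []
    for name in SUSPECT:
        grown = delta(prev, curr, name)
        if grown > 0:
            findings.append(f"{name}: +{grown}")
    failed = sum(delta(prev, curr, n) for n in FAILURES)
    ok = sum(delta(prev, curr, n) for n in SUCCESSES)
    if failed and failed / (failed + ok) > max_failure_ratio:
        findings.append(f"failure ratio {failed}/{failed + ok}")
    return findings


if __name__ == "__main__":
    # Constructed sample snapshots, as if transcribed from the Security tab on two polls.
    earlier = {"Unknown Association Requests": 3,
               "Authentication Request Failures": 1,
               "Authentication Request Success": 10}
    later = {"Unknown Association Requests": 7,
             "Authentication Request Failures": 6,
             "Authentication Request Success": 11}
    for line in review_link(earlier, later):
        print(line)
```
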
Mesh Links Tab
Table 5-59 lists the Mesh Links tab fields.
Note
This tab is visible only for mesh access points. You can click the Mesh Link Alarms and Mesh
Link Events links to view the relevant alarms and events.
Table 5-59 Mesh Links Tab Fields
| Field | Description |
| --- | --- |
| Type | The type of the access point. |
| AP Name | The name assigned to the access point. |
| AP MAC Address | The MAC address of the access point. |
| PER | The Packet Error Rate measured from the total packets that are transmitted in the link test. |
| Link Detail | Click to view the details of the mesh link alarms, mesh link events, and link metrics. |
| Link Test | The test used to measure the air link quality between the AP and the neighbor AP. |
| Channel | The channel number of the mesh access point. |
| Link SNR (dB) | The air link SNR measured between the AP and the neighbor AP. |
| SNR Down | The Signal Noise Ratio measured on the air link from the AP to the neighbor AP. |
| SNR Up | The Signal Noise Ratio measured on the air link from the neighbor AP to the AP. |
Click the Edit View link to add, remove or reorder columns in the Mesh Links table. See the
“Configuring the List of Access Points Display” section on page 5-47 for adding a new field using the
Edit View.
Retrieving the Unique Device Identifier on Controllers and Access Points
The unique device identifier (UDI) standard uniquely identifies products across all Cisco hardware
product families, enabling customers to identify and track Cisco products throughout their business and
network operations and to automate their asset management systems. The standard is consistent across
all electronic, physical, and standard business communications. The UDI consists of five data elements:
•
The orderable product identifier (PID)
•
The version of the product identifier (VID)
•
The serial number (SN)
•
The entity name
•
The product description
The UDI is burned into the EEPROM of controllers and lightweight access points at the factory and can
be retrieved through the GUI.
To retrieve the UDI on controllers and access points, perform the following steps:
Step 1
Choose Monitor > Controllers/Access Points. The Controllers/Access Points page appears.
Step 2
Click the IP address of the controller/access point whose UDI information you want to retrieve. Data
elements of the controller/access point UDI display. These elements are described in Table 5-60.
Table 5-60 Maximum Number of Crypto Cards That can be Installed on a Cisco Wireless LAN Controller
| Type of Controller | Maximum Number of Crypto Cards |
| --- | --- |
| Cisco 2000 Series | None |
| Cisco 4100 Series | One |
| Cisco 4400 Series | Two |
Monitoring Coverage Holes
Coverage holes are areas where clients cannot receive a signal from the wireless network. The Cisco
Unified Network Solution radio resource management (RRM) identifies these coverage hole areas and
reports them to Prime Infrastructure, enabling the IT manager to fill holes based on user demand.
Prime Infrastructure is informed about the reliability-detected coverage holes by the controllers. Prime
Infrastructure alerts the user about these coverage holes. For more information on finding coverage
holes, refer to Cisco Context-Aware Services documentation at this location:
http://www.cisco.com/en/US/docs/wireless/mse/3350/5.2/CAS/configuration/guide/msecg_ch7_CAS.html
Note
Coverage holes are displayed as alarms. Pre-coverage holes are displayed as events.
Monitoring Pre-Coverage Holes
To view pre-coverage hole events, perform these steps:
Step 1
Choose Monitor > Events to display all current events.
Step 2
To view pre-coverage hole events only, click the Advanced Search link.
Step 3
In the New Search page, change the Search Category drop-down to Events.
Step 4
From the Event Category drop-down list, choose Pre Coverage Hole, and click Go.
The Pre-Coverage Hole Events page provides the information described in Table 5-61.
Table 5-61 Pre-Coverage Hole Fields
| Field | Description |
| --- | --- |
| Severity | Pre-coverage hole events are always considered informational (Info). |
| Client MAC Address | MAC address of the client affected by the pre-coverage hole. |
| AP MAC Address | MAC address of the applicable access point. |
| AP Name | The name of the applicable access point. |
| Radio Type | The radio type (802.11b/g or 802.11a) of the applicable access point. |
| Power Level | Access point transmit power level: 1 = Maximum power allowed per country code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power. |
| Client Type | Client type can be any of the following: laptop(0), pc(1), pda(2), dot11mobilephone(3), dualmodephone(4), wgb(5), scanner(6), tabletpc(7), printer(8), projector(9), videoconfsystem(10), camera(11), gamingsystem(12), dot11deskphone(13), cashregister(14), radiotag(15), rfidsensor(16), server(17) |
| WLAN Coverage Hole Status | Determines if the current coverage hole state is enabled or disabled. |
| WLAN | The name for this WLAN. |
| Date/Time | The date and time the event occurred. Click the title to toggle between ascending and descending order. |
Step 5
Choose a Client MAC Address to view pre-coverage hole details.
•
General—Provides the following information:
– Client MAC Address
– AP MAC Address
– AP Name
– Radio Type
– Power Level
– Client Type
– Category
– Created
– Generated By
– Device AP Address
– Severity
•
Neighbor AP’s—Indicates the MAC addresses of nearby access points, their RSSI values, and their
radio types.
•
Message—Describes what device reported the pre-coverage hole and on which controller it was
detected.
•
Help—Provides additional information, if available, for handling the event.
Monitoring Rogue Access Points
This section describes security solutions for rogue devices. A rogue device is an unknown access point
or client that is detected by managed access points in your network.
Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using
plain-text or other denial of service or man-in-the-middle attacks. That is, a hacker can use a rogue
access point to capture sensitive information, such as usernames and passwords. The hacker can then
transmit a series of clear-to-send (CTS) frames. This action mimics an access point informing a
particular client to transmit and instructing all others to wait, which results in legitimate clients being
unable to access network resources. Therefore, wireless LAN service providers have a strong interest in
banning rogue access points from the air space.
Because rogue access points are inexpensive and readily available, employees sometimes plug
unauthorized rogue access points into existing LANs and build ad-hoc wireless networks without IT
department knowledge or consent. These rogue access points can be a serious breach of network security
as they can be plugged into a network port behind the corporate firewall. Because employees generally
do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the
access point to intercept network traffic and hijack client sessions. Even more alarming, wireless users
frequently publish insecure access point locations, increasing the odds of having enterprise security
breached.
Detecting Rogue Devices
The controllers continuously monitor all nearby access points and automatically discover and collect
information on rogue access points and clients. When a controller discovers a rogue access point, it uses
the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your network.
Note
Prime Infrastructure consolidates all of the controllers' rogue access point data.
You can configure controllers to use RLDP on all access points or only on access points configured for
monitor (listen-only) mode. The latter option facilitates automated rogue access point detection in a
crowded RF space, allowing monitoring without creating unnecessary interference and without affecting
regular data access point functionality. If you configure a controller to use RLDP on all access points,
the controller always chooses the monitor access point for RLDP operation if a monitor access point and
a local (data) access point are both nearby. If RLDP determines that the rogue is on your network, you
can choose to either manually or automatically contain the detected rogue. See the “Configuring Rogue
Policies” section on page 9-384 for information on enabling RLDP.
Note
Rogue access point partitions are associated with one of the detecting access points (the one with the
latest or strongest RSSI value). If there is detecting access point information, the Prime Infrastructure
uses the detecting controller. If the rogue access point is detected by two controllers which are in
different partitions, the rogue access point partition might be changed at any time.
This section contains the following topics:
•
Monitoring Rogue AP Alarms
•
Viewing Rogue AP Alarm Details
•
Viewing Rogue Client Details
•
Viewing Rogue AP History Details
•
Viewing Rogue AP Event History Details
•
Monitoring Ad hoc Rogue Alarms
Classifying Rogue Access Points
Classification and reporting of rogue access points occurs through the use of rogue states and
user-defined classification rules that enable rogues to automatically move between states. You can create
rules that enable the controller to organize and display rogue access points as Friendly, Malicious, or
Unclassified.
Note
Prime Infrastructure consolidates all of the controllers' rogue access point data.
By default, none of the classification rules are enabled. Therefore, all unknown access points are
categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the
unclassified access points are reclassified. Whenever you change a rule, it is applied to all access points
(friendly, malicious, and unclassified) in the Alert state only.
Note
Rule-based rogue classification does not apply to ad-hoc rogues and rogue clients.
Note
The 5500 series controllers support up to 2000 rogues (including acknowledged rogues); the 4400 series
controllers, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch support up to
625 rogues; and the 2100 series controllers and Controller Network Module for Integrated Services
Routers support up to 125 rogues. Each controller limits the number of rogue containments to three per
radio (or six per radio for access points in monitor mode).
When the controller receives a rogue report from one of its managed access points, it responds as
follows:
1.
The controller checks whether the unknown access point is in the friendly MAC address list. If it is, the
controller classifies the access point as Friendly.
2.
If the unknown access point is not in the friendly MAC address list, the controller starts applying
rogue classification rules.
3.
If the rogue is already classified as Malicious, Alert or Friendly, Internal or External, the controller
does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it
automatically only if the rogue is in the Alert state.
4.
The controller applies the first rule based on priority. If the rogue access point matches the criteria
specified by the rule, the controller classifies the rogue according to the classification type
configured for the rule.
5.
If the rogue access point does not match any of the configured rules, the controller classifies the
rogue as Unclassified.
6.
The controller repeats the previous steps for all rogue access points.
7.
If RLDP determines that the rogue access point is on the network, the controller marks the rogue
state as Threat and classifies it as Malicious automatically, even if no rules are configured. You can
then manually contain the rogue (unless you have configured RLDP to automatically contain the
rogue), which would change the rogue state to Contained. If the rogue access point is not on the
network, the controller marks the rogue state as Alert, and you can manually contain the rogue.
8.
If desired, you can manually move the access point to a different classification type and rogue state.
As mentioned previously, the controller can automatically change the classification type and rogue state
of an unknown access point based on user-defined rules, or you can manually move the unknown access
point to a different classification type and rogue state. Table 5-62 shows the allowable classification
types and rogue states from and to which an unknown access point can be configured.
Table 5-62 Allowable Classification Type and Rogue State Transitions
| From | To |
| --- | --- |
| Friendly (Internal, External, Alert) | Malicious (Alert) |
| Friendly (Internal, External, Alert) | Unclassified (Alert) |
| Friendly (Alert) | Friendly (Internal, External) |
| Malicious (Alert, Threat) | Friendly (Internal, External) |
| Malicious (Contained, Contained Pending) | Malicious (Alert) |
| Unclassified (Alert, Threat) | Friendly (Internal, External) |
| Unclassified (Contained, Contained Pending) | Unclassified (Alert) |
| Unclassified (Alert) | Malicious (Alert) |
If the rogue state is Contained, you have to uncontain the rogue access point before you can change the
classification type. If you want to move a rogue access point from Malicious to Unclassified, you must
delete the access point and allow the controller to reclassify it.
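The classification flow (steps 1 to 8) and the transition constraints of Table 5-62, modelled as an added example that is not Cisco controller code. The `Rogue` and `Rule` types, the rule conditions, the assumption that a lower priority number is applied first, and the assumption that the RLDP result is applied only to rogues that reach the rule stage are all illustrative choices that follow the step order given above.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

FRIENDLY, MALICIOUS, UNCLASSIFIED = "Friendly", "Malicious", "Unclassified"


@dataclass
class Rogue:
    mac: str
    attrs: dict = field(default_factory=dict)  # constructed observation fields
    classification: Optional[str] = None       # None = newly reported
    state: str = "Alert"


@dataclass
class Rule:
    priority: int                     # assumption: lower number is applied first
    classify_as: str
    matches: Callable[[Rogue], bool]  # hypothetical rule condition
    enabled: bool = True


# Step 3: these (classification, state) pairs are never reclassified automatically.
LOCKED = {(MALICIOUS, "Alert"), (FRIENDLY, "Internal"), (FRIENDLY, "External")}

# Table 5-62: (from classification, from states, to classification, to states).
TRANSITIONS = [
    (FRIENDLY, {"Internal", "External", "Alert"}, MALICIOUS, {"Alert"}),
    (FRIENDLY, {"Internal", "External", "Alert"}, UNCLASSIFIED, {"Alert"}),
    (FRIENDLY, {"Alert"}, FRIENDLY, {"Internal", "External"}),
    (MALICIOUS, {"Alert", "Threat"}, FRIENDLY, {"Internal", "External"}),
    (MALICIOUS, {"Contained", "Contained Pending"}, MALICIOUS, {"Alert"}),
    (UNCLASSIFIED, {"Alert", "Threat"}, FRIENDLY, {"Internal", "External"}),
    (UNCLASSIFIED, {"Contained", "Contained Pending"}, UNCLASSIFIED, {"Alert"}),
    (UNCLASSIFIED, {"Alert"}, MALICIOUS, {"Alert"}),
]


def classify(rogue, friendly_macs, rules, rldp_on_network=False):
    """Apply steps 1-7 to one rogue report and return the updated rogue."""
    # Steps 1-2: the friendly MAC address list is consulted before any rule.
    if rogue.mac.lower() in {m.lower() for m in friendly_macs}:
        rogue.classification = FRIENDLY
        return rogue
    # Step 3: an existing classification is kept if it is locked or not in Alert.
    if rogue.classification is not None:
        if (rogue.classification, rogue.state) in LOCKED or rogue.state != "Alert":
            return rogue
    # Steps 4-5: first matching enabled rule by priority, otherwise Unclassified.
    rogue.classification = UNCLASSIFIED
    for rule in sorted((r for r in rules if r.enabled), key=lambda r: r.priority):
        if rule.matches(rogue):
            rogue.classification = rule.classify_as
            break
    # Step 7: an on-network rogue becomes Malicious/Threat even with no rules.
    if rldp_on_network:
        rogue.classification, rogue.state = MALICIOUS, "Threat"
    else:
        rogue.state = "Alert"
    return rogue


def move_allowed(cur_class, cur_state, new_class, new_state):
    """True if Table 5-62 lists the requested manual move."""
    return any(cur_class == fc and cur_state in fs and new_class == tc and new_state in ts
               for fc, fs, tc, ts in TRANSITIONS)


def manual_move(rogue, new_class, new_state):
    """Step 8: apply an operator's move only if Table 5-62 permits it."""
    if not move_allowed(rogue.classification, rogue.state, new_class, new_state):
        raise ValueError(f"{rogue.classification} ({rogue.state}) -> "
                         f"{new_class} ({new_state}) is not an allowable transition")
    rogue.classification, rogue.state = new_class, new_state
    return rogue


if __name__ == "__main__":
    # Constructed sample data: MAC addresses, SSIDs and RSSI values are made up.
    friendly = {"02:00:00:00:00:0A"}
    rules = [Rule(2, FRIENDLY, lambda r: r.attrs.get("rssi", 0) < -80),
             Rule(1, MALICIOUS, lambda r: r.attrs.get("ssid") == "corp")]
    for rogue in (Rogue("02:00:00:00:00:0a", {"ssid": "corp"}),
                  Rogue("02:00:00:00:00:01", {"ssid": "corp", "rssi": -90}),
                  Rogue("02:00:00:00:00:02", {"ssid": "other", "rssi": -50})):
        done = classify(rogue, friendly, rules)
        print(done.mac, done.classification, done.state)
    print(move_allowed(MALICIOUS, "Contained", FRIENDLY, "Internal"))
```

The last line prints `False`: a contained rogue has to be returned to Malicious (Alert) before its classification type can change, which is the uncontain-first requirement stated above.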
Rogue access point classification types include:
•
Malicious—Detected but untrusted or unknown access points with a malicious intent within the
system. They also refer to access points that fit the user-defined malicious rules or have been
manually moved from the friendly access point classification. See the “Malicious Rogue APs”
section on page 5-94 for more information.
•
Friendly—Known, acknowledged, or trusted access points. They also refer to access points that fit
the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained.
See the “Friendly Rogue APs” section on page 5-94 for more information. For more information on
configuring friendly access point rules, see the “Configuring a Friendly Access Point Template”
section on page 11-628.
•
Unclassified—Rogue access points that are not classified as either malicious or friendly. These
access points can be contained and can be moved manually to the friendly rogue access point list.
See the “Unclassified Rogue APs” section on page 5-95 for more information.
Malicious Rogue APs
Malicious rogue access points are detected but untrusted or unknown access points with a malicious
intent within the system. They also refer to access points that fit the user-defined malicious rules or have
been manually moved from the friendly access point classification.
The Security dashboard of the Prime Infrastructure home page displays the number of malicious rogue
access points for each applicable state for the past hour, the past 24 hours, and the total number of active
malicious rogue access points.
Malicious rogue access point states include:
•
Alert—Indicates that the access point is not on the neighbor list or part of the user-configured
Friendly AP list.
•
Contained—The unknown access point is contained.
•
Threat—The unknown access point is found to be on the network and poses a threat to WLAN
security.
•
Contained Pending—Indicates that the containment action is delayed due to unavailable resources.
•
Removed—This unknown access point was seen earlier but is not seen now.
Click an underlined number in any of the time period categories for detailed information regarding the
malicious rogue access points. See the “Monitoring Rogue Access Points” section on page 5-91 for more
information.
Friendly Rogue APs
Friendly rogue access points are known, acknowledged or trusted access points. They also refer to access
points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be
contained.
Note
Only Prime Infrastructure users can add a rogue access point MAC address to the Friendly AP list.
The Prime Infrastructure does not apply the Friendly AP MAC address to controllers.
The Security dashboard of the Prime Infrastructure home page displays the number of friendly rogue
access points for each applicable state for the past hour, the past 24 hours, and the total number of active
friendly rogue access points.
Friendly rogue access point states include the following:
•
Internal—If the unknown access point is inside the network and poses no threat to WLAN security, you
would manually configure it as Friendly, Internal. For example, the access points in your lab network.
•
External—If the unknown access point is outside the network and poses no threat to WLAN security,
you would manually configure it as Friendly, External. For example, the access points belonging to a
neighboring coffee shop.
•
Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly
AP list.
Click an underlined number in any of the time period categories for detailed information regarding the
friendly rogue access points. See the “Monitoring Rogue Access Points” section on page 5-91 for more
information.
To delete a rogue access point from the Friendly AP list, ensure that both the Prime Infrastructure and
controller remove the rogue access point from the Friendly AP list. Change the rogue access point from
Friendly AP Internal or External to Unclassified or Malicious Alert.
Unclassified Rogue APs
An unclassified rogue access point refers to a rogue access point that is not classified as either malicious
or friendly. These access points can be contained and can be moved manually to the friendly rogue access
point list.
The Security dashboard of the Prime Infrastructure home page displays the number of unclassified rogue
access points for each applicable state for the past hour, the past 24 hours, and the total number of active
unclassified rogue access points.
Unclassified rogue access point states include:
•
Pending—On first detection, the unknown access point is put in the Pending state for 3 minutes. During
this time, the managed access points determine if the unknown access point is a neighbor access point.
•
Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly
AP list.
•
Contained—The unknown access point is contained.
•
Contained Pending—The unknown access point is marked Contained, but the action is delayed due to
unavailable resources.
Click an underlined number in any of the time period categories for further information. See the
“Monitoring Rogue Access Points” section on page 5-91.
Monitoring Rogue AP Alarms
Rogue access point radios are unauthorized access points detected by one or more Cisco 1000 series
lightweight access points. To open the Rogue AP Alarms page, do one of the following:
•
Search for rogue APs.
•
From the Prime Infrastructure home page, click the Security dashboard. This page displays all the
rogue access points detected in the past hour and the past 24 hours. Click the rogue access point
number to view the rogue access point alarms.
•
Click the Malicious AP number link in the Alarm Summary.
Note
If there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll
arrow on each side. Use it to view additional alarms.
Note
Rogue access point partitions are associated with one of the detecting access points (the one with the
latest or strongest RSSI value). If there is detecting access point information, the Prime Infrastructure
uses the detecting controller. If the rogue access point is detected by two controllers which are in
different partitions, the rogue access point partition might be changed at any time.
The Rogue AP Alarms page contains the following fields:
Note
When the Prime Infrastructure polls, some data might change or get updated. Because of this,
some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel,
SSID, and Radio Types) can change during the life of the rogue.
•
Severity—Indicates the severity of the alarm including the following icons:
Table 5-63 Alarm Severity Indicator Icons
Icon    Meaning
(icon)  Critical
(icon)  Major
(icon)  Minor
(icon)  Warning
(icon)  Info
(icon)  Unknown
        Note
        When the controller goes down, the controller inventory dashlet
        shows the controller status as critical, but the radio inventory
        dashlet retains the last known status. On the Monitor > AP page, the AP
        alarm status is shown as "Unknown".
(icon)  Clear—Appears if the rogue is no longer detected by any access point.
        Note
        Rogues can be detected by multiple access points. If one access point
        no longer detects the rogue but the other access point does, Clear is
        not sent.
        Note
        Once the severity of a rogue is Clear, the alarm is deleted from the
        Prime Infrastructure after 30 days.
You can use the Severity Configuration feature to determine the level of severity for the following
rogue access point alarm types:
– Rogue detected
– Rogue detected contained
– Rogue detected on network
See the “Alarm and Event Dictionary” section on page 13-713 for more information.
•
Rogue MAC Address—Indicates the MAC address of the rogue access point. See the “Viewing
Rogue AP Alarm Details” section on page 5-99.
•
Vendor—Rogue access point vendor name or Unknown.
•
Classification Type—Pending, Malicious, Friendly, or Unclassified.
•
Radio Type—Lists all radio types applicable to this rogue access point.
•
Strongest AP RSSI—Displays the strongest AP RSSI for this rogue access point across the life of
the rogue. The strongest AP RSSI over the life of the rogue displays to indicate the nearest distance
that existed between the rogue access point and your building or location. The higher the RSSI, the
closer the location.
•
No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access point.
Note
This number comes from the Prime Infrastructure database. It is updated every two hours.
From the Monitor > Alarms > Alarm Details page, this number is a real-time number. It is
updated each time you open the Alarm Details page for this rogue access point.
•
Owner—Name of person to which this alarm is assigned, or (blank).
•
Last Seen Time—Indicates the date and time that the rogue access point was last seen.
•
State—Indicates the state of the alarm. Possible states vary depending on the classification type of
rogue access point. See the “Classifying Rogue Access Points” section on page 5-92 for additional
information.
– Malicious rogue states include: Alert, Contained, Threat, Contained Pending, and Removed.
See the “Malicious Rogue APs” section on page 5-94 for more information.
– Friendly rogue states include: Internal, External, and Alert. See the “Friendly Rogue APs”
section on page 5-94 for more information.
– Unclassified rogue states include: Pending, Alert, Contained, and Contained Pending. See the
“Unclassified Rogue APs” section on page 5-95 for more information.
•
SSID—Indicates the service set identifier being broadcast by the rogue access point radio. It is blank
if the SSID is not being broadcast.
•
Map Location—Indicates the map location for this rogue access point.
•
Acknowledged—Displays whether or not the alarm is acknowledged by the user.
You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The
alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the
alarm search functionality. See the “Acknowledging Alarms” section on page 5-137 for more
information.
Note
The alarm remains in the Prime Infrastructure, and you can search for all Acknowledged
alarms using the alarm search functionality.
Caution
When you choose to contain a rogue device, the following warning appears: “There may be legal issues
following this containment. Are you sure you want to continue?” The 2.4- and 5-GHz frequencies in the
Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license.
As such, containing devices on another network could have legal consequences.
Select a command Menu
Select one or more alarms by selecting their respective check boxes, choose one of the following
commands from the Select a command drop-down list, and click Go.
•
Assign to me—Assign the selected alarm(s) to the current user.
•
Unassign—Unassign the selected alarm(s).
•
Delete—Delete the selected alarm(s).
•
Clear—Clear the selected alarm(s). Indicates that the alarm is no longer detected by any access
point.
Note
Once the severity is Clear, the alarm is deleted from the Prime Infrastructure after 30 days.
•
Acknowledge Alarm—Acknowledge the alarm to prevent it from showing up in the Alarm Summary
page. See the “Acknowledging Alarms” section on page 5-137 for more information.
Note
The alarm remains in the Prime Infrastructure and you can search for all Acknowledged
alarms using the alarm search functionality.
•
Unacknowledge Alarm—Unacknowledge an already acknowledged alarm.
•
Email Notification—Takes you to the All Alarms > Email Notification page to view and configure
email notifications. See the “Monitoring RFID Tags” section on page 5-115 for more information.
•
Severity Configuration—Allows you to change the severity level for newly-generated alarms. See
the “Alarm and Event Dictionary” section on page 13-713 for more information.
•
Detecting APs—View the Cisco 1000 Series lightweight access points that are currently detecting
the rogue access point. See the “Detecting Access Points” section on page 5-110 for more
information.
•
Map (High Resolution)—Click to display a high-resolution map of the rogue access point location.
•
Rogue Clients—Click to view a list of rogue clients associated with this rogue access point. The
Rogue Clients page displays the Client MAC Address, when it was last heard, its current status, its
controller, and the Rogue access point. See the “Viewing Rogue Client Details” section on
page 5-103 for more information. This information can also be accessed by using the Prime
Infrastructure Search feature.
•
Set State to ‘Unclassified - Alert’—Choose this command to tag the rogue access point as the lowest
threat, continue monitoring the rogue access point, and to turn off Containment. See the
“Unclassified Rogue APs” section on page 5-95 for more information on Unclassified rogues.
•
Set State to ‘Malicious - Alert’—Choose this command to tag the rogue access point as ‘Malicious’.
See the “Malicious Rogue APs” section on page 5-94 for more information on Malicious rogues.
•
Set State to ‘Friendly - Internal’—Choose this command to tag the rogue access point as internal,
add it to the Known Rogue APs list, and to turn off Containment. See the “Friendly Rogue APs”
section on page 5-94 for more information on Friendly rogues.
•
Set State to ‘Friendly - External’—Choose this command to tag the rogue access point as external,
add it to the Known Rogue APs list, and to turn off Containment. See the “Friendly Rogue APs”
section on page 5-94 for more information on Friendly rogues.
•
1 AP Containment—Target the rogue access point for containment by one access point. (Lowest
containment level.)
•
2 AP Containment—Target the rogue access point for containment by two Cisco 1000 Series
lightweight access points.
•
3 AP Containment—Target the rogue access point for containment by three Cisco 1000 Series
lightweight access points.
•
4 AP Containment—Target the rogue access point for containment by four Cisco 1000 Series
lightweight access points. (Highest containment level.)
Note
The higher the threat of the rogue access point, the higher the containment required.
Caution
Attempting to contain a rogue access point might lead to legal consequences. When you select any of
the AP Containment commands and click Go, a message “Containing a Rogue AP may have legal
consequences. Do you want to continue?” appears. Click OK if you are sure or click Cancel if you do
not wish to contain any access points.
Viewing Rogue AP Alarm Details
Rogue access point radios are unauthorized access points detected by Cisco 1000 Series lightweight
access points. Alarm event details for each rogue access point are available in the Rogue AP Alarms list
page.
To view alarm events for a rogue access point radio, click the rogue MAC address for the applicable
alarm from the Monitor > Alarms page for rogue access point alarms.
Note
All Alarm Details page fields (except No. of Rogue Clients) are populated through polling and
are updated every two hours.
The number of rogue clients is a real-time number and is updated each time you access the Alarm
Details page for a rogue access point alarm.
When a controller (version 7.4 or 7.5) sends a custom rogue AP alarm, the Prime Infrastructure shows it
as an unclassified rogue alarm. This is because the Prime Infrastructure does not support custom rogue AP
alarms.
Note
When the Prime Infrastructure polls, some data might change or get updated. Because of this,
some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel,
SSID, and Radio Types) can change during the life of the rogue.
The Alarm Details page displays the following information:
•
General
– Rogue MAC Address—MAC address of the rogue access point.
– Vendor—Rogue access point vendor name or Unknown.
Note
When a rogue access point alarm displays for Airlink, the vendor displays as Alpha
instead of Airlink.
– Rogue Type—Indicates the rogue type such as AP.
– On Network—Indicates how the rogue detection occurred.
Controller—The controller detected the rogue (Yes or No).
Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the
following: Traced but not found, Traced and found, Not traced.
– Owner—Indicates the owner or is left blank.
– Acknowledged—Indicates whether or not the alarm is acknowledged by the user.
You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The
alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms
using the alarm search functionality. See the “Acknowledging Alarms” section on page 5-137
for more information.
– Classification Type—Malicious, Friendly, or Unclassified.
– State—Indicates the state of the alarm. Possible states vary depending on the classification type
of rogue access point.
– SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID
is not broadcast.)
– Channel Number—Indicates the channel of the rogue access point.
– Containment Level—Indicates the containment level of the rogue access point or Unassigned
(not contained).
– Radio Type—Lists all radio types applicable to this rogue access point.
– Strongest AP RSSI—Displays the strongest AP RSSI for this rogue access point across the life
of the rogue. The strongest AP RSSI over the life of the rogue displays to indicate the nearest
distance that existed between the rogue access point and your building or location. The higher
the RSSI, the closer the location.
– No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access
point.
Note
The number of rogue clients is the only real-time field in the Monitor > Alarm > Alarm
Details page. It updates each time you open the Alarm Details page for this rogue access
point.
All other fields on the Alarm Details page are populated through polling and are updated
every two hours.
– First Seen Time—Indicates the date and time when the rogue access point was first detected.
This information is populated from the controller.
– Last Seen Time—Indicates the date and time when the rogue access point was last detected.
This information is populated from the controller.
– Modified—Indicates when the alarm event was modified.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
NMS (Network Management System - Prime Infrastructure)—Generated through polling.
Prime Infrastructure periodically polls the controllers and generates events. Prime
Infrastructure generates events when the traps are disabled or when the traps are lost for those
events. In this case, “Generated by” is NMS.
Trap—Generated by the controller. Prime Infrastructure processes these traps and raises
corresponding events for them. In this case, “Generated by” is Controller.
– Severity—The severity of the alarm. See Table 5-63 for the list of alarm severity indicator icons.
You can use the Severity Configuration feature to determine the level of severity for rogue
access points. See the “Alarm and Event Dictionary” section on page 13-713 for more
information.
– Previous Severity—The previous severity of the alarm: Critical, Major, Minor, Clear.
– Event Details—Click the Event History link to view the event details.
– Rogue AP History—Click the Rogue AP History link to view the Rogue Alarm details.
– Switch Port Trace Status—Indicates the switch port trace status. Switch port trace status might
include: Traced, but not found, Traced and found, Not traced, Failed.
•
Switch Port Tracing Details—Provides the most recent switch port tracing details. To view
additional trace details, click the Click here for more details link.
•
Rogue Clients—Lists rogue clients for this access point including the client MAC address, the last
date and time the client was heard, and the current client status. See the “Viewing Rogue Client
Details” section on page 5-103 for more information.
Note
The number of rogue clients is the only real-time field in the Monitor > Alarm > Alarm
Details page. It updates each time you open the Alarm Details page for this rogue access
point.
All other fields in the Alarm Details page are populated through polling and are updated
every two hours.
•
Message—Displays the most recent message regarding this rogue access point. A message is sent
for the following: when the rogue access point is first detected, for any trap sent, and for any
changed state.
•
Annotations—Lists current notes regarding this rogue access point. To add a new note, click New
Annotation. Type the note and click Post to save and display the note or Cancel to close the page
without saving the note.
•
Location Notifications—Displays the number of location notifications logged against the client.
Clicking a link displays the notifications.
•
Location—Provides location information, if available.
Note
The switch port tracing does not update any of the rogue attributes such as severity, state, and so
on. As the rogue attributes are not updated by switch port tracing, alarms would not be triggered
if a rogue is discovered to be 'on network' using switch port tracing.
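The classification states listed in this section and the switch port tracing note above can be checked mechanically against alarm records. The following Python is an added example, not Cisco code; the CSV column names, finding codes, and sample rows are constructed for illustration and are not a Prime Infrastructure export format.

```python
import csv
import io

# States each classification type can take, as listed in this section.
VALID_STATES = {
    "Malicious": {"Alert", "Contained", "Threat", "Contained Pending", "Removed"},
    "Friendly": {"Internal", "External", "Alert"},
    "Unclassified": {"Pending", "Alert", "Contained", "Contained Pending"},
}

# Constructed sample rows. Column names are assumptions for this example,
# not a Prime Infrastructure export format. MAC addresses are made up.
SAMPLE_EXPORT = """\
mac,classification,state,spt_status,strongest_rssi
02:00:00:00:00:01,Unclassified,Alert,Traced and found,-48
02:00:00:00:00:02,Malicious,Threat,Traced and found,-55
02:00:00:00:00:03,Friendly,External,Traced and found,-70
02:00:00:00:00:04,Friendly,Contained,Not traced,-80
02:00:00:00:00:05,Malicious,Contained Pending,Not traced,-60
02:00:00:00:00:06,Unclassified,Pending,"Traced, but not found",-85
"""


def normalize_spt(status):
    """The guide writes this status both with and without a comma."""
    return status.replace(",", "").strip().lower()


def check_record(rec):
    """Return the list of finding codes for one alarm record."""
    findings = []
    cls, state = rec["classification"], rec["state"]

    # A state outside the set documented for its classification
    # (for example a contained Friendly rogue) points at stale or bad data.
    if state not in VALID_STATES.get(cls, set()):
        findings.append("INVALID_STATE")

    # Switch port tracing does not update state or severity, so a rogue that
    # was traced and found on the wire can still sit in a non-Threat state
    # without any alarm having been raised for it.
    on_wire = normalize_spt(rec["spt_status"]) == "traced and found"
    if on_wire and state != "Threat":
        findings.append("ON_WIRE_STATE_NOT_UPDATED")

    # Friendly/External means "outside the network"; a positive trace
    # contradicts that manual classification.
    if on_wire and cls == "Friendly" and state == "External":
        findings.append("EXTERNAL_BUT_ON_WIRE")

    # Containment was requested but is delayed due to unavailable resources.
    if state == "Contained Pending":
        findings.append("CONTAINMENT_DELAYED")
    return findings


def triage(export_text):
    """Return [(mac, findings)] for flagged rogues, most urgent first.

    On-wire rogues sort first, then higher strongest RSSI (closer location).
    """
    flagged = []
    for rec in csv.DictReader(io.StringIO(export_text)):
        findings = check_record(rec)
        if findings:
            on_wire = "ON_WIRE_STATE_NOT_UPDATED" in findings
            flagged.append((not on_wire, -int(rec["strongest_rssi"]),
                            rec["mac"], findings))
    flagged.sort(key=lambda item: item[:3])
    return [(mac, findings) for _, _, mac, findings in flagged]


if __name__ == "__main__":
    for mac, findings in triage(SAMPLE_EXPORT):
        print(mac, ", ".join(findings))
```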
Select a command Menu
The Select a command drop-down list located in the Rogue AP Alarm Details page provides the
following options. Choose an option from the drop-down list, and click Go.
•
Assign to me—Assign the selected alarm(s) to the current user.
•
Unassign—Unassign the selected alarm(s).
•
Delete—Delete the selected alarm(s).
•
Clear—Clear the selected alarm(s).
•
Acknowledge Alarm—Acknowledge the alarm to prevent it from showing up in the Alarm Summary
page. See the “Acknowledging Alarms” section on page 5-137 for more information.
Note
The alarm remains in the Prime Infrastructure and you can search for all Acknowledged
alarms using the alarm search functionality.
•
Unacknowledge—Unacknowledge an already acknowledged alarm.
•
Trace Switch Port—Click to run a switch port trace for this rogue access point.
•
Event History—Click to view a list of events for this rogue access point. See the “Monitoring Rogue
Alarm Events” section on page 5-111 for more information.
•
Refresh from Network—Click to sync up the rogue APs from the network.
•
View Detecting AP on Network—View the Cisco 1000 Series lightweight access points that are
currently detecting the rogue access point. See the “Detecting Access Points” section on page 5-110
for more information.
Note
Detecting AP Name, Radio, and SSID information might be empty because the information is not
available on the controller. Refresh the page after the rogue AP task is completed to see the AP
details.
•
View Details by Controller—View the classification type and state of the rogue APs reported by the
controller.
•
Map (High Resolution)—Click to display a high-resolution map of the rogue access point location.
•
Rogue Clients—Click to view a list of rogue clients associated with this rogue access point. The
Rogue Clients page displays the Client MAC address, when it was last heard, its current status, its
controller, and the Rogue access point. See the “Viewing Rogue Client Details” section on
page 5-103 for more information. This information can also be accessed by using the Prime
Infrastructure Search feature.
•
Set State to ‘Unclassified - Alert’—Choose this command to tag the rogue access point as the lowest
threat, continue monitoring the rogue access point, and to turn off Containment. See the
“Unclassified Rogue APs” section on page 5-95 for more information on Unclassified rogues.
•
Set State to ‘Malicious - Alert’—Choose this command to tag the rogue access point as ‘Malicious’.
See the “Malicious Rogue APs” section on page 5-94 for more information on Malicious rogues.
•
Set State to ‘Friendly - Internal’—Choose this command to tag the rogue access point as internal,
add it to the Known Rogue APs list, and to turn off Containment. See the “Friendly Rogue APs”
section on page 5-94 for more information on Friendly rogues.
•
Set State to ‘Friendly - External’—Choose this command to tag the rogue access point as external,
add it to the Known Rogue APs list, and to turn off Containment. See the “Friendly Rogue APs”
section on page 5-94 for more information on Friendly rogues.
•
1 AP Containment—Target the rogue access point for containment by one access point. (Lowest
containment level.)
•
2 AP Containment—Target the rogue access point for containment by two Cisco 1000 series
lightweight access points.
•
3 AP Containment—Target the rogue access point for containment by three Cisco 1000 series
lightweight access points.
•
4 AP Containment—Target the rogue access point for containment by four Cisco 1000 series
lightweight access points. (Highest containment level.)
Note
The higher the threat of the rogue access point, the higher the containment required.
Viewing Rogue Client Details
You can view a list of rogue clients in several ways:
•
Perform a search for rogue clients using the Prime Infrastructure Search feature.
•
View the list of rogue clients for a specific rogue access point from the Alarm Details page for the
applicable rogue access point. Click the Rogue MAC address for the applicable rogue client to view
the Rogue Client details page.
•
In the Alarm Details page of a rogue access point, choose Rogue Clients from the Select a
command drop-down list.
The Rogue Clients page displays the Client MAC address, when it was last heard, its current status, its
controller, and the associated rogue access point.
Note
Rogue client statuses include: Contained (the controller contains the offending device so that its
signals no longer interfere with authorized clients); Alert (the controller forwards an immediate
alert to the system administrator for further action); and Threat (the rogue is a known threat).
Click the Client MAC Address for the rogue client to view the Rogue Client details page. The Rogue
Client details page displays the following information:
•
General—Information includes: client MAC address, number of access points that detected this
client, when the client was first and last heard, the rogue access point MAC address, and the client
current status.
•
Location Notifications—Indicates the number of notifications for this rogue client including:
absence, containment, distance, and all. Click the notification number to open the applicable
Monitor > Alarms page.
•
APs that detected the rogue client—Provides the following information for all access points that
detected this rogue client: base radio MAC address, access point name, channel number, radio type,
RSSI, SNR, and the date/time that the rogue client was last heard.
•
Location—Provides location information, if available.
Note
The higher the threat of the rogue access point, the higher the containment required.
Select a command
The Select a command drop-down list in the Rogue Client details page includes the following options:
•
Set State to ‘Unknown - Alert’—Choose this command to tag the rogue client as the lowest threat,
continue monitoring the rogue client, and to turn off Containment.
•
1 AP Containment—Target the rogue client for containment by one access point. (Lowest
containment level.)
•
2 AP Containment—Target the rogue client for containment by two access points.
•
3 AP Containment—Target the rogue client for containment by three access points.
•
4 AP Containment—Target the rogue client for containment by four access points. (Highest
containment level.)
•
Map (High Resolution)—Click to display a high-resolution map of the rogue client location.
•
Location History—Click to display the history of the rogue client location based on RF
fingerprinting.
Viewing Rogue AP History Details
To view the history of rogue AP alarms, click the Rogue AP History link in the Rogue AP Alarm page.
The Rogue AP History page displays the following information:
•
Severity—The severity of the alarm.
•
Rogue MAC Address—MAC address of the rogue access point.
•
Classification Type—Malicious, Friendly, or Unclassified.
•
Radio Type—Lists all radio types applicable to this rogue access point.
•
Strongest AP RSSI—Displays the strongest AP RSSI for this rogue access point across the life of
the rogue. The strongest AP RSSI over the life of the rogue displays to indicate the nearest distance
that existed between the rogue access point and your building or location. The higher the RSSI, the
closer the location.
•
No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access point.
Note
The number of rogue clients is the only real-time field in the Monitor > Alarm > Alarm Details
page. It updates each time you open the Alarm Details page for this rogue access point. All other
fields on the Alarm Details page are populated through polling and are updated every two hours.
•
First Seen Time—Indicates the date and time when the rogue access point was first detected. This
information is populated from the controller.
•
Last Seen Time—Indicates the date and time when the rogue access point was last detected. This
information is populated from the controller.
•
State—Indicates the state of the alarm. Possible states vary depending on the classification type of
rogue access point.
•
SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not
broadcast.)
•
Category—Indicates the category of this alarm such as Security or Prime Infrastructure.
•
On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the
following: Traced but not found, Traced and found, Not traced.
•
Channel Number—Indicates the channel of the ad hoc rogue.
•
Containment Level—Indicates the containment level of the ad hoc rogue or Unassigned.
•
Switch Port Trace Status—Indicates the switch port trace status. Switch port trace status might
include: Traced, but not found, Traced and found, Not traced, Failed.
Click the Rogue MAC address to view the specific rogue AP history details page. The rogue AP history
details page displays the above details and also displays the actual alarm message.
Viewing Rogue AP Event History Details
To view the event details of a rogue AP, click the Event History link in the Rogue AP Alarm page.
The Rogue AP Event History page displays the following information:
•
Severity—The severity of the alarm.
•
Rogue MAC Address—MAC address of the rogue access point.
•
Vendor—Rogue access point vendor name or Unknown.
•
Classification Type—Malicious, Friendly, or Unclassified.
•
On Network—Indicates whether the rogue detection occurred. The controller detected the rogue
(Yes or No).
•
Date/Time—The date and time that the event was generated.
•
Radio Type—Lists all radio types applicable to this rogue access point.
•
State—Indicates the state of the alarm. Possible states vary depending on the classification type of
rogue access point.
•
SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not
broadcast.)
Monitoring Ad hoc Rogues
If the MAC address of a mobile client operating in an ad hoc network is not in the authorized MAC address
list, then it is identified as an ad hoc rogue. This section contains the following topics:
•
Monitoring Ad hoc Rogue Alarms, page 5-105
•
Viewing Ad hoc Rogue Alarm Details, page 5-107
Monitoring Ad hoc Rogue Alarms
The Adhoc Rogue Alarms page displays alarm events for ad hoc rogues. To access the Adhoc Rogue
Alarms page, do one of the following:
•
Perform a search for ad hoc rogue alarms.
•
From the Prime Infrastructure home page, click the Security dashboard. This page displays all the
ad hoc rogues detected in the past hour and the past 24 hours. Click the ad hoc rogue number to view
the ad hoc rogue alarms.
If there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll
arrow on each side. Use this to view additional alarms.
The Adhoc Rogue Alarms page contains the following fields:
Note
When the Prime Infrastructure polls, some data might change or get updated. Because of this,
some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel,
SSID, and Radio Types) can change during the life of the rogue.
•
Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
You can use the Severity Configuration feature to determine the level of severity for the following
ad hoc rogue alarm types:
– Adhoc Rogue auto contained
– Adhoc Rogue detected
– Adhoc Rogue detected on network
See the “Alarm and Event Dictionary” section on page 13-713 for more information.
•
Rogue MAC Address—Indicates the MAC address of the rogue. See the “Viewing Ad hoc Rogue
Alarm Details” section on page 5-107 for more information.
•
Vendor—Indicates the ad hoc rogue vendor name, or Unknown.
•
Radio Type—Lists all radio types applicable to this rogue access point.
•
Strongest AP RSSI—Displays the strongest AP RSSI for this rogue across the life of the rogue. The
strongest AP RSSI over the life of the rogue indicates the nearest distance that existed
between the rogue and your building or location. The higher the RSSI, the closer the location.
•
No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access point.
Note
The number of rogue clients is the only real-time field in the Monitor > Alarm > Alarm
Details page. It updates each time you open the Alarm Details page for this rogue access
point.
All other fields in the Alarm Details page are populated through polling and are updated
every two hours.
•
Owner—Indicates the owner or is left blank.
•
Last Seen Time—Indicates the date and time that the alarm was last viewed.
•
State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert,
Internal, External, Contained, Contained Pending, and Removed.
•
SSID—The Service Set Identifier that is being broadcast by the rogue ad hoc radio. It is blank if
there is no broadcast.
•
Map Location—Indicates the map location for this ad hoc rogue.
•
Acknowledged—Displays whether or not the alarm is acknowledged by the user.
You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The
alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the
alarm search functionality. See the “Acknowledging Alarms” section on page 5-137 for more
information.
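A triage pass over the fields described above, as an added example (not Cisco code and not a Prime Infrastructure API). It assumes the alarm rows are available as CSV text with columns named after the field labels and that RSSI values are in dBm; the sample rows, the authorized MAC list, and the scoring weights are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample rows. Column names mirror the field labels on the Adhoc Rogue
# Alarms page; the CSV layout itself is an assumption, not a product export format.
SAMPLE_CSV = """\
Rogue MAC Address,Vendor,Strongest AP RSSI,No. of Rogue Clients,State,SSID,On Network,Acknowledged
00:00:5e:00:53:01,Unknown,-48,3,Threat,,Yes,No
0000.5e00.5302,ExampleCo,-82,0,Alert,guest-share,No,No
00:00:5e:00:53:03,ExampleCo,-55,1,Contained,printer-adhoc,No,Yes
00:00:5e:00:53:04,Unknown,-60,2,Threat,,No,Yes
00:00:5e:00:53:05,ExampleCo,-40,1,Alert,lab-mesh,No,No
00:00:5e:00:53:06,Unknown,,1,Contained Pending,,No,No
"""

# Hypothetical authorized MAC address list (clients on it are not ad hoc rogues).
AUTHORIZED_MACS = {"00:00:5e:00:53:05"}
# Example policy: alarms in these states need no further analyst action.
SETTLED_STATES = {"Internal", "External", "Contained", "Removed"}
# Example weights for the states that stay in the review queue.
STATE_WEIGHT = {"Threat": 30, "Alert": 10, "Contained Pending": 10}


def field(row, name):
    """Return a trimmed string for a column, tolerating short or missing cells."""
    return (row.get(name) or "").strip()


def normalize_mac(value):
    """Return a lowercase colon-separated MAC, or None if it is not 12 hex digits."""
    digits = re.sub(r"[.:\-\s]", "", value or "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def score_alarm(row):
    """Score one alarm row and return (score, reasons)."""
    score, reasons = 0, []
    if field(row, "On Network").lower() == "yes":
        score += 50
        reasons.append("detected on network")
    state = field(row, "State")
    if state in STATE_WEIGHT:
        score += STATE_WEIGHT[state]
        reasons.append("state " + state)
    else:
        reasons.append("unrecognized state " + repr(state))
    try:
        rssi = int(field(row, "Strongest AP RSSI"))
        # Higher RSSI means the rogue was closer; map -90..-30 dBm onto 0..20 points.
        score += max(0, min(20, (rssi + 90) // 3))
    except ValueError:
        reasons.append("RSSI missing")
    clients = field(row, "No. of Rogue Clients")
    count = int(clients) if clients.isdigit() else 0
    if count:
        score += min(20, 5 * count)
        reasons.append(f"{count} rogue client(s)")
    if field(row, "Acknowledged").lower() == "yes":
        # Acknowledged alarms are hidden from the Alarm Summary but still exist.
        reasons.append("acknowledged, so hidden from Alarm Summary")
    return score, reasons


def triage(csv_text, authorized=AUTHORIZED_MACS):
    """Return (queue sorted by descending score, skipped rows with the reason)."""
    queue, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = field(row, "Rogue MAC Address")
        mac = normalize_mac(raw)
        if mac is None:
            skipped.append((raw, "unparseable MAC"))
        elif mac in authorized:
            skipped.append((mac, "on authorized MAC list"))
        elif field(row, "State") in SETTLED_STATES:
            skipped.append((mac, "state " + field(row, "State")))
        else:
            score, reasons = score_alarm(row)
            queue.append({"mac": mac, "score": score, "reasons": reasons})
    queue.sort(key=lambda alarm: alarm["score"], reverse=True)
    return queue, skipped


if __name__ == "__main__":
    ranked, dropped = triage(SAMPLE_CSV)
    for alarm in ranked:
        print(alarm["score"], alarm["mac"], "; ".join(alarm["reasons"]))
    for mac, why in dropped:
        print("skipped", mac, why)
```

Because every field except the rogue client count is refreshed by polling, a ranking like this reflects the last poll rather than the current state of the air.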
Select a command Menu
Select one or more alarms by selecting their respective check boxes, choose one of the following
commands from the Select a command drop-down list, and click Go.
•
Assign to me—Assign the selected alarm(s) to the current user.
•
Unassign—Unassign the selected alarm(s).
•
Delete—Delete the selected alarm(s).
•
Clear—Clear the selected alarm(s).
•
Acknowledge—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page.
See the “Acknowledging Alarms” section on page 5-137 for more information.
Note
The alarm remains in the Prime Infrastructure and you can search for all Acknowledged
alarms using the alarm search functionality.
•
Unacknowledge—Unacknowledge an already acknowledged alarm.
•
Email Notification—Takes you to the All Alarms > Email Notification page to view and configure
email notifications. See the “Monitoring RFID Tags” section on page 5-115 for more information.
•
Detecting APs—View the access points that are currently detecting the ad hoc rogue. See
Detecting Access Points, page 110, for more information.
•
Map (High Resolution)—Click to display a high-resolution map of the ad hoc rogue location.
•
Rogue Clients—Click to view a list of rogue clients associated with this ad hoc rogue. The Rogue
Clients page displays the Client MAC Address, when it was last heard, its current status, its
controller, and the ad hoc rogue.
•
Set State to ‘Alert’—Choose this command to tag the ad hoc rogue as the lowest threat, continue
monitoring the rogue access point, and to turn off Containment.
•
Set State to ‘Internal’—Choose this command to tag the ad hoc rogue as internal, add it to the
Known Rogue APs list, and to turn off Containment.
•
Set State to ‘External’—Choose this command to tag the ad hoc rogue as external, add it to the
Known Rogue APs list, and to turn off Containment.
•
1 AP Containment—Target the ad hoc rogue for containment by one access point. (Lowest
containment level.)
•
2 AP Containment—Target the ad hoc rogue for containment by two access points.
•
3 AP Containment—Target the ad hoc rogue for containment by three access points.
•
4 AP Containment—Target the ad hoc rogue for containment by four access points. (Highest
containment level.)
Caution
Attempting to contain an ad hoc rogue might lead to legal consequences. When you select any of the AP
Containment commands and click Go, a message “Containing a Rogue AP may have legal consequences.
Do you want to continue?” appears. Click OK if you are sure, or click Cancel if you do not want to
contain any access points.
Viewing Ad hoc Rogue Alarm Details
Alarm event details for each ad hoc rogue are available from the Adhoc Rogue Alarms page.
To view alarm events for an ad hoc rogue radio, click the applicable Rogue MAC address in the Adhoc
Rogue Alarms page.
This page displays alarm events for a rogue access point radio. Rogue access point radios are
unauthorized access points detected by Cisco 1000 Series lightweight access points.
Note
When the Prime Infrastructure polls, some data might change or get updated. Because of this,
some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel,
SSID, and Radio Types) can change during the life of the rogue.
•
General
– Rogue MAC Address—Media Access Control address of the ad hoc rogue.
– Vendor—Ad hoc rogue vendor name or Unknown.
– On Network—Indicates how the rogue detection occurred.
Controller—The controller detected the rogue (Yes or No).
Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the
following: Traced but not found, Traced and found, Not traced.
– Owner—Indicates the owner or left blank.
– Acknowledged—Indicates whether or not the alarm is acknowledged by the user.
You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The
alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms
using the alarm search functionality. See the “Acknowledging Alarms” section on page 5-137
for more information.
– State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert,
Internal, External, Contained, Contained Pending, and Removed.
– SSID—Service Set Identifier being broadcast by the ad hoc rogue radio. (Blank if SSID is not
broadcast.)
– Channel Number—Indicates the channel of the ad hoc rogue.
– Containment Level—Indicates the containment level of the ad hoc rogue or Unassigned.
– Radio Type—Lists all radio types applicable to this ad hoc rogue.
– Strongest AP RSSI—Indicates the strongest received signal strength indicator for this Prime
Infrastructure (including all detecting access points for all controllers and across all detection
times).
– No. of Rogue Clients—Indicates the number of rogue clients associated to this ad hoc.
Note
This number comes from the Prime Infrastructure database. It is updated every two
hours. In the Monitor > Alarms > Alarm Details page, this number is a real-time number.
It is updated each time you open the Alarm Details page for this rogue access point.
– Created—Indicates when the alarm event was created.
– Modified—Indicates when the alarm event was modified.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
NMS (Network Management System - Prime Infrastructure)—Generated through polling.
Prime Infrastructure periodically polls the controllers and generates events. Prime
Infrastructure generates events when the traps are disabled or when the traps are lost for those
events. In this case, “Generated by” is NMS.
Trap—Generated by the controller. Prime Infrastructure processes these traps and raises
corresponding events for them. In this case, “Generated by” is Controller.
– Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator
icons.
– Previous Severity—The previous severity of the alarm: Critical, Major, Minor, Clear. Color
coded.
•
Annotations—Enter any new notes in this box and click Add to update the alarm.
•
Message—Displays descriptive information about the alarm.
•
Help—Displays the latest information about the alarm.
•
Event History—Click to access the Monitor > Events page. See the “Monitoring Events” section on
page 5-143 for more information.
•
Annotations—Lists existing notes for this alarm.
Searching Rogue Clients Using Advanced Search
When the access points on your wireless LAN are powered up and associated with controllers, the Prime
Infrastructure immediately starts listening for rogue access points. When a controller detects a rogue
access point, it immediately notifies the Prime Infrastructure, which creates a rogue access point alarm.
To find rogue access point alarms using Advanced Search, follow these steps:
Step 1
Click Advanced Search in the top right-hand corner of the Prime Infrastructure main page.
Step 2
Choose Rogue Client from the Search Category drop-down list.
Step 3
(Optional) You can filter the search even further with the other search criteria if desired.
Step 4
Click Search. The list of rogue clients appears.
Step 5
Choose a rogue client by clicking a client MAC address. The Rogue Client detail page appears.
Step 6
To modify the alarm, choose one of these commands from the Select a command drop-down list, and
click Go.
•
Set State to ‘Unknown-Alert’—Tags the ad hoc rogue as the lowest threat, continues to monitor the
ad hoc rogue, and turns off containment.
•
1 AP Containment through 4 AP Containment—Indicates the number of access points (1-4) in the
vicinity of the rogue unit that send deauthenticate and disassociate messages to the client devices that
are associated to the rogue unit.
•
Map (High Resolution)—Displays the current calculated rogue location in the Maps > Building
Name > Floor Name page.
•
Location History—Displays the history of the rogue client location based on RF fingerprinting.
Note
The client must be detected by an MSE for the location history to appear.
Monitoring Rogue Access Point Location, Tagging, and Containment
When the Cisco Unified Network Solution is monitored using the Prime Infrastructure, the Prime
Infrastructure generates the flags as rogue access point traps and displays the known rogue access points
by MAC address. The operator can then display a map showing the location of the access points closest
to each rogue access point. The next step is to mark them as Known or Acknowledged rogue access
points (no further action), Alert rogue access points (watch for and notify when active), or Contained
rogue access points (have between one and four access points discourage rogue access point clients by
sending the clients deauthenticate and disassociate messages whenever they associate with the rogue
access point).
This built-in detection, tagging, monitoring, and containment capability enables system administrators
to take appropriate action:
•
Locate rogue access points
•
Receive new rogue access point notifications, eliminating hallway scans
•
Monitor unknown rogue access points until they are eliminated or acknowledged
•
Determine the closest authorized access point, making directed scans faster and more effective
•
Contain rogue access points by sending their clients deauthenticate and disassociate messages from
one to four access points. This containment can be done for individual rogue access points by MAC
address or can be mandated for all rogue access points connected to the enterprise subnet.
•
Tag rogue access points:
– Acknowledge rogue access points when they are outside of the LAN and do not compromise the
LAN or wireless LAN security
– Accept rogue access points when they do not compromise the LAN or wireless LAN security
– Tag rogue access points as unknown until they are eliminated or acknowledged
•
Tag rogue access points as contained and discourage clients from associating with the rogue access
points by having between one and four access points transmit deauthenticate and disassociate
messages to all rogue access point clients. This function applies to all active channels on the same
rogue access point.
Detecting Access Points
Use the Detecting Access Points feature to view information about the Cisco lightweight access points
that are detecting a rogue access point.
To access the Rogue AP Alarms details page, follow these steps:
Step 1
To display the Rogue AP Alarms page, do one of the following:
•
Perform a search for rogue APs.
•
In the Prime Infrastructure home page, click the Security dashboard. This dashboard displays all
the rogue access points detected in the past hour and the past 24 hours. Click the rogue access point
number to view the rogue access point alarms.
•
Click the Malicious AP number link in the Alarm Summary box.
Step 2
In the Rogue AP Alarms page, click the Rogue MAC Address for the applicable rogue access point. The
Rogue AP Alarms details page appears.
Step 3
From the Select a command drop-down list, choose Detecting APs.
Step 4
Click Go.
Click a list item to display data about that item:
•
AP Name
•
Radio
•
Map Location
•
SSID—Service Set Identifier being broadcast by the rogue access point radio.
•
Channel Number—Which channel the rogue access point is broadcasting on.
•
WEP—Enabled or disabled.
•
WPA—Enabled or disabled.
•
Pre-Amble—Long or short.
•
RSSI—Received signal strength indicator in dBm.
•
SNR—Signal-to-noise ratio.
•
Containment Type—Type of containment applied from this access point.
•
Containment Channels—Channels that this access point is currently containing.
Monitoring Rogue Alarm Events
The Events page enables you to review information about rogue alarm events. The Prime Infrastructure
generates an event when a rogue access point is detected or if you make manual changes to a rogue access
point (such as changing its state). The Rogue AP Events list page displays all rogue access point events.
To access the Rogue AP Events list page, follow these steps:
Step 1
Do one of the following:
•
Perform a search for rogue access point events using the Advanced Search feature of the Prime
Infrastructure.
•
In the Rogue AP Alarms details page, click Event History from the Select a command drop-down
list. See the “Viewing Rogue AP Alarm Details” section on page 5-99 for more information.
Step 2
The Rogue AP Events list page displays the following event information.
•
Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
•
Rogue MAC Address—Click the rogue MAC address to view the Rogue AP Event Details page. See
the “Viewing Rogue AP Event Details” section on page 5-111 for more information.
•
Vendor—Rogue access point vendor name or Unknown.
•
Classification Type—Malicious, Friendly, or Unclassified.
•
On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the
following: Traced but not found, Traced and found, Not traced.
•
Radio Type—Lists all radio types applicable to this rogue access point.
•
Date/Time—The date and time that the event was generated.
•
State—Indicates the state of the alarm. Possible states vary depending on the classification type of
rogue access point.
•
SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not
broadcast.)
Viewing Rogue AP Event Details
To view rogue access point event details, follow these steps:
Step 1
In the Rogue AP Events list page, click the Rogue MAC Address link.
Step 2
The Rogue AP Events Details page displays the following information:
•
Rogue MAC address
•
Vendor—Rogue access point vendor name or Unknown.
•
On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the
following: Traced but not found, Traced and found, Not traced.
•
Classification Type—Malicious, Friendly, or Unclassified.
•
State—Indicates the state of the alarm. Possible states vary depending on the classification type of
rogue access point.
•
SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not
broadcast.)
•
Channel Number—The channel on which the rogue access point is broadcasting.
•
Containment Level—Indicates the containment level of the rogue access point or Unassigned.
•
Radio Type—Lists all radio types applicable to this rogue access point.
•
Created—The date and time that the event was generated.
•
Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
– NMS (Network Management System - Prime Infrastructure)—Generated through polling.
Prime Infrastructure periodically polls the controllers and generates events. Prime
Infrastructure generates events when the traps are disabled or when the traps are lost for those
events. In this case, “Generated by” is NMS.
– Trap—Generated by the controller. Prime Infrastructure processes these traps and raises
corresponding events for them. In this case, “Generated by” is Controller.
•
Device IP Address
•
Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
•
Message—Provides details of the current event.
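A coverage check built on the Generated By and Device IP Address fields above, as an added example (not Cisco code). Since an event is marked NMS only when the trap was disabled or lost, grouping events by controller shows which controllers are reporting rogues through polling alone. The event records, the `min_events` threshold, and the verdict labels are assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed event rows: (Device IP Address, Generated By, Rogue MAC Address).
# Addresses come from documentation ranges; none are taken from the guide.
ROWS = [
    ("192.0.2.10", "Controller", "00:00:5e:00:53:11"),
    ("192.0.2.10", "Controller", "00:00:5e:00:53:12"),
    ("192.0.2.10", "Controller", "00:00:5e:00:53:13"),
    ("192.0.2.10", "", "00:00:5e:00:53:14"),
    ("192.0.2.20", "NMS", "00:00:5e:00:53:21"),
    ("192.0.2.20", "NMS", "00:00:5e:00:53:22"),
    ("192.0.2.20", "NMS", "00:00:5e:00:53:21"),
    ("192.0.2.20", "NMS", "00:00:5e:00:53:23"),
    ("192.0.2.30", "Controller", "00:00:5e:00:53:31"),
    ("192.0.2.30", "NMS", "00:00:5e:00:53:31"),
    ("192.0.2.30", "Controller", "00:00:5e:00:53:32"),
    ("192.0.2.30", "NMS", "00:00:5e:00:53:31"),
    ("192.0.2.40", "NMS", "00:00:5e:00:53:41"),
]
SAMPLE_EVENTS = [
    {"Device IP Address": ip, "Generated By": source, "Rogue MAC Address": mac}
    for ip, source, mac in ROWS
]


def trap_coverage(events, min_events=3):
    """Summarize, per controller, how rogue events reached Prime Infrastructure.

    "NMS" means the event was created by polling (trap disabled or lost);
    "Controller" means a trap arrived. Anything else is counted as unknown.
    """
    counts = defaultdict(Counter)
    polled_rogues = defaultdict(set)
    for event in events:
        ip = (event.get("Device IP Address") or "").strip()
        if not ip:
            continue  # cannot attribute the event to a controller
        source = (event.get("Generated By") or "").strip().lower()
        if source == "nms":
            counts[ip]["polled"] += 1
            polled_rogues[ip].add((event.get("Rogue MAC Address") or "").lower())
        elif source == "controller":
            counts[ip]["trap"] += 1
        else:
            counts[ip]["unknown"] += 1

    report = {}
    for ip, tally in counts.items():
        polled, trap = tally["polled"], tally["trap"]
        if polled + trap < min_events:
            verdict = "insufficient data"
        elif trap == 0:
            verdict = "no traps received"   # traps disabled or blocked end to end
        elif polled == 0:
            verdict = "traps arriving"
        else:
            verdict = "some traps lost"     # mixed: traps work but some were missed
        report[ip] = {
            "polled": polled,
            "trap": trap,
            "unknown": tally["unknown"],
            "verdict": verdict,
            "polled_rogues": sorted(polled_rogues[ip]),
        }
    return report


if __name__ == "__main__":
    for ip, row in sorted(trap_coverage(SAMPLE_EVENTS).items()):
        print(ip, row["verdict"], "polled:", row["polled"], "trap:", row["trap"])
```

A controller that lands in "no traps received" is worth checking for trap configuration and reachability, because its rogue detections reach the console only when the next poll runs.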
Monitoring Ad hoc Rogue Events
The Events page enables you to review information about ad hoc rogue events. Prime Infrastructure
generates an event when an ad hoc rogue is detected or if you make manual changes to an ad hoc rogue
(such as changing its state). The Adhoc Rogue Events list page displays all ad hoc rogue events.
To access the Rogue AP Events list page, follow these steps:
Step 1
Do one of the following:
•
Perform a search for ad hoc rogue events using the Advanced Search feature of the Prime
Infrastructure.
•
In the Adhoc Rogue Alarms details page, click Event History from the Select a command
drop-down list. See the “Viewing Ad hoc Rogue Alarm Details” section on page 5-107 for more
information.
Step 2
The Rogue AP Events list page displays the following event information.
•
Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
•
Rogue MAC Address—Click the rogue MAC address to view the Rogue AP Event Details page. See
the “Viewing Ad hoc Rogue Event Details” section on page 5-113 for more information.
•
Vendor—Rogue access point vendor name or Unknown.
•
On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the
following: Traced but not found, Traced and found, Not traced.
•
Radio Type—Lists all radio types applicable to this rogue access point.
•
Date/Time—The date and time that the event was generated.
•
State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert,
Internal, External, Contained, Contained Pending, and Removed.
•
SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not
broadcast.)
Viewing Ad hoc Rogue Event Details
To view rogue access point event details, follow these steps:
Step 1
In the Rogue AP Events list page, click the Rogue MAC Address link.
Step 2
The Rogue AP Events Details page displays the following information:
•
Rogue MAC Address
•
Vendor—Rogue access point vendor name or Unknown.
•
On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the
following: Traced but not found, Traced and found, Not traced.
•
State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert,
Internal, External, Contained, Contained Pending, and Removed.
•
SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not
broadcast.)
•
Channel Number—The channel on which the rogue access point is broadcasting.
•
Containment Level—Indicates the containment level of the rogue access point or Unassigned.
•
Radio Type—Lists all radio types applicable to this rogue access point.
•
Created—The date and time that the event was generated.
•
Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
– NMS (Network Management System - Prime Infrastructure)—Generated through polling.
Prime Infrastructure periodically polls the controllers and generates events. Prime
Infrastructure generates events when the traps are disabled or when the traps are lost for those
events. In this case, “Generated by” is NMS.
– Trap—Generated by the controller. Prime Infrastructure processes these traps and raises
corresponding events for them. In this case, “Generated by” is Controller.
•
Device IP Address
•
Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
•
Message—Provides details of the current event.
Troubleshooting Unjoined Access Points
When a lightweight access point initially starts up, it attempts to discover and join a wireless LAN
controller. After joining the wireless controller, the access point updates its software image if needed
and receives all the configuration details for the device and network. After successfully joining the
wireless controller, the access point can be discovered and managed by Prime Infrastructure. Until the
access point successfully joins a wireless controller, the access point cannot be managed by Prime
Infrastructure and does not contain the proper configuration settings to allow client access.
Prime Infrastructure provides you with a tool that diagnoses why an access point cannot join a controller
and lists corrective actions.
The Unjoined AP page displays a list of access points that have not joined any wireless controllers. All
gathered information about the unjoined access point is included in the page. This includes name, MAC
address, IP address, controller name and IP address, switch and port that the access point is attached to,
and any join failure reason if known.
To troubleshoot unjoined access points, do the following:
Step 1
Choose Monitor > Unjoined APs. The Unjoined APs page appears containing a list of access points
that have not been able to join a wireless controller.
Step 2
Select the access point that you wish to diagnose, then click Troubleshoot. An analysis is run on the
access point to determine the reason why the access point was not able to join a wireless controller. After
performing the analysis, the Unjoined APs page displays the results.
Step 3
If the access point has tried to join multiple wireless controllers and has been unsuccessful, the
controllers are listed in the left pane. Select a controller.
Step 4
In the middle pane, you can view what the problem is. It will also list error messages and controller log
information.
Step 5
In the right pane, recommendations for solving the problems are listed. Perform the recommended
action.
Step 6
If you need to further diagnose a problem, you can run RTTS through the Unjoined AP page. This allows
you to see the debug messages from all the wireless controllers that the access point tried to join at one
time.
To run RTTS, click the RTTS icon located to the right of the table. The debug messages appear in
the table. You can then examine the messages to see if you can determine a cause for the access point
not being able to join the controllers.
Monitoring RFID Tags
The Monitor > RFID Tags page allows you to monitor tag status and location on the Prime Infrastructure
maps as well as review tag details.
Note
This page is only available in the Location version of the Prime Infrastructure.
This section provides information on the tags detected by the location appliance.
Choose Monitor > RFID Tags to access this section. By default, the Tag Summary page is displayed.
This section contains the following topics:
•
Tag Summary, page 5-115
•
Searching Tags, page 5-115
•
Viewing RFID Tag Search Results, page 5-116
•
Viewing the Tag List, page 5-117
Tag Summary
Choose Monitor > RFID Tags to access this page.
This page provides information on the number of tags that are detected by MSE. The following fields
are displayed in the main data area:
•
Device Name—Name of the MSE device.
•
Total Tags—Click the number to view tag details. Clicking the number shows the list of tags located
by the MSE. Clicking a MAC address shows the tag details pertaining to that MAC address.
Searching Tags
Use the Prime Infrastructure Advanced Search feature to find specific or all tags.
To search for tags in the Prime Infrastructure, follow these steps:
Step 1
Click Advanced Search.
Step 2
Choose Tags from the Search Category drop-down list.
Step 3
Identify the applicable tag search fields including:
•
Search By—Choose All Tags, Asset Name, Asset Category, Asset Group, MAC Address,
Controller, MSE, Floor Area, or Outdoor Area.
Note
Search fields might change depending on the selected category. When applicable, enter the
additional field or filter information to help identify the Search By category.
•
Search In—Choose MSEs or Prime Infrastructure Controllers.
•
Last detected within—Choose a time increment from 5 minutes to 24 hours. The default is 15
minutes.
•
Tag Vendor—Select the check box, and choose Aeroscout, G2, PanGo, or WhereNet.
•
Telemetry Tags only—Select the Telemetry Tags only check box to search tags accordingly.
Step 4
Click Go.
Viewing RFID Tag Search Results
Use the Prime Infrastructure Advanced Search feature located in the top right of the Prime Infrastructure
page to search for tags by asset type (name, category and group), by MAC address, by system (controller or
location appliance), and by area (floor area and outdoor area).
Note
Search fields might change depending on the selected category. When applicable, enter the additional
field or filter information to help identify the Search By category.
You can further refine your search using the Advanced search fields and save the search criteria for future
use. Saved search criteria can be retrieved from the Saved Searches located in the navigation bar.
When you click the MAC address of a tag location in a search results page, the following details appear
for the tag:
•
Tag vendor
Note
This option does not appear when Asset Name, Asset Category, Asset Group or MAC
Address are the search criteria for tags.
•
Controller to which the tag is associated
•
Telemetry data (CCX v1 compliant tags only)
– Telemetry data displayed is vendor-specific; however, some commonly reported details are GPS
location, battery extended information, pressure, temperature, humidity, motion, status, and
emergency code.
Note
The Telemetry data option only appears when MSE (select for location servers), Floor
Area, or Outdoor Area are selected as the Search for tags by option.
Note
Only those vendor tags that support telemetry appear.
•
Asset Information (Name, Category, Group)
•
Statistics (bytes and packets received)
•
Location (Floor, Last Located, MSE, map)
•
Location Notification (Absence, Containment, Distance, All)
Note
Telemetry data displayed is vendor-specific; however, some commonly reported details are GPS
location, battery extended information, pressure, temperature, humidity, motion, status, and
emergency code.
•
Emergency Data (CCX v1 compliant tags only)
Viewing the Tag List
Click the Total Tags number link to view the Tags List for the applicable device name. The Tag List
contains the following information:
•
MAC Address
•
Asset Name
•
Asset Group
•
Asset Category
•
Vendor Name
•
Mobility Services Engine
•
Controller
•
Battery Status
•
Map Location
Monitoring Chokepoints
Chokepoints are installed and configured as recommended by the Chokepoint vendor. After the
chokepoint installation is complete and operational, the chokepoint can be added to the Prime
Infrastructure and placed on Floor Maps. They are pushed to the Location Server during
synchronization.
Choose Monitor > Chokepoints. A page appears displaying a list of found chokepoints. Clicking a link
in the Map Location column for a particular chokepoint displays a map that shows the location of the
chokepoint.
The following fields are displayed:
•
MAC Address—The MAC address of the chokepoint.
•
Chokepoint Name—The user-defined name of the chokepoint.
•
Entry/Exit Chokepoint—Indicates whether or not the chokepoint is an entry/exit chokepoint.
•
Range—The range of the chokepoint in feet.
•
Static IP—The static IP address of the chokepoint.
•
Map Location—A link to a map showing the location of the chokepoint.
Performing a Chokepoint Search
An advanced search allows you to search for chokepoints.
To perform an advanced search for a chokepoint in the Prime Infrastructure, follow these steps:
Step 1
Click Advanced Search located in the top right corner of the Prime Infrastructure.
Step 2
From the New Search page, choose Chokepoint from the Search Category drop-down list.
Step 3
Choose the method by which you want to search (by MAC address or chokepoint name) from the Search
for Chokepoint by drop-down list.
Step 4
Enter the MAC address or chokepoint name, depending on the search method selected.
Step 5
Click Search.
Monitoring Interferers
The Monitor > Interferer page allows you to monitor interference devices detected by the
CleanAir-enabled access points.
This section provides information on the interferers detected by the CleanAir-enabled access points. By
default, the Monitoring AP Detected Interferers page is displayed.
This section contains the following topics:
•
Monitoring AP Detected Interferers, page 5-118
•
Monitoring AP Detected Interferer Details, page 5-119
•
Monitoring AP Detected Interferer Details Location History, page 5-120
•
Configuring the Search Results Display, page 5-121
Monitoring AP Detected Interferers
Choose Monitor > Interferers to view all the interfering devices detected by the CleanAir-enabled
access points on your wireless network. This page enables you to view a summary of the interfering
devices including the following default information:
•
Interferer ID—A unique identifier for the interferer. This is a pseudo-randomly generated ID.
Though it is similar to a MAC address, it is not a real address, such as the one used by a
Bluetooth headset.
•
Type—Indicates the category of the interferer. Click to read more about the type of device. A pop-up
window appears displaying more details. The categories include the following:
– Bluetooth link—A Bluetooth link (802.11b/g/n only)
– Microwave Oven—A microwave oven (802.11b/g/n only)
– 802.11 FH—An 802.11 frequency-hopping device (802.11b/g/n only)
– Bluetooth Discovery—A Bluetooth discovery (802.11b/g/n only)
– TDD Transmitter—A time division duplex (TDD) transmitter
– Jammer—A jamming device
– Continuous Transmitter—A continuous transmitter
– DECT-like Phone—A digital enhanced cordless communication (DECT)-compatible phone
– Video Camera—A video camera
– 802.15.4—An 802.15.4 device (802.11b/g/n only)
– WiFi Inverted—A device using spectrally inverted Wi-Fi signals
– WiFi Invalid Channel—A device using non-standard Wi-Fi channels
– SuperAG—An 802.11 SuperAG device
– Canopy—A Motorola Canopy device
– Radar—A radar device (802.11a/n only)
– XBox—A Microsoft Xbox (802.11b/g/n only)
– WiMAX Mobile—A WiMAX mobile device (802.11a/n only)
– WiMAX Fixed—A WiMAX fixed device (802.11a/n only)
– WiFi AOCI—A WiFi device with AOCI
– Unclassified
•
Status—Indicates the status of the interfering device.
– Active—Indicates that the interferer is currently being detected by the CleanAir capable access
point.
– Inactive—Indicates that the interferer is no longer being detected by the CleanAir capable
access point or no longer reachable by the Prime Infrastructure.
•
Severity—Displays the severity ranking of the interfering device.
•
Affected Band—Displays the band in which this device is interfering.
•
Affected Channels—Displays the affected channels.
•
Duty Cycle (%)—The duty cycle of interfering device in percentage.
•
Discovered—Displays the time at which it was discovered.
•
Last Updated—The last time the interference was detected.
•
Floor—The location where the interfering device is present.
Monitoring AP Detected Interferer Details
Choose Monitor > Interferers > Interferer ID to view this page. This page enables you to view the
details of the interfering devices detected by the access points. This page provides the following details
about the interfering device.
•
Interferer Properties
– Type—Displays the type of the interfering device detected by the AP.
– Status—Indicates the status of the interfering device.
– Active—Indicates that the interferer is currently being detected by the CleanAir capable access
point.
– Inactive—Indicates that the interferer is no longer being detected by the CleanAir capable
access point or no longer reachable by the Prime Infrastructure.
– Severity—Displays the severity ranking of the interfering device.
– Duty Cycle (%)—The duty cycle of interfering device in percentage.
– Affected Band—Displays the band in which this device is interfering.
– Affected Channels—Displays the affected channels.
– Discovered—Displays the time at which it was discovered.
– Last Updated—The last time the interference was detected.
•
Location
– Floor—The location where this interfering device was detected.
– Last Located At—The last time at which the interfering device was located.
– On MSE—The mobility server engine on which this interference device was located.
•
Clustering Information
– Clustered By—Displays the IP address of the controller or the MSE that clustered the interferer
information from the access point.
– Detecting APs—Displays the details of the access point that has detected the interfering device.
The details include: Access Point Name (Mac), Severity, and Duty Cycle(%).
•
Details—Displays a short description about the interfering type.
Select a command
The Select a command drop-down list provides access to the location history of the interfering device
detected by the access point. See the “Monitoring AP Detected Interferer Details Location History”
section on page 5-120.
Monitoring AP Detected Interferer Details Location History
Choose Monitor > Interferers > Interference Device ID, then choose Location History from the Select
a command drop-down list, and click Go to view this page.
•
Interferer Information—Displays the basic information about the interfering device.
– Data Collected At—The time stamp at which the data was collected.
– Type—The type of the interfering device.
– Severity—The severity index of the interfering device.
– Duty Cycle—The duty cycle (in percentage) of the interfering device.
– Affected Channels—A comma separated list of the channels affected.
•
Interferer Location History—Displays the location history of the interfering devices.
– Time Stamp
– Floor
•
Clustering Information
– Clustered By
•
Detecting APs
– AP Name—The access point that detected the interfering device.
– Severity—The severity index of the interfering device.
– Duty Cycle(%)—The duty cycle (in percentage) of the interfering device.
•
Location
– Location Calculated At—Displays the time stamp at which this information was generated.
– Floor—Displays location information of the interfering device.
– A graphical view of the location of the interfering device is displayed in a map. Click the
Enlarge link to view an enlarged image.
Configuring the Search Results Display
The Edit View page allows you to add, remove, or reorder columns in the AP Detected Interferers
Summary page.
To edit the columns in the AP Detected Interferers page, follow these steps:
Step 1
Choose Monitor > Interferers. The AP Detected Interferers page appears showing details of the
interferers detected by the CleanAir-enabled access points.
Step 2
Click the Edit View link.
Step 3
To add an additional column to the access points table, click to highlight the column heading in the left
column. Click Show to move the heading to the right column. All items in the right column are displayed
in the table.
Step 4
To remove a column from the access points table, click to highlight the column heading in the right
column. Click Hide to move the heading to the left column. All items in the left column are not displayed
in the table.
Step 5
Use the Up/Down buttons to specify the order in which the information appears in the table. Highlight
the desired column heading and click Up or Down to move it higher or lower in the current list.
Step 6
Click Reset to restore the default view.
Step 7
Click Submit to confirm the changes.
Monitoring Spectrum Experts
A Spectrum Expert client acts as a remote interference sensor and sends dynamic interference data to
the Prime Infrastructure. This feature allows the Prime Infrastructure to collect, archive, and monitor
detailed interferer and air quality data from Spectrum Experts in the network.
To access the Monitor Spectrum Experts page, follow these steps:
Step 1
Choose Monitor > Spectrum Experts.
Step 2
From the left sidebar menu, you can access the Spectrum Experts Summary page and the Interferers
Summary page.
Spectrum Experts Summary
The Spectrum Experts > Summary page is the default page and provides a table of the Spectrum Experts
added to the system. The table provides the following Spectrum Expert information:
•
Hostname—Displays the hostname or IP Address depending on how it was added. Click the
hostname to access the Spectrum Experts Details page.
•
Active Interferers—Indicates the current number of interferers being detected by the Spectrum
Experts.
•
Affected APs—The number of access points seen by the Spectrum Expert that are potentially
affected by detected interferers.
•
Alarms—The number of active interference traps sent by the Spectrum Expert. Click to access the
Alarm page that is filtered to the active alarms for this Spectrum Expert.
•
Reachability Status—Indicates “Reachable” in green if the Spectrum Expert is running and sending
data to the Prime Infrastructure; otherwise indicates “Unreachable” in red.
•
Location—When the Spectrum Expert is a wireless client, a link is available that displays the location of
the Spectrum Expert. A red box around the Spectrum Expert indicates the effective range. Click to
access the nearest mapped access point.
Interferers Summary
The Interferers > Summary page displays a list of all the interferers detected over a 30-day interval. The
table provides the following interferer information:
•
Interferer ID—An identifier that is unique across different spectrum experts. This is a
pseudo-randomly generated ID. Though it is similar to a MAC address, it is not a real address that
you can use to find the interfering device.
•
Category—Indicates the category of the interferer. Categories include: Bluetooth, Cordless Phones,
Microwave Ovens, 802.11 FH, Generic - Fixed-Frequency, Jammers, Generic - Frequency-Hopped,
Generic - Continuous.
•
Type—Indicates the type of Interferer. Click to access a pop-up description of the type.
•
Status—Indicates Active or Inactive.
– Active—Indicates that the interferer is currently being detected by a spectrum expert.
– Inactive—Indicates that the interferer is no longer detected by a spectrum expert or the spectrum
expert that saw the interferer is no longer reachable by the Prime Infrastructure.
•
Discover Time—Indicates the time of discovery.
•
Affected Channels—Identifies affected channels.
•
Number of APs Affected—An access point is listed as Affected if the following conditions are met:
– The access point is managed by the Prime Infrastructure.
– The spectrum expert detects the access point.
– The spectrum expert detects an interferer on the serving channel of the access point.
•
Power—Indicated in dBm.
•
Duty Cycle—Indicated in percentage.
Note
100% indicates the worst value.
•
Severity—Indicates the severity ranking of the Interferer.
Note
100% indicates the worst value where 0 indicates no interference.
Interferers Search
Use the Prime Infrastructure Search feature to find specific Interferers or to create and save custom
searches. See the Search Methods section in the Cisco Prime Infrastructure 2.0 User Guide for additional
information.
Spectrum Experts Details
The Spectrum Expert Details page provides all interference details from a single Spectrum Expert. This
page updates every 20 seconds providing a real-time look at what is happening on the remote Spectrum
Expert and includes the following items:
•
Total Interferer Count—As seen by the specific Spectrum Expert.
•
Active Interferers Count Chart—Displays a pie chart that groups interferers by category.
•
Active Interferer Count Per Channel—Displays the number of interferers grouped by category on
different channels.
•
AP List—Provides a list of access points detected by the Spectrum Expert that are on channels that
have active interferers detected by the Spectrum Expert on those channels.
•
Affected Clients List—Provides a list of clients that are currently authenticated/associated to the
radio of one of the access points listed in the access point list.
Monitoring WiFi TDOA Receivers
To monitor Wi-Fi TDOA receivers, follow these steps:
Step 1
Choose Monitor > WiFi TDOA Receivers. The WiFi TDOA Receiver summary page appears showing
all mapped WiFi TDOA receivers.
Step 2
To refine the search criteria when an extensive list appears, you can search by MAC address or location
sensor name.
a.
To initiate a search for a TDOA receiver by its MAC address, click the Advanced Search link in the
Prime Infrastructure. Choose WiFi TDOA Receiver from the Search Category drop-down list and
MAC Address from the Search by drop-down list. Enter the MAC address of the TDOA receiver in
the available text box, and click Search.
b.
To initiate a search for a TDOA receiver by its name, click the Advanced Search link in the Prime
Infrastructure. Choose WiFi TDOA Receiver from the Search Category drop-down list and WiFi
TDOA Receivers from the Search by drop-down list. Enter the name of the TDOA receiver in the
available text box, and click Search.
If no match exists, then a message indicating that appears in the page. Otherwise the search result
displays.
The WiFi TDOA Receivers page displays the following information:
•
MAC Address
•
WiFi TDOA Receiver Name
•
Static IP—Static IP address of the WiFi TDOA receiver.
•
Oper Status—Up or down.
•
Map Location—Click the Map Location link to view the floor map for this WiFi TDOA receiver.
See “Monitoring Floor Area” for more information on the Prime Infrastructure floor maps.
Note
See the “Configuring Wi-Fi TDOA Receivers” section on page 6-194 for more information on adding,
configuring, and editing WiFi TDOA receivers.
Monitoring Media Streams
To monitor the media streams configurations, follow these steps:
Step 1
Choose Monitor > Media Streams. The Media Streams page appears showing the list of media streams
configured across controllers.
The Media Streams page contains a table with the following columns:
•
Stream Name—Media Stream name.
•
Start IP—Starting IP address of the media stream for which the multicast direct feature is enabled.
•
End IP—Ending IP address of the media stream for which the multicast direct feature is enabled.
•
State—Operational state of the media stream.
•
Max Bandwidth—Indicates the maximum bandwidth that is assigned to the media stream.
•
Priority—Indicates the priority bit set in the media stream. The priority can be any number from 1
to 8. A lower value indicates a higher priority. For example, a priority of 1 is highest and a value of
8 is the lowest.
•
Violation—Indicates the action to be performed in case of a violation. The possible values are as
follows:
– Drop—Indicates that a stream is dropped on periodic reevaluation.
– Best Effort—Indicates that a stream is demoted to best-effort class on periodic reevaluations.
•
Policy—Indicates the media stream policy. The possible values are Admit or Deny.
•
Controllers—Indicates the number of controllers that use the specified media stream.
•
Clients—Indicates the number of clients that use the specified media stream.
Step 2
To view the media stream details, click a media stream name in the Stream column. The Media Streams
page appears.
The Media Streams page displays the following group boxes:
•
Media Stream Details—Displays the media stream configuration information. This includes the
Name, Start Address, End Address, Maximum Bandwidth, Operational Status, Average Packet Size,
RRC Updates, Priority, and Violation.
•
Statistics—Displays the number of controllers and number of clients that use the selected media
stream. Click the controller count to access the list of controllers that use the selected media stream.
•
Error—Displays the error, Worst AP, and corresponding floor map for that AP.
•
Client Counts—Displays the number of clients for each period.
•
Failed Client Counts—Displays the number of clients that failed for each period.
Note
The client information is presented in a time-based graph. For graphs that are time-based,
there is a link bar at the top of the graph page that displays 6h, 1d, 1w, 2w, 4w, 3m, 6m, 1y,
and Custom. When selected, the data for that time frame is retrieved and the corresponding
graph is displayed.
Monitoring Radio Resource Management (RRM)
The operating system security solution uses the Radio Resource Management (RRM) function to
continuously monitor all nearby access points and automatically discover rogue access points.
Radio Resource Management (RRM), built into the Cisco Unified Wireless Network, monitors and
dynamically corrects performance issues found in the RF environment.
Prime Infrastructure would receive traps whenever a change in the transmit power of the access point or
channel occurred. These trap events or similar events such as RF regrouping were logged into the Prime
Infrastructure events as informational and were maintained by the event dispatcher. The reason behind
the transmit power or channel changes (such as signals from neighboring access points, interference,
noise, load, and the like) were not evident. You could not view these events and statistics to then perform
troubleshooting practices.
Radio Resource Management (RRM) statistics help to identify trouble spots and provide possible
reasons for channel or power level changes. The dashboard provides network-wide RRM performance
statistics and predicts reasons for channel changes based on grouping the events together (worst
performing access points, configuration mismatch between controllers in the same RF group, coverage
holes that were detected by access points based on threshold, pre-coverage holes that were detected by
controllers, ratios of access points operating at maximum power, and so on).
Note
The RRM dashboard information is only available for lightweight access points.
This section contains the following topics:
•
Channel Change Notifications, page 5-126
•
Transmission Power Change Notifications, page 5-126
•
RF Grouping Notifications, page 5-126
•
Viewing the RRM Dashboard, page 5-126
Channel Change Notifications
Notifications are sent to the Prime Infrastructure RRM dashboard when a channel change occurs.
Channel changes depend on the Dynamic Channel Assignment (DCA) configuration where the mode can
be set to auto or on demand. When the mode is auto, channel assignment is periodically updated for all
lightweight access points which permit this operation. When the mode is set to on demand, channel
assignments are updated based on request. If the DCA is static, no dynamic channel assignments occur,
and values are set to their global default.
When a channel change trap is received and a channel change had occurred earlier, the event is marked
as Channel Revised; otherwise, the event is marked as Channel Changed. Each event for channel change
can be caused by multiple reasons. The reason code is factored and equated to one irrespective of the
number of reasons for the event to occur. For example, suppose a channel change is caused by signal,
interference, or noise. When the reason code is received in the notification, the reason code is refactored
across the reasons. If three reasons caused the event to occur, the reason code is refactored to 1/3 or 0.33
per reason. If ten channel change events are received with the same reason code, all of the three reasons
are equally factored to determine the cause of the channel change.
Transmission Power Change Notifications
Notifications are sent to the Prime Infrastructure RRM dashboard when transmission power changes
occur. Each event for transmit power changes is caused by multiple reasons. The reason code is factored
and equated to one irrespective of the number of reasons for the event to occur.
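The reason-code weighting described for channel change and transmission power change notifications can be worked through in code. This is an added example, not Cisco's implementation: the trap structure, function names, and sample traps are constructed, and tracking "Channel Changed" versus "Channel Revised" per radio is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from fractions import Fraction


@dataclass(frozen=True)
class ChannelChangeTrap:
    received: datetime
    radio: str           # radio MAC address (constructed sample values below)
    reasons: frozenset   # reasons decoded from the trap's reason code


def label_events(traps):
    """First change seen for a radio is 'Channel Changed', later ones are
    'Channel Revised'. Tracking this per radio is an assumption."""
    seen, labelled = set(), []
    for trap in sorted(traps, key=lambda t: t.received):
        label = "Channel Revised" if trap.radio in seen else "Channel Changed"
        seen.add(trap.radio)
        labelled.append((trap.radio, label))
    return labelled


def weighted_causes(traps, now, window):
    """Give every event a total weight of one, split equally over its reasons."""
    totals = defaultdict(Fraction)
    for trap in traps:
        if not trap.reasons or not (now - window <= trap.received <= now):
            continue
        share = Fraction(1, len(trap.reasons))   # three reasons -> 1/3 each
        for reason in trap.reasons:
            totals[reason] += share
    return dict(totals)


def as_percentages(totals):
    """Convert the weights into the percentages a cause chart would plot."""
    events = sum(totals.values())   # equals the number of events counted
    if not events:
        return {}
    return {reason: round(float(weight / events * 100), 2)
            for reason, weight in totals.items()}


# Constructed sample traps; MAC addresses come from the documentation range.
NOW = datetime(2013, 9, 1, 12, 0)
SAMPLE_TRAPS = [
    ChannelChangeTrap(NOW - timedelta(hours=2), "00:00:5e:00:53:01",
                      frozenset({"Signal", "Wifi Interference", "Noise"})),
    ChannelChangeTrap(NOW - timedelta(hours=1), "00:00:5e:00:53:01",
                      frozenset({"Noise"})),
    ChannelChangeTrap(NOW - timedelta(days=3), "00:00:5e:00:53:02",
                      frozenset({"Radar", "Load"})),
    ChannelChangeTrap(NOW - timedelta(days=10), "00:00:5e:00:53:03",
                      frozenset({"Signal"})),
]

if __name__ == "__main__":
    for name, window in (("24-hour", timedelta(hours=24)),
                         ("7-day", timedelta(days=7))):
        print(name, as_percentages(weighted_causes(SAMPLE_TRAPS, NOW, window)))
    print(label_events(SAMPLE_TRAPS))
```

Because each event always contributes a total weight of one, the weights in a window sum to the number of events in that window, so an event with many reasons does not count for more than an event with one.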
RF Grouping Notifications
When RRM is run on the controller, dynamic grouping is done, and a new group leader is chosen.
Dynamic grouping has three modes: Automatic, Off and Leader. When the grouping is Off, no dynamic
grouping occurs, and each switch optimizes only its own lightweight access point parameters. When the
grouping is Automatic, switches form groups and elect leaders to perform better dynamic parameter
optimization. With grouping automatic, configured intervals (in seconds) represent the period with
which the grouping algorithm is run. (Grouping algorithms also run when the group contents change and
automatic grouping is enabled.)
Viewing the RRM Dashboard
Choose Monitor > Radio Resource Management to access the RRM dashboard.
The dashboard is made up of the following parts:
•
The RRM RF Group Summary shows the number of different RF groups.
Note
To get the latest number of RF Groups, you have to run the configuration sync background
task.
•
The RRM Statistics portion shows network-wide statistics.
•
The Channel Change Reason portion shows why channels changed for all 802.11a/b/g/n radios.
– Signal—The channel changed because it improved the channel quality for some other neighbor
radio(s). Improving the channel quality for some other neighbor radio(s) improved the channel
plan of the system as evaluated by the algorithm.
– Wifi Interference
– Load
– Radar
– Noise
– Persistent Non-Wifi Interference
– Major Air Quality Event
– Other
•
The Channel Change shows all events complete with causes and reasons.
•
The Configuration Mismatch portion shows comparisons between leaders and members.
•
The Coverage Hole portion rates how severe the coverage holes are and gives their location.
•
The Percent Time at Maximum Power shows what percent of time the access points were at
maximum power and gives the location of those access points.
The following statistics are displayed:
•
Total Channel Changes—The sum total of channel changes across 802.11a/b/g/n radios, irrespective
of whether the channel was updated or revised. The count is split over a 24-hour and 7-day period.
If you click the percentages link or the link under the 24-hour column, a page with details for that
access point only appears.
•
Total Configuration Mismatches—The total number of configuration mismatches detected over a
24-hour period.
•
Total Coverage Hole Events—The total number of coverage hole events over a 24-hour and 7-day
period.
•
Number of RF Groups—The total number of RF groups (derived from all the controllers which are
currently managed by the Prime Infrastructure).
•
Configuration Mismatch—The configuration mismatch over a 24-hour period by RF group with
details on the group leader.
•
APs at MAX Power—The percentage of access points with 802.11a/n radios as a total percentage
across all access points which are at maximum power. The maximum power levels are preset and are
derived with reference to the preset value.
Note
Maximum power is shown in three areas of the RRM dashboard. This maximum power
portion shows the current value and is poll driven.
•
Channel Change Causes—A graphical bar chart for 802.11a/n radios. The chart is factored based on
the reason for channel change. The chart is divided into two parts, each depicting the percentage of
weighted reasons causing the event to occur over a 24-hour and 7-day period. Each event for channel
change can be caused by multiple reasons, and the weight is equally divided across these reasons.
The net reason code is factored and equated to one irrespective of the number of reasons for the event
to occur.
•
Channel Change - APs with channel changes—Each event for channel change includes the MAC
address of the lightweight access point. For each reason code, you are given the most channel
changes that occurred for the 802.11a/n access point based on the weighted reason for channel
events. This count is split over a 24-hour and 7-day period.
•
Coverage Hole - APs reporting coverage holes—The top five access points filtered by IF Type 11
a/n which triggered a coverage hole event (threshold based) are displayed.
•
Aggregated Percent Max Power APs—A graphical progressive chart of the total percentage of
802.11a/n lightweight access points which are operating at maximum power to accommodate
coverage holes events. The count is split over a 24-hour and 7-day period.
Note
This maximum power portion shows the values from the last 24 hours and is poll driven. This
occurs every 15 minutes or as configured for radio performance.
•
Percent Time at Maximum Power—A list of the top five 802.11a/n lightweight access points which
have been operating at maximum power.
Note
This maximum power portion shows the value from the last 24 hours and is only event
driven.
Monitoring Clients and Users
The Monitor Clients and Users information assists in identifying, diagnosing, and resolving client
issues. Using the Monitor Clients and Users feature, you can view a client association history and
statistical information. You can also troubleshoot client historical issues. These tools are useful when
users complain of network performance as they move throughout a building with their laptop computers.
The information might help you assess what areas experience inconsistent coverage and which areas
have the potential to drop coverage. See the “Managing Clients” section on page 10-513 for more
information.
Monitoring Alarms
This section contains the following topics:
•
Alarms and Events Overview, page 5-129
•
Viewing List of Alarms, page 5-129
•
Filtering Alarms, page 5-130
•
Viewing Alarm Details, page 5-131
•
Viewing Events Related to Alarms, page 5-132
•
Modifying Alarms, page 5-133
•
Modifying the Alarm Browser, page 5-134
•
Viewing the Alarm Summary, page 5-134
•
Modifying Alarm Settings, page 5-135
•
Working with Alarms, page 5-136
•
Monitoring Access Point Alarms, page 5-138
•
Monitoring Air Quality Alarms, page 5-138
•
Monitoring CleanAir Security Alarms, page 5-139
•
Monitoring Email Notifications, page 5-140
•
Monitoring Severity Configurations, page 5-140
•
Monitoring Cisco Adaptive wIPS Alarms, page 5-141
•
Monitoring Cisco Adaptive wIPS Alarm Details, page 5-142
Alarms and Events Overview
An event is an occurrence or detection of some condition in and around the network. For example, it can
be a report about radio interference crossing a threshold, the detection of a new rogue access point, or a
controller rebooting.
Events are not generated by a controller for each and every occurrence of a pattern match. Some pattern
matches must occur a certain number of times per reporting interval before they are considered a
potential attack. The threshold of these pattern matches is set in the signature file. Events can then
generate alarms, which in turn can generate e-mail notifications if so configured.
An alarm is a Prime Infrastructure response to one or more related events. If an event is considered of
high enough severity (critical, major, minor, or warning), the Prime Infrastructure raises an alarm until
the resulting condition no longer occurs. For example, an alarm might be raised while a rogue access
point is detected, but the alarm terminates after the rogue has not been detected for several hours.
One or more events can result in a single alarm being raised. The mapping of events to alarms is their
correlation function. For example, some IDS events are considered to be network wide so all events of
that type (regardless of which access point the event is reported from) map to a single alarm. On the other
hand, other IDS events are client-specific. For these, all events of that type for a specific client MAC
address map to an alarm which is also specific for that client MAC address, regardless of whether
multiple access points report the same IDS violation. If the same kind of IDS violation takes place for a
different client, then a different alarm is raised.
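The two stages described above, per-interval thresholds that turn pattern matches into events and the correlation function that maps events to alarms, can be sketched as follows. This is an added example, not Prime Infrastructure or controller code: the signature names, thresholds, 60-second interval, per-AP counting, and sample matches are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    signature: str
    ap: str
    client_mac: str
    interval_start: datetime


@dataclass
class Alarm:
    key: tuple
    events: int = 0
    reporting_aps: set = field(default_factory=set)


def events_from_matches(matches, thresholds, interval, origin):
    """Emit an event only when a signature's matches reach its threshold
    within one reporting interval (counted per AP and client: an assumption)."""
    counts = Counter()
    for when, signature, ap, client in matches:
        bucket = (when - origin) // interval      # index of the reporting interval
        counts[(signature, ap, client, bucket)] += 1
    events = []
    for (signature, ap, client, bucket), n in sorted(counts.items()):
        if n >= thresholds.get(signature, 1):
            events.append(Event(signature, ap, client, origin + bucket * interval))
    return events


def alarm_key(event, network_wide):
    """Correlation function: one alarm per network-wide signature, or one
    alarm per (signature, client MAC) for client-specific signatures."""
    if event.signature in network_wide:
        return (event.signature,)
    return (event.signature, event.client_mac)


def correlate(events, network_wide):
    alarms = {}
    for event in events:
        key = alarm_key(event, network_wide)
        alarm = alarms.setdefault(key, Alarm(key))
        alarm.events += 1
        alarm.reporting_aps.add(event.ap)   # the reporting AP never changes the key
    return alarms


# Constructed configuration and sample data (hypothetical signature names).
T0 = datetime(2013, 9, 1, 12, 0, 0)
INTERVAL = timedelta(seconds=60)
THRESHOLDS = {"IDS_NETWIDE_EXAMPLE": 3, "IDS_CLIENT_EXAMPLE": 2}
NETWORK_WIDE = {"IDS_NETWIDE_EXAMPLE"}
_RAW = [
    (0, "IDS_NETWIDE_EXAMPLE", "AP1", "00:00:5e:00:53:aa"),
    (10, "IDS_NETWIDE_EXAMPLE", "AP1", "00:00:5e:00:53:aa"),
    (20, "IDS_NETWIDE_EXAMPLE", "AP1", "00:00:5e:00:53:aa"),
    (5, "IDS_NETWIDE_EXAMPLE", "AP2", "00:00:5e:00:53:bb"),
    (15, "IDS_NETWIDE_EXAMPLE", "AP2", "00:00:5e:00:53:bb"),
    (25, "IDS_NETWIDE_EXAMPLE", "AP2", "00:00:5e:00:53:bb"),
    # Three matches split over two intervals: threshold not met in either one.
    (50, "IDS_NETWIDE_EXAMPLE", "AP3", "00:00:5e:00:53:ee"),
    (55, "IDS_NETWIDE_EXAMPLE", "AP3", "00:00:5e:00:53:ee"),
    (65, "IDS_NETWIDE_EXAMPLE", "AP3", "00:00:5e:00:53:ee"),
    (1, "IDS_CLIENT_EXAMPLE", "AP1", "00:00:5e:00:53:aa"),
    (2, "IDS_CLIENT_EXAMPLE", "AP1", "00:00:5e:00:53:aa"),
    (3, "IDS_CLIENT_EXAMPLE", "AP2", "00:00:5e:00:53:aa"),
    (4, "IDS_CLIENT_EXAMPLE", "AP2", "00:00:5e:00:53:aa"),
    (6, "IDS_CLIENT_EXAMPLE", "AP1", "00:00:5e:00:53:cc"),
    (7, "IDS_CLIENT_EXAMPLE", "AP1", "00:00:5e:00:53:cc"),
    (8, "IDS_CLIENT_EXAMPLE", "AP2", "00:00:5e:00:53:dd"),   # single match
]
SAMPLE_MATCHES = [(T0 + timedelta(seconds=s), sig, ap, mac)
                  for s, sig, ap, mac in _RAW]

if __name__ == "__main__":
    found = events_from_matches(SAMPLE_MATCHES, THRESHOLDS, INTERVAL, T0)
    for key, alarm in correlate(found, NETWORK_WIDE).items():
        print(key, alarm.events, sorted(alarm.reporting_aps))
```

With the constructed data, sixteen pattern matches produce five events and three alarms: one for the network-wide signature and one each for two client MAC addresses.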
A Prime Infrastructure administrator currently has no control over which events generate alarms or when
they time out. On the controller, individual types of events can be enabled or disabled (such as
management, SNMP, trap controls, and so on).
Viewing List of Alarms
Choose Monitor > Alarms to access the Alarm Browser page which provides a list of alarms. You can
also hover your mouse cursor over Alarm Browser on the toolbar at the bottom of the Prime
Infrastructure page to view the Alarm Browser page.
The Alarm Browser lists the following information for each alarm:
•
Severity—Severity of the alarm which can be:
– Critical
– Major
– Minor
– Warning
– Informational
•
Status—Status of the alarm.
•
Timestamp—Date and time that the alarm occurred.
•
Category—Category assigned to the alarm such as rogue AP, controller, switch, and security.
•
Condition—Condition that caused the alarm.
•
Owner—Name of the person to whom this alarm is assigned, if one was entered.
•
Message—Messages about the alarm.
•
Failure Source—Indicates the source of the event (including name and/or MAC address).
Note
By default, acknowledged alarms are not shown in the Alarm Browser page. To change this, choose
Administration > Settings > Alarms, then unselect the Hide Acknowledged Alarms check box. You
must unselect the preference of hiding acknowledged alarms if you want acknowledged alarms to show
in the Prime Infrastructure Alarm Summary and alarms lists page.
Use the check box to select one or more alarms. To select all alarms displayed in the Alarm Browser,
click the topmost box. See the “Modifying Alarms” section on page 5-133 for more information.
Filtering Alarms
In the Monitor > Alarms page, you can filter the alarms that are displayed in the Alarm Browser.
Choose Monitor > Alarms, then from the Show drop-down list, select one of the following filters:
•
Quick Filter—Enter text in any of the boxes to display alarms that contain the text you enter. For
example, if you enter AP in the Category field, AP and Rogue AP alarms are displayed. It provides
an optional filtered view of alarms for wired and wireless alarms.
•
Advance Filter—This filter provides an advanced alarm search capability. It provides the ability to
search on specific fields with various conditions such as contains, does not contain, starts with, ends
with, and so on. Additionally, advanced filters allow nesting of AND/OR conditions. Select the
category and operator, enter criteria in the text field to compare against, then do the following:
– Click + to add an additional filter or - to remove a filter you specified.
– Click Go to apply your filter.
– Click Clear Filter to clear the entries you entered.
– Click the disc icon to save your filter. Enter a name for the filter you want to save, then click
Save.
Note
When you select a preset filter and click the filter button, the filter criteria are dimmed. You can
only see the filter criteria but you cannot change them. When All is selected to view all the entries,
clicking the filter button shows the Quick Filter options, where you can filter the data using the
filterable fields. You can also use the free-form box to enter text to filter the table.
•
All—Displays all alarms.
•
Manage Preset Filter—Displays any previously saved filters and allows you to edit and delete
previously saved filters.
•
Assigned to Me—Displays all alarms assigned to you.
•
Unassigned Alarms—Displays all unassigned alarms.
•
Alarms in Last 5 Minutes
•
Alarms in Last 15 Minutes
•
Alarms in Last 30 Minutes
•
Alarms in the last hour
Cisco Prime Infrastructure Classic View Configuration Guide for Wireless Devices
5-130
OL-27653-02
Chapter 5
Monitoring Devices
Monitoring Alarms
•
Alarms in the last 8 hours
•
Alarms in the last 24 hours
•
Alarms in last 7 days
•
All wired alarms—Displays all alarms for wired devices.
•
All wireless alarms—Displays all alarms for wireless devices.
Exporting Alarms
You can quickly export the list of alarms into a CSV file (a spreadsheet format with comma-separated
values).
Note
Only the columns that are shown in the alarms table are exported to the CSV file.
To export the list of alarms, follow these steps:
Step 1 Choose Monitor > Alarms.
Step 2 Click the icon on the toolbar. A pop-up window appears.
Step 3 In the File Download window, click Save to save the file.
Viewing Alarm Details
You can view alarm details in the Monitor > Alarms page by clicking the expand icon to the far left of
the Monitor > Alarms page for the alarm for which you want to see details. The details that are displayed
depend on the alarm type you selected (see Table 5-64).
Table 5-64 Viewing Alarm Details

| Section | Field | Description |
|---|---|---|
| General Info (1) | Failure Source | Indicates the source of the event (including name and/or MAC address). |
| | Owner | Name of person to which this alarm is assigned, or blank. |
| | Acknowledged | Displays whether or not the alarm is acknowledged by the user. |
| | Category | The category of the alarm (for example, AP, Rogue AP, or Security). |
| | Created | Month, day, year, hour, minute, second, AM or PM alarm created. |
| | Modified | Month, day, year, hour, minute, second, AM or PM alarm last modified. |
| | Generated By | Device that generated the alarm. |
| | Severity | Level of security: Critical, Major, Minor, Warning, Clear, Info. |
| | Previous Severity | The severity of the alarm after the most recent polling cycle. |
| Device Info | Device Name | Name of the device. |
| | Device Address | IP address of the device. |
| | Device Contact | Contact information for the device. |
| | Device Location | Location of the device. |
| | Device Status | Status of the device. |
| Messages | | Device information retrieved from log messages. |
| Annotation | | Lists current notes regarding this rogue access point. To add a new note, click New Annotation. Type the note and click Post to save and display the note or Cancel to close the page without saving the note. |

1. The General information might vary depending on the type of alarm. For
example, some alarm details might include location and switch port tracing
information.
In the Alarms list page, you can also view the events for the alarm you selected as explained in the
“Viewing Events Related to Alarms” section on page 5-132.
Viewing Events Related to Alarms
When you choose Monitor > Alarms, you can view alarm summary information by hovering your
mouse cursor over an alarm severity in the Severity column and clicking the icon that appears.
A dialog appears displaying the top 5 events related to the alarm you selected.
Click Events to display all events associated with the selected alarm.
Modifying Alarms
In the Monitor > Alarms page, you can modify the alarms by selecting the check box next to an alarm
and then clicking one of the tasks at the top of the Alarm Browser page:
Note
The alarms that appear in the Monitor > Alarms page depend on the settings you specify on the
Administration > Settings page. See the “Modifying Alarm Settings” section on page 5-135 for more
information.
• Change Status—Change the alarm status to one of the following:
– Acknowledge—You can acknowledge the alarm. By default, acknowledged alarms are not
displayed in the Alarm Browser page. Acknowledged alarms remain in the Prime Infrastructure
and you can search for all acknowledged alarms using the alarm search functionality. See the
“Acknowledging Alarms” section on page 5-137 for more information.
– Unacknowledge—You can choose to unacknowledge an already acknowledged alarm.
– Clear—Clear the selected alarm(s). The alarm is removed from the Alarm Browser. Cleared
alarms remain in the Prime Infrastructure and you can search for all cleared alarms using the
alarm search functionality.
Note
Once the severity is Clear, the alarm is deleted from the Prime Infrastructure after 30 days
by default. You can modify this setting in the Administration > Settings page.
• Assign—For the selected alarm, you can do the following:
– Assign to me—Assigns the alarm to the specified user.
– Unassign—Removes the specified owner from the alarm.
• Annotation—Enter an annotation for the selected alarm, then click Post. The annotation you entered
appears when you view the alarm details.
• Delete—Delete the selected alarm(s). Indicates that the alarm is no longer detected by any device.
Specifying Email Notifications for Alarms
In the Monitor > Alarms page, you can set up e-mail notifications for alarms based on the alarm category
and severity level.
Step 1 Choose Monitor > Alarms, then click Email Notification.
Step 2 Select the Enable check box next to the alarm category for which you want to set up e-mail notifications,
then click Save.
Prime Infrastructure sends e-mail notifications when alarms for the categories you specified occur.
Modifying the Alarm Browser
Choose Monitor > Alarms to view a list of alarms. You can also click Alarm Browser on the toolbar
at the bottom of the Prime Infrastructure home page. You can modify the following information
displayed in the Alarm Browser:
• To reorder the columns, drag and drop the column headings into any position.
• Click a column heading to sort the information by that column. By default, the column is sorted in
descending order. Click the column heading again to sort the column in ascending order.
Note
Not every column is sortable. Hover your mouse cursor over a column heading, and the Prime
Infrastructure displays whether the column is sortable.
• To customize which columns are displayed, click the Settings icon, then click Columns. Select the
check box next to columns you want to appear, and unselect the boxes for the columns you do not
want to appear in the Alarm Browser page.
Viewing the Alarm Summary
When the Prime Infrastructure receives an alarm message from a controller, switch, or Prime
Infrastructure, it displays an alarm indicator in the Alarm Summary. The Alarm Summary is at the
bottom of the Prime Infrastructure home page and displays the total count of critical, major, and minor
alarms currently detected by the Prime Infrastructure. Hover your mouse cursor over the Alarm
Summary, and the alarm details are displayed.
Note
The alarms that appear in the Alarm Summary and Monitor > Alarms pages depend on the settings you
specify in the Administration > Settings page. By default, acknowledged alarms are not shown. See the
“Modifying Alarm Settings” section on page 5-135 for more information.
Alarms are color coded as follows:
• Red—Critical Alarm
• Orange—Major Alarm
• Yellow—Minor Alarm
Alarms indicate the current fault or state of an element, and alarms are usually generated by one or more
events. The alarm can be cleared but the event remains. See the “Alarms and Events Overview” section
on page 5-129 for more information about alarms.
Note
By default, alarm counts refresh every minute. You can modify when alarms are refreshed in the
Administration > User Preferences page.
When you hover your mouse cursor over the Alarm Summary, a pop-up page appears listing the number
of critical, major, and minor alarms for each alarm category. You can specify which alarm categories
are displayed in the Alarm Summary on the Administration > User Preferences page. By default, all
categories are displayed:
• Alarm Summary—Displays a summary of the total alarms for all alarm categories.
• AP—Displays counts for AP alarms such as AP Disassociated from controller, Thresholds violation
for Load, Noise or Interference, AP Contained as Rogue, AP Authorization Failure, AP regulatory
domain mismatch, or Radio card Failure.
• Context Aware Notifications
• Controller—Displays counts for controller alarms, such as reachability problems from the Prime
Infrastructure and other controller failures (fan failure, POE controller failure, AP license expired,
link down, temperature sensor failure, and low temperature sensed).
• Coverage Hole—Displays counts for coverage hole alarms generated for access points whose clients
are not having enough coverage set by thresholds. See the “Monitoring Maps” section on page 6-153
for more information.
• Mesh Links—Displays counts for mesh link alarms, such as poor SNR, console login, excessive
parent change, authorization failure, or excessive association failure.
• Mobility Services—Displays counts for location alarms such as reachability problems from the
Prime Infrastructure and location notifications (In/Out Area, Movement from Marker, or Battery
Level).
• Prime Infrastructure—Displays counts for the Prime Infrastructure alarms.
• Performance—Displays counts for performance alarms.
• Rogue AP—Displays counts for malicious rogue access point alarms.
• Rogue Adhoc—Displays counts for unclassified rogue access point alarms.
• Security—Displays counts for security alarms such as Signature Attacks, AP Threats/Attacks, and
Client Security Events.
• Switch—Displays counts for switch alarms such as authentication errors.
Modifying Alarm Settings
You can modify the following settings for alarms:
• Alarm count refresh rate—See the “Modifying Alarm Count Refresh Rate” section on page 5-135.
• Alarm severity levels—See the “Configuring Alarm Severity Levels” section on page 5-135.
Modifying Alarm Count Refresh Rate
By default, alarm counts refresh every minute. You can modify the refresh rate by selecting
Administration > User Preferences, and then choosing a new value for the Refresh Alarm Count from
the Alarm Summary Every menu.
Configuring Alarm Severity Levels
The Administration > Settings > Severity Configuration page allows you to change the severity level for
newly generated alarms.
Note
Existing alarms remain unchanged.
To reconfigure the severity level for a newly generated alarm, follow these steps:
Step 1 Choose Administration > Settings.
Step 2 From the left sidebar menu, choose Severity Configuration.
Step 3 Select the check box of the alarm condition whose severity level you want to change.
Step 4 From the Configure Security Level drop-down list, choose from the following severity levels:
• Critical
• Major
• Minor
• Warning
• Informational
• Reset to Default
Step 5 Click Go.
Step 6 Click OK to confirm the change or Cancel to leave the security level unchanged.
Working with Alarms
You can view, assign, and clear alarms and events on access points and mobility services engine using
the Prime Infrastructure.
This section also describes how to have e-mail notifications of alarms sent to you and contains the
following topics:
• Assigning and Unassigning Alarms, page 5-136
• Deleting and Clearing Alarms, page 5-137
• Acknowledging Alarms, page 5-137
Assigning and Unassigning Alarms
To assign an alarm to yourself, or to unassign one, follow these steps:
Step 1 Perform an advanced search for access point alarms.
Step 2 Select the alarms that you want to assign to yourself by selecting their corresponding check boxes.
Note
To unassign an alarm assigned to you, unselect the check box next to the appropriate alarm. You
cannot unassign alarms assigned to others.
Step 3 From the Select a command drop-down list, choose Assign to Me (or Unassign), and click Go.
If you choose Assign to Me, your username appears in the Owner column. If you choose Unassign, the
username column is empty.
Deleting and Clearing Alarms
To delete or clear an alarm from a mobility services engine, follow these steps:
Step 1 In the Monitor > Alarms page, select the alarms that you want to delete or clear by selecting their
corresponding check boxes.
Note
If you delete an alarm, the Prime Infrastructure removes it from its database. If you clear an
alarm, it remains in the Prime Infrastructure database, but in the Clear state. You clear an alarm
when the condition that caused it no longer exists.
Step 2 From the Select a command drop-down list, choose Delete or Clear, and click Go.
Note
To set up cleanup of old alarms and cleared alarms, choose Administration > Settings > Alarms. See
the “Alarm and Event Dictionary” section on page 13-713 for more information.
Acknowledging Alarms
You might want certain alarms to be removed from the Alarms List. For example, if you are continuously
receiving an interference alarm from a certain access point on the 802.11g interface, you might want to
stop that access point from being counted as an active alarm on the Alarm Summary page or any alarms
list. In this scenario, you can find the alarm for the 802.11g interface in the Alarms list, select the check
box, and choose Acknowledge from the Select a command drop-down list.
Now if the access point generates a new violation on the same interface, the Prime Infrastructure does
not create a new alarm, and the Alarm Summary page shows no new alarms. However, if the interference
violation is created on another interface, such as 802.11a, a new alarm is created.
By default, acknowledged alarms are not displayed in either the Alarm Summary page or any alarm list
page. Also, no e-mail messages are generated for these alarms after you have marked them as acknowledged.
By default, acknowledged alarms are not included for any search criteria. To change this default, go
to the Administration > Settings > Alarms page and unselect the Hide Acknowledged Alarms check
box.
When you acknowledge an alarm, the following warning appears as a reminder that a recurrence of the
problem does not generate another alarm unless this functionality is disabled.
Note
When you acknowledge an alarm, a warning displays as a reminder that a recurrence of the problem does
not generate another alarm unless this functionality is disabled. Choose Administration > User
Preferences to disable this warning message.
You can also search for all previously acknowledged alarms to reveal the alarms that were acknowledged
during the last seven days. Prime Infrastructure automatically deletes cleared alerts that are more than
seven days old so your results can only show activity for the last seven days. Until an existing alarm is
deleted, a new alarm cannot be generated for any managed entity for which the Prime Infrastructure has
already generated an alarm.
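Because acknowledged alarms drop out of the Alarm Summary, stop generating e-mail, and suppress new alarms for the same condition, it is worth reviewing an exported CSV for acknowledged security-related alarms and for high-severity alarms that nobody owns. The following Python script is an added example, not part of the Cisco guide or of Prime Infrastructure. The column names, the Yes/No values, and the sample rows are assumptions based on the field labels in this chapter, and the export is assumed to have been taken with the Hide Acknowledged Alarms check box unselected.

```python
import csv
import io

# Assumed column names, taken from the field labels used in this guide.
# Adjust them to match the header row of your own export.
REQUIRED_COLUMNS = ("Severity", "Failure Source", "Owner", "Category", "Acknowledged")

# Categories whose acknowledged alarms deserve a second look (assumed spelling).
SECURITY_CATEGORIES = {"security", "rogue ap"}
HIGH_SEVERITIES = {"critical", "major"}

# Constructed sample data, not output from a real Prime Infrastructure server.
SAMPLE_EXPORT = """\
Severity,Failure Source,Owner,Date/Time,Message,Category,Acknowledged
Critical,AP example-ap-01,,9/2/13 10:15:00 AM,Constructed message 1,Security,Yes
Major,AP example-ap-02,alice,9/2/13 10:20:00 AM,Constructed message 2,AP,No
Critical,Controller example-wlc-01,,9/2/13 10:25:00 AM,Constructed message 3,Controller,No
Minor,AP example-ap-03,,9/2/13 10:30:00 AM,Constructed message 4,Rogue AP,yes
Warning,AP example-ap-04,bob,9/2/13 10:35:00 AM,Constructed message 5,Security,No
"""


def _cell(row, name):
    """Return a trimmed cell value, tolerating short rows (missing cells)."""
    return (row.get(name) or "").strip()


def _is_yes(value):
    """Interpret the Acknowledged cell; the accepted spellings are an assumption."""
    return value.lower() in {"yes", "y", "true"}


def audit_alarm_export(csv_text):
    """Review an exported alarm list.

    Returns a dict with two lists of failure sources:
      acknowledged_security  - acknowledged alarms in security-related categories,
                               which no longer raise new alarms or e-mail
      unowned_high_severity  - unacknowledged Critical/Major alarms with no owner
    Raises ValueError when a needed column was not displayed at export time,
    because only the columns shown in the alarms table are exported.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [name for name in REQUIRED_COLUMNS if name not in header]
    if missing:
        raise ValueError(
            "export lacks columns: " + ", ".join(missing)
            + "; display them in the Alarm Browser and export again"
        )

    acknowledged_security = []
    unowned_high_severity = []
    for row in reader:
        category = _cell(row, "Category").lower()
        severity = _cell(row, "Severity").lower()
        acknowledged = _is_yes(_cell(row, "Acknowledged"))
        owner = _cell(row, "Owner")
        source = _cell(row, "Failure Source")

        if acknowledged and category in SECURITY_CATEGORIES:
            acknowledged_security.append(source)
        if not acknowledged and not owner and severity in HIGH_SEVERITIES:
            unowned_high_severity.append(source)

    return {
        "acknowledged_security": acknowledged_security,
        "unowned_high_severity": unowned_high_severity,
    }


if __name__ == "__main__":
    findings = audit_alarm_export(SAMPLE_EXPORT)
    for name, sources in findings.items():
        print(name)
        for source in sources:
            print("  " + source)
```
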
Monitoring Access Point Alarms
The Access Point Alarms page displays the access point based alarms on your network.
To access the AP alarms page, do one of the following:
• Perform a search for AP alarms.
• Click the Access Point number link in the Alarm Summary box.
The Monitor AP Alarms page contains the following fields:
• Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
• Failure Source—Device that generated the alarm.
• Owner—Name of the person to which this alarm is assigned, or blank.
• Date/Time—The time at which the alarm was generated.
• Message—The associated message displayed in the Prime Infrastructure alarm browser.
• Category—Indicates the category assigned to the alarm such as rogue AP, controller, switch, and
security.
• Condition—Condition that caused the alarm.
• Acknowledged—Displays whether or not the alarm is acknowledged by the user. See the
“Acknowledging Alarms” section on page 5-137 for more information.
Monitoring Air Quality Alarms
The Air Quality Alarms page displays air quality alarms on your network.
To access the air quality alarms page, do one of the following:
• Perform a search for Performance alarms.
• Click the Performance number link in the Alarm Summary box.
The Monitor Air Quality Alarms page contains the following fields:
• Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
• Failure Source—Device that generated the alarm.
• Owner—Name of the person to which this alarm is assigned, or blank.
• Date/Time—The time at which the alarm was generated.
• Message—The associated message displayed in the Prime Infrastructure alarm browser.
• Acknowledged—Displays whether or not the alarm is acknowledged by the user. See the
“Acknowledging Alarms” section on page 5-137 for more information.
Select a command Menu
Select one or more alarms by selecting their respective check boxes, choose one of the following
commands from the Select a command drop-down list, and click Go.
• Assign to me—Assign the selected alarm(s) to the current user.
• Unassign—Unassign the selected alarm(s).
• Clear—Clear the selected alarm(s).
• Delete—Delete the selected alarm(s).
• Acknowledge—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page.
See the “Acknowledging Alarms” section on page 5-137 for more information.
Note
The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms
using the alarm search functionality.
• Unacknowledge—Unacknowledge an already acknowledged alarm.
• Email Notification—Takes you to the All Alarms > Email Notification page to view and configure
e-mail notifications. See the “Monitoring RFID Tags” section on page 5-115 for more information.
Monitoring CleanAir Security Alarms
The CleanAir Security Alarms page displays security alarms on your network.
To access the security alarms page, do one of the following:
• Perform a search for Security alarms.
• Click the Security number link in the Alarm Summary box.
The Monitor CleanAir Security Alarms page contains the following fields:
• Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
• Failure Source—Device that generated the alarm.
• Owner—Name of the person to which this alarm is assigned, or blank.
• Date/Time—The time at which the alarm was generated.
• Message—The associated message displayed in the Prime Infrastructure alarm browser.
• Acknowledged—Displays whether or not the alarm is acknowledged by the user. See the
“Acknowledging Alarms” section on page 5-137 for more information.
Select a command Menu
Select one or more alarms by selecting their respective check boxes, choose one of the following
commands from the Select a command drop-down list, and click Go.
• Assign to me—Assign the selected alarm(s) to the current user.
• Unassign—Unassign the selected alarm(s).
• Clear—Clear the selected alarm(s).
• Delete—Delete the selected alarm(s).
• Acknowledge—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page.
See the “Acknowledging Alarms” section on page 5-137 for more information.
Note
The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms
using the alarm search functionality.
• Unacknowledge—Unacknowledge an already acknowledged alarm.
• Email Notification—Takes you to the All Alarms > Email Notification page to view and configure
e-mail notifications. See the “Monitoring RFID Tags” section on page 5-115 for more information.
Monitoring Email Notifications
Prime Infrastructure includes a built-in e-mail notification function which can notify the network
operator when critical alarms occur.
The Email Notification page allows you to add a filter for each alert category. The severity level is set to
critical by default when the alert category is enabled, but you can choose a different severity level for
different categories. E-mail notifications are generated only for the severity levels that are configured.
To configure e-mail notifications, follow these steps:
Step 1 Choose Monitor > Alarms from Classic View.
or
Choose Operate > Alarms & Events from Life Cycle View.
Step 2 From the Select a command drop-down list, choose Email Notification.
Step 3 Click Go.
Step 4 Click an Alarm Category to edit severity level and e-mail recipients for its e-mail notifications.
Step 5 Select the severity level check box(es) (Critical, Major, Minor, or Warning) for which you want a
notification sent.
Step 6 Enter the notification recipient e-mail addresses in the To text box.
Note
Separate multiple e-mail addresses with a comma.
Step 7 Click OK.
Step 8 Select the Enabled check box for applicable alarm categories to activate the delivery of e-mail
notifications.
Step 9 Click OK.
Monitoring Severity Configurations
You can change the severity level for newly generated alarms.
Note
Existing alarms remain unchanged.
To change the severity level of newly-generated alarms, follow these steps:
Step 1 Choose Administration > Settings.
Step 2 Choose Severity Configuration from the left sidebar menu.
Step 3 Select the check box of the alarm condition for which you want to change the severity level.
Step 4 From the Configure Severity Level drop-down list, choose the new severity level (Critical, Major, Minor,
Warning, Informational, Reset to Default).
Step 5 Click Go.
Step 6 Click OK to confirm the change.
Monitoring Cisco Adaptive wIPS Alarms
Alarms from Cisco Adaptive wIPS DoS (denial of service) and security penetration attacks are classified
as security alarms. You can view these wIPS alarms and their details in the Monitor > Alarms page.
To view a list of wIPS DoS and security penetration attack alarms, follow these steps:
Step 1 Perform a search for Security alarms using the Advanced Search feature.
The following information is provided for wIPS alarms:
• Severity—Severity levels include critical, major, info, warning, and clear.
• Failure Object—Displays the name and IP or MAC address of the object for which the alarm was
generated. Click the Failure Object to view alarm details. See the “Monitoring Cisco Adaptive wIPS
Alarm Details” section on page 5-142 for more information on viewing wIPS alarm details.
• Date/Time—Displays the date and time that the alarm occurred.
• Message—Displays a message explaining why the alarm occurred (such as the applicable wIPS
policy).
• Acknowledged—Displays whether or not the alarm is acknowledged by the user.
• Category—Indicates the category of this alarm such as Security.
• Condition—Displays a description of what caused this alarm to be triggered.
When there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll
arrow on each side. Use this to view additional alarms.
To add, remove, or reorder columns in the table, click the Edit View link to go to the Edit View page.
Select a command
Using the Select a command drop-down list, you can perform the following actions on the selected
alarms:
• Assign to me—Assign the selected alarm(s) to the current user.
• Unassign—Unassign the selected alarm(s).
• Delete—Delete the selected alarm(s).
• Clear—Clear the selected alarm(s).
• Acknowledge—You can acknowledge the alarm to prevent it from showing up in the Alarm
Summary page. The alarm remains in the Prime Infrastructure and you can search for all
Acknowledged alarms using the alarm search functionality.
• Unacknowledge—You can choose to unacknowledge an already acknowledged alarm.
• Email Notification—Takes you to the All Alarms > Email Notification page to view and configure
e-mail notifications.
To perform an action on the selected alarm, follow these steps:
Step 1 Select an alarm by selecting its check box.
Step 2 From the Select a command drop-down list, select the applicable command.
Step 3 Click Go.
Monitoring Cisco Adaptive wIPS Alarm Details
Choose Monitor > Alarms > failure object to view details of the selected Cisco wIPS alarm. The
following Alarm details are provided for Cisco Adaptive wIPS alarms:
• General
– Detected By wIPS AP—The access point that detected the alarm.
– wIPS AP IP Address—The IP address of the wIPS access point.
– Owner—Name of person to which this alarm is assigned or left blank.
– Acknowledged—Displays whether or not the alarm is acknowledged by the user.
– Category—For wIPS, the alarm category is Security.
– Created—Month, day, year, hour, minute, second, AM or PM that the alarm was created.
– Modified—Month, day, year, hour, minute, second, AM or PM that the alarm was last modified.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
  NMS (Network Management System - Prime Infrastructure)—Generated through polling.
  Prime Infrastructure periodically polls the controllers and generates events. Prime
  Infrastructure generates events when the traps are disabled or when the traps are lost for those
  events. In this case, “Generated by” is NMS.
  Trap—Generated by the controller. Prime Infrastructure processes these traps and raises
  corresponding events for them. In this case, “Generated by” is Controller.
– Severity—Level of severity including critical, major, info, warning, and clear.
– Last Disappeared—The date and time that the potential attack last disappeared.
– Channel—The channel on which the potential attack occurred.
– Attacker Client/AP MAC—The MAC address of the client or access point that initiated the
attack.
– Attacker Client/AP IP Address—The IP address of the client or access point that initiated the
attack.
– Target Client/AP IP Address—The IP address of the client or access point targeted by the
attacker.
– Controller IP Address—The IP address of the controller to which the access point is associated.
– MSE—The IP address of the associated mobility services engine.
– Controller MAC address—The MAC address of the controller to which the access point is
associated.
– wIPS access point MAC address
– Forensic File
– Event History—Takes you to the “Monitoring Alarms” page to view all events for this alarm.
• Annotations—Enter any new notes in this text box, and click Add to update the alarm. Notes are
displayed in the “Annotations” display area.
• Messages—Displays information about the alarm.
• Audit Report—Click to view config audit alarms details. This report is only available for Config
Audit alarms.
Configuration audit alarms are generated when audit discrepancies are enforced on config groups.
Note
If enforcement fails, a critical alarm is generated on the config group. If enforcement
succeeds, a minor alarm is generated on the config group.
The alarms have links to the audit report where you can view a list of discrepancies for each
controller.
• Rogue Clients—If the failure object is a rogue access point, information about rogue clients is
displayed.
Select a command
Select one or more alarms by selecting their respective check boxes, and click Go.
• Assign to me—Assign the selected alarm(s) to the current user.
• Unassign—Unassign the selected alarm(s).
• Delete—Delete the selected alarm(s).
• Clear—Clear the selected alarm(s).
• Acknowledge—You can acknowledge the alarm to prevent it from showing up in the Alarm
Summary page. The alarm remains in the Prime Infrastructure and you can search for all
Acknowledged alarms using the alarm search functionality.
• Unacknowledge—You can choose to unacknowledge an already acknowledged alarm.
• Email Notification—Takes you to the All Alarms > Email Notification page to view and configure
e-mail notifications.
• Event History—Takes you to the Monitor Alarms > Events page to view events for Rogue Alarms.
Monitoring Events
One or more events might generate an abnormal state or alarm. The alarm can be cleared, but the event
remains. Choose Monitor > Events to access the Events page, which displays the following information:
• Description—Describes the event details.
• Time—Indicates the date and time the event was generated.
• Severity—Event severities include: Critical, Major, Minor, Warning, Cleared, or Information.
• Failure Source—Indicates the source of the event (including name and/or MAC address).
• Category—Type of event such as Rogue AP, Security, or AP.
Click any column heading to sort by that column.
Use the quickview icon to disclose more information on the event. The additional information for the
event is divided into general information and the message. The general information includes the failure
source, the category, severity, generated time, and IP address. The message of the event is also displayed.
Note
Events also have preset, quick, and advanced filters similar to alarms. These filters work in the same
way as the filters in alarms.
When you filter the table using the Search feature, the Events page might display the additional
information. The additional information includes the following:
• Coverage Hole Events
– Access Point Name
– Failed Clients—Number of clients that failed due to the coverage hole.
– Total Clients—Total number of clients affected by the coverage hole.
– Radio Type—The radio type (802.11b/g or 802.11a) of the applicable access point.
– Coverage Threshold
• Rogue AP Events
– Vendor—Rogue access point vendor name or Unknown.
– Classification Type—Indicates the type of rogue access point including Malicious, Friendly, or
Unclassified.
– On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the
following: Traced but not found, Traced and found, Not traced.
– Radio Type—Lists all radio types applicable to this rogue access point.
– State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert,
Internal, External, Contained, Contained Pending, and Removed.
– SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID
is not broadcast.)
Note
See the “Monitoring Rogue Alarm Events” section on page 5-111 or the “Viewing Rogue
AP Event Details” section on page 5-111 for more information on rogue access points
events.
• Adhoc Rogue Events
– Vendor—Rogue access point vendor name or Unknown.
– On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the
following: Traced but not found, Traced and found, Not traced.
– Radio Type—Lists all radio types applicable to this rogue access point.
– State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert,
Internal, External, Contained, Contained Pending, and Removed.
– SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID
is not broadcast.)
• Interference
– Detected By—IP address of the device that detected the interference.
– ID—ID of the device that detected the interference.
• Mesh Links
• Client
• Context Aware Notification
• Pre Coverage Hole
– Client MAC Address—MAC address of the client affected by the Pre Coverage Hole.
– AP MAC Address—MAC address of the applicable access point.
– Radio Type—The radio type (802.11b/g or 802.11a) of the applicable access point.
– Power Level—Access Point transmit power level (1 = Maximum power allowed per Country
Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, 5 = 0.195 to 6.25%
power).
– Client Type—Client type can be laptop(0), pc(1), pda(2), dot11mobilephone(3),
dualmodephone(4), wgb(5), scanner(6), tabletpc(7), printer(8), projector(9),
videoconfsystem(10), camera(11), gamingsystem(12), dot11deskphone(13), cashregister(14),
radiotag(15), rfidsensor(16), server(17)
– WLAN Coverage Hole Status
If there is more than one page of events, the number of pages is displayed with a scroll arrow on each
side. Use this to view additional events.
This section contains the following topics:
•
Searching Events
•
Monitoring Failure Objects
•
Monitoring Events for Rogue APs
•
Viewing Ad hoc Rogue Event Details
•
Monitoring Cisco Adaptive wIPS Events
•
Working with Events
Searching Events
Use the Prime Infrastructure Search feature to find specific events or to create and save custom searches.
See the Search Methods section in the Cisco Prime Infrastructure 2.0 User Guide for additional
information.
Exporting Events
You can quickly export the list of events into a CSV file (a spreadsheet format with comma-separated
values).
Note
Only the columns that are shown in the events table are exported to the CSV file.
To export the list of events, follow these steps:
Step 1
Choose Monitor > Events.
Step 2
Click the icon on the toolbar. A pop-up window appears.
Step 3
In the File Download window, click Save to save the file.
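An exported events file can be triaged offline. The following is an added example, not part of the Cisco guide or product: it ranks rogue AP events from an export using the fields described under Rogue AP Events. The column headers are assumed to match those field labels, and the sample rows and scoring weights are constructed for illustration.

```python
import csv
import io

# Constructed sample export (not real data). The header names are an
# assumption: they mirror the field labels listed under "Rogue AP Events".
SAMPLE_CSV = """\
Severity,Failure Source,Date/Time,Vendor,Classification Type,Controller,Switch Port Trace,Radio Type,State,SSID
Minor,Rogue AP 00:00:5e:00:53:01,2013-09-02 10:15:00,Unknown,Unclassified,No,Not traced,802.11b/g,Alert,guest-wifi
Critical,Rogue AP 00:00:5e:00:53:02,2013-09-02 10:20:00,Unknown,Malicious,Yes,Traced and found,802.11a,Threat,
Minor,Rogue AP 00:00:5e:00:53:03,2013-09-02 10:25:00,ExampleVendor,Friendly,No,Traced but not found,802.11b/g,Internal,lab
Major,Rogue AP 00:00:5e:00:53:04,2013-09-02 10:30:00,Unknown,Unclassified,No,Traced and found,802.11b/g,Contained,corp
Minor,Rogue AP 00:00:5e:00:53:05,2013-09-02 10:35:00,Unknown,Malicious,No,Not traced,802.11a,Removed,old-ap
"""

# Columns the triage cannot work without.
REQUIRED = ("Failure Source", "Classification Type", "State")


def triage_rogue_events(csv_text):
    """Return [(score, failure_source, reasons)] sorted by descending score."""
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = {(h or "").strip() for h in (reader.fieldnames or [])}
    missing = [c for c in REQUIRED if c not in headers]
    if missing:
        # Only columns shown in the events table are exported, so a hidden
        # column silently disappears from the file; fail loudly instead.
        raise ValueError("export lacks columns: " + ", ".join(missing))

    findings = []
    for raw in reader:
        # Trim whitespace; ignore overflow cells and fill short rows with "".
        row = {k.strip(): (v or "").strip()
               for k, v in raw.items() if isinstance(k, str)}
        state = row["State"].lower()
        if state == "removed":
            continue  # rogue is no longer being detected

        score, reasons = 0, []
        classification = row["Classification Type"].lower()
        if classification == "malicious":
            score += 3
            reasons.append("classified Malicious")
        elif classification == "unclassified":
            score += 1
            reasons.append("not yet classified")

        # "On Network" evidence: controller detection or a successful trace.
        if (row.get("Controller", "").lower() == "yes"
                or row.get("Switch Port Trace", "").lower() == "traced and found"):
            score += 3
            reasons.append("detected on the network")

        if state in ("threat", "alert"):
            score += 2
            reasons.append("state " + row["State"])
        elif state in ("contained", "contained pending"):
            reasons.append("containment already requested")

        # The SSID column is blank when the rogue does not broadcast one.
        if "SSID" in headers and not row.get("SSID", ""):
            reasons.append("SSID not broadcast")

        findings.append((score, row["Failure Source"], reasons))

    return sorted(findings, key=lambda f: f[0], reverse=True)


if __name__ == "__main__":
    for score, source, reasons in triage_rogue_events(SAMPLE_CSV):
        print(f"{score:2d}  {source}  ({'; '.join(reasons) or 'no flags'})")
```

Because hidden columns are not exported, show the Classification Type and State columns in the events table before exporting, or the function rejects the file.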
Monitoring Failure Objects
Note
The event categories Location Servers and Location Notifications appear only in the Cisco NCS
Location version.
Choose Monitor > Events, then click the expand icon to the far left of the Monitor > Events page for
the event for which you want to see details. Details about the event are displayed. Depending on the type
of event you selected, the associated details vary.
•
General Info
– Failure Source—Indicates the source of the event (including name and/or MAC address).
– Category—Type of alarm such as Security or AP.
– Generated—Date and time that the event was generated.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
NMS (Network Management System - Prime Infrastructure)—Generated through polling.
Prime Infrastructure periodically polls the controllers and generates events. Prime
Infrastructure generates events when the traps are disabled or when the traps are lost for those
events. In this case, “Generated by” is NMS.
Trap—Generated by the controller. Prime Infrastructure processes these traps and raises
corresponding events for them. In this case, “Generated by” is Controller.
– Device IP Address—IP address of the alarm-generating device.
– Severity—Level of severity including critical, major, info, warning, and clear.
•
Messages—Message explaining why the event occurred.
Monitoring Events for Rogue APs
Choose Monitor > Events. Click an item in the Description column to display the alarm events for a
rogue access point radio. Rogue access point radios are unauthorized access points detected by
controllers. The following fields appear:
General
•
Rogue MAC Address
•
Vendor
•
On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the
following: Traced but not found, Traced and found, Not traced.
•
Owner—Name of the person to whom this alarm is assigned, or (blank).
•
State—State of this radio relative to the network or Port. Rogue access point radios appear as “Alert”
when first scanned by the Port, or as “Pending” when operating system identification is still
underway.
•
SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not
broadcast.)
•
Containment Level—An access point which is being contained is either unable to provide service at
all, or provides exceedingly slow service. There is a level associated with the containment activity
which indicates how many Cisco 1000 series lightweight access points to use in containing the
threat. This service must be initiated and halted by the administrator. Containment Type - Contained
if the rogue access point clients have been contained at Level 1 through Level 4 under Update Status,
otherwise Unassigned.
•
Channel—Indicates the band at which the ad hoc rogue is broadcasting.
•
Radio Type—Lists all radio types applicable to this rogue access point.
•
Created—Date and time that the event occurred.
•
Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
– NMS (Network Management System - Prime Infrastructure)—Generated through polling.
Prime Infrastructure periodically polls the controllers and generates events. Prime
Infrastructure generates events when the traps are disabled or when the traps are lost for those
events. In this case, “Generated by” is NMS.
– Trap—Generated by the controller. Prime Infrastructure processes these traps and raises
corresponding events for them. In this case, “Generated by” is Controller.
•
Device IP Address—IP address of the alarm-generating device.
•
Severity—Level of severity, Critical, Major, Minor, Warning, Clear, Info. Color coded.
Message—Displays descriptive information about the alarm.
Help—Displays information about the alarm.
Note
Use the Advanced Search feature to find specific events. See the Search Methods section in the Cisco
Prime Infrastructure 2.0 User Guide for more information.
Monitoring Events for Ad hoc Rogues
Choose Monitor > Events. Click an item in the Description column to display ad hoc rogue event
details.
General
•
Rogue MAC Address
•
Vendor
•
On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the
following: Traced but not found, Traced and found, Not traced.
•
Owner—Name of the person to whom this alarm is assigned, or (blank).
•
State—State of this radio relative to the network or Port. Rogue access point radios appear as “Alert”
when first scanned by the Port, or as “Pending” when operating system identification is still
underway.
•
SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not
broadcast.)
•
Containment Level—An access point which is being contained is either unable to provide service at
all, or provides exceedingly slow service. There is a level associated with the containment activity
which indicates how many Cisco 1000 series lightweight access points to use in containing the
threat. This service must be initiated and halted by the administrator. Containment Type - Contained
if the rogue access point clients have been contained at Level 1 through Level 4 under Update Status,
otherwise Unassigned.
•
Channel—Indicates the band at which the ad hoc rogue is broadcasting.
•
Created—Date and time that the event occurred.
•
Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
– NMS (Network Management System - Prime Infrastructure)—Generated through polling.
Prime Infrastructure periodically polls the controllers and generates events. Prime
Infrastructure generates events when the traps are disabled or when the traps are lost for those
events. In this case, “Generated by” is NMS.
– Trap—Generated by the controller. Prime Infrastructure processes these traps and raises
corresponding events for them. In this case, “Generated by” is Controller.
•
Device IP Address—IP address of the alarm-generating device.
•
Severity—Level of severity, Critical, Major, Minor, Warning, Clear, Info. Color coded.
Message—Displays descriptive information about the alarm.
Help—Displays information about the alarm.
Monitoring Cisco Adaptive wIPS Events
Choose Monitor > Events to view wIPS events. One or more events might generate an abnormal state
or alarm. The alarm can be cleared, but the event remains. For more information regarding monitoring
events, see the “Monitoring Events” section on page 5-143.
The following sections provide additional information regarding Cisco Adaptive wIPS:
•
Configuring wIPS Profiles
•
Prime Infrastructure Services
•
wIPS Policy Alarm Encyclopedia
Perform an events search to narrow the results to mobility services engine or Security events only. To
view mobility services engine or Security events, choose Monitor > Events.
Note
If there is more than one page of events, the number of pages is displayed with a scroll arrow on
each side. Use this to view additional events.
Monitoring CleanAir Air Quality Events
You can use the Prime Infrastructure to view the events generated on the air quality of the wireless
network.
To view air quality events, follow these steps:
Step 1
Click Advanced Search in the Prime Infrastructure.
The New Search page appears.
Step 2
In the New Search page, choose Events from the Search Category drop-down list.
Step 3
From the Severity drop-down list, choose the severity level by which you want to search the air quality events.
Step 4
From the Event Category drop-down list, choose Performance.
Step 5
Click Go.
The air quality events page displays the following information:
•
Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
•
Failure Source—Device that generated the alarm.
•
Date/Time—The time at which the alarm was generated.
Viewing Air Quality Event Details
To view air quality event details, follow these steps:
Step 1
From the Air Quality Events page, click an item under Failure Source to access the alarm details page.
See the “Monitoring CleanAir Air Quality Events” section on page 5-149.
Step 2
The air quality event page displays the following information:
•
Failure Source—Device that generated the alarm.
•
Category—The category this event comes under. In this case, Performance.
•
Created—The time stamp at which the event was generated.
•
Generated by—The device that generated the event.
•
Device IP Address—The IP address of the device that generated the event.
•
Severity—The severity of the event.
•
Alarm Details—A link to the related alarms associated with this event. Click the link to learn more
about the alarm details.
•
Message—Describes the air quality index on this access point.
Monitoring Interferer Security Risk Events
You can use the Prime Infrastructure to view the security events generated on your wireless network.
To view interferer security events, follow these steps:
Step 1
Click Advanced Search in the Prime Infrastructure.
The New Search page appears.
Step 2
In the New Search page, choose Events from the Search Category drop-down list.
Step 3
From the Severity drop-down list, choose the severity level by which you want to search the air quality events.
Step 4
From the Event Category drop-down list, choose Security.
Step 5
Click Go.
The interferer security events page displays the following information:
•
Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
•
Failure Source—Device that generated the alarm.
•
Date/Time—The time at which the alarm was generated.
Viewing Interferer Security Risk Event Details
To view interferer security event details, follow these steps:
Step 1
In the Interferer Security Event details page, click an item under Failure Source to access the alarm
details page. See the “Monitoring Interferer Security Risk Events” section on page 5-150.
Step 2
The air quality event page displays the following information:
•
Failure Source—Device that generated the alarm.
•
Category—The category this event comes under. In this case, Security.
•
Created—The time stamp at which the event was generated.
•
Generated by—The device that generated the event.
•
Device IP Address—The IP address of the device that generated the event.
•
Severity—The severity of the event.
•
Alarm Details—A link to the related alarms associated with this event. Click the link to learn more
about the alarm details.
•
Message—Describes the interferer device affecting the access point.
Monitoring Health Monitor Events
You can use the Prime Infrastructure to view the events generated by the Health Monitor.
To view the health monitor events, follow these steps:
Step 1
Click Advanced Search in the Prime Infrastructure.
The New Search page appears.
Step 2
In the New Search page, choose Events from the Search Category drop-down list.
Step 3
From the Severity drop-down list, choose the severity level by which you want to search the health monitor
events.
Step 4
From the Event Category drop-down list, choose Prime Infrastructure.
Step 5
Click Go.
The Health Monitor Events page displays the following information:
•
Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
•
Failure Source—Device that generated the alarm.
•
Date/Time—The time at which the alarm was generated.
•
Message—Describes the health details.
Viewing Health Monitor Event Details
To view health monitor event details, follow these steps:
Step 1
In the Health Monitor Events page, click an item under Failure Source to access the alarm details page.
See the “Monitoring Health Monitor Events” section on page 5-150.
Step 2
The Health Monitor Events page displays the following information:
•
Failure Source—Device that generated the alarm.
•
Category—The category this event comes under. In this case, Prime Infrastructure.
•
Created—The time stamp at which the event was generated.
•
Generated by—The device that generated the event.
•
Device IP Address—The IP address of the device that generated the event.
•
Severity—The severity of the event.
•
Alarm Details—A link to the related alarms associated with this event. Click the link to learn more
about the alarm details.
•
Message—Describes the event through a message.
Working with Events
You can use the Prime Infrastructure to view mobility services engine and access point events. You can
search and display events based on their severity (critical, major, minor, warning, clear, info) and event
category or you can search for a mobility services engine and access point by its IP address, MAC
address or name.
A successful event search displays the event severity, failure object, date and time of the event, and any
messages for each event.
To display events, follow these steps:
Step 1
In the Prime Infrastructure, click Monitor > Events.
Step 2
In the Events page:
•
If you want to display the events for a specific element and you know its IP address, MAC address,
or Name, enter that value in the Quick Search text box (left pane). Click Go.
•
To display events by severity and category, choose the appropriate options from the Severity and
Event Category drop-down lists (left pane). Click Search.
Step 3
If the Prime Infrastructure finds events that match the search criteria, it displays a list of these events.
Note
For more information about an event, click the failure object associated with the event.
Additionally, you can sort the events summary by each of the column headings.
Monitoring Site Maps
Maps provide a summary view of all your managed systems on campuses, buildings, outdoor areas, and
floors. With the Prime Infrastructure database, you can add maps and view your managed system on
realistic campus, building, and floor maps. See the “Monitoring Maps” section on page 6-153 for more
information.
Monitoring Google Earth Maps
You can enable location presence by mobility server to provide expanded Civic (city, state, postal code,
country) and GEO (longitude, latitude) location information beyond the Cisco default setting (campus,
building, floor, and X, Y coordinates). This information can then be requested by clients on a demand
basis for use by location-based services and applications. Location Presence can be configured when a
new campus, building, floor, or outdoor area is being added or configured at a later date. See the
“Monitoring Google Earth Maps” section on page 6-230 for more information.
CHAPTER 6
Monitoring Maps
This chapter describes how to add and monitor maps. It contains the following sections:
•
About Maps
•
Adding a Campus Map
•
Adding a Building to a Campus Map
•
Adding Floor Areas
•
Monitoring Floor Area
•
Using the Automatic Hierarchy to Create Maps
•
Using the Map Editor
•
Adding an Outdoor Area
•
Using Chokepoints to Enhance Tag Location Reporting
•
Configuring Wi-Fi TDOA Receivers
•
Searching Maps
•
Using the Map Editor
•
Inspecting Location Readiness and Quality
•
Monitoring Mesh Networks Using Maps
•
Monitoring Tags Using Maps
•
Using Planning Mode
•
Refresh Options
•
Creating a Network Design
•
Importing or Exporting WLSE Map Data
•
Monitoring Device Details
•
Monitoring Google Earth Maps
About Maps
Maps provide a summary view of all your managed systems on campuses, buildings, outdoor areas, and
floors.
In addition to the features of the legacy maps, the Cisco Prime Infrastructure 2.0 enables you to use
the features of the Next Generation Maps. The Next Generation Maps feature is enabled by default. Use
the Administration > User Preferences page to disable or enable this feature.
The Next Generation Maps feature provides the following benefits:
•
Displays a large amount of information on the map. When you have numerous clients, interferers, and
access points, these may clutter the display on the Prime Infrastructure map pages. Also, pages load
slowly. Prime Infrastructure 2.0 introduces clustering and layering of information. Information
clustering reduces clutter at the high level and reveals more information when you click an object. For
details, see the “Monitoring Floor Area” section on page 6-175.
•
Simplifies and accelerates the process of adding APs to the map. In the legacy maps, the process of
adding access points to maps is manual and tedious. With the Prime Infrastructure 2.0, you can use
automated hierarchy creation to add and name access points. For details, see the “Using the
Automatic Hierarchy to Create Maps” section on page 6-180.
•
Provides high-quality map images with easy navigation and zoom/pan controls. In the legacy maps,
the map image quality is low and navigating, zooming, and panning are slow. With the Prime
Infrastructure 2.0, you can use the next-generation ‘tile-aware’ map engine to load maps faster and
zoom/pan easily. Also, Next Generation Maps enables administrators to load high-resolution maps
faster and navigate around the map. For details, see the “Panning and Zooming with Next Generation
Maps” section on page 6-175.
Table 6-1 Process for Working with Maps
Process                              Description
1. Add a new campus/building map     Choose Monitor > Site Maps. From the Select a command drop-down list, choose New Campus or New Building.
2. Add a floor map                   Choose Monitor > Site Maps. From the Select a command drop-down list, choose New Floor Area.
3. Use Map Editor                    Choose Monitor > Site Maps. From the Select a command drop-down list, choose Map Editor.
Adding a Campus Map
Note
When you navigate to Monitor > Site Maps, you see the “Unassigned Campus” area. This is an area for
the Assurance data when the site classification information is unavailable. All the end points or hosts
data are aggregated to unassigned campus. “Unassigned” is a default site available in the Prime
Infrastructure.
To add a single campus map to the Prime Infrastructure database, follow these steps:
Step 1
Save the map in .PNG, .JPG, .JPEG, or .GIF format.
Note
The map can be of any size because the Prime Infrastructure automatically resizes the map to fit
its working areas.
Step 2
Browse to and import the map from anywhere in your file system.
Step 3
Choose Monitor > Site Maps to display the Maps page.
Step 4
From the Select a command drop-down list, choose New Campus, and click Go.
Step 5
In the Maps > New Campus page, enter the campus name and campus contact name.
Step 6
Browse to and choose the image filename containing the map of the campus, and click Open.
Step 7
Select the Maintain Aspect Ratio check box to prevent length and width distortion when the Prime
Infrastructure resizes the map.
Step 8
Enter the horizontal and vertical span of the map in feet.
Note
To change the unit of measurement (feet or meters), choose Monitor > Site Maps and choose
Properties from the Select a command drop-down list. The horizontal and vertical span should
be larger than any building or floor plan to be added to the campus.
Step 9
Click OK to add this campus map to the Prime Infrastructure database. Prime Infrastructure displays the
Maps page, which lists maps in the database, map types, and campus status.
Step 10
(Optional) To assign location presence information, click the newly created campus link in the Monitor
> Site Maps page.
Note
System Campus is always present in each virtual domain, whether it is explicitly added to the
respective virtual domain or not. Adding System Campus explicitly to a virtual domain does not
include all its child buildings and floors to the same virtual domain.
Adding a Building to a Campus Map
To add a building to a campus map in the Prime Infrastructure database, follow these steps:
Step 1
Choose Monitor > Site Maps to display the Maps page.
Step 2
Click the desired campus. The Site Maps > Campus Name page appears.
Step 3
From the Select a command drop-down list, choose New Building, and click Go.
Step 4
In the Campus Name > New Building page, follow these steps to create a virtual building in which to
organize related floor plan maps:
a.
Enter the building name.
b.
Enter the building contact name.
c.
Enter the number of floors and basements.
d.
Enter the horizontal position (distance from the corner of the building rectangle to the left edge of
the campus map) and the vertical position (distance from the corner of the building rectangle to the
top edge of the campus map) in feet.
Note
To change the unit of measurement (feet or meters), choose Monitor > Site Maps, and choose
Properties from the Select a command drop-down list.
e.
Enter an approximate building horizontal span and vertical span (width and depth on the map) in
feet.
Note
The horizontal and vertical span should be larger than or the same size as any floors that you
might add later.
Tip
You can also use Ctrl-click to resize the bounding area in the upper-left corner of the campus
map. As you change the size of the bounding area, the Horizontal Span and Vertical Span
parameters of the building change to match your actions.
f.
Click Place to put the building on the campus map. Prime Infrastructure creates a building rectangle
scaled to the size of the campus map.
g.
Click the building rectangle and drag it to the desired position on the campus map.
Note
After adding a new building, you can move it from one campus to another without having to
recreate it.
h.
Click Save to save this building and its campus location to the database. Prime Infrastructure saves
the building name in the building rectangle on the campus map.
Note
A hyperlink associated with the building takes you to the corresponding Map page.
Step 5
(Optional) To assign location presence information for the new outdoor area, do the following:
a.
Choose Edit Location Presence Info from the Select a command drop-down list. Click Go. The
Location Presence page appears.
Note
By default, the Presence Info check box of the Override Child Element is selected. This option
should remain selected if you want to propagate the campus location to all buildings and floors
on that campus. When adding buildings to the campus map, you can import the campus location
information. The campus address cannot be imported to a building if the check box is unselected.
This option should be unselected if you want to assign building-specific addresses to buildings
on its campus rather than one campus address to all.
b.
Click the Civic Address or Advanced tab.
– Civic Address identifies the campus by name, street, house number, house number suffix, city
(address line2), state, postal code, and country.
– Advanced identifies the campus with expanded civic information such as neighborhood, city
division, country, and postal community name.
Note
Each selected field is inclusive of all of those above it. For example, if you choose
Advanced, it can also provide Civic location information upon client demand. The selected
setting must match what is set on the location server level (Services > Mobility Services).
c.
By default, the Override Child’s Presence Information check box is selected. There is no need to
alter this setting for standalone buildings.
Step 6
Click Save.
Adding a Standalone Building
To add a standalone building to the Prime Infrastructure database, follow these steps:
Step 1
Choose Monitor > Site Maps to display the Maps page.
Step 2
From the Select a command drop-down list, choose New Building, and click Go.
Step 3
In the Maps > New Building page, follow these steps to create a virtual building in which to organize
related floor plan maps:
a.
Enter the building name.
b.
Enter the building contact name.
Note
After adding a new building, you can move it from one campus to another without having to
recreate it.
c.
Enter the number of floors and basements.
d.
Enter an approximate building horizontal span and vertical span (width and depth on the map) in
feet.
Note
To change the unit of measurement (feet or meters), choose Monitor > Site Maps, and
choose Properties from the Select a command drop-down list.
Note
The horizontal and vertical span should be larger than or the same size as any floors that you
might add later.
e.
Click OK to save this building to the database.
Step 4
(Optional) To assign location presence information for the new building, do the following:
a.
Choose Location Presence from the Select a command drop-down list. Click Go. The Location
Presence page appears.
b.
Click the Civic or Advanced tab.
– Civic Address identifies the campus by name, street, house number, house number suffix, city
(address line2), state, postal code, and country.
– Advanced identifies the campus with expanded civic information such as neighborhood, city
division, county, and postal community name.
Note
Each selected field is inclusive of all of those above it. For example, if you select Advanced,
it can also provide Civic location information upon client demand. The selected setting must
match what is set on the location server level (Services > Mobility Services).
c.
By default, the Presence Info check box of the Override Child Element is selected. This option
should remain selected if you want to propagate the campus location to all buildings and floors on
that campus. When adding buildings to the campus map, you can import the location information.
The campus address cannot be imported to a building if the check box is unselected. This option
should be deselected if you want to assign building-specific addresses to buildings on its campus
rather than one campus address to all.
Step 5
Click Save.
Note
The standalone buildings are automatically placed in System Campus.
Adding Floor Areas
This section describes how to add floor plans to either a campus building or a standalone building in the
Prime Infrastructure database and includes the following topics:
•
Adding Floor Areas to a Campus Building
•
Adding Floor Plans to a Standalone Building
•
Configuring Floor Settings
•
Import Map and AP Location Data
•
Placing Access Points
Adding Floor Areas to a Campus Building
After you add a building to a campus map, you can add individual floor plan and basement maps to the
building.
Note
Use the zoom controls at the top of the campus image to enlarge or decrease the size of the map
view and to hide or show the map grid (which displays the map size in feet or meters).
To add a floor area to a campus building, follow these steps:
Step 1
Save your floor plan maps in .PNG, .JPG, .JPEG, or .GIF format.
Note
The maps can be any size because the Prime Infrastructure automatically resizes the maps to fit
the workspace.
Note
If there are problems converting the auto-cad file, an error message is displayed. Prime
Infrastructure uses a native image conversion library to convert auto-cad files into raster formats
like .PNG. If the native library cannot be loaded, the Prime Infrastructure displays an “unable to
convert the auto-cad file” message. If you receive this error, make sure all the required
dependencies are met for the native library. To find any dependency problems, use ldd on Linux
platforms. The following DLLs must be present under the /webnms/rfdlls Prime Infrastructure
installation directory: LIBGFL254.DLL, MFC71.DLL, MSVCR71.DLL, and MSVCP71.DLL.
If dependency problems occur, you might need to install the required libraries and restart the
Prime Infrastructure.
Note
An imported auto-cad file can become blurred when you zoom. Without the zoom, the clarity is
about the same as the original auto-cad file. Make sure all relevant sections are clearly visible in
the original auto-cad file (DWG/DXF) and then import the auto-cad file into .PNG/.GIF format
rather than .JPEG or .JPG.
Note
The floor map image is enhanced for zooming and panning. The floor image will not be visible
completely until this operation is complete. You can zoom in and out to view the complete map
image. For example, if you have a high resolution image (near 181 megapixels) whose size is
approximately 60 megabytes, it may take two minutes to appear on the map.
Step 2
Choose Monitor > Site Maps.
Step 3
From the Maps Tree View or the Monitor > Site Maps list, choose the applicable campus building to
open the Building View page.
Step 4
Hover your mouse cursor over the name within an existing building rectangle to highlight it.
Note
You can also access the building from the Campus View page. In the Campus View page, click
the building name to open the Building View page.
Step 5
From the Select a command drop-down list, choose New Floor Area.
Step 6
Click Go. The New Floor Area page appears.
Step 7
In the New Floor Area page, follow these steps to add floors to a building in which to organize related
floor plan maps:
a.
Enter the floor area and contact names.
b.
Choose the floor or basement number from the Floor drop-down list.
c.
Choose the floor or basement type (RF Model).
d.
Enter the floor-to-floor height in feet.
Note
To change the unit of measurement (feet or meters), choose Monitor > Site Maps, and choose
Properties from the Select a command drop-down list.
e.
Select the Image or CAD File check box.
f.
Browse to and choose the desired floor or basement image or CAD filename, and click Open.
Note
If you are importing a CAD file, use the Convert CAD File drop-down list to determine the
image file for conversion.
Tip
We do not recommend a .JPEG (.JPG) format for an auto-cad conversion. Unless a JPEG is
specifically required, use .PNG or .GIF format for higher quality images.
g.
Click Next. At this point, if a CAD file was specified, a default image preview is generated and
loaded.
Note
Prime Infrastructure uses a native image conversion library to convert auto-cad files into
raster formats like .PNG. When there are issues loading the native library, the Prime
Infrastructure displays the following error: "Unable to convert the auto-cad file. Reason:
Error while loading the auto-cad image conversion library." For more information, see the
Prime Infrastructure online help or Prime Infrastructure documentation.
The names of the CAD file layers are listed with check boxes to the right side of the image indicating
which are enabled.
Note
When you choose the floor or basement image filename, the Prime Infrastructure displays
the image in the building-sized grid.
Note
The maps can be any size because the Prime Infrastructure automatically resizes the maps
to fit the workspace.
Note
The map must be saved in .PNG, .JPG, .JPEG, or .GIF format.
h.
If you have CAD file layers, you can select or deselect as many as you want and click Preview to
view an updated image. Click Next when you are ready to proceed with the selected layers.
Enter the remaining parameters for the floor area.
i.
Either leave the Maintain Aspect Ratio check box selected to preserve the original image aspect
ratio or unselect the check box to change the image aspect ratio.
j.
Enter an approximate floor or basement horizontal and vertical span (width and depth on the map)
in feet.
Note
The horizontal and vertical spans should be smaller than or the same size as the building
horizontal and vertical spans in the Prime Infrastructure database.
k.
If applicable, enter the horizontal position (distance from the corner of the outdoor area rectangle to
the left edge of the campus map) and vertical position (distance from the corner of the outdoor area
rectangle to the top edge of the campus map) in feet or meters.
Tip
Use Ctrl-click to resize the image within the building-sized grid.
l.
If desired, select the Launch Map Editor after floor creation check box to rescale the floor and
draw walls.
m.
Click OK to save this floor plan to the database. The floor is added to the Maps Tree View and the
Monitor > Site Maps list.
Note
Use different floor names in each building. If you are adding more than one building to the
campus map, do not use a floor name that exists in another building. This overlap causes
incorrect mapping information between a floor and a building.
Step 8
Click any of the floor or basement images to view the floor plan or basement map.
Note
You can zoom in or out to view the map at different sizes and you can add access points.
Adding Floor Plans to a Standalone Building
After you have added a standalone building to the Prime Infrastructure database, you can add individual
floor plan maps to the building.
To add floor plans to a standalone building, follow these steps:
Step 1
Save your floor plan maps in .PNG, .JPG, or .GIF format.
Note
The maps can be any size because the Prime Infrastructure automatically resizes the maps to fit
the workspace.
Step 2
Browse to and import the floor plan maps from anywhere in your file system. You can import CAD files
in DXF or DWG formats or any of the formats you created in Step 1.
Note
If there are problems converting the auto-cad file, an error message is displayed. Prime
Infrastructure uses a native image conversion library to convert auto-cad files into raster formats
like .PNG. If the native library cannot be loaded, the Prime Infrastructure displays an “unable to
convert the auto-cad file” message. If you receive this error, make sure all the required
dependencies are met for the native library. To find any dependency problems, use ldd on Linux
platforms. The following DLLs must be present under the /webnms/rfdlls Prime Infrastructure
installation directory: LIBGFL254.DLL, MFC71.DLL, MSVCR71.DLL, and MSVCP71.DLL.
If dependency problems occur, you might need to install the required libraries and restart the
Prime Infrastructure.
Step 3
Choose Monitor > Site Maps.
Step 4
From the Maps Tree View or the Monitor > Site Maps left sidebar menu, choose the desired building to
display the Building View page.
Step 5
From the Select a command drop-down list, choose New Floor Area.
Step 6
Click Go.
Step 7
In the New Floor Area page, add the following information:
•
Enter the floor area and contact names.
•
Choose the floor or basement number from the Floor drop-down list.
•
Choose the floor or basement type (RF Model).
•
Enter the floor-to-floor height in feet.
•
Select the Image or CAD File check box.
•
Browse to and choose the desired floor or basement Image or CAD file, and click Open.
Note
If you are importing a CAD file, use the Convert CAD File drop-down list to determine the image
file for conversion.
Tip
A .JPEG (.JPG) format is not recommended for an auto-cad conversion. Unless a .JPEG is
specifically required, use a .PNG or .GIF format for higher quality images.
Step 8
Click Next. At this point, if a CAD file was specified, a default image preview is generated and loaded.
Note
Prime Infrastructure uses a native image conversion library to convert auto-cad files into raster
formats like .PNG. When there are issues loading the native library, the Prime Infrastructure
displays the following error: "Unable to convert the auto-cad file. Reason: Error while loading
the auto-cad image conversion library. For more information, see the Prime Infrastructure online
help or Prime Infrastructure documentation."
The names of the CAD file layers are listed with check boxes to the right side of the image indicating
which are enabled.
Note
When you choose the floor or basement image filename, the Prime Infrastructure displays
the image in the building-sized grid.
Note
The maps can be any size because the Prime Infrastructure automatically resizes the maps
to fit the workspace.
Note
The map must be saved in .PNG, .JPG, .JPEG, or .GIF format.
If you have CAD file layers, you can select or deselect as many as you want and click Preview to
view an updated image. Click Next when you are ready to proceed with the selected layers.
Step 9
Enter the remaining parameters for the floor area.
•
Either leave the Maintain Aspect Ratio check box selected to preserve the original image aspect
ratio or unselect the check box to change the image aspect ratio.
•
Enter an approximate floor or basement horizontal and vertical span (width and depth on the map)
in feet.
Note
The horizontal and vertical spans should be smaller than or the same size as the building
horizontal and vertical spans in the Prime Infrastructure database.
•
If applicable, enter the horizontal position (distance from the corner of the outdoor area rectangle to
the left edge of the campus map) and vertical position (distance from the corner of the outdoor area
rectangle to the top edge of the campus map) in feet or meters.
Tip
Use Ctrl-click to resize the image within the building-sized grid.
•
Adjust the floor characteristics with the Prime Infrastructure map editor by selecting the check box
next to Launch Map Editor. See the “Using the Map Editor” section for more
information regarding the map editor feature.
Step 10
Click OK to save this floor plan to the database. The floor is added to the Maps Tree View and the
Monitor > Site Maps list.
Step 11
Click any of the floor or basement images to view the floor plan or basement map.
Note
You can zoom in or out to view the map at different sizes and you can add access points.
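The prerequisite check described in the CAD-conversion notes of both procedures above, as an added shell example that is not part of the Cisco guide: it reports which of the four listed DLLs are absent from a directory and which shared-library dependencies ldd cannot resolve. The directory argument, the function names, and the assumption that the native library's shared objects sit in that same directory are illustrative.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): check the prerequisites of the
# native CAD-conversion library.
# Usage: sh check_cad_deps.sh <install-dir>/webnms/rfdlls
# <install-dir> is a placeholder for your Prime Infrastructure installation.

# DLL names exactly as listed in the guide's note.
REQUIRED_DLLS="LIBGFL254.DLL MFC71.DLL MSVCR71.DLL MSVCP71.DLL"

# Print each required DLL that is absent from directory $1.
# The comparison is case-insensitive so lower-case file names still match.
missing_dlls() {
    dir=$1
    for dll in $REQUIRED_DLLS; do
        if ! ls -1 "$dir" 2>/dev/null | tr '[:lower:]' '[:upper:]' | grep -Fqx "$dll"; then
            printf '%s\n' "$dll"
        fi
    done
}

# Read ldd output on stdin and print the names of unresolved libraries.
# ldd marks an unresolved dependency as:  libname.so.N => not found
unresolved_from_ldd() {
    awk '/=> not found/ { print $1 }' | sort -u
}

# Run ldd on every shared object in directory $1 (assumed location) and
# report unresolved dependencies per file. Returns 1 if any are unresolved.
# ldd can execute code from the file it inspects, so run it only on files
# that come from the trusted installation.
check_shared_objects() {
    dir=$1
    status=0
    for lib in "$dir"/*.so*; do
        [ -f "$lib" ] || continue
        missing=$(ldd "$lib" 2>/dev/null | unresolved_from_ldd)
        if [ -n "$missing" ]; then
            printf '%s: unresolved: %s\n' "$lib" "$(printf '%s' "$missing" | tr '\n' ' ')"
            status=1
        fi
    done
    return $status
}

# Run both checks only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    rc=0
    absent=$(missing_dlls "$1")
    if [ -n "$absent" ]; then
        printf 'missing from %s:\n%s\n' "$1" "$absent"
        rc=1
    fi
    check_shared_objects "$1" || rc=1
    exit "$rc"
fi
```

After installing anything the script reports as missing, restart Prime Infrastructure as the note directs.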
Configuring Floor Settings
You can modify the appearance of the floor map by selecting or unselecting various floor settings check
boxes. The selected floor settings appear in the map image.
The Floor Settings options include the following:
•
Access Points
•
AP Heatmaps
•
AP Mesh Info
•
Clients
•
802.11 Tags
•
Rogue APs
•
Rogue Adhocs
•
Rogue Clients
•
Coverage Areas
•
Location Regions
•
Rails
•
Markers
•
Chokepoints
•
Wi-Fi TDOA Receivers
•
Interferers
Use the blue arrows to access floor setting filters for access points, access point heatmaps, clients, 802.11
tags, rogue access points, rogue adhocs, and rogue clients. When filtering options are selected, click OK.
Use the Show MSE data within last drop-down list to choose the timeframe for mobility services engine
data. Choose to view mobility services engine data from a range including the past two minutes up to
the past 24 hours. This option only appears if a mobility services engine is present on the Prime
Infrastructure.
Click Save Settings to make the current view and filter settings your new default for all maps.
Defining Inclusion and Exclusion Regions on a Floor
To further refine location calculations on a floor, you can define the areas that are included (inclusion
areas) in the calculations and those areas that are not included (exclusion areas).
For example, you might want to exclude areas such as an atrium or stairwell within a building but include
a work area (such as cubicles, labs, or manufacturing floors).
Note
If the MSE to which the floor is synchronized is running the Aeroscout tag engine, then inclusion and
exclusion regions are not calculated for tags.
Viewing Floor Component Details
To view details regarding the components displayed on the Floor View, hover your mouse cursor over
the applicable icon. A dialog box containing detailed information is displayed. Table 6-2 displays the
floor map icons.
Table 6-2 Floor Map Icons
Icon
Description
Access point icon. The color of the circle indicates the alarm status of the Cisco
Radios.
Note
Each access point contains two Cisco Radios. When a single protocol is
selected in the Access Point filter page, the entire icon represents this radio.
If both protocols are selected, the top half of the icon represents the state of
the 802.11a/n radio and the bottom half represents the state of the
802.11b/g/n radio.
Note
If a Cisco Radio is disabled, a small “x” appears in the middle of the icon.
Note
Monitor mode access points are shown with a gray label to distinguish these
from other access points.
AP heatmaps icon.
Client icon. Hover your mouse cursor over the icon to view client details.
Tag icon. Hover your mouse cursor over the icon to view tag details.
Rogue access point icon. The color of the icon indicates the type of rogue access
point. For example, red indicates a malicious rogue access point and blue indicates
an unknown type.
Hover your mouse cursor over the icon to view rogue access point details.
Rogue adhoc icon.
Hover your mouse cursor over the icon to view rogue adhoc details.
Rogue client icon.
Hover your mouse cursor over the icon to view rogue client details.
Coverage icon.
Location regions icon.
Rails icon.
Marker icon.
Chokepoint icon.
Wi-Fi TDOA receiver icon.
Interferer device icon.
Indicates a guest client that is configured through web auth WLAN on the Prime
Infrastructure.
Note
Guests from a controller appear as guest icons only if you create a Guest WLAN on that
controller and assign that controller to an MSE.
Cisco 1000 Series Lightweight Access Point Icons
The icons indicate the present status of an access point. The circular part of the icon can be split in half
horizontally. The more severe of the two Cisco Radio colors determines the color of the large triangular
pointer.
Note
When the icon is representing 802.11a/n and 802.11b/n, the top half displays the 802.11a/n status, and
the bottom half displays the 802.11b/g/n status. When the icon is representing only 802.11b/g/n, the
whole icon displays the 802.11b/g/n status. The triangle indicates the more severe color.
Table 6-3 shows the icons used in the Prime Infrastructure user interface Map displays.
Table 6-3 Access Points Icons Description
Icon
Description
The green icon indicates an access point (AP) with no faults. The top half of the circle
represents the optional 802.11a Cisco Radio. The bottom half of the circle represents the
state of the 802.11b/g Cisco Radio.
The yellow icon indicates an access point with a minor fault. The top half of the circle
represents the optional 802.11a Cisco Radio. The bottom half of the circle represents the
state of the 802.11b/g Cisco Radio.
Note
A flashing yellow icon indicates that there has been an 802.11a or 802.11b/g
interference, noise, coverage, or load Profile Failure. A flashing yellow icon
indicates that there have been 802.11a and 802.11b/g profile failures.
The red icon indicates an access point (AP) with a major or critical fault. The top half of
the circle represents the optional 802.11a Cisco Radio. The bottom half of the circle
represents the state of the 802.11b/g Cisco Radio.
The dimmed icon with a question mark in the middle represents an unreachable access
point. It is gray because its status cannot be determined.
The dimmed icon with no question mark in the middle represents an unassociated access
point.
The icon with a red “x” in the center of the circle represents an access point that has been
administratively disabled.
The icon with the top half green and the lower half yellow indicates that the optional
802.11a Cisco Radio (top) has no faults, and the 802.11b/g Cisco Radio (bottom) has a
minor fault. The more severe of the two Cisco Radio colors determines the color of the
large triangular pointer.
The icon with the top half green and the lower half red indicates that the optional 802.11a
Cisco Radio (top) is operational with no faults, and the 802.11b/g Cisco Radio (bottom)
has a major or critical fault. The more severe of the two Cisco Radio colors determines
the color of the large triangular pointer.
The icon with the top half yellow and the lower half red indicates that the optional
802.11a Cisco Radio (top) has a minor fault, and the 802.11b/g Cisco Radio (bottom) has
a major or critical fault. The more severe of the two Cisco Radio colors determines the
color of the large triangular pointer.
The icon with the top half yellow and the lower half green indicates that the optional
802.11a Cisco Radio (top) has a minor fault, and the 802.11b/g Cisco Radio (bottom) is
operational with no faults. The more severe of the two Cisco Radio colors determines the
color of the large triangular pointer.
The icon with the top half red and the lower half green indicates that the optional 802.11a
Cisco Radio (top) has a major or critical fault, and the 802.11b/g Cisco Radio (bottom)
is operational with no faults. The more severe of the two Cisco Radio colors determines
the color of the large triangular pointer.
The icon with the top half red and the lower half yellow indicates that the optional
802.11a Cisco Radio (top) has major or critical faults, and the 802.11b/g Cisco Radio
(bottom) has a minor fault. The more severe of the two Cisco Radio colors determines
the color of the large triangular pointer.
The icon with a red “x” on the top half (optional 802.11a) shows that the indicated Cisco
Radio has been administratively disabled. There are six color coding possibilities as
shown.
Each of the access point icons includes a small black arrow that indicates the direction in which the
internal Side A antenna points.
Table 6-4 shows some arrow examples used in the Prime Infrastructure user interface map displays.
Table 6-4 Arrows
Arrow Examples
Direction
Zero degrees, or to the right on the map.
45 degrees, or to the lower right on the map.
90 degrees, or down on the map.
These examples show the first three 45-degree increments allowed, with an additional five at 45-degree
increments.
Filtering Access Point Floor Settings
If you enable the access point floor setting and then click the blue arrow to the right of the floor settings,
the Access Point Filter dialog box appears with filtering options.
Access point filtering options include the following:
•
Show—Select this radio button to display the radio status or the access point status.
Note
Because the access point icon color is based on the access point status, the icon color might
vary depending on the status selected. The default on floor maps is radio status.
•
Protocol—From the drop-down list, choose which radio types to display (802.11a/n, 802.11b/g/n,
or both).
Note
The displayed heatmaps correspond to the selected radio type(s).
•
Display—From the drop-down list, choose what identifying information is displayed for the access
points on the map image.
– Channels—Displays the Cisco Radio channel number or Unavailable (if the access point is not
connected).
– TX Power Level—Displays the current Cisco Radio transmit power level (with 1 being high) or
Unavailable (if the access point is not connected).
Note
The power levels differ depending on the type of access point. The 1000 series access
points accept a value between 1 and 5, the 1230 access points accept a value between 1
and 7, and the 1240 and 1100 series access points accept a value between 1 and 8.
Table 6-5 lists the transmit power level numbers and their corresponding power setting.
Table 6-5 Transmit Power Level Values
Transmit Power Level Number    Power Setting
1                              Maximum power allowed per country code setting
2                              50% power
3                              25% power
4                              12.5 to 6.25% power
5                              6.25 to 0.195% power
Note
The power levels are defined by the country code setting and are regulated by country.
See the following URL for more information:
http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps5861/product_data_sheet0900aecd80537b6a_ps430_Products_Data_Sheet.html
– Channel and Tx Power—Displays both the channel and transmit power level (or Unavailable if
the access point is not connected).
– Coverage Holes—Displays a percentage of clients whose signal has become weaker until the
client lost its connection, Unavailable for unconnected access points, or MonitorOnly for access
points in monitor-only mode.
Note
Coverage holes are areas in which clients cannot receive a signal from the wireless
network. When you deploy a wireless network, you must consider the cost of the initial
network deployment and the percentage of coverage hole areas. A reasonable coverage
hole criterion for launch is between 2 and 10 percent. This means that between two and
ten test locations out of 100 random test locations might receive marginal service. After
launch, Cisco Unified Wireless Network Solution Radio Resource Management (RRM)
identifies these coverage hole areas and reports them to the IT manager, who can fill
holes based on user demand.
– MAC Addresses—Displays the MAC address of the access point, whether or not the access
point is associated to a controller.
– Names—Displays the access point name. This is the default value.
– Controller IP—Displays the IP address of the controller to which the access point is associated
or Not Associated for disassociated access points.
– Utilization—Displays the percentage of bandwidth used by the associated client devices
(including receiving, transmitting, and channel utilization). Displays Unavailable for
disassociated access points and MonitorOnly for access points in monitor-only mode.
– Profiles—Displays the load, noise, interference, and coverage components of the corresponding
operator-defined thresholds. Displays Okay for thresholds not exceeded, Issue for exceeded
thresholds, or Unavailable for unconnected access points.
Note
Use the Profile Type drop-down list to choose Load, Noise, Interference, or Coverage.
– CleanAir Status—Displays the CleanAir status of the access point and whether or not CleanAir
is enabled on the access point.
– Average Air Quality—Displays the average air quality on this access point. The details include
the band and the average air quality.
– Minimum Air Quality—Displays the minimum air quality on this access point. The details
include the band and the minimum air quality.
– Average and Minimum Air Quality—Displays the average and minimum air quality on this
access point. The details include the band, average air quality, and minimum air quality.
– Associated Clients—Displays the number of associated clients, Unavailable for unconnected
access points or MonitorOnly for access points in monitor-only mode.
– Bridge Group Names
•
RSSI Cutoff—From the drop-down list, choose the RSSI cutoff level. The RSSI cutoff ranges from
-60 dBm to -90 dBm.
•
Show Detected Interferers—Select the check box to display all interferers detected by the access
point.
•
Max. Interferers/label—Choose the maximum number of interferers to be displayed per label from
the drop-down list.
Click OK when all applicable filtering criteria are selected.
Filtering Access Point Heatmap Floor Settings
An RF heatmap is a graphical representation of RF wireless data where the values taken by variables are
represented in maps as colors. The current heatmap is computed based on the RSSI prediction model,
Antenna Orientation, and AP transmit power.
If you enable the Access Point Heatmap floor setting and click the blue arrow to the right of the Floor
Settings, the Contributing APs dialog appears with heatmap filtering options.
Prime Infrastructure introduces dynamic heatmaps. When dynamic heatmaps are enabled, the Prime
Infrastructure recomputes the heatmaps to represent changed RSSI values.
Access point heatmap filtering options include the following:
•
Heatmap Type—Select Coverage or Air Quality. If you choose Air Quality, you can further filter
the heat map type for access points with average air quality or minimum air quality. Select the
appropriate radio button.
Note
If you have monitor mode access points on the floor plan, you have a choice between IDS
or coverage heatmap types. A coverage heatmap excludes monitor mode access points.
Note
Only APs in Local, FlexConnect, or Bridge mode can contribute to the Coverage and Air
Quality Heatmap.
•
Total APs—Displays the number of access points positioned on the map.
•
Select the access point check box(es) to determine which heatmaps are displayed on the image map.
Click OK when all applicable filtering criteria are selected.
Filtering AP Mesh Info Floor Settings
Note
The AP Mesh Info check box only appears when bridging access points are added to the floor.
When this check box is selected, the Prime Infrastructure initiates contact with the controllers and
displays information about bridging access points. The following information is displayed:
– Link between the child and the parent access point.
– An arrow that indicates the direction from the child to parent access point.
– A color-coded link that indicates the signal-to-noise ratio (SNR). A green link represents a high
SNR (above 25 dB), an amber link represents an acceptable SNR (20-25 dB), and a red link
represents a very low SNR (below 20 dB).
If you enable the AP Mesh Info floor setting and click the blue arrow to the right of the floor settings,
the Mesh Parent-Child Hierarchical View page appears with mesh filtering options.
You can update the map view by choosing the access points you want to see on the map. From the Quick
Selections drop-down list, choose to select only root access points, various hops between the first and the
fourth, or all access points.
Note
For a child access point to be visible, its parent must also be selected.
Click OK when all applicable filtering criteria are selected.
Filtering Client Floor Settings
Note
The Clients option only appears if a mobility server is added in the Prime Infrastructure.
If you enable the Clients floor setting and click the blue arrow to the right, the Client Filter dialog box
appears.
Client filtering options include the following:
•
Show All Clients—Select the check box to display all clients on the map.
•
Small Icons—Select the check box to display icons for each client on the map.
Note
If you select the Show All Clients check box and Small Icons check box, all other drop-down
list options are dimmed.
If you unselect the Small Icons check box, you can choose if you want the label to display the
MAC address, IP address, username, asset name, asset group, or asset category.
If you unselect the Show All Clients check box, you can specify how you want the clients
filtered and enter a particular SSID.
•
Display—Choose the client identifier (IP address, username, MAC address, asset name, asset group,
or asset category) to display on the map.
•
Filter By—Choose the parameter by which you want to filter the clients (IP address, username, MAC
address, asset name, asset group, asset category, or controller). Once selected, type the specific
device in the text box.
Note
If there are multiple IPv6 addresses for a client, then you can specify any one IP address to
uniquely identify the client.
•
SSID—Enter the client SSID in the available text box.
•
Protocol—Choose All, 802.11a/n, or 802.11b/g/n from the drop-down list.
– All—Displays all the access points in the area.
– 802.11a/n—Displays a colored overlay depicting the coverage patterns for the clients with
802.11a/n radios. The colors show the received signal strength from red (–35 dBm) through
dark blue (–85 dBm).
– 802.11b/g/n—Displays a colored overlay depicting the coverage patterns for the clients with
802.11b/g/n radios. The colors show the received signal strength from red (–35 dBm) through
dark blue (–85 dBm). This is the default value.
•
State—Choose All, Idle, Authenticated, Probing, or Associated from the drop-down list.
Click OK when all applicable filtering criteria are selected.
Filtering 802.11 Tag Floor Settings
If you enable the 802.11 Tags floor setting and then click the blue arrow to the right, the Tag Filter dialog
appears.
Tag filtering options include the following:
•
Show All Tags—Select the check box to display all tags on the map.
•
Small Icons—Select the check box to display icons for each tag on the map.
Note
If you select the Show All Tags check box and Small Icons check box, all other drop-down list
options are dimmed.
If you unselect the Small Icons check box, you can choose if you want the label to display MAC
address, asset name, asset group, or asset category.
If you unselect the Show All Tags check box, you can specify how you want the tags filtered.
•
Display—Choose the tag identifier (MAC address, asset name, asset group, or asset category) to
display on the map.
•
Filter By—Choose the parameter by which you want to filter the clients (MAC address, asset name,
asset group, asset category, or controller). Once selected, type the specific device in the text box.
Click OK when all applicable filtering criteria are selected.
Filtering Rogue AP Floor Settings
If you enable the Rogue APs floor setting and then click the blue arrow to the right, the Rogue AP filter
dialog box appears.
Rogue AP filtering options include the following:
•
Show All Rogue APs—Select the check box to display all rogue access points on the map.
•
Small Icons—Select the check box to display icons for each rogue access point on the map.
Note
If you select the Show All Rogue APs check box and Small Icons check box, all other
drop-down list options are dimmed.
If you unselect the Show All Rogue APs check box, you can specify how you want the rogue
access points filtered.
•
MAC Address—If you want to view a particular MAC address, enter it in the MAC Address text box.
•
State—Use the drop-down list to choose from Alert, Known, Acknowledged, Contained, Threat, or
Unknown contained states.
•
On Network—Use the drop-down list to specify whether or not you want to display rogue access
points on the network.
Click OK when all applicable filtering criteria are selected.
Filtering Rogue Adhoc Floor Settings
If you enable the Rogue Adhocs floor setting and then click the blue arrow to the right, the Rogue Adhoc
filter dialog appears.
Rogue Adhoc filtering options include the following:
•
Show All Rogue Adhocs—Select the check box to display all rogue adhocs on the map.
•
Small Icons—Select the check box to display icons for each rogue adhoc on the map.
Note
If you select the Show All Rogue Adhocs check box and Small Icons check box, all other
drop-down list options are dimmed.
If you unselect the Show All Rogue Adhocs check box, you can specify how you want the rogue
adhocs filtered.
•
MAC Address—If you want to view a particular MAC address, enter it in the MAC Address text box.
•
State—Use the drop-down list to select from Alert, Known, Acknowledged, Contained, Threat, or
Unknown contained states.
•
On Network—Use the drop-down list to specify whether or not you want to display rogue adhocs
on the network.
Click OK when all applicable filtering criteria are selected.
Filtering Rogue Client Floor Settings
If you enable the Rogue Clients floor setting and then click the blue arrow to the right, the Rogue Clients
filter dialog appears.
Rogue Clients filtering options include the following:
•
Show All Rogue Clients—Select the check box to display all rogue clients on the map.
•
Small Icons—Select the check box to display icons for each rogue client on the map.
Note
If you select the Show All Rogue Clients check box and Small Icons check box, all other
drop-down list options are dimmed.
If you unselect the Show All Rogue Clients check box, you can specify how you want the rogue
clients filtered.
•
Assoc. Rogue AP MAC Address—If you want to view a particular MAC address, enter it in the MAC
Address text box.
•
State—Use the drop-down list to choose from Alert, Contained, Threat, or Unknown contained
states.
Click OK when all applicable filtering criteria are selected.
Filtering Interferer Settings
If you enable the Interferer floor setting and then click the blue arrow to the right, the Interferers filter dialog
box appears.
Interferer filtering options include the following:
•
Show active interferers only—Select the check box to display all active interferers.
•
Small Icons—Select the check box to display icons for each interferer on the map.
•
Show Zone of Impact—Displays the approximate interference impact area. The opacity of the circle
denotes its severity. A solid red circle represents a very strong interferer that likely disrupts Wi-Fi
communications; a light pink circle represents a weak interferer.
•
Click OK when all applicable filtering criteria are selected.
Import Map and AP Location Data
When converting from autonomous to lightweight access points and from the WLSE to Prime
Infrastructure, one of the conversion steps is to manually reenter the access point-related information
into the Prime Infrastructure. To speed up this process, you can export the information about access
points from the WLSE and import it into the Prime Infrastructure.
Note
The Prime Infrastructure expects a .tar file and checks for a .tar extension before importing the file. If
the file you are trying to import is not a .tar file, the Prime Infrastructure displays an error message and
prompts you to import a different file.
Note
For more information on the WLSE data export functionality (WLSE Version 2.15), see the following
URL:
http://<WLSE_IP_ADDRESS>:1741/debug/export/exportSite.jsp.
To map properties and import a tar file containing WLSE data using the Prime Infrastructure web
interface, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
From the Select a command drop-down list, choose Import Maps, and click Go.
Step 3
Choose the WLSE Map and AP Location Data option, and click Next.
Step 4
In the Import WLSE Map and AP Location Data page, click Browse to select the file to import.
Step 5
Find and select the .tar file to import and click Open.
Prime Infrastructure displays the name of the file in the Import From text box.
Step 6
Click Import.
Prime Infrastructure uploads the file and temporarily saves it into a local directory while it is being
processed. If the file contains data that cannot be processed, the Prime Infrastructure prompts you to
correct the problem and retry. Once the file has been loaded, the Prime Infrastructure displays a report
of what is added to the Prime Infrastructure. The report also specifies what cannot be added and why.
If some of the data to be imported already exists, the Prime Infrastructure either uses the existing data
in the case of campuses or overwrites the existing data using the imported data in the cases of buildings
and floors.
Note
If there are duplicate names between a WLSE site and building combination and the Prime
Infrastructure campus (or top-level building) and building combination, the Prime Infrastructure
displays a message in the Pre Execute Import Report indicating that it will delete the existing
building.
Step 7
Click Import to import the WLSE data.
Prime Infrastructure displays a report indicating what was imported.
Step 8
Choose Monitor > Site Maps to view the imported data.
Monitoring Floor Area
The floor area is the area of each floor of the building measured to the outer surface of the outer walls
including the area of lobbies, cellars, elevator shafts, and in multi-dwelling buildings, all the common
spaces.
This section contains the following topics:
•
Panning and Zooming with Next Generation Maps, page 6-175
•
Adding Access Points to a Floor Area, page 6-176
•
Placing Access Points, page 6-178
Panning and Zooming with Next Generation Maps
Panning
To move the map, click and hold the left mouse button and drag the map to a new place.
You can also move the map North, South, East or West using the pan arrows. These can be found in the
top left hand corner of the map (see Figure 6-1).
Figure 6-1 Panning Control
Note
You can also perform the panning operations using the arrow keys on a keyboard.
Zooming in and out - changing the scale
The zooming levels depend upon the resolution of an image. A high resolution image may provide more
zoom levels. Each zoom level is made of a different style map shown at different scales, each one
showing more or less detail. Some maps will be of the same style, but at a smaller or larger scale.
To see a map with more detail you need to zoom in. You can do this using the zoom bar on the left hand
side of the map (see Figure 6-2). Click the + sign on the top of the zoom bar. To centre and zoom in on
a location, double click the location. To see a map with less detail you need to zoom out. To do this, click
the - sign on the bottom of the zoom bar.
Figure 6-2 Zooming Control
Note
You can perform zooming operations using the mouse or keyboard. With the keyboard, click the + or - signs
to zoom in or zoom out. With the mouse, use the mouse scroll wheel to zoom in or zoom out,
or double-click to zoom in.
Adding Access Points to a Floor Area
After you add the .PNG, .JPG, .JPEG, or .GIF format floor plan and outdoor area maps to the Prime
Infrastructure database, you can position lightweight access point icons on the maps to show where they
are installed in the buildings. To add access points to a floor area and outdoor area, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
From the Maps Tree View or the Monitor > Site Maps left sidebar menu, select the applicable floor to
open the Floor View page.
Step 3
From the Select a command drop-down list, choose Add Access Points, and click Go.
Step 4
In the Add Access Points page, select the check boxes of the access points that you want to add to the
floor area.
Note
If you want to search for access points, enter AP name or MAC address (Ethernet/Radio)/IP in
the Search AP [Name/MacAddress (Ethernet/Radio)/IP] text box, and then click Search. The
search is case-insensitive.
Note
Only access points that are not yet assigned to any floor or outdoor area appear in the list.
Note
Select the check box at the top of the list to select all access points.
Step 5
When all of the applicable access points are selected, click OK located at the bottom of the access point
list.
The Position Access Points page appears.
Each access point you have chosen to add to the floor map is represented by a gray circle (differentiated
by access point name or MAC address) and is lined up in the upper left part of the floor map.
Step 6
Click and drag each access point to the appropriate location. Access points turn blue when selected.
Note
When you drag an access point on the map, its horizontal and vertical position appears in the
Horizontal and Vertical text boxes.
Note
The small black arrow at the side of each access point represents Side A of each access point,
and each access point arrow must correspond with the direction in which the access points were
installed. Side A is clearly noted on each 1000 series access point and has no relevance to the
802.11a/n radio. To adjust the directional arrow, choose the appropriate orientation from the
Antenna Angle drop-down list.
When selected, the access point details are displayed on the left side of the page. Access point details
include the following:
•
AP Model—Indicates the model type of the selected access point.
•
Protocol—Choose the protocol for this access point from the drop-down list.
•
Antenna—Choose the appropriate antenna type for this access point from the drop-down list.
•
Antenna/AP Image—The antenna image reflects the antenna selected from the Antenna drop-down
list. Click the arrow at the top right of the antenna image to expand the image size.
•
Antenna Orientation—Depending on the antenna type, enter the Azimuth and the Elevation
orientations in degrees.
Note
The Azimuth option does not appear for Omnidirectional antennas because their pattern is
nondirectional in azimuth.
Note
For internal antennas, the same elevation angle applies to both radios.
The antenna angle is relative to the map X axis. Because the origin of the X (horizontal) and Y
(vertical) axes is in the upper left corner of the map, 0 degrees points side A of the access point to
the right, 90 degrees points side A down, 180 degrees points side A to the left, and so on.
The antenna elevation is used to move the antenna vertically, up or down, to a maximum of 90
degrees.
Make sure each access point is in the correct location on the map and has the correct antenna
orientation. Accurate access point positioning is critical when you use the maps to find coverage
holes and rogue access points.
Note
See the following URL for further information about the antenna elevation and azimuth patterns:
http://www.cisco.com/en/US/products/hw/wireless/ps469/tsd_products_support_series_home.html
Step 7
When you are finished placing and adjusting each access point, click Save.
Note
Clicking Save causes the antenna gain on the access point to correspond to the selected antenna.
This might cause the radio to reset.
Prime Infrastructure computes the RF prediction for the coverage area. These RF predictions are
popularly known as heat maps because they show the relative intensity of the RF signals on the coverage
area map.
Note
This display is only an approximation of the actual RF signal intensity because it does not take
into account the attenuation of various building materials, such as drywall or metal objects, nor
does it display the effects of RF signals bouncing off obstructions.
Note
Antenna gain settings have no effect on heatmaps and location calculations. Antenna gain is
implicitly associated to the antenna name. Because of this, the following apply:
– If an antenna is used and marked as “Other” in Prime Infrastructure, it is ignored for all
heatmap and location calculations;
– If an antenna is used and marked as a Cisco antenna in the Prime Infrastructure, that antenna
gain setting (internal value on Prime Infrastructure) is used no matter what gain is set on the
controller.
Note
See the “Placing Access Points” section on page 6-178 for more information on placing access
points on a map.
Note
You can change the position of access points by importing or exporting a file. See the
“Positioning Wi-Fi TDOA Receivers” section on page 6-195 for more information.
Placing Access Points
To determine the best location of all devices in the wireless LAN coverage areas, you need to consider
the access point density and location.
Ensure that no fewer than 3 access points, and preferably 4 or 5, provide coverage to every area where
device location is required. The more access points that detect a device, the better. This high level
guideline translates into the following best practices, ordered by priority:
1.
Most importantly, access points should surround the desired location.
2.
One access point should be placed roughly every 50 to 70 linear feet (about 17 to 20 meters). This
translates into one access point every 2,500 to 5000 square feet (about 230 to 450 square meters).
Note
The access point must be mounted so that it is under 20 feet high. For best performance, a mounting at
10 feet would be ideal.
Following these guidelines makes it more likely that access points detect tracked devices. Rarely do two
physical environments have the same RF characteristics. Users might need to adjust these parameters to
their specific environment and requirements.
Note
Devices must be detected at signals greater than –75 dBm for the controllers to forward information to
the location appliance. No fewer than three access points should be able to detect any device at signals
below –75 dBm.
Note
If you have a ceiling-mounted AP with an integrated omni-directional antenna, the antenna orientation
does not really need to be set in the Prime Infrastructure. However, if you mount that same AP on the
wall, you must set the antenna orientation to 90 degrees.
Table 6-6 describes the orientation of the access points.
Table 6-6 Antenna Orientation of the Access Points
Access Point | Antenna Orientation
1140 mounted on the ceiling | The Cisco logo should be pointing to the floor. Elevation: 0 degrees.
1240 mounted on the ceiling | The antenna should be perpendicular to the access point. Elevation: 0 degrees.
1240 mounted on the wall | The antenna should be parallel to the access point. Elevation: 0 degrees. If the antenna is perpendicular to the AP then the angle is 90 degrees (up or down does not matter as the dipole is omni).
Using the Automatic Hierarchy to Create Maps
Automatic Hierarchy Creation is a way for you to quickly create maps and assign access points to maps
in Prime Infrastructure. You can use Automatic Hierarchy Creation to create maps, once you have added
wireless LAN controllers to Prime Infrastructure and named your access points. Also, you can use it after
adding access points to your network to assign access points to maps in Prime Infrastructure.
Note
To use the Automatic Hierarchy Creation feature, you must have an established naming pattern for your
wireless access points that provides the campus, building, floor, or outdoor area names for the maps.
For example, San Jose-01-GroundFloor-AP3500i1.
Step 1
Choose Monitor > Automatic Hierarchy Creation to display the Automatic Hierarchy Creation page.
Step 2
In the text box, enter the name of an access point on your system. Or, you can choose one from the list.
This name is used to create a regular expression to create your maps.
Note
To update a previously created regular expression, click Load and Continue next to the
expression and update the expression accordingly. To delete a regular expression, click Delete
next to the expression.
Step 3
Click Next.
Step 4
If your access point’s name has a delimiter, enter it in the text box and click Generate basic regex based
on delimiter. The system generates a regular expression that matches your access point’s name based
on the delimiter.
For example, using the dash (-) delimiter in the access point name San Jose-01-GroundFloor-AP3500i1
produces the regular expression /(.*)-(.*)-(.*)-(.*)/.
If you have a more complicated access point name, you can manually enter the regular expression.
Note
You are not required to enter the leading and trailing slashes.
Note
As a convention, the Prime Infrastructure displays regular expressions in slashes.
Step 5
Click Test. The system displays the maps that will be created for the access point name and the regular
expression entered.
Step 6
Using the Group fields, assign matching groups to hierarchy types.
For example, if your access point is named: SJC14-4-AP-BREAK-ROOM
In this example, the campus name is SJC, the building name is 14, the floor name is 4, and the AP name
is AP-BREAK-ROOM.
Use the regular expression: /([A-Z]+)(\d+)-(\d+)-(.*)/
From the AP name, the following groups are extracted:
1.
SJC
2.
14
3.
4
4.
AP-BREAK-ROOM
The matching groups are assigned from left to right, starting at 1.
To make the matching groups match the hierarchy elements, use the drop-down list for each group
number to select the appropriate hierarchy element.
This enables you to have almost any ordering of locations in your access point names.
For example, if your access point is named: EastLab-Atrium2-3-SanFrancisco
If you use the regular expression: /(.*)-(.*)-(.*)-(.*)/
with the following group mapping:
1.
Building
2.
Device Name
3.
Floor
4.
Campus
Automatic Hierarchy Creation produces a campus named SanFrancisco, a building under that campus
named EastLab, and a floor in EastLab named 3.
Note
The two hierarchy types, Not in device name and Device have no effect, but enable you to skip groups
in case you need to use a matching group for some other purpose.
Automatic Hierarchy Creation requires the following groups to be mapped in order to compute a map on
which to place the access point:
Campus group present in match? | Building group present in match? | Floor group present in match? | Resulting location
Yes | Yes | Yes | Campus > Building > Floor
Yes | Yes | No | Failed match
Yes | No | Yes | Campus > Floor (where Floor is an outdoor area)
Yes | No | No | Failed match
No | Yes | Yes | System Campus > Building > Floor
No | Yes | No | Failed match
No | No | Yes | Failed match
No | No | No | Failed match
Automatic Hierarchy Creation attempts to guess the floor index from the floor name. If the floor name
is a number, AHC will assign the floor a positive floor index. If the floor name is a negative number or
starts with the letter B (for example, b1, -4, or B2), AHC assigns the floor a negative floor index. This
indicates that the floor is a basement.
When searching for an existing map on which to place the access point, AHC considers floors in the
access point’s building with the same floor index as the access point’s name.
For example, if the map SF > MarketStreet > Sublevel1 exists and has a floor index of -1, then the access
point SF-MarketStreet-b1-MON1 will be assigned to that floor.
Step 7
Click Next. You can test your regular expression and matching group mapping against more access
points by entering the access point names in the Add more device names to test against field and
clicking Add.
You then click Test to test each of the access points names in the table. The result of each test is displayed
in the table.
If required, return to the previous step to edit the regular expression or group mapping for the current
regular expression.
Step 8
Click Next, then click Save and Apply. This applies the regular expression to the system. The system
processes all the access points that are not assigned to a map.
Note
You can edit the maps to include floor images, correct dimensions, and so on. When Automatic
Hierarchy Creation creates a map, it uses the default dimensions of 20 feet by 20 feet. You will need to
edit the created maps to specify the correct dimensions and other attributes.
Maps created using Automatic Hierarchy Creation appear in the maps list with an incomplete icon. Once
you have edited a map, the incomplete icon disappears. You may hide the column for incomplete maps
by clicking the Edit View link.
Using the Map Editor
You use the Map Editor to define, draw, and enhance floor plan information. The map editor allows you
to create obstacles so that they can be taken into consideration while computing RF prediction heatmaps
for access points. You can also add coverage areas for location appliances that locate clients and tags in
that particular area.
The planning mode opens the map editor in the browser window from which the planning tool is
launched. If the original browser window has navigated away from the floor page, you need to navigate
back to the floor page to launch the map editor.
This section contains the following topics:
•
Guidelines for Using the Map Editor, page 6-183
•
Guidelines for Placing Access Points, page 6-183
•
Guidelines for Inclusion and Exclusion Areas on a Floor, page 6-185
•
Opening the Map Editor, page 6-185
•
Map Editor Icons, page 6-186
•
Using the Map Editor to Draw Coverage Areas, page 6-186
•
Using the Map Editor to Draw Obstacles, page 6-187
•
Defining an Inclusion Region on a Floor, page 6-187
•
Defining an Exclusion Region on a Floor, page 6-189
•
Defining a Rail Line on a Floor, page 6-189
Guidelines for Using the Map Editor
Consider the following when modifying a building or floor map using the map editor:
•
We recommend that you use the map editor to draw walls and other obstacles rather than importing
an .FPE file from the legacy floor plan editor.
– If necessary, you can still import .FPE files. To do so, navigate to the desired floor area, choose
Edit Floor Area from the Select a command drop-down list, click Go, select the FPE File
check box, and browse to choose the .FPE file.
•
You can add any number of walls to a floor plan with the map editor; however, the processing power
and memory of a client workstation might limit the refresh and rendering aspects of the Prime
Infrastructure.
– We recommend a practical limit of 400 walls per floor for machines with 1GB RAM or less.
•
All walls are used by the Prime Infrastructure when generating RF coverage heatmaps.
Guidelines for Placing Access Points
Place access points along the periphery of coverage areas to keep devices close to the exterior of rooms
and buildings. Access points placed in the center of these coverage areas provide good data on devices
that would otherwise appear equidistant from all other access points.
Figure 6-3
Access Points Clustered Together
By increasing overall access point density and moving access points towards the perimeter of the
coverage area, location accuracy is greatly improved.
Figure 6-4
Improved Location Accuracy by Increasing Density
In long and narrow coverage areas, avoid placing access points in a straight line. Stagger them so that
each access point is more likely to provide a unique snapshot of a device location.
Figure 6-5
Refrain From Straight Line Placement
Although the straight-line design might provide enough access point density for high bandwidth applications,
location suffers because each access point view of a single device is not varied enough; therefore,
location is difficult to determine.
Move the access points to the perimeter of the coverage area and stagger them. Each has a greater
likelihood of offering a distinctly different view of the device, resulting in higher location accuracy.
Figure 6-6
Improved Location Accuracy by Staggering Around Perimeter
Most current wireless handsets support only 802.11b/n, which offers only three non-overlapping
channels. Therefore, wireless LANs designed for telephony tend to be less dense than those planned to
carry data. Also, when traffic is queued in the Platinum QoS bucket (typically reserved for voice and
other latency-sensitive traffic), lightweight access points postpone their scanning functions that allow
them to peek at other channels and collect, among other things, device location information. The user
has the option to supplement the wireless LAN deployment with access points set to monitor-only mode.
Access points that perform only monitoring functions do not provide service to clients and do not create
any interference. They simply scan the airwaves for device information.
Less dense wireless LAN installations, such as voice networks, find their location accuracy greatly
increased by the addition and proper placement of monitor access points.
Figure 6-7
Less Dense Wireless LAN Installations
Verify coverage using a wireless laptop, handheld, or phone to ensure that no fewer than three access
points are detected by the device. To verify client and asset tag location, ensure that the Prime
Infrastructure reports client devices and tags within the specified accuracy range (10 m, 90%).
Note
If you have a ceiling-mounted AP with an integrated omni-directional antenna, the antenna
orientation does not really need to be set in the Prime Infrastructure. However, if you mount that
same AP on the wall, you must set the antenna orientation to 90 degrees.
Guidelines for Inclusion and Exclusion Areas on a Floor
Inclusion and exclusion areas can be any polygon shape and must have at least three points.
You can only define one inclusion region on a floor. By default, an inclusion region is defined for each
floor when it is added to the Prime Infrastructure. The inclusion region is indicated by a solid aqua line,
and generally outlines the region.
You can define multiple exclusion regions on a floor.
Newly defined inclusion and exclusion regions appear on heatmaps only after the mobility services
engine recalculates location.
Opening the Map Editor
Follow these steps to use the map editor:
Step 1
Choose Monitor > Site Map Design.
Step 2
Click the desired campus. The Site Maps > Campus Name page appears.
Step 3
Click a campus and then click a building.
Step 4
Click the desired floor area. The Site Maps > Campus Name > Building Name > Floor Area Name page
appears.
Step 5
From the Select a command drop-down list, choose Map Editor, and click Go. The Map Editor page
appears.
Map Editor Icons
Table 6-7 Next Generation Maps Icons
Icon | Description
 | Scale Floor—Click anywhere on the map to start drawing a line. Double-click to finish the line and enter the new line length in the pop-up that appears. This modifies the floor dimensions to the new dimensions.
 | Measure Distance—Click anywhere on the map to start drawing a line. Double-click to finish the line. The measured line length in ft/meters is shown on the top.
 | Copy/Move Obstacles—Select obstacles either by drawing a box on the map or by clicking the obstacles. To copy obstacles, click Copy. This creates new obstacles just above the selected obstacles. To move the obstacles, drag the selected obstacles to a new position. Clicking anywhere on the map unselects all the elements.
 | Delete Mode—Select the elements to be deleted either by drawing a box on the map or by clicking each element. Use the Shift key to select multiple elements. Use the Ctrl key to toggle selection of elements, one at a time. Clicking anywhere on the map unselects all the elements. Click Delete to delete the selected elements.
 | Modify Mode—Click an element and click the vertices to reshape it, or drag the element to move it to a new position. Clicking anywhere on the map unselects the selected element.
 | Draw Coverage Area
 | Draw Location Region
 | Draw Rail
 | Draw Obstacle—Click anywhere on the map to start drawing. Double-click to finish drawing. Use Ctrl-z to undo, Ctrl-y to redo, and the Esc key to cancel the current drawing.
 | Place Marker
 | Navigation—Removes any selected modes such as drawing or editing and switches to navigation mode, where you can view the map and perform zooming or panning.
Using the Map Editor to Draw Coverage Areas
If you have a building that is non-rectangular or you want to mark a non-rectangular area within a floor,
you can use the map editor to draw a coverage area.
Step 1
Add the floor plan if it is not already represented in the Prime Infrastructure.
Step 2
Choose Monitor > Site Maps.
Step 3
Click the Map Name that corresponds to the outdoor area, campus, building, or floor you want to edit.
Step 4
From the Select a command drop-down list, choose Map Editor, and click Go.
Step 5
In the Map Editor page, click the Draw Coverage Area icon on the toolbar.
A pop-up appears.
Step 6
Enter the name of the area that you are defining. Click OK.
A drawing tool appears.
Step 7
Move the drawing tool to the area you want to outline.
•
Click the left mouse button to begin and end drawing a line.
•
When you have completely outlined the area, double-click the left mouse button and the area is
highlighted in the page.
The outlined area must be a closed object to appear highlighted on the map.
Step 8
Click the disk icon on the toolbar to save the newly drawn area.
Using the Map Editor to Draw Obstacles
Table 6-8 describes the obstacle color coding.
Table 6-8 Obstacle Color Coding
Type of obstacle | Color coding | Loss (in dB)
Thick wall | | 13
Light wall | | 2
Heavy door | | 15
Light door | | 4
Cubicle | | 1
Glass | | 1.5
Defining an Inclusion Region on a Floor
To define an inclusion area, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the name of the appropriate floor area.
Step 3
From the Select a command drop-down list, choose Map Editor.
Step 4
Click Go.
Step 5
At the map, click the aqua box on the toolbar.
Note
A message box appears reminding you that only one inclusion area can be defined at a time.
Defining a new inclusion region automatically removes the previously defined inclusion region.
By default, an inclusion region is defined for each floor when it is added to the Prime
Infrastructure. The inclusion region is indicated by a solid aqua line and generally outlines the
region.
Step 6
Click OK in the message box that appears. A drawing icon appears to outline the inclusion area.
Step 7
To begin defining the inclusion area, move the drawing icon to a starting point on the map and click once.
Step 8
Move the cursor along the boundary of the area you want to include and click to end a border line. Click
again to define the next boundary line.
Step 9
Repeat Step 8 until the area is outlined and then double-click the drawing icon. A solid aqua line defines
the inclusion area.
Step 10
Choose Save from the Command menu or click the disk icon on the toolbar to save the inclusion region.
Note
If you made an error in defining the inclusion area, click the area. The selected area is outlined
by a dashed aqua line. Next, click the X icon on the toolbar. The area is removed from the floor
map.
Step 11
Select the Location Regions check box if it is not already selected. If you want it to apply to all floor
maps, click Save settings. Close the Layers configuration page.
Step 12
To resynchronize the Prime Infrastructure and MSE databases, choose Services > Synchronize
Services.
Note
If the two databases are already synchronized, a resynchronization happens automatically every
time there is a change. There is no need for an explicit resynchronization.
Step 13
In the Synchronize page, choose Network Designs from the Synchronize drop-down list and then click
Synchronize.
You can confirm that the synchronization is successful by viewing two green arrows in the Sync. Status
column.
Note
Newly defined inclusion and exclusion regions appear on heatmaps only after the mobility
services engine recalculates location.
Defining an Exclusion Region on a Floor
To further refine location calculations on a floor, you can define areas that are excluded (exclusion areas)
in the calculations. For example, you might want to exclude areas such as an atrium or stairwell within
a building. As a rule, exclusion areas are generally defined within the borders of an inclusion area.
To define an exclusion area, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the name of the appropriate floor area.
Step 3
From the Select a command drop-down list, choose Map Editor.
Step 4
Click Go.
Step 5
At the map, click the purple box on the toolbar.
Step 6
Click OK in the message box that appears. A drawing icon appears to outline the exclusion area.
Step 7
To begin defining the exclusion area, move the drawing icon to the starting point on the map, and click
once.
Step 8
Move the drawing icon along the boundary of the area you want to exclude. Click once to start a
boundary line, and click again to end the boundary line.
Step 9
Repeat Step 8 until the area is outlined and then double-click the drawing icon. The defined exclusion
area is shaded in purple when the area is completely defined.
Step 10
To define additional exclusion regions, repeat Step 5 to Step 9.
Step 11
When all exclusion areas are defined, choose Save from the Command menu or click the disk icon on
the toolbar to save the exclusion region.
Note
To delete an exclusion area, click the area to be deleted. The selected area is outlined by a dashed
purple line. Next, click the X icon on the toolbar. The area is removed from the floor map.
Step 12
Select the Location Regions check box if it is not already selected, click Save settings, and close the
Layers configuration page when complete.
Step 13
To resynchronize the Prime Infrastructure and location databases, choose Services > Synchronize
Services.
Step 14
In the Synchronize page, choose Network Designs from the Synchronize drop-down list and then click
Synchronize.
You can confirm that the synchronization is successful by viewing two green arrows in the Sync. Status
column.
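The region rules in the two procedures above (an outline must be a closed object, and exclusion areas are generally drawn inside the inclusion area) can be checked on exported coordinates before synchronizing. The following Python code is an added example, not Cisco code and not the mobility services engine's algorithm; the coordinates, region names, and function names are constructed for illustration.

```python
from typing import Dict, List, Tuple

Point = Tuple[float, float]
Polygon = List[Point]  # vertices in drawing order; the closing edge is implied


def polygon_area(poly: Polygon) -> float:
    """Shoelace formula; 0.0 means the outline encloses nothing."""
    total = 0.0
    for i, (x1, y1) in enumerate(poly):
        x2, y2 = poly[(i + 1) % len(poly)]
        total += x1 * y2 - x2 * y1
    return abs(total) / 2.0


def is_closed_area(poly: Polygon) -> bool:
    """A region needs at least three vertices and a non-zero enclosed area."""
    return len(poly) >= 3 and polygon_area(poly) > 0.0


def point_in_polygon(p: Point, poly: Polygon) -> bool:
    """Ray casting: count how many edges a ray going right from p crosses."""
    x, y = p
    inside = False
    for i, (x1, y1) in enumerate(poly):
        x2, y2 = poly[(i + 1) % len(poly)]
        if (y1 > y) != (y2 > y):  # this edge spans the ray's height
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def location_allowed(p: Point, inclusion: Polygon,
                     exclusions: Dict[str, Polygon]) -> bool:
    """True if p lies inside the inclusion region and in no exclusion region."""
    if not point_in_polygon(p, inclusion):
        return False
    return not any(point_in_polygon(p, e) for e in exclusions.values())


def review_design(inclusion: Polygon,
                  exclusions: Dict[str, Polygon]) -> List[str]:
    """Return findings about a floor's region design.

    Simplification (assumption): an exclusion region counts as contained when
    all of its vertices are inside the inclusion region. Vertices exactly on
    the inclusion boundary may be reported as outside.
    """
    findings = []
    if not is_closed_area(inclusion):
        findings.append("inclusion region: not a closed area")
    for name, poly in exclusions.items():
        if not is_closed_area(poly):
            findings.append(f"{name}: not a closed area")
        elif not all(point_in_polygon(v, inclusion) for v in poly):
            findings.append(f"{name}: extends outside the inclusion region")
    return findings


# Constructed sample floor, in feet: one inclusion region, three exclusion outlines.
INCLUSION: Polygon = [(0, 0), (100, 0), (100, 60), (0, 60)]
EXCLUSIONS: Dict[str, Polygon] = {
    "atrium": [(40, 20), (60, 20), (60, 40), (40, 40)],
    "stairwell": [(95, 50), (105, 50), (105, 58), (95, 58)],  # crosses the border
    "unfinished": [(10, 10), (20, 10)],                        # never closed
}

if __name__ == "__main__":
    for finding in review_design(INCLUSION, EXCLUSIONS):
        print("finding:", finding)
    for candidate in [(10, 30), (50, 30), (97, 55), (120, 10)]:
        print(candidate, "allowed:", location_allowed(candidate, INCLUSION, EXCLUSIONS))
```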
Defining a Rail Line on a Floor
You can define a rail line on a floor that represents a conveyor belt. Additionally, you can define an area
around the rail area known as the snap-width to further assist location calculations. This represents the
area in which you expect clients to appear. Any client located within the snap-width area is plotted on
the rail line (majority) or just outside of the snap-width area (minority).
Note
Rail line configurations do not apply to tags.
The snap-width area is defined in feet or meters (user-defined) and represents the distance that is
monitored on either side (east and west or north and south) of the rail.
To define a rail line on a floor, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the name of the appropriate floor area.
Step 3
Choose Map Editor from the Select a command drop-down list.
Step 4
Click Go.
Step 5
In the map, click the rail icon (to the right of the purple exclusion icon) on the toolbar.
Step 6
In the message dialog box that appears, enter a snap-width (feet or meters) for the rail and then click
OK. A drawing icon appears.
Step 7
Click the drawing icon at the starting point of the rail line. Click again when you want to stop drawing
the line or change the direction of the line.
Step 8
Click the drawing icon twice when the rail line is completely drawn on the floor map. The rail line
appears on the map and is bordered on either side by the defined snap-width region.
Note
To delete a rail line, click the area to be deleted. The selected area is outlined by a dashed purple
line. Next, click the X icon on the toolbar. The area is removed from the floor map.
Step 9
At the floor map, choose the Layers drop-down list.
Step 10
Select the Rails check box if it is not already selected, click Save settings, and close the Layers
configuration pane when complete.
Step 11
To resynchronize the Prime Infrastructure and mobility services engine, choose Services > Synchronize
Services.
Step 12
In the Synchronize page, choose Network Designs from the Synchronize drop-down list and then click
Synchronize.
You can confirm that the synchronization is successful by viewing two green arrows in the Sync. Status
column.
Adding an Outdoor Area
Note
You can add an outdoor area to a campus map in the Prime Infrastructure database regardless of whether
you have added outdoor area maps to the database.
To add an outdoor area to a campus map, follow these steps:
Step 1
If you want to add a map of the outdoor area to the database, save the map in .PNG, .JPG, .JPEG, or .GIF
format. Then browse to and import the map from anywhere in your file system.
Note
You do not need a map to add an outdoor area. You can simply define the dimensions of the area
to add it to the database. The map can be any size because the Prime Infrastructure automatically
resizes the map to fit the workspace.
Step 2
Choose Monitor > Site Maps.
Step 3
Click the desired campus to display the Monitor > Site Maps > Campus View page.
Step 4
From the Select a command drop-down list, choose New Outdoor Area.
Step 5
Click Go. The Create New Area page appears.
Step 6
In the New Outdoor Area page, enter the following information:
•
Name—The user-defined name of the new outdoor area.
•
Contact—The user-defined contact name.
•
Area Type (RF Model)—Cubes And Walled Offices, Drywall Office Only, Outdoor Open Space
(default).
•
AP Height (feet)—Enter the height of the access point.
•
Image File—Name of the file containing the outdoor area map. Click Browse to find the file.
Step 7
Click Next.
Step 8
Click Place to put the outdoor area on the campus map. Prime Infrastructure creates an outdoor area
rectangle scaled to the size of the campus map.
Step 9
Click and drag the outdoor area rectangle to the desired position on the campus map.
Step 10
Click Save to save this outdoor area and its campus location to the database.
Note
A hyperlink associated with the outdoor area takes you to the corresponding Maps page.
Step 11
(Optional) To assign location presence information for the new outdoor area, choose Edit Location
Presence Info, and click Go.
Note
By default, the Override Child Element Presence Info check box is selected. There is no need to
alter this setting for outdoor areas.
Using Chokepoints to Enhance Tag Location Reporting
Installation of chokepoints provides enhanced location information for RFID tags. When an active
Cisco-compatible Extensions Version 1-compliant RFID tag enters the range of a chokepoint, it is
stimulated by the chokepoint. The MAC address of this chokepoint is then included in the next beacon
sent by the stimulated tag. All access points that detect this tag beacon then forward the information to
the controller and location appliance.
Using chokepoints in conjunction with active Cisco-compatible Extensions-compliant tags provides immediate
location information on a tag and its asset. When a Cisco-compatible Extensions tag moves out of the
range of a chokepoint, its subsequent beacon frames do not contain any identifying chokepoint
information. Location determination of the tag defaults to the standard calculation methods based on
RSSIs reported by the access point associated with the tag.
This section contains the following topics:
•
Adding a Chokepoint to a Prime Infrastructure Map
•
Positioning Chokepoints
•
Adding Wi-Fi TDOA Receivers to the Prime Infrastructure Database
•
Adding Wi-Fi TDOA Receivers to a Map
•
Positioning Wi-Fi TDOA Receivers
•
Managing RF Calibration Models
Adding Chokepoints to the Prime Infrastructure Database
Chokepoints are installed and configured as recommended by the chokepoint vendor. After the
chokepoint installation is complete and operational, the chokepoint can be entered into the location
database and plotted on a Prime Infrastructure map.
To add a chokepoint to the Prime Infrastructure database, follow these steps:
Step 1
Choose Configure > Chokepoints.
Step 2
From the Select a command drop-down list, choose Add Chokepoints.
Step 3
Click Go.
Step 4
Enter the MAC address and name for the chokepoint.
Step 5
Select the Entry/Exit Chokepoint check box.
Step 6
Enter the coverage range for the chokepoint.
Note
The Chokepoint range is a visual representation only. It is product-specific. The actual range
must be configured separately using the applicable chokepoint vendor software.
Step 7
Click OK.
Note
After the chokepoint is added to the database, it can be placed on the appropriate Prime
Infrastructure floor map.
Adding a Chokepoint to a Prime Infrastructure Map
To add the chokepoint to a map, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
In the Maps page, choose the link that corresponds to the floor location of the chokepoint.
Step 3
From the Select a command drop-down list, choose Add Chokepoints.
Step 4
Click Go.
Note
The Add Chokepoints summary page lists all recently added chokepoints that are in the database
but are not yet mapped.
Step 5
Select the check box next to the chokepoint that you want to place on the map.
Step 6
Click OK.
A map appears with a chokepoint icon located in the top left-hand corner. You are now ready to place
the chokepoint on the map.
Step 7
Left-click the chokepoint icon and drag it to the proper location.
Note
The MAC address, name, and coverage range of the chokepoint appear in the dialog box on the
left when you click the chokepoint icon for placement.
Step 8
Click Save.
You are returned to the floor map and the added chokepoint appears on the map.
Note
The newly created chokepoint icon might or might not appear on the map depending on the
display settings for that floor.
Note
The rings around the chokepoint icon indicate the coverage area. When a CCX tag and its asset
pass within the coverage area, location details are broadcast, and the tag is automatically
mapped on the chokepoint coverage circle. When the tag moves out of the chokepoint range, its
location is calculated as before and is no longer mapped on the chokepoint rings.
Note
The MAC address, name, entry/exit chokepoint, static IP address, and range of the chokepoint
appear when you hover your mouse cursor over its map icon.
Step 9
If the chokepoint does not appear on the map, select the Chokepoints check box located in the Floor
Settings menu.
Note
Do not click Save Settings unless you want to save this display criteria for all maps.
Note
You must synchronize the network design to the mobility services engine or location server to push
chokepoint information.
Positioning Chokepoints
To position chokepoints on the map, follow these steps:
Step 1
Left-click the Chokepoint icon and drag it to the proper location.
Note
The MAC address, name, and coverage range of the chokepoint appear in the dialog box on the
left when you click the chokepoint icon for placement.
Step 2
Click Save when the icon is correctly placed on the map.
Step 3
The newly created chokepoint icon might or might not appear on the map depending on the display
settings for that floor.
Note
The rings around the chokepoint icon indicate the coverage area. When a Cisco-compatible
Extensions tag and its asset pass within the coverage area, location details are broadcast, and
the tag is automatically mapped on the chokepoint coverage circle. The chokepoint range is
provided as a visual only, but chokepoint vendor software is required to actually configure the
range. When the tag moves out of the chokepoint range, its location is calculated as before and
is no longer mapped on the chokepoint rings.
Note
The MAC address, name, and range of a chokepoint are displayed when you hover your mouse
cursor over its map icon.
Step 4
If the chokepoint does not appear on the map, choose Layers to view a drop-down list of possible
elements to display on the map. Select the Chokepoints check box.
Note
Do not click Save Settings unless you want to save this display criteria for all maps.
Note
You can change the position of chokepoints by importing or exporting a file.
Configuring Wi-Fi TDOA Receivers
This section contains the following topics:
•
Adding Wi-Fi TDOA Receivers to the Prime Infrastructure Database
•
Adding Wi-Fi TDOA Receivers to a Map
•
Positioning Wi-Fi TDOA Receivers
•
Managing RF Calibration Models
•
Managing Location Presence Information
Adding Wi-Fi TDOA Receivers to the Prime Infrastructure Database
To add Wi-Fi TDOA receivers to the Prime Infrastructure database, follow these steps:
Step 1
Choose Configure > WiFi TDOA Receivers.
Step 2
From the Select a command drop-down list, choose Add WiFi TDOA Receivers.
Step 3
Click Go.
Step 4
Enter the MAC address, name, and static IP address for the Wi-Fi TDOA receiver.
Note
Wi-Fi TDOA receivers are configured separately using the Wi-Fi TDOA receiver vendor
software.
Step 5
Click OK to save the Wi-Fi TDOA receiver entry to the database.
Note
After the Wi-Fi TDOA receiver is added to the database, place it on the appropriate Prime
Infrastructure floor map. See the “Adding Wi-Fi TDOA Receivers to the Prime Infrastructure
Database” section on page 6-195 for more information.
Adding Wi-Fi TDOA Receivers to a Map
To add a WiFi TDOA receiver to a map, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Choose the link that corresponds to the floor location of the Wi-Fi TDOA receiver.
Step 3
From the Select a command drop-down list, choose Add WiFi TDOA Receivers.
Step 4
Click Go.
Note
The Add WiFi TDOA Receivers summary page lists all recently added Wi-Fi TDOA receivers
that are in the database but are not yet mapped.
Step 5
Select the check box next to the Wi-Fi TDOA receiver to be added to the map.
Step 6
Click OK.
A map appears with a green WiFi TDOA receiver icon located in the top left-hand corner. You are now
ready to position the Wi-Fi TDOA receiver on the map.
Positioning Wi-Fi TDOA Receivers
To position Wi-Fi TDOA receivers on the map, follow these steps:
Step 1
Left-click the WiFi TDOA receiver icon and drag it to the proper location.
Note
The MAC address and name of the Wi-Fi TDOA receiver appear in the left pane when you click
the WiFi TDOA receiver icon for placement.
Step 2
Click Save when the icon is correctly placed on the map.
Note
The MAC address of the Wi-Fi TDOA receiver appears when you hover your mouse cursor over
its map icon.
Step 3
If the chokepoint does not appear on the map, click Layers to view a drop-down list of possible elements
to display on the map. Select the WiFi TDOA Receivers check box.
Note
Do not select Save Settings unless you want to save this display criteria for all maps.
Note
You can change the position of Wi-Fi TDOA Receivers by importing or exporting a file.
Managing RF Calibration Models
If the provided RF models do not sufficiently characterize the floor layout, you can create a calibration
model that is applied to the floor and better represents the attenuation characteristics of that floor. The
calibration models are used as RF overlays with measured RF signal characteristics that can be applied
to different floor areas. This enables the Cisco WLAN solution installation team to lay out one floor in
a multi-floor area, use the RF calibration tool to measure, save the RF characteristics of that floor as a
new calibration model, and apply that calibration model to all the other floors with the same physical
layout.
You can collect data for a calibration using one of two methods:
•
Point mode data collection—Calibration points are selected and their coverage area is calculated one
location at a time.
•
Linear mode data collection—A series of linear paths are selected and then calculated as you
traverse the path. This approach is generally faster than the point mode data collection. You can also
employ point mode data collection to augment data collection for locations missed by the linear
paths.
Note
Calibration models can only be applied to clients, rogue clients, and rogue access points.
Calibration for tags is done using the Aeroscout System Manager. For details on tag
calibration, see http://support.aeroscout.com.
Note
We recommend a client device that supports both 802.11a/n and 802.11b/g/n radios to expedite
the calibration process for both spectrums.
Use a laptop or other wireless device to open a browser to the Prime Infrastructure server and perform the
calibration process.
This section contains the following topics:
•
Accessing Current Calibration Models
•
Applying Calibration Models to Maps
•
Viewing Calibration Model Properties
•
Viewing Calibration Model Details
•
Creating New Calibration Models
•
Starting Calibration Process
•
Calibrating
•
Apply the Model to the Floor
•
Deleting Calibration Models
Accessing Current Calibration Models
To access current calibration models, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
From the Select a command drop-down list, choose RF Calibration Models. The Model Name and
Status for each calibration model are listed.
Step 3
Click the model name to access a specific calibration model.
Applying Calibration Models to Maps
To apply a current calibration model to a map, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
From the Select a command drop-down list, choose RF Calibration Models.
Step 3
Click the model name to access the applicable calibration model.
Step 4
From the Select a command drop-down list, choose Apply to Maps.
Step 5
Click Go.
Viewing Calibration Model Properties
To view or edit current calibration models, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
From the Select a command drop-down list, choose RF Calibration Models.
Step 3
Click the model name to access the applicable calibration model.
Step 4
From the Select a command drop-down list, choose Properties.
Step 5
Click Go to view or edit calibration model details. See the “Viewing Calibration Model Properties”
section on page 6-197 for more information.
Viewing Calibration Model Details
To edit calibration model details, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
From the Select a command drop-down list, choose RF Calibration Models.
Step 3
Click the model name to access the applicable calibration model.
Step 4
From the Select a command drop-down list, choose Properties.
Step 5
Click Go.
Step 6
The following parameters might be edited:
•
Sweep Client Power for Location—Click to enable. You might want to enable this if a high density
of access points exists and transmit power is reduced or unknown. The sweeping range of client
transmit power might improve accuracy but scalability is negatively affected.
•
HeatMap Binsize—Choose 4, 8, 16, or 32 from the drop-down list.
•
HeatMap Cutoff—Determine the heatmap cutoff. We recommend a low heatmap cutoff especially
if the access point density is high and RF propagation conditions are favorable. A higher cutoff value
increases scalability but might cause difficulty when locating clients.
Step 7
When any necessary changes have been made or to exit the page, click OK.
Creating New Calibration Models
To create a new calibration model, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
From the Select a command drop-down list, choose RF Calibration Models.
Step 3
Click Go.
Step 4
From the Select a command drop-down list, choose Create New Model.
Step 5
Click Go.
Step 6
Enter a model name, and click OK.
The new model appears along with the other RF calibration models with a status of Not Yet Calibrated.
Starting Calibration Process
To start the calibration process, follow these steps:
Step 1
Click the model name to open the Calibration Model > Model Name page.
Step 2
From the Select a command drop-down list, choose Add Data Points.
Step 3
Click Go.
Step 4
Enter the MAC address of the device being used to perform the calibration. Manually-entered MAC
addresses must be delimited with colons (such as FF:FF:FF:FF:FF:FF).
Note
If this process is being performed from a mobile device connected to the Prime Infrastructure
through the Cisco Centralized architecture, the MAC address text box is automatically populated
with the device address.
Step 5
Choose the appropriate campus, building, floor, or outdoor area where the calibration is performed.
Note
The calibration in the outdoor area is supported in Release 1.0.x and later. You can use this
option to add the calibration data points to the outdoor area. The data points can be added to the
outdoor area using the same procedure for calibration.
Step 6
Click Next.
Step 7
When the chosen floor map and access point locations appear, a grid of plus marks (+) indicates the
locations where data collection for calibration is performed.
Using these locations as guidelines, you can perform either a point or linear collection of data by
appropriate placement of either the Calibration Point pop-up (point) or the Start and Finish pop-ups
(linear) that appear on the map when the respective options are displayed.
If you want to perform a point collection of data for the calibration, do the following:
a.
Choose Point from the Collection Method drop-down list and select the Show Data points check
box if not already selected. A calibration point pop-up appears on the map.
b.
Position the tip of the calibration point pop-up at a data point (+), and click Go. A dialog box appears
showing the progress of the data collection.
Note
Rotate the calibrating client laptop during data collection so that the client is heard evenly by all
access points in the vicinity.
c.
When the data collection is complete for a selected data point and the coverage area is plotted on
the map, move the calibration point pop-up to another data point, and click Go.
Note
The coverage area plotted on the map is color-coded and corresponds with the specific
wireless LAN standard used to collect that data. Information on color-coding is provided in
the legend on the left side of the page. Additionally, the progress of the calibration process is
indicated by two status bars above the legend, one for 802.11a/n and one for 802.11b/g/n.
Note
To delete data points for locations selected in error, click Delete and move the black square
that appears over the appropriate data points. Resize the square as necessary by pressing
Ctrl and moving the mouse.
d.
Repeat point collection Steps a. to c. until the calibration status bar of each relevant spectrum
(802.11a/n, 802.11b/g/n) displays ‘done.’
Note
The calibration status bar indicates data collection for the calibration as done after roughly
50 distinct locations and 150 measurements have been gathered. For every location point
saved in the calibration process, more than one data point is gathered. The progress of the
calibration process is indicated by two status bars above the legend, one for 802.11b/g/n and
one for 802.11a/n.
If you want to perform a linear collection of data for the calibration, do the following:
a.
Choose Linear from the Collection Method drop-down list, and select the Show Data points check
box if not already selected. A line appears on the map with both Start and Finish pop-ups.
b.
Position the tip of the Start pop-up at the starting data point.
c.
Position the Finish pop-up at the ending data point.
d.
Position yourself with your laptop at the starting data point, and click Go. Walk steadily towards the
end point along the defined path. A dialog box appears to show that data collection is in process.
Note
Do not stop data collection until you reach the end point even if the data collection bar
indicates completion.
Note
Only Intel and Cisco adapters have been tested. Make sure Enable Cisco-compatible
Extensions and Enable Radio Management Support are enabled in the Cisco-compatible
Extension Options.
e.
Press the space bar (or Done on the data collection panel) when you reach the end point. The
collection pane displays the number of samples taken before it closes to reveal the map. The map
displays all the coverage areas where data was collected.
Note
To delete data points for locations selected in error, click Delete and move the black square
that appears over the appropriate data points. Resize the square as necessary by pressing
Ctrl and moving the mouse.
Note
The coverage area is color-coded and corresponds with the specific wireless LAN standard
used to collect that data. Information on color-coding is provided in the legend on the left-hand
side of the page.
f.
Repeat linear collection Steps b to e until the status bar for the respective spectrum is filled in (done).
Note
You can augment linear collection with point mode data collection to address missed
coverage areas.
Step 8
Click the name of the calibration model at the top of the page to return to the main page for that model
to calibrate the data points.
Step 9
Choose Calibrate from the Select a command drop-down list, and click Go.
Step 10
Click the Inspect Location Quality link when calibration completes. A map showing RSSI
readings appears.
Step 11
To use the newly created calibration model, you must apply the model to the floor on which it was
created (and on any other floors with similar attenuation characteristics as well). Choose Monitor > Site
Maps and find the specific floor to which the model is applied. At the floor map interface, choose Edit
Floor Area from the drop-down list, and click Go.
Step 12
From the Floor Type (RF Model) drop-down list, choose the newly created calibration model. Click OK
to apply the model to the floor.
Note
This process can be repeated for as many models and floors as needed. After a model is applied
to a floor, all location determination performed on that floor is done using the specific collected
attenuation data from the calibration model.
Calibrating
To compute the collected data points, follow these steps:
Step 1
Click the model name to open the Calibration Model > Model Name page.
Step 2
In the Calibration Model > Model Name page, choose Calibrate from the Select a command drop-down
list.
Step 3
Click Go.
Apply the Model to the Floor
To use the newly created calibration model, you must apply the model to the floor on which it was
created (along with other floors with similar attenuation characteristics).
To apply the model to the floor, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Locate the specific floor to which the model is applied.
Step 3
From the Select a command drop-down list, choose Edit Floor Area.
Step 4
Click Go.
Step 5
From the Floor Type (RF Model) drop-down list, choose the newly created calibration model.
Step 6
Click OK to apply the model to the floor.
This process can be repeated for as many models and floors as needed. After a model is applied to a floor,
all location determination performed on that floor is done using the specific collected attenuation data
from the calibration model.
Deleting Calibration Models
To delete a calibration model, follow these steps:
Step 1
Click the model name to open the Calibration Model > Model Name page.
Step 2
From the Select a command drop-down list, choose Delete Model.
Step 3
Click Go.
Managing Location Presence Information
You can enable location presence through the mobility services engine to provide expanded Civic (city,
state, postal code, country) and GEO (longitude, latitude) location information beyond the Cisco default
setting (campus, building, floor, and X, Y coordinates). This information can then be requested by clients
on a demand basis for use by location-based services and applications. See the “Enabling Location
Presence for Mobility Services” section on page 16-774 for more information on enabling location
presence.
To view or edit current location presence information for a current map, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Select the check box of the map.
Step 3
From the Select a command drop-down list, choose Location Presence.
Step 4
Click Go.
The Location Presence page appears.
Note
The current map location information (Area Type, Campus, Building, and Floor) refers to the map
you selected in the Monitor > Site Maps page. To select a different map, use the Select a Map
to Update Presence Information drop-down lists to choose the new map location.
Step 5
Click the Civic Address, GPS Markers, or Advanced tab.
– Civic Address—Identifies the campus, building, or floor by name, street, house number, house
number suffix, city (address line2), state, postal code, and country.
– GPS Markers—Identify the campus, building, or floor by longitude and latitude.
– Advanced—Identifies the campus, building, or floor with expanded civic information such as
neighborhood, city division, county, and postal community name.
Note
Each selected field is inclusive of all of those above it. For example, if you select Advanced,
it can also provide GPS and Civic location information upon client demand. The selected
setting must match what is set on the mobility services engine level. See the Enabling
Location Presence for Mobility Services, page 16-774 for more information.
Note
If a client requests location information such as GPS Markers for a campus, building, floor,
or outdoor area that is not configured for that field, an error message appears.
Note
By default, the Override Child Element Presence Info check box is selected.
Searching Maps
You can use the following parameters in the Search Maps page:
• Search for
• Map Name
• Search in
• Save Search
• Items per page
After you click Go, the map search results page appears (see Table 6-9).
Table 6-9 Map Search Results
Field | Options
Name | Clicking an item in the Name column provides a map of an existing building with individual floor area maps for each floor.
Type | Campus, building, or floor area.
Total APs | Displays the total number of Cisco Radios detected.
a/n Radios | Displays the number of 802.11a/n Cisco Radios.
b/g/n Radios | Displays the number of 802.11b/g/n Cisco Radios.
Using the Map Editor
You can use the Prime Infrastructure map editor to define, draw, and enhance floor plan information.
This section contains the following topics:
• Opening the Map Editor
• Using the Map Editor to Draw Polygon Areas
• Defining an Inclusion Region on a Floor
• Defining an Exclusion Region on a Floor
• Defining a Rail Line on a Floor
Opening the Map Editor
Follow these steps to use the map editor:
Step 1
Choose Monitor > Site Maps to display the Maps page.
Step 2
Click the desired campus. The Site Maps > Campus Name page appears.
Step 3
Click a campus and then click a building.
Step 4
Click the desired floor area. The Site Maps > Campus Name > Building Name > Floor Area Name page
appears.
Step 5
From the Select a command drop-down list, choose Map Editor, and click Go. The Map Editor page
appears.
Note
Make sure that the floor plan images are properly scaled so that all white space outside of the
external walls is removed. To make sure that floor dimensions are accurate, click the compass
tool on the toolbar.
Step 6
Position the reference length. When you do, the Scale menu appears with the line length supplied. Enter
the dimensions (width and height) of the reference length, and click OK.
Step 7
Determine the propagation pattern from the Antenna Mode drop-down list.
Step 8
Make antenna adjustments by sliding the antenna orientation bar to the desired degree of direction.
Step 9
Choose the desired access point.
Step 10
Click Save.
Using the Map Editor to Draw Polygon Areas
If you have a building that is non-rectangular or you want to mark a non-rectangular area within a floor,
you can use the map editor to draw a polygon-shaped area.
Step 1
Add the floor plan if it is not already represented in the Prime Infrastructure (see the “Adding Floor
Areas” section on page 6-158).
Step 2
Choose Monitor > Site Maps.
Step 3
Click the Map Name that corresponds to the outdoor area, campus, building, or floor you want to edit.
Step 4
From the Select a command drop-down list, choose Map Editor, and click Go.
Step 5
In the Map Editor page, click the Add Perimeter icon on the toolbar.
A pop-up appears.
Step 6
Enter the name of the area that you are defining. Click OK.
A drawing tool appears.
Step 7
Move the drawing tool to the area you want to outline.
• Click the left mouse button to begin and end drawing a line.
• When you have completely outlined the area, double-click the left mouse button and the area is
highlighted in the page.
The outlined area must be a closed object to appear highlighted on the map.
Step 8
Click the disk icon on the toolbar to save the newly drawn area.
Step 9
Choose Command > Exit to close the window. You are returned to the original floor plan.
Note
When you return to the original floor plan view after exiting the map editor, the newly drawn
area is not visible; however, it appears in the Planning Model page when you add elements.
Step 10
Choose Planning Mode from the Select a command drop-down list to begin adding elements to the
newly defined polygon-shaped area. See Table 6-8 for the obstacle color coding.
Note
The RF prediction heatmaps for access points are approximations of the actual RF signal intensity. They take
into account the attenuation of obstacles drawn using the Map Editor, but they do not take into account
the attenuation of various building materials, such as drywall or metal objects, nor do they display the
effects of RF signals bouncing off obstructions. The thick wall (color-coded orange) with a loss of 13
dB might not be enough to contain the RF signal beyond the walls of the heatmap.
Defining an Inclusion Region on a Floor
To define an inclusion area, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the name of the appropriate floor area.
Step 3
From the Select a command drop-down list, choose Map Editor.
Step 4
Click Go.
Step 5
At the map, click the aqua box on the toolbar.
Note
A message box appears reminding you that only one inclusion area can be defined at a time.
Defining a new inclusion region automatically removes the previously defined inclusion region.
By default, an inclusion region is defined for each floor when it is added to the Prime
Infrastructure. The inclusion region is indicated by a solid aqua line and generally outlines the
region.
Step 6
Click OK in the message box that appears. A drawing icon appears to outline the inclusion area.
Step 7
To begin defining the inclusion area, move the drawing icon to a starting point on the map and click once.
Step 8
Move the cursor along the boundary of the area you want to include and click to end a border line. Click
again to define the next boundary line.
Step 9
Repeat Step 8 until the area is outlined and then double-click the drawing icon. A solid aqua line defines
the inclusion area.
Step 10
Choose Save from the Command menu or click the disk icon on the toolbar to save the inclusion region.
Note
If you made an error in defining the inclusion area, click the area. The selected area is outlined
by a dashed aqua line. Next, click the X icon on the toolbar. The area is removed from the floor
map.
Step 11
To return to the floor map to enable inclusion regions on heatmaps, choose Exit from the Command
menu.
Step 12
Select the Location Regions check box if it is not already selected. If you want it to apply to all floor
maps, click Save settings. Close the Layers configuration page.
Step 13
To resynchronize the Prime Infrastructure and MSE databases, choose Services > Synchronize
Services.
Note
If the two databases are already synchronized, a resynchronization happens automatically every
time there is a change. There is no need for an explicit resynchronization.
Step 14
In the Synchronize page, choose Network Designs from the Synchronize drop-down list and then click
Synchronize.
You can confirm that the synchronization is successful by viewing two green arrows in the Sync. Status
column.
Note
Newly defined inclusion and exclusion regions appear on heatmaps only after the mobility
services engine recalculates location.
Defining an Exclusion Region on a Floor
To further refine location calculations on a floor, you can define areas that are excluded (exclusion areas)
in the calculations. For example, you might want to exclude areas such as an atrium or stairwell within
a building. As a rule, exclusion areas are generally defined within the borders of an inclusion area.
To define an exclusion area, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the name of the appropriate floor area.
Step 3
From the Select a command drop-down list, choose Map Editor.
Step 4
Click Go.
Step 5
At the map, click the purple box on the toolbar.
Step 6
Click OK in the message box that appears. A drawing icon appears to outline the exclusion area.
Step 7
To begin defining the exclusion area, move the drawing icon to the starting point on the map, and click
once.
Step 8
Move the drawing icon along the boundary of the area you want to exclude. Click once to start a
boundary line, and click again to end the boundary line.
Step 9
Repeat Step 8 until the area is outlined and then double-click the drawing icon. The defined exclusion
area is shaded in purple when the area is completely defined.
Step 10
To define additional exclusion regions, repeat Step 5 to Step 9.
Step 11
When all exclusion areas are defined, choose Save from the Command menu or click the disk icon on
the toolbar to save the exclusion region.
Note
To delete an exclusion area, click the area to be deleted. The selected area is outlined by a dashed
purple line. Next, click the X icon on the toolbar. The area is removed from the floor map.
Step 12
To return to the floor map to enable exclusion regions on heatmaps, choose Exit from the Command
menu.
Step 13
Select the Location Regions check box if it is not already selected, click Save settings, and close the
Layers configuration page when complete.
Step 14
To resynchronize the Prime Infrastructure and location databases, choose Services > Synchronize
Services.
Step 15
In the Synchronize page, choose Network Designs from the Synchronize drop-down list and then click
Synchronize.
You can confirm that the synchronization is successful by viewing two green arrows in the Sync. Status
column.
Defining a Rail Line on a Floor
You can define a rail line on a floor that represents a conveyor belt. Additionally, you can define an area
around the rail area known as the snap-width to further assist location calculations. This represents the
area in which you expect clients to appear. Any client located within the snap-width area is plotted on
the rail line (majority) or just outside of the snap-width area (minority).
Note
Rail line configurations do not apply to tags.
The snap-width area is defined in feet or meters (user-defined) and represents the distance that is
monitored on either side (east and west or north and south) of the rail.
To define a rail on a floor, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the name of the appropriate floor area.
Step 3
Choose Map Editor from the Select a command drop-down list.
Step 4
Click Go.
Step 5
In the map, click the rail icon (to the right of the purple exclusion icon) on the toolbar.
Step 6
In the message dialog box that appears, enter a snap-width (feet or meters) for the rail and then click
OK. A drawing icon appears.
Step 7
Click the drawing icon at the starting point of the rail line. Click again when you want to stop drawing
the line or change the direction of the line.
Step 8
Click the drawing icon twice when the rail line is completely drawn on the floor map. The rail line
appears on the map and is bordered on either side by the defined snap-width region.
Note
To delete a rail line, click the area to be deleted. The selected area is outlined by a dashed purple
line. Next, click the X icon on the toolbar. The area is removed from the floor map.
Step 9
To return to the floor map to enable rails on heatmaps, choose Exit from the Command menu.
Step 10
At the floor map, choose the Layers drop-down list.
Step 11
Select the Rails check box if it is not already selected, click Save settings, and close the Layers
configuration panel when complete.
Step 12
To resynchronize the Prime Infrastructure and mobility services engine, choose Services > Synchronize
Services.
Step 13
In the Synchronize page, choose Network Designs from the Synchronize drop-down list and then click
Synchronize.
You can confirm that the synchronization is successful by viewing two green arrows in the Sync. Status
column.
Inspecting Location Readiness and Quality
You can configure Prime Infrastructure to verify the ability of the existing access point deployment to
estimate the true location of a client, rogue client, rogue access point, or tag within 10 meters at least
90% of the time. The location readiness calculation is based on the number and placement of access
points.
You can also check the location quality and the ability of a given location to meet the location
specification (10 m, 90%) based on data points gathered during a physical inspection and calibration.
Inspecting Location Readiness
The Inspect Location Readiness feature is a distance-based predictive tool that can point out problem
areas with access point placement.
To access the Inspect Location Readiness tool, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the applicable floor area name to view the map.
Note
If RSSI is not displayed, you can enable AP Heatmaps by selecting the AP Heatmaps check box
on the left sidebar menu.
Note
If clients, tags, and access points are not displayed, verify that their respective check boxes are
selected on the left sidebar menu. Licenses for both clients and tags must also be purchased for
each to be tracked.
Step 3
From the Select a command drop-down list, choose Inspect Location Readiness.
Step 4
Click Go.
A color-coded map appears showing those areas that meet (indicated by Yes) and do not meet (indicated
by No) the ten meter, 90% location specification.
Inspecting Location Quality Using Calibration Data
After completing a calibration model based on data points generated during a physical tour of the area,
you can inspect the location quality of the access points.
To inspect location quality based on calibration, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Choose RF Calibration Model from the Select a command list. Click Go.
A list of calibration models appears.
Step 3
Click the appropriate calibration model.
Details on the calibration including date of last calibration, number of data points by signal type
(802.11a, 802.11 b/g) used in the calibration, location, and coverage are displayed.
Step 4
In the same page, click the Inspect Location Quality link found under the Calibration Floors heading.
A color-coded map noting percentage of location errors appears.
Note
You can modify the distance selected to see the effect on the location errors.
Inspecting VoWLAN Readiness
The VoWLAN Readiness (voice readiness) tool allows you to check the RF coverage to determine if it
is sufficient for your voice needs. This tool verifies RSSI levels after access points have been installed.
To access the VoWLAN Readiness Tool (VRT), follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the applicable floor area name.
Step 3
From the Select a command drop-down list, choose Inspect VoWLAN Readiness.
Step 4
Choose the applicable Band, AP Transmit Power, and Client parameters from the drop-down lists.
Note
By default, the region map displays the b/g/n band for Cisco Phone-based RSSI threshold. The
new settings cannot be saved.
Step 5
Depending on the selected client, the following RSSI values might not be editable:
• Cisco Phone—RSSI values are not editable.
• Custom—RSSI values are editable with the following ranges:
– Low threshold between -95 dBm and -45 dBm
– High threshold between -90 dBm and -40 dBm
Step 6
The following color schemes indicate whether or not the area is voice ready:
• Green—Yes
• Yellow—Marginal
• Red—No
Note
The accuracy of the Green/Yellow/Red regions depends on the RF environment and whether or
not the floor is calibrated. If the floor is calibrated, the accuracy of the regions is enhanced.
Troubleshooting Voice RF Coverage Issues
• Floors with either calibration or no calibration data are treated as follows:
– Set the AP Transmit field to Max (the maximum downlink power settings). If the map still
shows some yellow or red regions, more access points are required to cover the floor.
– If the calibrated model shows red or yellow regions (where voice is expected to be deployed)
with the AP Transmit field set to Current, increasing the power level of the access points might
help.
Monitoring Mesh Networks Using Maps
You can access and view details for the following elements from a mesh network map in the Prime
Infrastructure:
• Mesh Link Statistics
• Mesh Access Points
• Mesh Access Point Neighbors
How this information is accessed and displayed for each of these items is described in this
section. This section contains the following topics:
• Monitoring Mesh Link Statistics Using Maps
• Monitoring Mesh Access Points Using Maps
• Monitoring Mesh Access Point Neighbors Using Maps
• Viewing the Mesh Network Hierarchy
• Using Mesh Filters to Modify Map Display of Maps and Mesh Links
Monitoring Mesh Link Statistics Using Maps
You can view the SNR for a specific mesh network link, view the number of packets transmitted and
received on that link, and initiate a link test in the Monitor > Site Maps page.
To view details on a specific mesh link between two mesh access points or a mesh access point and a
root access point, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the map name that corresponds to the outdoor area, campus, building, or floor you want to monitor.
Step 3
From the left sidebar menu, click the arrow to the right of AP Mesh Info. The Mesh Filter dialog box
appears.
Step 4
Move the cursor over the colored dot next to each mesh access point child to view details on the link
between it and its parent. Table 6-10 summarizes the parameters that appear.
The color of the dot also provides a quick reference point of the SNR strength as follows:
• A green dot represents a high SNR (above 25 dB).
• An amber dot represents an acceptable SNR (20-25 dB).
• A red dot represents a low SNR (below 20 dB).
• A black dot indicates a root access point.
The Bridging Link information appears.
Table 6-10 Bridging Link Information
Field | Description
Information fetched on | Date and time that information was compiled.
Link SNR | Link signal-to-noise ratio (SNR).
Link Type | Hierarchical link relationship.
SNR Up | Signal-to-noise ratio for the uplink (dB).
SNR Down | Signal-to-noise ratio for the downlink (dB).
PER | The packet error rate for the link.
Tx Parent Packets | The TX packets to a node while acting as a parent.
Rx Parent Packets | The RX packets to a node while acting as a parent.
Time of Last Hello | Date and time of last hello.
Step 5
Click either Link Test, Child to Parent or Link Test, Parent to Child. After the link test is complete, a
results page appears.
Note
A link test runs for 30 seconds.
Note
You cannot run link tests for both links (child-to-parent and parent-to-child) at the same time.
Step 6
To view a graphical representation of SNR statistics over a period of time, click the arrow on the link. A
page with multiple SNR graphs appears.
The following graphs are displayed for the link:
• SNR Up—Plots the RSSI values of the neighbor from the perspective of the access point.
• SNR Down—Plots the RSSI values that the neighbor reports to the access point.
• Link SNR—Plots a weighted and filtered measurement based on the SNR Up value.
• The Adjusted Link Metric—Plots the value used to determine the least cost path to the root access point.
This value represents the ease of getting to the rooftop access point and accounts for the number of hops.
The lower the ease value, the less likely the path is used.
• The Unadjusted Link Metric—Plots the least cost path to get to the root access point unadjusted by the
number of hops. The higher the value for the unadjusted link, the better the path.
Monitoring Mesh Access Points Using Maps
You can view the following summary information for a mesh access point from a mesh network map:
• Parent
• Number of children
• Hop count
• Role
• Group name
• Backhaul interface
• Data Rate
• Channel
Note
This information is in addition to the information shown for all access points (MAC address,
access point model, controller IP address, location, height of access point, access point uptime,
and LWAPP uptime).
Note
You can also view detailed configuration and access alarm and event information from the map.
For detailed information on the Alarms and Events displayed, see the “Alarm and Event
Dictionary” section on page 13-713.
To view summary and detailed configuration information for a mesh access point from a mesh network
map, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the map name that corresponds to the outdoor area, campus, building, or floor location of the
access point you want to monitor.
Step 3
To view summary configuration information for an access point, hover your mouse cursor over the access
point that you want to monitor. A dialog box with configuration information for the selected access point
appears.
Step 4
To view detailed configuration information for an access point, double-click the access point appearing
on the map. The configuration details for the access point appear.
Note
For more details on the View Mesh Neighbors link in the access point dialog box, see the
“Monitoring Mesh Access Point Neighbors Using Maps” section on page 6-213. If the access
point has an IP address, a Run Ping Test link is also visible at the bottom of the mesh access
point dialog box.
Step 5
In the Access Point Details configuration page, follow these steps to view configuration details for the
mesh access point:
a. Click the General tab to view the overall configuration of the mesh access point such as the AP
name, MAC address, AP Up time, associated controllers (registered and primary) operational status,
and software version.
Note
The software version for mesh access points is appended with the letter m and the word mesh
appears in parentheses.
b. Click the Interface tab to view configuration details for the interfaces supported on the mesh access
point. Interface options are radio and Ethernet.
c. Click the Mesh Links tab to view parent and neighbor details (name, MAC address, packet error
rate, and link details) for the mesh access point. You can also initiate link tests from this page.
d. Click the Mesh Statistics tab to view details on the bridging, queue, and security statistics for the
mesh access point. For more details on mesh statistics, see the “Mesh Statistics Tab” section on
page 5-83.
Monitoring Mesh Access Point Neighbors Using Maps
To view details on neighbors of a mesh access point from a mesh network map, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the map name that corresponds to the outdoor area, campus, building, or floor you want to monitor.
Step 3
To view detailed information on mesh links for a mesh access point, click the arrow portion of the access
point label. The Access Points page appears.
Step 4
Click the Mesh Links tab.
Note
You can also view mesh link details for neighbors of a selected access point by clicking the View Mesh
Neighbors link on the Mesh tab of the access point configuration summary dialog box, which appears
when you hover your mouse cursor over an access point on a map.
Note
Signal-to-noise (SNR) appears in the View Mesh Neighbors dialog box.
Note
In addition to listing the current and past neighbors in the dialog box that appears, labels are added to
the mesh access points map icons to identify the selected access point, the neighbor access point, and
the child access point. Click the clear link of the selected access point to remove the relationship labels
from the map.
Note
The drop-down lists at the top of the mesh neighbors page indicate the resolution of the map (100%)
displayed and how often the information displayed is updated (every 5 mins). You can modify these
default values.
Viewing the Mesh Network Hierarchy
You can view the parent-child relationship of mesh access points within a mesh network in an easily
navigable display. You can also filter which access points are displayed in the map view by selecting
only access points of interest.
To view the mesh network hierarchy for a selected network, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Click the map name you want to display.
Step 3
Select the AP Mesh Info check box in the left sidebar menu if it is not already selected.
Note
The AP Mesh Info check box is only selectable if mesh access points are present on the map. It
must be selected to view the mesh hierarchy.
Step 4
Click the blue arrow to the right of the AP Mesh Info to display the Mesh Parent-Child Hierarchical
View.
Step 5
Click the plus (+) sign next to a mesh access point to display its children.
All subordinate mesh access points are displayed when a negative (-) sign appears next to the parent
mesh access point entry. For example, the access point, indoor-mesh-45-rap2, has only one child,
indoor-mesh-44-map2.
Step 6
Hover your mouse cursor over the colored dot next to each mesh access point child to view details on
the link between it and its parent. Table 6-11 summarizes the parameters that appear.
The color of the dot also provides a quick reference point of the SNR strength:
• A green dot represents a high SNR (above 25 dB).
• An amber dot represents an acceptable SNR (20-25 dB).
• A red dot represents a low SNR (below 20 dB).
• A black dot indicates a root access point.
Table 6-11 Bridging Link Information
Field | Description
Information fetched on | Date and time that information was compiled.
Link SNR | Link signal-to-noise ratio (SNR).
Link Type | Hierarchical link relationship.
SNR Up | Signal-to-noise ratio for the uplink (dB).
SNR Down | Signal-to-noise ratio for the downlink (dB).
PER | The packet error rate for the link.
Tx Parent Packets | The TX packets to a node while acting as a parent.
Rx Parent Packets | The RX packets to a node while acting as a parent.
Time of Last Hello | Date and time of last hello.
Using Mesh Filters to Modify Map Display of Maps and Mesh Links
In the mesh hierarchical page, you can also define mesh filters to determine which mesh access points
display on the map based on hop values as well as what labels display for mesh links.
Mesh access points are filtered by the number of hops between them and their root access point.
To use mesh filtering, follow these steps:
Step 1
To modify what label and color displays for a mesh link, follow these steps:
a. In the Mesh Parent-Child Hierarchical View, choose an option from the Link Label drop-down
list. Options are None, Link SNR, and Packet Error Rate.
b. In the Mesh Parent-Child Hierarchical View, choose an option from the Link Color drop-down
list to define which parameter (Link SNR or Packet Error Rate) determines the color of the mesh
link on the map.
Note
The color of the link provides a quick reference point of the SNR strength or Packet Error Rate.
Table 6-12 defines the different link colors.
Table 6-12 Definition for SNR and Packet Error Rate Link Color
Link Color | Link SNR | Packet Error Rate (PER)
Green | Represents a SNR above 25 dB (high value) | Represents a PER of one percent (1%) or lower
Amber | Represents a SNR between 20 and 25 dB (acceptable value) | Represents a PER that is less than ten percent (10%) and greater than one percent (1%)
Red | Represents a SNR below 20 dB (low value) | Represents a PER that is greater than ten percent (10%)
Note
The Link label and color settings are reflected on the map immediately. You can display both
SNR and PER values simultaneously.
Step 2
To modify which mesh access points display based on the number of hops between them and their
parents, do the following:
a. In the Mesh Parent-Child Hierarchical View, choose the appropriate options from the Quick
Selections drop-down list. A description of the options is provided in Table 6-13.
Table 6-13 Quick Selection Options
Field | Description
Select only Root APs | Choose this setting if you want the map view to display root access points only.
Select up to 1st hops | Choose this setting if you want the map view to display 1st hops only.
Select up to 2nd hops | Choose this setting if you want the map view to display 2nd hops only.
Select up to 3rd hops | Choose this setting if you want the map view to display 3rd hops only.
Select up to 4th hops | Choose this setting if you want the map view to display 4th hops only.
Select All | Select this setting if you want the map view to display all access points.
b. Click Update Map View to refresh the screen and display the map view with the selected
options.
Note
Map view information is retrieved from the Prime Infrastructure database and is updated
every 15 minutes.
Note
You can also select or unselect the check boxes of access points in the mesh hierarchical
view to modify which mesh access points are displayed. For a child access point to be
visible, the parent access point to root access point must be selected.
Note
If you want to have the MAC address appear with the client logo in the Monitor > Site Maps
page, follow these steps:
a) Go to the Maps Tree View.
b) Click the > beside Clients.
c) Unselect the Small Icons check box.
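The following Python sketch is an added example, not part of the Cisco guide or of Prime Infrastructure. It applies the Table 6-12 SNR and PER thresholds and the hop-based Quick Selections to a link inventory, including the rule that a child access point is shown only when every parent up to its root is selected. The MeshAP record, the function names, the reading of "Select up to Nth hops" as "N hops or fewer", the treatment of a PER of exactly 10% as red, and every access point name other than the two from the guide's hierarchy example are assumptions; all sample values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class MeshAP:
    name: str
    parent: Optional[str]                 # None marks a root access point (black dot)
    link_snr_db: Optional[float] = None   # Link SNR toward the parent, in dB
    per_percent: Optional[float] = None   # packet error rate toward the parent, in %


def snr_color(snr_db: float) -> str:
    """Table 6-12: above 25 dB green, 20-25 dB amber, below 20 dB red."""
    if snr_db > 25:
        return "green"
    return "amber" if snr_db >= 20 else "red"


def per_color(per_percent: float) -> str:
    """Table 6-12: 1% or lower green, between 1% and 10% amber, above 10% red.
    The table does not define exactly 10%; it is treated as red here (assumption)."""
    if per_percent <= 1:
        return "green"
    return "amber" if per_percent < 10 else "red"


def hop_count(aps: Dict[str, MeshAP], name: str) -> int:
    """Hops from an access point up to its root (a root is 0 hops)."""
    hops, seen, current = 0, {name}, aps[name]
    while current.parent is not None:
        if current.parent not in aps:
            raise ValueError(f"{current.name}: parent {current.parent} not in inventory")
        if current.parent in seen:
            raise ValueError(f"{name}: parent loop at {current.parent}")
        seen.add(current.parent)
        current = aps[current.parent]
        hops += 1
    return hops


def quick_select(aps: Dict[str, MeshAP], max_hops: Optional[int]) -> Set[str]:
    """Quick Selections: 0 = only root APs, N = up to Nth hops, None = Select All."""
    return {n for n in aps if max_hops is None or hop_count(aps, n) <= max_hops}


def visible(aps: Dict[str, MeshAP], selected: Set[str]) -> Set[str]:
    """A selected AP is shown only if every parent up to its root is selected too."""
    shown = set()
    for name in selected:
        hop_count(aps, name)              # validates the parent chain (no loops, no gaps)
        chain, current = [name], aps[name]
        while current.parent is not None:
            chain.append(current.parent)
            current = aps[current.parent]
        if all(n in selected for n in chain):
            shown.add(name)
    return shown


def link_report(aps: Dict[str, MeshAP], selected: Set[str],
                color_by: str = "snr") -> List[Tuple[str, str, str]]:
    """(child, parent, color) for each visible link, ordered from the root outward."""
    rows = []
    for name in sorted(visible(aps, selected), key=lambda n: (hop_count(aps, n), n)):
        ap = aps[name]
        if ap.parent is None:
            continue                      # root APs have no uplink to colour
        value = ap.link_snr_db if color_by == "snr" else ap.per_percent
        if value is None:
            color = "unknown"             # no measurement collected for this link
        else:
            color = snr_color(value) if color_by == "snr" else per_color(value)
        rows.append((name, ap.parent, color))
    return rows


# Constructed sample inventory. The first two names come from the guide's
# hierarchy example; the other names and all SNR/PER values are made up.
SAMPLE = {ap.name: ap for ap in [
    MeshAP("indoor-mesh-45-rap2", None),
    MeshAP("indoor-mesh-44-map2", "indoor-mesh-45-rap2", 31.0, 0.4),
    MeshAP("map3-constructed", "indoor-mesh-44-map2", 22.0, 4.0),
    MeshAP("map4-constructed", "map3-constructed", 17.0, 12.5),
]}

if __name__ == "__main__":
    for child, parent, color in link_report(SAMPLE, quick_select(SAMPLE, 2)):
        print(f"{child} -> {parent}: {color}")
```

Clearing the check box of a middle access point removes its whole subtree from the report, which is why a degraded link further down can disappear from view when a parent is deselected.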
Monitoring Tags Using Maps
On a Prime Infrastructure map, you can review the name of the access point that generated the signal
for a tagged asset, its signal strength, and when the location information was last updated for the asset.
This information is displayed when you hover the mouse cursor over the asset tag icon on the map.
To enable tag location status on a map, follow these steps:
Step 1
Choose Monitor > Site Maps.
Step 2
Choose Campus > Building > Floor for the applicable mobility services engine and tag.
Step 3
Select the 802.11 Tags check box in the Floor Settings pane (left), if not already selected.
Note
Do not click Save Settings unless you want to save changes made to the Floor Settings across
all maps.
Step 4
Hover the mouse cursor over a tag icon (yellow tag) and a summary of its configuration appears in a
dialog box.
Step 5
Click the tag icon to see tag details in a new window.
Using Planning Mode
You can calculate the recommended number and location of access points based on whether data and/or
voice traffic and/or location are active.
Note: Based on the throughput specified for each protocol (802.11a or 802.11b/g), planning mode calculates the total number of access points required that would provide optimum coverage in your network.
Accessing Planning Mode
To access the Planning Mode feature, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 Select the desired campus or building from the Name list.
Step 3 Click the desired floor area in the Building.
Step 4 From the Select a command drop-down list, choose Planning Mode.
Step 5 Click Go.
Note: Planning mode does not use AP type or antenna pattern information for calculating the number of access points required. The calculation is based on the access point coverage area or the number of users per access point.
Planning Mode options:
• Add APs—Enables you to add access points on a map. See the “Using Planning Mode to Calculate Access Point Requirements” section on page 6-218 for details.
• Delete APs—Deletes the selected access points.
• Map Editor—Opens the Map Editor window. See the “Using the Map Editor” section on page 6-203 for more details.
• Synchronize with Deployment—Synchronizes your planning mode access points with the current deployment scenario.
• Generate Proposal—Displays a planning summary of the current access point deployment.
• Planned AP Association Tool—Allows you to add, delete, or import an AP association from an Excel or CSV file. Once an access point is defined, it can be associated to a base radio MAC address using the Planned AP Association Tool. If the AP is not discovered, it is pushed into a standby bucket and is associated when it is discovered.
Note: AP association is subject to the limitation that the AP must not belong to any floor or outdoor area. If the AP is already assigned to a floor or outdoor area, the standby bucket holds the AP and, when the AP is removed from that floor or outdoor area, it is positioned on the given floor. One MAC address cannot be put into the bucket for multiple floors or outdoor areas.
Note: Map synchronization works only if the AP is associated to a base radio MAC address and not to its Ethernet MAC address.
Using Planning Mode to Calculate Access Point Requirements
Prime Infrastructure planning mode enables you to calculate the number of access points required to
cover an area by placing fictitious access points on a map and allowing you to view the coverage area.
Based on the throughput specified for each protocol (802.11a/n or 802.11b/g/n), planning mode
calculates the total number of access points required to provide optimum coverage in your network. You
can calculate the recommended number and location of access points based on the following criteria:
• traffic type active on the network: data or voice traffic or both
• location accuracy requirements
• number of active users
• number of users per square footage
To calculate the recommended number and placement of access points for a given deployment, follow these steps:
Step 1 Choose Monitor > Site Maps. The Site Map page appears.
Step 2 Select the appropriate location link from the list that appears.
A color-coded map appears showing placement of all installed elements (access points, clients, tags) and
their relative signal strength.
Step 3 Choose Planning Mode from the Select a command drop-down list (top-right), and click Go. A blank floor map appears.
Step 4 Click Add APs.
Step 5 In the page that appears, drag the dashed-line rectangle over the map location for which you want to calculate the recommended access points.
Note: Adjust the size or placement of the rectangle by selecting the edge of the rectangle and holding down the Ctrl key. Move the mouse as necessary to outline the targeted location. When you use the next-generation maps mode, the rectangle is resizable by dragging on the handles on its edges and corners.
Step 6 Choose Automatic from the Add APs drop-down list.
Step 7 Choose the AP Type and the appropriate antenna and protocol for that access point.
Step 8 Choose the target throughput for the access point.
Step 9 Select the check boxes next to the services that are used on the floor. Options are Data/Coverage (default), Voice, Location, and Location with Monitor Mode APs (see Table 6-14).
Note: You must select at least one service or an error occurs.
Note: If you select the Advanced Options check box, two additional access point planning options appear: Demand and Override Coverage per AP. Additionally, a Safety Margin field appears for the Data/Coverage and Voice safety margin options.
Table 6-14 Definition of Services Option
Service Option: Data/Coverage
Description: Select this check box if data traffic is transmitted on the wireless LAN. The following densities are used depending on the band and data rates:
Band        Path Loss Model (dBm)    Data Rate (Mb/s)    Area (Sq. ft.)
802.11a     –3.3                     10-12               6000
802.11a     –3.3                     15-18               4500
802.11a     –3.5                     10-12               5000
802.11a     –3.5                     15-18               3250
802.11bg    –3.3                     5                   6500
802.11bg    –3.3                     6                   4500
802.11bg    –3.5                     5                   5500
802.11bg    –3.5                     6                   3500
If you select the Advanced Options check box, you can select the desired safety margin (aggressive, safe, or very safe) of the signal strength threshold for data.
• Aggressive = Minimum (–3 dBm)
• Safe = Medium (0 dBm)
• Very Safe = Maximum (+3 dBm)
Service Option: Voice
Description: Select the Voice check box if voice traffic is transmitted on the wireless LAN.
If you select the Advanced Options check box, you can select the desired safety margin (aggressive, safe, very safe, or 7920-enabled) of the signal strength threshold for voice.
• Aggressive = Minimum [–78 dBm (802.11a/b/g)]
• Safe = Medium [–75 dBm (802.11a/b/g)]
• Very Safe = Maximum [–72 dBm (802.11a/b/g)]
• 7920_enabled = [–72 dBm (802.11a); –67 dBm (802.11b/g)]
Service Option: Location
Description: Select this check box to ensure that the recommended access point calculation provides the true location of an element within 10 meters at least 90% of the time.
To meet the criteria, access points are collocated within 70 feet of each other in a hexagonal pattern employing staggered and perimeter placement.
Note: Each service option includes all services that are listed above it. For example, if you select the Location check box, the calculation considers data/coverage, voice, and location in determining the optimum number of access points required.
Table 6-15 Definition of Advanced Services
Service Option: Data/Coverage
Description: Select this check box if data traffic is transmitted on the wireless LAN. The following densities are used depending on the band and data rates:
Band        Path Loss Model (dBm)    Data Rate (Mb/s)    Area (Sq. ft.)
802.11a     –3.3                     10-12               6000
802.11a     –3.3                     15-18               4500
802.11a     –3.5                     10-12               5000
802.11a     –3.5                     15-18               3250
802.11bg    –3.3                     5                   6500
802.11bg    –3.3                     6                   4500
802.11bg    –3.5                     5                   5500
802.11bg    –3.5                     6                   3500
If you select the Advanced Options check box, you can select the desired safety margin (aggressive, safe, or very safe) of the signal strength threshold for data.
• Aggressive = Minimum (–3 dBm)
• Safe = Medium (0 dBm)
• Very Safe = Maximum (+3 dBm)
Service Option: Voice
Description: Select the Voice check box if voice traffic is transmitted on the wireless LAN.
If you select the Advanced Options check box, you can select the desired safety margin (aggressive, safe, very safe, or 7920-enabled) of the signal strength threshold for voice.
• Aggressive = Minimum [–78 dBm (802.11a/b/g)]
• Safe = Medium [–75 dBm (802.11a/b/g)]
• Very Safe = Maximum [–72 dBm (802.11a/b/g)]
• 7920_enabled = [–72 dBm (802.11a); –67 dBm (802.11b/g)]
Service Option: Location
Description: Select this check box to ensure that the recommended access point calculation provides the true location of an element within 10 meters at least 90% of the time.
To meet the criteria, access points are collocated within 70 feet of each other in a hexagonal pattern employing staggered and perimeter placement.
Note: Each service option includes all services that are listed above it. For example, if you select the Location check box, the calculation considers data/coverage, voice, and location in determining the optimum number of access points required.
Service Option: Demand
Description: Select this check box if you want to use the total number of users or user ratio per access point as a basis for the access point calculation.
Service Option: Override Coverage per AP
Description: Select this check box if you want to specify square foot coverage as the basis for access point coverage.
Service Option: Safety Margin
Description: Select this check box to qualify relative signal strength requirements for data and voice service in the access point calculation. Options are: Aggressive, Safe, Very Safe, and 7920-enabled (voice only). Select Aggressive to require minimal signal strength requirements in the calculation and Very Safe to request the highest signal strength.
Step 10 Click Calculate. The recommended number of access points given the selected services appears.
Note: Recommended calculations assume the need for consistently strong signals unless adjusted downward by the safety margin advanced option. In some cases, the recommended number of access points is higher than what is required.
Note: Walls are not used or accounted for in planning mode calculations.
Step 11 Click Apply to generate a map that shows proposed deployment of the recommended access points in the selected area based on the selected services and parameters.
Step 12 Choose Generate Proposal to display a textual and graphical report of the recommended access point number and deployment based on the given input.
Refresh Options
To prepare for monitoring your wireless LANs, become familiar with the various refresh options for a
map.
• Load—The Load option in the left sidebar menu refreshes map data from the Prime Infrastructure database on demand.
• Auto Refresh—The Auto Refresh option provides an interval drop-down list to set how often to refresh the map data from the database.
• Refresh from network—By clicking the Refresh from network icon to the right of the Auto Refresh drop-down list, you can refresh the map status and statistics directly from the controller through an SNMP fetch rather than from polled data in the Prime Infrastructure database, which is five to fifteen minutes older.
Note: If you have monitor mode access points on the floor plan, you have a choice between IDS or coverage heatmap types. A coverage heatmap excludes monitor mode access points, and an IDS heatmap includes them.
• Refresh browser—Above the map, next to the Logout and Print option, is another refresh option. Clicking this refreshes the complete page, or the map and its status and statistics if you are on a map page.
Creating a Network Design
After access points have been installed and have joined a controller, and the Prime Infrastructure has been configured to manage the controllers, set up a network design. A network design is a representation within the Prime Infrastructure of the physical placement of access points throughout facilities. A hierarchy of a single campus, the buildings that comprise that campus, and the floors of each building constitute a single network design. These steps assume that the location appliance is set to poll the controllers in that network and is configured to synchronize with that specific network design, so that it can track devices in that environment. The concept and steps to perform synchronization between the Prime Infrastructure and the mobility services engine are explained in the Cisco 3350 Mobility Services Engine Configuration Guide.
Designing a Network
To design a network, follow these steps:
Step 1 Open the Prime Infrastructure web interface and log in.
Note: To create or edit a network design, you must log in to the Prime Infrastructure and have SuperUser, Admin, or ConfigManager access privileges.
Step 2 Choose Monitor > Site Maps.
Step 3 From the drop-down list on the right-hand side, choose either New Campus or New Building, depending on the size of the network design and the organization of maps. If you chose New Campus, continue to Step 4. To create a building without a campus, skip to Step 14.
Step 4 Click Go.
Step 5 Enter a name for the campus network design, a contact name, and the file path to the campus image file. Files in .bmp and .jpg format can be imported.
Note: You can use the Browse... button to navigate to the location.
Step 6 Click Next.
Step 7 Select the Maintain Aspect Ratio check box. Enabling this check box causes the horizontal span of the campus to be 5000 feet and adjusts the vertical span according to the aspect ratio of the image file. Adjusting either the horizontal or vertical span changes the other field in accordance with the image ratio.
Unselect the Maintain Aspect Ratio check box if you want to override this automatic adjustment. You can then adjust both span values to match the real-world campus dimensions.
Step 8 Click OK.
Step 9 In the Monitor > Site Maps page, click the hyperlink associated with the campus map that you just created. A page showing the new campus image is displayed.
Step 10 From the Select a command menu on the upper right of the page, choose New Building, and click Go.
Step 11 Enter the name of the building, the contact person, the number of floors and basements in the building, and the dimensions. Click OK.
Step 12 Indicate which building on the campus map is the correct building by clicking the blue box in the upper left of the campus image and dragging it to the intended location. To resize the blue box, hold down the Ctrl key and click and drag to adjust its horizontal size. You can also enter dimensions of the building by entering numerical values in the Horizontal Span and Vertical Span fields and clicking Place. After resizing, reposition the blue box if necessary by clicking it and dragging it to the desired location. Click Save.
Step 13 Prime Infrastructure then returns to the campus image with the newly created building highlighted in a green box. Click the green box.
Step 14 To create a building without a campus, choose New Building and click Go.
Step 15 Enter the name, contact information, number of floors and basements, and dimension information of the building. Click Save. Prime Infrastructure returns to the Monitor > Site Maps page.
Step 16 Click the hyperlink associated with the newly created building.
Step 17 In the Monitor > Site Maps > Campus Name > Building Name page, choose New Floor Area from the drop-down list. Click Go.
Step 18 Enter a name for the floor, a contact, a floor number, the floor type, the height at which the access points are installed, and the path of the floor image. Click Next.
Note: The Floor Type (RF Model) field specifies the type of environment on that specific floor. This RF Model indicates the amount of RF signal attenuation likely to be present on that floor. If the available models do not properly characterize a floor's makeup, details on how to create RF models specific to a floor's attenuation characteristics are available in the Cisco 3350 Mobility Services Engine Configuration Guide.
Step 19 If the floor area is a different dimension than the building, adjust floor dimensions by either making numerical changes to the text fields under the Dimensions heading or by holding the Ctrl key and clicking and dragging the blue box around the floor image. If the floor's location is offset from the upper left corner of the building, change the placement of the floor within the building by either clicking and dragging the blue box to the desired location or by altering the numerical values under the Coordinates of top left corner heading. After making changes to any numerical values, click Place.
Step 20 Adjust the characteristics of the floor with Prime Infrastructure map editor by selecting the check box next to Launch Map Editor. For an explanation of the map editor feature, see the “Using the Map Editor” section on page 6-203.
Step 21 At the image of the new floor (Monitor > Site Maps > CampusName > BuildingName > FloorName), go to the drop-down list on the upper right and choose Add Access Points. Click Go.
Step 22 All access points that are connected to controllers are displayed. Even controllers that Prime Infrastructure is configured to manage but which have not yet been added to another floor map are displayed. Select the access points to be placed on the specific floor map by checking the boxes to the left of the access point entries. Select the box to the left of the Name column to select all access points. Click OK.
Step 23 Each access point you have chosen to add to the floor map is represented by a gray circle (differentiated by access point name or MAC address) and is lined up in the upper left part of the floor map. Drag each access point to the appropriate location. (Access points turn blue when you click them to relocate them.) The small black arrow at the side of each access point represents Side A of each access point, and each arrow of the access point must correspond with the direction in which the access points were installed. (Side A is clearly noted on each 1000 series access point and has no relevance to the 802.11a/n radio.)
Step 24 To adjust the directional arrow, choose the appropriate orientation on the Antenna Angle drop-down list. Click Save when you are finished placing and adjusting each direction of the access point.
Note: Access point placement and direction must directly reflect the actual access point deployment or the system cannot pinpoint the device location.
Step 25 Repeat these steps to create campuses, buildings, and floors until each device location is properly detailed in a network design.
Importing or Exporting WLSE Map Data
When you convert an access point from autonomous to CAPWAP and from the WLSE to Prime
Infrastructure, one of the conversion steps is to manually re-enter the access point information into the
Prime Infrastructure. This can be a time-consuming step. To speed up the process, you can export the
information about access points from the WLSE and import it into the Prime Infrastructure.
Note: Prime Infrastructure expects a .tar file and checks for a .tar extension before importing the file. If the file you are trying to import is not a .tar file, the Prime Infrastructure displays an error message and prompts you to import a different file.
To map properties and import a tar file containing WLSE data using the Prime Infrastructure web interface, follow these steps. For more information on the WLSE data export functionality (WLSE version 2.15), see http://<WLSE_IP_ADDRESS>:1741/debug/export/exportSite.jsp.
Step 1 Choose Monitor > Site Maps.
Step 2 Choose Properties from the Select a command drop-down list, and click Go.
Step 3 In the Export/Import AP/LS/SP Placement, click Browse to select the file to import.
Step 4 Find and select the .tar file to import and click Open. Prime Infrastructure displays the name of the file in the Import From field.
Step 5 Click Import. Prime Infrastructure uploads the file and temporarily saves it into a local directory while it is being processed. If the file contains data that cannot be processed, the Prime Infrastructure prompts you to correct the problem and retry. After the file has been loaded, the Prime Infrastructure displays a report of what is added to the Prime Infrastructure. The report also specifies what cannot be added and why.
If some of the data to be imported already exists, the Prime Infrastructure either uses the existing data in the case of campuses or overwrites the existing data using the imported data in the cases of buildings and floors.
If there are duplicate names between a WLSE site and building combination and a Prime Infrastructure campus (or top-level building) and building combination, the Prime Infrastructure displays a message in the Pre Execute Import Report indicating that it will delete the existing building.
Step 6 Click Import to import the WLSE data. Prime Infrastructure displays a report indicating what was imported.
Note: Because a WLSE file has no floor number information, the structure of the floor index calculation after WLSE is imported into the Prime Infrastructure is in descending order. You can click the floor image to go directly to the appropriate floor page.
Step 7 Choose Monitor > Site Maps to verify the imported data.
Monitoring Device Details
Access Point Details
Hover your mouse cursor over an access point icon to view access point details. Click the appropriate
tab to view access point and radio information.
Note: Monitor mode access points are shown with gray labels to distinguish them from other access points.
The AP Info tab includes the following access point information:
• MAC address
• Access point model
• Controller
• Location
• Access point height
• Access point uptime
• LWAPP uptime
Note: From the AP Info tab, you can run a ping test by clicking the Run Ping Test link.
The 802.11 tabs include the following radio information:
• Channel number
• Extension channel
• Channel width
• Transmit power level
• Client count
Note: The number of clients associated to access points might not match the total number of clients.
• Receiving and transmitting utilization percentages
• Channel utilization percentage
Note: Total utilization = (Rx + Tx + Channel utilization) scaled to 100%.
• Antenna name and angle
• Elevation angle
Note: From either of the 802.11 tabs, you can view Rx neighbors and radio details for this access point by clicking the appropriate link (View Rx Neighbors or View Radio Details).
• Dot11n Enabled
• CleanAir Status—Displays the CleanAir status of the access point, whether or not CleanAir is enabled on the access point.
• Average Air Quality—Displays the average air quality on this access point.
• Minimum Air Quality—Displays the minimum air quality on this access point.
Client Details
Hover your mouse cursor over a client icon to view client details.
Client details information includes the following:
• Username
• IP address
• Asset name, group, and category
• Status
• Auth
• SSID
• Access point name
• Protocol
• Port number
• Last location
Tag Details
Hover your mouse cursor over a tag icon to view tag details.
Tag details include the following:
• Asset name, group, and category
• Type
• Battery life
• Last located
Rogue Access Point Details
Hover your mouse cursor over an access point icon to view rogue access point details.
Rogue access point details include the following:
• Classification type—Friendly, malicious, or unknown.
• State
• Detecting access points
• Type
• Rogue clients
• First seen
• Last seen
• On network
• Last located
Rogue Adhoc Details
Hover your mouse cursor over an access point icon to view rogue ad hoc details.
Rogue Client Details
Hover your mouse cursor over an access point icon to view rogue client details.
Rogue client details include the following:
• State
• Associated rogue access point
• Detecting access points
• First seen
• Last seen
• Last located
Interferer Details
Hover your mouse cursor over an interferer icon to view its details. Interferer details include the following:
• Interferer Name—The name of the interfering device.
• Affected Channels—The channel the interfering device is affecting.
• Detected Time—The time at which the interference was detected.
• Severity—The severity index of the interfering device.
• Duty Cycle—The duty cycle (in percentage) of the interfering device.
• RSSI (dBm)—The Received Signal Strength Indicator of the interfering device.
Floor View Navigation
The main Floor View navigation pane provides access to multiple map functions.
This navigation pane includes the following functionality:
• Zoom In/Zoom Out—Click the magnifying glass icon with the plus sign (+) to enlarge the map view. Click the magnifying glass icon with the minus sign (-) to decrease the size of the map view.
• Map Size—See the “Panning and Zooming with Next Generation Maps” section on page 6-175.
• Show Grid—Click to show or hide the grid that displays distance in feet on the map.
• RSSI Legend—Hover your mouse cursor over the RSSI Legend icon to display the RSSI color scheme (ranging from red/-35 dBm to dark blue/-90 dBm).
• Add Access Points—Click to open the Add Access Points page. For more information, see the “Adding Access Points to a Floor Area” section on page 6-176.
• Remove Access Points—Click to open the Remove Access Points page. Select the access points that you want to remove and click OK.
• Position Access Points—Click to open the Position Access Points page.
• Add Chokepoints—Click to open the Add Chokepoints page. For more information, see the Cisco Context-Aware Services Configuration Guide.
• Add WiFi TDOA Receivers—Click to open the Add Wi-Fi TDOA Receivers page. For more information, see the Cisco Context-Aware Services Configuration Guide.
• Auto Refresh—From the drop-down list, choose the length of time between each system refresh.
• Refresh from Network—Click to initiate an immediate refresh of the current data.
• Planning Mode—Click to open the Planning Mode window. For more information, see the “Using Planning Mode” section on page 6-217.
• Map Editor—Click to open the Map Editor.
• Full Screen—Click to increase the size of the map to full screen. Once there, click Exit Full Screen to return to the normal view.
Understanding RF Heatmap Calculation
A radio frequency heat map is a graphical representation of the strength of the RF signals. Because
WLANs are very dynamic and nondeterministic in nature, administrators can never be certain of the
coverage at a particular moment. To help combat this challenge, the Prime Infrastructure provides a map
of your floor plan along with visual cues as to the Wi-Fi coverage of the floor. These maps are called
heatmaps because they are similar to the colored maps used to show varying levels of heat in
oceanography or geographical sciences. Color is used to show the various levels of signal strength. The
different shades in the "heatmap" reflect differing signal strengths.
This color visualization is extremely useful. At one glance, you can see the current state of coverage
(without having to walk around measuring it), the signal strength, and any gaps or "holes" in the WLAN.
Because floor plans and heat maps are very intuitive, this system greatly enhances the speed and ease
with which you support your organization and troubleshoot specific problems.
The RF heatmap calculation is based on an internal grid. Depending on the exact positioning of an
obstacle in that grid, the RF heatmap, within a few feet or meters of the obstacle, might or might not
account for the obstacle attenuation.
In detail, grid squares partially affected by an obstacle crossing the grid square might or might not
incorporate the obstacle attenuation according to the geometry of the access point, obstacle, and grid.
For example, consider a wall crossing one grid square. The midpoint of the grid square is behind the wall
from the AP, so the whole grid square is colored with attenuation, including (unfortunately) the top left
corner that is actually in front of the wall.
In a second example, the midpoint of the grid square is on the same side of the wall as the AP, so the whole grid square is not colored with attenuation, including (unfortunately) the bottom right corner that is actually behind the wall from the AP.
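The midpoint rule described above can be modelled in a few lines. This is an added example, not Prime Infrastructure code: it assumes a 10-foot grid, a single straight wall, and constructed AP and wall coordinates, and it reports the grid squares whose single midpoint decision is wrong for some of their corners.

```python
"""Model of the midpoint rule for obstacle attenuation on a heatmap grid.

Added example, not Prime Infrastructure code. Grid size, AP position and wall
coordinates are constructed; y grows downward so (0, 0) is the top left corner.
"""


def _side(a, b, c):
    """Return +1, -1 or 0: which side of the line a->b the point c lies on."""
    cross = (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])
    return (cross > 0) - (cross < 0)


def behind_wall(ap, point, wall):
    """True if the straight path from the AP to the point crosses the wall segment."""
    w1, w2 = wall
    return (_side(ap, point, w1) * _side(ap, point, w2) < 0
            and _side(w1, w2, ap) * _side(w1, w2, point) < 0)


def midpoint_rule_errors(ap, wall, cell=10.0, cols=3, rows=3):
    """Apply the midpoint rule to every grid square and report the mismatches.

    A square is shaded as attenuated when its midpoint is behind the wall.
    Returns {(col, row): label} for squares where that one decision is wrong
    for part of the square:
      "over-attenuated"  - shaded, but some corners are in front of the wall
      "under-attenuated" - not shaded, but some corners are behind the wall
    """
    errors = {}
    for row in range(rows):
        for col in range(cols):
            x0, y0 = col * cell, row * cell
            mid = (x0 + cell / 2, y0 + cell / 2)
            corners = [(x0, y0), (x0 + cell, y0),
                       (x0, y0 + cell), (x0 + cell, y0 + cell)]
            shaded = behind_wall(ap, mid, wall)
            hidden = sum(behind_wall(ap, c, wall) for c in corners)
            if shaded and hidden < len(corners):
                errors[(col, row)] = "over-attenuated"
            elif not shaded and hidden > 0:
                errors[(col, row)] = "under-attenuated"
    return errors


# Constructed scenario: AP in the left column of a 30 ft x 30 ft floor.
AP = (5.0, 15.0)
# Wall just left of the middle column's midpoints (x = 15): midpoints are behind it.
WALL_BEFORE_MIDPOINT = ((14.0, 0.0), (14.0, 30.0))
# Wall just right of those midpoints: midpoints stay on the AP's side.
WALL_AFTER_MIDPOINT = ((16.0, 0.0), (16.0, 30.0))

if __name__ == "__main__":
    for name, wall in (("wall at x=14", WALL_BEFORE_MIDPOINT),
                       ("wall at x=16", WALL_AFTER_MIDPOINT)):
        for square, label in sorted(midpoint_rule_errors(AP, wall).items()):
            print(f"{name}: square {square} is {label}")
```

Moving the wall by two feet flips every square in the middle column from one error to the other, which is why readings within a grid square of an obstacle should not be trusted for coverage or location decisions.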
Dynamic Heatmap Calculation
The RF heatmap calculation can be static or dynamic. By default it is dynamic. To configure it to be static, disable the dynamic heatmap option in the map properties page. The Prime Infrastructure server maintains a current list of the RSSI strength for all APs. The neighbor AP RSSI strength is used to modify the RF heatmaps for all APs. The main purpose of the dynamic heatmap feature is to recompute the RF heatmaps to account for obstacles.
Monitoring Google Earth Maps
Within Monitor > Google Earth Maps, you can create an outdoor location, import a file, view Google
Earth maps, and specify Google Earth settings.
This section contains the following topics:
• Creating an Outdoor Location Using Google Earth
• Importing a File into Prime Infrastructure
• Viewing Google Earth Maps
• Adding Google Earth Location Launch Points to Access Point Pages
• Google Earth Settings
Creating an Outdoor Location Using Google Earth
To group the access points together into outdoor locations, use the Latitude/Longitude geographical
coordinates for each access point. These coordinates are provided in two ways:
• Importing a KML (Google Keyhole Markup Language) File
• Importing a CSV File (Spreadsheet format with comma-separated values)
This section contains the following topics:
• Understanding Geographical Coordinates for Google Earth
• Creating and Importing Coordinates in Google Earth (KML File)
• Creating and Importing Coordinates as a CSV File
Understanding Geographical Coordinates for Google Earth
The following geographical information is required for each access point:
Note: If you add an AP to a Google Earth map without having the AP associated on a standard map, you do not see any heatmap when you view the AP in Google Earth.
• Longitude (East or West)—Angular distance in degrees relative to the Prime Meridian. Values west of the Meridian range from –180 to 0 degrees. Values east of the Meridian range from 0 to 180 degrees. The default is 0.
Coordinates in degrees, minutes, seconds, direction:
– Degrees (–180 to 180)
– Minutes (0 to 59)
– Seconds (00.00 to 59.99)
– Direction—East or West (E, W)
Decimal format (converted from degrees, minutes, and seconds):
– Longitude can range from –179.59.59.99 W to 179.59.59.99 E
• Latitude (North or South)—Angular distance in degrees relative to the Equator. Values south of the Equator range from –90 to 0 degrees. Values north of the Equator range from 0 to 90 degrees. The default is 0.
Coordinates in degrees, minutes, seconds, direction:
– Degrees (–90 to 90)
– Minutes (0 to 59)
– Seconds (00.00 to 59.99)
– Direction—North or South (N, S)
Decimal format (converted from degrees, minutes, and seconds):
– Latitude can range from –89.59.59.99 S to 89.59.59.99 N
• Altitude—Height or distance of the access point from the surface of the earth in meters. If not provided, the value defaults to 0. Values range from 0 to 99999.
• Tilt—Values range from 0 to 90 degrees (cannot be negative). A tilt value of 0 degrees indicates viewing from directly above the access point. A tilt value of 90 degrees indicates viewing along the horizon. The default azimuth angle is 0.
• Range—Distance in meters from the point specified by longitude and latitude to the point where the access point is being viewed (the Look At position) (camera range above sea level). Values range from 0 to 999999.
• Heading—Compass direction in degrees. The default is 0 (North). Values range from 0 to ±180 degrees.
• Altitude Mode—Indicates how the <altitude> specified for the Look At point is interpreted.
– Clamped to ground—Ignores the <altitude> specification and places the Look At position on the ground. This is the default.
– Relative to ground—Interprets the <altitude> as a value in meters above the ground.
– Absolute—Interprets the <altitude> as a value in meters above sea level.
• Extend to ground—Indicates whether or not the access point is attached to a mast.
Cisco Prime Infrastructure Classic View Configuration Guide for Wireless Devices
OL-27653-02
6-231
Chapter 6
Monitoring Maps
Monitoring Google Earth Maps
Creating and Importing Coordinates in Google Earth (KML File)
The geographical coordinates can be created in Google Earth and imported. Either a folder or individual
placemarks can be created. Creating a folder helps group all the Placemarks into a single folder and
allows you to save the folder as a single KML (a.k.a. XML) file. If individual Placemarks are created,
each Placemark must be individually saved.
Follow these steps to create a folder in Google Earth:
Step 1
Launch Google Earth.
Step 2
In the Places page on the left sidebar menu, choose My Places or Temporary Places.
Step 3
Right-click Temporary Places and select Add > Folder from the drop-down lists.
Note
By using a KML file, folders can be created hierarchically to any depth. For example, you can
create folders and placemarks organized by country, city, state, zip.
This is not applicable for CSV. In CSV there can be only one level of hierarchy.
Step 4
Enter the following information (optional):
• Name—Folder name
• Description—Folder description
• View—Includes latitude, longitude, range, heading, and tilt
Note
If the View coordinates (latitude, longitude, range, heading, and tilt) are specified, this
information is used to “fly” or advance to the correct location when Google Earth is first
loaded.
If no coordinates are specified, the latitude and longitude information is derived using the
minimum and maximum latitude and longitude of all access points within this group or
folder.
Step 5
Click OK to save the folder. After the folder is created, it can be selected from the Places page to create
Placemarks.
To create Placemarks, follow these steps:
Step 1
Launch Google Earth.
Step 2
In the Places page on the left sidebar, select My Places or Temporary Places.
Step 3
Select the folder that you previously created.
Step 4
Right-click your created folder and select Add > Placemark from the drop-down lists.
Step 5
Configure the following parameters, if applicable:
• Name—The Placemark name must contain the name, MAC address, or IP address of the appropriate
  access point.
Note
The MAC address refers to the base radio MAC, not the Ethernet MAC.
• Latitude—Provides the current coordinate for the folder if the placemark is created inside the folder
  or the coordinate for the placemark (if not created inside a folder). This field is automatically filled
  depending on where the yellow Placemark icon is located on the map. Use your mouse to move the
  Placemark to the correct location or enter the correct coordinate in the Latitude text box.
• Longitude—Provides the current coordinate for the folder if the placemark is created inside the
  folder or the coordinate for the placemark (if not created inside a folder). This field is automatically
  filled depending on where the yellow Placemark icon is located on the map. Use your mouse to move
  the Placemark to the correct location or enter the correct coordinate in the Longitude text box.
• Description (optional)—Field is ignored by the Prime Infrastructure.
• Style, Color (optional)—Field is ignored by the Prime Infrastructure.
• View—Allows you to configure the Latitude, Longitude, Range, Heading and Tilt coordinates. See
  the “Understanding Geographical Coordinates for Google Earth” section on page 6-230 for more
  information on these geographical coordinates.
  – Longitude and latitude are automatically filled depending on where the yellow Placemark icon
    is located on the map. Use your mouse to click and move the Placemark to the correct location.
  – All of the coordinates can be entered manually.
• Altitude—Enter the altitude in meters in the text box or use the Ground to Space slide bar to indicate
  the altitude.
  – Clamped to ground—Indicates that the Look At position is on the ground. This is the default.
  – Relative to ground—Interprets the <altitude> as a value in meters above the ground.
  – Absolute—Interprets the <altitude> as a value in meters above sea level.
  – Extend to ground—For Relative to ground or Absolute settings, indicates whether or not the
    access point is attached to a mast.
Step 6
When all coordinates are entered, click Snapshot current view or click Reset to return the coordinates
to the original settings.
Note
For more information regarding Google Earth, see the Google Earth online help.
Step 7
Click OK.
Step 8
Repeat these steps for all placemarks you want to add.
Step 9
When all placemarks are created, save the folder as a .kmz file (KML Zip file) or as a .kml file.
Note
A .kmz file should contain only one .kml file.
Note
To save the folder, right-click the folder, select Save as from the drop-down list, navigate to the
correct location on your computer, and click Save. Both .kmz and .kml files can be imported into
the Prime Infrastructure.
Creating and Importing Coordinates as a CSV File
To create a CSV file to import into the Prime Infrastructure, follow these steps:
Step 1
Open a flat file and provide the necessary information as a comma-separated list. Table 6-16 lists
the potential data, whether the data is optional or required, and the parameters of the data.
Note
For more information regarding the geographical coordinates listed in Table 6-16, see the
“Understanding Geographical Coordinates for Google Earth” section on page 6-230.

Table 6-16    Potential Fields for the CSV File

Field                 Optional or Required    Parameters
"FolderName"          "Value Optional"        Max Length: 32
"FolderState"         "Value Optional"        Permitted Values: true/false
"FolderLongitude"     "Value Optional"        Range: 0 to ±180
"FolderLatitude"      "Value Optional"        Range: 0 to ±90
"FolderAltitude"      "Value Optional"        Range: 0 to 99999
"FolderRange"         "Value Optional"        Range: 0 to 99999
"FolderTilt"          "Value Optional"        Range: 0 to 90
"FolderHeading"       "Value Optional"        Range: 0 to ±180
"FolderGeoAddress"    "Value Optional"        Max Length: 128
"FolderGeoCity"       "Value Optional"        Max Length: 64
"FolderGeoState"      "Value Optional"        Max Length: 40
"FolderGeoZip"        "Value Optional"        Max Length: 12
"FolderGeoCountry"    "Value Optional"        Max Length: 64
"AP_Name"             "Value Required"        Max Length: 32
"AP_Longitude"        "Value Required"        Range: 0 to ±180
"AP_Latitude"         "Value Required"        Range: 0 to ±90

Step 2
Save the .csv file. The file is now ready to import into the Prime Infrastructure.
Importing a File into Prime Infrastructure
To import a Google KML or a CSV into the Google Earth Maps feature of the Prime Infrastructure,
follow these steps:
Step 1
Log in to the Prime Infrastructure.
Step 2
Choose Monitor > Google Earth Maps.
Step 3
From the Select a command drop-down list, choose Import Google KML or Import CSV.
Step 4
Click Go.
Step 5
Use the Browse button to navigate to the .kml, .kmz, or .csv file on your computer.
Step 6
When the file name path is displayed in the text box, click Next.
The input file is parsed and validated for the following:
• Access points specified in the uploaded file are validated (the specified access points must be
  available within the Prime Infrastructure).
• Range validations are performed for tilt, heading, range, and other geographical coordinates fields. If
  longitude and latitude are provided, range validations are performed; if not, the value is defaulted to
  0.
Note
In KML, the longitude and latitude ranges can only be entered in decimal format. In CSV,
different formats are supported (see the CSV sample under Google Maps > Import CSV).
Note
If the input file does not validate for completeness, an error page appears. The uploaded
information cannot be saved until all errors are corrected.
Step 7
After the files pass all validation checks, review the file details and click Save.
If the uploaded information was saved previously, the information is overwritten accordingly:
• If the folder was uploaded previously, the coordinates are updated for the folder.
• If access points were uploaded previously, the coordinates are updated for the access points.
• Existing access points in the folder are not removed.
• New folders, as needed, are created and access points are placed accordingly.
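The following pre-import check is an added example, not code from Cisco or from this guide. It applies the Table 6-16 constraints and the access point check described above to a CSV file before upload. It assumes a header row that names the Table 6-16 fields, decimal-degree coordinates only, and a hypothetical `known_aps` inventory set supplied by the operator.

```python
import csv
import io
import re

# Constraints copied from Table 6-16: name -> (required, kind, limit).
FIELDS = {
    "FolderName":       (False, "len", 32),
    "FolderState":      (False, "bool", None),
    "FolderLongitude":  (False, "range", (-180.0, 180.0)),
    "FolderLatitude":   (False, "range", (-90.0, 90.0)),
    "FolderAltitude":   (False, "range", (0.0, 99999.0)),
    "FolderRange":      (False, "range", (0.0, 99999.0)),
    "FolderTilt":       (False, "range", (0.0, 90.0)),
    "FolderHeading":    (False, "range", (-180.0, 180.0)),
    "FolderGeoAddress": (False, "len", 128),
    "FolderGeoCity":    (False, "len", 64),
    "FolderGeoState":   (False, "len", 40),
    "FolderGeoZip":     (False, "len", 12),
    "FolderGeoCountry": (False, "len", 64),
    "AP_Name":          (True, "len", 32),
    "AP_Longitude":     (True, "range", (-180.0, 180.0)),
    "AP_Latitude":      (True, "range", (-90.0, 90.0)),
}

# Plain ASCII decimal only: rejects "nan", "inf", "1e3", "1_000" and
# non-ASCII digits, all of which float() alone would accept.
DECIMAL = re.compile(r"[+-]?[0-9]+(\.[0-9]+)?")


def check_value(name, raw):
    """Return an error message for one cell, or None if it is acceptable."""
    required, kind, limit = FIELDS[name]
    value = (raw or "").strip()
    if not value:
        return f"{name}: required value is missing" if required else None
    if kind == "len":
        if len(value) > limit:
            return f"{name}: {len(value)} characters, maximum is {limit}"
        return None
    if kind == "bool":
        # Assumption: only the exact spellings listed in the table pass.
        if value not in ("true", "false"):
            return f"{name}: {value!r} is not true or false"
        return None
    if not DECIMAL.fullmatch(value):
        return f"{name}: {value!r} is not a decimal number"
    low, high = limit
    if not low <= float(value) <= high:
        return f"{name}: {value} is outside {low:g} to {high:g}"
    return None


def validate_csv(text, known_aps=None):
    """Return a list of (line_number, message) for every problem found.

    known_aps is an optional set of access point names already present in
    the inventory (hypothetical input supplied by the operator).
    """
    reader = csv.DictReader(io.StringIO(text, newline=""))
    header = reader.fieldnames or []
    errors = [(1, f"unknown column {name!r}")
              for name in header if name not in FIELDS]
    errors += [(1, f"required column {name} is missing")
               for name, spec in FIELDS.items()
               if spec[0] and name not in header]
    present = [name for name in header if name in FIELDS]
    for row in reader:
        line = reader.line_num
        if None in row:  # DictReader files surplus cells under the key None
            errors.append((line, "more values than header columns"))
        for name in present:
            message = check_value(name, row.get(name))
            if message:
                errors.append((line, message))
        ap_name = (row.get("AP_Name") or "").strip()
        if known_aps is not None and ap_name and ap_name not in known_aps:
            errors.append((line, f"AP_Name: {ap_name!r} is not in the inventory"))
    return errors


# Constructed sample: the first data row is valid, the other two are not.
SAMPLE = """\
FolderName,FolderState,FolderLongitude,FolderLatitude,FolderTilt,AP_Name,AP_Longitude,AP_Latitude
Campus-East,true,-121.95,37.41,45,ap-lobby-01,-121.9512,37.4103
Campus-East,yes,-121.95,37.41,95,ap-roof-02,-181.2,37.4110
Campus-East,true,-121.95,37.41,45,,nan,91
"""

if __name__ == "__main__":
    for line, message in validate_csv(SAMPLE, known_aps={"ap-lobby-01"}):
        print(f"line {line}: {message}")
```

An empty result means the file meets the table's constraints under these assumptions; the server's own validation on import remains the authority.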
Viewing Google Earth Maps
To view Google Earth maps, follow these steps:
Step 1
Log in to the Prime Infrastructure.
Step 2
Choose Monitor > Google Earth Maps. The Google Earth Maps page displays all folders and the
number of access points included within each folder.
Step 3
Click Launch for the map you want to view. Google Earth opens in a separate page and displays the
location and its access points.
Note
To use this feature, you must have Google Earth installed on your computer and configured to
auto-launch when data is sent from the server. You can download Google Earth from the Google
website: http://www.google.com/earth/index.html.
Viewing Google Earth Map Details
To view details for a Google Earth Map folder, follow these steps:
Step 1
In the Google Earth Map page, click the folder name to open the details page for this folder. The Google
Earth Details provide the access point names and MAC or IP addresses.
Note
To delete an access point, select the applicable check box and click Delete.
To delete the entire folder, select the check box next to Folder Name and click Delete. Deleting
a folder also deletes all subfolders and access points inside the folder.
Step 2
Click Cancel to close the details page.
Adding Google Earth Location Launch Points to Access Point Pages
You can expand the number of Google Earth Location launch points within the Prime Infrastructure by
adding it to the Access Point summary and detail pages.
To add a Google Earth Location launch point to the Access Point summary and details page, follow these
steps:
Step 1
Choose Monitor > Access Points.
Step 2
In the Access Point summary page, click the Edit View link next to page heading.
Step 3
In the Edit View page, highlight Google Earth Location in the left-hand column. Click Show.
The Google Earth Location column heading moves into the View Information column.
Note
The View Information listings, top-to-bottom, reflect the left-to-right order of the columns as they
appear on the Access Point summary page.
Step 4
To change the display order of the columns, highlight the Google Earth Location entry and click the Up
and Down buttons as needed. Click Submit.
You are returned to the Access Points summary page, and a Google Earth launch link is in the display.
Note
The launch link also appears in the general summary page of the Access Points details page
(Monitor > Access Points > AP Name).
Google Earth Settings
Access point related settings can be defined from the Google Earth Settings page. To configure access
point settings for the Google Earth Maps feature, follow these steps:
Step 1
Choose Monitor > Google Earth Maps.
Step 2
Configure the following parameters:
• Refresh Settings—Select the Refresh from Network check box to enable this on-demand refresh.
  This option is applied only once and then disabled.
Caution
Because this refresh occurs directly from the network, it could take a long period of time to collect data
according to the number of access points.
• Layers—Layer filters for access points, access point heat maps, and access point mesh information
  can be selected and saved. Select the check box to activate the applicable layer and click > to open
  the filter page.
Note
These settings apply when Google Earth sends the request for the next refresh.
  – Access Points—From the AP Filter drop-down list, choose to display channels, Tx power level,
    coverage holes, MAC addresses, names, controller IP, utilization, profiles, or clients.
Note
If the access point layer is not checked, no data is returned, and an error message is
returned to Google Earth as a Placemark without an icon.
  – AP Heatmap—From the Protocol drop-down list, choose 802.11a/n, 802.11b/g/n, 802.11a/n &
    802.11b/g/n, or None. Select the cutoff from the RSSI Cutoff drop-down list (–60 to –90 dBm).
Note
If the protocol chosen is both 802.11a/n and 802.11b/g/n, the heat maps are generated
for both and overlaid on top of each other. The order cannot be defined. To prevent this
overlay, you must turn off individual overlay in Google Earth or change it in the Google
Earth Settings on the Prime Infrastructure.
  – AP Mesh Info—Choose Link SNR, Packet Error Rate, or none from the Link Label drop-down
    list. Choose Link SNR or Packet Error Rate from the Link Color drop-down list.
Note
When the AP Mesh Info check box is chosen, Mesh Links are also automatically shown.
Step 3
Click Save Settings to confirm these changes or Cancel to close the page without saving the changes.
CHAPTER 7
Managing User Accounts
The Cisco Prime Infrastructure Administration enables you to schedule tasks, administer accounts, and
configure local and external authentication and authorization. You can also set logging options, configure
mail servers, and manage data, including configuring the data retention periods. Information is also
available about the types of Prime Infrastructure licenses and how to install a license.
Organizations need an easy and cost-effective method to manage and control wireless network segments
using a single management platform. They need a solution that supports limiting an individual
administrator to manage or control the wireless LAN.
This chapter describes the administrative tasks to perform with the Prime Infrastructure. It contains the
following sections:
• Managing the Prime Infrastructure User Accounts
• Viewing the Audit Trail
• Managing the Prime Infrastructure Guest User Accounts
• Adding a New User
• Managing Lobby Ambassador Accounts
Managing the Prime Infrastructure User Accounts
This section describes how to configure global e-mail parameters and manage the Prime Infrastructure
user accounts. It contains the following topics:
• Configuring the Prime Infrastructure User Accounts
• Deleting the Prime Infrastructure User Accounts
• Changing Passwords
• Monitoring Active Sessions
• Viewing or Editing User Account Information
• Viewing or Editing Group Information
• Viewing the Audit Trail
• Creating Guest User Accounts
• Logging in to the Prime Infrastructure User Interface as a Lobby Ambassador
Configuring the Prime Infrastructure User Accounts
This section describes how to configure a Prime Infrastructure user. The accounting portion of the AAA
framework is not implemented at this time. Besides complete access, you can give administrative access
with differentiated privileges to certain user groups. Prime Infrastructure supports external user
authentication using these access restrictions and authenticates the users against the TACACS+ and
RADIUS servers.
The username and password supplied by you at install time are always authenticated, but the steps you
take here create additional superusers. If the password is lost or forgotten, you must run a utility to reset
the password to another user-defined password.
To configure a new user account to the Prime Infrastructure, follow these steps:
Step 1
Start the Prime Infrastructure server.
Step 2
Log into the Prime Infrastructure user interface as root.
Note
We recommend that you create a new superuser assigned to the SuperUsers group.
Step 3
Choose Administration > AAA. The Change Password page appears.
Step 4
In the Old Password text box, enter the current password that you want to change.
Step 5
Enter the username and password for the new Prime Infrastructure user account. You must enter the
password twice.
Note
These entries are case sensitive.
Step 6
Choose User Groups from the left sidebar menu. The All Groups page displays the following group
names.
Note
Some usergroups cannot be combined with other usergroups. For instance, you cannot choose
both lobby ambassador and monitor lite.
• System Monitoring—Allows users to monitor the Prime Infrastructure operations.
• ConfigManagers—Allows users to monitor and configure the Prime Infrastructure operations.
• Admin—Allows users to monitor and configure the Prime Infrastructure operations and perform all
  system administration tasks.
Note
If you choose admin account and log in as such on the controller, you can also see the guest
users under Local Net Admin.
• SuperUsers—Allows users to monitor and configure the Prime Infrastructure operations and
  perform all system administration tasks including administering Prime Infrastructure user accounts
  and passwords. Superusers tasks can be changed.
• Users Assistant—Allows only local net user administration. User assistants cannot configure or
  monitor controllers. They must access the Configure > Controller page to configure these local net
  features.
Note
If you create a user assistant user, log in as that user, and choose Monitor > Controller, you
receive a “permission denied” message, which is an expected behavior.
• Lobby Ambassador—Allows access for configuration and management of only Guest User
  accounts.
• Monitor lite—Allows monitoring of assets location.
• Root—Allows users to monitor and configure the Prime Infrastructure operations and perform all
  system administration tasks including changing any passwords. Only one user can be assigned to
  this group and is determined upon installation. It cannot be removed from the system, and no task
  changes can be made for this user.
Step 7
Click the name of the user group to which you assigned the new user account. The Group Detail > User
Group page shows a list of the permitted operations of this group.
From this page you can also show an audit trail of login and logout patterns or export a task list.
Step 8
Make any desired changes by selecting or unselecting the appropriate check boxes for task permissions
and members.
Note
Any changes you make affect all members of this user group.
Note
To view complete details in the Monitor > Client details page and to perform operations such as
Radio Measurement, users in User Defined groups need permission for Monitor Clients, View
Alerts & Events, Configure Controllers, and Client Location.
Step 9
Click Submit to save your changes or Cancel to leave the settings unchanged.
Deleting the Prime Infrastructure User Accounts
To delete a Prime Infrastructure user account, follow these steps:
Step 1
Start the Prime Infrastructure server.
Step 2
Log into the Prime Infrastructure user interface as a user assigned to the SuperUsers group.
Step 3
Choose Administration > AAA.
Step 4
Choose Users from the left sidebar menu to display the Users page.
Step 5
Select the check box to the left of the user account(s) to be deleted.
Step 6
From the Select a command drop-down list, choose Delete User(s), and click Go.
When prompted, click OK to confirm your decision. The user account is deleted and can no longer be
used.
Changing Passwords
To change the password for a Prime Infrastructure user account, follow these steps:
Step 1
Start the Prime Infrastructure server.
Step 2
Log into the Prime Infrastructure user interface as a user assigned to the SuperUsers group.
Step 3
Choose Administration > AAA to display the Change Password page.
Step 4
Enter your old password.
Step 5
Enter the new password in both the New Password and Confirm New Password text boxes.
Step 6
Click Save to save your changes. The password for this user account has been changed and can be used
immediately.
Changing the Root User Password using CLI
To change the password for a root user using the command-line interface, follow these steps:
Step 1
Log into the system as administrator.
Step 2
Using the command-line interface (CLI), enter the following commands:
VMNCS/admin# ncs password ?
ftpuser Modifies ftp username and password
root Modifies root user login password
VMNCS/admin# ncs password root ?
password Modifies root user login password
VMNCS/admin# ncs password root password ? <password>
<WORD> Type in root user login password (Max Size - 80)
Monitoring Active Sessions
To view a list of active users, follow these steps:
Step 1
Choose Administration > AAA.
Step 2
From the left sidebar menu, choose Active Sessions. The Active Sessions page appears.
The user highlighted in red represents your current login. If a column heading is a hyperlink, click the
heading to sort the list of active sessions in descending or ascending order along that column. The sort
direction is toggled each time the hyperlink is clicked.
The Active Sessions page has the following columns:
• Username—The logged in username.
• IP/Host Name—The IP address or the hostname of the machine on which the browser is running. If
  the hostname of the user machine is not in DNS, the IP address is displayed.
• Login Time—The time at which the user logged in to the Prime Infrastructure. All times are based
  on the Prime Infrastructure server machine time.
• Last Access Time—The time at which the user last accessed Prime Infrastructure. All times are
  based on the Prime Infrastructure server machine time.
Note
The time displayed in this column is usually a few seconds behind the current system time
because Last Access Time is updated frequently by the updates to the alarm status dashlet.
• Login Method:
  – Regular: Sessions created for users who log into the Prime Infrastructure directly through a
    browser.
• User Groups: The list of groups to which the user belongs.
• Audit trail icon: Link to page that displays the audit trail (previous login times) for that user.
Viewing or Editing User Account Information
To see the group the user is assigned to or to adjust a password or group assignment for that user, follow
these steps:
Step 1
Choose Administration > AAA.
Step 2
From the left sidebar menu, choose Users.
Step 3
Click a user in the User Name column. The User Detail : User Group page appears.
You can see which group is assigned to this user or change a password or group assignment.
Setting the Lobby Ambassador Defaults
If you choose a Lobby Ambassador from the User Name column, a Lobby Ambassador Defaults tab
appears. All of the guest user accounts created by the lobby ambassador have these credentials by
default. If the default values are not specified, the lobby ambassador must provide the required guest user
credential fields.
Note
If no default profile is chosen on this tab, the defaults do not get applied to this lobby
ambassador. The lobby ambassador account does get created, and you can create users with any
credentials you choose.
Step 1
Use the Profile drop-down list to choose the guest user to connect to.
Wired-guest is an example of a profile that might be defined to indicate traffic that is originating from
wired LAN ports. See the “Configuring Wired Guest Access” section on page 9-320.
Step 2
Choose a user role to manage the amount of bandwidth allocated to specific users within the network.
They are predefined by the administrator and are associated with the guests’ access (such as contractor,
customer, partner, vendor, visitor, and so on).
Step 3
Choose Limited or Unlimited at the Lifetime radio button.
• For the limited option, you choose the period of time that the guest user account is active using the
  hours and minutes drop-down lists. The default value for Limited is one day (8 hours).
• When unlimited is chosen, no expiration date for the guest account exists.
Step 4
Use the Apply to drop-down list to choose from the following options. What you choose determines what
additional parameters appear.
• Indoor area—A campus, building, or floor.
• Outdoor area—A campus or outdoor area.
• Controller list—A list of controller(s) with the selected profile created.
• Config Group—Those config group names configured on the Prime Infrastructure.
Step 5
Enter the email ID of the host to whom the guest account credentials are sent.
Note
This field is optional. The lobby ambassador user can enter any email ID they prefer at the
time of creating a guest user.
Step 6
Provide a brief description of the account.
Step 7
If you want to supply disclaimer text, enter it.
Select the Defaults Editable check box if you want to allow the lobby ambassador to override these
configured defaults. This allows the Lobby Ambassadors to modify Guest User default settings while
creating guest account from the Lobby Ambassador portal.
Note
If no default profile is selected on this tab, the defaults are not applied to this Lobby Ambassador.
However, the Lobby Ambassador account is created, and the Lobby Ambassador can create users
with credentials as desired.
Step 8
Select the Max User Creations Allowed check box to set limits on the number of guest users that can
be created by the lobby ambassador in a given time period. The time period is defined in hours, days, or
weeks.
Step 9
Click the Preview Current Logo link to see what is currently being used as a logo, and then you can
click to enable it or browse to another location to update the logo.
Step 10
If you want additional page header text, you can enter it at the Print Page Header Text field.
Step 11
Click Submit.
Viewing or Editing Group Information
To see specific tasks the user is permitted to do within the defined group or make changes to the tasks,
follow these steps:
Step 1
Choose Administration > AAA.
Step 2
Choose Users from the left sidebar menu.
Step 3
Click the group link in the Member Of column. The Group Detail: User Group page appears.
Note
The detailed page varies based on what group you choose.
You can see the specific tasks the user is permitted to do within the defined group or make changes to
the tasks.
Editing the Guest User Credentials
Click the Prime Infrastructure username of the guest user whose credentials you want to edit. The Lobby
Ambassador Default tab appears, and you can modify the credentials.
Note
While editing, if the Profile selection is removed (changed to Select a profile), the defaults are
removed for this Lobby Ambassador. The user must reconfigure the defaults to reinforce them.
Viewing the Audit Trail
Click the icon in the Users page to view the configuration changes performed by individual users.
The Audit Trail page appears.
This page enables you to view the following data:
• User—User login name.
• Operation—Type of operation audited.
• Time—Time operation was audited.
• Status—Success or failure.
• Reason—Indicates any login failure reason, for example, invalid password.
• Configuration Changes—This field provides a Details link if there are any configuration changes.
  Click the Details link for more information on the configuration changes done by an individual user.
  The entries list the change of values for individual parameters between the Prime Infrastructure and
  Controller. For more information on Audit Trail Details, see the “Audit Trail Details Page” section on
  page 7-246.
Note
You will see the Details link only when you make configuration changes to the wireless devices.
Note
The audit trail entries could be logged for individual controller changes. For example, if a
template is applied on multiple controllers, then there are multiple audit entries for each
controller to which the template has been applied.
Audit Trail Details Page
The Configuration Changes column in the Audit Trail list page contains a Details link if there are
changes to the configuration. Click the Details link to view the Audit Trail Details for a specific User.
The Audit Trail Details dialog box shows the attribute-level differences when a User changes the
configuration from either the Templates or Configuration side.
Table 7-1 describes the fields in the Audit Trail Details dialog box.

Table 7-1    Fields in the Audit Trail Details Page

Fields                           Description
Prime Infrastructure Username    The username who triggered this audit trail.
Object Name                      The name of the object that has triggered this audit trail.
Operation Time                   The date and time at which the audit entry was made.
Configuration Changes            Lists the attributes that have been changed as a result of a user
                                 action in the Prime Infrastructure and the controller.
                                 For example, the attributes could be:
                                 • Quality of service
                                 • Admin Status
                                 • MAC Filters

Creating Guest User Accounts
You can use the Cisco Lobby Ambassador to create guest user accounts in the Prime Infrastructure. A
guest network provided by an enterprise allows access to the Internet for a guest without compromising
the host. The web authentication is provided with or without a supplicant or client, so a guest needs to
initiate a VPN tunnel to their desired destinations.
Both wired and wireless guest user access is supported. Wired guest access enables guest users to
connect to the guest access network from a wired Ethernet connection designated and configured for
guest access. Wired guest access ports might be available in a guest office or specific ports in a
conference room. Like wireless guest user accounts, wired guest access ports are added to the network
using the lobby ambassador feature.
The network administrator must first set up a lobby ambassador account. Guest user accounts are for
visitors, temporary workers, and so on, who need network access. A lobby ambassador account has
limited configuration privileges and only allows access to the screens used to configure and manage
guest user accounts.
The lobby ambassador can create the following types of guest user accounts:
•
A guest user account with a limited lifetime. After the specified time period, the guest user account
automatically expires.
•
A guest user account with an unlimited lifetime. This account never expires.
•
A guest user account that is activated at a predefined time in the future. The lobby ambassador
defines the beginning and end of the valid time period.
To create guest user accounts in the Prime Infrastructure, follow these steps:
Note
A group that has the SuperUser/administrator privileges (by default) can create a lobby ambassador
account. Multiple lobby ambassador accounts can be created by the administrator with varying profiles
and permissions.
Note
A root group, which is created during installation, has only one assigned user, and no additional users
can be assigned after installation. This root user cannot be changed. Also, unlike a super user, no task
changes are allowed.
Step 1
Log into the Prime Infrastructure user interface as an administrator.
Step 2
Choose Administration > AAA.
Step 3
From the left sidebar menu, choose Users.
Step 4
From the Select a command drop-down list, choose Add User, and click Go. The Users page appears.
Step 5
Enter the username.
Step 6
Enter the password. The minimum is six characters. Reenter and confirm the password.
Note
The password must include at least three of the following four types of elements: lowercase
letters, uppercase letters, numbers, and special characters.
Step 7
In the Groups Assigned to this User section, select the LobbyAmbassador check box to access the
Lobby Ambassador Defaults tab.
Step 8
Follow the steps in the “Setting the Lobby Ambassador Defaults” section on page 7-243.
Managing the Prime Infrastructure Guest User Accounts
Prime Infrastructure guest user accounts are managed with the use of templates. This section describes
how to manage the Prime Infrastructure user accounts. It contains the following topics:
•
Configuring a Guest User Template
•
Scheduling the Prime Infrastructure Guest User Accounts
•
Printing or E-mailing the Prime Infrastructure Guest User Details
•
Saving Guest Accounts on a Device
Scheduling the Prime Infrastructure Guest User Accounts
A lobby ambassador is able to schedule automatic creation of a guest user account. The validity and
recurrence of the account can be defined. The generation of a new password on every schedule is optional
and is enabled by selecting a check box. For scheduled users, the password is automatically generated
and is automatically sent by e-mail to the host of the guest. The e-mail address for the host is configured
on the New User page. After clicking Save, the Guest User Details page displays the password. From
this page, you can e-mail or print the account credentials.
To schedule a recurring guest user account in the Prime Infrastructure, follow these steps:
Step 1
Log in to the Prime Infrastructure user interface as lobby ambassador.
Step 2
Choose Schedule Guest User from the Guest User page.
Note
You can also schedule guest users from the Configure > Controller Template Launch Pad >
Security > Guest User option.
Step 3
In the Guest Users > Scheduling page, enter the guest username. The maximum is 24 characters.
Step 4
Select the check box to generate a username and password on every schedule. If this is enabled, a
different password is supplied for each day (up to the number of days chosen). If this is disabled
(unselected), one password is supplied for a span of days. The generation of a new password on every
schedule is optional.
Step 5
Select a Profile ID from the drop-down list. This is the SSID to which this guest user applies and must
be a WLAN that has Layer 3 authentication policy configured. Your administrator can advise which
Profile ID to use.
Step 6
Enter a description of the guest user account.
Step 7
Choose limited or unlimited.
•
Limited—From the drop-down list, choose days, hours, or minutes for the lifetime of this guest user
account. The maximum is 35 weeks.
– Start time—Date and time when the guest user account begins.
– End time—Date and time when the guest user account expires.
•
Unlimited—This user account never expires.
•
Days of the week—Select the check box for the days of the week that apply to this guest user
account.
Step 8
Choose Apply To to restrict a guest user to a confined area by selecting a campus, building, or floor so
that when applied, only those controllers and associated access points are available. You can use AP
grouping to enforce access point level restrictions that determine which SSIDs to broadcast. Those
access points are then assigned to the respective floors. You can also restrict the guest user to specific
listed controllers or a configuration group, which is a group of controllers that has been preconfigured
by the administrator.
From the drop-down lists, choose one of the following:
•
Controller List—Select the check box for the controller(s) to which the guest user account is
associated.
•
Indoor Area—Choose the applicable campus, building, and floor.
•
Outdoor Area—Choose the applicable campus and outdoor area.
•
Config group—Choose the configuration group to which the guest user account belongs.
Step 9
Enter the e-mail address to send the guest user account credentials. Each time the scheduled time comes
up, the guest user account credentials are e-mailed to the specified e-mail address.
Step 10
Review the disclaimer information. Use the scroll bar to move up and down.
Step 11
Click Save to save your changes or Cancel to leave the settings unchanged.
Printing or E-mailing the Prime Infrastructure Guest User Details
The lobby ambassador can print or e-mail the guest user account details to the host or person who
welcomes guests.
The e-mail and print copy shows the following details:
•
Username—Guest user account name.
•
Password—Password for the guest user account.
•
Start time—Date and time when the guest user account begins.
•
End time—Date and time when the guest user account expires.
•
Profile ID—Profile assigned to the guest user. Your administrator can advise which Profile ID to use.
•
Disclaimer—Disclaimer information for the guest user.
When creating the guest user account and applying the account to a list of controllers, area, or
configuration group, a link is provided to e-mail or print the guest user account details. You can also
print guest user account details from the Guest Users List page.
To print guest user details from the Guest Users List page, follow these steps:
Step 1
Log into the Prime Infrastructure user interface as lobby ambassador.
Step 2
On the Guest User page, select the check box next to User Name, choose Print/E-mail User Details
from the Select a command drop-down list, and click Go.
•
If printing, click Print and from the print page, select a printer, and click Print or Cancel.
•
If e-mailing, click E-mail and from the e-mail page, enter the subject text and the e-mail address of
the recipient. Click Send or Cancel.
Note
You can also print or e-mail user details from the Configure > Controller Template Launch Pad
> Security > Guest User option.
Saving Guest Accounts on a Device
Select the Save Guest Accounts on Device check box to save guest accounts to a WLC flash so that they
are maintained across WLC reboots.
Note
In the Configure > Controller Template Launch Pad > Security > Guest page, you choose Save
Guest Accounts on device from the Select a command drop-down list.
Editing the Guest User Credentials
Click the Prime Infrastructure username of the guest user whose credentials you want to edit. The Lobby
Ambassador Default tab appears, and you can modify the credentials.
While editing, if the Profile selection is removed (changed to Select a profile), the defaults are removed
for this Lobby Ambassador. The user must reconfigure the defaults to reinforce them.
Adding a New User
The Add User page allows the administrator to set up a new user login including username, password,
groups assigned to the user, and virtual domains for the user.
Note
You can only assign virtual domains to a newly created user which you own. By assigning virtual
domains to a user, the user is restricted to information applicable to those virtual domains.
This section contains the following topics:
•
Adding User Names, Passwords, and Groups
•
Assigning a Virtual Domain
Adding User Names, Passwords, and Groups
To add a new user, follow these steps:
Step 1
Choose Administration > AAA.
Step 2
From the left sidebar menu, choose Users.
Step 3
From the Select a command drop-down list, choose Add User.
Step 4
Click Go. The Users page appears.
Step 5
Enter a new Username.
Step 6
Enter and confirm a password for this account.
Step 7
Select the check box(es) of the groups to which this user is assigned.
Note
If the user belongs to Lobby Ambassador, Monitor Lite, Northbound API, or Users Assistant
group, the user cannot belong to any other group.
•
Admin—Allows users to monitor and configure the Prime Infrastructure operations and perform all
system administration tasks.
•
ConfigManagers—Allows users to monitor and configure the Prime Infrastructure operations.
•
System Monitoring—Allows users to monitor the Prime Infrastructure operations.
•
Users Assistant—Allows local net user administration only.
•
Lobby Ambassador—Allows guest access for configuration and management only of user accounts.
If Lobby Ambassador is selected, a Lobby Ambassador Defaults tab appears.
•
Monitor Lite—Allows monitoring of assets location.
•
North Bound API User—A user group used by the Prime Infrastructure Web Service consumers.
That is, any North Bound APIs.
Note
If you are creating a North Bound API user from TACACS or RADIUS, the default user
domain should be root.
Note
North Bound API Users cannot be assigned a Virtual Domain. When a North Bound API
group is selected, the Virtual Domains tab is not available.
•
SuperUsers—Allows users to monitor and configure the Prime Infrastructure operations and
perform all system administration tasks including administering the Prime Infrastructure user
accounts and passwords. Superuser tasks can be changed.
•
Root—This group is only assignable to 'root' user and that assignment cannot be changed.
•
User Defined.
Assigning a Virtual Domain
To assign a virtual domain to this user, follow these steps:
Step 1
Click the Virtual Domains tab. This tab displays all virtual domains available and assigned to this user.
Note
The Virtual Domains tab enables the administrator to assign virtual domains for each user. By
assigning virtual domains to a user, the user is restricted to information applicable to those
virtual domains.
Note
North Bound API Users cannot be assigned a Virtual Domain. When a North Bound API group
is selected, the Virtual Domains tab is not available.
Step 2
Click to highlight the virtual domain in the Available Virtual Domains list that you want to assign to this
user.
Note
You can select more than one virtual domain by holding down the Shift or Control key.
Step 3
Click Add >. The virtual domain moves from the Available Virtual Domains to the Selected Virtual
Domains list.
To remove a virtual domain from the Selected Virtual Domains list, click to highlight the domain in the
Selected Virtual Domains list, and click Remove. The virtual domain moves from the Selected Virtual
Domains to the Available Virtual Domains list.
Step 4
Click Submit to save the changes or Cancel to close the page without adding or editing the current user.
Managing Lobby Ambassador Accounts
You can use the Cisco Lobby Ambassador to create guest user accounts in the Prime Infrastructure. A
guest network provided by an enterprise allows access to the Internet for a guest without compromising
the host. The web authentication is provided with or without a supplicant or client, so a guest needs to
initiate a VPN tunnel to their desired destinations.
Both wired and wireless guest user access is supported. Wired guest access enables guest users to
connect to the guest access network from a wired Ethernet connection designated and configured for
guest access. Wired guest access ports might be available in a guest office or specific ports in a
conference room. Like wireless guest user accounts, wired guest access ports are added to the network
using the lobby ambassador feature.
The network administrator must first set up a lobby ambassador account. Guest user accounts are for
visitors, temporary workers, and so on, who need network access. A lobby ambassador account has
limited configuration privileges and only allows access to the pages used to configure and manage guest
user accounts.
The lobby ambassador can create the following types of guest user accounts:
•
A guest user account with a limited lifetime. After the specified time period, the guest user account
automatically expires.
•
A guest user account with an unlimited lifetime. This account never expires.
•
A guest user account that is activated at a predefined time in the future. The lobby ambassador
defines the beginning and end of the valid time period.
This section contains the following topics:
•
Creating a Lobby Ambassador Account
•
Editing a Lobby Ambassador Account
•
Logging in to the Prime Infrastructure User Interface as a Lobby Ambassador
•
Logging the Lobby Ambassador Activities
Creating a Lobby Ambassador Account
Note
A group that has the SuperUser/administrator privileges (by default) can create a lobby ambassador
account.
To create a lobby ambassador account in the Prime Infrastructure, follow these steps:
Step 1
Log into the Prime Infrastructure user interface as an administrator.
Step 2
Choose Administration > AAA.
Step 3
From the left sidebar menu, choose Users.
Step 4
From the Select a command drop-down list, choose Add User.
Step 5
Click Go.
Step 6
Enter the username.
Step 7
Enter the password. Reenter to confirm the password. Password requirements include the following:
•
The password must have a minimum of eight characters.
•
The password must include at least three of the following elements: lowercase letters, uppercase
letters, numbers, or special characters.
Step 8
In the Groups Assigned to this User section, select the LobbyAmbassador check box to access the
Lobby Ambassador Defaults tab.
The Lobby Ambassador Defaults tab has the following parameters:
•
Profile—The default profile to which the guest users would connect.
•
Lifetime—Limited or Unlimited.
Note
By default, the lifetime is limited to eight hours.
•
Apply to—From the drop-down list, choose one of the following:
– Indoor Area—Campus, Building, and Floor.
– Outdoor Area—Campus, Outdoor Area.
– Controller List—List of controller(s) on which the selected profile is created.
– Config Groups—Config group names configured on the Prime Infrastructure.
•
Email ID—The e-mail ID of the host to whom the guest account credentials are sent.
Note
This field is optional. The lobby ambassador user can enter any e-mail ID of their choice at
the time of creating a guest user.
•
Description—A brief description of this account.
•
Disclaimer—The default disclaimer text.
•
Defaults Editable—Select this check box if you want to allow the lobby ambassador to override
these configured defaults. This allows the lobby ambassador to modify these Guest User Account
default settings while creating Guest Accounts from the Lobby Ambassador portal.
Note
If no default profile is selected on this tab, the defaults are not applied to this Lobby
Ambassador. However, the Lobby Ambassador account is created and the Lobby
Ambassador can create users with credentials as desired.
•
Max User Creation Allowed—Select this check box to set limits on the number of guest users that
can be created by the Lobby Ambassador in a given time period. The time period is defined in hours,
days, or weeks.
•
Click Submit. The name of the new lobby ambassador account is listed and the account can be used
immediately.
Editing a Lobby Ambassador Account
The Lobby Ambassador default credentials can be edited from the username link on the Prime
Infrastructure user list page.
To edit the Lobby Ambassador default credentials, follow these steps:
Step 1
Log into the Prime Infrastructure user interface as an administrator.
Step 2
Choose Administration > AAA.
Step 3
From the left sidebar menu, choose Users.
Step 4
Click the applicable Lobby Ambassador account in the User Name column.
Step 5
From the Lobby Ambassador Defaults page, edit the credentials as necessary.
Note
While editing, if the Profile selection is removed (changed to Select a profile), the defaults are
removed for this Lobby Ambassador. The user must reconfigure the defaults to reinforce them.
Step 6
Click Submit.
Logging in to the Prime Infrastructure User Interface as a Lobby Ambassador
When you log in as a lobby ambassador, you have access to the guest user template page in the Prime
Infrastructure. You can then configure guest user accounts (through templates).
To log into the Prime Infrastructure user interface through a web browser, follow these steps:
Step 1
Launch Internet Explorer 8 or later on your computer.
Note
Some Prime Infrastructure features might not function properly if you use a web browser other
than Internet Explorer 8 or later on a Windows workstation.
Step 2
In the browser address line, enter https://Prime Infrastructure-ip-address (such as https://1.1.1.1),
where Prime Infrastructure-ip-address is the IP address of the computer on which the Prime
Infrastructure is installed. Your administrator can provide this IP address.
Step 3
When the Prime Infrastructure user interface displays the Login window, enter your username and
password.
Note
All entries are case sensitive.
Note
The lobby ambassador can only define guest user templates.
Step 4
Click Submit to log into the Prime Infrastructure. The Prime Infrastructure user interface is now active and
available for use. The Guest Users page is displayed. This page provides a summary of all created Guest
Users.
To exit the Prime Infrastructure user interface, close the browser window or click Logout in the upper
right corner of the page. Exiting a Prime Infrastructure user interface session does not shut down the
Prime Infrastructure on the server.
Note
When a system administrator stops the Prime Infrastructure server during a Prime Infrastructure session,
the session ends, and the web browser displays this message: “The page cannot be displayed.” Your
session does not reassociate to the Prime Infrastructure when the server restarts. You must restart the Prime
Infrastructure session.
Logging the Lobby Ambassador Activities
The following activities are logged for each lobby ambassador account:
•
Lobby ambassador login—Prime Infrastructure logs the authentication operation results for all
users.
•
Guest user creation—When a lobby ambassador creates a guest user account, the Prime
Infrastructure logs the guest username.
•
Guest user deletion—When a lobby ambassador deletes the guest user account, the Prime
Infrastructure logs the deleted guest username.
•
Account updates—Prime Infrastructure logs the details of any updates made to the guest user
account, for example, increasing the lifetime.
To view the lobby ambassador activities, follow these steps:
Note
You must have administrative permissions to open this window.
Step 1
Log into the Prime Infrastructure user interface as an administrator.
Step 2
Choose Administration > AAA > Groups from the left sidebar menu to display the All Groups page.
Step 3
On the All Groups page, click the Audit Trail icon for the lobby ambassador account you want to view.
The Audit Trail page for the lobby ambassador appears.
This page enables you to view a list of lobby ambassador activities over time.
•
User—User login name
•
Operation—Type of operation audited
•
Time—Time operation was audited
•
Status—Success or failure
Step 4
To clear the audit trail, choose Clear Audit Trail from the Select a command drop-down list, and click
Go.
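The audit trail columns described in this chapter (User, Operation, Time, Status, Reason) are enough to review lobby ambassador activity offline. The following is an added example, not Cisco code: it assumes the entries have been copied into CSV using those column names, and the operation labels, timestamp format, thresholds and sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: column names come from the Audit Trail page, values are invented.
SAMPLE_AUDIT_CSV = """\
User,Operation,Time,Status,Reason
lobby1,Login,2013-09-02 08:00:05,Failure,Invalid password
lobby2,Login,2013-09-02 08:00:40,Failure,Invalid password
lobby1,Login,2013-09-02 08:01:10,Failure,Invalid password
lobby1,Login,2013-09-02 08:02:30,Failure,Invalid password
lobby1,Login,2013-09-02 08:03:00,Success,
lobby2,Login,2013-09-02 08:30:00,Failure,Invalid password
lobby2,Login,2013-09-02 08:31:00,Success,
lobby1,Guest user creation,2013-09-02 09:00:00,Success,
lobby1,Guest user creation,2013-09-02 09:10:00,Success,
lobby2,Guest user creation,2013-09-02 09:15:00,Success,
lobby1,Guest user creation,2013-09-02 09:20:00,Success,
lobby1,Guest user creation,2013-09-02 09:30:00,Success,
lobby2,Guest user creation,2013-09-02 10:30:00,Success,
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed export format


def parse_audit(text):
    """Parse the CSV into dict rows sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        row["Time"] = datetime.strptime(row["Time"], TIME_FORMAT)
        rows.append(row)
    return sorted(rows, key=lambda r: r["Time"])


def first_window_hit(rows, matches, count, window):
    """Return {user: time} of the first moment `count` matching events
    by the same user fell inside one sliding `window`."""
    recent = defaultdict(deque)
    hits = {}
    for row in rows:
        if not matches(row):
            continue
        times = recent[row["User"]]
        times.append(row["Time"])
        while row["Time"] - times[0] > window:
            times.popleft()                     # drop events older than the window
        if len(times) >= count and row["User"] not in hits:
            hits[row["User"]] = row["Time"].strftime(TIME_FORMAT)
    return hits


def review(text, max_failures=3, failure_window_min=10,
           max_creations=3, creation_window_hours=1):
    """Flag failed-login bursts and guest creation above a per-period limit."""
    rows = parse_audit(text)
    failed = first_window_hit(
        rows,
        lambda r: r["Operation"] == "Login" and r["Status"] == "Failure",
        max_failures,
        timedelta(minutes=failure_window_min),
    )
    # Mirrors the intent of Max User Creation Allowed: alert on the first
    # creation that exceeds the allowed number within the period.
    created = first_window_hit(
        rows,
        lambda r: r["Operation"] == "Guest user creation" and r["Status"] == "Success",
        max_creations + 1,
        timedelta(hours=creation_window_hours),
    )
    return {"failed_login_bursts": failed, "guest_creation_over_limit": created}


if __name__ == "__main__":
    for name, hits in review(SAMPLE_AUDIT_CSV).items():
        print(name, hits)
```
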
CHAPTER 8
Configuring Mobility Groups
This chapter describes mobility groups and explains how to configure them on the Cisco Prime
Infrastructure. It contains the following sections:
•
Information About Mobility
•
Symmetric Tunneling
•
Overview of Mobility Groups
•
Configuring Mobility Groups
•
Mobility Anchors
•
Configuring Multiple Country Codes
•
Configuring Controller Config Groups
•
Reporting Config Groups
•
Downloading Software
Information About Mobility
Mobility, or roaming, is the ability of a wireless client to maintain its association seamlessly from one
access point to another securely and with as little latency as possible. This section explains how mobility
works when controllers are included in a wireless network.
When a wireless client associates and authenticates to an access point, the controller places an entry for
that client in its client database. This entry includes the MAC and IP addresses of the client, security
context and associations, quality of service (QoS) contexts, the WLANs, and the associated access point.
The controller uses this information to forward frames and manage traffic to and from the wireless client.
Figure 8-1 illustrates a wireless client roaming from one access point to another when both access points
are joined to the same controller.
Figure 8-1
Intra-Controller Roaming
When the wireless client moves its association from one access point to another, the controller simply
updates the client database with the newly associated access point. If necessary, new security context
and associations are established as well.
The process becomes more complicated, however, when a client roams from an access point joined to
one controller to an access point joined to a different controller. The process also varies based on whether
the controllers are operating on the same subnet. Figure 8-2 illustrates inter-controller roaming, which
occurs when the wireless LAN interfaces of a controller are on the same IP subnet.
Figure 8-2
Inter-Controller Roaming
When the client associates to an access point joined to a new controller, the new controller exchanges
mobility messages with the original controller, and the client database entry is moved to the new
controller. New security context and associations are established if necessary, and the client database
entry is updated for the new access point. This process remains invisible to the user.
Note
All clients configured with 802.1X/Wi-Fi Protected Access (WPA) security complete a full
authentication to comply with the IEEE standard.
Figure 8-3 illustrates inter-subnet roaming, which occurs when the wireless LAN interfaces of a
controller are on different IP subnets.
Figure 8-3
Inter-Subnet Roaming
Inter-subnet roaming is similar to inter-controller roaming in that the controllers exchange mobility
messages on how the client roams. However, instead of moving the client database entry to the new
controller, the original controller marks the client with an “Anchor” entry in its own client database. The
database entry is copied to the new controller client database and marked with a “Foreign” entry in the
new controller. The roam remains invisible to the wireless client, and the client maintains its original IP
address.
After an inter-subnet roam, data flows in an asymmetric traffic path to and from the wireless client.
Traffic from the client to the network is forwarded directly into the network by the foreign controller.
Traffic to the client arrives at the anchor controller, which forwards the traffic to the foreign controller
in an EtherIP tunnel. The foreign controller then forwards the data to the client. If a wireless client roams
to a new foreign controller, the client database entry is moved from the original foreign controller to the
new foreign controller, but the original anchor controller is always maintained. If the client moves back
to the original controller, it becomes local again.
In inter-subnet roaming, WLANs on both anchor and foreign controllers need to have the same network
access privileges and no source-based routing or source-based firewalls in place. Otherwise, the clients
might have network connectivity problems after the handoff.
Note
Currently, multicast traffic cannot be passed during inter-subnet roaming. In other words, avoid
designing an inter-subnet network for Spectralink phones that need to send multicast traffic while using
push to talk.
Note
Both inter-controller roaming and inter-subnet roaming require the controllers to be in the same mobility
group. See the next two sections for a description of mobility groups and instructions for configuring
them.
Symmetric Tunneling
With symmetric mobility tunneling, the controller provides inter-subnet mobility for clients roaming
from one access point to another within a wireless LAN. The client traffic on the wired network is
directly routed by the foreign controller. If a router has Reverse Path Filtering (RPF) enabled (which
provides additional checks on incoming packets), the communication is blocked. Symmetric mobility
tunneling allows the client traffic to reach the controller designated as the anchor, even with RPF
enabled. You enable or disable symmetric tunneling by choosing Configure > Controller and then
System > General from the left sidebar menu.
Note
All controllers in a mobility group should have the same symmetric tunneling mode.
Note
For symmetric tunneling to take effect, a reboot is required.
With this guest tunneling N+1 redundancy feature, the time it takes for a client to join another access
point following a controller failure is decreased because a failure is quickly identified, the clients are
moved away from the problem controller, and the clients are anchored to another controller.
See the “Configuring Controller Templates” section on page 11-558 for instructions on configuring this
feature within a template.
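The client database handling for the three roaming cases, and the reason an RPF-enabled router blocks the asymmetric path, can be modelled in a few lines. This is an added example, not Cisco code: controller names, subnets and addresses are constructed, and the RPF check is simplified to a single router that accepts a packet only when its source address belongs to the subnet it arrived from.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(eq=False)
class Controller:
    name: str
    subnet: str                                   # subnet of the WLAN interface
    clients: dict = field(default_factory=dict)   # MAC -> "Local" | "Anchor" | "Foreign"


@dataclass(eq=False)
class Client:
    mac: str
    ip: str
    anchor: Controller    # controller on whose subnet the client got its IP address
    current: Controller   # controller of the access point the client is joined to


def associate(mac, ip, controller):
    """First association: the controller adds a local client database entry."""
    controller.clients[mac] = "Local"
    return Client(mac, ip, anchor=controller, current=controller)


def roam(client, new):
    """Update the client databases when the client joins an AP on `new`."""
    old, anchor = client.current, client.anchor
    if new is old:
        return "intra-controller"                 # only the AP in the entry changes
    if new is anchor:
        old.clients.pop(client.mac, None)         # back home: local again
        anchor.clients[client.mac] = "Local"
        kind = "returned-to-anchor"
    elif old is anchor and new.subnet == anchor.subnet:
        del old.clients[client.mac]               # same subnet: entry is moved
        new.clients[client.mac] = "Local"
        client.anchor = new
        kind = "inter-controller"
    else:
        # Different subnet, or a move between foreign controllers (the model
        # treats every non-anchor controller as foreign once anchored).
        if old is not anchor:
            old.clients.pop(client.mac, None)     # foreign entry moves on
        anchor.clients[client.mac] = "Anchor"     # original anchor is kept
        new.clients[client.mac] = "Foreign"
        kind = "inter-subnet"
    client.current = new
    return kind


def traffic_paths(client, symmetric_tunneling=False):
    """Return (upstream, downstream) as the controllers the traffic crosses."""
    anchor, current = client.anchor, client.current
    if current is anchor:
        return [anchor], [anchor]
    downstream = [anchor, current]                # anchor -> EtherIP tunnel -> foreign
    # Asymmetric: the foreign controller forwards straight into the network.
    # Symmetric: client traffic is carried to the anchor first.
    upstream = [current, anchor] if symmetric_tunneling else [current]
    return upstream, downstream


def rpf_accepts(src_ip, ingress_subnet):
    """Simplified strict reverse-path check on the first-hop router."""
    return ip_address(src_ip) in ip_network(ingress_subnet)


def upstream_passes_rpf(client, symmetric_tunneling=False):
    """Does client traffic survive RPF where it enters the wired network?"""
    upstream, _ = traffic_paths(client, symmetric_tunneling)
    return rpf_accepts(client.ip, upstream[-1].subnet)


if __name__ == "__main__":
    home = Controller("wlc-home", "10.1.0.0/24")
    away = Controller("wlc-away", "10.3.0.0/24")
    laptop = associate("00:11:22:33:44:55", "10.1.0.50", home)
    print(roam(laptop, away), home.clients, away.clients)
    print("asymmetric passes RPF:", upstream_passes_rpf(laptop))
    print("symmetric passes RPF:", upstream_passes_rpf(laptop, True))
```
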
Overview of Mobility Groups
A set of controllers can be configured as a mobility group to allow seamless client roaming within a
group of controllers. By creating a mobility group, you can enable multiple controllers in a network to
dynamically share information and forward data traffic when inter-controller or inter-subnet roaming
occurs. Controllers can share the context and state of client devices and controller loading information.
With this information, the network can support inter-controller wireless LAN roaming and controller
redundancy.
Note
Clients do not roam across mobility groups.
Figure 8-4 shows an example of a mobility group.
Figure 8-4
A Single Mobility Group
As shown in Figure 8-4, each controller is configured with a list of the other members of the mobility
group. Whenever a new client joins a controller, the controller sends out a unicast message to all of the
controllers in the mobility group. The controller to which the client was previously connected passes on
the status of the client. All mobility exchange traffic between controllers is carried over a CAPWAP
tunnel.
Examples:
1.
A 4404-100 controller supports up to 100 access points. Therefore, a mobility group consisting of
24 4404-100 controllers supports up to 2400 access points (24 * 100 = 2400 access points).
2.
A 4402-25 controller supports up to 25 access points, and a 4402-50 controller supports up to 50
access points. Therefore, a mobility group consisting of 12 4402-25 controllers and 12 4402-50
controllers supports up to 900 access points (12 * 25 + 12 * 50 = 300 + 600 = 900 access points).
Mobility groups enable you to limit roaming between different floors, buildings, or campuses in the same
enterprise by assigning different mobility group names to different controllers within the same wireless
network. Figure 8-5 shows the results of creating distinct mobility group names for two groups of
controllers.
Figure 8-5 Two Mobility Groups
The controllers in the ABC mobility group recognize and communicate with each other through their
access points and through their shared subnets. The controllers in the ABC mobility group do not
recognize or communicate with the XYZ controllers, which are in a different mobility group. Likewise,
the controllers in the XYZ mobility group do not recognize or communicate with the controllers in the
ABC mobility group. This feature ensures mobility group isolation across the network.
Note
Clients might roam between access points in different mobility groups, provided they can detect them.
However, their session information is not carried between controllers in different mobility groups.
When to Include Controllers in a Mobility Group
If it is possible for a wireless client in your network to roam from an access point joined to one controller
to an access point joined to another controller, both controllers should be in the same mobility group.
Messaging among Mobility Groups
The controller provides inter-subnet mobility for clients by sending mobility messages to other member
controllers. There can be up to 72 members in the list with up to 24 in the same mobility group. In the
Prime Infrastructure and controller software releases 5.0, two improvements have been made to mobility
messaging, each of which is especially useful when sending messages to the full list of mobility
members:
•
Sending Mobile Announce messages within the same group first and then to other groups in the list
The controller sends a Mobile Announce message to members in the mobility list each time a new
client associates to it. In the Prime Infrastructure and controller software releases prior to 5.0, the
controller sends this message to all members in the list irrespective of the group to which they
belong. However, in controller software release 5.0, the controller sends the message only to those
members that are in the same group as the controller and then includes all of the other members
while sending retries.
•
Sending Mobile Announce messages using multicast instead of unicast
In the Prime Infrastructure and controller software releases prior to 5.0, the controller might be
configured to use multicast to send the mobile announce messages, which requires sending a copy
of the messages to every mobility member. This behavior is not efficient because many messages
(such as Mobile Announce, PMK Update, AP List Update, and IDS Shun) are meant for all members
in the group. In the Prime Infrastructure and controller software releases 5.0, the controller uses
multicast mode to send the Mobile Announce messages. This behavior allows the controller to send
only one copy of the message to the network, addressed to the multicast group that contains all
the mobility members. To derive the maximum benefit from multicast messaging, we recommend
that it be enabled or disabled on all group members.
Configuring Mobility Groups
This section provides instructions for configuring mobility groups.
Note
You can also configure mobility groups using the controller. See the Cisco Wireless LAN Controller
Configuration Guide for instructions.
Prerequisites
Before you add controllers to a mobility group, you must verify that the following requirements have
been met for all controllers that are to be included in the group:
•
All controllers must be configured for the same LWAPP transport mode (Layer 2 or Layer 3).
Note
You can verify and, if necessary, change the LWAPP transport mode in the System > General
page.
•
IP connectivity must exist between the management interfaces of all devices.
Note
You can verify IP connectivity by pinging the controllers.
•
All controllers must be configured with the same mobility group name.
Note
For the Cisco WiSM, both controllers should be configured with the same mobility group
name for seamless routing among 300 access points.
•
All devices must be configured with the same virtual interface IP address.
Note
If all the controllers within a mobility group are not using the same virtual interface,
inter-controller roaming might appear to work, but the hand-off does not complete, and the
client loses connectivity for a period of time.
•
You must have gathered the MAC address and IP address of every controller that is to be included
in the mobility group. This information is necessary because you configure all controllers with the
MAC address and IP address of all the other mobility group members.
Note
You can find the MAC and IP addresses of the other controllers to be included in the mobility
group in the Configure > Controllers page.
To add each WLC controller into mobility groups and configure them, follow these steps:
Step 1
Choose Configure > Controllers.
This page shows the list of all the controllers you added in Step 1. The mobility group names and the IP
address of each controller that is currently a member of the mobility group are listed.
Step 2
Choose the first controller by clicking the WLC IP address. You then access the controller templates
interface for the controller you are managing.
Step 3
Choose System > Mobility Groups from the left sidebar menu. The existing Mobility Group members
are listed in the page.
Step 4
You see a list of available controllers. From the Select a command drop-down list in the upper right-hand
corner, choose Add Group Members and then click Go.
Step 5
If no controllers were found to add to the mobility group, you can add the members manually by clicking
the “To add members manually to the Mobility Group click here” link. The Mobility Group Member
page appears.
Step 6
In the Member MAC Address text box, enter the MAC address of the controller to be added.
Step 7
In the Member IP Address text box, enter the management interface IP address of the controller to be
added.
Note
If you are configuring the mobility group in a network where Network Address Translation
(NAT) is enabled, enter the IP address sent to the controller from the NAT device rather than the
management interface IP address of the controller. Otherwise, mobility fails among controllers
in the mobility group.
Step 8
Enter the multicast group IP address to be used for multicast mobility messages in the Multicast Address
text box. The group address of the local mobility member must be the same as the group address of the
local controller.
Step 9
In the Group Name text box, enter the name of the mobility group.
Step 10
Click Save.
Step 11
Repeat Steps 1 through 9 for the remaining WLC devices.
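The prerequisites and member-entry steps above can be checked against a plan before anything is entered in the GUI. The following Python sketch is an added example, not Cisco code: the `Controller` record, its field names and the sample addresses are constructed for illustration, and counting the local controller toward the 72-entry list limit is an assumption.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

MAX_LIST_MEMBERS = 72    # page: up to 72 members in the mobility list
MAX_GROUP_MEMBERS = 24   # page: up to 24 of them in the same mobility group


@dataclass
class Controller:
    name: str
    mac: str
    mgmt_ip: str
    group: str
    virtual_ip: str
    transport: str                    # "Layer 2" or "Layer 3"
    ap_capacity: int                  # for example 25 for a 4402-25
    multicast: Optional[str] = None   # mobility multicast group address, None = unicast
    nat_ip: Optional[str] = None      # address peers see when NAT is in the path
    members: set = field(default_factory=set)   # {(mac, ip)} entered on this controller

    def advertised(self):
        """The (MAC, IP) pair every other member must enter for this controller."""
        return (self.mac.lower(), self.nat_ip or self.mgmt_ip)


# Settings the prerequisites require to be identical on every member.
SHARED = (("transport", "LWAPP transport mode"),
          ("group", "mobility group name"),
          ("virtual_ip", "virtual interface IP address"),
          ("multicast", "mobility multicast group address"))


def validate_group(controllers):
    """Return findings for one planned mobility group; an empty list means it passes."""
    findings = []
    for attr, label in SHARED:
        counts = Counter(getattr(c, attr) for c in controllers)
        if len(counts) > 1:
            majority = counts.most_common(1)[0][0]
            odd = sorted(c.name for c in controllers if getattr(c, attr) != majority)
            findings.append(f"{label} differs on: {', '.join(odd)}")
    if len(controllers) > MAX_GROUP_MEMBERS:
        findings.append(
            f"{len(controllers)} controllers exceed the {MAX_GROUP_MEMBERS}-member group limit")
    for c in controllers:
        if c.multicast and not ip_address(c.multicast).is_multicast:
            findings.append(f"{c.name}: {c.multicast} is not a multicast address")
        # Assumption: the 72-entry limit counts the local controller plus its peers.
        if len(c.members) + 1 > MAX_LIST_MEMBERS:
            findings.append(f"{c.name}: mobility list exceeds {MAX_LIST_MEMBERS} entries")
        entered = {(mac.lower(), ip) for mac, ip in c.members}
        expected = {p.advertised() for p in controllers if p is not c}
        for mac, ip in sorted(expected - entered):
            findings.append(f"{c.name}: member list lacks {mac} / {ip}")
    return findings


def group_ap_capacity(controllers):
    """Access points the group can serve: the sum of each controller's limit."""
    return sum(c.ap_capacity for c in controllers)


def sample_plan():
    """Constructed three-controller plan with three deliberate mistakes."""
    a = Controller("wlc-a", "00:11:22:33:44:0A", "10.0.1.10", "ABC", "192.0.2.1", "Layer 3", 25)
    b = Controller("wlc-b", "00:11:22:33:44:0B", "10.0.2.10", "ABC", "192.0.2.1", "Layer 3", 50)
    c = Controller("wlc-c", "00:11:22:33:44:0C", "10.0.3.10", "ABC", "192.0.2.2", "Layer 3", 50,
                   nat_ip="203.0.113.30")               # mistake: different virtual IP
    a.members = {b.advertised(), (c.mac, c.mgmt_ip)}    # mistake: pre-NAT address for wlc-c
    b.members = {a.advertised(), c.advertised()}
    c.members = {a.advertised()}                        # mistake: wlc-b never entered
    return [a, b, c]


if __name__ == "__main__":
    for finding in validate_group(sample_plan()):
        print(finding)
```

The virtual interface mismatch and the pre-NAT member address are the two conditions the notes above describe as roaming that appears to work but then fails.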
Setting the Mobility Scalability Parameters
To set the mobility message parameters, follow these steps:
Note
You must complete the steps in the “Configuring Mobility Groups” section on page 8-264 prior
to setting the mobility scalability parameters.
Step 1
Choose Configure > Controllers.
Step 2
Choose an IP address of a controller whose software version is 5.0 or later.
Step 3
Choose System > Multicast from the left sidebar menu. The Multicast page appears.
Step 4
From the Ethernet Multicast Support drop-down list, specify if you want to disable the ability for the
controller to use multicast mode to send Mobile Announce messages to mobility members. Otherwise,
you can choose Multicast or Unicast from the drop-down list.
Step 5
If you chose multicast in Step 4, you must enter the group IP address at the Multicast Group Address
field to begin multicast mobility messaging. You must configure this IP address for the local mobility
group, but it is optional for other groups within the mobility list. If you do not configure the IP address
for other (non-local) groups, the controllers use unicast mode to send mobility messages to those
members.
Step 6
Select the Global Multicast Mode check box to make the multicast mode available globally.
Step 7
Select the Enable IGMP Snooping check box to enable IGMP snooping.
Step 8
Choose Enable from the Multicast Mobility Mode drop-down list to change the IGMP snooping status
or to set the IGMP timeout. When IGMP snooping is enabled, the controller gathers IGMP reports from
the clients and then sends each access point a list of the clients listening to any multicast group. The
access point then forwards the multicast packets only to those clients.
The timeout interval has a range of 3 to 300 and a default value of 60. When the timeout expires, the
controller sends a query to all WLANs. Those clients which are listening in the multicast group then send
a packet back to the controller.
Step 9
If you enabled the Multicast Mobility Mode, enter the mobility group multicast address.
Step 10
Select the Multicast Direct check box to enable videos to be streamed over a wireless network.
Step 11
Specify the Session Banner information, which is the error information sent to the client if the client is
denied or dropped from a Media Stream.
a.
State—Select the check box to activate the Session Banner. If not activated, the Session Banner is
not sent to the client
b.
URL—A web address reported to the client
c.
Email—An e-mail address reported to the client
d.
Phone—A telephone number reported to the client
e.
Note—A note reported to the client
Note
All media streams on a controller share this configuration.
Step 12
Click Save.
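The Mobile Announce ordering described under Messaging among Mobility Groups and the multicast group address rule in Step 5 together determine how many packets one client association costs. This added Python example (not part of the Cisco guide) models the release 5.0 behavior; the function name, member records and addresses are constructed, and using a non-local group's multicast address on retries is this example's reading of Step 5.

```python
from ipaddress import ip_address


def announce_plan(local_group, members, group_mcast, attempt=1, multicast_mode=True):
    """Return the packets one Mobile Announce costs as [(destination, transport)].

    members     -- peers in the mobility list: [{"ip": ..., "group": ...}]
    group_mcast -- multicast group address configured per mobility group name
    attempt     -- 1 for the first send, 2 or more for retries
    """
    if multicast_mode:
        local_addr = group_mcast.get(local_group)
        # The address is mandatory for the local group once multicast is chosen.
        if not local_addr or not ip_address(local_addr).is_multicast:
            raise ValueError("local mobility group needs a multicast group address")
    # Release 5.0 ordering: own group first, every other member only on retries.
    targets = [m for m in members if attempt > 1 or m["group"] == local_group]
    packets, used = [], set()
    for m in targets:
        addr = group_mcast.get(m["group"]) if multicast_mode else None
        if addr is None:
            packets.append((m["ip"], "unicast"))      # one copy per member
        elif addr not in used:
            used.add(addr)
            packets.append((addr, "multicast"))       # one copy per group
    return packets


# Constructed mobility list as seen from a controller in group "ABC".
MEMBERS = [
    {"ip": "10.0.1.11", "group": "ABC"},
    {"ip": "10.0.1.12", "group": "ABC"},
    {"ip": "10.0.2.11", "group": "XYZ"},
    {"ip": "10.0.2.12", "group": "XYZ"},
    {"ip": "10.0.3.11", "group": "LMN"},
]
GROUP_MCAST = {"ABC": "239.1.1.1", "XYZ": "239.1.1.2"}   # none configured for "LMN"

if __name__ == "__main__":
    for attempt in (1, 2):
        for mode in (True, False):
            plan = announce_plan("ABC", MEMBERS, GROUP_MCAST, attempt, mode)
            print(f"attempt={attempt} multicast={mode}: {len(plan)} packet(s) {plan}")
```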
Mobility Anchors
Mobility anchors are a subset of a mobility group specified as the anchor controllers for a WLAN. This
feature can be used to restrict a WLAN to a single subnet, regardless of the entry point of a client into
the network. In this way, users can access a public or guest WLAN throughout an enterprise but still be
restricted to a specific subnet. Guest WLAN can also be used to provide geographic load balancing
because WLANs can represent a particular section of a building (such as a lobby, a restaurant, and so
on). For more information about Mobility Anchors, and how to configure a new WLAN and guest anchor
controller, see the Mobility Anchors section in the Cisco Prime Infrastructure 2.0 User Guide.
Configuring Multiple Country Codes
You can configure one or more countries on a controller. After countries are configured on a controller,
the corresponding 802.11a/n DCA channels are available for selection. At least one DCA channel must
be selected for the 802.11a/n network. When the country codes are changed, the DCA channels are
automatically changed in coordination.
Note
802.11a/n and 802.11b/n networks for controllers and access points must be disabled before
configuring a country on a controller. To disable 802.11a/n or 802.11b/n networks, choose
Configure > Controllers, select the desired controller you want to disable, choose 802.11a/n or
802.11b/g/n from the left sidebar menu, and then choose Parameters. The Network Status is the
first check box.
Note
To configure multiple country codes outside of a mobility group, see the “Configuring Security
Parameters” section on page 9-362.
To add multiple controllers that are defined in a configuration group and then set the DCA channels,
follow these steps:
Step 1
Choose Configure > Controller Config Groups.
Step 2
Choose Add Config Groups from the Select a command drop-down list, and click Go.
Step 3
Create a config group by entering the group name and mobility group name.
Step 4
Click Save. The Config Groups page appears.
Step 5
Click the Controllers tab. The Controllers page appears.
Step 6
Highlight the controllers you want to add, and click Add. The controller is added to the Group
Controllers page.
Step 7
Click the Country/DCA tab. The Country/DCA page appears. Dynamic Channel Allocation (DCA)
automatically selects a reasonably good channel allocation amongst a set of managed devices connected
to the controller.
Step 8
Select the Update Country/DCA check box to display a list of countries from which to choose.
Step 9
Those DCA channels that are currently configured on the controller for the same mobility group are
displayed in the Select Country Codes page. The corresponding 802.11a/n and 802.11b/n allowable
channels for the chosen country are displayed as well. You can add or delete any channels in the list by
selecting or deselecting the channel and clicking Save Selection.
Note
A minimum of 1 and a maximum of 20 countries can be configured for a controller.
Configuring Controller Config Groups
By creating a config group, you can group controllers that should have the same mobility group name
and similar configuration. You can assign templates to the group and push templates to all the controllers
in a group. You can add, delete, or remove config groups, and download software, IDS signatures, or a
customized web authentication page to controllers in the selected config groups. You can also save the
current configuration to nonvolatile (flash) memory to controllers in selected config groups.
Note
A controller cannot be a member of more than one mobility group. Adding a controller to one
mobility group removes that controller from any other mobility group of which it is already a
member.
For information about applying templates to either individual controllers or controllers in selected
Config Groups, see the “Using Templates” section on page 11-555.
By choosing Configure > Controller Config Groups, you can view a summary of all config groups in the
Prime Infrastructure database. When you choose Add Config Groups from the Select a command
drop-down list, the page displays a table with the following columns:
•
Group Name: Name of the config group.
•
Templates: Number of templates applied to config group.
Adding New Group
To add a config group, follow these steps:
Step 1
Choose Configure > Controller Config Groups.
Step 2
From the Select a command drop-down list, choose Add Config Group, and click Go. The Add New
Group page appears.
Step 3
Enter the new config group name. It must be unique across all groups. If Enable Background Audit is
selected, the network and controller audits occur for this config group. If Enable Enforcement is
selected, the templates are automatically applied during the audit if any discrepancies are found.
Note
If the Enable Background Audit option is chosen, the network and controller audit is performed
on this config group.
Step 4
Other templates created in the Prime Infrastructure can be assigned to a config group. The same WLAN
template can be assigned to more than one config group. Choose from the following:
•
Select and add later: Click to add a template at a later time.
•
Copy templates from a controller: Click to copy templates from another controller. Choose a
controller from a list of current controllers to copy its applied template to the new config group.
Only the templates are copied.
Note
The order of the templates is important when dealing with radio templates. For example, if
the template list includes radio templates that require the radio network to be disabled prior
to applying the radio parameters, the template to disable the radio network must be added to
the template first.
Step 5
Click Save. The Config Groups page appears.
Configuring Config Groups
To configure a config group, follow these steps:
Step 1
Choose Configure > Controller Config Groups, and click a group name in the Group Name column.
The Config Group page appears.
Step 2
Click the General tab. The following options for the config group appear:
•
Group Name: Name of the config group
– Enable Background Audit—If selected, all the templates that are part of this group are audited
against the controller during network and controller audits.
– Enable Enforcement—If selected, the templates are automatically applied during the audit if
any discrepancies are found.
Note
The audit and enforcement of the config group template happens when the selected audit
mode is Template based audit.
– Enable Mobility Group—If selected, the mobility group name is pushed to all controllers in the
group.
•
Mobility Group Name: Mobility Group Name that is pushed to all controllers in the group. The
Mobility Group Name can also be modified here.
Note
A controller can be part of multiple config groups.
•
Last Modified On: Date and time config group was last modified.
•
Last Applied On: Date and time last changes were applied.
Step 3
You must click the Apply/Schedule tab to distribute the specified mobility group name to the group
controllers and to create mobility group members on each of the group controllers.
Step 4
Click Save.
Adding or Removing Controllers from a Config Group
To add or remove controllers from a config group, follow these steps:
Step 1
Choose Configure > Controller Config Groups, and click a group name in the Group Name column.
Step 2
Click the Controllers tab. The columns in the table display the IP address of the controller, the config
group name the controller belongs to, and the mobility group name of the controller.
Step 3
Click to highlight the row of the controller you want to add to the group.
Step 4
Click Add.
Note
If you want to remove a controller from the group, highlight the controller in the Group
Controllers box and click Remove.
Step 5
You must click the Apply/Schedule tab, and click Apply to add or remove the controllers to the config
groups.
Step 6
Click Save Selection.
Adding or Removing Templates from the Config Group
To add or remove templates from the config group, follow these steps:
Step 1
Choose Configure > Controller Config Groups, and click a group name in the Group Name column.
Step 2
Click the Templates tab. The Remaining Templates table displays the item number of all available
templates, the template name, and the type and use of the template.
Step 3
Click to highlight the row of the template you want to add to the group.
Step 4
Click Add to move the highlighted template to the Group Templates column.
Note
If you want to remove a template from the group, highlight the template in the Remaining
Templates box, and click Remove.
Step 5
You must click the Apply/Schedule tab, and click Apply to add or remove the templates to the config
groups.
Step 6
Click Save Selection.
Applying or Scheduling Config Groups
Note
The scheduling function allows you to schedule a start day and time for provisioning.
To apply the mobility groups, mobility members, and templates to all the controllers in a config group,
follow these steps:
Step 1
Choose Configure > Controller Config Groups, and click a group name in the Group Name column.
Step 2
Click the Apply/Schedule tab to access this page.
Step 3
Click Apply to start the provisioning of mobility groups, mobility members, and templates to all the
controllers in the config group. After you apply, you can leave this page or log out of the Prime
Infrastructure. The process continues, and you can return later to this page to view a report.
Note
Do not perform any other config group functions during the apply provisioning.
A report is generated and appears in the Recent Apply Report page. It shows which mobility groups,
mobility members, or templates were successfully applied to each of the controllers.
Note
If you want to print the report as shown on the page, you must choose landscape page orientation.
Step 4
Enter a starting date in the text box or use the calendar icon to choose a start date.
Step 5
Choose the starting time using the hours and minutes drop-down lists.
Step 6
Click Schedule to start the provisioning at the scheduled time.
Auditing Config Groups
The Config Groups Audit page allows you to verify whether the configuration of the controller complies
with the group templates and mobility group. During the audit, you can leave this screen or log out of the
Prime Infrastructure. The process continues, and you can return to this page later to view a report.
Note
Do not perform any other config group functions during the audit verification.
To perform a config group audit, follow these steps:
Step 1
Choose Configure > Controller Config Groups, and click a group name in the Group Name column.
Step 2
Click the Audit tab to access this page.
Step 3
Click to highlight a controller from the Controllers tab, choose >> (Add), and Save Selection.
Step 4
Click to highlight a template from the Templates tab, choose >> (Add), and Save Selection.
Step 5
Click Audit to begin the auditing process.
A report is generated and the current configuration on each controller is compared with that in the config
group templates. The report displays the audit status, the number of templates in sync, and the number
of templates out of sync.
Note
This audit does not enforce the Prime Infrastructure configuration to the device. It only identifies
the discrepancies.
Step 6
Click Details to view the Controller Audit Report details.
Step 7
Double-click a line item to open the Attribute Differences page. This page displays the attribute, its value
in the Prime Infrastructure, and its value in the controller.
Note
Click Retain Prime Infrastructure Value to push all attributes in the Attribute Differences
page to the device.
Step 8
Click Close to return to the Controller Audit Report page.
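The audit report described above reduces to a per-template comparison of Prime Infrastructure values with controller values, with enforcement as a separate step. This added Python example is not Prime Infrastructure code; the template and attribute names and their values are hypothetical, and the status strings are the Audit Status values this guide lists for controllers.

```python
def audit(templates, running):
    """Audit ordered templates [(name, {attribute: value})] against a controller.

    running is {template name: {attribute: value}} as read from the controller,
    or None when no audit data exists for it. The audit only reports; it never
    changes the controller.
    """
    report = {"status": "Not Available", "in_sync": 0, "out_of_sync": 0, "differences": []}
    if running is None:
        return report
    for name, wanted in templates:
        actual = running.get(name, {})
        # One row per attribute: template, attribute, PI value, controller value.
        diffs = [(name, attr, value, actual.get(attr))
                 for attr, value in wanted.items() if actual.get(attr) != value]
        if diffs:
            report["out_of_sync"] += 1
            report["differences"].extend(diffs)
        else:
            report["in_sync"] += 1
    report["status"] = "Mismatch" if report["out_of_sync"] else "Identical"
    return report


def enforce(templates, running, report):
    """Reapply every out-of-sync template to a copy of the running values.

    Mirrors what Enable Enforcement or Retain Prime Infrastructure Value does:
    the Prime Infrastructure value wins. Templates are applied in list order,
    because the order matters for radio templates.
    """
    stale = {name for name, _, _, _ in report["differences"]}
    fixed = {name: dict(attrs) for name, attrs in running.items()}
    applied = []
    for name, wanted in templates:
        if name in stale:
            fixed.setdefault(name, {}).update(wanted)
            applied.append(name)
    return fixed, applied


# Constructed config group templates and controller state (hypothetical names).
TEMPLATES = [
    ("guest-wlan", {"layer2_security": "WPA+WPA2", "web_auth": "enabled"}),
    ("mgmt-access", {"telnet": "disabled", "ssh": "enabled"}),
    ("mobility", {"group_name": "ABC"}),
]
RUNNING = {
    "guest-wlan": {"layer2_security": "None", "web_auth": "enabled"},
    "mgmt-access": {"telnet": "enabled", "ssh": "enabled"},
    "mobility": {"group_name": "ABC"},
}

if __name__ == "__main__":
    result = audit(TEMPLATES, RUNNING)
    print(result["status"], result["in_sync"], "in sync,", result["out_of_sync"], "out of sync")
    for row in result["differences"]:
        print("  template=%s attribute=%s pi=%s controller=%s" % row)
    fixed, applied = enforce(TEMPLATES, RUNNING, result)
    print("reapplied:", applied, "->", audit(TEMPLATES, fixed)["status"])
```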
Rebooting Config Groups
To reboot a config group, follow these steps:
Step 1
Choose Configure > Controller Config Groups, and click a group name in the Group Name column.
Step 2
Click the Reboot tab.
Step 3
Select the Cascade Reboot check box if you want to reboot one controller at a time, waiting for that
controller to come up before rebooting the next controller.
Step 4
Click Reboot to reboot all controllers in the config group at the same time. During the reboot, you can
leave this page or log out of the Prime Infrastructure. The process continues, and you can return later to
this page and view a report.
The Recent Reboot Report page shows when each controller was rebooted and what the controller status
is after the reboot. If the Prime Infrastructure is unable to reboot the controller, a failure is shown.
Note
If you want to print the report as shown on the page, you must choose landscape page orientation.
Reporting Config Groups
To display all recently applied reports under a specified group name, follow these steps:
Step 1
Choose Configure > Controller Config Groups, and click a group name in the Group Name column.
Step 2
Click the Report tab. The Recent Apply Report page displays all recently applied reports including the
apply status, the date and time the apply was initiated, and the number of templates. The following
information is provided for each individual IP address:
•
Apply Status—Indicates success, partial success, failure, or not initiated.
•
Successful Templates—Indicates the number of successful templates associated with the applicable
IP address.
•
Failures—Indicates the number of failures with the provisioning of mobility group, mobility
members, and templates to the applicable controller.
•
Details—Click Details to view the individual failures and associated error messages.
Step 3
If you want to view the scheduled task reports, click the click here link at the bottom of the page. You
are then redirected to the Configure > Scheduled Configuration Tasks > Config Group menu where you
can view reports of the scheduled config groups.
Downloading Software
To download software to all controllers in the selected groups after you have a config group established,
follow these steps:
Step 1
Choose Configure > Controller Config Groups.
Step 2
Select the check box to choose one or more config group names on the Config Groups page.
Step 3
Choose Download Software from the Select a command drop-down list, and click Go.
Step 4
The Download Software to Controller page appears. The IP address of the controller to receive the
bundle and the current status are displayed. Choose local machine from the File is Located On field.
Step 5
Enter the maximum number of times the controller should attempt to download the signature file in the
Maximum Retries field.
Step 6
Enter the maximum amount of time in seconds before the controller times out while attempting to
download the signature file in the Timeout field.
Step 7
The signature files are uploaded to the c:\tftp directory. Specify the local filename in that directory or
click Browse to navigate to it. The controller uses this local filename as a base name and then adds
_custom.sgi as a suffix.
If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is
Located On field, and the server filename is populated for you and retried.
Step 8
Click OK.
Downloading IDS Signatures
To download Intrusion Detection System (IDS) signature files from your config group to a local TFTP
server, follow these steps:
Step 1
Choose Configure > Controller Config Groups.
Step 2
Select the check box to choose one or more config groups on the Config Groups page.
Step 3
Choose Download IDS Signatures from the Select a command drop-down list, and click Go.
Step 4
The Download IDS Signatures to Controller page appears. The IP address of the controller to receive the
bundle and the current status are displayed. Choose local machine from the File is Located On field.
Step 5
Enter the maximum number of times the controller should attempt to download the signature file in the
Maximum Retries field.
Step 6
Enter the maximum amount of time in seconds before the controller times out while attempting to
download the signature file in the Timeout field.
Step 7
The signature files are uploaded to the c:\tftp directory. Specify the local filename in that directory or
click Browse to navigate to it. The controller uses this local filename as a base name and then adds
_custom.sgi as a suffix.
If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is
Located On field, and the server filename is populated for you and retried.
Step 8
Click OK.
Downloading Customized WebAuth
To download customized web authentication, follow these steps:
Step 1
Choose Configure > Controller Config Groups.
Step 2
Select the check box to choose one or more config groups on the Config Groups page.
Step 3
Choose Download Customized WebAuth from the Select a command drop-down list, and click Go.
Step 4
The Download Customized Web Auth Bundle to Controller page appears. The IP address of the
controller to receive the bundle and the current status are displayed.
Step 5
Choose local machine from the File is Located On field.
CHAPTER 9
Configuring Devices
This chapter describes how to configure devices in the Prime Infrastructure database. It contains the
following sections:
•
Configuring Controllers
•
Configuring Existing Controllers
•
Configuring Third-Party Controllers and Access Points
•
Configuring Access Points
•
Configuring Switches
•
Configuring Spectrum Experts
•
Configuring Chokepoints
•
Configuring Wi-Fi TDOA Receivers
•
Configuring Scheduled Configuration Tasks
•
Configuring Auto Provisioning for Controllers
•
Configuring Redundancy on Controllers
•
Configuring wIPS Profiles
•
Configuring ACS View Servers
•
Configuring TFTP or FTP Servers
•
Interactive Graphs
Configuring Controllers
This section describes how to configure controllers in the Prime Infrastructure database.
Choose Configure > Controllers to access the following:
•
A summary of all controllers in the Prime Infrastructure database.
•
The ability to add, remove, and reboot selected controllers.
•
The ability to download software from the Prime Infrastructure server to selected controllers.
•
The ability to save the current configuration to nonvolatile (flash) memory on selected controllers.
•
The ability to view audit reports for selected controllers.
The controllers data table contains the following columns:
•
Check box—Select the applicable controller.
•
IP Address—Local network IP address of the controller management interface.
– Click the title to sort the list items.
– Click a list item to display parameters for that IP address. See the “Configuring Controllers
Properties” section on page 9-297.
– Click the icon to the right of the IP address to launch the controller web user interface in a new
browser window.
•
Device Name—Indicates the name of the controller. Click the Controller Name link to sort the list
by controller name.
•
Device Type—Click to sort by type. Based on the series, device types are grouped. For example:
– WLC2100—21xx Series Wireless LAN Controllers
– 2500—25xx Series Wireless LAN Controllers
– 4400—44xx Series Wireless LAN Controllers
– 5500—55xx Series Wireless LAN Controllers
– 7500—75xx Series Wireless LAN Controllers
– WiSM—WiSM (slot number, port number)
– WiSM2—WiSM2 (slot number, port number)
•
Location—Indicates the location of the controller.
•
Software Version—The operating system release.version.dot.maintenance number of the code
currently running on the controller.
•
Mobility Group Name—Name of the mobility or WPS group.
•
Reachability Status—Reachable or not reachable.
Note
Reachability status is updated based on the last execution information of the Device Status
background task. For updating the current status, choose Administration > Background
Tasks, and choose Execute Now from the Select a command drop-down list.
•
Audit Status
– Not Available—No audit occurred on this switch.
– Identical—No configuration differences were discovered.
– Mismatch—Configuration differences were discovered.
Click the Audit Status link to access the audit report. In the Audit Report page, choose Audit Now
from the Select a command drop-down list to run a new audit for this controller. See the
“Understanding the Controller Audit Report” section on page 9-277 for more information on audit
reports.
Note
Audit status is updated based on the last execution information of either the Configuration
Sync background task or the Audit Now option located in the Controllers page. To get the
current status, either choose Administration > Background Tasks and choose Execute
Now or Audit Now from the Select a command drop-down list.
Note
Use the Search feature to search for a specific controller. See the Search Methods section in the Cisco
Prime Infrastructure 2.0 User Guide for additional information.
This section contains the following topics:
• Understanding the Controller Audit Report
• Adding Controllers
• Bulk Update of Controller Credentials
• Removing Controllers from the Prime Infrastructure
• Rebooting Controllers
• Downloading Software to Controllers
• Downloading IDS Signatures
• Downloading a Customized WebAuthentication Bundle to a Controller
• Downloading a Vendor Device Certificate
• Downloading a Vendor CA Certificate
• Saving the Configuration to Flash
• Refreshing the Configuration from the Controller
• Discovering Templates from the Controller
• Updating Credentials in the Prime Infrastructure
• Viewing Templates Applied to a Controller
• Using the Audit Now Feature
• Viewing the Latest Network Audit Report
Understanding the Controller Audit Report
The Controller Audit Report displays the following information depending on the type of audit selected
in Administration > Settings > Audit and on which parameters the audit is performed:
• Applied template discrepancies (Template Based Audit only)
• Config group template discrepancies (Template Based Audit only)
• Total enforcements for config groups with background audit enabled (Template Based Audit only)
– If the total enforcement count is greater than zero, this number appears as a link. Click the link
to view a list of the enforcements made from the Prime Infrastructure.
• Failed for config groups with background audit enabled (Template Based Audit only)
– If the failed enforcement count is greater than zero, this number appears as a link. Click the link
to view the failures returned from the device.
• Other Prime Infrastructure discrepancies
Note
The controller audit report indicates if the audit was performed on all parameters or on a selected set of
parameters.
A current Controller Audit Report can be accessed in the Configure > Controllers page by clicking a
value in the Audit Status column.
You can audit a controller by choosing Audit Now from the Select a command drop-down list in the
Configure > Controllers page (See the “Using the Audit Now Feature” section on page 9-295 for more
information) or by clicking Audit Now in the Controller Audit Report.
Adding Controllers
Note
You cannot add or configure Cisco Catalyst 3850 Series Switches or Cisco 5760 Series Wireless
LAN Controllers using the Classic view. To add or configure these devices, use the Lifecycle
view.
You can add controllers one at a time or in batches.
To add controllers, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
From the Select a command drop-down list, choose Add Controllers, and click Go. The Add Controller
page appears.
Step 3
Choose one of the following:
If you want to add one controller or use commas to separate multiple controllers, leave the Add Format
Type drop-down list at Device Info.
If you want to add multiple controllers by importing a CSV file, choose File from the Add Format Type
drop-down list. The CSV file allows you to generate your own import file and add the devices you want.
Note
When a controller is removed from the system, the associated access points are not removed
automatically and therefore remain in the system. These disassociated access points must be
removed manually.
Note
If you are adding a controller into the Prime Infrastructure across a GRE link using IPsec or a
lower MTU link with multiple fragments, you might need to adjust the Maximum VarBinds per
Get PDU and Maximum VarBinds per Set PDU. If these values are set too high, the controller
might fail to be added into the Prime Infrastructure. To adjust the Maximum VarBinds per Get
PDU or Maximum VarBinds per Set PDU, do the following: Stop the Prime Infrastructure, choose
Administration > Settings > SNMP Settings, and edit the Maximum VarBinds per Get PDU
and Maximum VarBinds per Set PDU values to 50 or lower.
Note
If you reduce the Maximum VarBinds per Get PDU or Maximum VarBinds per Set PDU value,
applying the configurations to the device might fail.
Step 4
If you chose Device Info, enter the IP address of the controller you want to add. If you want to add
multiple controllers, use a comma between the string of IP addresses.
Note
If a partial byte boundary is used and the IP address appears to be broadcast (without regard to
the partial byte boundary), there is a limitation on adding the controllers into the Prime
Infrastructure. For example, 10.0.2.255/23 cannot be added but 10.0.2.254/23 can.
If you chose File, click Browse to find the location of the CSV file you want to import.
The first row of the CSV file is used to describe the columns included. The IP Address column is
mandatory. The following example shows a sample CSV file.
ip_address,network_mask,snmp_version,snmp_community,snmpv3_user_name,snmpv3_auth_type,snmpv3_auth_password,snmpv3_privacy_type,snmpv3_privacy_password,snmp_retries,snmp_timeout,protocol,telnet_username,telnet_password,enable_password,telnet_timeout
209.165.200.225,255.255.255.224,v2,public,,,,,,3,10,telnet,cisco,cisco,cisco,60
209.165.200.226,255.255.255.224,v2,public,,,,,,3,10,,cisco,cisco,cisco,60
209.165.200.227,255.255.255.224,v2,public,,,,,,3,10,telnet,cisco,cisco,cisco,60
The CSV files can contain the following fields:
• ip_address
• network_mask
• snmp_version
• snmp_community
• snmpv3_user_name
• snmpv3_auth_type
• snmpv3_auth_password
• snmpv3_privacy_type
• snmpv3_privacy_password
• snmp_retries
• snmp_timeout
• protocol
• telnet_username
• telnet_password
• enable_password
• telnet_timeout
Step 5
Select the Verify Telnet/SSH Credentials check box if you want this controller to verify Telnet/SSH
credentials. You might want to leave this unselected (or disabled) because of the substantial time it takes
for discovery of the devices.
Note
Enter SNMP parameters for the write access, if available. If you enter read-only access
parameters, the controller is added but the Prime Infrastructure is unable to modify the
configuration and the Prime Infrastructure cannot be registered as a trap receiver on that
controller.
Step 6
Use the Version drop-down list to choose v1, v2, or v3.
Step 7
In the Retries text box, enter the number of times that attempts are made to discover the controller.
Step 8
Provide the client session timeout value in seconds. This determines the maximum amount of time
allowed for a client before it is forced to reauthenticate.
Step 9
In the Community field, enter either public or private (for v1 and v2 only).
Note
If you go back and later change the community mode, you must perform a refresh config for that
controller.
Step 10
Choose None, HMAC-SHA, or HMAC-MD5 (for v3 only) for the authorization type.
Step 11
Enter the authorization password (for v3 only).
Step 12
Enter None, CBC-DES, or CFB-AES-128 (for v3 only) for the privacy type.
Step 13
Enter the privacy password (for v3 only).
Step 14
Enter the Telnet credentials information for the controller. If you chose the File option and added
multiple controllers, the information applies to all specified controllers. If you added controllers from a
CSV file, the username and password information is obtained from the CSV file.
Note
The Telnet/SSH username must have sufficient privileges to execute commands in CLI
templates.
The default username and password is admin.
Step 15
Enter the retries and timeout values. The default retries number is 3, and the default retry timeout is 1
minute.
Step 16
Click OK.
Note
If you fail to add a device to the Prime Infrastructure, and if the error message ‘Sparse table not
supported’ occurs, verify that the Prime Infrastructure and WLC versions are compatible and
retry. For information on compatible versions, see the following URL:
http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
Note
When a controller is added to the Prime Infrastructure, the Prime Infrastructure acts as a TRAP
receiver and the following traps are enabled on the controller: 802.11 Disassociation, 802.11
Deauthentication, and 802.11 Authenticated.
Note
To update the credentials of multiple controllers in bulk, choose Bulk Update Controllers
from the Select a command drop-down list. The Bulk Update Controllers page appears. You can
choose a CSV file. The CSV file contains a list of controllers to be updated, one controller per
line. Each line is a comma-separated list of controller attributes. The first line describes the
attributes included. The IP address attribute is mandatory. For details, see the Cisco Prime
Infrastructure Configuration Guide.
Note
After you add a controller, it is placed temporarily in the Monitor > Unknown Devices page while
the Prime Infrastructure attempts to communicate with the controller that you have added. Once
communication with the controller has been successful, the controller moves from the Monitor
> Unknown Devices page to the Monitor > Controllers page. If the Prime Infrastructure is unable
to successfully communicate with a controller, it remains in the Monitor > Unknown Devices
page and an error message is displayed. To access the Unknown Devices page,
choose Configure > Unknown Devices.
See the Configuring Third-Party Controllers and Access Points, page 9-441 for more information on how
to add third-party controllers and APs.
Bulk Update of Controller Credentials
You can update the credentials of multiple controllers by importing a CSV file.
To update controller(s) information in bulk, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box(es) of the applicable controller(s).
Step 3
From the Select a command drop-down list, choose Bulk Update Controller. The Bulk Update
Controllers page appears.
Step 4
Enter the CSV filename in the Select CSV File text box or click Browse to locate the desired file.
Step 5
Click Update and Sync.
Sample CSV File for the Bulk Update of Controller Credentials
The first row of the CSV file is used to describe the columns included. The IP Address column is
mandatory. The following example shows a sample CSV file.
ip_address,network_mask,snmp_version,snmp_community,snmpv3_user_name,snmpv3_auth_type,snmpv3_auth_password,snmpv3_privacy_type,snmpv3_privacy_password,snmp_retries,snmp_timeout,protocol,telnet_username,telnet_password,enable_password,telnet_timeout
209.165.200.225,255.255.255.224,v2,public,,,,,,3,10,telnet,cisco,cisco,cisco,60
209.165.200.226,255.255.255.224,v2,public,,,,,,3,10,,cisco,cisco,cisco,60
209.165.200.227,255.255.255.224,v2,public,,,,,,3,10,telnet,cisco,cisco,cisco,60
The CSV files can contain the following fields:
• ip_address
• network_mask
• snmp_version
• snmp_community
• snmpv3_user_name
• snmpv3_auth_type
• snmpv3_auth_password
• snmpv3_privacy_type
• snmpv3_privacy_password
• snmp_retries
• snmp_timeout
• protocol
• telnet_username
• telnet_password
• enable_password
• telnet_timeout
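The controller CSV described under Adding Controllers and Bulk Update of Controller Credentials can be checked before it is imported. The following is an added example, not part of the guide or of the Prime Infrastructure product: it flags rows that the guide's notes say cannot be added (missing IP address, an address that appears to be broadcast under a partial byte boundary) and rows that carry cleartext or default settings. The finding names, the `ssh` protocol value, the guessable-password list, and the assumption that the CSV uses the same type names as the web interface are this example's own.

```python
import csv
import io
import ipaddress

# Column names exactly as they appear in the guide's sample header row.
COLUMNS = [
    "ip_address", "network_mask", "snmp_version", "snmp_community",
    "snmpv3_user_name", "snmpv3_auth_type", "snmpv3_auth_password",
    "snmpv3_privacy_type", "snmpv3_privacy_password", "snmp_retries",
    "snmp_timeout", "protocol", "telnet_username", "telnet_password",
    "enable_password", "telnet_timeout",
]

# Row 1 is the guide's own sample row. Rows 2-4 are constructed for this
# example; "ssh" as a protocol value and the password strings are assumptions.
SAMPLE_CSV = ",".join(COLUMNS) + """
209.165.200.225,255.255.255.224,v2,public,,,,,,3,10,telnet,cisco,cisco,cisco,60
10.0.2.255,255.255.254.0,v3,,nmsuser,HMAC-MD5,Auth-Pass-Example1,CBC-DES,Priv-Pass-Example1,3,10,ssh,wlcadmin,Cli-Pass-Example1,En-Pass-Example1,60
10.0.2.254,255.255.254.0,v3,,nmsuser,HMAC-SHA,Auth-Pass-Example2,CFB-AES-128,Priv-Pass-Example2,3,10,ssh,wlcadmin,Cli-Pass-Example2,En-Pass-Example2,60
,255.255.255.0,v2,Xk3-constructed,,,,,,3,10,ssh,wlcadmin,Cli-Pass-Example3,En-Pass-Example3,60
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # the values the guide names
GUESSABLE = {"cisco", "admin", "password"}    # assumed short deny-list


def appears_broadcast(ip, mask):
    """True when the mask is not on a byte boundary and the last octet is 255.

    This is this example's reading of the guide's note that 10.0.2.255/23
    cannot be added while 10.0.2.254/23 can.
    """
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return prefix % 8 != 0 and ip.packed[-1] == 255


def audit_row(row):
    """Return a sorted list of finding codes for one CSV row (a dict)."""
    def get(key):
        return (row.get(key) or "").strip()

    try:
        ip = ipaddress.IPv4Address(get("ip_address"))
    except ValueError:
        return ["ip-missing-or-invalid"]      # the column is mandatory
    findings = set()
    if get("network_mask"):
        try:
            if appears_broadcast(ip, get("network_mask")):
                findings.add("appears-broadcast")
        except ValueError:
            findings.add("mask-invalid")
    version = get("snmp_version").lower()
    if version in ("v1", "v2"):
        findings.add("snmp-community-cleartext")   # v1/v2 send it unencrypted
        if get("snmp_community").lower() in DEFAULT_COMMUNITIES:
            findings.add("snmp-default-community")
    elif version == "v3":
        if get("snmpv3_auth_type").upper() in ("", "NONE", "HMAC-MD5"):
            findings.add("snmpv3-weak-auth")       # no auth, or MD5-based
        if get("snmpv3_privacy_type").upper() in ("", "NONE", "CBC-DES"):
            findings.add("snmpv3-weak-privacy")    # no privacy, or DES
    if get("protocol").lower() == "telnet":
        findings.add("cli-telnet-cleartext")
    user, pw = get("telnet_username"), get("telnet_password")
    if pw and (pw.lower() in GUESSABLE or pw == user):
        findings.add("cli-guessable-password")
    if pw and get("enable_password") == pw:
        findings.add("enable-password-reused")
    return sorted(findings)


def audit_csv(text):
    """Return [(line_number, ip_address, findings)] for every data row."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    unknown = [c for c in header if c not in COLUMNS]
    if "ip_address" not in header or unknown:
        raise ValueError(f"bad header; unknown columns: {unknown}")
    return [(n, (row.get("ip_address") or "").strip(), audit_row(row))
            for n, row in enumerate(reader, start=2)]


if __name__ == "__main__":
    for line, ip, findings in audit_csv(SAMPLE_CSV):
        print(line, ip or "<missing>", ", ".join(findings) or "ok")
```

Because the file holds SNMP, Telnet and enable passwords in plain text, run the check where the file already lives and print only finding codes, as above, rather than the row contents.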
Removing Controllers from the Prime Infrastructure
To remove a controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box(es) of the applicable controller(s).
Step 3
From the Select a command drop-down list, choose Remove Controllers.
Step 4
Click Go.
Step 5
Click OK in the pop-up dialog box to confirm the deletion.
Note
When a controller is removed from the system, the associated access points are not removed
automatically and, therefore, remain in the system. These disassociated access points must be removed
manually.
Rebooting Controllers
To reboot a controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box(es) of the applicable controller(s).
Step 3
From the Select a command drop-down list, choose Reboot Controllers.
Step 4
Click Go. The Reboot Controllers page appears.
Note
Save the current controller configuration prior to rebooting.
Step 5
Select the Reboot Controller options that must be applied.
• Save Config to Flash—Data is saved to the controller in non-volatile RAM (NVRAM) and is
preserved in the event of a power cycle. If the controller is rebooted, all applied changes are lost
unless the configuration has been saved.
• Reboot APs—Select the check box to enable a reboot of the access point after making any other
updates.
• Swap AP Image—Indicates whether or not to reboot controllers and APs by swapping AP images.
This could be either Yes or No.
Note
Options are disabled unless the Reboot APs check box is selected.
Step 6
Click OK to reboot the controller with the optional configuration selected.
Downloading Software to Controllers
Both File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) are supported for uploading
and downloading files to and from the Prime Infrastructure. In previous software releases, only TFTP
was supported.
This section contains the following topics:
• Downloading Software (FTP)
• Downloading Software (TFTP)
• Configuring IPaddr Upload Configuration/Logs from the Controller
Downloading Software (FTP)
To download software to a controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box(es) of the applicable controller(s).
Step 3
From the Select a command drop-down list, choose Download Software (FTP).
Step 4
Click Go.
Note
Software can also be downloaded by choosing Configure > Controllers > IPaddr > System >
Commands > Upload/Download Commands > Download Software.
The IP address of the controller and its current status appears in the Download Software to Controller
page.
Step 5
Select the download type.
Note
The pre-download option is displayed only when all selected controllers are using the Release
7.0.x.x or later.
• Now—Executes the download software operation immediately. If you select this option, proceed
with Step 7.
Note
After the download is successful, reboot the controllers to enable the new software.
• Scheduled—Specify the scheduled download options.
– Schedule download to controller—Select this check box to schedule the software download to
the controller.
– Pre-download software to APs—Select this check box to schedule the pre-download of software
to APs. The APs download the image and then reboot when the controller reboots.
Note
To see Image Predownload status per AP, enable the task in the Administration >
Background Task > AP Image Predownload Task page, and run an AP Image
Predownload report from the Report Launch Pad.
Step 6
If you selected the Scheduled option under Download type, enter the schedule details.
• Task Name—Enter a Scheduled Task Name to identify this scheduled software download task.
• Reboot Type—Indicates whether the reboot type is manual, automatic, or scheduled.
Note
Reboot Type Automatic can be set when only the Download software to controller option is
selected.
• Download date/time—Enter a date in the provided text box or click the calendar icon to open a
calendar from which you can choose a date. Choose the time from the hours and minutes drop-down
lists.
• Reboot date/time—This option appears only if you select the reboot type as “Scheduled”. Enter a
date in the provided text box or click the calendar icon to open a calendar from which you can choose
a date to reboot the controller. Choose the time from the hours and minutes drop-down lists.
Note
Schedule enough time (at least 30 minutes) between Download and Reboot so that all APs can
complete the software pre-download.
Note
If any one of the APs is in pre-download progress state at the time of scheduled reboot, the
controller will not reboot. In such a case, wait for the pre-download to finish for all the APs
and reboot the controller manually.
• Notification (Optional)—Enter the e-mail address of the recipient to send notifications via e-mail.
Note
To receive e-mail notifications, configure the Prime Infrastructure mail server in the
Administration > Settings > Mail Server Configuration page.
Step 7
Enter the FTP credentials including username, password, and port.
Note
You cannot use special characters such as $, ', \, %, &, (, ), ;, ", <, >, comma (,), ?, and | as part
of the FTP password. The special characters such as @, #, ^, *, ~, _, -, +, =, {, }, [, ], :, ., and / are
allowed in the password. The special character "!" (exclamation mark) works when the password
policy is disabled.
Step 8
In the File is located on option, select either the Local machine or FTP Server radio button.
Note
If you choose FTP Server, choose Default Server or New from the Server Name drop-down list.
Note
The software files are uploaded to the FTP directory specified during the install.
Step 9
Specify the local filename or click Browse to navigate to the appropriate file.
Note
If you chose FTP Server previously, specify the server filename.
Step 10
Click Download.
Note
If the transfer times out for some reason, you can choose the FTP server option in the File is
located on field; the server filename is populated and retried.
Downloading Software (TFTP)
To download software to a controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box(es) of the applicable controller(s).
Step 3
In the Select a command drop-down list, choose Download Software (TFTP).
Step 4
Click Go.
Note
Software can also be downloaded from Configure > Controllers > IPaddr > System > Commands
> Upload/Download Commands > Download Software.
The IP address of the controller and its current status are displayed in the Download Software to
Controller page.
Step 5
Select the download type.
Note
The pre-download option is displayed only when all selected controllers are using the Release
7.0.x.x or later.
• Now—Executes the download software operation immediately. If you select this option, proceed
with Step 7.
Note
After the download is successful, reboot the controllers to enable the new software.
• Scheduled—Specify the scheduled download options.
– Download software to controller—Select this option to schedule the software download to the
controller.
– Pre-download software to APs—Select this option to schedule the pre-download of software to
APs. The APs download the image and then reboot when the controller reboots.
Note
To see Image Predownload status per AP, enable the task in the Administration >
Background Task > AP Image Predownload Task page, and run an AP Image
Predownload report from the Report Launch Pad.
Step 6
If you selected the Scheduled option under Download type, enter the schedule details.
• Task Name—Enter a scheduled task name to identify this scheduled software download task.
• Reboot Type—Indicates whether the reboot type is manual, automatic, or scheduled.
Note
Reboot Type Automatic can be set when only the Download software to controller option is
selected.
• Download date/time—Enter a date in the provided text box or click the calendar icon to open a
calendar from which you can choose a date. Choose the time from the hours and minutes drop-down
lists.
• Reboot date/time—This option appears only if you select the reboot type as “Scheduled”. Enter a
date in the provided text box or click the calendar icon to open a calendar from which you can choose
a date to reboot the controller. Choose the time from the hours and minutes drop-down lists.
Note
Schedule enough time (at least 30 minutes) between Download and Reboot so that all APs
can complete the software pre-download.
Note
If any one of the APs is in pre-download progress state at the time of scheduled reboot, the
controller does not reboot. In such a case, wait for the pre-download to finish for all the APs
and reboot the controller manually.
• Notification (Optional)—Enter the e-mail address of the recipient to send notifications via e-mail.
Note
To receive e-mail notifications, configure the Prime Infrastructure mail server in the
Administration > Settings > Mail Server Configuration page.
Step 7
From the File is located on field, choose Local machine or TFTP server.
Note
If you choose TFTP server, choose the Default Server or add a New server using the Server Name
drop-down list.
Step 8
From the Maximum Retries field, enter the maximum number of tries the controller should attempt to
download the software.
Step 9
In the Timeout field, enter the maximum amount of time (in seconds) before the controller times out
while attempting to download the software.
Note
The software files are uploaded to the TFTP directory specified during the install.
Step 10
Specify the local filename or click Browse to navigate to the appropriate file.
Note
If you selected TFTP server previously, specify the server filename.
Step 11
Click Download.
Tip
If the transfer times out for some reason, you can choose the TFTP server option in the File is
located on field; the server filename is populated and retried.
Configuring IPaddr Upload Configuration/Logs from the Controller
To upload files from the controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click an IP address in the IP address column.
Step 3
From the left sidebar menu, choose System > Commands.
Step 4
Select the FTP or TFTP radio button.
Note
Both File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) are supported for
uploading and downloading files to and from the Prime Infrastructure. In previous software
releases, only TFTP was supported.
Step 5
From the Upload/Download Commands drop-down list, choose Upload File from Controller.
Step 6
Click Go to access this page.
• FTP Credentials Information—Enter the FTP username, password, and port if you selected the FTP
radio button previously.
• TFTP or FTP Server Information:
– Server Name—From the drop-down list, choose Default Server or New.
– IP Address—IP address of the controller. This is automatically populated if the default server
is selected.
– File Type—Select from configuration, event log, message log, trap log, crash file, signature
files, or PAC.
– Enter the Upload to File from /(root)/Prime Infrastructure-tftp/ or /(root)/Prime
Infrastructure-ftp/ filename.
– Select whether or not Prime Infrastructure saves the information before backing up the
configuration.
Note
Prime Infrastructure uses an integral TFTP and FTP server. This means that third-party TFTP
and FTP servers cannot run on the same workstation as the Prime Infrastructure, because the
Prime Infrastructure and the third-party servers use the same communication port.
Step 7
Click OK. The selected file is uploaded to your TFTP or FTP server and named what you entered in the
File Name text box.
Downloading IDS Signatures
To download Intrusion Detection System (IDS) signature files to a controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box(es) of the applicable controller(s).
Step 3
From the Select a command drop-down list, choose Download IDS Signatures.
Step 4
Click Go.
Note
IDS signature files can also be downloaded from Configure > Controllers > IPaddr > System >
Commands > Upload/Download Commands > Download IDS Signatures.
In the Download IDS Signatures to Controller page, the controller IP address and its current status
appear.
Step 5
Copy the signature file (*.sig) to the default directory on your TFTP server.
Step 6
In the File is located on option, select the Local machine radio button.
Note
If you know the filename and path relative to the server root directory, you can also select the
TFTP server radio button.
Step 7
In the Maximum Retries text box, enter the maximum number of tries the controller should attempt to
download the signature file.
Step 8
In the Timeout text box, enter the maximum amount of time (in seconds) before the controller times out
while attempting to download the signature file.
Note
The signature files are uploaded to the c:\tftp directory.
Step 9
Specify the local filename or click Browse to navigate to the appropriate file. The controller uses this
local filename as a base name and adds _custom.sgi as a suffix.
Note
If you chose TFTP server previously, specify the server filename.
Step 10
Click Download.
Tip
If the transfer times out for some reason, you can choose the TFTP server option in the File is
located on field; the server filename is populated and retried.
Note
The local machine option initiates a two-step operation. First, the local file is copied from the
administrator workstation to the Prime Infrastructure's own built-in TFTP server. Then the
controller retrieves that file. For later operations, the file is already in the Prime Infrastructure
server TFTP directory, and the download web page now automatically populates the filename.
Downloading a Customized WebAuthentication Bundle to a Controller
To download customized web authentication bundle to a controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box(es) of the applicable controller(s).
Step 3
From the Select a command drop-down list, choose Download Customized WebAuth.
Step 4
Click Go.
Note
A customized web authentication bundle can also be downloaded from Configure > Controllers
> IPaddr > System > Commands > Upload/Download Commands > Download Customized Web
Auth.
In the Download Customized WebAuth bundle to Controller page, the controller IP address and its
current status appear.
Step 5
Select the Local machine radio button in the File is located on field.
Note
If you know the filename and path relative to the server root directory, you can also select the
TFTP server radio button.
Note
For a local machine download, either .zip or .tar file options exist, but the Prime Infrastructure
does the conversion of .zip to .tar automatically. If you choose a TFTP server download, only
.tar files are specified.
Step 6
In the Maximum Retries text box, enter the maximum number of tries the controller should attempt to
download the file.
Step 7
In the Timeout text box, enter the maximum amount of time (in seconds) before the controller times out
while attempting to download the file.
Note
The Prime Infrastructure Server Files In field specifies where the Prime Infrastructure server files are
located.
Step 8
Specify the local filename or click Browse to navigate to the appropriate file. The controller uses this
local filename as a base name and adds _custom.sgi as a suffix.
Step 9
Click Download.
Tip
If the transfer times out for some reason, you can select the TFTP server radio button in the File
is located on field; the server filename is populated and retried.
Step 10
The local machine option initiates a two-step operation. First, the local file is copied from the
administrator workstation to the Prime Infrastructure's own built-in TFTP server. Then the controller
retrieves that file. For later operations, the file is already in the Prime Infrastructure server TFTP
directory, and the download web page now automatically populates the filename.
Step 11
After completing the download, you are directed to a new page and are able to authenticate.
Downloading a Vendor Device Certificate
Each wireless device (controller, access point, and client) has its own device certificate. If you want to
use your own vendor-specific device certificate, it must be downloaded to the controller.
To download a vendor device certificate to a controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
You can download the certificate in one of two ways:
a. Select the check box(es) of the applicable controller(s).
b. From the Select a command drop-down list, choose Download Vendor Device Certificate.
c. Click Go.
-or-
a. Click the IP address of the desired controller.
b. Choose System > Commands from the left sidebar menu.
c. From the Upload/Download Commands drop-down list, choose Download Vendor Device
Certificate.
d. Click Go.
Step 3
In the Certificate Password text box, enter the password used to protect the certificate.
Step 4
Reenter the password in the Confirm Password text box.
Step 5
In the File is located on field, select the Local machine or TFTP server radio button.
Note
If the certificate is located on the TFTP server, enter the server filename. If it is located on the
local machine, enter the local filename by clicking Browse.
Step 6
Enter the TFTP server name in the Server Name field. The default is the Prime Infrastructure server.
Step 7
Enter the server IP address.
Step 8
In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to
download the certificate.
Step 9
In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download
the certificate.
Step 10
In the Local File Name text box, enter the directory path of the certificate.
Step 11
In the Server File Name text box, enter the name of the certificate.
Step 12
Click Download.
Downloading a Vendor CA Certificate
Controllers and access points have a certificate authority (CA) certificate that is used to sign and validate
device certificates. The controller is shipped with a Cisco-installed CA certificate. This certificate might
be used by EAP-TLS and EAP-FAST (when not using PACs) to authenticate wireless clients during local
EAP authentication. However, if you want to use your own vendor-specific CA certificate, it must be
downloaded to the controller.
To download a vendor CA certificate to the controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
You can download the certificate in one of two ways:
a.
Select the check box(es) of the applicable controller(s).
b.
From the Select a command drop-down list, choose Download Vendor CA Certificate.
c.
Click Go.
-or-
a.
Click the IP address of the desired controller.
b.
Choose System > Commands from the left sidebar menu.
c.
From the Upload/Download Commands drop-down list, choose Download Vendor CA Certificate.
d.
Click Go.
Step 3
In the File is located on field, select the Local machine or TFTP server radio button.
Note
If the certificate is located on the TFTP server, enter the server filename. If it is located on the
local machine, enter the local filename by clicking Browse.
Step 4
Enter the TFTP server name in the Server Name text box. The default is the Prime Infrastructure server.
Step 5
Enter the server IP address.
Step 6
In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to
download the certificate.
Step 7
In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download
the certificate.
Step 8
In the Local File Name text box, enter the directory path of the certificate.
Step 9
In the Server File Name text box, enter the name of the certificate.
Step 10
Click OK.
Saving the Configuration to Flash
To save the configuration to flash memory, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box(es) for the applicable controller(s).
Step 3
From the Select a command drop-down list, choose Save Config to Flash.
Step 4
Click Go.
Refreshing the Configuration from the Controller
The Refresh Config from Controller command will not work when there is a custom rogue AP rule
specified on the controller.
To refresh the configuration from the controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box(es) for the applicable controller(s).
Step 3
From the Select a command drop-down list, choose Refresh Config from Controller.
Step 4
Click Go.
Step 5
At the Configuration Change prompt, select the Retain or Delete radio button.
Step 6
Click Go.
Discovering Templates from the Controller
Prior to software Release 5.1, templates were detected when a controller was detected, and every
configuration found on the Prime Infrastructure for a controller had an associated template. Now
templates are not automatically detected with controller discovery, and you can specify which Prime
Infrastructure configurations you want to have associated templates.
Note
The templates that are discovered do not retrieve management or local user passwords.
The following rules apply for template discovery:
•
Template Discovery discovers templates that are not found in the Prime Infrastructure.
•
Existing templates are not discovered.
•
Template Discovery does not retrieve dynamic interface configurations for a controller. You must
create a new template to apply the dynamic interface configurations on a controller.
To discover current templates, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box of the controller for which you want to discover templates.
Step 3
From the Select a command drop-down list, choose Discover Templates from Controller.
Step 4
Click Go. The Discover Templates page displays the number of discovered templates, each template type
and each template name.
Note
You can select the "Enabling this option will create association between discovered templates
and the device listed above" check box so that discovered templates are associated to the
configuration on the device and are shown as applied on that controller.
Note
Template discovery refreshes configuration from the controller prior to discovering templates.
Click OK in the warning dialog box to continue with the discovery.
Note
For the TACACS+ Server templates, configurations on the controller with the same server IP
address and port number but different server types are aggregated into a single template with
the corresponding Server Types set on the Discovered Template. For the TACACS+ Server
templates, the Admin Status on the discovered template reflects the value of Admin Status on
the first configuration from the controller with the same Server IP address and port number.
Updating Credentials in the Prime Infrastructure
There is no configuration available in the Prime Infrastructure to update SNMP/Telnet credential
details for multiple controllers. To perform this mass update, you need to go to each device and
update the SNMP and Telnet credentials.
To update the SNMP/Telnet credentials, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box for each controller for which you want to update SNMP/Telnet credentials.
Step 3
From the Select a command drop-down list, choose Update Credentials in Prime Infrastructure. The
Update Credentials in the Prime Infrastructure page appears.
Step 4
Select the SNMP Parameters check box and configure the following parameters:
Note
SNMP write access parameters are needed for modifying controller configuration. With
read-only access parameters, configuration can only be displayed.
•
Version—Choose from v1, v2, or v3.
•
Retries—Indicates the number of controller discovery attempts.
•
Timeout—Indicate the amount of time (in seconds) allowed before the process times out. The valid
range is 2 to 90 seconds. The default is 2 seconds.
•
Community—Public or Private.
•
Verify SNMP Credentials—Select this check box to verify SNMP credentials.
Step 5
Select the Telnet/SSH Parameters check box and configure the following parameters:
•
User Name—Enter the username.
•
Password/Confirm Password—Enter and confirm the password.
•
Timeout—Indicate the amount of time (in seconds) allowed before the process times out. The valid
range is 2 to 90 seconds. The default is 60 seconds.
Viewing Templates Applied to a Controller
You can view all templates currently applied to a specific controller.
Note
Only templates applied in this partition are displayed.
To view applied templates, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box for the applicable controller.
Step 3
From the Select a command drop-down list, choose Templates Applied to a Controller.
Step 4
Click Go. The Templates Applied to a Controller page displays each applied template name, template
type, the date the template was last saved, and the date the template was last applied.
Note
Click the template name link to view the template details. See the “Using Templates” section on
page 11-555 for more information.
Using the Audit Now Feature
You can audit a controller by choosing Audit Now from the Select a command drop-down list in the
Configure > Controllers page or by choosing Audit Now directly from the Select a command drop-down
list.
Note
A current Controller Audit Report can be accessed in the Configure > Controllers page by clicking a
value in the Audit Status column.
To audit a controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box for the applicable controller.
Step 3
From the Select a command drop-down list, choose Audit Now.
Step 4
Click Go.
Step 5
Click OK in the pop-up dialog box if you want to remove the template associations from configuration
objects in the database as well as template associations for this controller from associated config groups
(Template based audit only).
The Audit Report displays:
•
Device Name
•
Time of Audit
•
Audit Status
•
Applied and Config Group Template Discrepancies information including the following:
– Template type (template name)
– Template application method
– Audit status (For example, mismatch, identical)
– Template attribute
– Value in Prime Infrastructure
– Value in Controller
•
Other Prime Infrastructure Discrepancies including the following:
– Configuration type (name)
– Audit Status (For example, mismatch, identical)
– Attribute
– Value in Prime Infrastructure
– Value in Controller
•
Total enforcements for config groups with background audit enabled—If discrepancies are found
during the audit with regard to the config groups enabled for background audit and if the enforcement
is enabled, this section lists the enforcements made during the controller audit.
•
Failed Enforcements for Config Groups with background audit enabled—Click the link to view a
list of failure details (including the reason for the failure) returned by the device.
•
Restore Prime Infrastructure Values to Controller or Refresh Config from Controller—If there are
config differences found as a result of the audit, you can either click Restore Prime Infrastructure
Values to controller or Refresh Config from controller to bring the Prime Infrastructure
configuration in sync with the controller.
– Choose Restore Prime Infrastructure Values to Controller to push the discrepancies to the
device.
– Choose Refresh Config from Controller to pick up the configuration from the
device.
Note
Templates are not refreshed as a result of clicking Refresh Config from Controller.
Viewing the Latest Network Audit Report
The Network Audit Report shows the time of the audit, the IP address of the selected controller, and the
synchronization status.
Note
This method shows the report from the network audit task and not an on-demand audit per controller.
To view the latest network audit report for the selected controllers, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Select the check box for the applicable controller.
Step 3
From the Select a command drop-down list, choose View Latest Network Configuration Audit
Report.
Step 4
Click Go.
The Audit Summary displays the time of the audit, the IP address of the selected controller, and the audit
status. The Audit Details display the config differences, if applicable.
Note
Use the General and Schedule tabs to revise Audit Report parameters.
Command Buttons
•
Save—Click to save changes made to the current parameters.
•
Save and Run—Click to save the changes to the current parameters and run the report.
•
Run Now—Click to run the audit report based on existing parameters.
•
Export Now—Click to export the report results. The supported export formats are PDF and CSV.
•
Cancel—Click to cancel any changes made to the existing parameters.
Note
From the All Controllers page, click the Audit Status column value to view the latest audit details page
for the selected controller. This method has similar information as the Network Audit report on the
Reports menu, but this report is interactive and per controller.
Note
To run an on-demand audit report, choose which controller you want to run the report on and choose
Audit Now from the Select a command drop-down list. If you run an on-demand audit report and
configuration differences are detected, you are given the option to retain the existing controller or Prime
Infrastructure values.
Configuring Existing Controllers
This section contains the following topics:
•
Configuring Controllers Properties
•
Configuring Controller System Parameters
•
Configuring Controller WLANs
•
Configuring FlexConnect Parameters
•
Configuring Security Parameters
•
Configuring Cisco Access Points
•
Configuring 802.11 Parameters
•
Configuring 802.11a/n Parameters
•
Configuring 802.11b/g/n Parameters
•
Configuring Mesh Parameters
•
Configuring Port Parameters
•
Configuring Controllers Management Parameters
•
Configuring Location Configurations
•
Configuring IPv6
•
Configuring Proxy Mobile IPv6
•
Configuring mDNS
•
Configuring AVC Profiles
•
Configuring NetFlow
Configuring Controllers Properties
To configure the properties for current controllers, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose Properties > Settings. The following parameters appear:
•
General Parameters:
– Name—Name assigned to the controller.
– Type—Controller type.
– Restore on Cold Start Trap—Select to enable a restore on a cold start trap.
– Auto Refresh on Save Config Trap—Select to enable an automatic refresh on a Save Config
trap.
– Trap Destination Port—Read-only.
– Software Version—Read-only.
– Location—Location of the controller.
– Contact—The contact person for this controller.
– Most Recent Backup—The date and time of the most recent backup.
– Save Before Backup—Select to enable a save before backup.
•
SNMP Parameters:
Note
SNMP write access parameters are needed for modifying controller configuration. With
read-only access parameters, configuration can only be displayed.
– Version—Choose from v1, v2, or v3.
– Retries—Indicates the number of controller discovery attempts.
– Timeout (seconds)—Client Session timeout. Sets the maximum amount of time allowed a client
before it is forced to reauthenticate.
– Community—Public or Private.
– Access Mode—Read Write
Note
Community settings only apply to v1 and v2.
– User Name—Enter a username.
– Auth. Type—Choose an authentication type from the drop-down list or choose None.
– Auth. Password—Enter an authentication password.
– Privacy Type—Choose a privacy type from the drop-down list or choose None.
– Privacy Password—Enter a privacy password.
Note
User Name, Auth. Type, Auth. Password, Privacy Type, and Privacy Password only
display for v3.
•
Telnet/SSH Parameters:
– User Name—Enter the username. (Default username is admin.)
Note
The Telnet/SSH username must have sufficient privileges to execute commands in CLI
templates.
– Password/Confirm Password—Enter and confirm the password. (Default password is admin.)
– Retries—Indicate the number of allowed retry attempts. The default is three.
– Timeout—Indicate the amount of time (in seconds) allowed before the process times out. The
default is 60 seconds.
Note
Default values are used if the Telnet/SSH parameters are left blank.
Step 4
If you made changes to this controller's properties, click Save to confirm the changes, Reset to return to
the previous or default settings, or Cancel to return to the Configure > Controllers page without making
any changes to these settings.
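The SNMP and Telnet/SSH parameters above include several values that are weak when left as shipped: the Public/Private community strings, a v3 Auth. Type or Privacy Type of None, and the default admin/admin login that is used when the Telnet/SSH fields are blank. The following is an added example, not part of the Cisco guide, that checks controller records for those settings; the record layout, controller names and sample values are constructed for illustration and are not a Prime Infrastructure export format.

```python
# Added example: flag the weak SNMP and Telnet/SSH settings named in the
# parameter lists above. The dict layout is hypothetical (an assumption),
# not a format produced by Prime Infrastructure.

DEFAULT_COMMUNITIES = {"public", "private"}   # "Community—Public or Private"
DEFAULT_CLI_LOGIN = ("admin", "admin")        # defaults stated in the guide


def _is_none(value):
    """True when a drop-down value is missing, blank, or the literal 'None'."""
    return value is None or str(value).strip().lower() in ("", "none")


def audit_controller(rec):
    """Return a list of findings for one controller credential record."""
    findings = []
    snmp = rec.get("snmp", {})
    version = str(snmp.get("version", "")).strip().lower()

    if version in ("v1", "v2"):
        findings.append(f"SNMP {version}: community string travels unencrypted; prefer v3")
        community = str(snmp.get("community", ""))
        if community.lower() in DEFAULT_COMMUNITIES:
            mode = snmp.get("access_mode", "unknown")
            findings.append(
                f"SNMP community is the well-known value '{community}' (access mode: {mode})"
            )
    elif version == "v3":
        if _is_none(snmp.get("auth_type")):
            findings.append("SNMPv3 Auth. Type is None: requests are not authenticated")
        if _is_none(snmp.get("privacy_type")):
            findings.append("SNMPv3 Privacy Type is None: payloads are not encrypted")
    else:
        findings.append(f"unrecognised SNMP version {snmp.get('version')!r}")

    cli = rec.get("cli", {})
    # Blank Telnet/SSH fields fall back to the defaults, so treat blank as default.
    user = cli.get("username") or DEFAULT_CLI_LOGIN[0]
    password = cli.get("password") or DEFAULT_CLI_LOGIN[1]
    if (user, password) == DEFAULT_CLI_LOGIN:
        findings.append("Telnet/SSH login is the default admin/admin (or left blank)")
    return findings


def audit_inventory(records):
    """Map controller name -> findings for every record."""
    return {rec["name"]: audit_controller(rec) for rec in records}


# Constructed sample inventory (names, users and type labels are made up).
INVENTORY = [
    {"name": "wlc-lab-1",
     "snmp": {"version": "v2", "community": "private", "access_mode": "Read Write"},
     "cli": {"username": "", "password": ""}},
    {"name": "wlc-lab-2",
     "snmp": {"version": "v3", "auth_type": "HMAC-SHA", "privacy_type": "None"},
     "cli": {"username": "netops", "password": "constructed-Example-1"}},
    {"name": "wlc-lab-3",
     "snmp": {"version": "v3", "auth_type": "HMAC-SHA", "privacy_type": "CFB-AES-128"},
     "cli": {"username": "netops", "password": "constructed-Example-2"}},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```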
Configuring Controller System Parameters
This section describes how to configure the controller system parameters and contains the following
topics:
•
Managing General System Properties for Controllers
•
Configuring Controller System Commands
•
Configuring Controller System Interfaces
•
Configuring Controller System Interface Groups
•
Configuring Controller Network Routes
•
Configuring Controller Spanning Tree Protocol Parameters
•
Configuring Controller Mobility Groups
•
Configuring Controller Network Time Protocol
•
Configuring Controller QoS Profiles
•
Configuring Controller DHCP Scopes
•
Configuring Controller User Roles
•
Configuring a Global Access Point Password
•
Configuring AP 802.1X Supplicant Credentials
•
Configuring Controller DHCP
•
Configuring Controller Multicast Mode
•
Configuring Access Point Timer Settings
Managing General System Properties for Controllers
To view the general system parameters for a current controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > General. The following parameters appear:
•
802.3x Flow Control Mode—Disable or enable. See the “802.3x Flow Control” section on
page 9-303 for more information.
•
802.3 Bridging—Disable or enable. See the “Configuring 802.3 Bridging” section on page 9-303 for
more information.
•
Web Radius Authentication—Choose PAP, CHAP, or MD5-CHAP.
– PAP—Password Authentication Protocol. Authentication method where user information
(username and password) is transmitted in clear text.
– CHAP—Challenge Handshake Authentication Protocol. Authentication method where user
information is encrypted for transmission.
– MD5-CHAP—Message Digest 5 Challenge Handshake Authentication Protocol. With MD5,
passwords are hashed using the Message Digest 5 algorithm.
•
AP Primary Discovery Timeout—Enter a value between 30 and 3600 seconds.
The access point maintains a list of backup controllers and periodically sends primary discovery
requests to each entry in the list. When configured, the primary discovery request timer specifies the
amount of time that a controller has to respond to the discovery request of the access point before
the access point assumes that the controller cannot be joined and waits for a discovery response from
the next controller in the list.
•
CAPWAP Transport Mode—Layer 3 or Layer 2. See the “Lightweight Access Point Protocol
Transport Mode” section on page 9-304 for more information.
•
Current LWAPP Operating Mode—Automatically populated.
•
Broadcast Forwarding—Disable or enable.
•
LAG Mode—Choose Disable if you want to disable LAG.
Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It
bundles all of the controller distribution system ports into a single 802.3ad port channel, thereby
reducing the number of IP addresses needed to configure the ports on your controller. When LAG is
enabled, the system dynamically manages port redundancy and load balances access points
transparently to the user.
Note
LAG is disabled by default on the Cisco 5500 and 4400 series controllers but enabled by
default on the Cisco WiSM and the controller in the Catalyst 3750G Integrated Wireless
LAN Controller Switch.
See the “Link Aggregation” section on page 9-305 for more information.
•
Ethernet Multicast Support
– Disable—Select to disable multicast support on the controller.
– Unicast—Select if the controller, upon receiving a multicast packet, forwards the packets to all
the associated access points.
Note
FlexConnect supports only unicast mode.
– Multicast—Select to enable multicast support on the controller.
•
Aggressive Load Balancing—Disable or enable. See the “Aggressive Load Balancing” section on
page 9-305 for more information on load balancing.
•
Peer to Peer Blocking Mode
– Disable—Same-subnet clients communicate through the controller.
– Enable—Same-subnet clients communicate through a higher-level router.
•
Over Air Provision AP Mode—Disable or enable.
Over-the-air provisioning (OTAP) is supported by Cisco 5500 and 4400 series controllers. If this
feature is enabled on the controller, all associated access points transmit wireless CAPWAP or
LWAPP neighbor messages, and new access points receive the controller IP address from these
messages. This feature is disabled by default and should remain disabled when all access points are
installed.
Note
Disabling OTAP on the controller does not disable it on the access point. OTAP cannot be
disabled on the access point.
Note
You can find additional information about OTAP at the following URL:
http://www.ciscosystems.com/en/US/products/ps6366/products_tech_note09186a008093d74a.shtml
•
AP Fallback—Disable or enable.
Note
Enabling AP Fallback causes an access point which lost a primary controller connection to
automatically return to service when the primary controller returns.
•
AP Failover Priority—Disable or enable.
Note
To configure failover priority settings for access points, you must first enable the AP
Failover Priority feature. See the “AP Failover Priority” section on page 9-302 for more
information.
•
AppleTalk Bridging—Disable or enable.
•
Fast SSID change—Disable or enable.
When fast SSID changing is enabled, the controller allows clients to move between SSIDs. When
the client sends a new association for a different SSID, the client entry in the controller connection
table is cleared before the client is added to the new SSID. When fast SSID changing is disabled,
the controller enforces a delay before clients are allowed to move to a new SSID.
Note
If enabled, the client connects instantly to the controller between SSIDs without having
appreciable loss of connectivity.
•
Master Controller Mode—Disable or enable.
Note
Because the master controller is normally not used in a deployed network, the master
controller setting is automatically disabled upon reboot or OS code upgrade.
•
Wireless Management—Disable or enable. See the “Wireless Management” section on page 9-305
for more information.
•
Symmetric Tunneling Mode
•
ACL Counters—Disable or enable. The number of hits is displayed in the ACL Rule page. See the
“Configuring Access Control Lists” section on page 9-378 or the “Configuring IPaddr > Access Control
List > listname Rules” section on page 9-378 for more information.
•
Multicast Mobility Mode—Disable or enable. See the “Setting the Mobility Scalability Parameters”
section on page 9-327 for more information.
•
Default Mobility Domain Name—Enter domain name.
•
Mobility Anchor Group Keep Alive Interval—Enter the amount of delay time allowed between tries
for a client attempting to join another access point. See the “Mobility Anchor Group Keep Alive
Interval” section on page 9-306 for more information.
Tip
When you hover your mouse cursor over the parameter text box, the valid range for that field
appears.
•
Mobility Anchor Group Keep Alive Retries—Enter number of allowable retries.
Tip
When you hover your mouse cursor over the parameter text box, the valid range for that field
appears.
•
RF Network Name—Enter network name.
•
User Idle Timeout (seconds)—Enter timeout in seconds.
•
ARP Timeout (seconds)—Enter timeout in seconds.
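How the password material differs between the PAP and CHAP choices listed under Web Radius Authentication, shown as an added example that is not part of the Cisco guide: it implements the RFC 2865 User-Password hiding used with PAP and the RFC 1994 CHAP response (which uses MD5), and assumes the controller uses these standard RADIUS encodings. The shared secret, password, authenticator and challenge are constructed values.

```python
# Added example: RADIUS PAP password hiding (RFC 2865, section 5.2) next to
# the CHAP response (RFC 1994). All values used in demo() are constructed.
import hashlib
import hmac


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password attribute value: password XOR an MD5 keystream."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        hidden += block
        prev = block                                      # chain on ciphertext
    return hidden


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does: any holder of the shared secret gets the password back."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += _xor(block, keystream)
        prev = block
    return clear.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response: MD5(identifier || password || challenge); the password never leaves."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP identifier is one octet")
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from its own copy of the password and compare in constant time."""
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)


def demo():
    secret = b"constructed-shared-secret"        # RADIUS shared secret (made up)
    password = b"correct horse battery"          # user password (made up)
    authenticator = bytes(range(16))             # fixed here only for repeatability
    challenge = bytes(range(100, 116))           # fixed here only for repeatability
    hidden = pap_hide(password, secret, authenticator)
    response = chap_response(7, password, challenge)
    return {
        "pap_attribute_len": len(hidden),
        "pap_recovered": pap_recover(hidden, secret, authenticator),
        "chap_response_len": len(response),
        "chap_ok": chap_verify(7, password, challenge, response),
        "chap_wrong_password": chap_verify(7, b"guess", challenge, response),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With PAP the protection of the password rests entirely on the RADIUS shared secret, while with CHAP only a per-challenge digest is sent and the server must hold its own copy of the password to check it.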
This section contains the following topics:
•
AP Failover Priority
•
Configuring 802.3 Bridging
•
802.3x Flow Control
•
Lightweight Access Point Protocol Transport Mode
•
Aggressive Load Balancing
•
Link Aggregation
•
Wireless Management
•
Mobility Anchor Group Keep Alive Interval
AP Failover Priority
When a controller fails, the backup controller configured for the access point suddenly receives a number
of Discovery and Join requests. If the controller becomes overloaded, it might reject some of the access
points.
By assigning failover priority to an access point, you have some control over which access points are
rejected. When the backup controller is overloaded, join requests of access points configured with a
higher priority level take precedence over lower-priority access points.
To configure failover priority settings for access points, you must first enable the AP Failover Priority
feature.
To enable the AP Failover Priority feature, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > General.
Step 4
From the AP Failover Priority drop-down list, choose Enabled.
To configure an access point failover priority, follow these steps:
Step 1
Choose Configure > Access Points > AP Name.
Step 2
From the AP Failover Priority drop-down list, choose the applicable priority (Low, Medium, High,
Critical).
Note
The default priority is Low.
Configuring 802.3 Bridging
The controller supports 802.3 frames and applications that use them, such as those typically used for
cash registers and cash register servers. However, to make these applications work with the controller,
the 802.3 frames must be bridged on the controller.
Support for raw 802.3 frames allows the controller to bridge non-IP frames for applications not running
over IP. Only this raw 802.3 frame format is currently supported.
To configure 802.3 bridging using the Prime Infrastructure release 4.1 or later, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
Choose System > General to access the General page.
Step 4
From the 802.3 Bridging drop-down list, choose Enable to enable 802.3 bridging on your controller or
Disable to disable this feature. The default value is Disable.
Step 5
Click Save to confirm your changes.
802.3x Flow Control
Flow control is a technique for ensuring that a transmitting entity, such as a modem, does not overwhelm
a receiving entity with data. When the buffers on the receiving device are full, a message is sent to the
sending device to suspend the transmission until the data in the buffers has been processed.
By default, flow control is disabled. You can only enable a Cisco switch to receive PAUSE frames but
not to send them.
Lightweight Access Point Protocol Transport Mode
Lightweight Access Point Protocol transport mode indicates the communications layer between
controllers and access points. Selections are Layer 2 or Layer 3.
To convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 lightweight access point
transport mode using the Prime Infrastructure user interface, follow these steps:
Note
Cisco IOS-based lightweight access points do not support Layer 2 lightweight access point mode. These
access points can only be run with Layer 3.
Note
This procedure causes your access points to go offline until the controller reboots and the associated
access points reassociate to the controller.
Step 1
Make sure that all controllers and access points are on the same subnet.
Note
You must configure the controllers and associated access points to operate in Layer 2 mode
before completing the conversion.
Step 2
Log into the Prime Infrastructure user interface. Then follow these steps to change the lightweight access
point transport mode from Layer 3 to Layer 2:
a.
Choose Configure > Controllers.
b.
Click the IP address of the applicable controller.
c.
Choose System > General to access the General page.
d.
Change lightweight access point transport mode to Layer2 and click Save.
e.
If the Prime Infrastructure displays the following message, click OK:
Please reboot the system for the CAPWAP Mode change to take effect.
Step 3
To restart the Prime Infrastructure, follow these steps:
a.
Choose System > Commands.
b.
From the Administrative Commands drop-down list, choose Save Config To Flash, and click Go to
save the changed configuration to the controller.
c.
Click OK to continue.
d.
From the Administrative Commands drop-down list, choose Reboot, and click Go to reboot the
controller.
e.
Click OK to confirm the save and reboot.
Step 4
After the controller reboots, follow these steps to verify that the CAPWAP transport mode is now Layer
2:
a.
Choose Configure > Controllers.
b.
Click the IP address of the applicable controller.
c.
Verify that the current CAPWAP transport mode is Layer2 from the general drop-down list.
You have completed the CAPWAP transport mode conversion from Layer 3 to Layer 2. The operating
system software now controls all communications between controllers and access points on the same
subnet.
Aggressive Load Balancing
In routing, load balancing refers to the capability of a router to distribute traffic over all its network ports
that are the same distance from the destination address. Good load-balancing algorithms use both line
speed and reliability information. Load balancing increases the use of network segments, thus increasing
effective network bandwidth.
Aggressive load balancing actively balances the load between the mobile clients and their associated
access points.
Link Aggregation
Link aggregation allows you to reduce the number of IP addresses needed to configure the ports on your
controller by grouping all the physical ports and creating a link aggregation group (LAG). In a 4402
model, two ports are combined to form a LAG whereas in a 4404 model, all four ports are combined to
form a LAG.
If LAG is enabled on a controller, the following configuration changes occur:
•
Any dynamic interfaces that you have created are deleted. This is done to prevent configuration
inconsistencies in the interface database.
•
Interfaces cannot be created with the “Dynamic AP Manager” flag set.
Note
You cannot create more than one LAG on a controller.
The advantages of creating a LAG include the following:
•
Assurance that, if one of the links goes down, the traffic is moved to the other links in the LAG. As
long as one of the physical ports is working, the system remains functional.
•
No need to configure separate backup ports for each interface.
•
Multiple AP-manager interfaces are not required because only one logical port is visible to the
application.
Note
When you make changes to the LAG configuration, the controller has to be rebooted for the
changes to take effect.
Tip
When you hover your mouse cursor over the parameter text box, the valid range for that field
appears.
Wireless Management
Because of IPsec operation, management via wireless is only available to operators logging in across
WPA, Static WEP, or VPN Pass Through WLANs. Wireless management is not available to clients
attempting to log in via an IPsec WLAN.
Mobility Anchor Group Keep Alive Interval
Indicate the delay between tries for clients attempting to join another access point. This decreases the
time it takes for a client to join another access point following a controller failure because the failure is
quickly identified, the clients are moved away from the problem controller, and the clients are anchored
to another controller.
Tip
When you hover your mouse cursor over the parameter text box, the valid range for that field appears.
Configuring Controller System Commands
To view the System Command parameters for current controllers, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Commands. The following parameters appear:
•
Administrative
– Reboot—This command enables you to confirm the restart of your controller after saving your
configuration changes. Open and confirm a new session and log into the controller to avoid
losing a system connection.
– Save Config to Flash—Data is saved to the controller in non-volatile RAM (NVRAM) and is
preserved in the event of a power cycle. If the controller is rebooted, all applied changes are lost
unless the configuration has been saved.
– Reset to Factory Default—Choose this command to return the controller to its original settings.
See the “Restoring Factory Defaults” section on page 9-307 for more information.
– Ping From Controller—Send a ping to a network element. This pop-up dialog box allows you
to tell the controller to send a ping request to a specified IP address. This is useful for
determining if there is connectivity between the controller and a particular IP station. If you
click OK, three pings are sent and the results of the ping are displayed in the pop-up. If a reply
to the ping is not received, it shows No Reply Received from IP xxx.xxx.xxx.xxx, otherwise it
shows Reply received from IP xxx.xxx.xxx.xxx: (send count =3, receive count = n).
•
Configuration
– Audit Config—See the “Viewing the Latest Network Audit Report” section on page 9-296.
– Refresh Config From Controller—See the “Refreshing the Configuration from the Controller”
section on page 9-292.
– Restore Config To Controller—Choose this command to restore the configuration from the
Prime Infrastructure database to the controller.
– Set System Time—See the “Setting the Controller Time and Date” section on page 9-308.
•
Upload/Download Commands
Note
Select the FTP or TFTP radio button. Both File Transfer Protocol (FTP) and Trivial File Transfer
Protocol (TFTP) are supported for uploading and downloading files to and from the Prime
Infrastructure. In previous software releases, only TFTP was supported.
– Upload File from Controller—See the “Uploading Configuration/Logs from Controllers”
section on page 9-308.
– Download Config—See the “Downloading Configurations to Controllers” section on
page 9-309.
– Download Software—Choose this command to download software to the selected controller or
all controllers in the selected groups after you have a configuration group established. See the
“Downloading Software to a Controller” section on page 9-310.
– Download Web Auth Cert—Choose this command to access the Download Web Auth
Certificate to Controller page. See the “Downloading a Web Admin Certificate to a Controller”
section on page 9-310.
– Download Web Admin Cert—Choose this command to access the Download Web Admin
Certificate to Controller page. See the “Downloading a Web Admin Certificate to a Controller”
section on page 9-310.
– Download IDS Signatures—Choose this command to download customized signatures to the
standard signature file currently on the controller. See the “Downloading Signature Files”
section on page 9-387 for more information.
– Download Customized Web Auth—Choose this command to download a customized Web
authentication page to the controller. A customized web page is created to establish a username
and password for user web access. See the “Downloading a Customized WebAuthentication
Bundle to a Controller” section on page 9-289.
– Download Vendor Device Certificate—Choose this command to download your own
vendor-specific device certificate to the controller to replace the current wireless device
certificate. See the “Downloading a Vendor Device Certificate” section on page 9-290.
– Download Vendor CA Certificate—Choose this command to download your own
vendor-specific certificate authority (CA) to the controller to replace the current CA. See the
“Downloading a Vendor CA Certificate” section on page 9-291.
•
RRM Commands
– RRM 802.11a/n Reset—Resets Remote Radio Management for 802.11a/n Cisco Radios.
– 802.11b/g/n Reset—Resets Remote Radio Management for 802.11b/g/n Cisco Radios.
– 802.11a/n Channel Update—Updates access point dynamic channel algorithm for 802.11a/n
Cisco Radios.
– 802.11b/g/n Channel Update—Updates access point dynamic channel algorithm for
802.11b/g/n Cisco Radios.
– 802.11a/n Power Update—Updates access point dynamic transmit power algorithm for
802.11a/n Cisco Radios.
– 802.11b/g/n Power Update—Updates access point dynamic transmit power algorithm for
802.11b/g/n Cisco Radios.
Restoring Factory Defaults
Choose Configure > Controllers, and click an IP address in the IP Address column. From the left
sidebar menu, choose System > Commands, and from the Administrative Commands drop-down list,
choose Reset to Factory Default, and click Go to access this page.
This command enables you to reset the controller configuration to the factory default. This overwrites
all applied and saved configuration parameters. You are prompted for confirmation to reinitialize your
controller.
All configuration data files are deleted, and upon reboot, the controller is restored to its original
non-configured state. This removes all IP configuration, and you need a serial connection to restore its
base configuration.
Note
After confirming configuration removal, you must reboot the controller and select the Reboot Without
Saving option.
Setting the Controller Time and Date
Choose Configure > Controllers, and click an IP address under the IP Address column. From the left
sidebar menu, choose System > Commands, and from the Configuration Commands drop-down list
choose Set System Time, and click Go to access this page.
Use this command to manually set the current time and date on the controller. To use a Network Time
Server to set or refresh the current time, see the “Configuring an NTP Server Template” section on
page 11-563. The following parameters appear:
•
Current Time—Shows the time currently being used by the system.
•
Month/Day/Year—Choose the month/day/year from the drop-down list.
•
Hour/Minutes/Seconds—Choose the hour/minutes/seconds from the drop-down list.
•
Delta (hours)—Enter the positive or negative hour offset from GMT (Greenwich Mean Time).
•
Delta (minutes)—Enter the positive or negative minute offset from GMT.
•
Daylight Savings—Select to enable Daylight Savings Time.
Command Buttons
•
Set Date and Time
•
Set Time Zone
•
Cancel
Uploading Configuration/Logs from Controllers
To upload files from the controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click an IP address in the IP Address column.
Step 3
From the left sidebar menu, choose System > Commands.
Step 4
From the Upload/Download Commands drop-down list, choose Upload File from Controller.
Step 5
Click Go to access this page.
Use this command to upload files from your controller to a local TFTP (Trivial File Transfer Protocol)
server. The following fields appear:
•
IP Address—IP address of the controller.
•
Status—Upload NOT_INITIATED, or other state.
•
Enter the TFTP server name, or New and the new TFTP server name.
•
Verify and/or enter the IP Address of the TFTP server.
•
Select the file type—Configuration file, Event Log, Message Log, Trap Log, Crash File.
•
Enter the Upload to File from /(root)/Prime Infrastructure-tftp/ filename.
•
Choose whether or not Prime Infrastructure saves before backing up the configuration.
Step 6
Click OK. The selected file is uploaded to your TFTP server and named what you entered in the File
Name text box.
Note
Prime Infrastructure uses an integral TFTP server. This means that third-party TFTP servers cannot run
on the same workstation as Prime Infrastructure, because the Cisco Prime Infrastructure and the
third-party TFTP servers use the same communication port.
Downloading Configurations to Controllers
To download configuration files, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click an IP address in the IP Address column.
Step 3
From the left sidebar menu, choose System > Commands.
Step 4
From the Upload/Download Commands drop-down list, choose Download Config.
Step 5
Click Go to access this page.
Use this command to download and install a configuration file to your controller from a local TFTP
(Trivial File Transfer Protocol) server. The following parameters appear:
Note
Prime Infrastructure uses an integral TFTP server. This means that third-party TFTP servers
cannot run on the same workstation as Prime Infrastructure, because the Prime Infrastructure and
the third-party TFTP servers use the same communication port.
•
IP Address—IP address of the controller.
•
Status—Status of the certificate, for example, NOT_INITIATED.
•
Server Name—Choose Default Server or New from the drop-down list. When you choose New, type
in the IP address.
•
Server Address—IP address of the server.
•
Maximum Retries—How many times to retry if the download fails.
•
Timeout—How long to allow between retries.
TFTP Servers
•
File Name—Enter or choose the filename to download by clicking Browse.
Downloading Software to a Controller
To download software, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click an IP address in the IP Address column.
Step 3
From the left sidebar menu, choose System > Commands.
Step 4
From the Upload/Download Commands drop-down list, choose Download Software.
Step 5
Click Go to access this page.
Use this command to download and install new operating system software to your controller from a
local TFTP (Trivial File Transfer Protocol) server.
Note
Prime Infrastructure uses an integral TFTP server. This means that third-party TFTP servers cannot run
on the same workstation as Prime Infrastructure, because the Prime Infrastructure and the third-party
TFTP servers use the same communication port.
•
IP Address—IP address of the controller to receive the software.
•
Current Software Version—The software version currently running on the controller.
•
Status—Status of the software, for example, NOT_INITIATED.
•
TFTP Server on Cisco Prime Infrastructure System—Select the check box to enable the built-in Cisco
Prime Infrastructure TFTP server.
•
Server IP Address—Indicates the IP address of the TFTP server to send the software to the controller
when you have disabled the built-in Prime Infrastructure TFTP server.
•
Maximum Retries—Maximum number of unsuccessful attempts before the download is abandoned.
•
Timeout—Maximum number of seconds before the download is abandoned.
•
File Name—Enter or select the filename to download by clicking Browse.
Downloading a Web Admin Certificate to a Controller
To download a Web Admin Certificate, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click an IP address in the IP Address column.
Step 3
From the left sidebar menu, choose System > Commands.
Step 4
From the Upload/Download Commands drop-down list, choose Download WEB Admin Cert.
Step 5
Click Go to access this page.
This page enables you to download a web administration certificate to the controller. The following
parameters appear:
Caution
Each certificate has a variable-length embedded RSA key. The RSA key length varies from 512 bits,
which is relatively insecure, to thousands of bits, which is very secure. When you are obtaining a new
certificate from a certificate authority (such as the Microsoft CA), make sure the RSA key embedded in
the certificate is at least 768 bits.
•
IP Address—IP address of the controller to receive the certificate.
•
Status—Status of the certificate, for example, NOT_INITIATED.
•
Server Name—Use the drop-down list to choose the Default Server or New. When you select New,
type in the IP address.
•
Server Address—IP address of the server.
•
Maximum Retries—Maximum number of times each download operation can be attempted.
•
Timeout (seconds)—The amount of time allowed for each download operation.
•
File Name—File name of the certificate.
•
Password—Password to access the certificate.
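A pre-flight check for the Caution above, as an added example that is not part of the Cisco guide: it reads the RSA modulus length from a PEM certificate using only the Python standard library. The function names and the sample certificates are constructed for illustration (the samples are unsigned skeletons built only to exercise the parser), and the check reads the key size without validating the certificate.

```python
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
GUIDE_MINIMUM_BITS = 768    # floor stated in the guide's Caution


def read_tlv(data, pos=0):
    """Decode one DER element at pos; return (tag, content, next_pos)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                       # short-form length
        start, length = pos + 2, first
    else:                                  # long-form length: next n bytes hold it
        n = first & 0x7F
        start = pos + 2 + n
        length = int.from_bytes(data[pos + 2:start], "big")
    if start + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[start:start + length], start + length


def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def rsa_modulus_bits(pem_text):
    """Return the RSA modulus length in bits of the first PEM certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode(m.group(1))
    _, cert, _ = read_tlv(der)
    tbs = children(children(cert)[0][1])   # fields of tbsCertificate
    if tbs[0][0] == 0xA0:                  # optional explicit [0] version field
        tbs = tbs[1:]
    # Remaining order: serial, signature alg, issuer, validity, subject, SPKI
    algorithm, public_key = children(tbs[5][1])[:2]
    if children(algorithm[1])[0][1] != RSA_ENCRYPTION_OID:
        raise ValueError("certificate does not carry an RSA key")
    rsa_key = children(public_key[1][1:])  # skip the BIT STRING unused-bits octet
    modulus = children(rsa_key[0][1])[0][1]
    return int.from_bytes(modulus, "big").bit_length()


def key_length_ok(pem_text, minimum=GUIDE_MINIMUM_BITS):
    """True when the certificate's RSA key has at least `minimum` bits."""
    return rsa_modulus_bits(pem_text) >= minimum


def tlv(tag, content):
    """DER-encode one element (used only to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def sample_certificate(bits):
    """Constructed, unsigned certificate skeleton with a `bits`-bit RSA modulus."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa_key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    null = tlv(0x05, b"")
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_ENCRYPTION_OID) + null)
               + tlv(0x03, b"\x00" + rsa_key))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + null)
    validity = tlv(0x30, tlv(0x17, b"130901000000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki)
    der = tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))   # dummy signature
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for size in (512, 768, 2048):
        pem = sample_certificate(size)
        verdict = "ok" if key_length_ok(pem) else "too short"
        print(f"{rsa_modulus_bits(pem)}-bit RSA key: {verdict}")
```

The default threshold is the guide's 768-bit floor; pass `minimum=2048` to apply the stricter floor commonly required for newly issued certificates today.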
TFTP Servers
Downloading IDS Signatures
To download an IDS signature, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click an IP address in the IP Address column.
Step 3
From the left sidebar menu, choose System > Commands.
Step 4
From the Upload/Download Commands drop-down list, choose Download IDS Signatures.
Step 5
Click Go to access this page.
Use this command to download IDS (Intrusion Detection System) signature files from your controller to
a local TFTP (Trivial File Transfer Protocol) server. The following parameters appear:
•
IP Address—IP address of the controller.
•
Status—Download NOT_INITIATED, TRANSFER_SUCCESSFUL or other state.
Downloading a Customized Web Auth Bundle to a Controller
To download a customized web authentication page to the controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click an IP address in the IP Address column.
Step 3
From the left sidebar menu, choose System > Commands.
Step 4
From the Upload/Download Commands drop-down list, choose Download Customized Web Auth.
The following parameters appear:
•
IP Address—IP address of the controller to receive the bundle.
•
Status—State of download: NOT_INITIATED, TRANSFER_SUCCESSFUL,
TRANSFER_FAILED, NOT_RESPONDING.
Before downloading the customized Web authentication bundle, follow these steps:
Step 1
Click the indicated link to download the example login.tar bundle file from the server.
The link is the highlighted word “here” near the bottom of the page.
Step 2
Edit the login.html file and save it as a .tar or .zip file.
Step 3
Download the .tar or .zip file to the controller.
The file contains the pages and image files required for the web authentication display.
Note
The controller accepts a .tar or .zip file of up to 1 MB in size. The 1 MB limit includes the total
size of uncompressed files in the bundle.
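Because the 1 MB limit counts uncompressed content, a small .zip can still exceed it. The following added example (not part of the Cisco guide) checks a bundle before it is downloaded to the controller; reading 1 MB as 1,048,576 bytes, expecting login.html at the top level, and the path-safety check are assumptions made here, and the sample bundles are constructed in memory.

```python
import io
import posixpath
import tarfile
import zipfile

# Limit stated in the guide, counted over the uncompressed files.
# Assumption: "1 MB" is read as 1024 * 1024 bytes.
MAX_BUNDLE_BYTES = 1024 * 1024
# Assumption: the edited login page keeps its name and sits at the bundle root.
REQUIRED_PAGE = "login.html"


def list_members(data):
    """Return [(name, uncompressed_size, kind)] for .tar or .zip bytes."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return [(m.name, m.size,
                     "file" if m.isfile() else "dir" if m.isdir() else "other")
                    for m in tf.getmembers()]
    except tarfile.ReadError:
        pass                                   # not a tar, try zip next
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, i.file_size, "dir" if i.is_dir() else "file")
                    for i in zf.infolist()]
    except zipfile.BadZipFile:
        raise ValueError("not a .tar or .zip archive") from None


def check_bundle(data, limit=MAX_BUNDLE_BYTES):
    """Return (total_uncompressed_bytes, problems) for a bundle given as bytes."""
    problems, names, total = [], set(), 0
    for name, size, kind in list_members(data):
        norm = posixpath.normpath(name.replace("\\", "/"))
        # Added hygiene check, not a rule from the guide: reject member names
        # that are absolute or climb out of the bundle root.
        if norm.startswith("/") or norm == ".." or norm.startswith("../"):
            problems.append(f"unsafe member path: {name}")
        if kind == "other":                    # links, devices and similar
            problems.append(f"not a regular file or directory: {name}")
        if kind == "file":
            total += size                      # size after extraction
            names.add(norm)
    if total > limit:
        problems.append(f"uncompressed size {total} bytes exceeds limit of {limit} bytes")
    if REQUIRED_PAGE not in names:
        problems.append(f"{REQUIRED_PAGE} not found at the top level of the bundle")
    return total, problems


def build_tar(files):
    """Build a constructed sample .tar in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_zip(files):
    """Build a constructed sample .zip (deflate-compressed) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "ok.tar": build_tar({"login.html": b"<html></html>", "logo.jpg": b"\xff" * 20000}),
        # Compresses to a few kilobytes but expands to more than 2 MB.
        "big.zip": build_zip({"login.html": b"<html></html>",
                              "bg.bmp": b"\x00" * (2 * 1024 * 1024)}),
    }
    for label, blob in samples.items():
        total, problems = check_bundle(blob)
        print(f"{label}: {len(blob)} bytes on disk, {total} bytes uncompressed ->",
              problems or "OK")
```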
TFTP Servers
To set up one or more TFTP servers, configure the following parameters:
•
File is located on—Choose Local machine or TFTP server. The default is local machine (Prime
Infrastructure internal server).
•
Server Name—Use the drop-down list to choose one of the following:
– New—Set up a new server. Enter the server name and IP address in the text boxes provided.
– Default Server—The server name (editable) and IP address (read-only) are automatically
added.
•
Server IP Address—IP address of the server.
•
Maximum Retries—Maximum number of unsuccessful attempts before the download is abandoned.
•
Timeout—Maximum number of seconds before the download is abandoned.
•
Prime Infrastructure Server Files In—C:\tftp or other specified file directory on the local machine.
•
Local File Name—Filename of the Web authentication bundle on the local machine. Click Browse
to locate the file.
•
Server File Name—Filename on a remote TFTP server.
When completed, these fields and settings are repopulated in the page and do not need to be entered
again.
Command Buttons
•
OK—The file is downloaded from the local machine or TFTP server with the name shown in the
File Name text box.
•
Cancel
Configuring Controller System Interfaces
This section describes how to configure controller system interfaces and contains the following topics:
•
Adding an Interface, page 9-313
•
Viewing Current Interface Details, page 9-314
•
Deleting a Dynamic Interface, page 9-315
•
NAC Integration, page 9-318
•
Configuring Wired Guest Access, page 9-320
To view existing interfaces, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Interfaces. The following parameters appear:
•
Check box—Select the dynamic interface for deletion. Choose Delete Dynamic Interfaces from the
Select a command drop-down list.
•
Interface Name—User-defined name for this interface (For example, Management, Service-Port,
Virtual).
•
VLAN Identifier—VLAN identifier between 0 (untagged) and 4096, or N/A.
•
Quarantine—Select the check box if the interface has a quarantine VLAN ID configured on it.
•
IP Address—IP address of this interface.
•
Interface Type—Static (Management, AP-Manager, Service-Port, and Virtual interfaces) or
Dynamic (operator-defined interfaces).
•
AP Management Status—Displays the status of AP Management interfaces. The parameters include
Enabled, Disabled, and N/A.
Note
Only the management port can be configured as Redundancy Management Interface port.
Adding an Interface
To add an interface, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Interfaces.
Step 4
From the Select a command drop-down list, choose Add Interface.
Step 5
Enter the necessary parameters:
•
Interface Name—User-defined name for this interface (Management, Service-Port, Virtual, and
VLAN n).
•
Wired Interface—Select the check box to mark the interface as wired.
•
Interface Address
– VLAN Identifier—1 through 4096, or 0 = untagged.
– Quarantine—Enable/disable to quarantine a VLAN. Select the check box to enable.
– IP Address—IP address of the interface.
– Gateway—Gateway address of the interface.
•
Physical Information
– Port Number—The port that is used by the interface.
– Primary Port Number (active)—The port that is currently used by the interface.
– Secondary Port Number—The port that is used by the interface when the primary port is down.
Note
Primary and secondary port numbers are only present in Cisco 4400 Series Wireless
LAN controllers.
Note
The secondary port is used when the primary port shuts down. When the primary port
is reactivated, the Cisco 4400 Series Wireless LAN controller transfers the interfaces
back to the primary port.
– AP Management—Select to enable access point management.
•
DHCP Information
– Primary DHCP Server—IP address of the primary DHCP server.
– Secondary DHCP Server—IP address of the secondary DHCP server.
•
Access Control List—User-defined ACL name (or none).
•
mDNS Profile—Drop-down list from which you can choose the mDNS profile. The default option
is none.
Viewing Current Interface Details
To view details for a current interface, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Interfaces.
Step 4
Select the Interface Name for the applicable interface. The Interface Details page opens.
Step 5
View or edit the following interface parameters:
Note
Changing the Interface parameters causes the WLANs to be temporarily disabled and thus might
result in loss of connectivity for some clients.
•
Interface Address
– VLAN Identifier—1 through 4096, or 0 = untagged.
– Guest LAN
– Quarantine—Enable/disable to quarantine a VLAN. Select the check box to enable.
– IP Address—IP address of the interface.
– Gateway—Gateway address of the interface.
•
Physical Information
– Primary Port Number (active)—The port that is currently used by the interface.
– Secondary Port Number—The port that is used by the interface when the primary port is down.
Note
Primary and secondary port numbers are only present in Cisco 4400 Series Wireless
LAN Controllers.
Note
The secondary port is used when the primary port shuts down. When the primary port
is reactivated, the Cisco 4400 Series Wireless LAN Controller transfers the interfaces
back to the primary port.
– AP Management—Select to enable access point management.
•
DHCP Information
– Primary DHCP Server—IP address of the primary DHCP server.
– Secondary DHCP Server—IP address of the secondary DHCP server.
•
Access Control List
– ACL Name—User-defined name of the access control list (or none).
Step 6
Click Save to confirm any changes made. Click Audit to audit the device values.
Deleting a Dynamic Interface
To delete a dynamic interface, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Interfaces.
Step 4
Select the check box of the dynamic interface that you want to delete.
Step 5
From the Select a command drop-down list, choose Delete Dynamic Interfaces.
Step 6
Click OK to confirm the deletion.
Note
The dynamic interface cannot be deleted if it has been assigned to an interface group.
Configuring Controller System Interface Groups
Note
The Interface Groups feature is supported by controller software release 7.0.116.0 and later.
This section describes how to configure controller system interface groups and contains the following
topics:
•
Adding an Interface Group, page 9-316
•
Deleting an Interface Group, page 9-317
•
Viewing Interface Groups, page 9-317
Adding an Interface Group
To add an interface group, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Interface Groups.
Step 4
From the Select a command drop-down list, choose Add Interface Group.
Step 5
Enter the necessary parameters:
•
Name—User-defined name for this interface group (group1, group2).
•
Description—(Optional) Description for the Interface group.
•
Quarantine—Enable/disable to quarantine a VLAN. Select the check box to enable.
•
mDNS Profile—Drop-down list from which you can choose the mDNS profile. The default option
is none.
Step 6
Click Add.
The Interface dialog box appears.
Step 7
Select the interfaces that you want to add to the group, and click OK.
To remove an Interface from the Interface group, from the Interface Group page, select the Interface and
click Remove.
Step 8
Once you are done with adding the interfaces in the Interface Group page, click any of the following
buttons:
•
Save to confirm any changes made.
•
Cancel to discard the changes.
Note
•
The number of interfaces that can be added to an interface group depends upon the type of the
controller.
•
Guest LAN interfaces cannot be part of interface groups.
•
An Interface group name must be different from the Interface name.
Deleting an Interface Group
To delete an interface group, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Interface Groups.
Step 4
Select the check box of the interface group that you want to delete.
Step 5
From the Select a command drop-down list, choose Delete Interface Group, and click Go.
Step 6
Click OK to confirm the deletion.
Note
•
The Interface Group cannot be deleted if it has been assigned to WLAN(s).
•
The Interface Group cannot be deleted if it has been assigned to AP Group(s).
•
The Interface Group cannot be deleted if it has been assigned to Foreign Controller Mapping for the
WLAN(s).
•
The Interface Group Template cannot be deleted if it has been assigned to WLAN Template(s).
•
The Interface Group Template cannot be deleted if it has been assigned to AP Group Template(s).
•
You cannot enable/disable quarantine for an interface if it has been assigned to an interface group.
Viewing Interface Groups
To view existing interface groups, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Interface Groups. The following parameters appear:
•
Name—User-defined name for the interface group (For example, group1, group2).
•
Description—(Optional) Description for the Interface Group.
•
Interfaces—Count of the number of interfaces belonging to the group.
Step 4
Click the Interface group name link.
The Interface Groups Details page appears with the Interface group details as well as the details of the
Interfaces that form part of that particular Interface group.
NAC Integration
The Cisco NAC appliance, also known as Cisco Clean Access (CCA), is a Network Admission Control
(NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate
wired, wireless, and remote users and their machines prior to allowing users onto the network. It
identifies whether machines are compliant with security policies and repairs vulnerabilities before
permitting access to the network. The NAC appliance is available in two modes: in-band and
out-of-band. Customers can deploy both modes if desired, each geared toward certain types of access
(in-band for supporting wireless users and out-of-band for supporting wired users, for example).
For more information on NAC Out-of-Band Integration, see the applicable section in the Cisco Prime
Infrastructure Configuration Guide.
This section contains the following topics:
•
Guidelines for Using SNMP NAC, page 9-318
•
Configuring NAC Out-of-Band Integration (SNMP NAC), page 9-319
Guidelines for Using SNMP NAC
Follow these guidelines when using SNMP NAC out-of-band integration:
•
The NAC appliance supports up to 3500 users, and the controller supports up to 5000 users.
Therefore, multiple NAC appliances might need to be deployed.
•
Because the NAC appliance supports static VLAN mapping, you must configure a unique quarantine
VLAN for each interface configured on the controller. For example, you might configure a
quarantine VLAN of 110 on controller 1 and a quarantine VLAN of 120 on controller 2. However,
if two WLANs or guest LANs use the same distribution system interface, they must use the same
quarantine VLAN, provided they have one NAC appliance deployed in the network. The NAC
appliance supports unique quarantine-to-access VLAN mapping.
•
For posture reassessment based on session expiry, you must configure the session timeout on both
the NAC appliance and the WLAN, making sure that the session expiry on the WLAN is greater than
that on the NAC appliance.
•
When a session timeout is configured on an open WLAN, the timing out of clients in the Quarantine
state is determined by the timer on the NAC appliance. Once the session timeout expires for WLANs
using web authentication, clients deauthenticate from the controller and must perform posture
validation again.
•
NAC out-of-band integration is supported only on WLANs configured for FlexConnect central
switching. It is not supported for use on WLANs configured for FlexConnect local switching.
•
If you want to enable NAC on an access point group VLAN, you must first enable NAC on the
WLAN. Then you can enable or disable NAC on the access point group VLAN. If you ever decide
to disable NAC on the WLAN, be sure to disable it on the access point group VLAN as well.
•
NAC out-of-band integration is not supported for use with the WLAN AAA override feature.
•
All Layer 2 and Layer 3 authentication occurs in the quarantine VLAN. To use external web
authentication, you must configure the NAC appliance to allow HTTP traffic to and from external
web servers and to allow the redirect URL in the quarantine VLAN.
Note
See the Cisco NAC appliance configuration guides for configuration instructions at the
following URL:
http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html.
Guidelines for Using RADIUS NAC
Follow these guidelines when using RADIUS NAC:
•
RADIUS NAC is available only for WLAN with 802.1x/WPA/WPA2 Layer 2 security.
•
RADIUS NAC cannot be enabled when FlexConnect local switching is enabled.
•
AAA override should be enabled to configure RADIUS NAC.
Configuring NAC Out-of-Band Integration (SNMP NAC)
To configure SNMP NAC out-of-band integration, follow these steps:
Step 1
To configure the quarantine VLAN for a dynamic interface, follow these steps:
a.
Choose Configure > Controller.
b.
Choose which controller you are configuring for out-of-band integration by clicking it in the IP
Address column.
c.
Choose System > Interfaces from the left sidebar menu.
d.
Choose Add Interface from the Select a command drop-down list.
e.
In the Interface Name text box, enter a name for this interface, such as “quarantine.”
f.
In the VLAN Identifier text box, enter a non-zero value for the access VLAN ID, such as “10.”
g.
Select the Quarantine check box if the interface has a quarantine VLAN ID configured on it.
Note
We recommend that you configure unique quarantine VLANs throughout your network. If
multiple controllers are configured in the same mobility group and access interfaces on all
controllers are in the same subnet, it is mandatory to have the same quarantine VLAN if
there is only one NAC appliance in the network. If multiple controllers are configured in the
same mobility group and access interfaces on all controllers are in different subnets, it is
mandatory to have different quarantine VLANs if there is only one NAC appliance in the
network.
h.
Configure any remaining fields for this interface, such as the IP address, netmask, and default
gateway.
i.
Enter an IP address for the primary and secondary DHCP server.
j.
Click Save. You are now ready to create a NAC-enabled WLAN or Guest LAN.
Step 2
To configure NAC out-of-band support on a WLAN or guest LAN, follow these steps:
a.
Choose WLANs > WLAN from the left sidebar menu.
b.
Choose Add a WLAN from the Select a command drop-down list, and click Go.
c.
If you have a template established that you want to apply to this controller, choose the guest LAN
template name from the drop-down list. Otherwise, click the click here link to create a new
template. For more information on setting up the template, see the “Configuring Wired Guest
Access” section on page 9-320.
d.
Click the Advanced tab.
e.
To configure SNMP NAC support for this WLAN or guest LAN, choose SNMP NAC from the NAC
Stage drop-down list. To disable SNMP NAC support, choose None from the NAC Stage drop-down
list, which is the default value.
f.
Click Apply to commit your changes.
Step 3
To configure NAC out-of-band support for a specific AP group, follow these steps:
a.
Choose WLANs > AP Groups VLAN from the left sidebar menu to open the AP Groups page.
Note
AP Groups (for 5.2 and later controllers) is referred to as AP Group VLANs for controllers
prior to 5.2.
b.
Click the name of the desired AP group.
c.
From the Interface Name drop-down list, choose the quarantine-enabled interface.
d.
To configure SNMP NAC support for this AP group, choose SNMP NAC from the Nac State
drop-down list. To disable NAC out-of-band support, choose None from the Nac State drop-down
list, which is the default value.
e.
Click Apply to commit your changes.
Step 4
To see the current state of the client (either Quarantine or Access), follow these steps:
a.
Choose Monitor > Clients to open the Clients page. Perform a search for clients.
b.
Click the MAC address of the desired client to open the Clients > Detail page. The NAC state
appears as access, invalid, or quarantine in the Security Information section.
Configuring Wired Guest Access
Wired Guest Access enables guest users to connect to the guest access network from a wired Ethernet
connection designated and configured for guest access. Wired guest access ports might be available in a
guest office or specific ports in a conference room.
Like wireless guest user accounts, wired guest access ports are added to the network using the Lobby
Ambassador feature.
Wired Guest Access can be configured in a standalone configuration or in a dual controller configuration
employing an anchor and foreign controller. This latter configuration is used to further isolate wired
guest access traffic but is not required for deployment of wired guest access.
Wired Guest Access ports initially terminate on a Layer 2 access switch or switch port which is
configured with VLAN interfaces for wired guest access traffic.
The wired guest traffic is then trunked from the access switch to a wireless LAN controller. This
controller is configured with an interface that is mapped to a wired guest access VLAN on the access
switch.
If two controllers are being used, the controller (foreign) that receives the wired guest traffic from the
switch then forwards the wired guest traffic to an anchor controller that is also configured for wired guest
access. After successful hand off of the wired guest traffic to the anchor controller, a bidirectional
Ethernet over IP (EoIP) tunnel is established between the foreign and anchor controllers to handle this
traffic.
Note
Although wired guest access is managed by anchor and foreign controllers when two controllers are
deployed, mobility is not supported for wired guest access clients. In this case, DHCP and web
authentication for the client are handled by the anchor controller.
Note
You can specify how much bandwidth a wired guest user is allocated in the network by configuring and
assigning a role and bandwidth contract.
To configure and enable wired guest user access on the network, follow these steps:
Step 1
To configure a dynamic interface for wired guest user access, choose Configure > Controllers, click the
IP address of the applicable controller, and then choose System > Interfaces.
Step 2
Choose Add Interface from the Select a command drop-down list, and click Go.
Step 3
Enter a name and VLAN ID for the new interface.
Step 4
Select the Guest LAN check box.
Step 5
Enter the primary and secondary port number.
Step 6
Click Save. You are now ready to create a wired LAN for guest access.
Step 7
To configure a wired LAN for guest user access, choose WLANs > WLAN configuration from the left
sidebar menu.
Step 8
Choose Add a WLAN from the Select a command drop-down list, and click Go.
Step 9
If you have a template established that you want to apply to this controller, choose the guest LAN
template name from the drop-down list. Otherwise, click the click here link to create a new template.
Step 10
In the WLAN > New Template general page, enter a name in the Profile Name text box that identifies
the guest LAN. Do not use any spaces in the name entered.
Step 11
Select the Enabled check box for the WLAN Status field.
Step 12
From the Ingress Interface drop-down list, choose the VLAN that you created in Step 3. This VLAN
provides a path between the wired guest client and the controller by way of the Layer 2 access switch.
Step 13
From the Egress Interface drop-down list, choose the name of the interface. This WLAN provides a path
out of the controller for wired guest client traffic.
Note
If you have only one controller in the configuration, choose management from the Egress
Interface drop-down list.
Step 14
Click the Security > Layer 3 tab to modify the default security policy (web authentication) or to assign
WLAN specific web authentication (login, logout, login failure) pages and the server source.
a.
To change the security policy to passthrough, select the Web Policy check box and select the
Passthrough radio button. This option allows users to access the network without entering a
username or password.
An Email Input check box appears. Select this check box if you want users to be prompted for their
e-mail address when attempting to connect to the network.
b.
To specify custom web authentication pages, unselect the Global WebAuth Configuration Enabled
check box.
When the Web Auth Type drop-down list appears, choose one of the following options to define the
web login page for the wireless guest users:
•
Default Internal—Displays the default web login page for the controller. This is the default value.
•
Customized Web Auth—Displays custom web login, login failure, and logout pages. When the
customized option is selected, three separate drop-down lists for login, login failure, and logout page
selection appear. You do not need to define a customized page for all three of the options. Choose
None from the appropriate drop-down list if you do not want to display a customized page for that
option.
These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar
files. For specifics on downloading custom pages, see the “Downloading a Customized
WebAuthentication Bundle to a Controller” section on page 9-289.
•
External—Redirects users to an external server for authentication. If you choose this option, you
must also enter the URL of the external server in the URL text box.
You can select specific RADIUS or LDAP servers to provide external authentication in the Security
> AAA pane. To do so, continue with Step 17.
Note
The RADIUS and LDAP external servers must be already configured to have selectable options
in the Security > AAA pane. You can configure these servers on the RADIUS Authentication
Servers, TACACS+ Authentication Servers page, and LDAP Servers page.
Step 15
If you selected External as the Web Authentication Type in Step 15, choose Security > AAA and choose
up to three RADIUS and LDAP servers using the drop-down lists.
Step 16
Click Save.
Step 17
Repeat this process if a second (anchor) controller is being used in the network.
Creating an Ingress Interface
To create an Ingress interface, follow these steps:
Step 1
Choose Add Interface from the Select a command drop-down list, and click Go.
Step 2
Click an interface name. The Interfaces Details : New Config page appears.
Step 3
In the Interface Name text box, enter a name for this interface, such as guestinterface.
Step 4
Enter a VLAN identifier for the new interface.
Step 5
Select the Guest LAN check box.
Step 6
Enter the primary and secondary port numbers.
Step 7
Click Save.
Creating an Egress Interface
To create an Egress interface, follow these steps:
Step 1
Choose Add Interface from the Select a command drop-down list, and click Go.
Step 2
Click an interface name. The Interfaces Details : New Config page appears.
Step 3
In the Interface Name text box, enter a name for this interface, such as quarantine.
Step 4
In the VLAN Identifier text box, enter a non-zero value for the access VLAN ID, such as 10.
Step 5
Select the Quarantine check box and enter a non-zero value for the quarantine VLAN ID, such as 110.
Note
You can have NAC-support enabled on the WLAN or guest WLAN template Advanced tab for
interfaces with Quarantine enabled.
Step 6
Enter the IP address, netmask, and default gateway.
Step 7
Enter the primary and secondary port numbers.
Step 8
Provide an IP address for the primary and secondary DHCP server.
Step 9
Configure any remaining fields for this interface, and click Save.
You are now ready to create a wired LAN for guest access.
Configuring Controller Network Routes
The Network Route page enables you to add a route to the controller service port. This route allows you
to direct all Service Port traffic to the designated management IP address.
•
Viewing Existing Network Routes, page 9-323
•
Adding a Network Route, page 9-324
Viewing Existing Network Routes
To view existing network routes, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Network Route. The following parameters appear:
•
IP Address—The IP address of the network route.
•
IP Netmask—Network mask of the route.
•
Gateway IP Address—Gateway IP address of the network route.
Adding a Network Route
To add a network route, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Network Route.
Step 4
From the Select a command drop-down list, choose Add Network Route.
Step 5
Click Go.
Step 6
Enter the IP address, IP Netmask, and Gateway IP address information.
Step 7
Click Save.
Configuring Controller Spanning Tree Protocol Parameters
Spanning Tree Protocol (STP) is a link management protocol that provides path redundancy while
preventing undesirable loops in the network.
To view or manage current STP parameters, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Spanning Tree Protocol. The Spanning Tree Protocol
page displays the following parameters:
•
Protocol Spec—The current protocol specification.
•
Admin Status—Select this check box to enable.
•
Priority—The numerical priority number of the ideal switch.
•
Maximum Age (seconds)—The amount of time (in seconds) before the received protocol
information recorded for a port is discarded.
•
Hello Time (seconds)—Determines how often (in seconds) the switch broadcasts its hello message
to other switches.
•
Forward Delay (seconds)—The time spent (in seconds) by a port in the learning/listening states of
the switches.
Configuring Controller Mobility Groups
By creating a mobility group, you can enable multiple network controllers to dynamically share
information and forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers
can share the context and state of client devices and controller loading information. With this
information, the network can support inter-controller wireless LAN roaming and controller redundancy.
Note
If it is possible for a wireless client in your network to roam from an access point joined to one controller
to an access point joined to another controller, both controllers should be in the same mobility group.
•
Messaging Among Mobility Groups, page 9-325
•
Mobility Group Prerequisites, page 9-325
•
Viewing Current Mobility Group Members, page 9-325
•
Adding Mobility Group Members from a List of Controllers, page 9-326
•
Manually Adding Mobility Group Members, page 9-326
•
Setting the Mobility Scalability Parameters, page 9-327
Messaging Among Mobility Groups
The controller provides inter-subnet mobility for clients by sending mobility messages to other member
controllers:
•
There can be up to 72 members in the list with up to 24 in the same mobility group.
•
The controller sends a Mobile Announce message to members in the mobility list each time a new
client associates to it.
•
In the Prime Infrastructure and controller software release 5.0, the controller uses multicast mode to
send the Mobile Announce messages. This allows the controller to send only one copy of the
message to the network, which delivers it to the multicast group containing all the mobility
members.
Note
For more information regarding mobility groups, see the Cisco Prime Infrastructure
Configuration Guide.
Mobility Group Prerequisites
Before you add controllers to a mobility group, you must verify that the following requirements have
been met for all controllers that are to be included in the group:
•
All controllers must be configured for the same CAPWAP transport mode (Layer 2 or Layer 3).
•
IP connectivity must exist between the management interfaces of all devices.
•
All controllers must be configured with the same mobility group name.
•
All devices must be configured with the same virtual interface IP address.
•
Availability of MAC and IP addresses of each controller to be included in the mobility group (to
configure the controllers with the MAC address and IP address of all the other mobility group
members).
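The prerequisites above, together with the list limits from “Messaging Among Mobility Groups,” can be checked against a planned controller inventory before any member is entered. The following Python code is an added example, not Cisco code: the Controller record, the finding codes, and the sample inventory are constructed for illustration, the group-name check assumes that names differing only by case or spacing are typos, and IP connectivity between management interfaces is not tested because the check runs offline.

```python
"""Offline pre-flight check for a planned mobility list (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

MAX_LIST_MEMBERS = 72    # members allowed in the mobility list
MAX_GROUP_MEMBERS = 24   # members allowed in one mobility group
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
CAPWAP_MODES = ("Layer 2", "Layer 3")


@dataclass(frozen=True)
class Controller:        # hypothetical record, one per planned member
    name: str
    mac: str             # value for the Member MAC Address text box
    mgmt_ip: str         # management interface IP address
    group: str           # mobility group name
    virtual_ip: str      # virtual interface IP address
    capwap_mode: str     # "Layer 2" or "Layer 3"


def check_mobility_list(controllers):
    """Return (code, message) findings; an empty list means the plan passes."""
    findings = []
    if len(controllers) > MAX_LIST_MEMBERS:
        findings.append(("LIST_SIZE", f"{len(controllers)} members in the "
                         f"mobility list, limit is {MAX_LIST_MEMBERS}"))

    # A MAC or management IP entered twice points at a copy/paste error.
    for attr in ("mac", "mgmt_ip"):
        counts = Counter(getattr(c, attr).lower() for c in controllers)
        for value, n in counts.items():
            if n > 1:
                findings.append(("DUPLICATE", f"{attr} {value} appears {n} times"))

    # Every member needs a well-formed MAC, usable IPs and a known mode.
    for c in controllers:
        if not MAC_RE.match(c.mac):
            findings.append(("BAD_MAC", f"{c.name}: malformed MAC {c.mac!r}"))
        for attr in ("mgmt_ip", "virtual_ip"):
            try:
                ipaddress.ip_address(getattr(c, attr))
            except ValueError:
                findings.append(("BAD_IP", f"{c.name}: invalid {attr}"))
        if c.capwap_mode not in CAPWAP_MODES:
            findings.append(("BAD_MODE", f"{c.name}: unknown CAPWAP mode"))

    groups = defaultdict(list)
    for c in controllers:
        groups[c.group].append(c)

    # Assumption: names that differ only by case or spacing are typos.
    folded = defaultdict(set)
    for name in groups:
        folded[name.strip().lower()].add(name)
    for variants in folded.values():
        if len(variants) > 1:
            findings.append(("GROUP_NAME", "group names differ only by case "
                             f"or spacing: {sorted(variants)}"))

    # Members of one group must agree on virtual IP and CAPWAP mode.
    for name, members in groups.items():
        if len(members) > MAX_GROUP_MEMBERS:
            findings.append(("GROUP_SIZE", f"group {name!r} has {len(members)} "
                             f"members, limit is {MAX_GROUP_MEMBERS}"))
        for attr, code in (("virtual_ip", "VIRTUAL_IP"),
                           ("capwap_mode", "CAPWAP_MODE")):
            values = sorted({getattr(m, attr) for m in members})
            if len(values) > 1:
                findings.append((code, f"group {name!r}: members disagree "
                                 f"on {attr}: {values}"))
    return findings


# Constructed sample inventory: wlc-c has a case typo in the group name,
# wlc-d uses a different virtual interface IP and transport mode.
SAMPLE_INVENTORY = [
    Controller("wlc-a", "00:1a:2b:3c:4d:01", "10.10.0.11", "campus", "192.0.2.1", "Layer 3"),
    Controller("wlc-b", "00:1a:2b:3c:4d:02", "10.10.0.12", "campus", "192.0.2.1", "Layer 3"),
    Controller("wlc-c", "00:1a:2b:3c:4d:03", "10.10.0.13", "Campus", "192.0.2.1", "Layer 3"),
    Controller("wlc-d", "00:1a:2b:3c:4d:04", "10.10.0.14", "campus", "192.0.2.2", "Layer 2"),
]

if __name__ == "__main__":
    for code, message in check_mobility_list(SAMPLE_INVENTORY):
        print(f"{code}: {message}")
```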
Viewing Current Mobility Group Members
To view current mobility group members, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Mobility Groups.
Note
To delete a group member, select a check box for the applicable group member, choose Delete
Group Members, and click Go.
Adding Mobility Group Members from a List of Controllers
To add a mobility group member from a list of existing controllers, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Mobility Groups.
Step 4
From the Select a command drop-down list, choose Add Group Members.
Step 5
Click Go.
Step 6
Select the check box(es) for the controller to be added to the mobility group.
Step 7
Click Save.
Manually Adding Mobility Group Members
If no controllers were found to add to the mobility group, you can add members manually. To manually
add members to the mobility group, follow these steps:
Step 1
Click the click here link from the Mobility Group Member details page.
Step 2
In the Member MAC Address text box, enter the MAC address of the controller to be added.
Step 3
In the Member IP Address text box, enter the management interface IP address of the controller to be
added.
Note
If you are configuring the mobility group in a network where Network Address Translation
(NAT) is enabled, enter the IP address sent to the controller from the NAT device rather than the
controller management interface IP address. Otherwise, mobility fails among controllers in the
mobility group.
Step 4
Enter the multicast group IP address to be used for multicast mobility messages in the Multicast Address
text box. The local mobility member group address must be the same as the local controller group
address.
Step 5
In the Group Name text box, enter the name of the mobility group.
Step 6
Click Save.
Step 7
Repeat Steps 1 through 6 for the remaining WLC devices.
Setting the Mobility Scalability Parameters
Note
Mobility Groups must be configured prior to setting the mobility scalability parameters.
To set the mobility message parameters, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click an IP address of a controller whose software version is 5.0 or later.
Step 3
From the left sidebar menu, choose System > General.
Step 4
From the Multicast Mobility Mode drop-down list, specify if you want to enable or disable the ability
for the controller to use multicast mode to send Mobile Announce messages to mobility members.
Step 5
If you enabled multicast messaging by setting multicast mobility mode to enabled, you must enter the
group IP address at the Mobility Group Multicast-address field to begin multicast mobility messaging.
You must configure this IP address for the local mobility group but it is optional for other groups within
the mobility list. If you do not configure the IP address for other (non-local) groups, the controllers use
unicast mode to send mobility messages to those members.
Step 6
Click Save.
Configuring Controller Network Time Protocol
To add a new NTP Server, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > Network Time Protocol.
Step 4
From the Select a command drop-down list, choose Add NTP Server.
Step 5
Click Go.
Step 6
From the Select a template to apply to this controller drop-down list, choose the applicable template to
apply to this controller.
Command Buttons
•
Apply
•
Cancel
To create a New Template for NTP Servers, use the click here link to access the template creation page
(Configure NTP Servers > New Template).
NTP general parameters include the following:
•
Template Name—Enter the new NTP Template name.
Note
Template Name is the unique key used to identify the template. A template name is
mandatory to distinguish between two templates that have identical key attributes.
•
Server Address—Enter the NTP server IP address.
•
No. of Controllers Applied To—Number of controllers to which this template is applied (read-only).
Background Scanning on 1510s in Mesh Networks
Background scanning allows Cisco Aironet 1510 Access Points to actively and continuously monitor
neighboring channels for more optimal paths and parents. Because the access points are searching on
neighboring channels as well as the current channel, the list of optimal alternate paths and parents is
greater.
Identifying this information prior to the loss of a parent results in a faster transfer and the best link
possible for the access points. Additionally, access points might switch to a new channel if a link on that
channel is found to be better than the current channel in terms of fewer hops, stronger signal-to-noise
ratio (SNR), and so on.
Background scanning on other channels and data collection from neighbors on those channels are
performed on the primary backhaul between two access points:
The primary backhaul for 1510s operates on the 802.11a link.
Background scanning is enabled on a global basis on the associated controller of the access point.
Note
Latency might increase for voice calls when they are switched to a new channel.
Note
In the EMEA regulatory domain, locating neighbors on other channels might take longer given DFS
requirements.
Background Scanning Scenarios
A few scenarios are provided below to better illustrate how background scanning operates.
In Figure 9-1, when the mesh access point (MAP1) initially comes up, it is aware of both root access
points (RAP1 and RAP2) as possible parents. It chooses RAP2 as its parent because the route through
RAP2 is better in terms of hops, SNR, and so on. After the link is established, background scanning
(once enabled) continuously monitors all channels in search of a more optimal path and parent. RAP2
continues to act as parent for MAP1 and communicates on channel 2 until either the link goes down or
a more optimal path is located on another channel.
Figure 9-1 Mesh Access Point (MAP1) Selects a Parent
[Figure: MAP1, RAP1 (Channel 1 = 153), RAP2 (Channel 2 = 161)]
In Figure 9-2, the link between MAP1 and RAP2 is lost. Data from ongoing background scanning
identifies RAP1 and channel 1 as the next best parent and communication path for MAP1 so that link is
established immediately without the need for additional scanning after the link to RAP2 goes down.
Figure 9-2 Background Scanning Identifies a New Parent
[Figure: MAP1, RAP1 (Channel 1 = 153), RAP2 (Channel 2 = 161)]
Enabling Background Scanning
To enable background scanning on an AP1510 RAP or MAP, follow these steps:
Step 1
Choose Configure > Controllers.
Note
You can also enable this on the Controllers template. See the “Configuring Mesh Templates”
section on page 11-662.
Step 2
Choose Mesh > Mesh Settings from the left sidebar menu. The Mesh Settings page appears.
Step 3
Select the Background Scanning check box to enable background scanning or unselect it to disable the
feature. The default value is disabled.
Step 4
Click Save.
Configuring Controller QoS Profiles
To make modifications to the quality of service profiles, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > QoS Profiles. The following parameters appear:
•
Bronze—For Background
•
Gold—For Video Applications
•
Platinum—For Voice Applications
•
Silver—For Best Effort
Step 4
Click the applicable profile to view or edit profile parameters.
Step 5
Set the following values in the Per-User Bandwidth Contracts group box (all have a default of 0 or Off):
•
Average Data Rate—The average data rate for non-UDP traffic.
•
Burst Data Rate—The peak data rate for non-UDP traffic.
•
Average Real-time Rate—The average data rate for UDP traffic.
•
Burst Real-time Rate—The peak data rate for UDP traffic.
Step 6
Set the following values for the Over-the-Air QoS group box:
•
Maximum QoS RF Usage Per AP (%)—The maximum air bandwidth available to clients. The
default is 100%.
•
QoS Queue Depth—The depth of queue for a class of client. The packets with a greater value are
dropped at the access point.
Step 7
Set the following values in the WLAN QoS group box:
•
Maximum Priority
•
Unicast Default Priority
•
Multicast Default Priority
Step 8
Set the following value in the Wired QoS Protocol group box:
•
Wired QoS Protocol—Choose 802.1P to activate 802.1P priority tags or None to deactivate 802.1P
priority tags.
Step 9
Click Save.
Configuring Controller DHCP Scopes
This section contains the following topics:
•
Viewing Current DHCP Scopes, page 9-331
•
Adding a New DHCP Scope, page 9-331
Viewing Current DHCP Scopes
To view current DHCP (Dynamic Host Configuration Protocol) scopes, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > DHCP Scopes.
The following DHCP Scopes information appears:
•
Pool Address
•
Lease Time
•
Status
Adding a New DHCP Scope
To add a new DHCP Scope, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > DHCP Scopes.
Step 4
From the Select a command drop-down list, choose Add DHCP Scope.
Step 5
Enter the following information:
•
Scope Name
•
Lease Time (in seconds)
•
Network
•
Netmask
•
Pool Start Address
•
Pool End Address
•
DNS Domain Name
•
Status
•
Router Addresses—Enter which IP addresses are already in use and should therefore be excluded.
For example, you should enter the IP address of your company router. In doing so, this IP address
is blocked from use by another client.
•
DNS Servers—Enter the IP address of the DNS server(s). Each DNS server must be able to update
a client DNS entry to match the IP address assigned by this DHCP scope.
•
NetBios Servers—Enter the IP address of the Microsoft Network Basic Input Output System
(NetBIOS) name server(s), such as a Windows Internet Naming Service (WINS) server.
Step 6
Click Save.
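The scope fields listed in Step 5 depend on one another: the pool must sit inside the network that Network and Netmask define, and the router addresses are excluded from what clients can lease. The following Python code is an added example, not Cisco code, that checks a planned scope before it is entered; the Scope record, the finding codes, and the sample values are constructed, IPv4 is assumed, and the pool-overlap check between scopes goes beyond the fields listed above.

```python
"""Consistency check for planned controller DHCP scopes (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:                      # hypothetical record mirroring the Step 5 fields
    name: str
    lease_time: int               # seconds
    network: str
    netmask: str
    pool_start: str
    pool_end: str
    router_addresses: list = field(default_factory=list)
    dns_servers: list = field(default_factory=list)


def validate_scope(s):
    """Return (code, message) findings; an empty list means the scope is consistent."""
    findings = []
    if not isinstance(s.lease_time, int) or s.lease_time <= 0:
        findings.append(("LEASE_TIME", f"{s.name}: lease time must be a positive number of seconds"))
    try:
        # strict=True rejects a Network value that has host bits set
        net = ipaddress.ip_network(f"{s.network}/{s.netmask}", strict=True)
    except ValueError as exc:
        return findings + [("NETWORK", f"{s.name}: {exc}")]
    try:
        start = ipaddress.ip_address(s.pool_start)
        end = ipaddress.ip_address(s.pool_end)
    except ValueError as exc:
        return findings + [("BAD_ADDRESS", f"{s.name}: {exc}")]

    if start > end:
        findings.append(("POOL_ORDER", f"{s.name}: pool start is above pool end"))
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            findings.append(("POOL_RANGE", f"{s.name}: pool {label} {addr} is outside {net}"))
        elif addr in (net.network_address, net.broadcast_address):
            findings.append(("POOL_RESERVED", f"{s.name}: pool {label} {addr} is reserved"))

    # A router outside the scope's network is unreachable for its clients.
    for router in s.router_addresses:
        try:
            addr = ipaddress.ip_address(router)
        except ValueError as exc:
            findings.append(("BAD_ADDRESS", f"{s.name}: {exc}"))
            continue
        if addr not in net:
            findings.append(("ROUTER_OFF_NET", f"{s.name}: router {addr} is outside {net}"))
    return findings


def leasable_addresses(s):
    """Pool addresses left for clients once the router addresses are excluded."""
    start = int(ipaddress.ip_address(s.pool_start))
    end = int(ipaddress.ip_address(s.pool_end))
    excluded = {int(ipaddress.ip_address(r)) for r in s.router_addresses}
    return [str(ipaddress.ip_address(n)) for n in range(start, end + 1) if n not in excluded]


def overlapping_pools(scopes):
    """Pairs of scope names whose pools share at least one address."""
    ranges = [(s.name, int(ipaddress.ip_address(s.pool_start)),
               int(ipaddress.ip_address(s.pool_end))) for s in scopes]
    pairs = []
    for i, (name1, a1, b1) in enumerate(ranges):
        for name2, a2, b2 in ranges[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                pairs.append((name1, name2))
    return pairs


# Constructed sample values.
GUEST = Scope("guest-wired", 86400, "10.20.0.0", "255.255.255.0",
              "10.20.0.1", "10.20.0.10", ["10.20.0.1"], ["10.20.0.250"])
LAB = Scope("lab", 0, "10.30.0.0", "255.255.255.0",
            "10.30.0.200", "10.30.1.20", ["10.31.0.1"])

if __name__ == "__main__":
    for scope in (GUEST, LAB):
        for code, message in validate_scope(scope):
            print(f"{code}: {message}")
    print(len(leasable_addresses(GUEST)), "leasable addresses in", GUEST.name)
```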
Configuring Controller User Roles
This section contains the following topics:
•
Viewing Current Local Net User Roles, page 9-332
•
Adding a New Local Net User Role, page 9-332
Viewing Current Local Net User Roles
To view current local net user roles, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > User Roles.
The following Local Net User Role parameters appear:
•
Template Name
Note
Template Name is the unique key used to identify the template. A template name is
mandatory to distinguish between two templates that have identical key attributes.
•
Role Name
•
Average Data Rate—The average data rate for non-UDP traffic.
•
Burst Data Rate—The peak data rate for non-UDP traffic.
•
Average Real-time Rate—The average data rate for UDP traffic.
•
Burst Real-time Rate—The peak data rate for UDP traffic.
Step 4
Click a Template Name to view the User Role details.
Adding a New Local Net User Role
To add a new local net user role, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose System > User Roles.
Step 4
From the Select a command drop-down list, choose Add User Role.
Step 5
Select a template from the Select a template to apply to this controller drop-down list.
Step 6
Click Apply.
Note
To create a new template for local net user roles, click the click here link to access the template creation
page. See the “Configuring User Roles Controller Templates” section on page 11-563 for more
information about User Role templates.
Configuring a Global Access Point Password
The AP Username Password page enables you to set a global password that all access points inherit as
they join a controller. When you are adding an access point, you can also choose to accept this global
username and password or override it on a per-access point basis. See the “Configuring AP
Configuration Templates” section on page 11-679 to view where the global password is displayed and
how it can be overridden on a per-access point basis.
Also in controller software release 5.0, after an access point joins the controller, the access point enables
console port security and you are prompted for your username and password whenever you log into the
access point console port. When you log in, you are in non-privileged mode and you must enter the
enable password to use the privileged mode.
To establish a global username and password, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of a controller running Release 5.0 or later.
Step 3
From the left sidebar menu, choose System > AP Username Password.
Step 4
Enter the username and password that you want to be inherited by all access points that join the
controller.
Note
For Cisco IOS access points, you must also enter and confirm an enable password.
Step 5
Click Save.
Configuring Global CDP
Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network
equipment. Each device sends identifying messages to a multicast address, and each device monitors the
messages sent by other devices.
Note
CDP is enabled on the Ethernet and radio ports of a bridge by default.
Note
Global Interface CDP configuration is applied to only the APs with CDP enabled at AP level.
To configure a Global CDP, perform the following steps:
Step 1
Choose Configure > Controllers.
Step 2
Choose the IP address of the desired controller.
Step 3
From the left sidebar menu, choose System > Global CDP Configuration.
The Global CDP Configuration page appears.
Step 4
In the Global CDP group box, configure the following parameters:
•
CDP on controller—Choose to enable or disable CDP on the controller.
Note
This configuration cannot be applied on WiSM2 controllers.
•
Global CDP on APs—Choose to enable or disable CDP on the access points.
•
Refresh-time Interval (seconds)—In the Refresh Time Interval field, enter the time in seconds at
which CDP messages are generated. The default is 60.
•
Holdtime (seconds)—Enter the time in seconds before the CDP neighbor entry expires. The default
is 180.
•
CDP Advertisement Version—Enter which version of the CDP protocol to use. The default is v1.
Step 5
In the CDP for Ethernet Interfaces group box, select the slots of Ethernet interfaces for which you want
to enable CDP.
Note
CDP for Ethernet Interfaces fields are supported for Controller Release 7.0.110.2 and later.
Step 6
In the CDP for Radio Interfaces group box, select the slots of Radio interfaces for which you want to
enable CDP.
Note
CDP for Radio Interfaces fields are supported for Controller Release 7.0.110.2 and later.
Step 7
Click Save.
Configuring AP 802.1X Supplicant Credentials
You can configure 802.1X authentication between lightweight access points and the switch. The access
point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous
PAC provisioning. You can set global authentication settings that all access points inherit as they join
the controller. This includes all access points that are currently joined to the controller and any that join
in the future.
If desired, you can override the global authentication settings and assign unique authentication settings
for a specific access point. See the “Configuring Access Point Details” section on page 9-457 for more
information.
To enable global supplicant credentials, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Choose the IP address of the desired controller.
Step 3
From the left sidebar menu, choose System > AP 802.1X Supplicant Credentials.
Step 4
Select the Global Supplicant Credentials check box.
Step 5
Enter the supplicant username.
Step 6
Enter and confirm the applicable password.
Step 7
Click Save.
Note
Once saved, you can click Audit to perform an audit on this controller. See the “Understanding
the Controller Audit Report” section on page 9-277.
Configuring Controller DHCP
To configure DHCP (Dynamic Host Configuration Protocol) information for a controller, follow these
steps:
Step 1
Choose Configure > Controllers.
Step 2
Choose the IP address of the desired controller.
Step 3
From the left sidebar menu, choose System > DHCP.
Step 4
Add or modify the following parameters:
•
DHCP Option 82 Remote Id Field Format—Choose AP-MAC, AP-MAC-SSID, AP-ETHMAC, or
AP-NAME-SSID from the drop-down list.
Note
To set the format for RemoteID field in DHCP option 82:
If Ap-Mac is selected, then set the RemoteID format as AP-Mac. If Ap-Mac-ssid is selected,
then set the RemoteID format as AP-Mac:SSID.
•
DHCP Proxy—Select the check box to enable DHCP by proxy.
Note
When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from
the client to the configured servers. Consequently, at least one DHCP server must be
configured on either the interface associated with the WLAN or the WLAN itself.
Step 5
Enter the DHCP Timeout in seconds after which the DHCP request times out. The default setting is 5.
Allowed values range from 5 to 120 seconds.
Note
DHCP Timeout is applicable for Controller Release 7.0.114.74 and later.
Step 6
Click Save.
Note
Once saved, you can click Audit to perform an audit on this controller. See the “Understanding
the Controller Audit Report” section on page 9-277.
Configuring Controller Multicast Mode
Prime Infrastructure provides an option to configure IGMP (Internet Group Management Protocol)
snooping and timeout values on the controller.
To configure multicast mode and IGMP snooping for a controller, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the desired controller.
Step 3
From the left sidebar menu, choose System > Multicast.
Step 4
Choose Disable, Unicast, or Multicast from the Ethernet Multicast Support drop-down list.
Note
IGMP Snooping and timeout can be set only if Ethernet Multicast mode is Enabled.
Step 5
If Multicast is selected, enter the multicast group IP address.
Step 6
Select the Enable Global Multicast Mode check box to make the multicast mode available globally.
Step 7
Select to enable IGMP Snooping.
Step 8
Choose Enable from the Multicast Mobility Mode drop-down list to change the IGMP snooping status
or to set the IGMP timeout. When IGMP snooping is enabled, the controller gathers IGMP reports from
the clients and then sends each access point a list of the clients listening to any multicast group. The
access point then forwards the multicast packets only to those clients.
The timeout interval has a range of 3 to 300 and a default value of 60. When the timeout expires, the
controller sends a query to all WLANs. Those clients which are listening in the multicast group then send
a packet back to the controller.
Step 9
If you enabled the Multicast Mobility Mode, enter the mobility group multicast address.
Step 10
Select the Multicast Direct feature check box to enable videos to be streamed over a wireless network.
Step 11
Choose Enable from the Multicast Mobility Mode drop-down list to change MLD configuration.
Step 12
Select the Enable MLD Snooping check box to enable IPv6 MLD snooping. If you have selected this
check box, configure the following parameters:
•
MLD Timeout—Enter the MLD timeout value in seconds. The timeout has a range of 3 to 7200 and
a default value of 60.
•
MLD Query Interval—Enter the MLD query interval timeout value in seconds. The interval has a
range of 15 to 2400 and a default value of 20.
Note
Internet Group Management Protocol (IGMP) snooping enables you to limit the flooding of
multicast traffic for IPv4. For IPv6, Multicast Listener Discovery (MLD) snooping is used.
Step 13
Specify the Session Banner information, which is the error information sent to the client if the client is
denied or dropped from a Media Stream.
a.
State—Select the check box to activate the Session Banner. If not activated, the Session Banner is
not sent to the client.
b.
URL—A web address reported to the client
c.
Email—An e-mail address reported to the client
d.
Phone—A telephone number reported to the client
e.
Note—A note reported to the client
Note
All Media Streams on a Controller share this configuration.
Step 14
Click Save.
Note
Once saved, you can click Audit to perform an audit on this controller. See the “Understanding
the Controller Audit Report” section on page 9-277.
Configuring Access Point Timer Settings
Advanced timer configuration for FlexConnect and local mode is available for the controller on Prime
Infrastructure.
Note
This feature is only supported on Release 6.0 controllers and later.
•
Configuring Advanced Timers, page 9-337
•
Access Point Timer Settings for Local Mode, page 9-338
•
Access Point Timer Settings for FlexConnect Mode, page 9-338
Configuring Advanced Timers
To configure the advanced timers, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Choose the controller for which you want to set timer configuration.
Step 3
From the left sidebar menu, choose System > AP Timers.
Step 4
Select the applicable access point mode (Local mode or FlexConnect mode).
Step 5
See the “Access Point Timer Settings for Local Mode” section on page 9-338 or the “Access Point Timer
Settings for FlexConnect Mode” section on page 9-338 for more information on each mode
configuration.
Access Point Timer Settings for Local Mode
To reduce the failure detection time, you can configure the fast heartbeat interval (between the controller
and the access point) with a smaller timeout value. When the fast heartbeat timer expires (at every
heartbeat interval), the access point determines if any data packets have been received from the controller
within the last interval. If no packets have been received, the access point sends a fast echo request to
the controller. You can then enter a value between 10 and 15 seconds.
Access Point Timer Settings for FlexConnect Mode
Once selected, you can configure the FlexConnect timeout value. Select the AP Primary Discovery
Timeout check box to enable the timeout value. Enter a value between 30 and 3600 seconds.
Note
5500 series controllers accept access point fast heartbeat timer values in the range of 1-10.
Configuring Controller WLANs
Because controllers can support 512 WLAN configurations, the Prime Infrastructure provides an
effective way to enable or disable multiple WLANs at a specified time for a given controller.
To view a summary of the wireless local area networks (WLANs) that you have configured on your
network, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose WLANs > WLAN Configuration. The Configure WLAN Summary
page appears. This WLAN Configuration page contains the values found in Table 9-1.
Table 9-1 WLAN Configuration Summary Page
Field | Description
Check box | Select the WLAN for deletion. Choose Delete WLANs from the Select a command drop-down list.
WLAN ID | Identification number of the WLAN.
Profile Name | User-defined profile name specified when creating the WLAN template. Profile Name is the WLAN name.
SSID | Service Set Identifier being broadcast by.
WLAN/Guest LAN | Specifies if it is a WLAN or guest LAN.
Security Policies | Security policies enabled on the WLAN.
Status | Status of the WLAN is either enabled or disabled.
Task List | If a task is scheduled in Configure > Scheduled Configuration Tasks, you have a link to view the scheduled configuration task.
Viewing WLAN Details
To view WLAN details, choose WLANs. The WLAN Details page appears.
Use the tabs (General, Security, QoS, and Advanced) to view or edit parameters for the WLAN.
This section contains the following topics:
•
General Tab, page 9-339
•
Security Tab, page 9-340
•
QoS Tab, page 9-345
•
Advanced Tab, page 9-346
General Tab
The General tab includes the following information:
Note
Depending on the WLAN template used for this controller, these parameters might or might not be
available.
•
Guest LAN—Indicates whether or not this WLAN is a Guest LAN.
•
Profile Name
•
SSID
•
Status—Select the Enabled check box to enable this WLAN.
Note
To configure a start time for the WLAN status to be enabled, select the Schedule Status
check box. Choose the hours and minutes from the drop-down lists. Click the calendar icon
to select the applicable date.
•
Schedule Status
•
Security Policies—Identifies the security policies set using the Security tab (includes security
policies such as None, 802.1X, Static WEP, Static WEP-802.1X, WPA+WPA2, and CKIP). Changes
to the security policies appear after the page is saved.
•
Radio Policy—Choose any of the following from the drop-down list:
– All, 802.11a only, 802.11g only, 802.11b/g only, 802.11a/g only.
•
Interface/Interface Group—Choose from the drop-down list.
•
Broadcast SSID—Select the check box to enable.
•
Egress Interface—Select the name of the applicable interface. This WLAN provides a path out of
the controller for wired guest client traffic.
Note
If you only have one controller in the configuration, choose Management from the Egress
Interface drop-down list.
•
Ingress Interface—Choose the applicable VLAN from the drop-down list. This interface provides a
path between the wired guest client and the controller by way of the Layer 2 access switch.
Security Tab
The Security tab includes three additional tabs: Layer 2, Layer 3, and AAA Servers.
Layer 2 Security
Use the Layer 2 Security drop-down list to choose between None, 802.1x, Static WEP, Cranite, Static
WEP-802.1x, WPA1+WPA2, and CKIP. These parameters are described in Table 9-2.
Mac Filtering—Select the check box if you want to filter clients by MAC address.
Note
Mac Filtering, Max-Clients, and Client Profiling are not supported with FlexConnect Local
Authentication.
Table 9-2
Layer 2 Security Options
Field
Description
None
•
No Layer 2 security selected.
– FT Enable—Select the check box to enable Fast Transition (FT)
between access points.
Note
The fast transition feature is not supported with FlexConnect mode.
– Over the DS—Select the check box to enable the fast transition over
a distributed system.
– Reassociation Timeout—Time in seconds after which fast
transition reassociation times out. The default is 20 seconds, and
the valid range is 1 to 100.
Note
To enable Over the DS or Reassociation Timeout, you should enable
fast transition.
802.1x
802.11 Data Encryption:
•
Type—WEP
•
Key Size—40, 104, or 128 bits.
Static WEP
802.11 Data Encryption:
•
Type
•
Key Size—Not set, 40, 104, or 128 bits.
•
Key Index—1 to 4.
•
Encryption Key
•
Encryption Key Format—ASCII or HEX.
•
Allowed Shared Key Authentication—Select the check box to enable
shared key authentication.
Cranite
Configure the WLAN to use the FIPS140-2 compliant Cranite Wireless Wall
Software Suite, which uses AES encryption and VPN tunnels to encrypt and
verify all data frames carried by the Cisco Wireless LAN Solution.
Static WEP-802.1X
Use this setting to enable both Static WEP and 802.1X policies. If this
option is selected, static WEP and 802.1X parameters are displayed at the
bottom of the page.
Static WEP encryption parameters:
•
802.11 Data Encryption
– Type
– Key Size—Not set, 40, 104, or 128 bits.
– Key Index—1 to 4.
– Encryption Key
– Encryption Key Format—ASCII or HEX.
•
Allowed Shared Key Authentication—Select the check box to enable.
WPA+WPA2
Use this setting to enable WPA, WPA2, or both. WPA enables Wi-Fi
Protected Access with TKIP-MIC Data Encryption or AES. When
WPA+WPA2 is selected, you can use Cisco Centralized Key Management
(CCKM) authentication key management, which allows fast exchange when
a client roams from one access point to another.
When WPA+WPA2 is selected as the Layer 2 security policy and preshared
key is enabled, neither CCKM nor 802.1X can be enabled, although CCKM
and 802.1X can both be enabled at the same time.
•
Mac Filtering—Enables MAC address filtering.
Note
Mac Filtering and Max-Clients are not supported with FlexConnect
Local Authentication.
•
FT Enable—Select the check box to enable fast transition between
access points.
Note
Fast transition is not supported with FlexConnect mode.
– Over the DS—Select the check box to enable the fast transition over
a distributed system.
– Reassociation Timeout—Time in seconds after which fast
transition reassociation times out. The default is 20 seconds, and
the valid range is 1 to 100.
Note
To enable Over the DS or Reassociation Timeout, fast transition
should be enabled.
WPA+WPA2 parameters:
•
WPA1—Select the check box to enable WPA1.
•
WPA2—Select the check box to enable WPA2.
Authentication Key Management:
•
FT802.1X—Select the check box to enable FT802.1X.
•
802.1X—Select the check box to enable 802.1X.
•
CCKM—Select the check box to enable CCKM.
•
PSK—Select the check box to enable PSK.
•
FTPSK—Select the check box to enable FTPSK.
Note
Enable WPA2 and fast transition to set FT802.1X or FTPSK.
CKIP
Cisco Key Integrity Protocol. A Cisco access point advertises support for
CKIP in beacon and probe response packets. CKIP can be configured only
when Aironet IE is enabled on the WLAN.
Note
CKIP is not supported on 10xx access points.
CKIP parameters:
•
802.11 Data Encryption
– Type
– Key Size—Not set, 40, 104, or 128 bits.
– Key Index—1 to 4.
– Encryption Key
– Encryption Key Format—ASCII or HEX.
•
MMH Mode—Select the check box to enable.
•
Key Permutation—Select the check box to enable.
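The dependencies that Table 9-2 and its notes state between Layer 2 security fields can be checked offline before a profile is saved. The following is an added example, not code from Cisco or from this guide; the dictionary keys, sample profiles, and function names are hypothetical, and the final warning reflects general knowledge about WEP rather than a statement in the guide.

```python
"""Lint WLAN Layer 2 security settings against the rules stated in Table 9-2.

Every dictionary key below is a hypothetical name chosen for this example;
it is not a Prime Infrastructure or controller export format.
"""

WEP_KEYED = {"Static WEP", "Static WEP-802.1X", "CKIP"}
KEY_SIZES = {None, 40, 104, 128}  # None models the "Not set" choice


def lint_layer2(wlan):
    """Return a list of (severity, message) findings for one WLAN profile."""
    out = []
    l2 = wlan.get("layer2", "None")
    ft = wlan.get("ft_enable", False)
    akm = set(wlan.get("akm", ()))

    # Fast transition dependencies (rows "None" and "WPA+WPA2").
    if wlan.get("over_the_ds") and not ft:
        out.append(("error", "Over the DS requires FT Enable"))
    timeout = wlan.get("reassociation_timeout")
    if timeout is not None:
        if not ft:
            out.append(("error", "Reassociation Timeout requires FT Enable"))
        if not 1 <= timeout <= 100:
            out.append(("error", "Reassociation Timeout must be 1 to 100 seconds"))

    # FlexConnect restrictions from the notes.
    if ft and wlan.get("flexconnect_mode"):
        out.append(("error", "fast transition is not supported with FlexConnect mode"))
    if wlan.get("mac_filtering") and wlan.get("flexconnect_local_auth"):
        out.append(("error", "MAC filtering is not supported with FlexConnect Local Authentication"))

    # WPA+WPA2 key-management combinations.
    if l2 == "WPA+WPA2":
        if "PSK" in akm and akm & {"CCKM", "802.1X"}:
            out.append(("error", "PSK cannot be combined with CCKM or 802.1X"))
        if akm & {"FT802.1X", "FTPSK"} and not (wlan.get("wpa2") and ft):
            out.append(("error", "FT802.1X and FTPSK require WPA2 and FT Enable"))

    # Static key material (Static WEP, Static WEP-802.1X, CKIP rows).
    if l2 in WEP_KEYED:
        if wlan.get("key_size") not in KEY_SIZES:
            out.append(("error", "Key Size must be 40, 104, or 128 bits"))
        index = wlan.get("key_index")
        if index is not None and not 1 <= index <= 4:
            out.append(("error", "Key Index must be 1 to 4"))
    if l2 == "CKIP" and not wlan.get("aironet_ie"):
        out.append(("error", "CKIP requires Aironet IE on the WLAN"))

    # General knowledge, not a statement from the guide: WEP-based options
    # and "None" give little or no link-layer confidentiality.
    if l2 == "None" or l2 in WEP_KEYED:
        out.append(("warn", "Layer 2 policy %r offers weak or no encryption" % l2))
    return out


# Constructed sample profiles (not taken from any real controller).
SAMPLE_PROFILES = [
    {"name": "corp", "layer2": "WPA+WPA2", "wpa2": True, "ft_enable": True,
     "akm": ["802.1X", "FT802.1X"], "over_the_ds": True,
     "reassociation_timeout": 20},
    {"name": "guest", "layer2": "WPA+WPA2", "wpa1": True, "wpa2": False,
     "akm": ["PSK", "CCKM", "FTPSK"], "over_the_ds": True},
    {"name": "legacy", "layer2": "CKIP", "key_size": 64, "key_index": 5,
     "aironet_ie": False},
]


def audit(profiles):
    """Map each profile name to its list of findings."""
    return {p["name"]: lint_layer2(p) for p in profiles}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PROFILES).items():
        print(name, "OK" if not findings else "")
        for severity, message in findings:
            print("  [%s] %s" % (severity, message))
```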
Layer 3 Security
Use the Layer 3 Security drop-down list to choose between None, VPN Pass Through, and IPsec
(Internet Protocol Security). The page parameters change according to the selection you make.
Note
Depending on the type of WLAN, the Layer 3 parameters might or might not be available.
Note
If you choose VPN pass through, you must enter the VPN gateway address.
Note
IPsec is a suite of protocols for securing IP communications by authenticating and/or
encrypting each IP packet in a data stream. IPsec also includes protocols for establishing
cryptographic keys.
Web Policy—Select the check box to specify policies such as authentication, pass through,
conditional web redirect, or WebAuth on MAC Filter Failure. This section also allows you to enable
guest users to view customized login pages.
Note
If you choose Pass Through, the Email Input check box appears. Select this check box if you
want users to be prompted for their e-mail addresses when attempting to connect to the
network.
Preauthentication ACL—Lists IPv4, IPv6, and WebAuth ACLs to be used for traffic between the
client and the controller.
Note
IPv6 ACL mapping for WLANs is supported from Controller Release 7.2.x.
To allow guest users to view customized login pages, follow these steps:
Step 1
Unselect the Global WebAuth Configuration check box.
Step 2
Choose Web Auth Type from the drop-down list on the Security > Layer 3 tab.
•
Default Internal—The guest user receives the default login page.
•
Customized WebAuth—Customized login pages can be downloaded from the Upload/Download
Commands page. See the “Downloading a Customized Web Authentication Page” section on
page 11-614 for more information.
– Choose Web Auth Login Page, Web Auth Login Failure Page, or Web Auth Logout Page
from the drop-down lists.
– Choose None from any of the drop-down lists if you do not want to display a customized page
for that option.
•
External—The guest user is redirected to an external login page. Enter the login page URL in the
External Web Auth URL text box.
Note
If External is selected, you can select up to three RADIUS and LDAP servers in the Security
> AAA page. See the “AAA Servers” section on page 9-344 for more information.
AAA Servers
Select RADIUS and LDAP servers to override use of default servers on the current WLAN.
– RADIUS Servers—Use the drop-down lists to choose authentication and accounting servers.
With this selection, the default RADIUS server for the specified WLAN overrides the RADIUS
server that is configured for the network. If all three RADIUS servers are configured for a
particular WLAN, server 1 has the highest priority, and so on.
– LDAP Servers—If no LDAP servers are chosen from the drop-down lists, the Prime
Infrastructure uses the default LDAP server order from the database.
– Local EAP Authorization—Allows users and wireless clients to be authenticated locally. It is
designed for use in remote offices that want to maintain connectivity to wireless clients when
the back-end system becomes disrupted or the external authentication server fails.
Select the check box to enable if you have an EAP profile configured. Select the profile from
the drop-down list.
– Allow AAA Override—When enabled, if a client has conflicting AAA and controller WLAN
authentication parameters, client authentication is performed by the AAA server.
As part of this authentication, the operating system moves clients from the default Cisco WLAN
solution to a VLAN returned by the AAA server and predefined in the controller interface
configuration (only when configured for MAC filtering, 802.1X, or WPA operation).
In all cases, the operating system also uses QoS and ACL provided by the AAA server as long
as they are predefined in the controller interface configuration. (This VLAN switching by AAA
override is also referred to as identity networking.)
When AAA override is disabled, all client authentication defaults to the controller
authentication parameter settings, and authentication is only performed by the AAA server if
the controller WLANs do not contain any client-specific authentication parameters.
QoS Tab
•
Quality of service (QoS)—From the drop-down list, choose Platinum (voice), Gold (video), Silver
(best effort), or Bronze (background).
– Services such as VoIP should be set to gold. Non-discriminating services such as text messaging
can be set to bronze.
•
NBAR Visibility—Check box that you enable to view the classification of applications based on the
Network Based Application Recognition (NBAR) deep packet inspection technology.
•
AVC Profile—Drop-down list from which you can choose an Application Visibility and Control
(AVC) profile for the WLAN.
•
Netflow Monitor—Drop-down list from which you can choose a Netflow monitor for the WLAN.
•
Override Per-User Rate Limits—The wireless rate limits can be defined on both upstream and
downstream traffic. To define the data rates on a per-user basis, configure the following:
– Average Data Rate—Define the average data rate for TCP traffic per user or per SSID by
entering the rate in Kbps in the Average Data Rate text boxes. A value of 0 imposes no
bandwidth restriction on the profile.
– Burst Data Rate—Define the peak data rate for TCP traffic per user or per SSID by entering the
rate in Kbps in the Burst Data Rate text boxes. A value of 0 imposes no bandwidth restriction
on the profile. The Burst Data Rate should be greater than or equal to the Average Data Rate.
Otherwise, the QoS policy may block traffic to and from the wireless client.
– Average Real-Time Rate—Define the average real-time rate for UDP traffic per user or per
SSID by entering the rate in Kbps in the Average Real-Time Rate text boxes. A value of 0
imposes no bandwidth restriction on the profile.
– Burst Real-Time Rate—Define the peak real-time rate for UDP traffic per user or per SSID by
entering the rate in Kbps in the Burst Real-Time Rate text boxes. A value of 0 imposes no
bandwidth restriction on the profile. The Burst Real-Time Rate should be greater than or equal
to the Average Real-Time Rate. Otherwise, the QoS policy may block traffic to and from the
wireless client.
•
Override Per-SSID Rate Limits—To define the data rates on a per SSID basis, configure the
following:
– Average Data Rate—Define the average data rate for TCP traffic per user or per SSID by entering
the rate in Kbps in the Average Data Rate text boxes. A value of 0 imposes no bandwidth
restriction on the profile.
– Burst Data Rate—Define the peak data rate for TCP traffic per user or per SSID by entering the
rate in Kbps in the Burst Data Rate text boxes. A value of 0 imposes no bandwidth restriction
on the profile. The Burst Data Rate should be greater than or equal to the Average Data Rate.
Otherwise, the QoS policy may block traffic in the WLANs.
– Average Real-Time Rate—Define the average real-time rate for UDP traffic per user or per
SSID by entering the rate in Kbps in the Average Real-Time Rate text boxes. A value of 0
imposes no bandwidth restriction on the profile.
– Burst Real-Time Rate—Define the peak real-time rate for UDP traffic per user or per SSID by
entering the rate in Kbps in the Burst Real-Time Rate text boxes. A value of 0 imposes no
bandwidth restriction on the profile. The Burst Real-Time Rate should be greater than or equal
to the Average Real-Time Rate. Otherwise, the QoS policy may block traffic in the WLANs.
•
WMM Parameters
– WMM Policy—Choose Disabled, Allowed (to allow clients to communicate with the WLAN),
or Required (to make it mandatory for clients to have WMM enabled for communication).
– 7920 AP CAC—Select the check box to enable support on Cisco 7920 phones.
– 7920 Client CAC—Select the check box to enable WLAN support for older versions of the
software on 7920 phones. The CAC limit is set on the access point for newer versions of
software.
Advanced Tab
•
FlexConnect Local Switching—Select this check box to enable FlexConnect local switching. When
enabled, the FlexConnect access point handles client authentication and switches client packets
locally. See the “Configuring FlexConnect” section on page 12-702 for more information.
Note
FlexConnect local switching applies only to Cisco 1130/1240/1250 series access points. It
is not supported with L2TP, PPTP, CRANITE, and FORTRESS authentications. It does not
apply to WLAN IDs 9-16.
•
Enable FlexConnect local authentication by selecting the FlexConnect Local Auth check box.
Local authentication is useful where you cannot maintain the criteria for a remote office setup: a
minimum bandwidth of 128 kbps, a round-trip latency no greater than 100 ms, and a
maximum transmission unit (MTU) no smaller than 500 bytes. In local switching, the authentication
capabilities are present in the access point itself. Therefore, local authentication reduces the latency
requirements of the branch office.
Note
Local authentication can only be enabled on the WLAN of a FlexConnect AP that is in local
switching mode.
Local authentication is not supported in the following scenarios:
– Guest Authentication cannot be performed on a FlexConnect local authentication-enabled
WLAN.
– RRM information is not available at the controller for the FlexConnect local
authentication-enabled WLAN.
– Local RADIUS is not supported.
– Once the client has been authenticated, roaming is supported only after the WLC and the other
FlexConnects in the group are updated with the client information.
•
Session Timeout (secs)—Set the maximum time a client session can continue before
reauthentication.
•
Override Interface ACL—Lists IPv4 and IPv6 access control list (ACL) that overrides the ACL
configured for the interface on this WLAN.
•
Learn Client IP Address—When you enable hybrid-REAP local switching, the Learn Client IP
Address check box is enabled by default. However, if the client is configured with Fortress Layer 2
encryption, the controller cannot learn the client IP address, and the controller periodically drops
the client. Disable this option so that the controller maintains the client connection without waiting
to learn the client IP address. The ability to disable this option is supported only with hybrid-REAP
local switching; it is not supported with hybrid-REAP central switching.
•
VLAN Based Central Switching—Select or unselect the VLAN based Central Switching check box
to enable or disable central switching on a locally switched WLAN based on AAA overridden
VLAN.
•
Central DHCP Processing—Select or unselect the Central DHCP Processing check box to enable or
disable the feature. When you enable this feature, the DHCP packets received from AP are centrally
switched to the controller and then forwarded to the corresponding VLAN based on the AP and the
SSID.
•
Override DNS—Select or unselect the Override DNS check box to enable or disable the overriding
of the DNS server address on the interface assigned to the locally switched WLAN. When you
override DNS in centrally switched WLANs, the clients get their DNS server IP address from the
AP, not from the controller.
•
NAT-PAT—Select or unselect the NAT-PAT check box to enable or disable Network Address
Translation (NAT) and Port Address Translation (PAT) on locally switched WLANs. You must
enable Central DHCP Processing to enable NAT and PAT.
•
Aironet IE—Select the check box to enable support for Aironet information elements (IEs) for this
WLAN.
– If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the
access point name, load, number of associated clients, and so on) in the beacon and probe
responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains
the management IP address of the controller and the IP address of the access point) in the
reassociation response if it receives Aironet IE 0x85 in the association request.
•
IPv6—Select the check box to enable IPv6.
Note
Layer 3 security must be set to None for IPv6 to be enabled.
•
Diagnostic Channel—Click to enable the diagnostics. When enabled, clients can connect to this
WLAN for diagnostic purposes.
Note
The results of the diagnostic tests are stored in the SNMP table, and the Prime Infrastructure
polls these tables to display the results.
•
Override Interface ACL—Choose a defined access control list (ACL) from the drop-down list. When
the ACL is selected, the WLAN associates the ACL to the WLAN.
Note
Choosing an ACL is optional, and the default is None.
For more information, see the “Configuring an Access Control List Template” section on
page 11-617.
•
Peer to Peer Blocking—From the drop-down list, choose Disable, Drop, or Forward-Up Stream.
– This option allows users to configure peer-to-peer blocking for individual clients rather than
universally for all WLAN clients.
Note
For controller Release 7.2.x and later, Forward Up Stream is the same as Drop for locally
switched clients.
•
Wi-Fi Direct Client Policy—Devices that are Wi-Fi Direct capable can connect directly to each other
quickly and conveniently to do tasks such as printing, synchronization, and sharing of data. Wi-Fi
Direct devices might associate with multiple peer-to-peer (P2P) devices and with infrastructure
wireless LANs (WLANs) concurrently. You can use the controller to configure the Wi-Fi Direct
Client Policy, on a per-WLAN basis, where you can allow or disallow association of Wi-Fi devices
with infrastructure WLANs, or disable Wi-Fi Direct Client Policy for WLANs altogether. From the
Wi-Fi Direct Clients Policy drop-down list, choose one of the following options:
– Disabled—Disables the Wi-Fi Direct Clients Policy for the WLAN and deauthenticates all
Wi-Fi Direct capable clients.
– Allow—Allows the Wi-Fi Direct clients to associate with an infrastructure WLAN.
– Not-Allow—Disallows the Wi-Fi Direct clients from associating with an infrastructure WLAN.
Note
The Wi-Fi Direct Clients Policy is applicable to WLANs that have APs in local mode only.
Note
The Wi-Fi Direct Clients Policy is applicable for controller Release 7.2.x and later.
•
Client Exclusion—Select the check box to enable automatic client exclusion. If it is enabled, set the
timeout value in seconds for disabled client machines.
– Client machines are excluded by MAC address, and their status can be observed.
– A timeout setting of 0 indicates that administrative control is required to reenable the client.
Note
When session timeout is not set, the excluded client remains and does not time out from the
excluded state. It does not imply that the exclusion feature is disabled.
•
Media Session Snooping—Select the check box to enable media session snooping. This feature
enables access points to detect the establishment, termination, and failure of voice calls and then
report them to the controller and Prime Infrastructure. It can be enabled or disabled for each WLAN.
When media session snooping is enabled, the access point radios that advertise this WLAN snoop for
Session Initiation Protocol (SIP) voice packets. Any packets destined to or originating from port
number 5060 are considered for further inspection. The access point tracks whether Wi-Fi
Multimedia (WMM) and non-WMM clients are establishing a call, already on an active call, or in
the process of ending a call and then notifies the controller of any major call events.
•
KTS based CAC—Select the check box to enable KTS-based CAC support per WLAN.
WLC supports TSPEC-based CAC and SIP based CAC. But there are certain phones that work with
different protocols for CAC, which are based on the Key Telephone System (KTS). For supporting
CAC with KTS-based SIP clients, WLC should understand and process the bandwidth request
message from those clients, to allocate the required bandwidth on the AP radio, in addition to
handling and sending certain other messages, as part of this protocol.
Note
The KTS CAC configuration is only supported by Cisco 5508, 7500, WISM2, and 2500
controllers that run controller software Release 7.2.x. This feature is not supported by Cisco
4400 series controllers.
Note
The voice parameters appear only if you choose Platinum (voice) from the quality of service
(QoS) drop-down list on the QoS tab.
•
NAC State—From the NAC State drop-down list, choose SNMP NAC or Radius NAC. SIP errors
that are discovered generate traps that appear on the Client Troubleshooting and Alarms pages. The
controller can integrate with the NAC appliance in out-of-band mode, where the NAC appliance
remains in the data path only until clients have been analyzed and cleaned. Out-of-band mode
reduces the traffic load on the NAC appliance and enables centralized NAC processing. See the
“NAC Integration” section on page 9-318 for more information.
Note
You can enable RADIUS NAC on WLAN with open authentication and MAC filtering. If
you are using local web authentication with RADIUS NAC, the Layer 3 web authentication
must also be enabled.
•
Passive Client—If the check box is selected, it enables passive clients on your WLAN.
Passive clients are wireless devices like scales and printers that are configured with a static IP
address. These clients do not transmit any IP information such as IP address, subnet mask, and
gateway information during association with an access point. As a result, when passive clients are
used, the controller never knows the IP address unless they use DHCP.
Wireless LAN controllers currently act as a proxy for ARP requests. On receiving an ARP request,
the controller responds with an ARP response instead of passing the request directly to the client.
This has two advantages:
– The upstream device that sends out the ARP request to the client cannot know where the client
is located.
– Battery-operated devices like mobile phones and printers conserve power because they do not
need to respond to every ARP request.
Because the wireless controller does not have any IP-related information about passive clients, it
cannot respond to any ARP requests. The current behavior does not allow the transfer of ARP
requests to passive clients. Therefore, any application that tries to access a passive client fails.
This feature enables ARP requests and responses to be exchanged between wired and wireless
clients on a per VLAN/WLAN basis. This feature enables the user to mark a desired WLAN for
presence of proxy ARP thereby enabling the controller to pass the ARP requests until the client gets
to RUN state.
Note
This feature is supported only on the 2100, 5500, 5760 and 3850 series controllers.
•
DTIM Period (in beacon intervals)—For 802.11a/n and 802.11b/g/n, specify the frequency of the
DTIM packet sent in the wireless medium. This period can be configured for every WLAN (except
guest WLAN) on all Version 6.0 and later controllers.
•
DHCP
– DHCP Server—Select the check box to override the DHCP server, and enter the IP address of
the DHCP server.
Note
For some WLAN configurations, this setting is required.
– DHCP Addr. Assignment—If you select the Required check box, clients connected to this
WLAN get an IP address from the default DHCP server.
•
Management Frame Protection (MFP)
– MFP Signature Generation—If the check box is selected, it enables signature generation for the
802.11 management frames transmitted by an access point associated with this WLAN. With
signature generation, changes to the transmitted management frames by an intruder are detected
and reported.
– MFP Client Protection—From the drop-down list, choose Enabled, Disabled, or Required for
individual WLAN configurations.
Note
The Enabled parameter is the same as the Optional parameter that you choose from the
MFP Client Protection drop-down list in the WLC graphical user interface.
– MFP Version—Displays the Management Frame Protection version.
Note
Client-side MFP is available only for those WLANs configured to support CCXv5 (or later)
clients. In addition, WPA1 must first be configured.
•
Foreign Controller Mapping—Click this link to configure foreign controller mappings. This takes
you to the Foreign Controller configuration page. In this configuration page, choose a foreign
controller from the Foreign Controller drop-down list and choose an interface or interface group
from the Interface/Interface Group drop-down list. After choosing the required options, click Add
to complete the adding of a foreign controller.
•
Client Profiling—Select the check box to enable or disable profiling of all the clients that are
associated with the WLAN.
Note
Client Profiling is not supported with FlexConnect local authentication.
Note
Client Profiling is configurable only when you select the DHCP Address Assignment
check box.
Note
Client profiling is supported for controllers Release 7.2.x.
•
mDNS Snooping—Select the mDNS Snooping check box to enable mDNS snooping on the WLAN.
•
mDNS Profile—From the mDNS Profile drop-down list, choose the mDNS profile for the WLAN.
The default value is default-mdns-profile.
Configuring Mobile Concierge (802.11u)
Mobile Concierge is a solution that enables 802.1X capable clients to interwork with external networks.
The Mobile Concierge feature provides service availability information to clients and can help them to
associate to available networks.
The services offered by the network can be broadly classified into two protocols:
•
802.11u MSAP
•
802.11u HotSpot 2.0
The following guidelines and limitations apply to Mobile Concierge:
•
Mobile Concierge is not supported on FlexConnect Access Points.
•
802.11u configuration upload is not supported. If you perform a configuration upgrade and upload
a configuration on the controller, the HotSpot configuration on the WLANs is lost.
To configure Mobile Concierge (802.11u) Groups, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose WLANs > WLAN Configuration.
Step 4
Click the Hot Spot tab.
Step 5
On the General tab, configure the following fields:
•
Select the 802.11u Status check box to enable 802.11u on the WLAN.
•
Select the Internet Access check box to enable this WLAN to provide Internet services.
•
From the Network Type drop-down list, choose the network type that best describes the 802.11u you
want to configure on this WLAN. The following options are available:
– Private Network
– Private Network with Guest Access
– Chargeable Public Network
– Free Public Network
– Emergency Services Only Network
– Personal Device Network
– Test or Experimental
– Wildcard
•
Choose the authentication type that you want to configure for the 802.11u parameters on this
network:
– Not configured
– Acceptance of Terms and Conditions
– Online Enrollment
– HTTP/HTTPS Redirection
•
In the HESSID field, enter the Homogeneous Extended Service Set Identifier value. The HESSID is
a 6-octet MAC address that identifies the homogeneous ESS.
Step 6
On the Others tab, configure the following fields:
•
In the OUI List group box, enter the following details:
– OUI name
– Is Beacon
– OUI Index
Click Add to add the OUI (Organizationally Unique Identifier) entry to this WLAN.
•
In the Domain List group box, enter the following details:
– Domain Name—The domain name operating in the 802.11 access network.
– Domain Index—Choose the domain index from the drop-down list.
Click Add to add the domain entry to this WLAN.
Step 7
On the Realm tab, configure the following fields:
•
In the OUI List section, enter the following details:
– Realm Name—The realm name.
– Realm Index—The realm index.
Click Add to add the domain entry to this WLAN.
Step 8
On the Service Advertisement tab, configure the following fields:
•
Select the MSAP Enable check box to enable service advertisements.
•
If you enabled MSAP in the previous step, you must provide a server index. Enter the server index
for this WLAN. The server index field uniquely identifies an MSAP server instance serving a venue
that is reachable through the BSSID.
Note
MSAP (Mobility Services Advertisement Protocol) is designed to be used primarily by mobile
devices that are configured with a set of policies for establishing network services. These
services are available for devices that offer higher-layer services, or network services that are
enabled through service providers. Service advertisements use MSAP to provide services to
mobile devices prior to association to a Wi-Fi access network. This information is conveyed in
a service advertisement. A single-mode or dual-mode mobile device queries the network for
service advertisements before association. The device's network discovery and the selection
function may use the service advertisements in its decision to join the network.
Step 9
On the HotSpot 2.0 tab, configure the following fields:
•
Choose the Enable option from the HotSpot2 Enable drop-down list.
•
In the WAN Metrics group box, specify the following:
– WAN Link Status—The link status. The valid range is 1 to 3.
– WAN SIM Link Status—The symmetric link status. For example, you can configure the uplink
and downlink to have different speeds or same speeds.
– Down Link Speed—The downlink speed. The maximum value is 4,194,304 kbps.
– Up Link Speed—The uplink speed. The maximum value is 4,194,304 kbps.
•
In the Operator Name List group box, specify the following:
– Operator Name—Specify the name of the 802.11 operator.
– Operator Index—Select an operator index. The range is from 1 to 32.
– Language Code—An ISO-14962-1997 encoded string defining the language. This string is a
three character language code.
Click Add to add the operator details. The operator details are displayed in a tabular form.
•
In the Port Config List, specify the following:
– IP Protocol—The IP protocol that you want to enable. The options are ESP, FTP,
ICMP, and IKEV2.
– Port No—The port number that is enabled on this WLAN.
– Status—The status of the port.
Step 10
Click Save.
Adding a WLAN
To add a WLAN, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the appropriate controller.
Step 3
From the left sidebar menu, choose WLANs > WLAN Configuration.
Step 4
From the Select a command drop-down list, choose Add a WLAN.
Step 5
Click Go to open the WLAN Details: Add from Template page.
Step 6
Choose a template from the Select a template to apply to this controller drop-down list.
Step 7
Click Apply.
Note
To create a new template for WLANs, use the click here link in this page, or choose Configure
> Controller Template Launch Pad > WLANs > WLAN.
Deleting a WLAN
To delete a WLAN, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the appropriate controller.
Step 3
From the left sidebar menu, choose WLANs > WLAN Configuration.
Step 4
Select the check boxes of the WLANs that you want to delete.
Step 5
From the Select a command drop-down list, choose Delete a WLAN.
Step 6
Click Go.
Step 7
Click OK to confirm the deletion.
Managing WLAN Status Schedules
Prime Infrastructure enables you to change the status of more than one WLAN at a time on a given
controller. You can select multiple WLANs and select the date and time for that status change to take
place.
To schedule multiple WLANs for a status change, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the appropriate controller.
Step 3
From the left sidebar menu, choose WLANs > WLAN Configuration.
Step 4
Select the check boxes of the WLANs that you want to schedule for a status change.
Step 5
From the Select a command drop-down list, choose Schedule Status to open the WLAN Schedule Task
Detail page.
The selected WLANs are listed at the top of the page.
Step 6
Enter a Scheduled Task Name to identify this status change schedule.
Step 7
Choose the new Admin Status (Enabled or Disabled) from the drop-down list.
Step 8
Choose the schedule time using the hours and minutes drop-down lists.
Step 9
Click the calendar icon to choose a schedule date or enter the date in the text box (MM/DD/YYYY).
Step 10
Select the appropriate Recurrence radio button to determine the frequency of the status change (Daily,
Weekly, or No Recurrence).
Step 11
Click Submit to initiate the status change schedule.
Note
For more information on the WLAN Configuration Scheduled Task results, see the Viewing WLAN
Configuration Scheduled Task Results section in the Cisco Prime Infrastructure 2.0 User Guide.
Mobility Anchors
Mobility anchors are one or more controllers defined as anchors for the WLAN. Clients (802.11 mobile
stations such as a laptop) are always attached to one of the anchors.
This feature can be used to restrict a WLAN to a single subnet, regardless of the entry point of the client
into the network. In this way, users can access a public or guest WLAN throughout an enterprise but still
be restricted to a specific subnet. Guest WLAN can also be used to provide geographical load balancing
because WLANs can represent a particular section of a building (such as a lobby, restaurant, and so on).
When a client first associates to a controller of a mobility group that has been preconfigured as a mobility
anchor for a WLAN, the client associates to the controller locally, and a local session is created for the
client. Clients can be anchored only to preconfigured anchor controllers of the WLAN. For a given
WLAN, you should configure the same set of anchor controllers on all controllers in the mobility group.
When a client first associates to a controller of a mobility group that has not been configured as a
mobility anchor for a WLAN, the client associates to the controller locally, a local session is created for
the client, and the controller is announced to the other controllers in the same mobility group. If the
announcement is not answered, the controller contacts one of the anchor controllers configured for the
WLAN and creates a foreign session for the client on the local switch. Packets from the client are
encapsulated and delivered to the wired network. Packets to the client are received by the anchor
controller and forwarded to the foreign controller through a mobility tunnel using EtherIP. The foreign
controller decapsulates the packets and forwards them to the client.
Note
A 2000 series controller cannot be designated as an anchor for a WLAN. However, a WLAN
created on a 2000 series controller can have a 4100 series controller or a 4400 series controller
as its anchor.
Note
The L2TP Layer 3 security policies are unavailable for WLANs configured with a mobility
anchor.
To view the real time status of mobility anchors for a specific WLAN, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the appropriate controller.
Step 3
From the left sidebar menu, choose WLANs > WLAN Configuration.
Step 4
Click a WLAN ID to view the parameters for a specific WLAN.
Step 5
Click the Advanced tab.
Step 6
Click the Mobility Anchors link. Table 9-3 describes the parameters that are displayed.
Table 9-3 Mobility Anchors
Field              Description
Mobility Anchor    The IP address of the anchor.
Status             The current status of the anchor. For example, reachable or unreachable.
Configuring WLANs AP Groups
Site-specific VLANs or AP groups limit the broadcast domains to a minimum by segmenting a WLAN
into different broadcast domains. Benefits of this include more effective management of load balancing
and bandwidth allocation.
To open this page, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click a controller IP address.
Step 3
From the left sidebar menu, choose WLAN > AP Groups.
This page displays a summary of the AP groups configured on your network. From here you can add,
remove, or view details of an AP group. Click the AP group name on the Access Points tab to view or
edit its access point(s). Click the WLAN Profiles tab to view, edit, add, or delete WLAN profiles.
Adding Access Point Groups
To add a new access point group, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click a controller IP address.
Step 3
From the left sidebar menu, choose WLAN > AP Groups.
Note
AP Groups (for 5.2 and later controllers) is referred to as AP Group VLANs for controllers prior
to 5.2.
Step 4
From the Select a command drop-down list, choose Add AP Groups.
Step 5
Click Go.
In the AP Groups details page, you can add access points and WLAN profiles to this access point group.
Step 6
Enter a name and group description for the access point group.
Note
The group description is optional.
Step 7
To add access points to the group, follow these steps:
a.
Click the Access Points tab.
b.
Click Add. The access point page displays parameters for available access points. Click the access
point name to view or edit parameters for one of the available access points.
c.
Select the check box(es) of the access point(s) you want to add.
d.
Click Select.
Step 8
To add a WLAN profile, click the WLAN Profiles tab and configure the following parameters:
a.
Click Add.
Note
To display all available WLAN profile names, delete the current WLAN profile name from
the text box. When the current WLAN profile name is deleted from the text box, all available
WLAN profiles appear in the drop-down list.
Note
Each access point is limited to 16 WLAN profiles. Each access point broadcasts all WLAN
profiles unless the WLAN override feature is enabled. The WLAN override feature allows
you to disable any of the 16 WLAN profiles per access point.
Note
The WLAN override feature applies only to older controllers that do not support the 512
WLAN feature (can support up to 512 WLAN profiles).
b.
Type a WLAN profile name or choose one from the WLAN Profile Name drop-down list.
c.
Enter an interface/interface group or choose one from the Interface/Interface Group drop-down list.
Note
To display all available interfaces, delete the current interface in the Interface text box.
When the current interface is deleted from the Interface text box, all available interfaces
appear in the drop-down list.
d.
Select the NAC Override check box, if applicable. NAC override is disabled by default.
e.
When access points and WLAN profiles are added, click Save.
Step 9
If you want to add an RF profile, click the RF Profiles tab and configure the following parameters:
•
802.11a—Drop-down list from which you can choose an RF profile for APs with 802.11a radios.
•
802.11b—Drop-down list from which you can choose an RF profile for APs with 802.11b radios.
•
When RF profiles are added, click Save.
Note
Use the Click here link to add a new RF profile. See the “Configuring RF Profiles Templates
(802.11)” section on page 11-633 for more information.
Note
Changing the WLAN-interface mapping in an AP Group removes the local VLAN mapping
for FlexConnect APs in this group. These mappings need to be reconfigured after applying
this change.
Deleting Access Point Groups
To delete an access point group, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click a controller IP address.
Step 3
From the left sidebar menu, choose WLAN > AP Groups.
Step 4
Select the check box(es) of the access point group(s) that you want to delete.
Step 5
From the Select a command drop-down list, choose Delete AP Groups.
Step 6
Click OK to confirm the deletion.
Auditing Access Point Groups
You can audit the access point group to determine if the Prime Infrastructure and device values differ.
To audit an access point group, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click a controller IP address.
Step 3
From the left sidebar menu, choose WLAN > AP Groups.
Step 4
Click the name of the access point group that you want to audit.
Note
Click Audit located at the bottom of the page.
Configuring FlexConnect Parameters
FlexConnect enables customers to configure and control access points in a branch or remote office from
the corporate office through a wide area network (WAN) link without deploying a controller in each
office. There is no deployment restriction on the number of FlexConnect access points per location. The
FlexConnect access points can switch client data traffic locally and perform client authentication locally
when their connection to the controller is lost. When they are connected to the controller, they can also
send traffic back to the controller.
•
Configuring FlexConnect AP Groups
•
Auditing a FlexConnect Group
Configuring FlexConnect AP Groups
To view a list of existing FlexConnect AP groups, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose FlexConnect > FlexConnect AP Groups. The FlexConnect AP
Groups page opens.
•
Group Name—The name of the FlexConnect AP group. Click the group name to view its details.
Note
Use the check box to select a group for deletion.
Configuring a FlexConnect AP Group
To configure a FlexConnect access point group, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose FlexConnect > FlexConnect AP Groups.
Step 4
From the Select a command drop-down list, click Add FlexConnect AP Group to open the FlexConnect
AP Group > Add From Template pane.
Step 5
Choose a template from the Select a template to apply to this controller drop-down list.
Step 6
Click Apply.
Note
To make modifications to an existing FlexConnect AP Group, click the existing group in the Group
Name column of the FlexConnect AP Group page.
To delete an existing group, select the check box of the group you want to remove, and choose Delete
FlexConnect AP Group from the Select a command drop-down list.
Step 7
Configure the following FlexConnect AP Group parameters:
•
General tab
– Template Name—The name of the template applied to this controller.
– Primary Radius—From the drop-down list, choose the primary radius authentication server
present on the controller.
Note
If a RADIUS authentication server is not present on the controller, the Prime
Infrastructure configured RADIUS server does not apply.
Note
You must configure the RADIUS server configuration on the controller before you
apply FlexConnect RADIUS server configuration from the Prime Infrastructure.
– Secondary Radius—From the drop-down list, choose the secondary radius authentication server
present on the controller.
Note
If a RADIUS authentication server is not present on the controller, the Prime
Infrastructure configured RADIUS server does not apply.
•
FlexConnect AP tab
– Ethernet MAC—Select the check box to apply to the FlexConnect group.
Note
An AP Ethernet MAC address cannot exist in more than one FlexConnect group on the
same controller. The controller does not allow you to set an AP Ethernet MAC in a
FlexConnect group if it is already present in another FlexConnect group.
– Add AP—Click to add an additional FlexConnect AP (present in the Prime Infrastructure) to an
existing FlexConnect group. When you click Add AP, only those access points that are part of
this FlexConnect group are listed.
Step 8
If you want to enable local authentication for a FlexConnect group, click the FlexConnect
Configuration tab.
Note
Make sure that the Primary RADIUS Server and Secondary RADIUS Server parameters are set
to None on the General tab.
Step 9
Select the FlexConnect Local Authentication Enable check box to enable local authentication for this
FlexConnect group. The default value is unselected.
Step 10
To allow a FlexConnect access point to authenticate clients using LEAP, select the LEAP check box.
Otherwise, to allow a FlexConnect access point to authenticate clients using EAP-FAST, select the
EAP-FAST check box.
If you have selected the EAP-FAST check box, then you are required to provide the EAP-FAST key as
well as confirm the EAP-FAST key.
Step 11
Perform one of the following, depending on how you want Protected Access Credentials (PACs) to be
provisioned:
•
To use manual PAC provisioning, enter the key used to encrypt and decrypt PACs in the EAP-FAST
Key text box. The key must be 32 hexadecimal characters.
•
To allow PACs to be sent automatically to clients that do not have one during PAC provisioning,
select the Ignore Server Key check box.
Step 12
In the EAP-FAST Authority ID text box, enter the authority identifier of the EAP-FAST server. The
identifier must be 32 hexadecimal characters.
Step 13
In the EAP-FAST Authority Info text box, enter the authority identifier of the EAP-FAST server in text
format. You can enter up to 32 hexadecimal characters.
Step 14
In the EAP-FAST PAC Timeout text box, specify a PAC timeout value by entering the number of seconds
for the PAC to remain visible in the edit text box. The valid range is 2 to 4095 seconds.
Note
To see if an individual access point belongs to a FlexConnect group, click the Users configured
in the group link. It advances you to the FlexConnect AP Group page which shows the names
of the groups and the access points that belong in it.
Step 15
Click the Image Upgrade tab and configure the following:
•
FlexConnect AP Upgrade—Select the check box if you want to upgrade the FlexConnect access
points.
•
Slave Maximum Retry Count—Specify the maximum retries for the slave to undertake to start the
download from the master in the FlexConnect group. This option is available only if you select the
FlexConnect AP Upgrade check box.
Note
You are allowed to add an access point as a master access point only if the FlexConnect AP
Upgrade check box is enabled on the General tab.
Step 16
Click the VLAN-ACL Mapping tab to view, add, edit, or remove a VLAN ACL mapping.
a.
Click Add Row.
b.
Enter a VLAN ID. The valid VLAN ID range is 1 to 4094.
c.
From the Ingress ACL drop-down list, choose an Ingress ACL.
d.
From the Egress ACL drop-down list, choose an Egress ACL.
e.
Click Save.
Step 17
Click the WLAN-ACL Mapping tab, and select the FlexConnect access control list for external web
authentication.
a.
Click Add Row.
b.
From the WLAN Profile Name drop-down list, choose a WLAN profile.
c.
From the WebAuth ACL drop-down list, choose a WebAuth ACL.
d.
Click Save.
Note
You can add up to a maximum of 16 WebAuth ACLs.
Step 18
Click the WebPolicy ACL tab and select the FlexConnect access control list to be added as a web policy.
a.
Click Add Row.
b.
From the Web-Policy ACL drop-down list, choose a WebPolicy ACL.
c.
Click Save.
Note
You can add up to a maximum of 16 Web-Policy ACLs.
Step 19
Click the Local Split tab to view, add, edit, or remove a Local Split ACL mapping.
a.
Click Add Row.
b.
From the WLAN Profile Name drop-down list, choose a WLAN profile.
Note
Only the FlexConnect central switching WLANs are displayed in the WLAN Profile Name
drop-down list.
c.
From the Local-Split ACL drop-down list, choose a FlexConnect ACL.
d.
Click Save.
Step 20
Click the Central DHCP tab to view, add, edit, or remove Central DHCP processing.
a.
Click Add Row.
b.
From the WLAN Profile Name drop-down list, choose a WLAN profile.
Note
Only the FlexConnect local switching WLANs are displayed in the WLAN Profile Name
drop-down list.
c.
From the Central DHCP drop-down list, choose Enable or Disable. When you enable this feature,
the DHCP packets received from AP are centrally switched to the controller and then forwarded to
the corresponding VLAN based on the AP and the SSID.
d.
From the Override DNS drop-down list, choose Enable or Disable. You can enable or disable the
overriding of the DNS server address on the interface assigned to the locally switched WLAN. When
you override DNS in centrally switched WLANs, the clients get their DNS server IP address from
the AP, not from the controller.
e.
From the NAT-PAT drop-down list, choose Enable or Disable. You can enable or disable Network
Address Translation (NAT) and Port Address Translation (PAT) on locally switched WLANs. You
must enable Central DHCP Processing to enable NAT and PAT.
f.
Click Save.
Step 21
Click Save.
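The limits this procedure states for a FlexConnect AP group (RADIUS servers set to None for local authentication, a 32-hexadecimal-character EAP-FAST key and Authority ID, a PAC timeout of 2 to 4095 seconds, VLAN IDs 1 to 4094, at most 16 WebAuth and 16 Web-Policy ACLs, NAT-PAT only with Central DHCP, and one group per AP Ethernet MAC) can be checked against a planned configuration before it is saved. The Python sketch below is an added example, not Cisco or Prime Infrastructure code; the dictionary field names and the sample groups are assumptions constructed for illustration.

```python
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")


def norm_mac(mac):
    """Reduce aa:bb:.., aa-bb-.. or aabb.ccdd.eeff notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def check_group(group):
    """Return findings for one FlexConnect AP group (hypothetical dict schema)."""
    findings = []
    if group.get("local_auth"):
        # Step 8 note: both RADIUS servers must be None when local authentication is used.
        for field in ("primary_radius", "secondary_radius"):
            if group.get(field, "None") != "None":
                findings.append(f"{field} must be None when local authentication is enabled")
        if group.get("eap_fast"):
            # Step 11: a manual PAC key is needed unless Ignore Server Key is selected.
            key = group.get("eap_fast_key", "")
            if not group.get("ignore_server_key") and not HEX32.fullmatch(key):
                findings.append("EAP-FAST key must be 32 hexadecimal characters")
            # Step 12: Authority ID is 32 hexadecimal characters.
            if not HEX32.fullmatch(group.get("authority_id", "")):
                findings.append("EAP-FAST Authority ID must be 32 hexadecimal characters")
            # Step 13: Authority Info is limited to 32 characters.
            if len(group.get("authority_info", "")) > 32:
                findings.append("EAP-FAST Authority Info is limited to 32 characters")
            # Step 14: PAC timeout range.
            timeout = group.get("pac_timeout")
            if not isinstance(timeout, int) or not 2 <= timeout <= 4095:
                findings.append("EAP-FAST PAC timeout must be 2 to 4095 seconds")
    # Step 16: VLAN-ACL mapping rows.
    for row in group.get("vlan_acl", []):
        if not 1 <= row["vlan_id"] <= 4094:
            findings.append(f"VLAN ID {row['vlan_id']} is outside 1 to 4094")
    # Steps 17 and 18: ACL list limits.
    for field, label in (("webauth_acls", "WebAuth"), ("web_policy_acls", "Web-Policy")):
        if len(group.get(field, [])) > 16:
            findings.append(f"more than 16 {label} ACLs")
    # Step 20: NAT-PAT depends on Central DHCP processing.
    for row in group.get("central_dhcp", []):
        if row.get("nat_pat") and not row.get("central_dhcp"):
            findings.append(f"WLAN {row['wlan']}: NAT-PAT requires Central DHCP")
    return findings


def audit(groups):
    """Check every group, plus the one-group-per-AP-MAC rule across the controller."""
    owner = {}      # normalized MAC -> first group that listed it
    report = {}
    for group in groups:
        findings = check_group(group)
        for mac in group.get("ap_macs", []):
            norm = norm_mac(mac)
            if len(norm) != 12:
                findings.append(f"AP MAC {mac} is not a 6-octet address")
            elif norm in owner and owner[norm] != group["name"]:
                findings.append(f"AP MAC {mac} is already in group {owner[norm]}")
            else:
                owner[norm] = group["name"]
        report[group["name"]] = findings
    return report


# Constructed sample input: one clean group and one that breaks several rules.
SAMPLE_GROUPS = [
    {"name": "branch-a", "local_auth": True,
     "primary_radius": "None", "secondary_radius": "None",
     "eap_fast": True, "eap_fast_key": "0123456789abcdef" * 2,
     "authority_id": "a1" * 16, "authority_info": "branch-a", "pac_timeout": 3600,
     "vlan_acl": [{"vlan_id": 10}],
     "central_dhcp": [{"wlan": "corp", "central_dhcp": True, "nat_pat": True}],
     "ap_macs": ["00:11:22:33:44:55"]},
    {"name": "branch-b", "local_auth": True,
     "primary_radius": "10.0.0.5", "secondary_radius": "None",
     "eap_fast": True, "eap_fast_key": "secret",
     "authority_id": "1234", "pac_timeout": 1,
     "vlan_acl": [{"vlan_id": 4095}],
     "webauth_acls": [f"acl{i}" for i in range(17)],
     "central_dhcp": [{"wlan": "guest", "central_dhcp": False, "nat_pat": True}],
     "ap_macs": ["0011.2233.4455"]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_GROUPS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```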
Auditing a FlexConnect Group
If the FlexConnect configuration changes over a period of time either on the Prime Infrastructure or the
controller, you can audit the configuration. The changes are visible in subsequent pages. You can then
refresh either the Prime Infrastructure or the controller to synchronize the configuration.
Configuring Security Parameters
This section contains the following topics:
•
Configuring Controller File Encryption
•
Configuring Controllers > IPaddr > Security > AAA
•
Configuring Controllers > IPaddr > Security > Local EAP
•
Configuring User Login Policies
•
Managing Manually Disabled Clients
•
Configuring Access Control Lists
•
Configuring CPU Access Control Lists
•
Configuring the IDS Sensor List
•
Configuring CA Certificates
•
Configuring ID Certificates
•
Configuring Controllers > IPaddr > Security > Web Auth Certificate
•
Configuring Wireless Protection Policies
•
Configuring Rogue Policies
•
Configuring Rogue AP Rules
•
Configuring Client Exclusion Policies
•
Configuring Controller Standard Signature Parameters
•
Configuring Custom Signatures
•
Configuring AP Authentication and MFP
Configuring Controller File Encryption
To configure controller file encryption, follow these steps:
Step 1
Choose Configure > Controllers.
Step 2
Click the IP address of the applicable controller.
Step 3
From the left sidebar menu, choose Security > File Encryption. File encryption ensures that data is
encrypted when you upload or download the controller configuration file from a TFTP server.
File Encryption parameters include the following:
•
File Encryption—If this option is enabled, the data in the controller configuration file is encrypted
when it is uploaded or downloaded through the TFTP server.
•
Encryption Key—A text string of exactly 16 characters.
•
Confirm Encryption Key—Enter the encryption key.
Configuring Controllers > IPaddr > Security > AAA
This section describes how to configure controller security AAA parameters and contains the following
topics:
•
Configuring AAA General Parameters
•
Configuring AAA RADIUS Auth Servers
•
Configuring AAA RADIUS Acct Servers
•
Configuring AAA RADIUS Fallback Parameters
•
Configuring AAA LDAP Servers
•
Configuring AAA TACACS+ Servers
•
Configuring AAA