Cisco 2500 Series Wireless Controllers Configuration Guide

Cisco Wireless LAN Controller Configuration Guide, Release 7.4
First Published: 2013-01-08
Last Modified: 2016-07-14
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
© 2013 Cisco Systems, Inc. All rights reserved.
CONTENTS
PREFACE
Preface xlix
Audience xlix
Conventions xlix
Related Documentation l
PART I
System Management 53
CHAPTER 1
Cisco Wireless Solution Overview 1
Core Components 2
Overview of Cisco Mobility Express 3
Single-Controller Deployments 4
Multiple-Controller Deployments 4
Operating System Software 5
Operating System Security 5
Layer 2 and Layer 3 Operation 6
Operational Requirements 6
Configuration Requirements 6
Cisco Wireless Controllers 7
Client Location 7
Cisco WLC Platforms 7
Client Location 8
Cisco WLC Platforms 8
Cisco Wireless Solution WLANs 8
File Transfers 9
Power over Ethernet 9
Cisco Wireless Controller Memory 9
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
iii
Contents
Cisco Wireless Controller Failover Protection 9
CHAPTER 2
Getting Started 11
Configuring the Controller Using the Configuration Wizard 11
Connecting the Console Port of the Controller 11
Configuring the Controller (GUI) 12
Configuring the Controller—Using the CLI Configuration Wizard 23
Using the Controller Interface 25
Using the Controller CLI 26
Logging on to the Controller CLI 26
Using a Local Serial Connection 26
Using a Remote Telnet or SSH Connection 27
Logging Out of the CLI 28
Navigating the CLI 28
Information about Loading an Externally Generated SSL Certificate 29
Loading an Externally Generated SSL Certificate 30
Loading an SSL Certificate (GUI) 30
Loading an SSL Certificate (CLI) 30
Using the Controller CLI 31
Logging on to the Controller CLI 32
Using a Serial or USB Console Connection on Cisco WLC 32
Using a Local Serial Connection 32
Using a Remote Telnet or SSH Connection 33
Logging Out of the CLI 34
Navigating the CLI 34
Using the AutoInstall Feature for Controllers Without a Configuration 35
Information About the AutoInstall Feature 36
Obtaining an IP Address Through DHCP and Downloading a Configuration File from a TFTP Server 36
Selecting a Configuration File 37
Example: AutoInstall Operation 38
Managing the Controller System Date and Time 39
Information About Controller System Date and Time 39
Restrictions on Configuring the Controller Date and Time 39
Configuring the NTP/SNTP Server to Obtain the Date and Time (CLI) 40
Configuring NTP/SNTP Authentication (GUI) 40
Configuring NTP/SNTP Authentication (CLI) 41
Configuring the Date and Time (GUI) 41
Configuring the Date and Time (CLI) 42
Telnet and Secure Shell Sessions 44
Telnet and Secure Shell Sessions 44
Restrictions on Telnet and SSH 45
Configuring Telnet and SSH Sessions (GUI) 45
Configuring Telnet and SSH Sessions (CLI) 45
Troubleshooting Access Points Using Telnet or SSH 47
Troubleshooting Access Points Using Telnet or SSH (GUI) 47
Troubleshooting Access Points Using Telnet or SSH (CLI) 47
Managing the Controller Wirelessly 48
Enabling Wireless Connections (GUI) 48
Enabling Wireless Connections (CLI) 48
CHAPTER 3
Managing Licenses 51
Installing and Configuring Licenses 51
Information About Installing and Configuring Licenses 51
Restrictions for Using Licenses 52
Obtaining an Upgrade or Capacity Adder License 52
Information About Obtaining an Upgrade or Capacity Adder License 52
Obtaining and Registering a PAK Certificate 53
Installing a License 54
Installing a License (GUI) 54
Installing a License (CLI) 55
Viewing Licenses 55
Viewing Licenses (GUI) 55
Viewing Licenses (CLI) 56
Troubleshooting Licensing Issues 59
Activating an AP-Count Evaluation License 60
Information About Activating an AP-Count Evaluation License 60
Activating an AP-Count Evaluation License (GUI) 60
Activating an AP-Count Evaluation License (CLI) 61
Rehosting Licenses 62
Information About Rehosting Licenses 62
Rehosting a License 63
Rehosting a License (GUI) 63
Rehosting a License (CLI) 64
Transferring Licenses to a Replacement Controller after an RMA 65
Information About Transferring Licenses to a Replacement Controller after an RMA 65
Transferring a License to a Replacement Controller after an RMA 66
Configuring the License Agent 66
Information About Configuring the License Agent 66
Configuring the License Agent (GUI) 67
Configuring the License Agent (CLI) 67
CHAPTER 4
Configuring 802.11 Bands 69
Configuring 802.11 Bands 69
802.11 Bands 69
Configuring the 802.11 Bands (GUI) 69
Configuring the 802.11 Bands (CLI) 70
Configuring Band Selection 72
Band Select 72
Restrictions for Band Selection 73
Configuring Band Selection 74
Configuring Band Selection (GUI) 74
Configuring Band Selection (CLI) 74
CHAPTER 5
Configuring 802.11 Parameters 77
Configuring the 802.11n Parameters 77
802.11n Parameters 77
Configuring the 802.11n Parameters (GUI) 77
Configuring the 802.11n Parameters (CLI) 78
Configuring 802.11h Parameters 80
802.11h Parameters 80
Configuring the 802.11h Parameters (GUI) 80
Configuring the 802.11h Parameters (CLI) 81
CHAPTER 6
Configuring DHCP Proxy 83
DHCP Proxy Mode 83
Restrictions on Using DHCP Proxy 84
Configuring DHCP Proxy (GUI) 84
Configuring DHCP Proxy (GUI) 85
Configuring DHCP Proxy (CLI) 85
Configuring DHCP Proxy (CLI) 85
Configuring a DHCP Timeout (GUI) 86
Configuring a DHCP Timeout (CLI) 86
CHAPTER 7
Configuring SNMP 87
Configuring SNMP (CLI) 87
SNMP Community Strings 89
Changing the SNMP Community String Default Values (GUI) 89
Changing the SNMP Community String Default Values (CLI) 90
Configuring Real Time Statistics (CLI) 91
SNMP Trap Enhancements 91
Configuring SNMP Trap Receiver (GUI) 92
CHAPTER 8
Configuring Aggressive Load Balancing 93
Aggressive Load Balancing 93
Configuring Aggressive Load Balancing (GUI) 94
Configuring Aggressive Load Balancing (CLI) 94
CHAPTER 9
Configuring Fast SSID Changing 97
Fast SSID Changing 97
Configuring Fast SSID Changing (GUI) 97
Configuring Fast SSID Changing (CLI) 97
CHAPTER 10
Configuring 802.3 Bridging 99
Configuring 802.3 Bridging 99
802.3 Bridging 99
Restrictions on 802.3 Bridging 99
Configuring 802.3 Bridging 99
Configuring 802.3 Bridging (GUI) 99
Configuring 802.3 Bridging (CLI) 100
Enabling 802.3X Flow Control 100
CHAPTER 11
Configuring Multicast 101
Configuring Multicast Mode 101
Multicast/Broadcast Mode 101
Restrictions on Configuring Multicast Mode 103
Enabling Multicast Mode (GUI) 105
Enabling Multicast Mode (CLI) 106
Viewing Multicast Groups (GUI) 107
Viewing Multicast Groups (CLI) 107
Viewing an Access Point’s Multicast Client Table (CLI) 108
Configuring Multicast Domain Name System 108
Multicast Domain Name System 108
Restrictions for Configuring Multicast DNS 109
Configuring Multicast DNS (GUI) 109
Configuring Multicast DNS (CLI) 111
Bonjour Gateway Based on Access Policy 113
Restrictions on Bonjour Gateway Based on Access Policy 113
Creating Bonjour Access Policy through Prime Infrastructure 114
Configuring mDNS Service Groups (GUI) 114
Configuring mDNS Service Groups (CLI) 114
Multicast Configuration for Cisco vWLC, Flex 7510, 5520, 8510, and 8540 WLCs 115
Switching from Multicast-Unicast Mode to Multicast-Multicast Mode 115
Switching from Multicast-Multicast Mode to Multicast-Unicast Mode 115
Restrictions 115
Troubleshooting 116
CHAPTER 12
Configuring Client Roaming 117
Information About Client Roaming 117
Intra-Controller Roaming 117
Inter-Controller Roaming 117
Inter-Subnet Roaming 118
Voice-over-IP Telephone Roaming 118
CCX Layer 2 Client Roaming 118
Restrictions for Client Roaming 119
Configuring CCX Client Roaming Parameters (GUI) 119
Configuring CCX Client Roaming Parameters (CLI) 120
Obtaining CCX Client Roaming Information (CLI) 120
Debugging CCX Client Roaming Issues (CLI) 121
CHAPTER 13
Configuring IP-MAC Address Binding 123
IP-MAC Address Binding 123
Configuring IP-MAC Address Binding (CLI) 123
CHAPTER 14
Configuring Quality of Service 125
Configuring Quality of Service 125
Quality of Service 125
Configuring Quality of Service Profiles 126
Configuring QoS Profiles (GUI) 126
Configuring QoS Profiles (CLI) 127
Configuring Quality of Service Roles 129
Quality of Service Roles 129
Configuring QoS Roles 129
Configuring QoS Roles (GUI) 129
Configuring QoS Roles (CLI) 130
CHAPTER 15
Configuring Application Visibility and Control 133
Application Visibility and Control 133
Restrictions for Application Visibility and Control 134
Configuring Application Visibility and Control (GUI) 134
Configuring Application Visibility and Control (CLI) 135
Configuring NetFlow 136
NetFlow 136
Configuring NetFlow (GUI) 137
Configuring NetFlow (CLI) 137
CHAPTER 16
Configuring Media and EDCA Parameters 139
Configuring Voice and Video Parameters 139
Voice and Video Parameters 139
Call Admission Control 139
Expedited Bandwidth Requests 140
U-APSD 141
Traffic Stream Metrics 141
Configuring Voice Parameters 142
Configuring Voice Parameters (GUI) 142
Configuring Voice Parameters (CLI) 144
Configuring Video Parameters 145
Configuring Video Parameters (GUI) 145
Configuring Video Parameters (CLI) 146
Viewing Voice and Video Settings 147
Viewing Voice and Video Settings (GUI) 147
Viewing Voice and Video Settings (CLI) 147
Configuring SIP-Based CAC 151
Restrictions for SIP-Based CAC 151
Configuring SIP-Based CAC (GUI) 151
Configuring SIP-Based CAC (CLI) 151
Configuring Media Parameters 152
Configuring Media Parameters (GUI) 152
Configuring Voice Prioritization Using Preferred Call Numbers 153
Voice Prioritization Using Preferred Call Numbers 153
Prerequisites for Configuring Voice Prioritization Using Preferred Call Numbers 153
Configuring a Preferred Call Number (GUI) 153
Configuring a Preferred Call Number (CLI) 154
Configuring EDCA Parameters 154
Enhanced Distributed Channel Access Parameters 154
Configuring EDCA Parameters (GUI) 154
Configuring EDCA Parameters (CLI) 155
CHAPTER 17
Configuring the Cisco Discovery Protocol 157
Cisco Discovery Protocol 157
Restrictions for Cisco Discovery Protocol 157
Configuring the Cisco Discovery Protocol 159
Configuring the Cisco Discovery Protocol (GUI) 159
Configuring the Cisco Discovery Protocol (CLI) 160
Viewing Cisco Discovery Protocol Information 161
Viewing Cisco Discovery Protocol Information (GUI) 161
Viewing Cisco Discovery Protocol Information (CLI) 163
Getting CDP Debug Information 164
CHAPTER 18
Configuring Authentication for the Controller and NTP/SNTP Server 165
Authentication for the Controller and NTP/SNTP Server 165
Guidelines and Restrictions on NTP 165
Configuring the NTP/SNTP Server to Obtain the Date and Time (GUI) 165
Configuring the NTP/SNTP Server for Authentication (CLI) 166
CHAPTER 19
Configuring RFID Tag Tracking 167
Information About Configuring RFID Tag Tracking 167
Configuring RFID Tag Tracking (CLI) 168
Viewing RFID Tag Tracking Information (CLI) 169
Debugging RFID Tag Tracking Issues (CLI) 169
CHAPTER 20
Resetting the Controller to Default Settings 171
Resetting the Controller to Default Settings 171
Resetting the Controller to Default Settings (GUI) 171
Resetting the Controller to Default Settings (CLI) 171
CHAPTER 21
Managing Controller Software and Configurations 173
Upgrading the Controller Software 173
Guidelines and Restrictions for Upgrading Controller Software 173
Upgrading Controller Software (GUI) 174
Upgrading Controller Software (CLI) 176
Predownloading an Image to an Access Point 178
Access Point Predownload Process 180
Guidelines and Restrictions for Predownloading an Image to an Access Point 181
Predownloading an Image to Access Points—Global Configuration (GUI) 182
Predownloading an Image to Access Points (CLI) 183
Transferring Files to and from a Controller 184
Downloading a Login Banner File 184
Downloading a Login Banner File (GUI) 185
Downloading a Login Banner File (CLI) 185
Clearing the Login Banner (GUI) 186
Downloading Device Certificates 186
Downloading Device Certificates (GUI) 187
Downloading Device Certificates (CLI) 188
Uploading Device Certificates 189
Uploading Device Certificates (GUI) 189
Uploading Device Certificates (CLI) 190
Downloading CA Certificates 190
Download CA Certificates (GUI) 191
Downloading CA Certificates (CLI) 192
Uploading CA Certificates 193
Uploading CA Certificates (GUI) 193
Uploading CA Certificates (CLI) 193
Uploading PACs for EAP-FAST 194
Uploading PACs (GUI) 194
Uploading PACs (CLI) 195
Backing Up and Restoring Controller Configuration 196
Uploading Configuration Files 196
Downloading Configuration Files 198
Saving Configurations 200
Editing Configuration Files 201
Clearing the Controller Configuration 202
Erasing the Controller Configuration 202
Resetting the Controller 203
CHAPTER 22
Managing User Accounts 205
Configuring Guest User Accounts 205
Guest Accounts 205
Restrictions on Managing User Accounts 205
Creating a Lobby Ambassador Account 206
Creating a Lobby Ambassador Account (GUI) 206
Creating a Lobby Ambassador Account (CLI) 206
Creating Guest User Accounts as a Lobby Ambassador (GUI) 207
Viewing Guest User Accounts 208
Viewing the Guest Accounts (GUI) 208
Viewing the Guest Accounts (CLI) 208
Configuring Administrator Usernames and Passwords 208
Administrator Usernames and Passwords 208
Configuring Usernames and Passwords (GUI) 208
Configuring Usernames and Passwords (CLI) 209
Restoring Passwords 210
Changing the Default Values for SNMP v3 Users 210
Information About Changing the Default Values for SNMP v3 Users 210
Changing the SNMP v3 User Default Values (GUI) 210
Changing the SNMP v3 User Default Values (CLI) 211
Generating a Certificate Signing Request using OpenSSL 212
Downloading Third-Party Certificate (GUI) 213
Downloading Third-Party Certificate (CLI) 214
CHAPTER 23
Managing Web Authentication 217
Obtaining a Web Authentication Certificate 217
Information About Web Authentication Certificates 217
Support for Chained Certificate 218
Obtaining a Web Authentication Certificate (GUI) 218
Obtaining a Web Authentication Certificate (CLI) 218
Web Authentication Process 220
Disabling Security Alert for Web Authentication Process 220
Choosing the Default Web Authentication Login Page 223
Default Web Authentication Login Page 223
Choosing the Default Web Authentication Login Page (GUI) 223
Choosing the Default Web Authentication Login Page (CLI) 224
Example: Creating a Customized Web Authentication Login Page 225
Example: Modified Default Web Authentication Login Page Example 228
Using a Customized Web Authentication Login Page from an External Web Server 229
Information About Customized Web Authentication Login Page 229
Choosing a Customized Web Authentication Login Page from an External Web Server (GUI) 230
Choosing a Customized Web Authentication Login Page from an External Web Server (CLI) 230
Downloading a Customized Web Authentication Login Page 230
Prerequisites for Downloading a Customized Web Authentication Login Page
Downloading a Customized Web Authentication Login Page (GUI) 231
Downloading a Customized Web Authentication Login Page (CLI) 232
Example: Customized Web Authentication Login Page 233
Verifying the Web Authentication Login Page Settings (CLI) 233
Assigning Login, Login Failure, and Logout Pages per WLAN 234
Assigning Login, Login Failure, and Logout Pages per WLAN 234
Assigning Login, Login Failure, and Logout Pages per WLAN (GUI) 234
Assigning Login, Login Failure, and Logout Pages per WLAN (CLI) 235
CHAPTER 24
Configuring Wired Guest Access 237
Wired Guest Access 237
Prerequisites for Configuring Wired Guest Access 238
Restrictions for Configuring Wired Guest Access 238
Configuring Wired Guest Access (GUI) 238
Configuring Wired Guest Access (CLI) 240
Supporting IPv6 Client Guest Access 243
CHAPTER 25
Troubleshooting 245
Interpreting LEDs 245
Information About Interpreting LEDs 245
Interpreting Controller LEDs 245
Interpreting Lightweight Access Point LEDs 246
System Messages 246
Information About System Messages 246
Viewing System Resources 249
Viewing System Resources 249
Viewing System Resources (GUI) 249
Viewing System Resources (CLI) 250
Using the CLI to Troubleshoot Problems 251
Configuring System and Message Logging 252
System and Message Logging 252
Configuring System and Message Logging (GUI) 253
Viewing Message Logs (GUI) 255
Configuring System and Message Logging (CLI) 255
Viewing System and Message Logs (CLI) 260
Viewing Access Point Event Logs 260
Information About Access Point Event Logs 260
Viewing Access Point Event Logs (CLI) 260
Uploading Logs and Crash Files 261
Upload Logs and Crash Files 261
Uploading Logs and Crash Files (GUI) 261
Uploading Logs and Crash Files (CLI) 262
Uploading Core Dumps from the Controller 263
Uploading Core Dumps from the Controller 263
Configuring the Controller to Automatically Upload Core Dumps to an FTP Server (GUI) 263
Configuring the Controller to Automatically Upload Core Dumps to an FTP Server (CLI) 264
Uploading Core Dumps from Controller to a Server (CLI) 265
Uploading Packet Capture Files 266
Uploading Crash Packet Capture Files 266
Restrictions for Uploading Crash Packet Capture Files 267
Uploading Crash Packet Capture Files (GUI) 267
Uploading Crash Packet Capture Files (CLI) 268
Monitoring Memory Leaks 269
Monitoring Memory Leaks (CLI) 269
Troubleshooting CCXv5 Client Devices 270
Information About Troubleshooting CCXv5 Client Devices 270
Restrictions for CCXv5 Client Devices 270
Configuring Diagnostic Channel 270
Configuring the Diagnostic Channel (GUI) 271
Configuring the Diagnostic Channel (CLI) 271
Configuring Client Reporting 276
Configuring Client Reporting (GUI) 276
Configuring Client Reporting (CLI) 276
Configuring Roaming and Real-Time Diagnostics 277
Configuring Roaming and Real-Time Diagnostics (CLI) 277
Using the Debug Facility 280
Using the Debug Packet Logging Facility 280
Configuring the Debug Facility (CLI) 281
Configuring Wireless Sniffing 285
Wireless Sniffing 285
Prerequisites for Wireless Sniffing 285
Restrictions on Wireless Sniffing 286
Configuring Sniffing on an Access Point (GUI) 286
Configuring Sniffing on an Access Point (CLI) 286
Troubleshooting Access Points Using Telnet or SSH 287
Information About Troubleshooting Access Points Using Telnet or SSH 287
Troubleshooting Access Points Using Telnet or SSH (GUI) 288
Troubleshooting Access Points Using Telnet or SSH (CLI) 288
Debugging the Access Point Monitor Service 289
Debugging the Access Point Monitor Service 289
Debugging Access Point Monitor Service Issues (CLI) 289
Troubleshooting Memory Leaks 289
Troubleshooting Memory Leaks 289
Troubleshooting OfficeExtend Access Points 290
Troubleshooting OfficeExtend Access Points 290
Interpreting OfficeExtend LEDs 290
Positioning OfficeExtend Access Points for Optimal RF Coverage 290
Troubleshooting Common Problems with OfficeExtend Access Points 291
PART II
Ports and Interfaces 293
CHAPTER 26
Overview of Ports and Interfaces 295
Ports 295
Distribution System Ports 296
Restrictions for Configuring Distribution System Ports 296
Service Port 297
Interfaces 298
Restrictions for Configuring Interfaces 299
Dynamic AP Management 299
WLANs 299
CHAPTER 27
Configuring the Management Interface 303
Management Interface 303
Configuring the Management Interface (GUI) 304
Configuring the Management Interface (CLI) 305
CHAPTER 28
Configuring the AP-Manager Interface 309
AP-Manager Interface 309
Restrictions for Configuring AP Manager Interface 309
Configuring the AP-Manager Interface (GUI) 310
Configuring the AP Manager Interface (CLI) 311
Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller 311
CHAPTER 29
Configuring Virtual Interfaces 315
Virtual Interface 315
Configuring Virtual Interfaces (GUI) 316
Configuring Virtual Interfaces (CLI) 316
CHAPTER 30
Configuring Service-Port Interfaces 317
Service-Port Interfaces 317
Restrictions on Configuring Service-Port Interfaces 318
Configuring Service-Port Interfaces Using IPv4 (GUI) 318
Configuring Service-Port Interfaces Using IPv4 (CLI) 318
Configuring Service-Port Interface Using IPv6 (GUI) 319
Configuring Service-Port Interfaces Using IPv6 (CLI) 320
CHAPTER 31
Configuring Dynamic Interfaces 321
Dynamic Interface 321
Prerequisites for Configuring Dynamic Interfaces 322
Restrictions for Configuring Dynamic Interfaces 322
Configuring Dynamic Interfaces (GUI) 322
Configuring Dynamic Interfaces (CLI) 323
CHAPTER 32
Configuring Ports (GUI) 327
Configuring Ports (GUI) 327
CHAPTER 33
Configuring Link Aggregation 329
Link Aggregation 329
Restrictions on Link Aggregation 329
Configuring Link Aggregation (GUI) 331
Configuring Link Aggregation (CLI) 332
Verifying Link Aggregation Settings (CLI) 332
Configuring Neighbor Devices to Support Link Aggregation 332
Choosing Between Link Aggregation and Multiple AP-Manager Interfaces 333
CHAPTER 34
Configuring Multiple AP-Manager Interfaces 335
Information About Multiple AP-Manager Interfaces 335
Restrictions on Configuring Multiple AP Manager Interfaces 335
Creating Multiple AP-Manager Interfaces (GUI) 336
Creating Multiple AP-Manager Interfaces (CLI) 336
CHAPTER 35
Configuring VLAN Select 339
Information About VLAN Select 339
Restrictions for Configuring VLAN Select 340
Configuring Interface Groups 340
Interface Groups 340
Restrictions on Configuring Interface Groups 340
Creating Interface Groups (GUI) 341
Creating Interface Groups (CLI) 341
Adding Interfaces to Interface Groups (GUI) 341
Adding Interfaces to Interface Groups (CLI) 342
Viewing VLANs in Interface Groups (CLI) 342
Adding an Interface Group to a WLAN (GUI) 342
Adding an Interface Group to a WLAN (CLI) 342
CHAPTER 36
Configuring Interface Groups 343
Interface Groups 343
Restrictions on Configuring Interface Groups 344
Creating Interface Groups (GUI) 344
Creating Interface Groups (CLI) 344
Adding Interfaces to Interface Groups (GUI) 345
Adding Interfaces to Interface Groups (CLI) 345
Viewing VLANs in Interface Groups (CLI) 345
Adding an Interface Group to a WLAN (GUI) 345
Adding an Interface Group to a WLAN (CLI) 346
CHAPTER 37
Configuring Multicast Optimization 347
Multicast VLAN 347
Configuring a Multicast VLAN (GUI) 348
Configuring a Multicast VLAN (CLI) 348
PART III
VideoStream 349
CHAPTER 38
VideoStream 351
Information about Media Stream 351
Prerequisites for Media Stream 351
Restrictions for Configuring VideoStream 351
Configuring Media Stream (GUI) 352
Configuring Media Stream (CLI) 355
Viewing and Debugging Media Stream 356
PART IV
Security Solutions 359
CHAPTER 39
Cisco Unified Wireless Network Solution Security 361
Security Overview 361
Layer 1 Solutions 361
Layer 2 Solutions 361
Restrictions for Layer 2 Solutions 362
Layer 3 Solutions 362
Integrated Security Solutions 362
CHAPTER 40
Configuring RADIUS 363
Setting up RADIUS for Management Users 363
Configuring RADIUS (GUI) 365
Configuring RADIUS (CLI) 369
RADIUS Authentication Attributes Sent by the Controller 373
Authentication Attributes Honored in Access-Accept Packets (Airespace) 376
RADIUS Accounting Attributes 382
CHAPTER 41
Configuring TACACS+ 385
Setting up TACACS+ 385
TACACS+ VSA 387
Configuring TACACS+ (GUI) 387
Configuring TACACS+ (CLI) 389
Viewing the TACACS+ Administration Server Logs 390
CHAPTER 42
Configuring Maximum Local Database Entries 393
Maximum Local Database Entries 393
Configuring Maximum Local Database Entries (GUI) 393
Configuring Maximum Local Database Entries (CLI) 393
CHAPTER 43
Configuring Local Network Users on the Controller 395
Local Network Users on Controller 395
Configuring Local Network Users for the Controller (GUI) 395
Configuring Local Network Users for the Controller (CLI) 396
CHAPTER 44
Configuring Password Policies 399
Password Policies 399
Configuring Password Policies (GUI) 400
Configuring Password Policies (CLI) 400
CHAPTER 45
Configuring LDAP 401
LDAP 401
Configuring LDAP (GUI) 401
Configuring LDAP (CLI) 403
CHAPTER 46
Configuring Local EAP 407
Local EAP 407
Restrictions for Local EAP 407
Configuring Local EAP (GUI) 408
Configuring Local EAP (CLI) 411
CHAPTER 47
Configuring the System for SpectraLink NetLink Telephones 417
Information About SpectraLink NetLink Telephones 417
Configuring SpectraLink NetLink Phones 417
Enabling Long Preambles (GUI) 417
Enabling Long Preambles (CLI) 418
Configuring Enhanced Distributed Channel Access (CLI) 418
CHAPTER 48
Configuring RADIUS NAC Support 421
ISE NAC Support 421
Device Registration 421
Central Web Authentication 421
Local Web Authentication 423
Guidelines and Restrictions on ISE NAC Support 423
Configuring ISE NAC Support (GUI) 424
Configuring ISE NAC Support (CLI) 425
CHAPTER 49
Using Management Over Wireless 427
Management over Wireless 427
Enabling Management over Wireless (GUI) 427
Enabling Management over Wireless (CLI) 428
CHAPTER 50
Using Dynamic Interfaces for Management 429
Using Dynamic Interfaces for Management 429
Configuring Management using Dynamic Interfaces (CLI) 430
CHAPTER 51
Configuring DHCP Option 82 431
DHCP Option 82 431
Restrictions on DHCP Option 82 432
Configuring DHCP Option 82 (GUI) 432
Configuring DHCP Option 82 (CLI) 432
CHAPTER 52
Configuring and Applying Access Control Lists 435
Information about Access Control Lists 435
Guidelines and Restrictions on Access Control Lists 435
Configuring and Applying Access Control Lists (GUI) 436
Configuring Access Control Lists (GUI) 436
Applying an Access Control List to an Interface (GUI) 439
Applying an Access Control List to the Controller CPU (GUI) 439
Applying an Access Control List to a WLAN (GUI) 440
Applying a Preauthentication Access Control List to a WLAN (GUI) 440
Configuring and Applying Access Control Lists (CLI) 440
Configuring Access Control Lists (CLI) 440
Applying Access Control Lists (CLI) 441
CHAPTER 53
Configuring Management Frame Protection 443
Protected Management Frames (Management Frame Protection) 443
Restrictions for Management Frame Protection 444
Configuring Infrastructure MFP (GUI) 445
Viewing the Management Frame Protection Settings (GUI) 445
Configuring Infrastructure MFP (CLI) 446
Viewing the Management Frame Protection Settings (CLI) 446
Debugging Management Frame Protection Issues (CLI) 446
CHAPTER 54
Configuring Client Exclusion Policies 449
Configuring Client Exclusion Policies (GUI) 449
Configuring Client Exclusion Policies (CLI) 450
CHAPTER 55
Configuring Identity Networking 453
AAA Override (Identity Networking) 453
RADIUS Attributes Used in Identity Networking 454
CHAPTER 56
Configuring AAA Override 459
AAA Override 459
Restrictions for AAA Override 459
Updating the RADIUS Server Dictionary File for Proper QoS Values 460
Configuring AAA Override (GUI) 461
Configuring AAA Override (CLI) 461
CHAPTER 57
Managing Rogue Devices 463
Rogue Devices 463
Configuring Rogue Detection (GUI) 468
Configuring Rogue Detection (CLI) 469
CHAPTER 58
Classifying Rogue Access Points 473
Rogue Access Point Classification 473
Guidelines and Restrictions for Classifying Rogue Access Points 476
Configuring Rogue Classification Rules (GUI) 477
Viewing and Classifying Rogue Devices (GUI) 479
Configuring Rogue Classification Rules (CLI) 483
Viewing and Classifying Rogue Devices (CLI) 485
CHAPTER 59
Configuring Cisco TrustSec SXP 489
Cisco TrustSec 489
Guidelines and Restrictions on Cisco TrustSec 491
Configuring SXP on Cisco WLC (GUI) 491
Creating a New SXP Connection (GUI) 492
Configuring SXP on Cisco WLC (CLI) 492
CHAPTER 60
Configuring Cisco Intrusion Detection System 495
Cisco Intrusion Detection System 495
Shunned Clients 495
Configuring IDS Sensors (GUI) 496
Viewing Shunned Clients (GUI) 496
Configuring IDS Sensors (CLI) 497
Viewing Shunned Clients (CLI) 498
CHAPTER 61
Configuring IDS Signatures 501
Intrusion Detection System Signatures 501
Configuring IDS Signatures (GUI) 503
Uploading or Downloading IDS Signatures 503
Configuring IDS Signatures (GUI) 504
Viewing IDS Signature Events (GUI) 506
Configuring IDS Signatures (CLI) 506
Viewing IDS Signature Events (CLI) 508
CHAPTER 62
Configuring wIPS 509
Wireless Intrusion Prevention System 509
Restrictions for wIPS 516
Configuring wIPS on an Access Point (GUI) 516
Configuring wIPS on an Access Point (CLI) 517
Viewing wIPS Information (CLI) 518
CHAPTER 63
Configuring Wi-Fi Direct Client Policy 519
Wi-Fi Direct Client Policy 519
Restrictions for the Wi-Fi Direct Client Policy 519
Configuring the Wi-Fi Direct Client Policy (GUI) 519
Configuring the Wi-Fi Direct Client Policy (CLI) 520
Monitoring and Troubleshooting the Wi-Fi Direct Client Policy (CLI) 520
CHAPTER 64
Configuring Web Auth Proxy 521
Web Authentication Proxy 521
Configuring the Web Authentication Proxy (GUI) 522
Configuring the Web Authentication Proxy (CLI) 522
CHAPTER 65
Detecting Active Exploits 525
Detecting Active Exploits 525
PART V
WLANs 527
CHAPTER 66
Overview 529
Information About WLANs 529
Prerequisites for WLANs 529
Restrictions for WLANs 529
CHAPTER 67
Configuring WLANs 533
Prerequisites for WLANs 533
Restrictions for WLANs 533
Information About WLANs 535
Creating and Removing WLANs (GUI) 536
Enabling and Disabling WLANs (GUI) 537
Editing WLAN SSID or Profile Name for WLANs (GUI) 537
Creating and Deleting WLANs (CLI) 537
Enabling and Disabling WLANs (CLI) 538
Editing WLAN SSID or Profile Name for WLANs (CLI) 539
Viewing WLANs (CLI) 539
Searching WLANs (GUI) 539
Assigning WLANs to Interfaces 540
Configuring Network Access Identifier (CLI) 540
CHAPTER 68
Setting the Client Count per WLAN 541
Restrictions for Setting Client Count for WLANs 541
Client Count per WLAN 541
Configuring the Client Count per WLAN (GUI) 542
Configuring the Maximum Number of Clients per WLAN (CLI) 542
Configuring the Maximum Number of Clients for each AP Radio per WLAN (GUI) 542
Configuring the Maximum Number of Clients for each AP Radio per WLAN (CLI) 543
CHAPTER 69
Configuring DHCP 545
Restrictions for Configuring DHCP for WLANs 545
Information about Dynamic Host Configuration Protocol 545
Internal DHCP Servers 545
External DHCP Servers 546
DHCP Assignments 546
Configuring DHCP Per WLAN (GUI) 547
Configuring DHCP Per WLAN (CLI) 548
Debugging DHCP (CLI) 549
DHCP Client Handling 549
CHAPTER 70
Configuring DHCP Scopes 551
Restrictions for Configuring Internal DHCP Server 551
Internal DHCP Server 551
Configuring DHCP Scopes (GUI) 552
Configuring DHCP Scopes (CLI) 553
CHAPTER 71
Configuring MAC Filtering for WLANs 555
Restrictions for MAC Filtering 555
MAC Filtering of WLANs 555
Enabling MAC Filtering 555
CHAPTER 72
Configuring Local MAC Filters 557
Prerequisites for Configuring Local MAC Filters 557
Local MAC Filters 557
Configuring Local MAC Filters (CLI) 557
CHAPTER 73
Configuring Timeouts 559
Configuring a Timeout for Disabled Clients 559
Client Exclusion Timeout 559
Configuring Client Exclusion Timeout (CLI) 559
Configuring Session Timeout 560
Session Timeouts 560
Configuring a Session Timeout (GUI) 560
Configuring a Session Timeout (CLI) 560
Configuring the User Idle Timeout 561
User Idle Timeout per WLAN 561
Configuring Per-WLAN User Idle Timeout (CLI) 562
CHAPTER 74
Configuring the DTIM Period 563
DTIM Period 563
Configuring the DTIM Period (GUI) 564
Configuring the DTIM Period (CLI) 564
CHAPTER 75
Configuring Peer-to-Peer Blocking 565
Restrictions on Peer-to-Peer Blocking 565
Peer-to-Peer Blocking 565
Configuring Peer-to-Peer Blocking (GUI) 566
Configuring Peer-to-Peer Blocking (CLI) 566
CHAPTER 76
Configuring Layer 2 Security 569
Prerequisites for Layer 2 Security 569
Configuring Static WEP Keys (CLI) 570
Configuring Dynamic WEP (CLI) 570
Configuring 802.11r BSS Fast Transition 571
Restrictions for 802.11r Fast Transition 571
802.11r Fast Transition 572
Configuring 802.11r Fast Transition (GUI) 574
Configuring 802.11r Fast Transition (CLI) 575
Troubleshooting 802.11r BSS Fast Transition 576
MAC Authentication Failover to 802.1X Authentication 576
Configuring MAC Authentication Failover to 802.1X Authentication (GUI) 576
Configuring MAC Authentication Failover to 802.1X Authentication (CLI) 576
Configuring 802.11w 577
Restrictions for 802.11w 577
802.11w 577
Configuring 802.11w (GUI) 578
Configuring 802.11w (CLI) 579
CHAPTER 77
Configuring a WLAN for Static WEP 581
Restrictions for Configuring Static WEP 581
WLAN for Static WEP 581
WPA1 and WPA2 582
Configuring WPA1+WPA2 583
Configuring WPA1+WPA2 (GUI) 583
Configuring WPA1+WPA2 (CLI) 584
CHAPTER 78
Configuring Sticky PMKID Caching 587
802.11i Sticky Key Caching 587
Restrictions for Sticky Key Caching 587
Configuring Sticky Key Caching (CLI) 588
CHAPTER 79
Configuring CKIP 591
Cisco Key Integrity Protocol 591
Configuring CKIP (GUI) 592
Configuring CKIP (CLI) 592
CHAPTER 80
Configuring Layer 3 Security 595
Configuring Layer 3 Security Using Web Authentication 595
Prerequisites for Configuring Web Authentication on a WLAN 595
Restrictions for Configuring Web Authentication on a WLAN 596
Information About Web Authentication 596
Configuring Web Authentication 596
Configuring Web Authentication (GUI) 596
Configuring Web Authentication (CLI) 596
CHAPTER 81
Configuring Captive Bypassing 599
Captive Bypassing 599
Configuring Captive Bypassing (CLI) 600
CHAPTER 82
Configuring a Fallback Policy with MAC Filtering and Web Authentication 601
Fallback Policy with MAC Filtering and Web Authentication 601
Configuring a Fallback Policy with MAC Filtering and Web Authentication (GUI) 601
Configuring a Fallback Policy with MAC Filtering and Web Authentication (CLI) 602
CHAPTER 83
Assigning a QoS Profile to a WLAN 605
QoS Profiles 605
Assigning a QoS Profile to a WLAN (GUI) 606
Assigning a QoS Profile to a WLAN (CLI) 607
CHAPTER 84
Configuring QoS Enhanced BSS 609
Prerequisites for Using QoS Enhanced BSS on Cisco 7921 and 7920 Wireless IP Phones 609
Restrictions for QoS Enhanced BSS 610
QoS Enhanced BSS 610
Configuring QBSS (GUI) 611
Configuring QBSS (CLI) 611
CHAPTER 85
Configuring Media Session Snooping and Reporting 613
SIP (Media Session) Snooping, CAC, and Reporting 613
Restrictions for SIP (Media Session) Snooping, CAC, and Reporting 613
Configuring Media Session Snooping (GUI) 614
Configuring Media Session Snooping (CLI) 614
CHAPTER 86
Configuring Key Telephone System-Based CAC 619
Restrictions for Key Telephone System-Based CAC 619
Key Telephone System-Based CAC 619
Configuring KTS-based CAC (GUI) 620
Configuring KTS-based CAC (CLI) 620
Related Commands 621
CHAPTER 87
Configuring Reanchoring of Roaming Voice Clients 623
Restrictions for Configuring Reanchoring of Roaming Voice Clients 623
Reanchoring of Roaming Voice Clients 623
Configuring Reanchoring of Roaming Voice Clients (GUI) 624
Configuring Reanchoring of Roaming Voice Clients (CLI) 624
CHAPTER 88
Configuring Seamless IPv6 Mobility 625
Prerequisites for Configuring IPv6 Mobility 625
Restrictions on Configuring IPv6 Mobility 625
IPv6 Client Mobility 626
Configuring IPv6 Globally 626
Configuring IPv6 Globally (GUI) 626
Configuring IPv6 Globally (CLI) 627
Configuring RA Guard for IPv6 Clients 627
RA Guard 627
Configuring RA Guard (GUI) 627
Configuring RA Guard (CLI) 628
Configuring RA Throttling for IPv6 Clients 628
RA Throttling 628
Configuring RA Throttling (GUI) 628
Configuring the RA Throttle Policy (CLI) 629
Configuring IPv6 Neighbor Discovery Caching 629
IPv6 Neighbor Discovery 629
Configuring Neighbor Binding (GUI) 629
Configuring Neighbor Binding (CLI) 630
CHAPTER 89
Configuring Cisco Client Extensions 631
Prerequisites for Configuring Cisco Client Extensions 631
Guidelines and Restrictions for Configuring Cisco Client Extensions 631
Cisco Client Extensions 632
Configuring CCX Aironet IEs (GUI) 632
Viewing a Client’s CCX Version (GUI) 632
Configuring CCX Aironet IEs (CLI) 632
Viewing a Client’s CCX Version (CLI) 633
CHAPTER 90
Configuring Remote LANs 635
Prerequisites for Configuring Remote LANs 635
Restrictions for Configuring Remote LANs 635
Remote LANs 635
Configuring a Remote LAN (GUI) 636
Configuring a Remote LAN (CLI) 637
CHAPTER 91
AP Groups 639
Access Point Groups 639
Restrictions for Configuring Access Point Groups 640
Configuring Access Point Groups 640
Creating Access Point Groups (GUI) 640
Creating Access Point Groups (CLI) 642
Viewing Access Point Groups (CLI) 643
802.1Q-in-Q VLAN Tagging 644
Restrictions for 802.1Q-in-Q VLAN Tagging 644
Configuring 802.1Q-in-Q VLAN Tagging (GUI) 644
Configuring 802.1Q-in-Q VLAN Tagging (CLI) 645
CHAPTER 92
Configuring RF Profiles 647
Prerequisites for Configuring RF Profiles 647
Restrictions on Configuring RF Profiles 647
RF Profiles 648
Configuring an RF Profile (GUI) 650
Configuring an RF Profile (CLI) 651
Applying an RF Profile to AP Groups (GUI) 653
Applying RF Profiles to AP Groups (CLI) 653
CHAPTER 93
Configuring Web Redirect with 802.1X Authentication 655
Web Redirect with 802.1X Authentication 655
Conditional Web Redirect 655
Splash Page Web Redirect 656
Configuring the RADIUS Server (GUI) 656
Configuring Web Redirect 657
Configuring Web Redirect (GUI) 657
Configuring Web Redirect (CLI) 657
Disabling Accounting Servers per WLAN (GUI) 658
Disabling Coverage Hole Detection per WLAN 658
Disabling Coverage Hole Detection on a WLAN (GUI) 658
Disabling Coverage Hole Detection on a WLAN (CLI) 659
CHAPTER 94
Configuring NAC Out-of-Band Integration 661
Prerequisites for NAC Out Of Band 661
Restrictions for NAC Out of Band 662
NAC Out-of-Band Integration 662
Configuring NAC Out-of-Band Integration (GUI) 663
Configuring NAC Out-of-Band Integration (CLI) 665
CHAPTER 95
Configuring Passive Clients 667
Restrictions for Passive Clients 667
Passive Clients 667
Configuring Passive Clients (GUI) 668
Enabling the Multicast-Multicast Mode (GUI) 668
Enabling the Global Multicast Mode on Controllers (GUI) 669
Enabling the Passive Client Feature on the Controller (GUI) 669
Configuring Passive Clients (CLI) 670
Configuring the Gratuitous ARP (GARP) Forwarding to Wireless Networks 670
CHAPTER 96
Configuring Client Profiling 673
Prerequisites for Configuring Client Profiling 673
Restrictions for Configuring Client Profiling 674
Client Profiling 674
Configuring Client Profiling 675
Configuring Client Profiling (GUI) 675
Configuring Client Profiling (CLI) 675
CHAPTER 97
Configuring Per-WLAN RADIUS Source Support 677
Prerequisites for Per-WLAN RADIUS Source Support 677
Per-WLAN RADIUS Source Support 677
Configuring Per-WLAN RADIUS Source Support (CLI) 678
Monitoring the Status of Per-WLAN RADIUS Source Support (CLI) 678
CHAPTER 98
Configuring Mobile Concierge 681
Mobile Concierge 681
Configuring Mobile Concierge (802.11u) 681
Configuring Mobile Concierge (802.11u) (GUI) 681
Configuring Mobile Concierge (802.11u) (CLI) 682
Configuring 802.11u Mobility Services Advertisement Protocol 684
802.11u MSAP 684
Configuring 802.11u MSAP (GUI) 684
Configuring MSAP (CLI) 684
Configuring 802.11u HotSpot 685
Information About 802.11u HotSpot 685
Configuring 802.11u HotSpot (GUI) 685
Configuring HotSpot 2.0 (CLI) 686
Configuring Access Points for HotSpot2 (GUI) 687
Configuring Access Points for HotSpot2 (CLI) 688
Downloading the Icon File (CLI) 691
CHAPTER 99
Configuring Assisted Roaming 693
Restrictions for Assisted Roaming 693
802.11k Neighbor List and Assisted Roaming 693
Configuring Assisted Roaming (CLI) 694
PART VI
Lightweight Access Points 697
CHAPTER 100
Access Point Communication Protocols 699
CAPWAP 699
Restrictions for Access Point Communication Protocols 700
Data Encryption 700
Restrictions on Data Encryption 702
Upgrading or Downgrading DTLS Images for Cisco 5508 WLC 702
Guidelines When Upgrading to or from a DTLS Image 703
Configuring Data Encryption (GUI) 703
Configuring Data Encryption (CLI) 703
Viewing CAPWAP Maximum Transmission Unit Information 704
Debugging CAPWAP 704
Controller Discovery Process 705
Guidelines and Restrictions on Controller Discovery Process 706
Verifying that Access Points Join the Controller 706
Verifying that Access Points Join the Controller (GUI) 706
Verifying that Access Points Join the Controller (CLI) 707
CHAPTER 101
Searching for Access Points 709
Information About Searching for Access Points 709
Searching the AP Filter (GUI) 709
Monitoring the Interface Details 711
Searching for Access Point Radios 713
Information About Searching for Access Point Radios 713
Searching for Access Point Radios (GUI) 713
CHAPTER 102
Searching for Access Point Radios 715
Information About Searching for Access Point Radios 715
Searching for Access Point Radios (GUI) 715
CHAPTER 103
Configuring Global Credentials for Access Points 717
Global Credentials for Access Points 717
Restrictions for Global Credentials for Access Points 718
Configuring Global Credentials for Access Points 718
Configuring Global Credentials for Access Points (GUI) 718
Configuring Global Credentials for Access Points (CLI) 719
CHAPTER 104
Configuring Authentication for Access Points 721
AP Wired 802.1X Supplicant 721
Prerequisites for Configuring Wired 802.1X Authentication for Access Points 722
Restrictions for Authenticating Access Points 723
Configuring Authentication for Access Points (GUI) 723
Configuring Authentication for Access Points (CLI) 724
Configuring the Switch for Authentication 725
CHAPTER 105
Configuring Embedded Access Points 727
Embedded Access Points 727
CHAPTER 106
Converting Autonomous Access Points to Lightweight Mode 729
Converting Autonomous Access Points to Lightweight Mode 729
Restrictions for Converting Autonomous Access Points to Lightweight Mode 730
Converting Autonomous Access Points to Lightweight Mode 730
Reverting from Lightweight Mode to Autonomous Mode 731
Reverting to a Previous Release (CLI) 731
Reverting to a Previous Release Using the MODE Button and a TFTP Server 731
Authorizing Access Points 732
Authorizing Access Points Using SSCs 732
Authorizing Access Points for Virtual Controllers Using SSC 732
Configuring SSC (GUI) 732
Configuring SSC (CLI) 733
Authorizing Access Points Using MICs 733
Authorizing Access Points Using LSCs 733
Configuring Locally Significant Certificates (GUI) 734
Configuring Locally Significant Certificates (CLI) 735
Authorizing Access Points (GUI) 737
Authorizing Access Points (CLI) 737
Configuring VLAN Tagging for CAPWAP Frames from Access Points 738
VLAN Tagging for CAPWAP Frames from Access Points 738
Configuring VLAN Tagging for CAPWAP Frames from Access Points (GUI) 738
Configuring VLAN Tagging for CAPWAP Frames from Access Points (CLI) 739
Using DHCP Option 43 and DHCP Option 60 739
Troubleshooting the Access Point Join Process 740
Configuring the Syslog Server for Access Points (CLI) 741
Viewing Access Point Join Information 742
Viewing Access Point Join Information (GUI) 742
Viewing Access Point Join Information (CLI) 743
Sending Commands to Access Points 744
Understanding How Access Points Send Crash Information to the Controller 745
Understanding How Access Points Send Radio Core Dumps to the Controller 745
Retrieving Radio Core Dumps (CLI) 745
Uploading Radio Core Dumps (GUI) 746
Uploading Radio Core Dumps (CLI) 746
Uploading Memory Core Dumps from Converted Access Points 747
Uploading Access Point Core Dumps (GUI) 747
Uploading Access Point Core Dumps (CLI) 747
Viewing the AP Crash Log Information 748
Viewing the AP Crash Log information (GUI) 748
Viewing the AP Crash Log information (CLI) 748
Viewing MAC Addresses of Access Points 749
Disabling the Reset Button on Access Points to Lightweight Mode 749
Configuring a Static IP Address on a Lightweight Access Point 749
Configuring a Static IP Address (GUI) 750
Configuring a Static IP Address (CLI) 750
Supporting Oversized Access Point Images 752
Recovering the Access Point—Using the TFTP Recovery Procedure 752
CHAPTER 107
Configuring Packet Capture 753
Information About Packet Capture 753
Restrictions for Packet Capture 754
Configuring Packet Capture (CLI) 754
CHAPTER 108
OfficeExtend Access Points 757
OfficeExtend Access Points 757
OEAP 600 Series Access Points 758
Supported WLAN Settings for 600 Series OfficeExtend Access Point 759
WLAN Security Settings for the 600 Series OfficeExtend Access Point 759
Authentication Settings 763
Supported User Count on 600 Series OfficeExtend Access Point 763
Remote LAN Settings 763
Channel Management and Settings 764
Firewall Settings 765
Additional Caveats 766
Implementing Security 767
Configuring OfficeExtend Access Points 767
Configuring OfficeExtend Access Points (GUI) 767
Configuring OfficeExtend Access Points (CLI) 769
Configuring a Personal SSID on an OfficeExtend Access Point Other than 600 Series OEAP 771
Viewing OfficeExtend Access Point Statistics 772
Remote LANs 773
Configuring a Remote LAN (GUI) 773
Configuring a Remote LAN (CLI) 774
CHAPTER 109
Using Cisco Workgroup Bridges 775
Information About Cisco Workgroup Bridges 775
Guidelines and Restrictions for Cisco Workgroup Bridges 777
WGB Configuration Example 778
Viewing the Status of Workgroup Bridges (GUI) 778
Viewing the Status of Workgroup Bridges (CLI) 779
Debugging WGB Issues (CLI) 779
CHAPTER 110
Using Non-Cisco Workgroup Bridges 781
Non-Cisco Workgroup Bridges 781
Restrictions for Non-Cisco Workgroup Bridges 782
CHAPTER 111
Configuring Backup Controllers 783
Backup Controllers 783
Restrictions for Configuring Backup Controllers 784
Configuring Backup Controllers (GUI) 784
Configuring Backup Controllers (CLI) 785
CHAPTER 112
High Availability 789
Information About High Availability 789
Restrictions for High Availability 793
Configuring High Availability (GUI) 795
Enabling High Availability (CLI) 796
Configuring High Availability Parameters (CLI) 798
Replacing the Primary Controller in an HA Setup 799
CHAPTER 113
Configuring Failover Priority for Access Points 801
Failover Priority for Access Points 801
Configuring Failover Priority for Access Points (GUI) 801
Configuring Failover Priority for Access Points (CLI) 802
Viewing Failover Priority Settings (CLI) 802
CHAPTER 114
Configuring Access Point Retransmission Interval and Retry Count 805
AP Retransmission Interval and Retry Count 805
Restrictions for Access Point Retransmission Interval and Retry Count 805
Configuring the AP Retransmission Interval and Retry Count (GUI) 806
Configuring the Access Point Retransmission Interval and Retry Count (CLI) 806
CHAPTER 115
Country Codes 809
Information About Configuring Country Codes 809
Restrictions for Configuring Country Codes 810
Configuring Country Codes (GUI) 810
Configuring Country Codes (CLI) 811
CHAPTER 116
Optimizing RFID Tracking on Access Points 813
Optimizing RFID Tracking on Access Points 813
Optimizing RFID Tracking on Access Points (GUI) 813
Optimizing RFID Tracking on Access Points (CLI) 814
CHAPTER 117
Configuring Probe Request Forwarding 815
Probe Request Forwarding 815
Configuring Probe Request Forwarding (CLI) 815
CHAPTER 118
Retrieving the Unique Device Identifier on Controllers and Access Points 817
Retrieving the Unique Device Identifier on Controllers and Access Points 817
Retrieving the Unique Device Identifier on Controllers and Access Points (GUI) 817
Retrieving the Unique Device Identifier on Controllers and Access Points (CLI) 818
CHAPTER 119
Performing a Link Test 819
Link Test 819
Performing a Link Test (GUI) 820
Performing a Link Test (CLI) 820
CHAPTER 120
Configuring Link Latency 823
Link Latency 823
Restrictions for Link Latency 824
Configuring Link Latency (GUI) 824
Configuring Link Latency (CLI) 824
CHAPTER 121
Configuring the TCP MSS 827
TCP Adjust MSS 827
Configuring TCP Adjust MSS (GUI) 827
Configuring TCP Adjust MSS (CLI) 828
CHAPTER 122
Configuring Power Over Ethernet 829
Information About Configuring Power over Ethernet 829
Configuring Power over Ethernet (GUI) 831
Configuring Power over Ethernet (CLI) 832
CHAPTER 123
Viewing Clients 835
Viewing Clients (GUI) 835
Viewing Clients (CLI) 836
CHAPTER 124
Configuring LED States for Access Points 837
Configuring LED States 837
LED States for Access Points 837
Configuring the LED State for Access Points in a Network Globally (GUI) 837
Configuring the LED State for Access Point in a Network Globally (CLI) 837
Configuring LED State on a Specific Access Point (GUI) 838
Configuring LED State on a Specific Access Point (CLI) 838
Configuring Flashing LEDs 838
Information About Configuring Flashing LEDs 838
Configuring Flashing LEDs (CLI) 838
CHAPTER 125
Configuring Access Points with Dual-Band Radios 841
Configuring Access Points with Dual-Band Radios (GUI) 841
Configuring Access Points with Dual-Band Radios (CLI) 841
PART VII
Radio Resource Management 843
CHAPTER 126
Configuring RRM 845
Information about Radio Resource Management 845
Radio Resource Monitoring 846
Transmit Power Control 846
Overriding the TPC Algorithm with Minimum and Maximum Transmit Power Settings 846
Dynamic Channel Assignment 847
Coverage Hole Detection and Correction 849
Benefits of RRM 849
RRM NDP and RF Grouping 849
Information About Configuring RRM 850
Restrictions for Configuring RRM 850
Configuring the RF Group Mode (GUI) 851
Configuring the RF Group Mode (CLI) 851
Configuring Transmit Power Control (GUI) 852
Configuring Off-Channel Scanning Defer 853
Off-Channel Scanning Deferral 853
Configuring Off-Channel Scanning Defer for WLANs 854
Configuring Off-Channel Scanning Deferral for a WLAN (GUI) 854
Configuring Off Channel Scanning Deferral for a WLAN (CLI) 854
Configuring Dynamic Channel Assignment (GUI) 855
Configuring Coverage Hole Detection (GUI) 858
Configuring RRM Profile Thresholds, Monitoring Channels, and Monitor Intervals (GUI) 859
Configuring RRM (CLI) 860
Viewing RRM Settings (CLI) 865
Debug RRM Issues (CLI) 865
CHAPTER 127
Configuring RRM Neighbor Discovery Packets 867
RRM NDP and RF Grouping 867
Configuring RRM NDP (CLI) 868
CHAPTER 128
Configuring RF Groups 869
Information About RF Groups 869
RF Group Leader 870
RF Group Name 872
Controllers and APs in RF Groups 872
Configuring RF Groups 873
Configuring an RF Group Name (GUI) 873
Configuring an RF Group Name (CLI) 873
Viewing the RF Group Status 873
Viewing the RF Group Status (GUI) 874
Viewing the RF Group Status (CLI) 874
Configuring Rogue Access Point Detection in RF Groups 875
Rogue Access Point Detection in RF Groups 875
Configuring Rogue Access Point Detection in RF Groups 875
Enabling Rogue Access Point Detection in RF Groups (GUI) 875
Configuring Rogue Access Point Detection in RF Groups (CLI) 876
CHAPTER 129
Overriding RRM 877
Overriding RRM 877
Prerequisites for Overriding RRM 877
Statically Assigning Channel and Transmit Power Settings to Access Point Radios 878
Statically Assigning Channel and Transmit Power Settings (GUI) 878
Statically Assigning Channel and Transmit Power Settings (CLI) 879
Disabling Dynamic Channel and Power Assignment Globally for a Cisco Wireless LAN Controller 882
Disabling Dynamic Channel and Power Assignment (GUI) 882
Disabling Dynamic Channel and Power Assignment (CLI) 883
CHAPTER 130
Configuring CCX Radio Management Features 885
CCX Radio Management 885
Radio Measurement Requests 885
Location Calibration 886
Configuring CCX Radio Management 886
Configuring CCX Radio Management (GUI) 886
Configuring CCX Radio Management (CLI) 887
Viewing CCX Radio Management Information (CLI) 887
Debugging CCX Radio Management Issues (CLI) 888
PART VIII
Cisco CleanAir 891
CHAPTER 131
Information About CleanAir 893
CleanAir 893
Role of the Cisco Wireless LAN Controller in a Cisco CleanAir System 894
Interference Types that Cisco CleanAir Can Detect 894
Persistent Devices 895
Persistent Devices Detection 895
Persistent Devices Propagation 895
Detecting Interferers by an Access Point 896
CHAPTER 132
Guidelines and Limitations 897
Prerequisites for CleanAir 897
Restrictions for CleanAir 898
CHAPTER 133
Cisco CleanAir 899
Configuring Cisco CleanAir on the Controller 899
Configuring Cisco CleanAir on Cisco WLC (GUI) 899
Configuring Cisco CleanAir on Cisco WLC (CLI) 901
Configuring Cisco CleanAir on an Access Point 904
Configuring Cisco CleanAir on an Access Point (GUI) 904
Configuring Cisco CleanAir on an Access Point (CLI) 905
CHAPTER 134
Monitoring the Interference Devices 907
Prerequisites for Monitoring the Interference Devices 907
Monitoring the Interference Device (GUI) 907
Monitoring the Interference Device (CLI) 909
Detecting Interferers by an Access Point 909
Detecting Interferers by Device Type 909
Detecting Persistent Sources of Interference 911
Monitoring Persistent Devices (GUI) 911
Monitoring Persistent Devices (CLI) 911
Monitoring the Air Quality of Radio Bands 912
Monitoring the Air Quality of Radio Bands (GUI) 912
Monitoring the Air Quality of Radio Bands (CLI) 913
Viewing a Summary of the Air Quality 913
Viewing Air Quality for all Access Points on a Radio Band 913
Viewing Air Quality for an Access Point on a Radio Band (CLI) 913
Monitoring the Worst Air Quality of Radio Bands (GUI) 913
Monitoring the Worst Air Quality of Radio Bands (CLI) 914
Viewing a Summary of the Air Quality (CLI) 914
Viewing the Worst Air Quality Information for all Access Points on a Radio Band (CLI) 914
Viewing the Air Quality for an Access Point on a Radio Band (CLI) 914
Viewing the Air Quality for an Access Point by Device Type (CLI) 914
Detecting Persistent Sources of Interference (CLI) 915
CHAPTER 135
Configuring a Spectrum Expert Connection 917
Spectrum Expert Connection 917
Configuring Spectrum Expert (GUI) 918
PART IX
FlexConnect 921
CHAPTER 136
FlexConnect 923
FlexConnect Overview 923
FlexConnect Authentication Process 925
Guidelines and Restrictions on FlexConnect 929
Configuring FlexConnect 931
Configuring the Switch at a Remote Site 931
Configuring the Controller for FlexConnect 931
Configuring the Controller for FlexConnect for a Centrally Switched WLAN Used for Guest Access 932
Configuring the Controller for FlexConnect (GUI) 933
Configuring the Controller for FlexConnect (CLI) 934
Configuring an Access Point for FlexConnect 936
Configuring an Access Point for FlexConnect (GUI) 936
Configuring an Access Point for FlexConnect (CLI) 938
Configuring an Access Point for Local Authentication on a WLAN (GUI) 940
Configuring an Access Point for Local Authentication on a WLAN (CLI) 940
Connecting Client Devices to WLANs 941
CHAPTER 137
Configuring FlexConnect ACLs 943
FlexConnect Access Control Lists 943
Restrictions for FlexConnect Access Control Lists 943
Configuring FlexConnect Access Control Lists (GUI) 944
Configuring FlexConnect Access Control Lists (CLI) 946
Viewing and Debugging FlexConnect Access Control Lists (CLI) 948
CHAPTER 138
Configuring FlexConnect Groups 949
Information About FlexConnect Groups 949
FlexConnect Groups and Backup RADIUS Servers 950
FlexConnect Groups and Fast Secure Roaming 950
FlexConnect Groups and Opportunistic Key Caching 950
FlexConnect Groups and Local Authentication Server 951
Configuring FlexConnect Groups 952
Configuring FlexConnect Groups (GUI) 952
Configuring FlexConnect Groups (CLI) 955
FlexConnect AP Image Upgrades 957
Restrictions on FlexConnect AP Image Upgrades 957
Configuring FlexConnect AP Upgrades (GUI) 958
Configuring FlexConnect AP Upgrades (CLI) 958
OfficeExtend Access Points 959
OfficeExtend Access Points 959
OEAP 600 Series Access Points 960
OEAP in Local Mode 960
Supported WLAN Settings for 600 Series OfficeExtend Access Point 961
WLAN Security Settings for the 600 Series OfficeExtend Access Point 961
Authentication Settings 965
Supported User Count on 600 Series OfficeExtend Access Point 965
Remote LAN Settings 965
Channel Management and Settings 966
Firewall Settings 967
Additional Caveats 968
Configuring VLAN-ACL Mapping on FlexConnect Groups 968
Configuring VLAN-ACL Mapping on FlexConnect Groups (GUI) 968
Configuring VLAN-ACL Mapping on FlexConnect Groups (CLI) 969
Viewing VLAN-ACL Mappings (CLI) 969
CHAPTER 139
Configuring AAA Overrides for FlexConnect 971
Authentication, Authorization, Accounting Overrides 971
Restrictions on AAA Overrides for FlexConnect 972
Configuring AAA Overrides for FlexConnect on an Access Point (GUI) 972
Configuring VLAN Overrides for FlexConnect on an Access Point (CLI) 973
CHAPTER 140
FlexConnect AP Image Upgrades 975
FlexConnect AP Image Upgrades 975
Restrictions on FlexConnect AP Image Upgrades 975
Configuring FlexConnect AP Upgrades (GUI) 976
Configuring FlexConnect AP Upgrades (CLI) 976
PART X
Mobility Groups 979
CHAPTER 141
Mobility Groups 981
Information About Mobility Groups 981
Prerequisites for Configuring Mobility Groups 984
Configuring Mobility Groups (GUI) 985
Configuring Mobility Groups (CLI) 987
Viewing Mobility Group Statistics (GUI) 988
Viewing Mobility Group Statistics (CLI) 990
Information about Encrypted Mobility Tunnel 990
Restrictions for Encrypted Mobility Tunnel 990
Configuring Global Encrypted Mobility Tunnel (GUI) 990
Configuring Global Encrypted Mobility Tunnel (CLI) 991
CHAPTER 142
Viewing Mobility Group Statistics 993
Viewing Mobility Group Statistics (GUI) 993
Viewing Mobility Group Statistics (CLI) 994
CHAPTER 143
Auto-Anchor Mobility 997
Information about Auto-Anchor Mobility 997
Restrictions for Auto-Anchor Mobility 998
Configuring Auto-Anchor Mobility (GUI) 999
Configuring Auto-Anchor Mobility (CLI) 1000
Dynamic Anchoring for Clients with Static IP 1001
How Dynamic Anchoring of Static IP Clients Works 1001
Restrictions on Dynamic Anchoring for Clients With Static IP Addresses 1002
Configuring Dynamic Anchoring of Static IP Clients (GUI) 1003
Configuring Dynamic Anchoring of Static IP Clients (CLI) 1003
CHAPTER 144
Validating WLAN Mobility Security Values 1005
WLAN Mobility Security Values 1005
CHAPTER 145
Using Symmetric Mobility Tunneling 1007
Information About Symmetric Mobility Tunneling 1007
Guidelines and Limitations 1008
Verifying Symmetric Mobility Tunneling (GUI) 1008
Verifying if Symmetric Mobility Tunneling is Enabled (CLI) 1008
CHAPTER 146
Running Mobility Ping Tests 1009
Mobility Ping Tests 1009
Restrictions for Mobility Ping Tests 1009
Running Mobility Ping Tests (CLI) 1009
CHAPTER 147
Configuring Dynamic Anchoring for Clients with Static IP Addresses 1011
Dynamic Anchoring for Clients with Static IP 1011
How Dynamic Anchoring of Static IP Clients Works 1011
Restrictions on Dynamic Anchoring for Clients With Static IP Addresses 1012
Configuring Dynamic Anchoring of Static IP Clients (GUI) 1012
Configuring Dynamic Anchoring of Static IP Clients (CLI) 1013
CHAPTER 148
Configuring Foreign Mappings
1015
Information About Foreign Mappings 1015
Configuring Foreign Controller MAC Mapping (GUI) 1015
Configuring Foreign Controller MAC Mapping (CLI) 1015
CHAPTER 149
Configuring Proxy Mobile IPv6
1017
Proxy Mobile IPv6 1017
Restrictions on Proxy Mobile IPv6 1019
Configuring Proxy Mobile IPv6 (GUI) 1019
Configuring Proxy Mobile IPv6 (CLI) 1021
Preface
This preface describes the audience, organization, and conventions of this document. It also provides information
on how to obtain other documentation.
Note
The documentation set for this product strives to use bias-free language. For purposes of this documentation
set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial
identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be
present in the documentation due to language that is hardcoded in the user interfaces of the product software,
language used based on RFP documentation, or language that is used by a referenced third-party product.
This preface includes the following sections:
• Audience, on page xlix
• Conventions, on page xlix
• Related Documentation, on page l
Audience
This publication is for experienced network administrators who configure and maintain Cisco wireless
controllers and Cisco lightweight access points.
Conventions
This document uses the following conventions:
Table 1: Conventions
Convention: Indication
bold font: Commands and keywords and user-entered text appear in bold font.
italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[]: Elements in square brackets are optional.
{x | y | z}: Required alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
string: A nonquoted set of characters. Do not use quotation marks around the string. Otherwise, the string will include the quotation marks.
courier font: Terminal sessions and information the system displays appear in courier font.
<>: Nonprinting characters such as passwords are in angle brackets.
[]: Default responses to system prompts are in square brackets.
!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Tip: Means the following information will help you solve a problem.
Caution: Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.
Related Documentation
• Release Notes for Cisco Wireless Controllers and Lightweight Access Points for Cisco Wireless releases
http://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-release-notes-list.html
• Cisco Wireless Solutions Software Compatibility Matrix
https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
• Feature Matrix for Wave 2 and 802.11ax (Wi-Fi 6) Access Points
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html
• Wireless and Mobility home page
https://www.cisco.com/c/en/us/products/wireless/index.html
• Cisco Wireless Controller Configuration Guides
http://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-installation-and-configuration-guides-list.html
• Cisco Wireless Controller Command References
http://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-command-reference-list.html
• Cisco Wireless Controller System Message Guides and Trap Logs
http://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-system-message-guides-list.html
• Cisco Wireless Release Technical References
http://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-technical-reference-list.html
• Cisco Wireless Mesh Access Point Design and Deployment Guides
http://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-technical-reference-list.html
• Cisco Prime Infrastructure
http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-infrastructure/tsd-products-support-series-home.html
• Cisco Connected Mobile Experiences
http://www.cisco.com/c/en_in/solutions/enterprise-networks/connected-mobile-experiences/index.html
• Cisco Mobility Express for Aironet Access Points
https://www.cisco.com/c/en/us/support/wireless/mobility-express/series.html
PART I
System Management
• Cisco Wireless Solution Overview, on page 1
• Getting Started, on page 11
• Managing Licenses, on page 51
• Configuring 802.11 Bands, on page 69
• Configuring 802.11 Parameters, on page 77
• Configuring DHCP Proxy, on page 83
• Configuring SNMP, on page 87
• Configuring Aggressive Load Balancing, on page 93
• Configuring Fast SSID Changing, on page 97
• Configuring 802.3 Bridging, on page 99
• Configuring Multicast, on page 101
• Configuring Client Roaming, on page 117
• Configuring IP-MAC Address Binding, on page 123
• Configuring Quality of Service, on page 125
• Configuring Application Visibility and Control, on page 133
• Configuring Media and EDCA Parameters, on page 139
• Configuring the Cisco Discovery Protocol, on page 157
• Configuring Authentication for the Controller and NTP/SNTP Server, on page 165
• Configuring RFID Tag Tracking, on page 167
• Resetting the Controller to Default Settings, on page 171
• Managing Controller Software and Configurations, on page 173
• Managing User Accounts, on page 205
• Managing Web Authentication, on page 217
• Configuring Wired Guest Access, on page 237
• Troubleshooting, on page 245
CHAPTER 1
Cisco Wireless Solution Overview
Cisco Wireless Solution is designed to provide 802.11 wireless networking solutions for enterprises and
service providers. Cisco Wireless Solution simplifies deploying and managing large-scale wireless LANs and
enables a unique best-in-class security infrastructure. The operating system manages all data, client
communications, and system administration functions, performs radio resource management (RRM) functions,
manages system-wide mobility policies using the operating system security solution, and coordinates all
security functions using the operating system security framework.
This figure shows a sample architecture of a Cisco Wireless Enterprise Network:
Figure 1: Sample Cisco Wireless Enterprise Network Architecture
The interconnected elements that work together to deliver a unified enterprise-class wireless solution include
the following:
• Client devices
• Access points (APs)
• Network unification through Cisco Wireless Controllers (controllers)
• Network management
• Mobility services
Beginning with a base of client devices, each element adds capabilities as the network needs to evolve and
grow, interconnecting with the elements above and below it to create a comprehensive, secure wireless LAN
(WLAN) solution.
• Core Components, on page 2
• Operating System Software, on page 5
• Operating System Security, on page 5
• Layer 2 and Layer 3 Operation, on page 6
• Cisco Wireless Controllers, on page 7
• Cisco Wireless Solution WLANs, on page 8
• File Transfers, on page 9
• Power over Ethernet, on page 9
• Cisco Wireless Controller Memory, on page 9
• Cisco Wireless Controller Failover Protection, on page 9
Core Components
A Cisco Wireless network consists of the following core components:
• Cisco Wireless Controllers: Cisco Wireless Controllers (controllers) are enterprise-class high-performance
wireless switching platforms that support 802.11a/n and 802.11b/g/n protocols. They operate under
control of the AireOS operating system, which includes the radio resource management (RRM), creating
a Cisco Wireless solution that can automatically adjust to real-time changes in the 802.11 radio frequency
(802.11 RF) environment. Controllers are built around high-performance network and security hardware,
resulting in highly reliable 802.11 enterprise networks with unparalleled security.
The following controllers are supported:
• Cisco 2504 Wireless Controller
• Cisco 5508 Wireless Controller
• Cisco Flex 7510 Wireless Controller
• Cisco 8510 Wireless Controller
• Cisco Virtual Wireless Controller
• Catalyst Wireless Services Module 2 (WiSM2)
• Cisco Access Points: Cisco access points (APs) can be deployed in a distributed or centralized network
for a branch office, campus, or large enterprise. For more information about APs, see
https://www.cisco.com/c/en/us/products/wireless/access-points/index.html
• Cisco Prime Infrastructure (PI): Cisco Prime Infrastructure can be used to configure and monitor one or
more controllers and associated APs. Cisco PI has tools to facilitate large-system monitoring and control.
When you use Cisco PI in your Cisco wireless solution, controllers periodically determine the client,
rogue access point, rogue access point client, radio frequency ID (RFID) tag location and store the
locations in the Cisco PI database. For more information about Cisco PI, see
https://www.cisco.com/c/en/us/support/cloud-systems-management/prime-infrastructure/series.html.
• Cisco Connected Mobile Experiences (CMX): Cisco Mobility Services Engine (Cisco MSE) acts as a
platform to deploy and run Cisco Connected Mobile Experiences (Cisco CMX). Cisco MSE is delivered in
two modes—the physical appliance (box) and the virtual appliance (deployed using VMware vSphere Client).
Using your Cisco wireless network and location intelligence from Cisco MSE, Cisco CMX helps you create
personalized mobile experiences for end users and gain operational efficiency with location-based services.
For more information about Cisco CMX, see
https://www.cisco.com/c/en/us/support/wireless/connected-mobile-experiences/series.html.
• Cisco DNA Spaces: Cisco DNA Spaces is a multichannel engagement platform that enables you to
connect, know, and engage with visitors at their physical business locations. It covers various verticals
of business such as retail, manufacturing, hospitality, healthcare, education, financial services, enterprise
work spaces, and so on. Cisco DNA Spaces also provides solutions for monitoring and managing the
assets in your premises.
The Cisco DNA Spaces: Connector enables Cisco DNA Spaces to communicate efficiently with multiple Cisco
Wireless Controllers (controllers) by allowing each controller to transmit high-intensity client data
without missing any client information.
For information about how to configure Cisco DNA Spaces and the Connector, see
https://www.cisco.com/c/en/us/support/wireless/dna-spaces/products-installation-and-configuration-guides-list.html.
For more information about design considerations for enterprise mobility, see the Enterprise Mobility Design
Guide at:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-5_Deployment_Guide.html
Overview of Cisco Mobility Express
The Cisco Mobility Express wireless network solution comprises at least one Cisco Wave 2 AP with an
in-built software-based wireless controller managing other Cisco APs in the network.
The AP acting as the controller is referred to as the primary AP while the other APs in the Cisco Mobility
Express network, which are managed by this primary AP, are referred to as subordinate APs.
In addition to acting as a controller, the primary AP also operates as an AP to serve clients along with the
subordinate APs.
Cisco Mobility Express provides most features of a controller and can interface with the following:
• Cisco Prime Infrastructure: For simplified network management, including managing AP groups
• Cisco Identity Services Engine: For advanced policy enforcement
• Connected Mobile Experiences (CMX): For providing presence analytics and guest access using Connect
& Engage
For more information about using Cisco Mobility Express, see the user guide for relevant releases at:
https://www.cisco.com/c/en/us/support/wireless/mobility-express/products-installation-and-configuration-guides-list.html
Single-Controller Deployments
A standalone controller can support lightweight access points across multiple floors and buildings
simultaneously and support the following features:
• Autodetecting and autoconfiguring lightweight access points as they are added to the network.
• Full control of lightweight access points.
• Lightweight access points connect to controllers through the network. The network equipment may or
may not provide Power over Ethernet (PoE) to the access points.
Some controllers use redundant Gigabit Ethernet connections to bypass single network failures.
Note
Some controllers can connect through multiple physical ports to multiple subnets in the network. This feature
can be helpful when you want to confine multiple VLANs to separate subnets.
This figure shows a typical single-controller deployment.
Figure 2: Single-Controller Deployment
Multiple-Controller Deployments
Each controller can support lightweight access points across multiple floors and buildings simultaneously.
However, full functionality of the Cisco wireless LAN solution occurs when it includes multiple controllers.
A multiple-controller system has the following additional features:
• Autodetecting and autoconfiguring RF parameters as the controllers are added to the network.
• Same-subnet (Layer 2) roaming and inter-subnet (Layer 3) roaming.
• Automatic access point failover to any redundant controller with a reduced access point load.
Figure 3: Typical Multiple-Controller Deployment
The following figure shows a typical multiple-controller deployment. The figure also shows an optional
dedicated management network and the three physical connection types between the network and the controllers.
Operating System Software
The operating system software controls controllers and lightweight access points. It includes full operating
system security and radio resource management (RRM) features.
Operating System Security
Operating system security bundles Layer 1, Layer 2, and Layer 3 security components into a simple, Cisco
WLAN solution-wide policy manager that creates independent security policies for each of up to 16 wireless
LANs.
The 802.11 Static WEP weaknesses can be overcome using the following robust industry-standard security
solutions:
• 802.1X dynamic keys with extensible authentication protocol (EAP).
• Wi-Fi protected access (WPA) dynamic keys. The Cisco WLAN solution WPA implementation includes:
• Temporal key integrity protocol (TKIP) and message integrity code checksum dynamic keys
• WEP keys, with or without a preshared key passphrase
• RSN with or without a preshared key
• Optional MAC filtering
The WEP problem can be further solved using the following industry-standard Layer 3 security solutions:
• Passthrough VPNs
• Local and RADIUS MAC address filtering
• Local and RADIUS user/password authentication
• Manual and automated disabling to block access to network services. In manual disabling, you block
access using client MAC addresses. In automated disabling, which is always active, the operating system
software automatically blocks access to network services for a user-defined period of time when a client
fails to authenticate for a fixed number of consecutive attempts. This feature can be used to deter
brute-force login attacks.
These and other security features use industry-standard authorization and authentication methods to ensure
the highest possible security for your business-critical wireless LAN traffic.
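The automated disabling described above (a timed block after a fixed number of consecutive authentication failures, alongside manual blocking by MAC address) can be modelled as a small policy engine. The following is an added example, not the controller's own code: the failure threshold, the exclusion period, the event line format and the class and function names are assumptions chosen for illustration, and the authentication events are constructed sample data.

```python
"""Manual and automatic client blocking, modelled after the "disabling" feature.

Added illustration, not the controller's own code: a client that fails
authentication MAX_CONSECUTIVE_FAILURES times in a row is blocked for
EXCLUSION_SECONDS, a successful authentication resets the counter, and a
manually blocked MAC stays blocked. Thresholds, event format and names are
assumptions for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

MAX_CONSECUTIVE_FAILURES = 5   # assumed threshold (the real value is configurable)
EXCLUSION_SECONDS = 60         # assumed user-defined exclusion period

# Constructed authentication events: "t=<seconds> mac=<client MAC> result=<ok|fail>"
SAMPLE_EVENTS = [
    "t=0 mac=00:11:22:33:44:55 result=fail",
    "t=1 mac=00:11:22:33:44:55 result=fail",
    "t=2 mac=00:11:22:33:44:55 result=ok",     # success resets the failure counter
    "t=3 mac=00:11:22:33:44:55 result=fail",
    "t=4 mac=00:11:22:33:44:55 result=fail",
    "t=5 mac=00:11:22:33:44:55 result=fail",
    "t=6 mac=00:11:22:33:44:55 result=fail",
    "t=7 mac=00:11:22:33:44:55 result=fail",   # fifth consecutive failure: excluded
    "t=8 mac=00:11:22:33:44:55 result=ok",     # still inside the exclusion period
    "t=70 mac=00:11:22:33:44:55 result=ok",    # period elapsed: admitted again
    "t=70 mac=aa:bb:cc:dd:ee:01 result=ok",    # unrelated client is unaffected
    "t=71 mac=aa:bb:cc:dd:ee:02 result=ok",    # manually blocked client stays blocked
]

_EVENT_RE = re.compile(r"t=(?P<t>\d+) mac=(?P<mac>[0-9a-f:]{17}) result=(?P<result>ok|fail)")


@dataclass
class ExclusionPolicy:
    max_failures: int = MAX_CONSECUTIVE_FAILURES
    exclusion_seconds: int = EXCLUSION_SECONDS
    manual_blocks: Set[str] = field(default_factory=set)            # manual disabling by MAC
    failures: Dict[str, int] = field(default_factory=dict)          # consecutive failures per MAC
    excluded_until: Dict[str, float] = field(default_factory=dict)  # automatic exclusion expiry

    def block_manually(self, mac: str) -> None:
        self.manual_blocks.add(mac.lower())

    def is_blocked(self, mac: str, now: float) -> bool:
        mac = mac.lower()
        if mac in self.manual_blocks:
            return True
        expiry = self.excluded_until.get(mac)
        if expiry is None:
            return False
        if now >= expiry:
            # Exclusion period elapsed: lift the block and start counting afresh.
            del self.excluded_until[mac]
            self.failures.pop(mac, None)
            return False
        return True

    def record_auth(self, mac: str, success: bool, now: float) -> bool:
        """Feed one authentication outcome; return True if the client is blocked afterwards."""
        mac = mac.lower()
        if self.is_blocked(mac, now):
            return True
        if success:
            self.failures.pop(mac, None)
            return False
        count = self.failures.get(mac, 0) + 1
        self.failures[mac] = count
        if count >= self.max_failures:
            self.excluded_until[mac] = now + self.exclusion_seconds
            self.failures.pop(mac, None)
            return True
        return False


def replay(events: List[str], policy: ExclusionPolicy) -> List[bool]:
    """Run the events through the policy; one blocked/admitted flag per event."""
    blocked = []
    for line in events:
        m = _EVENT_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unparseable event: {line!r}")
        blocked.append(policy.record_auth(m["mac"], m["result"] == "ok", float(m["t"])))
    return blocked


def replay_sample() -> List[bool]:
    policy = ExclusionPolicy()
    policy.block_manually("aa:bb:cc:dd:ee:02")  # manual disabling by MAC address
    return replay(SAMPLE_EVENTS, policy)


if __name__ == "__main__":
    for line, flag in zip(SAMPLE_EVENTS, replay_sample()):
        print(f"{'BLOCKED ' if flag else 'admitted'}  {line}")
```

The design point worth noticing is that the counter is per client and counts consecutive failures only: a single success clears it, and a client that is already excluded is not re-counted until its period expires, which is what bounds the rate at which repeated password guesses can be tried against a WLAN.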
Layer 2 and Layer 3 Operation
Lightweight Access Point Protocol (LWAPP) communications between the controller and lightweight access
points can be conducted at Layer 2 or Layer 3. Control and Provisioning of Wireless Access Points protocol
(CAPWAP) communications between the controller and lightweight access points are conducted at Layer 3.
Layer 2 mode does not support CAPWAP.
Note
The IPv4 network layer protocol is supported for transport through a CAPWAP or LWAPP controller system.
IPv6 (for clients only) and Appletalk are also supported but only on Cisco 5500 Series Controllers and the
Cisco WiSM2. Other Layer 3 protocols (such as IPX, DECnet Phase IV, OSI CLNP, and so on) and Layer 2
(bridged) protocols (such as LAT and NetBeui) are not supported.
Operational Requirements
The requirement for Layer 3 LWAPP communications is that the controller and lightweight access points can
be connected through Layer 2 devices on the same subnet or connected through Layer 3 devices across subnets.
Another requirement is that the IP addresses of access points should be either statically assigned or dynamically
assigned through an external DHCP server.
The requirement for Layer 3 CAPWAP communications across subnets is that the controller and lightweight
access points are connected through Layer 3 devices. Another requirement is that the IP addresses of access
points should be either statically assigned or dynamically assigned through an external DHCP server.
Configuration Requirements
When you are operating the Cisco wireless LAN solution in Layer 2 mode, you must configure a management
interface to control your Layer 2 communications.
When you are operating the Cisco wireless LAN solution in Layer 3 mode, you must configure an AP-manager
interface to control lightweight access points and a management interface as configured for Layer 2 mode.
Cisco Wireless Controllers
When you are adding lightweight access points to a multiple-Cisco WLC deployment network, it is convenient
to have all lightweight access points associate with one primary Cisco WLC on the same subnet. That way,
you do not have to log into multiple Cisco WLCs to find out which controller the newly-added lightweight
access points associated with.
One Cisco WLC in each subnet can be assigned as the primary Cisco WLC while adding lightweight access
points. As long as a primary Cisco WLC is active on the same subnet, all new access points without a primary,
secondary, and tertiary controller assigned automatically attempt to associate with the primary Cisco WLC.
You can monitor the primary Cisco WLC using the Cisco Prime Infrastructure and watch as access points
associate with the primary Cisco WLC. You can then verify the access point configuration and assign a
primary, secondary, and tertiary Cisco WLC to the access point, and reboot the access point so it reassociates
with its primary, secondary, or tertiary Cisco WLC.
Note
Lightweight access points without a primary, secondary, and tertiary Cisco WLC assigned always search for
a primary Cisco WLC first upon reboot. After adding lightweight access points through the primary Cisco
WLC, you should assign primary, secondary, and tertiary Cisco WLCs to each access point. We recommend
that you disable the primary setting on all Cisco WLCs after initial configuration.
Client Location
When you use Cisco Prime Infrastructure in your Cisco wireless LAN solution, Cisco WLCs periodically
determine the client, rogue access point, rogue access point client, radio frequency ID (RFID) tag location
and store the locations in the Cisco Prime Infrastructure database.
Cisco Mobility Services Engine (Cisco MSE) acts as a platform to deploy and run Cisco Connected Mobile
Experiences (Cisco CMX). Cisco MSE is delivered in two modes—the physical appliance (box) and the
virtual appliance (deployed using VMware vSphere Client). Using your Cisco wireless network and location
intelligence from Cisco MSE, Cisco CMX helps you create personalized mobile experiences for end users
and gain operational efficiency with location-based services. For more information about Cisco CMX, see
https://www.cisco.com/c/en/us/support/wireless/connected-mobile-experiences/tsd-products-support-series-home.html.
Cisco WLC Platforms
Cisco WLCs are enterprise-class high-performance wireless switching platforms that support 802.11a/n and
802.11b/g/n protocols. They operate under control of the operating system, which includes the radio resource
management (RRM), creating a Cisco Wireless solution that can automatically adjust to real-time changes in
the 802.11 RF environment. Cisco WLCs are built around high-performance network and security hardware,
resulting in highly reliable 802.11 enterprise networks with unparalleled security.
The following Cisco WLCs are supported:
• Cisco 2504 Wireless Controller
• Cisco 5508 Wireless Controller
• Cisco Flex 7510 Wireless Controller
• Cisco 8510 Wireless Controller
• Cisco Virtual Wireless Controller
• Catalyst Wireless Services Module 2 (WiSM2)
Cisco Wireless Solution WLANs
The Cisco Wireless solution can control up to 512 WLANs for lightweight access points. Each WLAN has a
separate WLAN ID (1 through 512), a separate profile name, and a WLAN SSID and can be assigned with
unique security policies. The lightweight access points broadcast all active Cisco Wireless solution WLAN
SSIDs and enforce the policies defined for each WLAN.
Note
We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management
interfaces to ensure that controllers operate with optimum performance and ease of management.
If management over wireless is enabled across the Cisco Wireless solution, you can manage the system across
the enabled WLAN using CLI and Telnet, HTTP/HTTPS, and SNMP.
File Transfers
You can upload and download operating system code, configuration, and certificate files to and from the
controller using the GUI, CLI, or .
Power over Ethernet
Lightweight access points can receive power through their Ethernet cables from 802.3af-compatible Power
over Ethernet (PoE) devices, which can reduce the cost of discrete power supplies, additional wiring, conduits,
outlets, and installation time. PoE frees you from having to mount lightweight access points or other powered
equipment near AC outlets, which provides greater flexibility in positioning the access points for maximum
coverage.
When you are using PoE, you run a single CAT-5 cable from each lightweight access point to PoE-equipped
network elements, such as a PoE power hub or a Cisco WLAN solution single-line PoE injector. When the
PoE equipment determines that the lightweight access point is PoE-enabled, it sends 48 VDC over the unused
pairs in the Ethernet cable to power the access point.
The PoE cable length is limited by the 100BASE-T or 10BASE-T specification to 100 m or 200 m, respectively.
Cisco Wireless Controller Memory
The controller contains two kinds of memory: volatile RAM, which holds the current, active controller
configuration, and NVRAM (nonvolatile RAM), which holds the reboot configuration. When you are
configuring the operating system in the controller, you are modifying volatile RAM; you must save the
configuration from the volatile RAM to the NVRAM to ensure that the controller reboots in the current
configuration.
Knowing which memory you are modifying is important when you are doing the following tasks:
• Using the configuration wizard
• Clearing the controller configuration
• Saving configurations
• Resetting the controller
• Logging out of the CLI
Cisco Wireless Controller Failover Protection
During installation, we recommend that you connect all lightweight access points to a dedicated controller,
and configure each lightweight access point for final operation. This step configures each lightweight access
point for a primary, secondary, and tertiary controller and allows it to store the configured mobility group
information.
During the failover recovery, the following tasks are performed:
• The configured access point attempts to contact the primary, secondary, and tertiary controllers, and then
attempts to contact the IP addresses of the other controllers in the mobility group.
• DNS is resolved with the controller IP address.
• DHCP servers get the controller IP addresses (vendor-specific option 43 in DHCP offer).
In multiple-controller deployments, if one controller fails, the access points perform the following tasks:
• If the lightweight access point has a primary, secondary, and tertiary controller assigned, it attempts to
associate with that controller.
• If the access point has no primary, secondary, or tertiary controllers assigned or if its primary, secondary,
or tertiary controllers are unavailable, it attempts to associate with a primary controller.
• If the access point finds no primary controller, it attempts to contact stored mobility group members by
the IP address.
• If the mobility group members are available, and if the lightweight access point has no primary, secondary,
and tertiary controllers assigned and there is no primary controller active, it attempts to associate with
the least-loaded controller to respond to its discovery messages.
When controllers are deployed, if one controller fails, active access point client sessions are momentarily
dropped while the dropped access point associates with another controller, allowing the client device to
immediately reassociate and reauthenticate.
To know more about high availability, see
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107250-ha-wlc.html.
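The failover order in the list above (configured primary, secondary and tertiary controllers first; then the subnet's designated primary controller; then stored mobility group members contacted by IP, with the least-loaded responder winning) can be written down as a selection function and exercised branch by branch. What follows is an added example and not the controller or access point software's own code: the Controller and ApConfig data model, the sample controller names, addresses and loads are all constructed for illustration.

```python
"""Controller selection order an access point follows after losing its controller.

Added worked example of the failover sequence described in the text. The data
model and the sample controllers are constructed for illustration; this is not
the controller software's own code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Controller:
    name: str
    ip: str
    reachable: bool = True      # answers discovery requests at the moment of failover
    ap_count: int = 0           # AP load reported in its discovery response
    max_aps: int = 100          # licensed AP capacity
    is_master: bool = False     # the subnet's designated "primary controller" for new APs

    @property
    def load(self) -> float:
        return self.ap_count / self.max_aps


@dataclass
class ApConfig:
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None
    mobility_group_ips: List[str] = field(default_factory=list)  # stored from the last join


def select_controller(ap: ApConfig, controllers: Dict[str, Controller]) -> Tuple[Optional[str], str]:
    """Return (controller name or None, reason) in the order the text describes."""
    # 1. The configured primary, secondary and tertiary controllers, in that order.
    for role, name in (("primary", ap.primary), ("secondary", ap.secondary), ("tertiary", ap.tertiary)):
        ctl = controllers.get(name) if name else None
        if ctl is not None and ctl.reachable:
            return ctl.name, f"configured {role}"
    # 2. The subnet's designated primary (master) controller, if one is active.
    for ctl in controllers.values():
        if ctl.is_master and ctl.reachable:
            return ctl.name, "subnet primary controller"
    # 3. Stored mobility group members contacted by IP; the least-loaded responder wins.
    by_ip = {c.ip: c for c in controllers.values()}
    responders = [by_ip[ip] for ip in ap.mobility_group_ips if ip in by_ip and by_ip[ip].reachable]
    if responders:
        best = min(responders, key=lambda c: c.load)
        return best.name, "least-loaded mobility group member"
    return None, "no controller reachable"


def _sample_controllers(a_up: bool, b_up: bool, c_up: bool, c_master: bool) -> Dict[str, Controller]:
    # Constructed sample: three controllers in one mobility group with different loads.
    return {
        "wlc-a": Controller("wlc-a", "10.0.0.1", reachable=a_up, ap_count=80, max_aps=100),
        "wlc-b": Controller("wlc-b", "10.0.0.2", reachable=b_up, ap_count=20, max_aps=100),
        "wlc-c": Controller("wlc-c", "10.0.0.3", reachable=c_up, ap_count=10, max_aps=25,
                            is_master=c_master),
    }


def run_scenarios() -> Dict[str, Optional[str]]:
    """Exercise each branch of the failover order on constructed inputs."""
    group = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    configured = ApConfig(primary="wlc-a", secondary="wlc-b", mobility_group_ips=group)
    unconfigured = ApConfig(mobility_group_ips=group)
    return {
        "all_up": select_controller(configured, _sample_controllers(True, True, True, True))[0],
        "primary_down": select_controller(configured, _sample_controllers(False, True, True, True))[0],
        "configured_down": select_controller(configured, _sample_controllers(False, False, True, True))[0],
        "no_master": select_controller(unconfigured, _sample_controllers(True, True, True, False))[0],
        "nothing_up": select_controller(unconfigured, _sample_controllers(False, False, False, True))[0],
    }


if __name__ == "__main__":
    for scenario, chosen in run_scenarios().items():
        print(f"{scenario}: {chosen}")
```

Note the two different meanings of "primary" the text relies on: the AP's configured primary controller (step 1) and the controller designated as the primary controller for its subnet so that unconfigured APs join it (step 2). The recommendation earlier in this chapter to disable the subnet primary setting after initial deployment removes step 2 from the sequence, so an AP with a stale or empty configuration falls straight through to its stored mobility group members.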
CHAPTER 2
Getting Started
• Configuring the Controller Using the Configuration Wizard, on page 11
• Connecting the Console Port of the Controller, on page 11
• Configuring the Controller (GUI), on page 12
• Configuring the Controller—Using the CLI Configuration Wizard, on page 23
• Using the Controller Interface, on page 25
• Information about Loading an Externally Generated SSL Certificate, on page 29
• Loading an Externally Generated SSL Certificate, on page 30
• Loading an SSL Certificate (GUI), on page 30
• Loading an SSL Certificate (CLI), on page 30
• Using the Controller CLI, on page 31
• Using the AutoInstall Feature for Controllers Without a Configuration, on page 35
• Information About the AutoInstall Feature, on page 36
• Obtaining an IP Address Through DHCP and Downloading a Configuration File from a TFTP Server,
on page 36
• Selecting a Configuration File, on page 37
• Example: AutoInstall Operation, on page 38
• Managing the Controller System Date and Time, on page 39
• Telnet and Secure Shell Sessions, on page 44
• Managing the Controller Wirelessly, on page 48
Configuring the Controller Using the Configuration Wizard
The configuration wizard enables you to configure basic settings on the controller. You can run the wizard
after you receive the controller from the factory or after the controller has been reset to factory defaults. The
configuration wizard is available in both GUI and CLI formats.
Connecting the Console Port of the Controller
Before you can configure the controller for basic operations, you need to connect it to a PC that uses a VT-100
terminal emulation program (such as HyperTerminal, ProComm, Minicom, or Tip).
Note
On Cisco 5500 Series Controllers, you can use either the RJ-45 console port or the USB console port. If you
use the USB console port, plug the 5-pin mini Type B connector into the controller’s USB console port and
the other end of the cable into the PC’s USB Type A port. The first time that you connect a Windows PC to
the USB console port, you are prompted to install the USB console driver. Follow the installation prompts to
install the driver. The USB console driver maps to a COM port on your PC; you then need to map the terminal
emulator application to the COM port.
Step 1
Connect one end of a null-modem serial cable to the controller’s console port and the other end to your PC’s serial port.
Step 2
Start the PC’s VT-100 terminal emulation program.
Step 3
Configure the terminal emulation program for these parameters:
• 9600 baud
• 8 data bits
• 1 stop bit
• No parity
• No hardware flow control
Step 4
Plug the AC power cord into the controller and a grounded 100 to 240 VAC, 50/60-Hz electrical outlet. Turn on the power
supply. The bootup script displays operating system software initialization (code download and power-on self test
verification) and basic configuration.
If the controller passes the power-on self test, the bootup script runs the configuration wizard, which prompts you for
basic configuration input.
Configuring the Controller (GUI)
Step 1
Connect your PC to the service port and configure it to use the same subnet as the controller.
Note
With Cisco 2504 Wireless Controller, connect your PC to port 2 on the controller and configure it to use
the same subnet.
Step 2
Browse to http://192.168.1.1. The configuration wizard is displayed.
Note
You can use both HTTP and HTTPS when using the service port interface. HTTPS is enabled by default and
HTTP can also be enabled.
Note
For the initial GUI Configuration Wizard, you cannot access the controller using an IPv6 address.
Figure 4: Configuration Wizard — System Information Page
Step 3
In the System Name field, enter the name that you want to assign to this controller. You can enter up to 31 ASCII
characters.
Step 4
In the User Name field, enter the administrative username to be assigned to this controller. You can enter up to 24
ASCII characters. The default username is admin.
Step 5
In the Password and Confirm Password boxes, enter the administrative password to be assigned to this controller.
You can enter up to 24 ASCII characters. The default password is admin.
• The password must contain characters from at least three of the following classes:
• Lowercase letters
• Uppercase letters
• Digits
• Special characters
• No character in the password must be repeated more than three times consecutively.
• The new password must not be the same as the associated username and not be the username reversed.
• The password must not be cisco, ocsic, or any variant obtained by changing the capitalization of letters of the word
Cisco. In addition, you cannot substitute 1, I, or ! for i, 0 for o, or $ for s.
Step 6
Click Next. The SNMP Summary page is displayed.
Figure 5: Configuration Wizard—SNMP Summary Page
Step 7
If you want to enable Simple Network Management Protocol (SNMP) v1 mode for this controller, choose Enable from
the SNMP v1 Mode drop-down list. Otherwise, leave this parameter set to Disable.
Note
SNMP manages nodes (servers, workstations, routers, switches, and so on) on an IP network. Currently, there
are three versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3. SNMPv1 and SNMPv2c authenticate requests
with a community string that is sent in cleartext; SNMPv3 adds per-user authentication and encryption. Leave
v1 disabled, enable v2c only if your management station cannot use v3, and prefer SNMPv3 users configured
with both authentication and privacy.
Step 8
If you want to enable SNMPv2c mode for this controller, leave this parameter set to Enable. Otherwise, choose Disable
from the SNMP v2c Mode drop-down list.
Step 9
If you want to enable SNMPv3 mode for this controller, leave this parameter set to Enable. Otherwise, choose Disable
from the SNMP v3 Mode drop-down list.
Step 10
Click Next.
Step 11
When the following message is displayed, click OK:
Default values are present for v1/v2c community strings.
Please make sure to create new v1/v2c community strings
once the system comes up.
Please make sure to create new v3 users once the system comes up.
The factory community strings and the default SNMPv3 user are publicly documented; replace them at first login,
before the controller is reachable from the production network.
The Service Interface Configuration page is displayed.
Figure 6: Configuration Wizard-Service Interface Configuration Page
Step 12
If you want the controller’s service-port interface to obtain an IP address from a DHCP server, check the DHCP
Protocol Enabled check box. If you do not want to use the service port or if you want to assign a static IP address to
the service port, leave the check box unchecked.
Note
The service-port interface controls communications through the service port. Its IP address must be on a
different subnet from the management interface. This configuration enables you to manage the controller
directly or through a dedicated management network to ensure service access during network downtime.
Step 13
Perform one of the following:
• If you enabled DHCP, clear out any entries in the IP Address and Netmask text boxes, leaving them blank.
• If you disabled DHCP, enter the static IP address and netmask for the service port in the IP Address and Netmask
text boxes.
Step 14
Click Next.
The LAG Configuration page is displayed.
Figure 7: Configuration Wizard—LAG Configuration Page
Step 15
To enable link aggregation (LAG), choose Enabled from the Link Aggregation (LAG) Mode drop-down list. To disable
LAG, leave this field set to Disabled.
Step 16
Click Next.
The Management Interface Configuration page is displayed.
Note
The management interface is the default interface for in-band management of the controller and connectivity
to enterprise services such as AAA servers.
Step 17
In the VLAN Identifier field, enter the VLAN identifier of the management interface (either a valid VLAN identifier
or 0 for an untagged VLAN). The VLAN identifier should be set to match the switch interface configuration.
Step 18
In the IP Address field, enter the IP address of the management interface.
Step 19
In the Netmask field, enter the IP address of the management interface netmask.
Step 20
In the Gateway field, enter the IP address of the default gateway.
Step 21
In the Port Number field, enter the number of the port assigned to the management interface. Each interface is mapped
to at least one primary port.
Step 22
In the Backup Port field, enter the number of the backup port assigned to the management interface. If the primary
port for the management interface fails, the interface automatically moves to the backup port.
Step 23
In the Primary DHCP Server field, enter the IP address of the default DHCP server that will supply IP addresses to
clients, the controller’s management interface, and optionally, the service port interface.
Step 24
In the Secondary DHCP Server field, enter the IP address of an optional secondary DHCP server that will supply IP
addresses to clients, the controller’s management interface, and optionally, the service port interface.
Step 25
Click Next. The AP-Manager Interface Configuration page is displayed.
Note
This screen does not appear for Cisco 5508 controllers because you are not required to configure an
AP-manager interface. The management interface acts like an AP-manager interface by default.
Step 26
In the IP Address field, enter the IP address of the AP-manager interface.
Step 27
Click Next. The Miscellaneous Configuration page is displayed.
Figure 8: Configuration Wizard—Miscellaneous Configuration Page
Step 28
In the RF Mobility Domain Name field, enter the name of the mobility group/RF group to which you want the controller
to belong.
Note
Although the name that you enter here is assigned to both the mobility group and the RF group, these groups
are not identical. Both groups define clusters of controllers, but they have different purposes. All of the
controllers in an RF group are usually also in the same mobility group and vice versa. However, a mobility
group facilitates scalable, system-wide mobility and controller redundancy while an RF group facilitates
scalable, system-wide dynamic RF management.
Step 29
The Configured Country Code(s) field shows the code for the country in which the controller will be used. If you
want to change the country of operation, check the check box for the desired country.
Note
You can choose more than one country code if you want to manage access points in multiple countries from
a single controller. After the configuration wizard runs, you must assign each access point joined to the
controller to a specific country.
Step 30
Click Next.
Step 31
When the following message is displayed, click OK:
Warning! To maintain regulatory compliance functionality, the country code
setting may only be modified by a network administrator or qualified
IT professional.
Ensure that proper country codes are selected before proceeding.
The Virtual Interface Configuration page is displayed.
Figure 9: Configuration Wizard — Virtual Interface Configuration Page
Step 32
In the IP Address field, enter the IP address of the controller’s virtual interface. You should enter a fictitious, unassigned
IP address: one that is neither used nor routed anywhere on your network or on the Internet (an address from the
192.0.2.0/24 block reserved for documentation, which is never routed on the Internet, is a safe choice), because
clients are redirected to this address for web authentication.
Note
The virtual interface is used to support mobility management, DHCP relay, and embedded Layer 3 security
such as guest web authentication and VPN termination. All controllers within a mobility group must be
configured with the same virtual interface IP address.
Step 33
In the DNS Host Name field, enter the DNS hostname for the virtual interface. When Layer 3 web authentication is
enabled, clients are redirected to this hostname, and it must match the subject name in the web authentication
certificate so that the client browser can verify the certificate's origin.
Note
To ensure connectivity and web authentication, the DNS server should always point to the virtual interface.
If a DNS hostname is configured for the virtual interface, then the same DNS hostname must be configured
on the DNS servers used by the client.
Step 34
Click Next. The WLAN Configuration page is displayed.
Figure 10: Configuration Wizard — WLAN Configuration Page
Step 35
In the Profile Name field, enter up to 32 alphanumeric characters for the profile name to be assigned to this WLAN.
Step 36
In the WLAN SSID field, enter up to 32 alphanumeric characters for the network name, or service set identifier (SSID).
The SSID enables basic functionality of the controller and allows access points that have joined the controller to enable
their radios.
Step 37
Click Next.
Step 38
When the following message is displayed, click OK:
Default Security applied to WLAN is: [WPA2(AES)][Auth(802.1x)]. You can change
this after the wizard is complete and the system is rebooted.
The RADIUS Server Configuration page is displayed.
Figure 11: Configuration Wizard-RADIUS Server Configuration Page
Step 39
In the Server IP Address field, enter the IP address of the RADIUS server.
Step 40
From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared secret.
Note
Due to security reasons, the RADIUS shared secret key reverts to ASCII mode even if you have selected
HEX as the shared secret format from the Shared Secret Format drop-down list.
Step 41
In the Shared Secret and Confirm Shared Secret boxes, enter the secret key used by the RADIUS server.
Step 42
In the Port Number field, enter the communication port of the RADIUS server. The default value is 1812.
Step 43
To enable the RADIUS server, choose Enabled from the Server Status drop-down list. To disable the RADIUS server,
leave this field set to Disabled.
Step 44
Click Apply. The 802.11 Configuration page is displayed.
Figure 12: Configuration Wizard—802.11 Configuration Page
Step 45
To enable the 802.11a, 802.11b, and 802.11g lightweight access point networks, leave the 802.11a Network Status,
802.11b Network Status, and 802.11g Network Status check boxes checked. To disable support for any of these
networks, uncheck the check boxes.
Step 46
To enable the controller’s radio resource management (RRM) auto-RF feature, leave the Auto RF check box selected.
To disable support for the auto-RF feature, uncheck this check box.
Note
The auto-RF feature enables the controller to automatically form an RF group with other controllers. The
group dynamically elects a leader to optimize RRM parameter settings, such as channel and transmit power
assignment, for the group.
Step 47
Click Next. The Set Time page is displayed.
Figure 13: Configuration Wizard — Set Time Screen
Step 48
To manually configure the system time on your controller, enter the current date in Month/DD/YYYY format and the
current time in HH:MM:SS format.
Step 49
To manually set the time zone so that Daylight Saving Time (DST) is not set automatically, enter the local hour difference
from Greenwich Mean Time (GMT) in the Delta Hours field and the local minute difference from GMT in the Delta
Mins field.
Note
When manually setting the time zone, enter the time difference of the local current time zone with respect to
GMT (+/–). For example, Pacific time in the United States is 8 hours behind GMT. Therefore, it is entered
as –8.
Step 50
Click Next. The Configuration Wizard Completed page is displayed.
Figure 14: Configuration Wizard—Configuration Wizard Completed Page
Step 51
Click Save and Reboot to save your configuration and reboot the controller.
Step 52
When the following message is displayed, click OK:
Configuration will be saved and the controller will be
rebooted. Click ok to confirm.
The controller saves your configuration, reboots, and prompts you to log on.
Configuring the Controller—Using the CLI Configuration Wizard
Before you begin
• The available options are displayed in brackets after each configuration parameter. The default value is
displayed in all uppercase letters.
• If you enter an incorrect response, an appropriate error message is displayed, such as Invalid
Response, and returns you to the wizard prompt.
• Press the hyphen key if you ever need to return to the previous command line.
Step 1
When prompted to terminate the AutoInstall process, enter yes. If you do not enter yes, the AutoInstall process begins
after 30 seconds.
Note
The AutoInstall feature downloads a configuration file from a TFTP server and then loads the configuration
onto the controller automatically. Because the controller takes that configuration from a server that the network
advertises to it, terminate AutoInstall unless you have deliberately staged a configuration on a TFTP server that
you control.
Step 2
Enter the system name, which is the name that you want to assign to the controller. You can enter up to 31 ASCII
characters.
Step 3
Enter the administrative username and password to be assigned to this controller. You can enter up to 24 ASCII characters
for each.
• The password must contain characters from at least three of the following classes:
• Lowercase letters
• Uppercase letters
• Digits
• Special characters
• No character in the password must be repeated more than three times consecutively.
• The new password must not be the same as the associated username and not be the username reversed.
• The password must not be cisco, ocsic, or any variant obtained by changing the capitalization of letters of the word
Cisco. In addition, you cannot substitute 1, I, or ! for i, 0 for o, or $ for s.
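The password rules above (the same list that the GUI wizard shows in Step 5) are easy to get wrong in a provisioning script. The following POSIX shell functions are an added example, not code from the Cisco guide: they implement each rule as the guide states it, so that a script can validate the administrative password before feeding it to the wizard. The function names, the return codes and the sample passwords in main() are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the Cisco guide: a pre-flight check that applies the
# configuration wizard's administrative-password rules so that a provisioning
# script rejects a bad password before the wizard does. The rules are the
# guide's; the function names, the return codes and the sample passwords in
# main() are constructed for this example.

# count_classes PASSWORD -> prints how many of the four character classes occur
count_classes() {
    n=0
    printf '%s' "$1" | grep -q '[[:lower:]]'    && n=$((n + 1))
    printf '%s' "$1" | grep -q '[[:upper:]]'    && n=$((n + 1))
    printf '%s' "$1" | grep -q '[[:digit:]]'    && n=$((n + 1))
    printf '%s' "$1" | grep -q '[^[:alnum:]]'   && n=$((n + 1))
    printf '%s' "$n"
}

# reverse STRING -> prints STRING reversed (awk rather than rev, which is not
# installed everywhere)
reverse() {
    printf '%s' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# normalize STRING -> lowercase, with the 1/I/! -> i, 0 -> o and $ -> s
# substitutions that the wizard forbids undone, so a disguised "cisco" is caught
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr '1!0$' 'iios'
}

# check_wlc_password USERNAME PASSWORD -> 0 if acceptable; otherwise a nonzero
# code identifying the first rule violated, with the reason on stderr
check_wlc_password() {
    user="$1"; pass="$2"
    if [ "${#pass}" -lt 1 ] || [ "${#pass}" -gt 24 ] ||
       printf '%s' "$pass" | LC_ALL=C grep -q '[^ -~]'; then
        echo "password must be 1 to 24 printable ASCII characters" >&2; return 1
    fi
    if [ "$(count_classes "$pass")" -lt 3 ]; then
        echo "password needs characters from at least three of: lower, upper, digit, special" >&2; return 2
    fi
    # BRE back-reference: the same character four times in a row
    if printf '%s' "$pass" | grep -q '\(.\)\1\1\1'; then
        echo "no character may be repeated more than three times consecutively" >&2; return 3
    fi
    if [ "$pass" = "$user" ] || [ "$pass" = "$(reverse "$user")" ]; then
        echo "password must not be the username or the username reversed" >&2; return 4
    fi
    case "$(normalize "$pass")" in
        cisco|ocsic) echo "password must not be cisco/ocsic or a disguised variant of it" >&2; return 5 ;;
    esac
    return 0
}

main() {
    # Constructed sample passwords: one acceptable, three that violate rules 2, 5 and 3.
    for p in 'Wlc-Adm1n' 'abcdefgh' 'C1$cO' 'Abc1111!'; do
        if check_wlc_password admin "$p" 2>/dev/null; then
            echo "accepted: $p"
        else
            echo "rejected (rule $?): $p"
        fi
    done
}

main "$@"
```

The class and repetition checks use POSIX character classes and a basic-regex back-reference, so the script behaves the same under GNU and BSD grep regardless of locale; the ASCII check is pinned to LC_ALL=C for the same reason.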
Step 4
If you want the controller’s service-port interface to obtain an IP address from a DHCP server, enter DHCP. If you do
not want to use the service port or if you want to assign a static IP address to the service port, enter none.
Note
The service-port interface controls communications through the service port. Its IP address must be on a
different subnet from the management interface. This configuration enables you to manage the controller
directly or through a dedicated management network to ensure service access during network downtime.
Step 5
If you entered none in Step 4, enter the IP address and netmask for the service-port interface on the next two lines.
Step 6
Enable or disable link aggregation (LAG) by choosing yes or NO.
Step 7
Enter the IP address of the management interface.
Note
The management interface is the default interface for in-band management of the controller and connectivity
to enterprise services such as AAA servers.
Step 8
Enter the IP address of the management interface netmask.
Step 9
Enter the IP address of the default router.
Step 10
Enter the VLAN identifier of the management interface (either a valid VLAN identifier or 0 for an untagged VLAN).
The VLAN identifier should be set to match the switch interface configuration.
Step 11
Enter the IP address of the default DHCP server that will supply IP addresses to clients, the management interface of
the controller, and optionally, the service port interface. Then enter the IP address of the AP-manager interface.
Note
The AP-manager prompt does not appear for Cisco 5508 WLCs because you are not required to configure an
AP-manager interface. The management interface acts like an AP-manager interface by default.
Step 12
Enter the IP address of the controller’s virtual interface. You should enter a fictitious, unassigned IP address.
Note
The virtual interface is used to support mobility management, DHCP relay, and embedded Layer 3 security
such as guest web authentication and VPN termination. All controllers within a mobility group must be
configured with the same virtual interface IP address.
Step 13
If desired, enter the name of the mobility group/RF group to which you want the controller to belong.
Note
Although the name that you enter here is assigned to both the mobility group and the RF group, these groups
are not identical. Both groups define clusters of controllers, but they have different purposes. All of the
controllers in an RF group are usually also in the same mobility group and vice versa. However, a mobility
group facilitates scalable, system-wide mobility and controller redundancy while an RF group facilitates
scalable, system-wide dynamic RF management.
Step 14
Enter the network name or service set identifier (SSID). The SSID enables basic functionality of the controller and
allows access points that have joined the controller to enable their radios.
Step 15
Enter YES to allow clients to assign their own IP address or no to require clients to request an IP address from a DHCP
server.
Step 16
To configure a RADIUS server now, enter YES and then enter the IP address, communication port, and secret key of
the RADIUS server. Otherwise, enter no. If you enter no, the following message is displayed: Warning! The
default WLAN security policy requires a RADIUS server. Please see the
documentation for more details.
Step 17
Enter the code for the country in which the controller will be used.
Note
Enter help to view the list of available country codes.
Note
You can enter more than one country code if you want to manage access points in multiple countries from a
single controller. To do so, separate the country codes with a comma (for example, US,CA,MX). After the
configuration wizard runs, you need to assign each access point joined to the controller to a specific country.
Step 18
Enable or disable the 802.11b, 802.11a, and 802.11g lightweight access point networks by entering YES or no.
Step 19
Enable or disable the controller’s radio resource management (RRM) auto-RF feature by entering YES or no.
Note
The auto-RF feature enables the controller to automatically form an RF group with other controllers. The
group dynamically elects a leader to optimize RRM parameter settings, such as channel and transmit power
assignment, for the group.
Step 20
If you want the controller to receive its time setting from an external Network Time Protocol (NTP) server when it
powers up, enter YES to configure an NTP server. Otherwise, enter no.
Note
The controller network module installed in a Cisco Integrated Services Router does not have a battery and
cannot save a time setting. Therefore, it must receive a time setting from an external NTP server when it
powers up.
Step 21
If you entered no in Step 20 and want to manually configure the system time on your controller now, enter YES. If you
do not want to configure the system time now, enter no.
Step 22
If you entered YES in Step 21, enter the current date in the MM/DD/YY format and the current time in the HH:MM:SS
format.
Step 23
When prompted to verify that the configuration is correct, enter yes or NO.
The controller saves your configuration when you enter yes, reboots, and prompts you to log on.
Using the Controller Interface
You can use the controller interface in either of two ways: through the web-based GUI or through the CLI, which
is described next.
Using the Controller CLI
A Cisco Wireless solution command-line interface (CLI) is built into each controller. The CLI enables you
to use a VT-100 terminal emulation program to locally or remotely configure, monitor, and control individual
controllers and their associated lightweight access points. The CLI is a simple text-based, tree-structured interface
that allows up to five users with Telnet-capable terminal emulation programs to access the controller.
Note
We recommend that you do not run two simultaneous CLI operations because this might result in incorrect
behavior or incorrect output of the CLI.
Note
For more information about specific commands, see the Cisco Wireless Controller Command Reference for
relevant releases at: https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/
products-command-reference-list.html
Logging on to the Controller CLI
You can access the controller CLI using either of the following methods:
• A direct serial connection to the controller console port
• A remote session over the network using Telnet or SSH through the preconfigured service port or the
distribution system ports
For more information about ports and console connection options on controllers, see the relevant controller
model's installation guide.
Using a Local Serial Connection
Before you begin
You need these items to connect to the serial port:
• A computer that is running a terminal emulation program such as PuTTY, SecureCRT, or similar
• A standard Cisco console serial cable with an RJ45 connector
To log on to the controller CLI through the serial port, follow these steps:
Step 1
Connect the console cable: connect one end of a standard Cisco console serial cable with an RJ45 connector to the controller’s
console port and the other end to your PC’s serial port.
Step 2
Configure the terminal emulator program with the default settings:
• 9600 baud
• 8 data bits
• 1 stop bit
• No parity
• No hardware flow control
Note
The controller serial port is set for a 9600 baud rate and a short timeout. If you would like to change either of
these values, run the config serial baudrate value and config serial timeout value to make your changes. If
you set the serial timeout value to 0, serial sessions never time out.
If you change the console speed to a value other than 9600, the controller still uses 9600 during boot and switches
to the configured speed only when the boot process completes. Therefore, we recommend that you do not change the
console speed, except as a temporary measure on an as-needed basis.
Step 3
Log on to the CLI—When prompted, enter a valid username and password to log on to the controller. The administrative
username and password that you created in the configuration wizard are case sensitive.
Note
The default username is admin, and the default password is admin.
The CLI displays the root level system prompt:
(Cisco Controller) >
Note
The system prompt can be any alphanumeric string up to 31 characters. You can change it by entering the
config prompt command.
Using a Remote Telnet or SSH Connection
Before you begin
You need these items to connect to a controller remotely:
• A PC with network connectivity to the management IP address, the service port address, or a dynamic interface
of the controller on which management has been enabled
• The IP address of the controller
• A VT-100 terminal emulation program or a DOS shell for a Telnet session, or an SSH client
Step 1
Note
By default, controllers block Telnet sessions. You must use a local connection to the serial port to enable
Telnet sessions. Telnet carries the administrative username and password in cleartext; use SSH for remote
administration and leave Telnet disabled unless you have no alternative.
Note
AES-CBC ciphers are not supported on the controller. The SSH client that you use to log in to the controller
must offer at least one cipher other than AES-CBC.
Verify that your VT-100 terminal emulation program, DOS shell interface, or SSH client is configured with these parameters:
• The controller IP address
• Port 23 for Telnet (port 22 for SSH)
Step 2
Use the controller IP address to open a Telnet or SSH session to the CLI.
Step 3
When prompted, enter a valid username and password to log in to the controller. The administrative username and password
that you created in the configuration wizard are case sensitive.
Note
The default username is admin, and the default password is admin.
The CLI shows the root level system prompt.
Note
The system prompt can be any alphanumeric string up to 31 characters. You can change it by entering the
config prompt command.
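After the wizard completes, the controller still carries the factory SNMP community strings and default SNMPv3 user that the Step 11 message in the GUI wizard warns about, and it accepts Telnet only if you enable it here. The following controller CLI session is an added example, not text from the Cisco guide, showing the first-login hardening a practitioner applies: remove the SNMP defaults, scope any remaining v2c community to the management station, replace the v3 user, and leave only SSH and HTTPS as management paths. The community name nms-ro-7kQx, the v3 user nms-v3, the station address 10.20.30.5 and the key placeholders are assumptions; the commands are written from memory of the 7.x CLI, so confirm each one against the Command Reference linked above before use.

```text
(Cisco Controller) >config snmp community delete public
(Cisco Controller) >config snmp community delete private
(Cisco Controller) >config snmp community create nms-ro-7kQx
(Cisco Controller) >config snmp community accessmode ro nms-ro-7kQx
(Cisco Controller) >config snmp community ipaddr 10.20.30.5 255.255.255.255 nms-ro-7kQx
(Cisco Controller) >config snmp community mode enable nms-ro-7kQx
(Cisco Controller) >config snmp v3user delete default
(Cisco Controller) >config snmp v3user create nms-v3 ro hmacsha aescfb128 <auth_key> <priv_key>
(Cisco Controller) >config snmp version v1 disable
(Cisco Controller) >config network telnet disable
(Cisco Controller) >config network ssh enable
(Cisco Controller) >config network webmode disable
(Cisco Controller) >config network secureweb enable
(Cisco Controller) >show snmpcommunity
(Cisco Controller) >show snmpv3user
(Cisco Controller) >save config
```

Run this from the serial console or an SSH session, never from the Telnet session you are about to disable. If no management station needs SNMPv2c at all, replace the four community lines with config snmp version v2c disable. Disabling webmode removes the HTTP GUI; secureweb keeps the HTTPS GUI, which is the one you want after loading a proper certificate (see Loading an Externally Generated SSL Certificate below).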
Logging Out of the CLI
When you finish using the CLI, navigate to the root level and enter the logout command. You are prompted
to save any changes that you made, which until then are held only in volatile RAM.
Note
The CLI automatically logs you out without saving any changes after 5 minutes of inactivity. You can set the
automatic logout from 0 (never log out) to 160 minutes using the config serial timeout command.
To prevent SSH or Telnet sessions from timing out, run the config sessions timeout 0 command. A timeout of 0
leaves an idle administrative session open indefinitely, so use it only on a physically secured console.
Navigating the CLI
• When you log into the CLI, you are at the root level. From the root level, you can enter any full command
without first navigating to the correct command level.
• If you enter a top-level keyword such as config, debug, and so on without arguments, you are taken to
the submode of that corresponding keyword.
• Ctrl + Z or entering exit returns the CLI prompt to the default or root level.
• When navigating to the CLI, enter ? to see additional options available for any given command at the
current level.
• You can also enter the space or tab key to complete the current keyword if unambiguous.
• Enter help at the root level to see available command line editing options.
The following table lists commands you use to navigate the CLI and to perform common tasks.
Table 2: Commands for CLI Navigation and Common Tasks
Command          Action
help             At the root level, view system-wide navigation commands
?                View commands available at the current level
command ?        View parameters for a specific command
exit             Move back one level (toward the root)
Ctrl + Z         Return from any level to the root level
save config      At the root level, save configuration changes from active working RAM to nonvolatile RAM
                 (NVRAM) so they are retained after reboot
reset system     At the root level, reset the controller without logging out
logout           Log out of the CLI
Information about Loading an Externally Generated SSL
Certificate
You can use a supported transfer method such as a TFTP server to download an externally generated SSL
certificate to the controller. Follow these guidelines for using TFTP:
• If you load the certificate through the service port, the TFTP server must be on the same subnet as the
controller because the service port is not routable, or you must create static routes on the controller. If
you load the certificate through the distribution system network port, the TFTP server can be on any
subnet.
• A third-party TFTP server cannot run on the same PC as Cisco Prime Infrastructure because the
Prime Infrastructure built-in TFTP server and the third-party TFTP server require the same communication
port.
• TFTP provides neither authentication nor encryption. The private key in the transferred file is protected only
by the password that you set with transfer download certpassword, so use a strong one, run the TFTP server on
an isolated management network, and delete the file from the server after the transfer.
Note
Chained certificates are supported for web authentication and management
certificate.
CSR compliance with RFC-5280
With all parameters in the CSR aligned with RFC-5280, the following restrictions apply:
• The emailAddress in the CSR can be at most 128 characters long.
• If the CSR is generated using the CLI, the maximum number of characters (of all input combined for the
CSR) is limited to 500, including config certificate generate csr-*****.
Related Documentation
Generate CSR for Third-Party Certificates and Download Chained Certificates to the
WLC—https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/
109597-csr-chained-certificates-wlc-00.html
Loading an Externally Generated SSL Certificate
This section describes how to load an externally generated SSL certificate.
Loading an SSL Certificate (GUI)
Step 1
Choose Security > Web Auth > Certificate.
Step 2
On the Web Authentication Certificate page, check the Download SSL Certificate check box.
Note
On the controller GUI, only TFTP transfer mode is used. You can use other methods such as FTP, and so on,
on the controller CLI.
Step 3
In the Server IP Address field, enter the IP address of the TFTP server.
Step 4
In the Maximum Retries field, enter the maximum number of times that the TFTP server attempts to download the
certificate.
Step 5
In the Timeout field, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate.
Step 6
In the Certificate File Path field, enter the directory path of the certificate.
Step 7
In the Certificate File Name field, enter the name of the certificate (webadmincert_name.pem).
Step 8
(Optional) In the Certificate Password field, enter the password that protects the private key in the PEM file, so that
the controller can decrypt the key after the download.
Step 9
Save the configuration.
Step 10
Choose Commands > Reboot > Reboot > Save and Reboot to reboot the controller for your changes to take effect.
Loading an SSL Certificate (CLI)
The procedure described in this section is the same for webauthcert and webadmincert installation; the only
difference is the datatype that you specify in the transfer download datatype command.
Step 1
Use a password to encrypt the private key in the PEM-encoded file that holds the HTTPS certificate and key. The
PEM-encoded file is called a web administration certificate file (webadmincert_name.pem).
Step 2
Move the webadmincert_name.pem file to the default directory on your TFTP server.
Step 3
To view the current download settings, enter this command and answer n to the prompt:
transfer download start
Information similar to the following appears:
Mode............................................. TFTP
Data Type........................................ Admin Cert
TFTP Server IP................................... xxx.xxx.xxx.xxx
TFTP Path........................................ <directory path>
TFTP Filename....................................
Are you sure you want to start? (y/n) n
Transfer Canceled
Step 4
Use these commands to change the download settings:
transfer download mode tftp
transfer download datatype webadmincert
transfer download serverip TFTP_server IP_address
transfer download path absolute_TFTP_server_path_to_the_update_file
transfer download filename webadmincert_name.pem
Step 5
To set the password for the .PEM file so that the operating system can decrypt the web administration SSL key and
certificate, enter this command:
transfer download certpassword private_key_password
Step 6
To confirm the current download settings and start the certificate and key download, enter this command and answer y
to the prompt:
transfer download start
Information similar to the following appears:
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... xxx.xxx.xxx.xxx
TFTP Path........................................ directory path
TFTP Filename.................................... webadmincert_name
Are you sure you want to start? (y/n) y
TFTP Webadmin cert transfer starting.
Certificate installed.
Please restart the switch (reset system) to use the new certificate.
Step 7
To save the SSL certificate, key, and secure web password to NVRAM so that your changes are retained across reboots,
enter this command:
save config
Step 8
To reboot the controller, enter this command:
reset system
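Steps 1 and 2 above assume that you already have the password-protected, chained PEM file; the following shell script is an added example, not part of the Cisco guide, that produces such a file with the openssl command-line tool and checks it before you place it on the TFTP server for Steps 3 to 8. It is constructed for an offline demonstration: a self-signed Example Root CA stands in for your real issuing CA, and the hostname wlc.example.com, the subject fields, the file names and the passphrase are placeholders. The PKCS#12 round trip is what leaves the private key encrypted under the passphrase that you later give to transfer download certpassword.

```sh
#!/bin/sh
# Added example, not from the Cisco guide: build the password-protected, chained
# PEM that Steps 1 and 2 require and that "transfer download datatype
# webadmincert" then fetches from the TFTP server. Constructed for an offline
# demo: a self-signed "Example Root CA" stands in for the real issuing CA, and
# the hostname, subject fields, file names and passphrase are placeholders,
# not values from the guide. Requires the openssl command-line tool.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_webadmin_pem CN PASSPHRASE -> prints the path of the finished PEM
make_webadmin_pem() {
    cn="$1"    # subject CN for the controller, e.g. its management FQDN
    pass="$2"  # passphrase later given to "transfer download certpassword"

    # 1. Controller private key (unencrypted at this point) and the CSR that
    #    goes to the CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/wlckey.pem" -out "$WORK/wlc.csr" \
        -subj "/C=US/ST=CA/L=San Jose/O=Example/CN=$cn" 2>/dev/null

    # 2. Stand-in CA signs the CSR. In practice the CA does this and returns
    #    the device certificate together with its intermediate/root chain.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/C=US/O=Example/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/wlc.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/wlccert.pem" 2>/dev/null

    # 3. Order matters for the controller: device certificate first, then the
    #    issuing chain (intermediate before root when there is one).
    cat "$WORK/wlccert.pem" "$WORK/ca.pem" > "$WORK/all-certs.pem"

    # 4. Round-trip through PKCS#12 so the resulting PEM holds the chain plus
    #    the private key encrypted under $pass. TFTP has no confidentiality,
    #    so this passphrase is the only protection the key has in transit.
    openssl pkcs12 -export -in "$WORK/all-certs.pem" -inkey "$WORK/wlckey.pem" \
        -out "$WORK/all-certs.p12" -passin "pass:$pass" -passout "pass:$pass"
    openssl pkcs12 -in "$WORK/all-certs.p12" -out "$WORK/final.pem" \
        -passin "pass:$pass" -passout "pass:$pass"
    printf '%s\n' "$WORK/final.pem"
}

# verify_webadmin_pem PEM PASSPHRASE -> 0 when the file is fit to upload,
# otherwise 1 (key not encrypted), 2 (chain incomplete), 3 (wrong passphrase),
# 4 (key does not belong to the device certificate)
verify_webadmin_pem() {
    pem="$1"; pass="$2"
    # The key block must be encrypted; a cleartext key would sit unprotected
    # on the TFTP server and make the certpassword step meaningless.
    grep -q 'ENCRYPTED' "$pem" || return 1
    # Device certificate and CA certificate must both be present.
    [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -eq 2 ] || return 2
    # The key must decrypt with the passphrase and belong to the device cert.
    kmod=$(openssl rsa -in "$pem" -passin "pass:$pass" -noout -modulus 2>/dev/null) || return 3
    cmod=$(openssl x509 -in "$WORK/wlccert.pem" -noout -modulus)
    [ "$kmod" = "$cmod" ] || return 4
    return 0
}

main() {
    pem=$(make_webadmin_pem wlc.example.com 'Str0ng-certpassw0rd')
    verify_webadmin_pem "$pem" 'Str0ng-certpassw0rd' && echo "ready for TFTP: $pem"
}

main "$@"
```

Going one step beyond the single-CA case in the text: when your CA hands back an intermediate certificate, concatenate it between the device certificate and the root in all-certs.pem, in that order. The OpenSSL release on your workstation decides which cipher protects the key in final.pem; if a file produced by OpenSSL 3 is refused by the controller, re-run both pkcs12 commands with the -legacy option that OpenSSL 3 provides to get the older key encryption (an assumption to check against your controller's release notes, not a statement from this guide).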
Using the Controller CLI
A Cisco UWN solution command-line interface (CLI) is built into each controller. The CLI enables you to
use a VT-100 terminal emulation program to locally or remotely configure, monitor, and control individual
controllers and their associated lightweight access points. The CLI is a simple text-based, tree-structured interface
that allows up to five users with Telnet-capable terminal emulation programs to access the controller.
Note
For more information about specific commands, see the Cisco Wireless Controller Command Reference for
relevant releases at:
https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-command-reference-list.html
Logging on to the Controller CLI
You can access the controller CLI using either of the following methods:
• A direct serial connection to the controller console port
• A remote session over the network using Telnet or SSH through the preconfigured service port or the
distribution system ports
For more information about ports and console connection options on controllers, see the relevant controller
model's installation guide.
Using a Serial or USB Console Connection on Cisco WLC
On Cisco 5508 WLCs, you can use either the RJ-45 console port or the USB console port. If you use the USB
console port, plug the 5-pin mini Type B connector into the controller’s USB console port and the other end
of the cable into the PC’s USB Type A port. The first time that you connect a Windows PC to the USB console
port, you are prompted to install the USB console driver. Follow the installation prompts to install the driver.
The USB console driver maps to a COM port on your PC; you then need to map the terminal emulator
application to the COM port.
See the Telnet and Secure Shell Sessions section for information on enabling Telnet sessions.
Using a Local Serial Connection
Before you begin
You need these items to connect to the serial port:
• A computer that is running a terminal emulation program such as PuTTY, SecureCRT, or similar
• A standard Cisco console serial cable with an RJ45 connector
To log on to the controller CLI through the serial port, follow these steps:
Step 1
Connect console cable; connect one end of a standard Cisco console serial cable with an RJ45 connector to the controller’s
console port and the other end to your PC’s serial port.
Step 2
Configure terminal emulator program with default settings:
• 9600 baud
• 8 data bits
• 1 stop bit
• No parity
• No hardware flow control
Note
The controller serial port is set for a 9600 baud rate and a short timeout. If you want to change either of
these values, run the config serial baudrate value and config serial timeout value commands. If
you set the serial timeout value to 0, serial sessions never time out.
If you change the console speed to a value other than 9600, the console speed used by the controller will be 9600
during boot and will change only after the boot process completes. Therefore, we recommend that you do
not change the console speed, except as a temporary measure on an as-needed basis.
Step 3
Log on to the CLI—When prompted, enter a valid username and password to log on to the controller. The administrative
username and password that you created in the configuration wizard are case sensitive.
Note
The default username is admin, and the default password is admin.
The CLI displays the root level system prompt:
(Cisco Controller) >
Note
The system prompt can be any alphanumeric string up to 31 characters. You can change it by entering the
config prompt command.
Using a Remote Telnet or SSH Connection
Before you begin
You need these items to connect to a controller remotely:
• A PC with network connectivity to the management IP address, the service port address, or, if
management is enabled on a dynamic interface of the controller in question, that dynamic interface address
• The IP address of the controller
• A VT-100 terminal emulation program or a DOS shell for the Telnet session
Step 1
Note
By default, controllers block Telnet sessions. You must use a local connection to the serial port to enable
Telnet sessions.
Note
AES-CBC ciphers are not supported on the controller. The SSH client that is used to log in to the controller
must support at least one non-AES-CBC cipher.
Verify that your VT-100 terminal emulation program or DOS shell interface is configured with these parameters:
• Ethernet address
• Port 23
Step 2
Use the controller IP address to Telnet to the CLI.
Step 3
When prompted, enter a valid username and password to log into the controller. The administrative username and password
that you created in the configuration wizard are case sensitive.
Note
The default username is admin, and the default password is admin.
The CLI shows the root level system prompt.
Note
The system prompt can be any alphanumeric string up to 31 characters. You can change it by entering the
config prompt command.
Logging Out of the CLI
When you finish using the CLI, navigate to the root level and enter the logout command. You are prompted
to save any changes that you made to the volatile RAM.
Note
The CLI automatically logs you out without saving any changes after 5 minutes of inactivity. You can set the
automatic logout from 0 (never log out) to 160 minutes using the config serial timeout command.
To prevent SSH or Telnet sessions from timing out, run the config sessions timeout 0 command.
Navigating the CLI
• When you log into the CLI, you are at the root level. From the root level, you can enter any full command
without first navigating to the correct command level.
• If you enter a top-level keyword such as config, debug, and so on without arguments, you are taken to
the submode of that corresponding keyword.
• Ctrl + Z or entering exit returns the CLI prompt to the default or root level.
• At any level of the CLI, enter ? to see the additional options available for any given command at the
current level.
• You can also press the space bar or the Tab key to complete the current keyword if it is unambiguous.
• Enter help at the root level to see available command line editing options.
The following table lists commands you use to navigate the CLI and to perform common tasks.
Table 3: Commands for CLI Navigation and Common Tasks

Command         Action
help            At the root level, view system-wide navigation commands
?               View commands available at the current level
command ?       View parameters for a specific command
exit            Move down one level
Ctrl + Z        Return from any level to the root level
save config     At the root level, save configuration changes from active working RAM to nonvolatile RAM (NVRAM) so they are retained after reboot
reset system    At the root level, reset the controller without logging out
logout          Logs you out of the CLI
Using the AutoInstall Feature for Controllers Without a Configuration
When you boot up a controller that does not have a configuration, the AutoInstall feature can download a
configuration file from a TFTP server and then load the configuration onto the controller automatically.
If you create a configuration file on a controller that is already on the network (or through a Prime Infrastructure
filter), place that configuration file on a TFTP server, and configure a DHCP server so that a new controller
can get an IP address and TFTP server information, the AutoInstall feature can obtain the configuration file
for the new controller automatically.
When the controller boots, the AutoInstall process starts. The controller does not take any action until
AutoInstall is notified that the configuration wizard has started. If the wizard has not started, the controller
has a valid configuration.
If AutoInstall is notified that the configuration wizard has started (which means that the controller does not
have a configuration), AutoInstall waits for an additional 30 seconds. This time period gives you an opportunity
to respond to the first prompt from the configuration wizard:
Would you like to terminate autoinstall? [yes]:
When the 30-second terminate timeout expires, AutoInstall starts the DHCP client. You can terminate the
AutoInstall task even after this 30-second timeout if you enter Yes at the prompt. However, AutoInstall cannot
be terminated if the TFTP task has locked the flash and is in the process of downloading and installing a valid
configuration file.
Note
The AutoInstall process and manual configuration using both the GUI and CLI of controller can occur in
parallel. As part of the AutoInstall cleanup process, the service port IP address is set to 192.168.1.1 and the
service port protocol configuration is modified. Because the AutoInstall process takes precedence over the
manual configuration, whatever manual configuration is performed is overwritten by the AutoInstall process.
Obtaining an IP Address Through DHCP and Downloading a Configuration File from a TFTP Server
AutoInstall attempts to obtain an IP address from the DHCP server until the DHCP process is successful or
until you terminate the AutoInstall process. The first interface to successfully obtain an IP address from the
DHCP server registers with the AutoInstall task. The registration of this interface causes AutoInstall to begin
the process of obtaining TFTP server information and downloading the configuration file.
Following the acquisition of the DHCP IP address for an interface, AutoInstall begins a short sequence of
events to determine the host name of the controller and the IP address of the TFTP server. Each phase of this
sequence gives preference to explicitly configured information over default or implied information and to
explicit host names over explicit IP addresses.
The process is as follows:
• If at least one Domain Name System (DNS) server IP address is learned through DHCP, AutoInstall
creates a /etc/resolv.conf file. This file includes the domain name and the list of DNS servers that have
been received. The Domain Name Server option provides the list of DNS servers, and the Domain Name
option provides the domain name.
• If the domain servers are not on the same subnet as the controller, static route entries are installed for
each domain server. These static routes point to the gateway that is learned through the DHCP Router
option.
• The host name of the controller is determined, in this order, by one of the following:
    • If the DHCP Host Name option was received, this information (truncated at the first period [.]) is
    used as the host name for the controller.
    • A reverse DNS lookup is performed on the controller IP address. If DNS returns a host name, this
    name (truncated at the first period [.]) is used as the host name for the controller.
• The IP address of the TFTP server is determined, in this order, by one of the following:
    • If AutoInstall received the DHCP TFTP Server Name option, AutoInstall performs a DNS lookup
    on this server name. If the DNS lookup is successful, the returned IP address is used as the IP address
    of the TFTP server.
    • If the DHCP Server Host Name (sname) field is valid, AutoInstall performs a DNS lookup on
    this name. If the DNS lookup is successful, the IP address that is returned is used as the IP address
    of the TFTP server.
    • If AutoInstall received the DHCP TFTP Server Address option, this address is used as the IP address
    of the TFTP server.
    • AutoInstall performs a DNS lookup on the default TFTP server name (cisco-wlc-tftp). If the DNS
    lookup is successful, the IP address that is received is used as the IP address of the TFTP server.
    • If the DHCP server IP address (siaddr) field is nonzero, this address is used as the IP address of
    the TFTP server.
    • The limited broadcast address (255.255.255.255) is used as the IP address of the TFTP server.
• If the TFTP server is not on the same subnet as the controller, a static route (/32) is installed for the IP
address of the TFTP server. This static route points to the gateway that is learned through the DHCP
Router option.
Selecting a Configuration File
After the hostname and TFTP server have been determined, AutoInstall attempts to download a configuration
file. AutoInstall performs three full download iterations on each interface that obtains a DHCP IP address. If
the interface cannot download a configuration file successfully after three attempts, the interface does not
attempt further.
The first configuration file that is downloaded and installed successfully triggers a reboot of the controller.
After the reboot, the controller runs the newly downloaded configuration.
AutoInstall searches for configuration files in the order in which the names are listed:
• The filename that is provided by the DHCP Boot File Name option
• The filename that is provided by the DHCP File text box
• host name-confg
• host name.cfg
• base MAC address-confg (for example, 0011.2233.4455-confg)
• serial number-confg
• ciscowlc-confg
• ciscowlc.cfg
AutoInstall runs through this list until it finds a configuration file. It stops running if it does not find a
configuration file after it cycles through this list three times on each registered interface.
Note
• The downloaded configuration file can be a complete configuration, or it can be a minimal configuration
that provides enough information for the controller to be managed by the Cisco Prime Infrastructure.
Full configuration can then be deployed directly from the Prime Infrastructure.
• AutoInstall does not expect the switch connected to the controller to be configured for either channels.
AutoInstall works with a service port in LAG configuration.
• Cisco Prime Infrastructure provides AutoInstall capabilities for controllers. A Cisco Prime Infrastructure
administrator can create a filter that includes the host name, the MAC address, or the serial number of
the controller and associate a group of templates (a configuration group) to this filter rule. The Prime
Infrastructure pushes the initial configuration to the controller when the controller boots up initially.
After the controller is discovered, the Prime Infrastructure pushes the templates that are defined in the
configuration group. For more information about the AutoInstall feature and Cisco Prime Infrastructure,
see the Cisco Prime Infrastructure documentation.
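The host-name and TFTP-server precedence rules above, the configuration file search list and the three-iteration download loop are easier to check against a real DHCP scope when written out as code. The following Python model is an added example, not Cisco's code: the DhcpLease field names, the resolver callbacks and the serial-number placeholder are assumptions, and the sample lease is constructed to mirror the service-port part of the AutoInstall log shown in the next section. Each selector returns the source of the value it chose, so an operator can confirm that the server and file came from an intentionally configured DHCP option rather than a fallback.

```python
"""Model of the AutoInstall selection order: controller host name, TFTP server
address, configuration file search list and the three-iteration download loop.
Added illustration, not Cisco code; lease field names, resolver callbacks and
the serial-number placeholder are assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DEFAULT_TFTP_NAME = "cisco-wlc-tftp"       # default TFTP server name from the text
LIMITED_BROADCAST = "255.255.255.255"      # last-resort TFTP server address
Resolver = Callable[[str], Optional[str]]  # DNS name -> IP address, None on failure


@dataclass
class DhcpLease:
    """DHCP data AutoInstall inspects on one interface (field names are ours)."""
    yiaddr: str                                # address leased to the interface
    host_name: Optional[str] = None            # DHCP Host Name option
    tftp_server_name: Optional[str] = None     # DHCP TFTP Server Name option
    sname: Optional[str] = None                # DHCP header server host name field
    tftp_server_address: Optional[str] = None  # DHCP TFTP Server Address option (150)
    siaddr: str = "0.0.0.0"                    # DHCP header server IP address field
    boot_file: Optional[str] = None            # DHCP Boot File Name option
    file: Optional[str] = None                 # DHCP header file field


def first_label(name: str) -> str:
    """Truncate a name at the first period, as AutoInstall does for host names."""
    return name.split(".", 1)[0]


def select_hostname(lease: DhcpLease, reverse_dns: Resolver) -> Tuple[Optional[str], str]:
    """Explicit DHCP host name first, then a reverse lookup on the leased address."""
    if lease.host_name:
        return first_label(lease.host_name), "DHCP Host Name option"
    name = reverse_dns(lease.yiaddr)
    if name:
        return first_label(name), "reverse DNS"
    return None, "not determined"


def select_tftp_server(lease: DhcpLease, dns: Resolver) -> Tuple[str, str]:
    """Explicit names before explicit addresses, explicit data before the default name."""
    if lease.tftp_server_name:
        ip = dns(lease.tftp_server_name)
        if ip:
            return ip, "DHCP TFTP Server Name option"
    if lease.sname:
        ip = dns(lease.sname)
        if ip:
            return ip, "DHCP sname"
    if lease.tftp_server_address:
        return lease.tftp_server_address, "DHCP TFTP Server Address option"
    ip = dns(DEFAULT_TFTP_NAME)
    if ip:
        return ip, "default name " + DEFAULT_TFTP_NAME
    if lease.siaddr != "0.0.0.0":
        return lease.siaddr, "DHCP siaddr"
    return LIMITED_BROADCAST, "limited broadcast"


def config_file_candidates(lease: DhcpLease, hostname: Optional[str],
                           base_mac: str, serial: str) -> List[str]:
    """Search list in the order given under 'Selecting a Configuration File'."""
    names = []
    if lease.boot_file:
        names.append(lease.boot_file)
    if lease.file:
        names.append(lease.file)
    if hostname:
        names += [hostname + "-confg", hostname + ".cfg"]
    names += [base_mac + "-confg", serial + "-confg", "ciscowlc-confg", "ciscowlc.cfg"]
    return names


def run_autoinstall(candidates: List[str], fetch: Callable[[str], bool],
                    iterations: int = 3) -> Tuple[Optional[str], int]:
    """Cycle the list up to `iterations` times; first success wins. Returns (name, attempts)."""
    attempts = 0
    for _ in range(iterations):
        for name in candidates:
            attempts += 1
            if fetch(name):
                return name, attempts
    return None, attempts


# Constructed sample mirroring the service-port log: boot file 'abcd-confg',
# Option 150 server 1.100.108.2, reverse DNS of the leased address -> wlc-1.
SAMPLE_LEASE = DhcpLease(yiaddr="172.19.29.253", boot_file="abcd-confg",
                         tftp_server_address="1.100.108.2", siaddr="1.100.108.2")
SAMPLE_REVERSE_DNS = {"172.19.29.253": "wlc-1.engtest.com"}.get
SAMPLE_DNS = {}.get                   # no forward records, so the default-name lookup fails
SAMPLE_TFTP_FILES = {"wlc-1-confg"}   # only the host-name file exists on the TFTP server


def demo():
    hostname, host_src = select_hostname(SAMPLE_LEASE, SAMPLE_REVERSE_DNS)
    server, server_src = select_tftp_server(SAMPLE_LEASE, SAMPLE_DNS)
    names = config_file_candidates(SAMPLE_LEASE, hostname, "0011.2233.4455", "SERIAL-PLACEHOLDER")
    chosen, attempts = run_autoinstall(names, lambda name: name in SAMPLE_TFTP_FILES)
    return {"hostname": hostname, "hostname_source": host_src, "tftp_server": server,
            "tftp_source": server_src, "candidates": names, "chosen": chosen,
            "attempts": attempts}
```

Running demo() reproduces the log: the boot-file name is tried first and fails, then wlc-1-confg (host name truncated at the first period) succeeds on the second attempt.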
Example: AutoInstall Operation
The following is an example of an AutoInstall process from start to finish:
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
Would you like to terminate autoinstall? [yes]:
AUTO-INSTALL: starting now...
AUTO-INSTALL: interface 'service-port' - setting DHCP TFTP Filename ==> 'abcd-confg'
AUTO-INSTALL: interface 'service-port' - setting DHCP TFTP Server IP ==> 1.100.108.2
AUTO-INSTALL: interface 'service-port' - setting DHCP siaddr ==> 1.100.108.2
AUTO-INSTALL: interface 'service-port' - setting DHCP Domain Server[0] ==> 1.100.108.2
AUTO-INSTALL: interface 'service-port' - setting DHCP Domain Name ==> 'engtest.com'
AUTO-INSTALL: interface 'service-port' - setting DHCP yiaddr ==> 172.19.29.253
AUTO-INSTALL: interface 'service-port' - setting DHCP Netmask ==> 255.255.255.0
AUTO-INSTALL: interface 'service-port' - setting DHCP Gateway ==> 172.19.29.1
AUTO-INSTALL: interface 'service-port' registered
AUTO-INSTALL: interation 1 -- interface 'service-port'
AUTO-INSTALL: DNS reverse lookup 172.19.29.253 ===> 'wlc-1'
AUTO-INSTALL: hostname 'wlc-1'
AUTO-INSTALL: TFTP server 1.100.108.2 (from DHCP Option 150)
AUTO-INSTALL: attempting download of 'abcd-confg'
AUTO-INSTALL: TFTP status - 'TFTP Config transfer starting.' (2)
AUTO-INSTALL: interface 'management' - setting DHCP file ==> 'bootfile1'
AUTO-INSTALL: interface 'management' - setting DHCP TFTP Filename ==> 'bootfile2-confg'
AUTO-INSTALL: interface 'management' - setting DHCP siaddr ==> 1.100.108.2
AUTO-INSTALL: interface 'management' - setting DHCP Domain Server[0] ==> 1.100.108.2
AUTO-INSTALL: interface 'management' - setting DHCP Domain Server[1] ==> 1.100.108.3
AUTO-INSTALL: interface 'management' - setting DHCP Domain Server[2] ==> 1.100.108.4
AUTO-INSTALL: interface 'management' - setting DHCP Domain Name ==> 'engtest.com'
AUTO-INSTALL: interface 'management' - setting DHCP yiaddr ==> 1.100.108.238
AUTO-INSTALL: interface 'management' - setting DHCP Netmask ==> 255.255.254.0
AUTO-INSTALL: interface 'management' - setting DHCP Gateway ==> 1.100.108.1
AUTO-INSTALL: interface 'management' registered
AUTO-INSTALL: TFTP status - 'Config file transfer failed - Error from server: File not found' (3)
AUTO-INSTALL: attempting download of 'wlc-1-confg'
AUTO-INSTALL: TFTP status - 'TFTP Config transfer starting.' (2)
AUTO-INSTALL: TFTP status - 'TFTP receive complete... updating configuration.' (2)
AUTO-INSTALL: TFTP status - 'TFTP receive complete... storing in flash.' (2)
AUTO-INSTALL: TFTP status - 'System being reset.' (2)
Resetting system
Managing the Controller System Date and Time
You can configure the controller system date and time at the time of configuring the controller using the
configuration wizard. If you did not configure the system date and time through the configuration wizard or
if you want to change your configuration, you can follow the instructions in this section to configure the
controller to obtain the date and time from a Network Time Protocol (NTP) server or to configure the date
and time manually. Greenwich Mean Time (GMT) is used as the standard for setting the time zone on the
controller.
You can also configure an authentication mechanism between various NTP servers.
Restrictions on Configuring the Controller Date and Time
• If you are configuring wIPS, you must set the controller time zone to UTC.
• Cisco Aironet lightweight access points might not connect to the controller if the date and time are not
set properly. Set the current date and time on the controller before allowing the access points to connect
to it.
• You can configure an authentication channel between the controller and the NTP server.
Configuring the NTP/SNTP Server to Obtain the Date and Time (CLI)
Use these commands to configure an NTP/SNTP server to obtain the date and time:
Procedure
• To specify the NTP/SNTP server for the controller, enter this command:
config time ntp server index ip-address
• (Optional) To specify the polling interval (in seconds), enter this command:
config time ntp interval
• To enable or disable NTP/SNTP server authentication, enter these commands:
• config time ntp auth enable server-index key-index—Enables NTP/SNTP authentication on a given
NTP/SNTP server.
• config time ntp key-auth add key-index md5 {ascii | hex} key—Adds an authentication key. By
default MD5 is used. The key format can be ASCII or hexadecimal.
• config time ntp key-auth delete key-index—Deletes authentication keys.
• config time ntp auth disable server-index—Disables NTP/SNTP authentication.
• show ntp-keys—Displays the NTP/SNTP authentication related parameters.
• To delete an NTP server IP address or DNS server from the controller, enter this command:
config time ntp delete NTP_server index
Configuring NTP/SNTP Authentication (GUI)
Step 1
Choose Controller > NTP > Servers to open the NTP Servers page.
Step 2
Click New to add an NTP server.
Step 3
Choose a server priority from the Server Index (Priority) drop-down list.
Step 4
Enter the NTP server IPv4/IPv6 address in the Server IP Address (IPv4/IPv6) text box.
Step 5
Enable NTP server authentication by checking the NTP Server Authentication check box.
Step 6
Click Apply.
Step 7
Choose Controller > NTP > Keys.
Step 8
Click New to create a key.
Step 9
Enter the key index in the Key Index text box.
Step 10
Choose the key format from the Key Format drop-down list.
Step 11
Enter the key in the Key text box.
Step 12
Click Apply.
Configuring NTP/SNTP Authentication (CLI)
Note
By default, MD5 is used.
• config time ntp auth enable server-index key-index
• config time ntp auth disable server-index
• config time ntp key-auth add key-index md5 key-format key
• Delete an authentication key by entering this command:
config time ntp key-auth delete key-index
• View the list of NTP/SNTP key indices by entering this command:
show ntp-keys
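The key-auth commands in this procedure and in "Configuring the NTP/SNTP Server to Obtain the Date and Time (CLI)" configure NTP symmetric-key authentication with MD5 keys entered in ascii or hex format. The following Python model is an added example, not Cisco's code: it assumes the standard RFC 5905 MAC layout (a 4-byte key identifier followed by MD5 over key || packet), uses a constructed NTP packet and a constructed key, and shows why the two key formats are interchangeable and what distinguishes an AUTH SUCCESS from a failed check.

```python
"""Model of the NTP symmetric-key (MD5) authentication configured with
'config time ntp key-auth add <key-index> md5 {ascii | hex} <key>'.
Added illustration, not Cisco code: MAC layout per RFC 5905 (assumed to be what
the controller verifies); the packet and key below are constructed samples."""
import hashlib
import hmac
import struct
from typing import Dict

NTP_HEADER_LEN = 48   # fixed NTPv4 header length
MD5_MAC_LEN = 4 + 16  # key identifier + MD5 digest


def parse_key(key_format: str, key: str) -> bytes:
    """Convert the CLI key argument to raw key bytes.
    An 'ascii' key is used as typed; a 'hex' key is decoded pairwise, so the same
    key bytes can be entered in either format (hex also allows non-printable bytes)."""
    if key_format == "ascii":
        return key.encode("ascii")
    if key_format == "hex":
        return bytes.fromhex(key)
    raise ValueError("key format must be 'ascii' or 'hex', got %r" % key_format)


def ntp_md5_mac(key_index: int, key: bytes, packet: bytes) -> bytes:
    """RFC 5905 MD5 MAC appended to an NTP packet: key ID, then MD5(key || packet)."""
    return struct.pack("!I", key_index) + hashlib.md5(key + packet).digest()


def authenticate(keys: Dict[int, bytes], message: bytes) -> str:
    """Check an authenticated NTP message against the configured key table; the
    result strings are modelled on the 'NTP Msg Auth Status' column of show time."""
    if len(message) != NTP_HEADER_LEN + MD5_MAC_LEN:
        return "AUTH FAILURE: no MD5 MAC present"
    packet, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_index = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_index)
    if key is None:
        return "AUTH FAILURE: unknown key index %d" % key_index
    expected = ntp_md5_mac(key_index, key, packet)
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return "AUTH FAILURE: MAC mismatch"
    return "AUTH SUCCESS"


def build_sample_packet() -> bytes:
    """Constructed NTPv4 server reply (LI=0, VN=4, mode=4, stratum 2); timestamps
    are zero because only the framing matters for the MAC calculation."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    head = struct.pack("!BBBb", li_vn_mode, 2, 6, -20)   # stratum, poll, precision
    root = struct.pack("!II", 0, 0)                      # root delay, root dispersion
    ref_id = b"GPS\x00"                                  # reference identifier
    stamps = struct.pack("!QQQQ", 0, 0, 0, 0)            # ref, origin, receive, transmit
    return head + root + ref_id + stamps


# Constructed key table: key index 1 as it would be entered in ascii format,
# and the hex string that configures the identical key bytes.
KEY_TABLE = {1: parse_key("ascii", "ciscontpkey")}
HEX_FORM_OF_KEY_1 = "636973636f6e74706b6579"


def demo() -> dict:
    packet = build_sample_packet()
    good = packet + ntp_md5_mac(1, KEY_TABLE[1], packet)
    tampered = good[:40] + bytes([good[40] ^ 0x01]) + good[41:]  # flip a bit in transmit timestamp
    wrong_index = packet + ntp_md5_mac(2, KEY_TABLE[1], packet)  # key index 2 is not configured
    return {
        "hex_equals_ascii": parse_key("hex", HEX_FORM_OF_KEY_1) == KEY_TABLE[1],
        "good": authenticate(KEY_TABLE, good),
        "tampered": authenticate(KEY_TABLE, tampered),
        "wrong_key_index": authenticate(KEY_TABLE, wrong_index),
        "unauthenticated": authenticate(KEY_TABLE, packet),
    }
```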
Configuring the Date and Time (GUI)
Step 1
Choose Commands > Set Time to open the Set Time page.
Figure 15: Set Time Page
The current date and time appear at the top of the page.
Step 2
In the Timezone area, choose your local time zone from the Location drop-down list.
Note
When you choose a time zone that uses Daylight Saving Time (DST), the controller automatically sets its
system clock to reflect the time change when DST occurs. In the United States, DST starts on the second Sunday
in March and ends on the first Sunday in November.
Note
You cannot set the time zone delta on the controller GUI. However, if you do so on the controller CLI, the
change is reflected in the Delta Hours and Mins boxes on the controller GUI.
Step 3
Click Set Timezone to apply your changes.
Step 4
In the Date area, choose the current local month and day from the Month and Day drop-down lists, and enter the year
in the Year box.
Step 5
In the Time area, choose the current local hour from the Hour drop-down list, and enter the minutes and seconds in the
Minutes and Seconds boxes.
Note
If you change the time zone location after setting the date and time, the values in the Time area are updated to
reflect the time in the new time zone location. For example, if the controller is currently configured for noon
Eastern time and you change the time zone to Pacific time, the time automatically changes to 9:00 a.m.
Step 6
Click Set Date and Time to apply your changes.
Step 7
Click Save Configuration.
Configuring the Date and Time (CLI)
Step 1
Configure the current local date and time in GMT on the controller by entering this command:
config time manual mm/dd/yy hh:mm:ss
Note
When setting the time, the current local time is entered in terms of GMT and as a value between 00:00 and
24:00. For example, if it is 8:00 a.m. Pacific time in the United States, you would enter 16:00 because the
Pacific time zone is 8 hours behind GMT.
Step 2
Perform one of the following to set the time zone for the controller:
• Set the time zone location in order to have Daylight Saving Time (DST) set automatically when it occurs by entering
this command:
config time timezone location location_index
where location_index is a number representing one of the following time zone locations:
a. (GMT-12:00) International Date Line West
b. (GMT-11:00) Samoa
c. (GMT-10:00) Hawaii
d. (GMT-9:00) Alaska
e. (GMT-8:00) Pacific Time (US and Canada)
f. (GMT-7:00) Mountain Time (US and Canada)
g. (GMT-6:00) Central Time (US and Canada)
h. (GMT-5:00) Eastern Time (US and Canada)
i. (GMT-4:00) Atlantic Time (Canada)
j. (GMT-3:00) Buenos Aires (Argentina)
k. (GMT-2:00) Mid-Atlantic
l. (GMT-1:00) Azores
m. (GMT) London, Lisbon, Dublin, Edinburgh (default value)
n. (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
o. (GMT +2:00) Jerusalem
p. (GMT +3:00) Baghdad
q. (GMT +4:00) Muscat, Abu Dhabi
r. (GMT +4:30) Kabul
s. (GMT +5:00) Karachi, Islamabad, Tashkent
t. (GMT +5:30) Colombo, Kolkata, Mumbai, New Delhi
u. (GMT +5:45) Katmandu
v. (GMT +6:00) Almaty, Novosibirsk
w. (GMT +6:30) Rangoon
x. (GMT +7:00) Saigon, Hanoi, Bangkok, Jakarta
y. (GMT +8:00) Hong Kong, Beijing, Chongqing
z. (GMT +9:00) Tokyo, Osaka, Sapporo
aa. (GMT +9:30) Darwin
ab. (GMT+10:00) Sydney, Melbourne, Canberra
ac. (GMT+11:00) Magadan, Solomon Is., New Caledonia
ad. (GMT+12:00) Kamchatka, Marshall Is., Fiji
ae. (GMT+12:00) Auckland (New Zealand)
Note
If you enter this command, the controller automatically sets its system clock to reflect DST when it occurs.
In the United States, DST starts on the second Sunday in March and ends on the first Sunday in November.
• Manually set the time zone so that DST is not set automatically by entering this command:
config time timezone delta_hours delta_mins
where delta_hours is the local hour difference from GMT, and delta_mins is the local minute difference from GMT.
When manually setting the time zone, enter the time difference of the local current time zone with respect to GMT
(+/–). For example, Pacific time in the United States is 8 hours behind GMT. Therefore, it is entered as –8.
Note
You can manually set the time zone and prevent DST from being set only on the controller CLI.
Step 3
Save your changes by entering this command:
save config
Step 4
Verify that the controller shows the current local time with respect to the local time zone by entering this command:
show time
Information similar to the following is displayed:
Time.................. Thu Apr 7 13:56:37 2011
Timezone delt......... 0:0
Timezone location..... (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata
NTP Servers
NTP Polling Interval..........3600
Index   NTP Key Index   NTP Server        NTP Msg Auth Status
-------------------------------------------------------------
1       1               209.165.200.225   AUTH SUCCESS
Note
If you configured the time zone location, the Timezone Delta value is set to “0:0.” If you manually configured
the time zone using the time zone delta, the Timezone Location is blank.
Telnet and Secure Shell Sessions
Telnet is a network protocol used to provide access to the controller’s CLI. Secure Shell (SSH) is a more
secure version of Telnet that uses data encryption and a secure channel for data transfer. You can use the
controller GUI or CLI to configure Telnet and SSH sessions.
In Release 8.10.130.0, Cisco Wave 2 APs support the following cipher suites:
• HMAC: hmac-sha2-256,hmac-sha2-512
• KEX: diffie-hellman-group18-sha512, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
• Host Key: ecdsa-sha2-nistp256, ssh-rsa
• Ciphers: [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
Guidelines and Restrictions on Telnet and Secure Shell Sessions
• When the controller's config paging is disabled and clients running OpenSSH_8.1p1 with the OpenSSL 1.1.1
library are connected to the controller, the output display may freeze. You can press any key to unfreeze
the display.
    We recommend that you use one of the following methods to avoid this situation:
    • Connect using a different version of OpenSSH and the OpenSSL library
    • Use PuTTY
    • Use Telnet
• When PuTTY is used as an SSH client to connect to a controller running version 8.6 or later,
you may observe disconnects from PuTTY when a large output is requested with paging disabled. This is
observed when the controller has many configurations, has a high count of APs and clients, or either of
these. We recommend that you use alternate SSH clients in such situations.
• In Release 8.6, controllers are migrated from OpenSSH to libssh, and libssh does not support these key
exchange (KEX) algorithms: ecdh-sha2-nistp384 and ecdh-sha2-nistp521. Only ecdh-sha2-nistp256 is
supported.
• In Release 8.10.130.0 and later releases, controllers no longer support legacy cipher suites, weak ciphers,
MACs and KEXs.
Restrictions on Telnet and SSH
• Only the FIPS approved algorithm aes128-cbc is supported when using SSH to control WLANs.
• The controller does not support raw Telnet mode.
Configuring Telnet and SSH Sessions (GUI)
Step 1
Choose Management > Telnet-SSH to open the Telnet-SSH Configuration page.
Step 2
In the Idle Timeout(minutes) field, enter the number of minutes that a Telnet session is allowed to remain inactive before
being terminated. The valid range is from 0 to 160 minutes. A value of 0 indicates no timeout.
Step 3
From the Maximum Number of Sessions drop-down list, choose the number of simultaneous Telnet or SSH sessions
allowed. The valid range is from 0 to 5 sessions (inclusive), and the default value is 5 sessions. A value of zero indicates
that Telnet or SSH sessions are disallowed.
Step 4
To forcefully close current login sessions, choose Management > User Sessions and from the CLI session drop-down
list, choose Close.
Step 5
From the Allow New Telnet Sessions drop-down list, choose Yes or No to allow or disallow new Telnet sessions on the
controller. The default value is No.
Step 6
From the Allow New SSH Sessions drop-down list, choose Yes or No to allow or disallow new SSH sessions on the
controller. The default value is Yes.
Step 7
Save your configuration.
What to do next
To see a summary of the Telnet configuration settings, choose Management > Summary. The Summary
page that is displayed shows whether additional Telnet and SSH sessions are permitted.
Configuring Telnet and SSH Sessions (CLI)
Step 1
Allow or disallow new Telnet sessions on the controller by entering this command:
config network telnet {enable | disable}
The default value is disabled.
Step 2
Allow or disallow new SSH sessions on the controller by entering this command:
config network ssh {enable | disable}
The default value is enabled.
Note
Use the config network ssh cipher-option high {enable | disable} command to enable the SHA-2 based cipher
option that the controller supports.
Step 3
(Optional) Specify the number of minutes that a Telnet session is allowed to remain inactive before being terminated by
entering this command:
config sessions timeout timeout
The valid range for timeout is from 0 to 160 minutes, and the default value is 5 minutes. A value of 0 indicates no timeout.
Step 4
(Optional) Specify the number of simultaneous Telnet or SSH sessions allowed by entering this command:
config sessions maxsessions session_num
The valid range session_num is from 0 to 5, and the default value is 5 sessions. A value of zero indicates that Telnet or
SSH sessions are disallowed.
Step 5
Save your changes by entering this command:
save config
Step 6
You can close all the Telnet or SSH sessions by entering this command:
config loginsession close {session-id | all}
The session-id can be taken from the show login-session command.
Managing and Monitoring Remote Telnet and SSH Sessions
Step 1
See the Telnet and SSH configuration settings by entering this command:
show network summary
Information similar to the following is displayed:
RF-Network Name............................. TestNetwork1
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
...
Step 2
See the Telnet session configuration settings by entering this command:
show sessions
Information similar to the following is displayed:
CLI Login Timeout (minutes)............ 5
Maximum Number of CLI Sessions....... 5
Step 3
See all active Telnet sessions by entering this command:
show login-session
Information similar to the following is displayed:
ID  User Name        Connection From  Idle Time  Session Time
--  ---------------  ---------------  ---------  ------------
00  admin            EIA-232          00:00:00   00:19:04
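The settings configured and displayed in the preceding procedures can be checked mechanically. The following Python script is an added example, not Cisco code and not part of this guide: it parses captured output of show network summary and show sessions and reports findings against the baseline this section implies (Telnet off, SSH on, secure web mode on with SSLv2 off and the high cipher option on, a CLI idle timeout that is set and within the 0 to 160 minute range, and at most 5 concurrent CLI sessions). The sample captures, the finding codes, and the function names parse_dotted and audit_remote_access are the example's own constructions.

```python
"""Remote-access hardening check for a Cisco WLC (added example, not Cisco code).

Parses the text of "show network summary" and "show sessions" captured from the
controller CLI and reports findings against the baseline this section implies.
Sample captures below are constructed for the example; finding codes are our own.
"""
import re
from typing import Dict, List

# A WLC CLI line looks like "Key.......... Value"; keys contain no dots.
DOTTED_LINE = re.compile(r"^\s*(?P<key>[^.]+?)\s*\.{2,}\s*(?P<val>.*?)\s*$")

FINDING_TEXT = {
    "TELNET_ENABLED": "Telnet accepts new sessions (cleartext): config network telnet disable",
    "SSH_DISABLED": "SSH is disabled; only Telnet or the console is left: config network ssh enable",
    "HTTP_ENABLED": "Plain HTTP management (Web Mode) is enabled",
    "HTTPS_DISABLED": "Secure web mode (HTTPS) is disabled",
    "WEB_CIPHER_HIGH_OFF": "Secure web mode high cipher option is off",
    "SSLV2_ENABLED": "SSLv2 is enabled for secure web mode",
    "NO_IDLE_TIMEOUT": "CLI idle timeout is 0 (sessions never time out): config sessions timeout 5",
    "IDLE_TIMEOUT_OUT_OF_RANGE": "CLI idle timeout is outside the 0-160 minute range",
    "MAX_SESSIONS_OUT_OF_RANGE": "Maximum CLI sessions is outside the 0-5 range",
    "VALUE_MISSING": "Expected field missing or not numeric in the captured output",
}


def parse_dotted(text: str) -> Dict[str, str]:
    """Turn 'Key........ Value' lines into a dict; other lines are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = DOTTED_LINE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def audit_remote_access(network_summary: str, sessions: str) -> List[str]:
    """Return finding codes for the two captures; an empty list meets the baseline."""
    net = parse_dotted(network_summary)
    ses = parse_dotted(sessions)

    def enabled(table: Dict[str, str], key: str) -> bool:
        return table.get(key, "").lower() == "enable"

    findings: List[str] = []
    if enabled(net, "Telnet"):
        findings.append("TELNET_ENABLED")
    if not enabled(net, "Secure Shell (ssh)"):
        findings.append("SSH_DISABLED")
    if enabled(net, "Web Mode"):
        findings.append("HTTP_ENABLED")
    if not enabled(net, "Secure Web Mode"):
        findings.append("HTTPS_DISABLED")
    if not enabled(net, "Secure Web Mode Cipher-Option High"):
        findings.append("WEB_CIPHER_HIGH_OFF")
    if enabled(net, "Secure Web Mode Cipher-Option SSLv2"):
        findings.append("SSLV2_ENABLED")

    try:
        timeout = int(ses.get("CLI Login Timeout (minutes)", ""))
        max_sessions = int(ses.get("Maximum Number of CLI Sessions", ""))
    except ValueError:
        findings.append("VALUE_MISSING")
        return findings
    if timeout == 0:
        findings.append("NO_IDLE_TIMEOUT")
    elif not 0 < timeout <= 160:
        findings.append("IDLE_TIMEOUT_OUT_OF_RANGE")
    if not 0 <= max_sessions <= 5:
        findings.append("MAX_SESSIONS_OUT_OF_RANGE")
    return findings


# Constructed captures: one hardened controller and one with weak settings.
HARDENED_NET = """\
RF-Network Name............................. TestNetwork1
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Enable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
"""
HARDENED_SESSIONS = """\
CLI Login Timeout (minutes)............ 5
Maximum Number of CLI Sessions....... 5
"""
WEAK_NET = """\
RF-Network Name............................. TestNetwork1
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
"""
WEAK_SESSIONS = """\
CLI Login Timeout (minutes)............ 0
Maximum Number of CLI Sessions....... 5
"""

if __name__ == "__main__":
    for code in audit_remote_access(WEAK_NET, WEAK_SESSIONS):
        print(f"{code}: {FINDING_TEXT[code]}")
```

Feed the script the raw text of the two show commands as captured over SSH; the checks deliberately treat a missing or non-numeric field as a finding rather than silently passing, so an incomplete capture (for example, a session cut off by the PuTTY paging problem noted above) is reported instead of being read as compliant.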
Troubleshooting Access Points Using Telnet or SSH
The controller supports the use of the Telnet and Secure Shell (SSH) protocols to troubleshoot Cisco APs.
Using these protocols makes debugging easier, especially when the AP is unable to join the controller.
• Telnet is not supported on Cisco Wave 2 and 802.11ax APs.
Troubleshooting Access Points Using Telnet or SSH (GUI)
Step 1
Choose Wireless > Access Points > All APs to open the All APs page.
Step 2
Click the name of the access point for which you want to enable Telnet or SSH.
Step 3
Choose the Advanced tab to open the All APs > Details for (Advanced) page.
Step 4
Select the Telnet check box to enable Telnet connectivity on this access point. The default value is unchecked.
Step 5
Select the SSH check box to enable SSH connectivity on this access point. The default value is unchecked.
Step 6
Click Apply.
Step 7
Click Save Configuration.
Troubleshooting Access Points Using Telnet or SSH (CLI)
Step 1
Enable Telnet or SSH connectivity on an access point by entering this command:
config ap {telnet | ssh} enable Cisco_AP
The default value is disabled.
Note
Disable Telnet or SSH connectivity on an access point by entering this command:
config ap {telnet | ssh} disable Cisco_AP
Step 2
Save your changes by entering this command:
save config
Step 3
See whether Telnet or SSH is enabled on an access point by entering this command:
show ap config general Cisco_AP
Information similar to the following appears:
Cisco AP Identifier.............................. 5
Cisco AP Name.................................... AP33
Country code..................................... Multiple Countries:US,AE,AR,AT,AU,BH
Reg. Domain allowed by Country................... 802.11bg:-ABCENR 802.11a:-ABCEN
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A
Switch Port Number .............................. 2
MAC Address...................................... 00:19:2f:11:16:7a
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.22.8.133
IP NetMask....................................... 255.255.248.0
Gateway IP Addr.................................. 10.22.8.1
Domain...........................................
Name Server......................................
Telnet State..................................... Enabled
Ssh State........................................ Enabled
...
Managing the Controller Wirelessly
You can monitor and configure controllers using a wireless client. This feature is supported for all management
tasks except uploads from and downloads to the controller.
Before you can open the GUI or the CLI from a wireless client device, you must configure the controller to
allow the connection.
Enabling Wireless Connections (GUI)
Step 1
Log onto the GUI.
Step 2
Choose Management > Mgmt Via Wireless page.
Step 3
Enable the Controller Management to be accessible from wireless clients.
Step 4
Click Apply.
Enabling Wireless Connections (CLI)
Step 1
Log onto the CLI.
Step 2
Enter the config network mgmt-via-wireless enable command.
Step 3
Use a wireless client to associate to a lightweight access point connected to the controller.
Step 4
On the wireless client, open a Telnet session to the controller, or browse to the controller GUI.
CHAPTER 3
Managing Licenses
• Installing and Configuring Licenses
• Rehosting Licenses
• Configuring the License Agent
Installing and Configuring Licenses
Information About Installing and Configuring Licenses
You can order Cisco 5508 WLCs with support for 12, 25, 50, 100, 250 or 500 access points as the controller’s
base capacity. You can add additional access point capacity through capacity adder licenses available at 25,
50, 100 and 250 access point capacities. You can add the capacity adder licenses to any base license in any
combination to arrive at the maximum capacity of 500 access points. The base and adder licenses are supported
through both rehosting and RMAs.
The base license supports the standard base software set, and the premium software set is included as part of
the base feature set, which includes this functionality:
• Datagram Transport Layer Security (DTLS) data encryption for added security across remote WAN and
LAN links.
• The availability of data DTLS is as follows:
• Cisco 5508 WLC—The Cisco 5508 WLC is available with two licensing options: One with data
DTLS capabilities and another image without data DTLS.
• Cisco 2504 WLC and Cisco WiSM2—These platforms by default do not contain DTLS. To turn
on data DTLS, you must install a license. These platforms will have a single image with data DTLS
turned off. To use data DTLS, you must have a license.
• Support for OfficeExtend access points, which are used for secure mobile teleworking.
All features included in a Wireless LAN Controller WPLUS license are now included in the base license.
There are no changes to Cisco Prime Infrastructure BASE and PLUS licensing. These WPlus license features
are included in the base license:
• OfficeExtend AP
• Enterprise Mesh
• CAPWAP Data Encryption
For information about upgrade and capacity adder licenses, see the product data sheet of your controller model.
Restrictions for Using Licenses
The following are the restrictions you must keep in mind when using licenses for the controllers:
• The licensing change can affect features on your wireless LAN when you upgrade or downgrade software
releases, so you should be aware of these guidelines:
• If you have a WPlus license and you upgrade from 6.0.x.x to 7.x.x.x, your license file contains both
Basic and WPlus license features. There is no disruption in feature availability and operation.
• If you have a WPlus license and you downgrade from 7.x.x.x to 6.0.196.0 or 6.0.188.0 or 6.0.182.0,
your license file contains only base license, and you will lose all WPlus features.
• If you have a base license and you downgrade from 6.0.196.0 to 6.0.188.0 or 6.0.182.0, when you
downgrade, you lose all WPlus features.
• In the controller software 7.0.116.0 and later releases, the AP association trap is ciscoLwappApAssociated.
In prior releases, the trap was bsnAPAssociated.
• The ap-count licenses and their corresponding image-based licenses are installed together. The controller
keeps track of the licensed access point count and does not allow more than the number of access points
to associate to it.
• The Cisco 5508 WLC is shipped with both permanent and evaluation base and base-ap-count licenses.
If desired, you can activate the evaluation licenses, which are designed for temporary use and set to
expire after 60 days.
• No licensing steps are required after you receive your Cisco 5508 WLC because the licenses you ordered
are installed at the factory. In addition, licenses and product authorization keys (PAKs) are preregistered
to serial numbers. However, as your wireless network evolves, you might want to add support for additional
access points or upgrade from the standard software set to the base software set. To do so, you must
obtain and install an upgrade license.
Obtaining an Upgrade or Capacity Adder License
This section describes how to get an upgrade or capacity adder license.
Information About Obtaining an Upgrade or Capacity Adder License
A certificate with a product authorization key (PAK) is required before you can obtain an upgrade license.
You can use the capacity adder licenses to increase the number of access points supported by the controller
up to a maximum of 500 access points. The capacity adder licenses are available in access point capacities of
10, 25, 50, 100 and 250 access points. You can add these licenses to any of the base capacity licenses of 12,
25, 50, 100 and 250 access points.
For example, if your controller was initially ordered with support for 100 access points (base license
AIR-CT5508-100-K9), you could increase the capacity to 500 access points by purchasing a 250 access point,
100 access point, and a 50 access point additive capacity license (LIC-CT5508-250A, LIC-CT5508-100A,
and LIC-CT5508-50A).
You can find more information on ordering capacity adder licenses at this URL:
http://www.cisco.com/c/en/us/products/wireless/5500-series-wireless-controllers/datasheet-listing.html
Note
If you skip any tiers when upgrading (for example, if you do not install the -25U and -50U licenses along
with the -100U), the license registration for the upgraded capacity fails.
For a single controller, you can order different upgrade licenses in one transaction (for example, -25U, -50U,
-100U, and -250U), for which you receive one PAK with one license. Then you have only one license (instead
of four) to install on your controller.
If you have multiple controllers and want to upgrade all of them, you can order multiple quantities of each
upgrade license in one transaction (for example, you can order 10 each of the -25U, -50U, -100U, and -250U
upgrade licenses), for which you receive one PAK with one license. You can continue to register the PAK
for multiple controllers until it is exhausted.
For more information about the base license SKUs and capacity adder licenses, see the respective controller’s
data sheet.
Obtaining and Registering a PAK Certificate
Step 1
Order the PAK certificate for an upgrade license through your Cisco channel partner or your Cisco sales representative,
or order it online at this URL:
http://www.cisco.com/go/ordering
Step 2
If you are ordering online, begin by choosing the primary upgrade SKU L-LIC-CT5508-UPG or LIC-CT5508-UPG.
Then, choose any number of the following options to upgrade one or more controllers under one PAK. After you receive
the certificate, use one of the following methods to register the PAK:
• Cisco License Manager (CLM)—This method automates the process of obtaining licenses and deploying them on
Cisco devices. For deployments with more than five controllers, we recommend using CLM to register PAKs and
install licenses. You can also use CLM to rehost or RMA a license.
Note
You cannot use CLM to change the licensed feature set or activate an ap-count evaluation license. To
perform these operations, you must follow the instructions in the Activating an AP-Count Evaluation
License section. Because you can use CLM to perform all other license operations, you can disregard the
remaining licensing information in this chapter except these two sections and the Configuring the License
Agent section if you want your controller to use HTTP to communicate with CLM.
Note
You can download the CLM software and access user documentation at this URL:
http://www.cisco.com/go/clm
• Licensing portal—This alternative method enables you to manually obtain and install licenses on your controller.
If you want to use the licensing portal to register the PAK, follow the instructions in Step 3.
Step 3
Use the licensing portal to register the PAK as follows:
a) Go to http://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet
b) On the main Product License Registration page, enter the PAK mailed with the certificate in the Product Authorization
Key (PAK) text box and click Submit.
c) On the Validate Features page, enter the number of licenses that you want to register in the Qty text box and click
Update.
d) To determine the controller’s product ID and serial number, choose Controller > Inventory on the controller GUI
or enter the show license udi command on the controller CLI.
Information similar to the following appears on the controller CLI:
Device#  PID              SN             UDI
-------  ---------------  -------------  -------------------------
*0       AIR-CT5508-K9    FCW1308L030    AIR-CT5508-K9:FCW1308L030
e) On the Designate Licensee page, enter the product ID and serial number of the controller on which you plan to install
the license, read and accept the conditions of the end-user license agreement (EULA), complete the rest of the text
boxes on this page, and click Submit.
f) On the Finish and Submit page, verify that all information is correct and click Submit.
g) When a message appears indicating that the registration is complete, click Download License. The license is e-mailed
within 1 hour to the address that you specified.
h) When the e-mail arrives, follow the instructions provided.
i) Copy the license file to your TFTP server.
Installing a License
Installing a License (GUI)
Step 1
Choose Management > Software Activation > Commands to open the License Commands page.
Step 2
From the Action drop-down list, choose Install License. The Install License from a File section appears.
Step 3
In the File Name to Install text box, enter the path to the license (*.lic) on the TFTP server.
Step 4
Click Install License. A message appears to show whether the license was installed successfully. If the installation fails,
the message provides the reason for the failure, such as the license is an existing license, the path was not found, the
license does not belong to this device, you do not have correct permissions for the license, and so on.
Step 5
If the end-user license agreement (EULA) acceptance dialog box appears, read the agreement and click Accept to accept
the terms of the agreement.
Note
Typically, you are prompted to accept the EULA for evaluation, extension, and rehost licenses. The EULA is
also required for permanent licenses, but it is accepted during license generation.
Step 6
Save a backup copy of all installed licenses as follows:
a) From the Action drop-down list, choose Save License.
b) In the File Name to Save text box, enter the path on the TFTP server where you want the licenses to be saved.
Note
You cannot save evaluation licenses.
c) Click Save Licenses.
Step 7
Reboot the controller.
Note
We recommend that you reset the system to ensure that the newly installed license file is saved in the WLC.
Installing a License (CLI)
Step 1
Install a license on the controller by entering this command:
license install url
where url is tftp://server_ip/path/filename.
Note
To remove a license from the controller, enter the license clear license_name command. For example, you
might want to delete an expired evaluation license or any unused license. You cannot delete unexpired evaluation
licenses, the permanent base image license, or licenses that are in use by the controller.
Step 2
If you are prompted to accept the end-user license agreement (EULA), read and accept the terms of the agreement.
Note
Typically, you are prompted to accept the EULA for evaluation, extension, and rehost licenses. The EULA is
also required for permanent licenses, but it is accepted during license generation.
Step 3
Add comments to a license or delete comments from a license by entering this command:
license comment {add | delete} license_name comment_string
Step 4
Save a backup copy of all installed licenses by entering this command:
license save url
where url is tftp://server_ip/path/filename.
Step 5
Reboot the controller by entering this command:
reset system
Note
We recommend that you reset the system to ensure that the newly installed license file is saved in the WLC.
Viewing Licenses
Viewing Licenses (GUI)
Step 1
Choose Management > Software Activation > Licenses to open the Licenses page.
This page lists all the licenses that are installed on the controller. For each license, it shows the license type, expiration,
count (the maximum number of access points that are allowed for this license), priority (low, medium, or high), and status
(in use, not in use, inactive, or EULA not accepted).
Note
Controller platforms do not support the status of “grace period” or “extension” as a license type. The license
status always shows as “evaluation” even if a grace period or an extension evaluation license is installed.
If you ever want to remove a license from the controller, hover your cursor over the blue drop-down arrow for
the license and click Remove. For example, you might want to delete an expired evaluation license or any
unused license. You cannot delete unexpired evaluation licenses, the permanent base image license, or licenses
that are in use by the controller.
In Cisco 2504 and 5508 Wireless Controllers, the license section is limited to display 10 licenses only. Also,
these licenses cannot be deleted from the controller.
Step 2
Click the link for the desired license to view more details for a particular license. The License Detail page appears.
This page shows the following additional information for the license:
• The license type (permanent, evaluation, or extension)
• The license version
• The status of the license (in use, not in use, inactive, or EULA not accepted).
• The length of time before the license expires
Note
Permanent licenses never expire.
• Whether the license is a built-in license.
• The maximum number of access points allowed for this license
• The number of access points currently using this license
Step 3
If you want to enter a comment for this license, type it in the Comment text box and click Apply.
Step 4
Click Save Configuration to save your changes.
Viewing Licenses (CLI)
Procedure
• See the license level, license type, and number of access points licensed on the controller by entering
this command:
show sysinfo
This example shows a sample output of the command run on Cisco 8540 Wireless Controller using
Release 8.3:
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.100.0
RTOS Version..................................... 8.3.100.0
Bootloader Version............................... 8.0.110.0
Emergency Image Version.......................... 8.0.110.0
OUI File Last Update Time........................ Sun Sep 07 10:44:07 IST 2014
Build Type....................................... DATA + WPS
System Name...................................... TestSpartan8500Dev1
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1615
Redundancy Mode.................................. Disabled
IP Address....................................... 8.1.4.2
IPv6 Address..................................... ::
System Up Time................................... 0 days 17 hrs 20 mins 58 secs
--More-- or (q)uit
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... Multiple Countries : IN,US
Operating Environment............................ Commercial (10 to 35 C)
Internal Temp Alarm Limits....................... 10 to 38 C
Internal Temperature............................. +21 C
Fan Status....................................... OK
RAID Volume Status
Drive 0.......................................... Good
Drive 1.......................................... Good
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 7
Number of Active Clients......................... 1
OUI Classification Failure Count................. 0
Burned-in MAC Address............................ F4:CF:E2:0A:27:00
Power Supply 1................................... Present, OK
--More-- or (q)uit
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 6000
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1/SHA2
Licensing Type................................... RTU
Note
The Operating Environment and Internal Temp Alarm Limits data are not displayed for Cisco Flex 7510
WLCs.
• See a brief summary of all active licenses installed on the controller by entering this command:
show license summary
Information similar to the following appears:
Index 1 Feature: wplus
Period left: 0 minute 0 second
Index 2 Feature: wplus-ap-count
Period left: 0 minute 0 second
Index 3
Feature: base
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 4 Feature: base-ap-count
Period left: 6 weeks, 4 days
License Type: Evaluation
License State: Active, In Use
License Count: 250/250/0
License Priority: High
• See all of the licenses installed on the controller by entering this command:
show license all
Information similar to the following appears:
License Store: Primary License Storage
StoreIndex: 1 Feature: base
Version: 1.0
License Type: Permanent
License State: Active, Not in Use
License Count: Non-Counted
License Priority: Medium
StoreIndex: 3 Feature: base-ap-count
Version: 1.0
License Type: Evaluation
License State: Active, In Use
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 3 days
License Count: 250/0/0
License Priority: High
• See the details for a particular license by entering this command:
show license detail license_name
Information similar to the following appears:
Index:
1
Feature: base-ap-count
Version: 1.0
License Type: Permanent
License State: Active, Not in Use
License Count: 12/0/0
License Priority: Medium
Store Index: 0
Store Name: Primary License Storage
Index:
2
Feature: base-ap-count
Version: 1.0
License Type: Evaluation
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License Count: 250/0/0
License Priority: Low
Store Index: 3
Store Name: Evaluation License Storage
• See all expiring, evaluation, permanent, or in-use licenses by entering this command:
show license {expiring | evaluation | permanent | in-use}
Information similar to the following appears for the show license in-use command:
StoreIndex: 2 Feature: base-ap-count Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: 12/12/0
License Priority: Medium
StoreIndex: 3 Feature: base Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Note
Controller platforms do not support the status of “grace period” or “extension” as a license type. The license
status will always show “evaluation” even if a grace period or an extension evaluation license is installed.
• See the maximum number of access points allowed for this license on the controller, the number of access
points currently joined to the controller, and the number of access points that can still join the controller
by entering this command:
show license capacity
Information similar to the following appears:
Licensed Feature  Max Count  Current Count  Remaining Count
----------------  ---------  -------------  ---------------
AP Count          250        4              246
• See statistics for all licenses on the controller by entering this command:
show license statistics
• See a summary of license-enabled features by entering this command:
show license feature
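The record-style output of show license all shown above can be parsed to keep track of evaluation licenses, which matters because (as described in the Activating an AP-Count Evaluation License section) the controller does not switch licenses by itself when an evaluation license expires. The following Python script is an added example, not Cisco code and not part of this guide: it parses the StoreIndex records, converts the "Evaluation period left" text into days, flags every evaluation license that is in use and again when it is within a warning window, and reads the licensed AP count. The sample output is constructed for the example, the function names are the example's own, and the reading of the first number in "License Count" (for example 250 in 250/12/0) as the licensed AP count is an assumption, since this page does not define the three fields.

```python
"""License inventory check for a Cisco WLC (added example, not Cisco code).

Parses the record-style output of "show license all" and reports evaluation
licenses that are in use or close to expiry. Per this guide the controller does
not switch licenses when an evaluation license expires (a reboot is needed), so
an in-use evaluation license is worth tracking. Sample output is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

STORE_LINE = re.compile(r"^StoreIndex:\s*(?P<idx>\d+)\s+Feature:\s*(?P<feature>\S+)")
PERIOD_UNIT = re.compile(r"(\d+)\s*(week|day|hour|minute|second)s?", re.IGNORECASE)
UNIT_DAYS = {"week": 7.0, "day": 1.0, "hour": 1 / 24, "minute": 1 / 1440, "second": 1 / 86400}
Finding = Tuple[str, str, Optional[float]]  # (code, feature, days left)


def period_to_days(text: str) -> Optional[float]:
    """'8 weeks 3 days' -> 59.0, '0 minute 0 second' -> 0.0, 'Life time' -> None."""
    if "life" in text.lower():
        return None
    return sum(int(qty) * UNIT_DAYS[unit.lower()] for qty, unit in PERIOD_UNIT.findall(text))


def parse_license_all(text: str) -> List[Dict[str, str]]:
    """One dict per StoreIndex record; 'License Store:' banner lines end a record."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = STORE_LINE.match(line)
        if m:
            current = {"StoreIndex": m.group("idx"), "Feature": m.group("feature")}
            records.append(current)
        elif line.startswith("License Store:"):
            current = None
        elif current is not None and ": " in line:
            key, val = line.split(": ", 1)
            current[key] = val.strip()
    return records


def is_in_use(rec: Dict[str, str]) -> bool:
    # "Active, In Use" counts; "Active, Not in Use" and "Inactive" do not.
    return rec.get("License State", "").lower().endswith(", in use")


def audit_licenses(text: str, warn_days: float = 14) -> List[Finding]:
    """Flag every in-use evaluation license, and again if it expires within warn_days."""
    findings: List[Finding] = []
    for rec in parse_license_all(text):
        if rec.get("License Type") != "Evaluation" or not is_in_use(rec):
            continue
        left = period_to_days(rec.get("Evaluation period left", "0 second"))
        findings.append(("EVAL_IN_USE", rec["Feature"], left))
        if left is not None and left <= warn_days:
            findings.append(("EVAL_EXPIRING", rec["Feature"], left))
    return findings


def licensed_ap_count(text: str) -> int:
    """Licensed AP count taken from the in-use *-ap-count record.

    Assumption (this page does not define the three License Count fields): the
    first number, e.g. 250 in '250/12/0', is the licensed count.
    """
    for rec in parse_license_all(text):
        if rec["Feature"].endswith("-ap-count") and is_in_use(rec):
            return int(rec.get("License Count", "0").split("/")[0])
    return 0


# Constructed "show license all" capture: an evaluation ap-count license has been
# raised to high priority and is in use, with ten days left.
SAMPLE_SHOW_LICENSE_ALL = """\
License Store: Primary License Storage
StoreIndex: 0 Feature: base-ap-count
Version: 1.0
License Type: Permanent
License State: Active, Not in Use
License Count: 12/0/0
License Priority: Medium
StoreIndex: 1 Feature: base
Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
License Store: Evaluation License Storage
StoreIndex: 3 Feature: base-ap-count
Version: 1.0
License Type: Evaluation
License State: Active, In Use
Evaluation total period: 8 weeks 4 days
Evaluation period left: 1 weeks 3 days
License Count: 250/12/0
License Priority: High
"""

if __name__ == "__main__":
    print("licensed APs:", licensed_ap_count(SAMPLE_SHOW_LICENSE_ALL))
    for code, feature, days in audit_licenses(SAMPLE_SHOW_LICENSE_ALL):
        print(f"{code}: {feature} ({days} days left)")
```

Run it against a capture taken periodically and alert on EVAL_EXPIRING; when the evaluation period reaches zero the permanent ap-count license only takes over after a reboot, so the warning window should leave time to schedule that reboot or lower the evaluation license priority as described later in this chapter.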
Troubleshooting Licensing Issues
Procedure
• Configure debugging of license agent by entering this command:
debug license agent {errors | all} {enable | disable}
• Configure debugging of licensing core events and core errors by entering this command:
debug license core {all | errors | events} {enable | disable}
• Configure debugging of licensing errors by entering this command:
debug license errors {enable | disable}
• Configure debugging of licensing events by entering this command:
debug license events {enable | disable}
Activating an AP-Count Evaluation License
Information About Activating an AP-Count Evaluation License
If you are considering upgrading to a license with a higher access point count, you can try an evaluation license
before upgrading to a permanent version of the license. For example, if you are using a permanent license
with a 50-access-point count and want to try an evaluation license with a 100-access-point count, you can try
out the evaluation license for 60 days.
AP-count evaluation licenses are set to low priority by default so that the controller uses the ap-count permanent
license. If you want to try an evaluation license with an increased access point count, you must change its
priority to high. If you no longer want to have this higher capacity, you can lower the priority of the ap-count
evaluation license, which forces the controller to use the permanent license.
Note
To prevent disruptions in operation, the controller does not switch licenses when an evaluation license expires.
You must reboot the controller in order to return to a permanent license. Following a reboot, the controller
defaults to the same feature set level as the expired evaluation license. If no permanent license at the same
feature set level is installed, the controller uses a permanent license at another level or an unexpired evaluation
license.
Activating an AP-Count Evaluation License (GUI)
Step 1
Choose Management > Software Activation > Licenses to open the Licenses page.
The Status column shows which licenses are currently in use, and the Priority column shows the current priority of each
license.
Step 2
Activate an ap-count evaluation license as follows:
a) Click the link for the ap-count evaluation license that you want to activate. The License Detail page appears.
b) Choose High from the Priority drop-down list and click Set Priority.
Note
You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses always have
a medium priority, which cannot be configured.
c) Click OK when prompted to confirm your decision about changing the priority of the license.
d) When the EULA appears, read the terms of the agreement and then click Accept.
e) When prompted to reboot the controller, click OK.
f) Reboot the controller in order for the priority change to take effect.
g) Click Licenses to open the Licenses page and verify that the ap-count evaluation license now has a high priority and
is in use. You can use the evaluation license until it expires.
Step 3
If you decide to stop using the ap-count evaluation license and want to revert to using an ap-count permanent license,
follow these steps:
a) On the Licenses page, click the link for the ap-count evaluation license that is in use.
b) Choose Low from the Priority drop-down list and click Set Priority.
Note
You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses always have
a medium priority, which cannot be configured.
c) Click OK when prompted to confirm your decision about changing the priority of the license.
d) When the EULA appears, read the terms of the agreement and then click Accept.
e) When prompted to reboot the controller, click OK.
f) Reboot the controller in order for the priority change to take effect.
g) Click Licenses to open the Licenses page and verify that the ap-count evaluation license now has a low priority and
is not in use. Instead, the ap-count permanent license should be in use.
Activating an AP-Count Evaluation License (CLI)
Step 1
See the current status of all the licenses on your controller by entering this command:
show license all
Information similar to the following appears:
License Store: Primary License Storage
StoreIndex: 0 Feature: base-ap-count
Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: 12/0/0
License Priority: Medium
StoreIndex: 1 Feature: base
Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
StoreIndex: 2 Feature: base
Version: 1.0
License Type: Evaluation
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License Count: Non-Counted
License Priority: Low
StoreIndex: 3 Feature: base-ap-count
Version: 1.0
License Type: Evaluation
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License Count: 250/0/0
License Priority: Low
The License State text box shows the licenses that are in use, and the License Priority text box shows the current priority
of each license.
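The output above is a fixed-format listing that is easy to misread when several StoreIndex blocks carry the same feature name. As an added example (not Cisco code), the following script parses that output, reports which store index is in use for each feature, the AP count currently in force, and whether any feature is running on an evaluation license. The sample text is the output shown in this step, embedded so the script runs offline; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Sample `show license all` output, copied from the guide and embedded so the
# script runs offline.
SAMPLE_OUTPUT = """\
License Store: Primary License Storage
StoreIndex: 0 Feature: base-ap-count
Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: 12/0/0
License Priority: Medium
StoreIndex: 1 Feature: base
Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
StoreIndex: 2 Feature: base
Version: 1.0
License Type: Evaluation
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License Count: Non-Counted
License Priority: Low
StoreIndex: 3 Feature: base-ap-count
Version: 1.0
License Type: Evaluation
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License Count: 250/0/0
License Priority: Low
"""

STORE_RE = re.compile(r"^\s*StoreIndex:\s*(\d+)\s+Feature:\s*(\S+)")


@dataclass
class License:
    index: int
    feature: str
    fields: dict = field(default_factory=dict)  # "License Type" -> "Permanent", ...

    @property
    def license_type(self) -> str:
        return self.fields.get("License Type", "")

    @property
    def priority(self) -> str:
        return self.fields.get("License Priority", "")

    @property
    def in_use(self) -> bool:
        return "In Use" in self.fields.get("License State", "")

    @property
    def ap_count(self):
        """Leading number of 'License Count: 12/0/0'; None for Non-Counted."""
        m = re.match(r"(\d+)/", self.fields.get("License Count", ""))
        return int(m.group(1)) if m else None


def parse_show_license_all(text: str) -> list:
    """Split the output into one License per StoreIndex block."""
    licenses, current = [], None
    for line in text.splitlines():
        m = STORE_RE.match(line)
        if m:
            current = License(int(m.group(1)), m.group(2))
            licenses.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current.fields[key.strip()] = value.strip()
    return licenses


def licenses_in_use(licenses) -> dict:
    """feature -> StoreIndex of the license whose state is 'In Use'."""
    return {lic.feature: lic.index for lic in licenses if lic.in_use}


def ap_capacity(licenses) -> int:
    """AP count granted by the base-ap-count license currently in use."""
    for lic in licenses:
        if lic.feature == "base-ap-count" and lic.in_use:
            return lic.ap_count or 0
    return 0


def evaluation_in_use(licenses) -> list:
    """Features running on an Evaluation license; worth tracking because the
    controller does not switch back to the permanent license on expiry
    until it is rebooted."""
    return sorted(lic.feature for lic in licenses
                  if lic.in_use and lic.license_type == "Evaluation")


if __name__ == "__main__":
    lics = parse_show_license_all(SAMPLE_OUTPUT)
    for lic in lics:
        print(f"{lic.index} {lic.feature:14} {lic.license_type:11} "
              f"priority={lic.priority:6} in_use={lic.in_use}")
    print("AP capacity in force:", ap_capacity(lics))
    print("Evaluation licenses in use:", evaluation_in_use(lics))
```

Run the same parser on the output captured after Step 2c and after Step 3c: the in-use index for base-ap-count should move from 0 to 3 and back, and `ap_capacity` from 12 to 250 and back.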
Step 2
Activate an ap-count evaluation license as follows:
a) Raise the priority of the base-ap-count evaluation license by entering this command:
license modify priority license_name high
Note
You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses always have
a medium priority, which cannot be configured.
b) Reboot the controller in order for the priority change to take effect by entering this command:
reset system
c) Verify that the ap-count evaluation license now has a high priority and is in use by entering this command:
show license all
You can use the evaluation license until it expires.
Step 3
If you decide to stop using the ap-count evaluation license and want to revert to using an ap-count permanent license,
follow these steps:
a) Lower the priority of the ap-count evaluation license by entering this command:
license modify priority license_name low
b) Reboot the controller in order for the priority change to take effect by entering this command:
reset system
c) Verify that the ap-count evaluation license now has a low priority and is not in use by entering this command:
show license all
Instead, the ap-count permanent license should be in use.
Rehosting Licenses
This section describes how to rehost licenses.
Information About Rehosting Licenses
Revoking a license from one controller and installing it on another is called rehosting. You might want to
rehost a license in order to change the purpose of a controller. For example, if you want to move your
OfficeExtend or indoor mesh access points to a different controller, you could transfer the adder license from
one controller to another controller of the same model (intramodel transfer). This can be done in the case of
RMA or a network rearchitecture that requires you to transfer licenses from one appliance to another. It is not
possible to rehost base licenses in normal scenarios of network rearchitecture. The only exception where the
transfer of base licenses is allowed is for RMA when you get a replacement hardware when your existing
appliance has a failure.
Evaluation licenses cannot be rehosted.
In order to rehost a license, you must generate credential information from the controller and use it to obtain
a permission ticket to revoke the license from the Cisco licensing site. Next, you must obtain a rehost ticket
and use it to obtain a license installation file for the controller on which you want to install the license.
Note
A revoked license cannot be reinstalled on the same controller.
Note
Starting in Release 7.3, Right-to-Use licensing is supported on Cisco Flex 7510 WLCs, which changes the
rehosting behavior on these controllers. If you need to rehost licenses, plan to rehost the installed adder
licenses before you upgrade.
Rehosting a License
Rehosting a License (GUI)
Step 1
Choose Management > Software Activation > Commands to open the License Commands page.
Step 2
From the Action drop-down list, choose Rehost. The Revoke a License from the Device and Generate Rehost Ticket
area appears.
Step 3
In the File Name to Save Credentials field, enter the path on the TFTP server where you want the device credentials to
be saved and click Save Credentials.
Step 4
To obtain a permission ticket to revoke the license, follow these steps:
a) Click Cisco Licensing (https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet).
b) On the Product License Registration page, click Look Up a License under Manage Licenses.
c) Enter the product ID and serial number for your controller.
Note
To find the controller’s product ID and serial number, choose Controller > Inventory on the controller
GUI.
d) Open the device credential information file that you saved in Step 3 and copy and paste the contents of the file into
the Device Credentials field.
e) Enter the security code in the blank box and click Continue.
f) Choose the licenses that you want to revoke from this controller and click Start License Transfer.
g) On the Rehost Quantities page, enter the number of licenses that you want to revoke in the To Rehost field and click
Continue.
h) On the Designate Licensee page, enter the product ID and serial number of the controller for which you plan to revoke
the license, read and accept the conditions of the End User License Agreement (EULA), complete the rest of the text
boxes on this page, and click Continue.
i) On the Review and Submit page, verify that all information is correct and click Submit.
j) When a message appears indicating that the registration is complete, click Download Permission Ticket. The rehost
permission ticket is e-mailed within 1 hour to the address that you specified.
k) After the e-mail arrives, copy the rehost permission ticket to your TFTP server.
Step 5
Use the rehost permission ticket to revoke the license from this controller and generate a rehost ticket as follows:
a) In the Enter Saved Permission Ticket File Name field, enter the TFTP path and filename (*.lic) for the rehost
permission ticket that you generated in Step 4.
b) In the Rehost Ticket File Name field, enter the TFTP path and filename (*.lic) for the ticket that will be used to
rehost this license on another controller.
c) Click Generate Rehost Ticket.
d) When the End User License Agreement (EULA) acceptance dialog box appears, read the agreement and click Accept
to accept the terms of the agreement.
Step 6
Use the rehost ticket generated in Step 5 to obtain a license installation file, which can then be installed on another
controller as follows:
a) Click Cisco Licensing.
b) On the Product License Registration page, click Upload Rehost Ticket under Manage Licenses.
c) On the Upload Ticket page, enter the rehost ticket that you generated in Step 5 in the Enter Rehost Ticket field and
click Continue.
d) On the Validate Features page, verify that the license information for your controller is correct, enter the rehost
quantity, and click Continue.
e) On the Designate Licensee page, enter the product ID and serial number of the controller on which you plan to use
the license, read and accept the conditions of the End User License Agreement (EULA), complete the rest of the text
boxes on this page, and click Continue.
f) On the Review and Submit page, verify that all information is correct and click Submit.
g) When a message appears indicating that the registration is complete, click Download License. The rehost license
key is e-mailed within 1 hour to the address that you specified.
h) After the e-mail arrives, copy the rehost license key to your TFTP server.
i) Follow the instructions in the Installing a License section to install this on another controller.
Step 7
After you revoke the license on the original controller, the corresponding evaluation license appears with high priority.
Lower the priority of the evaluation license so that the permanent license is in "In Use" status.
Rehosting a License (CLI)
Step 1
Save device credential information to a file by entering this command:
license save credential url
where url is tftp://server_ip/path/filename.
Step 2
Obtain a permission ticket to revoke the license as follows:
a) Go to https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet. The Product License Registration page
appears.
b) Under Manage Licenses, click Look Up a License.
c) Enter the product ID and serial number for your controller.
Note
To find the controller’s product ID and serial number, enter the show license udi command on the controller
CLI.
d) Open the device credential information file that you saved in Step 1 and copy and paste the contents of the file into
the Device Credentials text box.
e) Enter the security code in the blank box and click Continue.
f) Choose the licenses that you want to revoke from this controller and click Start License Transfer.
g) On the Rehost Quantities page, enter the number of licenses that you want to revoke in the To Rehost text box and
click Continue.
h) On the Designate Licensee page, enter the product ID and serial number of the controller for which you plan to revoke
the license, read and accept the conditions of the End-User License Agreement (EULA), complete the rest of the text
boxes on this page, and click Continue.
i) On the Review and Submit page, verify that all information is correct and click Submit.
j) When a message appears indicating that the registration is complete, click Download Permission Ticket. The rehost
permission ticket is e-mailed within 1 hour to the address that you specified.
k) After the e-mail arrives, copy the rehost permission ticket to your TFTP server.
Step 3
Use the rehost permission ticket to revoke the license from this controller and generate a rehost ticket as follows:
a) Revoke the license from the controller by entering this command:
license revoke permission_ticket_url
where permission_ticket_url is tftp://server_ip/path/filename.
b) Generate the rehost ticket by entering this command:
license revoke rehost rehost_ticket_url
where rehost_ticket_url is tftp://server_ip/path/filename.
c) If prompted, read and accept the terms of the End-User License Agreement (EULA).
Step 4
Use the rehost ticket generated in Step 3 to obtain a license installation file, which can then be installed on another
controller as follows:
a) Go to https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet.
b) On the Product License Registration page, click Upload Rehost Ticket under Manage Licenses.
c) On the Upload Ticket page, enter the rehost ticket that you generated in Step 3 in the Enter Rehost Ticket text box
and click Continue.
d) On the Validate Features page, verify that the license information for your controller is correct, enter the rehost
quantity, and click Continue.
e) On the Designate Licensee page, enter the product ID and serial number of the controller on which you plan to use
the license, read and accept the conditions of the End-User License Agreement (EULA), complete the rest of the text
boxes on this page, and click Continue.
f) On the Review and Submit page, verify that all information is correct and click Submit.
g) When a message appears indicating that the registration is complete, click Download License. The rehost license
key is e-mailed within 1 hour to the address that you specified.
h) After the e-mail arrives, copy the rehost license key to your TFTP server.
i) Follow the instructions in the Installing a License (GUI), on page 54 section to install this license on another controller.
Step 5
After you revoke the license on the original controller, the corresponding evaluation license appears with High priority.
Lower the priority of the evaluation license so that the permanent license is in "In Use" status.
Transferring Licenses to a Replacement Controller after an RMA
Information About Transferring Licenses to a Replacement Controller after an RMA
If you return a Cisco WLC as part of the Return Material Authorization (RMA) process, you must transfer
that controller’s licenses within 60 days to a replacement controller that you receive from Cisco.
Because licenses are registered to the serial number of a controller, you can use the licensing portal on
Cisco.com to request that the license from your returned controller be revoked and authorized for use on the
replacement controller. After your request is approved, you can install the old license on the replacement
controller. Any additional ap-count licenses installed in the returned controller must be rehosted on the
replacement controller. Before you begin, you need the product ID and serial number of both the returned
controller and the replacement controller. This information is included in your purchase records.
Note
The evaluation licenses on the replacement controller are designed for temporary use and expire after 60 days.
To prevent disruptions in operation, the controller does not switch licenses when an evaluation license expires.
You must reboot the controller in order to return to a permanent license. If the evaluation licenses expire
before you transfer the permanent licenses from your defective controller to your replacement controller, the
replacement controller remains up and running using the permanent base license, but access points are no
longer able to join the controller.
Transferring a License to a Replacement Controller after an RMA
Step 1
Browse to https://tools.cisco.com/SWIFT/LicensingUI/Quickstart.
Step 2
Log on to the site.
Step 3
In the Manage tab, click Devices.
Step 4
Choose Actions > Rehost/Transfer.
Step 5
Follow the on-screen instructions to generate the license file.
The license is provided online or in an e-mail.
Step 6
Copy the license file to the TFTP server.
Step 7
Install the license by choosing Management > Software Activation > Commands > Action > Install License.
Configuring the License Agent
Information About Configuring the License Agent
If your network contains various Cisco-licensed devices, you might want to consider using the Cisco License
Manager (CLM) to manage all of the licenses using a single application. CLM is a secure client/server
application that manages Cisco software licenses network wide.
The license agent is an interface module that runs on the controller and mediates between CLM and the
controller’s licensing infrastructure. CLM can communicate with the controller using various channels, such
as HTTP, Telnet, and so on. If you want to use HTTP as the communication method, you must enable the
license agent on the controller.
The license agent receives requests from CLM and translates them into license commands. It also sends
notifications to CLM. It uses XML messages over HTTP or HTTPS to receive the requests and send the
notifications. For example, CLM sends a license install command, and the agent notifies CLM after the license
expires.
Note
You can download the CLM software and access user documentation at http://www.cisco.com/go/clm.
Configuring the License Agent (GUI)
Step 1
Choose Management > Software Activation > License Agent to open the License Agent Configuration page.
Step 2
Select the Enable Default Authentication check box to enable the license agent, or leave it unselected to disable this
feature. The default value is unselected.
Step 3
In the Maximum Number of Sessions text box, enter the maximum number of sessions for the license agent. The valid
range is 1 to 25 sessions (inclusive).
Step 4
Configure the license agent to listen for requests from the CLM as follows:
a) Select the Enable Listener check box to enable the license agent to receive license requests from the CLM, or unselect
this check box to disable this feature. The default value is unselected.
b) In the Listener Message Processing URL text box, enter the URL where the license agent receives license requests
(for example, http://209.165.201.30/licenseAgent/custom). The Protocol parameter indicates whether the URL requires
HTTP or HTTPS.
Note
You can specify the protocol to use on the HTTP Configuration page.
c) Select the Enable Authentication for Listener check box to enable authentication for the license agent when it is
receiving license requests, or unselect this check box to disable this feature. The default value is unselected.
d) In the Max HTTP Message Size text box, enter the maximum size for license requests. The valid range is 0 to 9999
bytes, and the default value is 0.
Step 5
Configure the license agent to send license notifications to the CLM as follows:
a) Select the Enable Notification check box to enable the license agent to send license notifications to the CLM, or
unselect this check box to disable this feature. The default value is unselected.
b) In the URL to Send the Notifications text box, enter the URL where the license agent sends the notifications (for
example, http://www.cisco.com/license/notify).
c) In the User Name text box, enter the username required in order to view the notification messages at this URL.
d) In the Password and Confirm Password text boxes, enter the password required in order to view the notification
messages at this URL.
Step 6
Click Apply to commit your changes.
Step 7
Click Save Configuration to save your changes.
Configuring the License Agent (CLI)
Step 1
Enable the license agent by entering one of these commands:
• config license agent default authenticate—Enables the license agent default listener with authentication.
• config license agent default authenticate none—Enables the license agent default listener without authentication.
Note
To disable the license agent default listener, enter the config license agent default disable command.
The default value is disabled.
Step 2
Specify the maximum number of sessions for the license agent by entering this command:
config license agent max-sessions sessions
The valid range for the sessions parameter is 1 to 25 (inclusive), and the default value is 9.
Step 3
Enable the license agent to receive license requests from the CLM and to specify the URL where the license agent receives
the requests by entering this command:
config license agent listener http {plaintext | encrypt} url authenticate [none] [max-message size] [acl acl]
The valid range for the size parameter is 0 to 65535 bytes, and the default value is 0.
Note
To prevent the license agent from receiving license requests from the CLM, enter the config license agent
listener http disable command. The default value is disabled.
Step 4
Configure the license agent to send license notifications to the CLM and to specify the URL where the license agent
sends the notifications by entering this command:
config license agent notify url username password
Note
To prevent the license agent from sending license notifications to the CLM, enter the config license agent
notify disable username password command. The default value is disabled.
Step 5
Enter the save config command to save your changes.
Step 6
See statistics for the license agent’s counters or sessions by entering this command:
show license agent {counters | sessions}
Information similar to the following appears for the show license agent counters command:
License Agent Counters
Request Messages Received:10: Messages with Errors:1
Request Operations Received:9: Operations with Errors:0
Notification Messages Sent:12: Transmission Errors:0: Soap Errors:0
Information similar to the following appears for the show license agent sessions command:
License Agent Sessions: 1 open, maximum is 9
Note
To clear the license agent’s counter or session statistics, enter the clear license agent {counters | sessions}
command.
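The listener and notify commands above decide whether the CLM channel is encrypted, authenticated, and reachable only from the hosts you intend. As an added example (not Cisco code), the following script reviews a set of planned license-agent commands against the syntax and ranges documented in this section and flags the weak choices: a plaintext listener, `authenticate none`, a listener without an ACL, a non-HTTPS notification URL, and values outside the documented ranges. The two command sets, the ACL name CLM-ONLY, and the addresses and credentials in them are constructed samples.

```python
import re
from urllib.parse import urlparse

# Constructed samples: the commands from this section with weak settings, and
# the same agent configured the way a reviewer would want it.
WEAK_CONFIG = """\
config license agent default authenticate none
config license agent max-sessions 30
config license agent listener http plaintext http://209.165.201.30/licenseAgent/custom authenticate none max-message 0
config license agent notify http://209.165.201.40/license/notify clmuser clmpass
"""

HARDENED_CONFIG = """\
config license agent default authenticate
config license agent max-sessions 9
config license agent listener http encrypt https://209.165.201.30/licenseAgent/custom authenticate max-message 4096 acl CLM-ONLY
config license agent notify https://209.165.201.40/license/notify clmuser clmpass
"""

DEFAULT_RE = re.compile(r"^config license agent default authenticate( none)?$")
SESSIONS_RE = re.compile(r"^config license agent max-sessions (\d+)$")
LISTENER_RE = re.compile(
    r"^config license agent listener http (?P<transport>plaintext|encrypt) (?P<url>\S+) authenticate"
    r"(?P<none> none)?(?: max-message (?P<size>\d+))?(?: acl (?P<acl>\S+))?$"
)
NOTIFY_RE = re.compile(r"^config license agent notify (?P<url>\S+) (?P<user>\S+) (?P<password>\S+)$")


def review_license_agent(config_text: str) -> list:
    """Return one finding per weak or out-of-range license-agent setting."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DEFAULT_RE.match(line):
            if m.group(1):
                findings.append("default listener: license requests are accepted without authentication")
            continue
        if m := SESSIONS_RE.match(line):
            n = int(m.group(1))
            if not 1 <= n <= 25:
                findings.append(f"max-sessions {n} is outside the valid range 1-25")
            continue
        if m := LISTENER_RE.match(line):
            if m.group("transport") == "plaintext":
                findings.append("listener: plaintext HTTP; license XML and any credentials cross the network unencrypted")
            if m.group("none"):
                findings.append("listener: license requests are accepted without authentication")
            if m.group("acl") is None:
                findings.append("listener: no ACL, so any host that can reach the controller may submit license requests")
            size = int(m.group("size") or 0)
            if not 0 <= size <= 65535:
                findings.append(f"listener: max-message {size} is outside the valid range 0-65535")
            continue
        if m := NOTIFY_RE.match(line):
            if urlparse(m.group("url")).scheme != "https":
                findings.append("notify: URL is not HTTPS; the notification username and password are sent in the clear")
            continue
        findings.append(f"unrecognised command: {line}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {name} ---")
        for finding in review_license_agent(cfg) or ["no findings"]:
            print(" ", finding)
```

The checker only reasons about the command text; it does not confirm that the ACL named actually restricts the listener to the CLM host, which you still verify on the controller.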
CHAPTER
4
Configuring 802.11 Bands
• Configuring 802.11 Bands, on page 69
• Configuring Band Selection, on page 72
Configuring 802.11 Bands
802.11 Bands
You can configure the 802.11b/g/n (2.4 GHz) and 802.11a/n (5 GHz) bands for the controller to comply with
the regulatory requirements in your country. By default, both 802.11b/g/n and 802.11a/n are enabled.
This section contains the following subsections:
Configuring the 802.11 Bands (GUI)
Step 1
Choose Wireless > 802.11a/n or 802.11b/g/n > Network to open the Global Parameters page.
Step 2
Select the 802.11a (or 802.11b/g) Network Status check box to enable the 802.11a or 802.11b/g band. To disable the
band, unselect the check box. The default value is enabled. You can enable both the 802.11a and 802.11b/g bands.
Step 3
If you enabled the 802.11b/g band in Step 2, select the 802.11g Support check box if you want to enable 802.11g
network support. The default value is enabled. If you disable this feature, the 802.11b band is enabled without 802.11g
support.
Step 4
Specify the period at which the SSID is broadcast by the access point by entering a value between 20 and 1000
milliseconds (inclusive) in the Beacon Period text box. The default and the recommended value is 100 milliseconds.
Note
The beacon period in controllers is listed in terms of milliseconds. The beacon period can also be measured
in time units, where one time unit equals 1024 microseconds (100 time units equal 102.4 milliseconds). If a beacon
interval is listed as 100 milliseconds in a controller, it is only a rounded-off value for 102.4 milliseconds. Due to
hardware limitations in certain radios, even though the beacon interval is, say, 100 time units, it is adjusted to 102
time units, which roughly equals 104.448 milliseconds. When the beacon period is to be represented in terms of
time units, the value is adjusted to the nearest multiple of 17.
Step 5
Specify the size at which packets are fragmented by entering a value between 256 and 2346 bytes (inclusive) in the
Fragmentation Threshold text box. Enter a low number for areas where communication is poor or where there is a great
deal of radio interference.
Step 6
To make access points advertise their channel and transmit power level in beacons and probe responses for CCX
clients, select the DTPC Support check box; otherwise, unselect it. The default value is enabled.
Client devices using dynamic transmit power control (DTPC) receive the channel and power level information from
the access points and adjust their settings automatically. For example, a client device used primarily in Japan could
rely on DTPC to adjust its channel and power settings automatically when it travels to Italy and joins a network there.
Note
DTPC and 802.11h power constraint cannot be enabled simultaneously.
Step 7
Specify the maximum number of allowed clients per radio within this band by entering a value between 1 and 200 in the
Maximum Allowed Client box. The default value is 200.
Step 8
Use the Data Rates options to specify the rates at which data can be transmitted between the access point and the client.
These data rates are available:
• 802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps
• 802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps
For each data rate, choose one of these options:
• Mandatory—Clients must support this data rate in order to associate to an access point on the controller. At least
one data rate must be mandatory.
• Supported—Any associated clients that support this data rate may communicate with the access point using that
rate. However, the clients are not required to be able to use this rate in order to associate.
• Disabled—This data rate is not used for communication with associated clients.
Step 9
Click Apply.
Step 10
Click Save Configuration.
Configuring the 802.11 Bands (CLI)
Step 1
Disable the 802.11a band by entering this command:
config 802.11a disable network
Note
The 802.11a band must be disabled before you can configure the 802.11a network parameters in this section.
Step 2
Disable the 802.11b/g band by entering this command:
config 802.11b disable network
Note
The 802.11b band must be disabled before you can configure the 802.11b network parameters in this section.
Step 3
Specify the rate at which the SSID is broadcast by the access point by entering this command:
config {802.11a | 802.11b} beaconperiod time_unit
where time_unit is the beacon interval in time units (TUs). One TU is 1024 microseconds. You can configure the access
point to send a beacon every 20 to 1000 milliseconds.
Step 4
Specify the size at which packets are fragmented by entering this command:
config {802.11a | 802.11b} fragmentation threshold
where threshold is a value between 256 and 2346 bytes (inclusive). Specify a low number for areas where communication
is poor or where there is a great deal of radio interference.
Step 5
Make access points advertise their channel and transmit power level in beacons and probe responses by entering this
command:
config {802.11a | 802.11b } dtpc {enable | disable}
The default value is enabled. Client devices using dynamic transmit power control (DTPC) receive the channel and
power level information from the access points and adjust their settings automatically. For example, a client device
used primarily in Japan could rely on DTPC to adjust its channel and power settings automatically when it travels to
Italy and joins a network there.
Note
On access points that run Cisco IOS software, this feature is called world mode.
Step 6
Specify the maximum allowed clients that can be configured by entering this command:
config {802.11a | 802.11b} max-clients max_allow_clients
The valid range is 1 to 200.
Step 7
Specify the rates at which data can be transmitted between the controller and the client by entering this command:
config {802.11a | 802.11b} rate {disabled | mandatory | supported} rate
where
• disabled—Clients specify the data rates used for communication.
• mandatory—Clients support this data rate in order to associate to an access point on the controller.
• supported—Any associated clients that support this data rate may communicate with the access point using that
rate. However, the clients are not required to be able to use this rate in order to associate.
• rate—The rate at which data is transmitted:
• 6, 9, 12, 18, 24, 36, 48, and 54 Mbps (802.11a)
• 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps (802.11b/g)
Step 8
Enable the 802.11a band by entering this command:
config 802.11a enable network
The default value is enabled.
Step 9
Enable the 802.11b band by entering this command:
config 802.11b enable network
The default value is enabled.
Step 10
Enable or disable 802.11g network support by entering this command:
config 802.11b 11gSupport {enable | disable}
The default value is enabled. You can use this command only if the 802.11b band is enabled. If you disable this feature,
the 802.11b band is enabled without 802.11g support.
Step 11
Enter the save config command to save your changes.
Step 12
View the configuration settings for the 802.11a or 802.11b/g band by entering this command:
show {802.11a | 802.11b}
Information similar to the following appears:
802.11a Network............................... Enabled
11nSupport.................................... Enabled
802.11a Low Band........................... Enabled
802.11a Mid Band........................... Enabled
802.11a High Band.......................... Enabled
802.11a Operational Rates
802.11a 6M Rate.............................. Mandatory
802.11a 9M Rate.............................. Supported
802.11a 12M Rate............................. Mandatory
802.11a 18M Rate............................. Supported
802.11a 24M Rate............................. Mandatory
802.11a 36M Rate............................. Supported
802.11a 48M Rate............................. Supported
802.11a 54M Rate............................. Supported
...
Beacon Interval.................................. 100
...
Default Channel............................... 36
Default Tx Power Level........................ 1
DTPC Status................................... Enabled
Fragmentation Threshold....................... 2346
Maximum Number of Clients per AP................. 200
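The GUI procedure takes the beacon period in milliseconds while the `beaconperiod` command takes time units, and the note on the beacon period describes how the radio then adjusts that TU value. As an added example (not Cisco code), the script below does that conversion, checks a planned band configuration against the ranges given in both procedures (beacon period, fragmentation threshold, maximum clients, valid data rates, at least one mandatory rate, DTPC versus 802.11h power constraint), and emits the commands in the order the CLI procedure requires: disable the band, set its parameters, re-enable it. SAMPLE_PLAN and the dictionary keys are the example's own constructed input.

```python
TU_MS = 1.024  # one 802.11 time unit (TU) is 1024 microseconds

RATES_MBPS = {
    "802.11a": (6, 9, 12, 18, 24, 36, 48, 54),
    "802.11b": (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54),  # the b/g band
}
RATE_MODES = ("mandatory", "supported", "disabled")

# Constructed sample plan for the 5-GHz band (keys are the example's own).
SAMPLE_PLAN = {
    "band": "802.11a",
    "beacon_ms": 100,
    "fragmentation": 2346,
    "dtpc": True,
    "max_clients": 200,
    "rates": {6: "mandatory", 9: "supported", 12: "mandatory", 18: "supported",
              24: "mandatory", 36: "supported", 48: "supported", 54: "supported"},
}


def beacon_tu(ms: float) -> int:
    """Beacon period in TUs for the `beaconperiod` command (20-1000 ms allowed)."""
    if not 20 <= ms <= 1000:
        raise ValueError("beacon period must be between 20 and 1000 ms")
    return round(ms / TU_MS)


def radio_adjusted_tu(tu: int) -> int:
    """TU value after the radio adjusts it to the nearest multiple of 17, as the
    guide's note describes (100 ms -> 98 TU -> 102 TU, about 104.448 ms)."""
    return 17 * round(tu / 17)


def tu_to_ms(tu: int) -> float:
    return tu * TU_MS


def validate_plan(plan: dict) -> list:
    """Problems with a planned band configuration, per the ranges in this section."""
    problems = []
    band = plan["band"]
    if band not in RATES_MBPS:
        return [f"unknown band {band}"]
    if not 20 <= plan["beacon_ms"] <= 1000:
        problems.append("beacon period must be 20-1000 ms")
    if not 256 <= plan["fragmentation"] <= 2346:
        problems.append("fragmentation threshold must be 256-2346 bytes")
    if not 1 <= plan["max_clients"] <= 200:
        problems.append("maximum allowed clients must be 1-200")
    for rate, mode in plan["rates"].items():
        if rate not in RATES_MBPS[band]:
            problems.append(f"{rate} Mbps is not a {band} data rate")
        if mode not in RATE_MODES:
            problems.append(f"rate {rate}: unknown mode {mode}")
    if "mandatory" not in plan["rates"].values():
        problems.append("at least one data rate must be mandatory")
    if plan.get("dtpc") and plan.get("power_constraint_11h"):
        problems.append("DTPC and 802.11h power constraint cannot both be enabled")
    return problems


def cli_commands(plan: dict) -> list:
    """Commands in the order the CLI procedure requires: disable the band,
    set the parameters, then re-enable it."""
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    b = plan["band"]
    cmds = [f"config {b} disable network",
            f"config {b} beaconperiod {beacon_tu(plan['beacon_ms'])}",
            f"config {b} fragmentation {plan['fragmentation']}",
            f"config {b} dtpc {'enable' if plan.get('dtpc', True) else 'disable'}",
            f"config {b} max-clients {plan['max_clients']}"]
    cmds += [f"config {b} rate {mode} {rate:g}" for rate, mode in plan["rates"].items()]
    cmds.append(f"config {b} enable network")
    return cmds


if __name__ == "__main__":
    tu = beacon_tu(SAMPLE_PLAN["beacon_ms"])
    adj = radio_adjusted_tu(tu)
    print(f"{SAMPLE_PLAN['beacon_ms']} ms -> {tu} TU; radio uses {adj} TU = {tu_to_ms(adj):.3f} ms")
    for cmd in cli_commands(SAMPLE_PLAN):
        print(cmd)
```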
Configuring Band Selection
Band Select
Band select enables client radios that are capable of dual-band (2.4 and 5-GHz) operations to move to a less
congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience
interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference
from other access points because of the 802.11b/g limit of 3 nonoverlapping channels. To prevent these sources
of interference and improve overall network performance, configure band selection on the controller.
Band select works by regulating probe responses to clients and it can be enabled on a per-WLAN basis. It
makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels.
In an access point, the band select table can be viewed by running the show dot11 band-select command. It
can also be viewed by running the show cont d0/d1 | begin Lru command.
Band Select Algorithm
The band select algorithm affects clients that use 2.4-GHz band. Initially, when a client sends a probe request
to an access point, the corresponding client probe’s Active and Count values (as seen from the band select
table) become 1. The algorithm functions based on the following scenarios:
• Scenario 1: Client RSSI (as seen from the show cont d0/d1 | begin RSSI command output) is greater than
both Mid RSSI and Acceptable Client RSSI.
• Dual-band clients: No 2.4-GHz probe responses are seen at any time; 5-GHz probe responses are
seen for all 5-GHz probe requests.
• Single-band (2.4-GHz) clients: 2.4-GHz probe responses are seen only after the probe suppression
cycle.
• After the client’s probe count reaches the configured probe cycle count, the algorithm waits for the
Age Out Suppression time and then marks the client probe’s Active value as 0. Then, the algorithm
is restarted.
• Scenario 2: Client RSSI (as seen from show cont d0/d1 | begin RSSI) lies between Mid RSSI and
Acceptable Client RSSI.
• All 2.4-GHz and 5-GHz probe requests are responded to without any restrictions.
• This scenario is similar to the band select disabled.
Note
The client RSSI value (as seen in the sh cont d0 | begin RSSI command output) is the average of the client
packets received, and the Mid RSSI feature is the instantaneous RSSI value of the probe packets. As a result,
the client RSSI is seen as weaker than the configured Mid RSSI value (7-dB delta). The 802.11b probes from
the client are suppressed to push the client to associate with the 802.11a band.
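The two scenarios above are easier to reason about as a per-client state machine over the band select table. The following is an added, simplified model of that description (not Cisco's implementation), run over a constructed probe sequence. The parameter names (probe cycle count, scan cycle period threshold, age-out suppression, Mid RSSI, Acceptable Client RSSI) and their ranges and defaults come from this section; the RSSI threshold values, the rule that a client counts as dual-band once a 5-GHz probe from it has been seen, the choice that a single-band client is answered from the probe on which its count reaches the cycle count, and the MAC addresses and timings are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class BandSelectConfig:
    probe_cycle_count: int = 2             # GUI range 1-10, default 2
    scan_cycle_threshold_ms: int = 200     # GUI range 1-1000 ms, default 200
    age_out_suppression_s: int = 20        # GUI range 10-200 s, default 20
    mid_rssi_dbm: int = -80                # assumed value for Mid RSSI
    acceptable_client_rssi_dbm: int = -75  # assumed value for Acceptable Client RSSI


@dataclass
class ClientEntry:
    """One row of the band select table: Active and Count as in the text."""
    last_probe_ms: int
    active: int = 1
    count: int = 1
    cycle_done_ms: Optional[int] = None  # when Count reached probe_cycle_count
    dual_band: bool = False              # assumption: set once a 5-GHz probe is seen


class BandSelect:
    def __init__(self, cfg: BandSelectConfig):
        self.cfg = cfg
        self.table: dict = {}

    def _age_out(self, mac: str, now_ms: int) -> None:
        """After the suppression cycle plus Age Out Suppression, mark the entry
        inactive and drop it so the algorithm restarts for this client."""
        e = self.table.get(mac)
        if e and e.cycle_done_ms is not None and \
                now_ms - e.cycle_done_ms >= self.cfg.age_out_suppression_s * 1000:
            e.active = 0
            del self.table[mac]

    def probe(self, mac: str, band: str, rssi_dbm: int, now_ms: int) -> bool:
        """Return True when the AP answers this probe request."""
        self._age_out(mac, now_ms)
        e = self.table.get(mac)
        if e is None:
            e = self.table[mac] = ClientEntry(last_probe_ms=now_ms)  # Active=1, Count=1
        else:
            # Count grows only when the gap to the previous probe exceeds the
            # scan cycle period threshold, i.e. a new scanning cycle started.
            if now_ms - e.last_probe_ms > self.cfg.scan_cycle_threshold_ms:
                e.count += 1
            e.last_probe_ms = now_ms
        if band == "5GHz":
            e.dual_band = True
            return True                      # 5-GHz probes are always answered
        strong = (rssi_dbm > self.cfg.mid_rssi_dbm and
                  rssi_dbm > self.cfg.acceptable_client_rssi_dbm)
        if not strong:
            return True                      # Scenario 2: no restrictions
        # Scenario 1: suppress 2.4-GHz responses.
        if e.count >= self.cfg.probe_cycle_count and e.cycle_done_ms is None:
            e.cycle_done_ms = now_ms         # cycle complete; age-out timer starts
        if e.dual_band:
            return False                     # steer the client to 5 GHz
        return e.cycle_done_ms is not None   # single-band: answer only after the cycle


# Constructed probe sequence: (time_ms, client MAC, band, RSSI in dBm).
SAMPLE_PROBES = [
    (0,     "aa:aa:aa:00:00:01", "2.4GHz", -60),  # strong single-band client: suppressed
    (50,    "aa:aa:aa:00:00:01", "2.4GHz", -60),  # same scan cycle (<200 ms later): suppressed
    (500,   "aa:aa:aa:00:00:01", "2.4GHz", -60),  # new cycle, Count reaches 2: answered
    (0,     "bb:bb:bb:00:00:02", "2.4GHz", -78),  # RSSI between the thresholds: answered
    (0,     "cc:cc:cc:00:00:03", "5GHz",   -55),  # dual-band client on 5 GHz: answered
    (100,   "cc:cc:cc:00:00:03", "2.4GHz", -55),  # its 2.4-GHz probes are never answered
    (1000,  "cc:cc:cc:00:00:03", "2.4GHz", -55),
    (30000, "aa:aa:aa:00:00:01", "2.4GHz", -60),  # >20 s after its cycle: aged out, restarts
]


def run_simulation(probes=SAMPLE_PROBES, cfg: Optional[BandSelectConfig] = None) -> list:
    bs = BandSelect(cfg or BandSelectConfig())
    return [bs.probe(mac, band, rssi, t) for t, mac, band, rssi in probes]


if __name__ == "__main__":
    for (t, mac, band, rssi), answered in zip(SAMPLE_PROBES, run_simulation()):
        print(f"t={t:6d} ms {mac} {band:6} {rssi} dBm -> {'respond' if answered else 'suppress'}")
```

The model makes the restriction on voice and video concrete: a strong single-band client is not answered on 2.4 GHz until it has probed across `probe_cycle_count` separate scan cycles, which is the roaming delay the restrictions below refer to.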
Restrictions for Band Selection
• Band selection-enabled WLANs do not support time-sensitive applications such as voice and video
because of roaming delays.
• Mid-RSSI is unsupported on Cisco Aironet 1600 Series APs.
• Band selection is unsupported on Cisco Aironet 1040, OEAP 600 Series APs.
• Band selection operates only on access points that are connected to a controller. A FlexConnect access
point without a controller connection does not perform band selection after a reboot.
• The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio
of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios
are up and running.
• You can enable both band selection and aggressive load balancing on the controller. They run
independently and do not impact one another.
• It is not possible to enable or disable band selection and client load balancing globally through the
controller GUI or CLI. You can, however, enable or disable band selection and client load balancing for
a particular WLAN.
• We recommend that you do not use Band Select in high-density areas such as stadiums.
Configuring Band Selection
Configuring Band Selection (GUI)
Step 1
Choose Wireless > Advanced > Band Select to open the Band Select page.
Step 2
In the Probe Cycle Count text box, enter a value between 1 and 10. This cycle count sets the number of 2.4 GHz probe
suppression cycles for a new client. The default cycle count is 2.
Step 3
In the Scan Cycle Period Threshold (milliseconds) text box, enter a value between 1 and 1000 milliseconds for the
scan cycle period threshold. This setting determines the time threshold during which new probe requests from a client
come from a new scanning cycle (i.e. only if the time difference between the successive probe requests is greater than
this configured value, then the count value in the band select table increases). The default cycle threshold is 200
milliseconds.
Step 4
In the Age Out Suppression (seconds) text box, enter a value between 10 and 200 seconds. Age-out suppression sets
the expiration time for pruning previously known 802.11b/g/n clients. The default value is 20 seconds. After this time
elapses, clients become new and are subject to probe response suppression.
Step 5
In the Age Out Dual Band (seconds) text box, enter a value between 10 and 300 seconds. The age-out period sets the
expiration time for pruning previously known dual-band clients. The default value is 60 seconds. After this time elapses,
clients become new and are subject to probe response suppression.
Step 6
In the Acceptable Client RSSI (dBm) text box, enter a value between –20 and –90 dBm. This parameter sets the
minimum RSSI for a client to respond to a probe. The default value is –80 dBm.
Step 7
In the Acceptable Client Mid RSSI (dBm) text box, enter a value between –20 and –90 dBm. This parameter sets the
mid-RSSI, whose value can be used for toggling 2.4 GHz probe suppression based on the RSSI value. The default value
is –60 dBm.
Step 8
Click Apply.
Step 9
Click Save Configuration.
Step 10
To enable or disable band selection on specific WLANs, choose WLANs > WLAN ID. The WLANs > Edit page
appears.
Step 11
Click the Advanced tab.
Step 12
In the Load Balancing and Band Select text area, if you want to enable band selection, select the Client Band Select
check box. If you want to disable band selection, leave the check box unselected. The default value is disabled.
Step 13
Click Save Configuration.
Configuring Band Selection (CLI)
Step 1
Set the probe cycle count for band select by entering this command:
config band-select cycle-count cycle_count
You can enter a value between 1 and 10 for the cycle_count parameter.
Step 2
Set the time threshold for a new scanning cycle period by entering this command:
config band-select cycle-threshold milliseconds
You can enter a value for threshold between 1 and 1000 for the milliseconds parameter.
Step 3
Set the suppression expiration time for band select by entering this command:
config band-select expire suppression seconds
You can enter a value between 10 and 200 for the seconds parameter.
Step 4
Set the dual-band expiration time by entering this command:
config band-select expire dual-band seconds
You can enter a value for dual band between 10 and 300 for the seconds parameter.
Step 5
Set the client RSSI threshold by entering this command:
config band-select client-rssi client_rssi
You can enter a value between -20 and -90 for the client_rssi parameter: the minimum client RSSI, in dBm, at which
a client's probe is answered.
Step 6
Set the client mid RSSI threshold by entering this command:
config band-select client-mid-rssi client_mid_rssi
You can enter a value for mid RSSI between -20 and -90 for the client_mid_rssi parameter.
Step 7
Enter the save config command to save your changes.
Step 8
Enable or disable band selection on specific WLANs by entering this command:
config wlan band-select allow {enable | disable} wlan_ID
You can enter a value between 1 and 512 for the wlan_ID parameter.
Step 9
Verify your settings by entering this command:
show band-select
Information similar to the following appears:
Band Select Probe Response....................... Enabled
Cycle Count...................................... 3 cycles
Cycle Threshold.................................. 300 milliseconds
Age Out Suppression.............................. 20 seconds
Age Out Dual Band................................ 20 seconds
Client RSSI...................................... -30 dBm
Client Mid RSSI.................................. -80 dBm
Step 10
Enter the save config command to save your changes.
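The following is an added example, not code from the guide or from the controller software. It models the band select table and the two scenarios described at the start of this section, using the parameter names and defaults from the GUI and CLI procedures (cycle count, cycle threshold, age-out timers, acceptable client RSSI, mid RSSI). Two points the guide does not spell out are assumptions here: a client whose RSSI is below the acceptable client RSSI is answered without restriction, and the dual-band age-out timer also prunes single-band rows.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BandSelectConfig:
    """Band select parameters with the defaults given in the GUI procedure."""
    cycle_count: int = 2             # Probe Cycle Count (1-10)
    cycle_threshold_ms: int = 200    # Scan Cycle Period Threshold (1-1000 ms)
    age_out_suppression_s: int = 20  # Age Out Suppression (10-200 s)
    age_out_dual_band_s: int = 60    # Age Out Dual Band (10-300 s)
    client_rssi_dbm: int = -80       # Acceptable Client RSSI (-90 to -20 dBm)
    mid_rssi_dbm: int = -60          # Acceptable Client Mid RSSI (-90 to -20 dBm)


@dataclass
class ClientEntry:
    """One row of the band select table: Active and Count start at 1."""
    active: int = 1
    count: int = 1
    last_probe_ms: float = 0.0
    dual_band: bool = False
    cycle_reached_ms: Optional[float] = None  # when Count reached cycle_count


class BandSelectTable:
    def __init__(self, cfg: BandSelectConfig) -> None:
        self.cfg = cfg
        self.table: Dict[str, ClientEntry] = {}

    def _current_entry(self, mac: str, now_ms: float) -> Optional[ClientEntry]:
        entry = self.table.get(mac)
        if entry is None:
            return None
        # Age Out Dual Band: a client silent for this long is pruned and is
        # treated as new (assumption: the same timer prunes single-band rows).
        if now_ms - entry.last_probe_ms >= self.cfg.age_out_dual_band_s * 1000:
            return None
        # Age Out Suppression: once Count reached the cycle count, wait this
        # long, then mark Active 0 so the suppression cycle restarts.
        if (entry.cycle_reached_ms is not None
                and now_ms - entry.cycle_reached_ms >= self.cfg.age_out_suppression_s * 1000):
            entry.active = 0
        return entry if entry.active else None

    def probe(self, mac: str, band: str, rssi_dbm: int, now_ms: float) -> bool:
        """Return True if the AP answers this probe request, False if it is suppressed."""
        entry = self._current_entry(mac, now_ms)
        if entry is None:
            entry = ClientEntry(last_probe_ms=now_ms)
            self.table[mac] = entry
        else:
            # Count only grows when the gap to the previous probe exceeds the
            # cycle threshold, i.e. the probe belongs to a new scanning cycle.
            if now_ms - entry.last_probe_ms > self.cfg.cycle_threshold_ms:
                entry.count += 1
            entry.last_probe_ms = now_ms
        if entry.count >= self.cfg.cycle_count and entry.cycle_reached_ms is None:
            entry.cycle_reached_ms = now_ms

        if band == "5":
            entry.dual_band = True   # a 5-GHz probe shows the client is dual-band
            return True              # 5-GHz probes are always answered
        # Scenario 2 (and, by assumption, anything weaker): no restrictions.
        if rssi_dbm <= max(self.cfg.mid_rssi_dbm, self.cfg.client_rssi_dbm):
            return True
        # Scenario 1: strong client probing on 2.4 GHz.
        if entry.dual_band:
            return False             # never answered on 2.4 GHz
        return entry.count > self.cfg.cycle_count  # single-band: answered after the cycle


def demo() -> dict:
    """Constructed probe sequence (times in ms) with the default parameters."""
    bs = BandSelectTable(BandSelectConfig())
    # Strong single-band client: two suppression cycles, then answered.
    single = [bs.probe("aa:aa", "2.4", -50, t) for t in (0, 50, 300, 600)]
    # 20 s after Count reached the cycle count the row ages out and suppression restarts.
    single_after_age_out = bs.probe("aa:aa", "2.4", -50, 20600)
    # Strong dual-band client: answered on 5 GHz, never on 2.4 GHz.
    dual = [bs.probe("bb:bb", "5", -50, 0)] + [bs.probe("bb:bb", "2.4", -50, t) for t in (300, 600, 900)]
    # Client between Mid RSSI and Acceptable Client RSSI: no suppression at all.
    mid = [bs.probe("cc:cc", "2.4", -70, t) for t in (0, 300, 600)]
    return {"single": single, "single_after_age_out": single_after_age_out,
            "dual": dual, "mid": mid}
```

Running demo() shows why the restrictions above matter: a strong single-band client is refused for two scanning cycles before it is answered, which is the roaming delay that makes band select unsuitable for voice and video WLANs.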
CHAPTER 5
Configuring 802.11 Parameters
• Configuring the 802.11n Parameters, on page 77
• Configuring 802.11h Parameters, on page 80
Configuring the 802.11n Parameters
802.11n Parameters
This section provides instructions for managing 802.11n access points on your network. The 802.11n devices
support the 2.4 and 5-GHz bands and offer high throughput data rates.
The 802.11n high throughput rates are available on all the 802.11n access points for the WLANs using WMM
with no Layer 2 encryption or with WPA2/AES encryption enabled.
Note
Some Cisco 802.11n APs may intermittently emit incorrect beacon frames, which can trigger false wIPS
alarms. We recommend that you ignore these alarms. The issue is observed in the following Cisco 802.11n
APs: 1140, 1250, 2600, 3500, and 3600.
Configuring the 802.11n Parameters (GUI)
Step 1
Choose Wireless > 802.11a/n or 802.11b/g/n > High Throughput to open the (5 GHz or 2.4 GHz) High Throughput
page.
Step 2
Select the 11n Mode check box to enable 802.11n support on the network. The default value is enabled.
Step 3
Select the check boxes of the desired rates to specify the modulation and coding scheme (MCS) rates at which data can
be transmitted between the access point and the client. These data rates, which are calculated for a 20-MHz channel width
using a short guard interval, are available:
• 0 (7 Mbps)
• 1 (14 Mbps)
• 2 (21 Mbps)
• 3 (29 Mbps)
• 4 (43 Mbps)
• 5 (58 Mbps)
• 6 (65 Mbps)
• 7 (72 Mbps)
• 8 (14 Mbps)
• 9 (29 Mbps)
• 10 (43 Mbps)
• 11 (58 Mbps)
• 12 (87 Mbps)
• 13 (116 Mbps)
• 14 (130 Mbps)
• 15 (144 Mbps)
Any associated clients that support the selected rates may communicate with the access point using those rates.
However, the clients are not required to be able to use this rate in order to associate. The MCS settings determine
the number of spatial streams, the modulation, the coding rate, and the data rate values that are used.
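As an added example (not from the guide), the rates in the list above can be reproduced from the 802.11n PHY parameters: 52 data subcarriers in a 20-MHz channel, a 3.6-microsecond OFDM symbol with the short guard interval (4.0 microseconds with the long one), the modulation and coding rate of each MCS index, and one spatial stream for MCS 0-7 or two for MCS 8-15. The function names are the example's own.

```python
# 802.11n PHY constants for a 20-MHz channel.
DATA_SUBCARRIERS_20MHZ = 52
SYMBOL_US = {"short": 3.6, "long": 4.0}   # OFDM symbol duration per guard interval

# (coded bits per subcarrier, coding rate) for the single-stream MCS 0-7 ladder;
# MCS 8-15 reuse the same ladder with two spatial streams.
MCS_LADDER = [
    (1, 1 / 2),  # MCS 0: BPSK 1/2
    (2, 1 / 2),  # MCS 1: QPSK 1/2
    (2, 3 / 4),  # MCS 2: QPSK 3/4
    (4, 1 / 2),  # MCS 3: 16-QAM 1/2
    (4, 3 / 4),  # MCS 4: 16-QAM 3/4
    (6, 2 / 3),  # MCS 5: 64-QAM 2/3
    (6, 3 / 4),  # MCS 6: 64-QAM 3/4
    (6, 5 / 6),  # MCS 7: 64-QAM 5/6
]


def mcs_rate_mbps(mcs: int, guard: str = "short") -> float:
    """PHY data rate of one MCS index in a 20-MHz channel, in Mbit/s."""
    if not 0 <= mcs <= 15:
        raise ValueError("this table covers MCS 0-15 only")
    streams = mcs // 8 + 1
    bits_per_subcarrier, coding_rate = MCS_LADDER[mcs % 8]
    data_bits_per_symbol = DATA_SUBCARRIERS_20MHZ * bits_per_subcarrier * coding_rate * streams
    # bits per microsecond is the same as Mbit/s
    return data_bits_per_symbol / SYMBOL_US[guard]


def rate_table(guard: str = "short") -> dict:
    """MCS index -> rate rounded to two decimals, for comparison with the guide's list."""
    return {mcs: round(mcs_rate_mbps(mcs, guard), 2) for mcs in range(16)}
```

The computed values match the list once rounded to whole megabits (for example MCS 7 gives 72.2 and MCS 15 gives 144.4); the guide's entry for MCS 2 (21 Mbps) truncates the computed 21.7 rather than rounding it.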
Step 4
Click Apply.
Step 5
Use the 802.11n data rates that you configured by enabling WMM on the WLAN as follows:
a) Choose WLANs to open the WLANs page.
b) Click the ID number of the WLAN for which you want to configure WMM mode.
c) When the WLANs > Edit page appears, choose the QoS tab to open the WLANs > Edit (QoS) page.
d) From the WMM Policy drop-down list, choose Required or Allowed to require or allow client devices to use WMM.
If you choose Required, devices that do not support WMM cannot join the WLAN.
If you choose Allowed, devices that cannot support WMM can join the WLAN but will not benefit from the 802.11n
rates.
e) Click Apply.
Step 6
Click Save Configuration.
Note
To determine if an access point supports 802.11n, look at the 11n Supported text box on either the 802.11a/n
(or 802.11b/g/n) Cisco APs > Configure page or the 802.11a/n (or 802.11b/g/n) AP Interfaces > Details page.
Configuring the 802.11n Parameters (CLI)
Procedure
• Enable 802.11n support on the network by entering this command:
config {802.11a | 802.11b} 11nsupport {enable | disable}
• Specify the modulation and coding scheme (MCS) rates at which data can be transmitted between the
access point and the client by entering this command:
config {802.11a | 802.11b} 11nsupport mcs tx {0-15} {enable | disable}
• Use the 802.11n data rates that you configured by enabling WMM on the WLAN as follows:
config wlan wmm {allow | disable | require} wlan_id
The require parameter requires client devices to use WMM. Devices that do not support WMM cannot
join the WLAN.
If set to allow, devices that cannot support WMM can join the WLAN but do not benefit from 802.11n
rates.
• Specify the aggregation method used for 802.11n packets as follows:
a) Disable the network by entering this command:
config {802.11a | 802.11b} disable network
b) Specify the aggregation method by entering this command:
config {802.11a | 802.11b} 11nsupport {a-mpdu | a-msdu} tx priority {0-7 | all} {enable | disable}
Aggregation is the process of grouping packet data frames together rather than transmitting them
separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU)
and Aggregated MAC Service Data Unit (A-MSDU). A-MSDU is performed in hardware and
therefore is the default method.
You can specify the aggregation method for various types of traffic from the access point to the
clients. This table defines the priority levels (0-7) assigned per traffic type.
Table 4: Traffic Type Priority Levels
User Priority   Traffic Type
0               Best effort
1               Background
2               Spare
3               Excellent effort
4               Controlled load
5               Video, less than 100-ms latency and jitter
6               Voice, less than 10-ms latency and jitter
7               Network control
You can configure each priority level independently, or you can use the all parameter to configure
all of the priority levels at once. When you use the enable command, the traffic associated with that
priority level uses A-MPDU transmission. When you use the disable command, the traffic associated
with that priority level uses A-MSDU transmission. Configure the priority levels to match the
aggregation method used by the clients. By default, A-MPDU is enabled for priority levels 0, 4, and
5 and the rest are disabled. By default, A-MSDU is enabled for all priorities except 6 and 7.
c) Reenable the network by entering this command:
config {802.11a | 802.11b} enable network
• Configure the 802.11n-5 GHz A-MPDU transmit aggregation scheduler by entering this command:
config 802.11{a | b} 11nsupport a-mpdu tx scheduler {enable | disable | timeout rt timeout-value}
The timeout value is in milliseconds. The valid range is from 1 to 1000 milliseconds.
• Configure the guard interval for the network by entering this command:
config 802.11{a | b} 11nsupport guard_interval {any | long}
• Configure the Reduced Interframe Space (RIFS) for the network by entering this command:
config 802.11{a | b} 11nsupport rifs rx {enable | disable}
• Save your changes by entering this command:
save config
• View the configuration settings for the 802.11 networks by entering this command:
show {802.11a | 802.11b}
Configuring 802.11h Parameters
802.11h Parameters
802.11h informs client devices about channel changes and can limit the transmit power of those client devices.
Configuring the 802.11h Parameters (GUI)
Step 1
Disable the 802.11 band as follows:
a) Choose Wireless > 802.11a/n > Network to open the 802.11a Global Parameters page.
b) Unselect the 802.11a Network Status check box.
c) Click Apply.
Step 2
Choose Wireless > 802.11a/n > DFS (802.11h) to open the 802.11h Global Parameters page.
Step 3
In the Power Constraint area, enter the local power constraint. The valid range is between 0 dBm and 30 dBm.
Step 4
In the Channel Switch Announcement area, select the Channel Announcement check box if you want the access point
to announce when it is switching to a new channel and the new channel number, or unselect this check box to disable the
channel announcement. The default value is disabled.
Step 5
If you enabled the channel announcement, the Channel Quiet Mode check box appears. Select this check box if you
want the access point to stop transmitting on the current channel, or unselect this check box to disable quiet mode. The
default value is disabled.
Step 6
Click Apply.
Step 7
Reenable the 802.11a band as follows:
a) Choose Wireless > 802.11a/n > Network to open the 802.11a Global Parameters page.
b) Select the 802.11a Network Status check box.
c) Click Apply.
Step 8
Click Save Configuration.
Configuring the 802.11h Parameters (CLI)
Step 1
Disable the 802.11a network by entering this command:
config 802.11a disable network
Step 2
Enable or disable an access point to announce when it is switching to a new channel, and the new channel number by
entering this command:
config 802.11h channelswitch {enable {loud | quiet} | disable}
Enter either quiet or loud with the enable parameter. When quiet mode is enabled, all clients that support 802.11h
channel switch announcements stop transmitting packets immediately, because the AP has detected radar and client
devices must also stop transmitting to reduce interference. By default, the Channel Switch feature is in the
disabled state.
Step 3
Configure a new channel using the 802.11h channel announcement by entering this command:
config 802.11h setchannel channel channel
Step 4
Configure the 802.11h power constraint value by entering this command:
config 802.11h powerconstraint value
Use increments of 3 dB for the value so that the AP goes down one power level at a time.
Step 5
Reenable the 802.11a network by entering this command:
config 802.11a enable network
Step 6
View the status of the 802.11h parameters by entering this command:
show 802.11h
Information similar to the following appears:
Power Constraint................................. 0
Channel Switch................................... Disabled
Channel Switch Mode.............................. 0
CHAPTER 6
Configuring DHCP Proxy
• DHCP Proxy Mode, on page 83
• Restrictions on Using DHCP Proxy, on page 84
• Configuring DHCP Proxy (GUI), on page 84
• Configuring DHCP Proxy (CLI), on page 85
• Configuring a DHCP Timeout (GUI), on page 86
• Configuring a DHCP Timeout (CLI), on page 86
DHCP Proxy Mode
In DHCP Proxy Mode, the controller’s virtual IP address is used as the source IP address of all DHCP
transactions to the client. As a result, the real DHCP server IP address is not exposed in the air. This virtual
IP is displayed in debug output for DHCP transactions on the controller. However, use of a virtual IP address
can cause issues on certain types of clients.
When multiple offers come from external DHCP servers, the DHCP proxy normally selects the first one that
comes in and sets the IP address of the server in the client data structure. As a result, all following transactions
go through the same DHCP server until a transaction fails after retries. At this point, the proxy selects a
different DHCP server for the client.
DHCP proxy is enabled by default. All controllers in a mobility list must have the same DHCP proxy setting.
Note
DHCP proxy must be enabled in order for DHCP option 82 to operate correctly.
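The following added example (not code from the guide or the controller) illustrates the two behaviours described above: the message the client receives carries the virtual IP address in place of the real server address, and the proxy remembers the first server that answered a client until a transaction fails. It parses DHCP option TLVs, rewrites the siaddr field and the Server Identifier option (54) of a constructed OFFER, and keeps a per-client server choice. The sample addresses (10.0.0.5 as the real server, 192.0.2.1 as the virtual IP) and the exact set of fields rewritten are this example's assumptions, not a statement of what the controller rewrites.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_LEASE_TIME, OPT_SERVER_ID = 53, 51, 54
SIADDR_OFFSET = 20        # "next server" address in the fixed BOOTP header
OPTIONS_OFFSET = 240      # 236-byte fixed header + 4-byte magic cookie

# Constructed sample values (not from the guide).
REAL_SERVER = "10.0.0.5"
VIRTUAL_IP = "192.0.2.1"
CLIENT_MAC = bytes.fromhex("001122334455")


def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the option TLVs; PAD is skipped, END stops, short options are rejected."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(bytes([code, len(value)]) + value for code, value in opts) + bytes([OPT_END])


def build_message(op: int, xid: int, yiaddr: str, siaddr: str, chaddr: bytes,
                  opts: List[Tuple[int, bytes]]) -> bytes:
    """Minimal BOOTP/DHCP message: fixed header, magic cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4,                    # ciaddr
                         IPv4Address(yiaddr).packed,   # yiaddr (offered address)
                         IPv4Address(siaddr).packed,   # siaddr
                         b"\0" * 4,                    # giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + build_options(opts)


def proxy_to_client(server_msg: bytes, virtual_ip: str) -> bytes:
    """Rewrite what the client will see: siaddr and the Server Identifier option
    both carry the virtual IP, so the real server address is not sent over the air."""
    if server_msg[236:OPTIONS_OFFSET] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    vip = IPv4Address(virtual_ip).packed
    fixed = bytearray(server_msg[:236])
    fixed[SIADDR_OFFSET:SIADDR_OFFSET + 4] = vip
    opts = [(code, vip if code == OPT_SERVER_ID else value)
            for code, value in parse_options(server_msg[OPTIONS_OFFSET:])]
    return bytes(fixed) + MAGIC_COOKIE + build_options(opts)


def server_id(msg: bytes) -> str:
    for code, value in parse_options(msg[OPTIONS_OFFSET:]):
        if code == OPT_SERVER_ID:
            return str(IPv4Address(value))
    raise ValueError("no Server Identifier option")


class ProxyServerChoice:
    """Per-client server selection: the first OFFER wins and later transactions
    stay with that server until one fails after retries."""
    def __init__(self) -> None:
        self.chosen: Dict[bytes, str] = {}

    def offer_accepted(self, chaddr: bytes, server: str) -> bool:
        if chaddr not in self.chosen:
            self.chosen[chaddr] = server
            return True
        return self.chosen[chaddr] == server

    def transaction_failed(self, chaddr: bytes) -> None:
        self.chosen.pop(chaddr, None)   # the next OFFER may come from another server


def demo() -> Tuple[bytes, bytes]:
    """Build a constructed OFFER from the real server and the copy the client sees."""
    offer = build_message(2, 0x1234, "10.0.0.42", REAL_SERVER, CLIENT_MAC,
                          [(OPT_MSG_TYPE, b"\x02"),
                           (OPT_SERVER_ID, IPv4Address(REAL_SERVER).packed),
                           (OPT_LEASE_TIME, struct.pack("!I", 3600))])
    return offer, proxy_to_client(offer, VIRTUAL_IP)
```

Comparing the two messages returned by demo() shows the offered address and lease unchanged while every occurrence of the real server address has been replaced; this is also why the virtual IP, not the server, appears in the controller's DHCP debug output.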
Figure: Proxy Mode Packet Flow
Restrictions on Using DHCP Proxy
• DHCP proxy must be enabled in order for DHCP option 82 to operate correctly.
• All controllers that will communicate must have the same DHCP proxy setting.
• DHCP v6 Proxy is not supported.
• Suppose an interface in an interface group is marked as dirty. If a client is mapped to this interface through
its association with a WLAN mapped to the interface group, the client does not get mapped to a new
interface in the interface group because the controller DHCP proxy does not update the client interface
VLAN to a new interface. This has been observed in conditions in which the interface group is assigned
through AAA override and the DHCP mode is aggressive. The workaround is to use a non-aggressive
DHCP mode.
For more information, see CSCvv74634.
Configuring DHCP Proxy (GUI)
Step 1
Choose Controller > Advanced > DHCP to open the DHCP Parameters page.
Step 2
Select the Enable DHCP Proxy check box to enable DHCP proxy on a global basis. Otherwise, unselect the check box.
The default value is selected.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Configuring DHCP Proxy (GUI)
Step 1
Choose Controller > Interfaces.
Step 2
Select the interface on which you want to configure the DHCP proxy.
You can configure the DHCP proxy on the management, virtual, ap manager, or dynamic interfaces in the controller.
The Interfaces > Edit page is displayed with DHCP information on the primary and secondary DHCP servers configured
in the controller. If the primary and secondary servers are not listed, you must enter values for the IP address of the DHCP
servers in the text boxes displayed in this window.
Step 3
Select one of the following options from the Proxy Mode drop-down list to set the DHCP proxy mode on the selected
interface:
• Global—Uses the global DHCP proxy mode on the controller.
• Enabled—Enables the DHCP proxy mode on the interface. When you enable DHCP proxy on the controller, the controller
unicasts the DHCP requests from the client to the configured servers. You must configure at least one DHCP server on
either the interface associated with the WLAN or on the WLAN.
• Disabled—Disables the DHCP proxy mode on the interface. When you disable the DHCP proxy on the controller, the
DHCP packets transmitted to and from the clients are bridged by the controller without any modification to the IP
portion of the packet. Packets received from the client are removed from the CAPWAP tunnel and transmitted on the
upstream VLAN. DHCP packets directed to the client are received on the upstream VLAN, converted to 802.11, and
transmitted through a CAPWAP tunnel toward the client. As a result, the internal DHCP server cannot be used when
DHCP proxy is disabled.
Step 4
To provide additional security when DHCP is used to allocate network addresses, check the Enable DHCP Option 82
check box.
Step 5
Click Apply to save the configuration.
Configuring DHCP Proxy (CLI)
Step 1
Enable or disable DHCP proxy by entering this command:
config dhcp proxy {enable | disable}
Step 2
View the DHCP proxy configuration by entering this command:
show dhcp proxy
Information similar to the following appears:
DHCP Proxy Behavior: enabled
Configuring DHCP Proxy (CLI)
Step 1
Configure the DHCP primary and secondary servers on the interface. To do this, enter the following commands:
• config interface dhcp management primary primary-server
• config interface dhcp dynamic-interface interface-name primary primary-s
Step 2
Configure DHCP proxy on the management or dynamic interface of the controller. To do this, enter the following
command:
• config interface dhcp management proxy-mode {enable | global | disable}
• config interface dhcp dynamic-interface interface-name proxy-mode {enable | global | disable}
Note
To ensure additional security when DHCP is configured, use the config interface dhcp interface-type option-82
enable command.
Step 3
Enter the save config command.
Step 4
To view the proxy settings of the controller interface, enter the show dhcp proxy command.
Configuring a DHCP Timeout (GUI)
For client associations to a WLAN that has DHCP required, the DHCP timeout controls how long the controller
will wait, after a new association, for the client to complete DHCP. If the DHCP exchange is not completed
within the timeout period, the controller deauthenticates the client. The default setting is the maximum of 120
seconds; we recommend that you do not reduce this value.
Step 1
Choose Controller > Advanced > DHCP to open the DHCP Parameters page.
Step 2
Select the DHCP Timeout (5 - 120 seconds) check box to enable a DHCP timeout on a global basis. Otherwise, unselect
the check box. The valid range is 5 through 120 seconds.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Configuring a DHCP Timeout (CLI)
For client associations to a WLAN that has DHCP required, the DHCP timeout controls how long the controller
will wait, after a new association, for the client to complete DHCP. If the DHCP exchange is not completed
within the timeout period, the controller deauthenticates the client. The default setting is the maximum of 120
seconds; we recommend that you do not reduce this value.
Procedure
• Configure a DHCP timeout by entering this command:
config dhcp timeout seconds
CHAPTER 7
Configuring SNMP
• Configuring SNMP (CLI), on page 87
• SNMP Community Strings, on page 89
• Configuring Real Time Statistics (CLI), on page 91
• Configuring SNMP Trap Receiver (GUI), on page 92
Configuring SNMP (CLI)
Procedure
• Create an SNMP community name by entering this command:
config snmp community create name
• Delete an SNMP community name by entering this command:
config snmp community delete name
• Configure an SNMP community name with read-only privileges by entering this command:
config snmp community accessmode ro name
• Configure an SNMP community name with read-write privileges by entering this command:
config snmp community accessmode rw name
• For IPv4 configuration—Configure an IPv4 address and subnet mask for an SNMP community by
entering this command:
config snmp community ipaddr ip-address ip-mask name
Note
This command behaves like an SNMP access list. It specifies the IP address from which the device accepts
SNMP packets with the associated community. An AND operation is performed between the requesting
entity’s IP address and the subnet mask before being compared to the IP address. If the subnet mask is set to
0.0.0.0, an IP address of 0.0.0.0 matches to all IP addresses. The default value is 0.0.0.0.
Note
The controller can use only one IP address range to manage an SNMP community.
• For IPv6 configuration—Configure an IPv6 address and prefix length for an SNMP community by
entering this command:
config snmp community ipaddr ipv6-address prefix-length name
• Enable or disable a community name by entering this command:
config snmp community mode {enable | disable}
• Enable or disable SNMP IPSec sessions for a community by entering this command:
config snmp community ipsec {enable | disable} name
• Configure the IKE authentication methods by entering this command:
config snmp community ipsec ike auth-mode {certificate | pre-shared-key ascii/hex secret}
Authentication mode can be configured per trap receiver. By default, the authentication mode is set to
certificate.
• Configure a destination for a trap by entering this command:
config snmp trapreceiver create name ip-address
• Delete a trap by entering this command:
config snmp trapreceiver delete name
• Change the destination for a trap by entering this command:
config snmp trapreceiver ipaddr old-ip-address name new-ip-address
• Configure the trap receiver IPSec session by entering this command:
config snmp trapreceiver ipsec {enable | disable} community-name
Trap receiver IPSec must be in the disabled state to change the authentication mode.
• Configure the IKE authentication methods by entering this command:
config snmp trapreceiver ipsec ike auth-mode {certificate | pre-shared-key ascii/hex secret} community-name
Authentication mode can be configured per trap receiver. By default, the authentication mode is set to
certificate.
• Enable or disable the traps by entering this command:
config snmp trapreceiver mode {enable | disable}
• Configure the name of the SNMP contact by entering this command:
config snmp syscontact syscontact-name
Enter up to 31 alphanumeric characters for the contact name.
• Configure the SNMP system location by entering this command:
config snmp syslocation syslocation-name
Enter up to 31 alphanumeric characters for the location.
• Verify that the SNMP traps and communities are correctly configured by entering these commands:
show snmpcommunity
show snmptrap
Note
Related issue: CSCvr33858.
A read-only community does not return the snmpEngineID. RFC 2575 recommends that certain OIDs be restricted,
and snmpEngineID (engineId) is one of them. For more information, see https://tools.ietf.org/html/rfc2575.
• See the enabled and disabled trap flags by entering this command:
show trapflags
If necessary, use the config trapflags command to enable or disable trap flags.
• Configure when a warning message is displayed as the number of clients or RFID tags associated with the
controller nears the configured threshold, by entering this command:
config trapflags {client | rfid} max-warning-threshold {threshold-between-80-to-100 | enable | disable}
The warning message is displayed at an interval of 600 seconds (10 minutes).
• Configure the SNMP engine ID by entering this command:
config snmp engineID engine-id-string
Note
The engine ID string can be a maximum of 24 characters.
• View the engine ID by entering this command:
show snmpengineID
• Configure the SNMP version by entering this command:
config snmp version {v1 | v2c | v3} {enable | disable}
SNMP Community Strings
The controller has the commonly known default values "public" and "private" for the read-only and read-write
SNMP community strings. Using these standard values presents a security risk: because the default community
names are widely known, anyone who can reach the controller over SNMP could use them to communicate with it.
Therefore, we strongly advise that you change these values.
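The following added example (not from the guide or the controller) turns two points of this chapter into a check you can run against an exported community table: the source-address rule from the note on the ipaddr command (the requester's address is ANDed with the mask and compared with the configured address, so 0.0.0.0 with mask 0.0.0.0 matches every source; IPv6 uses a prefix length), and the warning above about the default "public" and "private" names. The community entries, field names and finding texts are constructed sample data and naming of this example.

```python
from ipaddress import ip_address, IPv4Address
from typing import Dict, List, Union

DEFAULT_NAMES = {"public", "private"}

# Constructed sample community table (not from the guide), in the shape of the
# per-community fields this chapter configures.
SAMPLE_COMMUNITIES: List[Dict] = [
    {"name": "public",      "addr": "0.0.0.0",       "mask": "0.0.0.0",       "access": "ro", "status": "enable"},
    {"name": "private",     "addr": "0.0.0.0",       "mask": "0.0.0.0",       "access": "rw", "status": "enable"},
    {"name": "nms-ro-7f3a", "addr": "10.20.0.0",     "mask": "255.255.255.0", "access": "ro", "status": "enable"},
    {"name": "nms-v6-91c2", "addr": "2001:db8:10::", "mask": 64,              "access": "ro", "status": "enable"},
]


def source_matches(config_addr: str, mask_or_prefix: Union[str, int], requester: str) -> bool:
    """The access-list rule as the guide describes it: AND the requester's address
    with the mask and compare the result with the configured address. IPv4 takes
    a dotted mask, IPv6 a prefix length."""
    req, cfg = ip_address(requester), ip_address(config_addr)
    if req.version != cfg.version:
        return False
    if req.version == 4:
        mask = int(IPv4Address(mask_or_prefix))
    else:
        prefix = int(mask_or_prefix)
        mask = ((1 << 128) - 1) ^ ((1 << (128 - prefix)) - 1)
    # A configured address with host bits set outside the mask can never match
    # under this rule, so configure the network address rather than a host.
    return (int(req) & mask) == int(cfg)


def accepts_any_source(c: Dict) -> bool:
    """0.0.0.0 with mask 0.0.0.0 (or ::/0) matches every requester."""
    return str(c["mask"]) in ("0.0.0.0", "0") and int(ip_address(c["addr"])) == 0


def audit_communities(communities: List[Dict]) -> List[str]:
    """Flag the weaknesses this section warns about, for enabled communities only."""
    findings = []
    for c in communities:
        if c["status"] != "enable":
            continue
        if c["name"].lower() in DEFAULT_NAMES:
            findings.append("%s: default community name, delete it and create a unique one" % c["name"])
        if accepts_any_source(c):
            findings.append("%s: accepts SNMP from any source address (%s)" % (c["name"], c["access"]))
    return findings


def allowed_communities(communities: List[Dict], requester: str, want_access: str) -> List[str]:
    """Which enabled communities with the given access mode accept this requester?"""
    return [c["name"] for c in communities
            if c["status"] == "enable" and c["access"] == want_access
            and source_matches(c["addr"], c["mask"], requester)]
```

On the sample table the audit reports four findings, and allowed_communities() shows that a read-write request from an arbitrary Internet address would be accepted under "private"; after following the procedure below (delete the defaults, create uniquely named communities with a restricted source range) both lists should be empty for untrusted sources.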
Changing the SNMP Community String Default Values (GUI)
Step 1
Choose Management and then Communities under SNMP. The SNMP v1 / v2c Community page appears.
Step 2
If “public” or “private” appears in the Community Name column, hover your cursor over the blue drop-down arrow
for the desired community and choose Remove to delete this community.
Step 3
Click New to create a new community. The SNMP v1 / v2c Community > New page appears.
Step 4
In the Community Name text box, enter a unique name containing up to 16 alphanumeric characters. Do not enter
“public” or “private.”
Step 5
In the next two text boxes, enter the IPv4/IPv6 address and the IP mask/prefix length from which this device accepts
SNMP packets with the associated community.
Step 6
Choose Read Only or Read/Write from the Access Mode drop-down list to specify the access level for this community.
Step 7
Choose Enable or Disable from the Status drop-down list to specify the status of this community.
Step 8
Click Apply to commit your changes.
Step 9
Click Save Configuration to save your settings.
Step 10
Repeat this procedure if a “public” or “private” community still appears on the SNMP v1 / v2c Community page.
Changing the SNMP Community String Default Values (CLI)
Step 1
See the current list of SNMP communities for this controller by entering this command:
show snmp community
Step 2
If "public" or "private" appears in the SNMP Community Name column, enter this command to delete this community:
config snmp community delete name
The name parameter is the community name (in this case, “public” or “private”).
Step 3
Create a new community by entering this command:
config snmp community create name
Enter up to 16 alphanumeric characters for the name parameter. Do not enter “public” or “private.”
Step 4
For IPv4 specific configuration, enter the IPv4 address from which this device accepts SNMP packets with the associated
community by entering this command:
config snmp community ipaddr ip_address ip_mask name
Step 5
For IPv6 specific configuration, enter the IPv6 address from which this device accepts SNMP packets with the associated
community by entering this command:
config snmp community ipaddr ip_address prefix_length name
Step 6
Specify the access level for this community by entering this command, where ro is read-only mode and rw is read/write
mode:
config snmp community accessmode {ro | rw} name
Step 7
Enable or disable this SNMP community by entering this command:
config snmp community mode {enable | disable} name
Step 8
Enable or disable SNMP IPSec sessions for all SNMP communities by entering this command:
config snmp community ipsec {enable | disable} name
By default, the SNMP IPSec session is disabled. The SNMP IPSec session must be in the disabled state before you can
change the authentication mode.
Step 9
Configure the IKE authentication methods by entering this command:
config snmp community ipsec ike auth-mode {certificate | pre-shared-key ascii/hex secret}
• If the authentication mode is configured as pre-shared-key, enter a secret value. The secret value can be either
an ASCII or a hexadecimal value.
• If the authentication mode is configured as certificate, the controller uses the IPSEC CA certificate (ipsecCaCert)
and the IPSEC device certificate (ipsecDevCert) for SNMP sessions over IPSEC. You need to download these certificates
to the controller using the transfer download datatype {ipseccacert | ipsecdevcert} command.
Step 10
Save your changes by entering this command:
save config
Step 11
Repeat this procedure if you still need to change the default values for a “public” or “private” community string.
Configuring Real Time Statistics (CLI)
SNMP traps are defined for CPU and memory utilization of AP and controller. The SNMP trap is sent out
when the threshold is crossed. The sampling period and statistics update interval can be configured using
SNMP and CLI.
Note
To get the right value for the current memory usage, configure either the sampling interval or the statistics
interval.
• Configure the sampling interval by entering this command:
config service statistics sampling-interval seconds
• Configure the statistics interval by entering this command:
config service statistics statistics-interval seconds
• See sampling and service interval statistics by entering this command:
show service statistics interval
SNMP Trap Enhancements
This feature provides soaking of SNMP traps and resending of traps after a threshold that you can configure
called the hold time. The hold time helps in suppressing false traps being generated. The traps that are supported
are for CPU and memory utilization of AP and controller. The retransmission of the trap occurs until the trap
is cleared.
Procedure
• Configure the hold time after which the SNMP traps are to be resent by entering this command:
config service alarm hold-time seconds
• Configure the retransmission interval of the trap by entering this command:
config service alarm trap retransmit-interval seconds
• Configure debugging of the traps by entering this command:
debug service alarm {enable | disable}
Configuring SNMP Trap Receiver (GUI)
Step 1
Choose Management > SNMP > Trap Receivers.
Step 2
Click New.
The SNMP Trap Receiver > New page is displayed.
Step 3
In the SNMP Trap Receiver Name box, enter the SNMP trap receiver name.
Step 4
In the IP Address (IPv4/IPv6) box, enter the IP address of the trap receiver. Both IPv4 and IPv6 address formats are
supported.
Step 5
From the Status drop-down list, choose to Enable or Disable the trap receiver.
Step 6
Check the IPSec check box if you want to enable IPSec parameters for the trap receiver.
Step 7
(Optional) If you enable the IPSec for the trap receiver, choose an IPSec Profile Name from the drop-down list.
Step 8
Save the configuration.
You can create a maximum of 6 such SNMP trap receivers.
CHAPTER 8: Configuring Aggressive Load Balancing
• Aggressive Load Balancing, on page 93
• Configuring Aggressive Load Balancing (GUI), on page 94
• Configuring Aggressive Load Balancing (CLI), on page 94
Aggressive Load Balancing
Enabling aggressive load balancing on the controller allows lightweight access points to load balance wireless
clients across access points. You can enable aggressive load balancing using the controller.
Note
Clients are load balanced between access points on the same controller. Load balancing does not occur between
access points on different controllers.
When a wireless client attempts to associate to a lightweight access point, the association response sent to the
client is an 802.11 response packet that can carry status code 17. Code 17 indicates that the AP is busy. The AP
responds with an association response bearing 'success' when its load threshold is not exceeded, and with status
code 17 (AP busy) when the AP utilization threshold is exceeded and another, less busy AP heard the client
request.
For example, if the number of clients on AP1 is more than the number of clients on AP2 plus the load-balancing
window, then AP1 is considered to be busier than AP2. When a client attempts to associate to AP1, it receives
an 802.11 response packet with status code 17, indicating that the access point is busy, and the client attempts
to associate to a different access point.
You can configure the controller to deny client associations up to 10 times (if a client attempted to associate
11 times, it would be allowed to associate on the 11th try). You can also enable or disable load balancing on
a particular WLAN, which is useful if you want to disable load balancing for a select group of clients (such
as time-sensitive voice clients).
Note
Cisco 600 Series OfficeExtend Access Points do not support client load balancing.
FlexConnect APs do support client load balancing.
Note
For a FlexConnect AP the association is locally handled. The load-balancing decisions are taken at the
controller. A FlexConnect AP initially responds to the client before knowing the result of calculations at the
controller. Load-balancing doesn't take effect when the FlexConnect AP is in standalone mode.
FlexConnect AP does not send (re)association response with status 17 for Load-Balancing as Local mode
APs do; instead, it first sends (re)association with status 0 (success) and then deauth with reason 5.
Configuring Aggressive Load Balancing (GUI)
Step 1
Choose Wireless > Advanced > Load Balancing to open the Load Balancing page.
Step 2
In the Client Window Size text box, enter a value between 1 and 20.
The window size becomes part of the algorithm that determines whether an access point is too heavily loaded to accept
more client associations:
load-balancing window + client associations on AP with the lightest load = load-balancing threshold
In the group of access points accessible to a client device, each access point has a different number of client associations.
The access point with the lowest number of clients has the lightest load. The client window size plus the number of clients
on the access point with the lightest load forms the threshold. Access points with more client associations than this
threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold.
Step 3
In the Maximum Denial Count text box, enter a value between 0 and 10.
The denial count sets the maximum number of association denials during load balancing.
Step 4
Click Apply.
Step 5
Click Save Configuration.
Step 6
To enable or disable aggressive load balancing on specific WLANs, do the following:
a) Choose WLANs > WLAN ID. The WLANs > Edit page appears.
b) In the Advanced tab, select or unselect the Client Load Balancing check box.
c) Click Apply.
d) Click Save Configuration.
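The following is an added example, not code from the Cisco guide or the controller: a small model of the load-balancing decision described in Step 2 and Step 3 above (threshold = client window + clients on the lightest-loaded AP; APs above the threshold answer with status code 17 until the client has been denied the maximum number of times). The AP names, client counts and client MAC addresses are constructed for the example.

```python
# Added example; not Cisco code. Models the threshold and denial-count rules above.
STATUS_SUCCESS = 0
STATUS_AP_BUSY = 17  # 802.11 status code the guide says a busy AP returns


def load_balancing_threshold(client_counts, window):
    """threshold = client window + clients on the AP with the lightest load."""
    if not 0 <= window <= 20:  # CLI range from the guide (the GUI accepts 1 to 20)
        raise ValueError("client window must be between 0 and 20")
    if not client_counts:
        raise ValueError("at least one access point is required")
    return window + min(client_counts.values())


def busy_aps(client_counts, window):
    """APs with more associated clients than the threshold are considered busy."""
    threshold = load_balancing_threshold(client_counts, window)
    return {ap for ap, count in client_counts.items() if count > threshold}


class LoadBalancer:
    """Tracks per-client denials so a client is refused at most max_denials times."""

    def __init__(self, client_counts, window, max_denials):
        if not 0 <= max_denials <= 10:  # GUI range from the guide (the CLI accepts 1 to 10)
            raise ValueError("maximum denial count must be between 0 and 10")
        self.client_counts = dict(client_counts)  # constructed AP -> client count map
        self.window = window
        self.max_denials = max_denials
        self.denials = {}  # client MAC -> consecutive denials so far

    def association_response(self, client_mac, ap):
        """Return the 802.11 status code the controller would have `ap` send to the client."""
        if ap not in self.client_counts:
            raise KeyError(ap)
        denied_so_far = self.denials.get(client_mac, 0)
        if ap in busy_aps(self.client_counts, self.window) and denied_so_far < self.max_denials:
            self.denials[client_mac] = denied_so_far + 1
            return STATUS_AP_BUSY
        # Either the AP is not busy or the client has already been denied
        # max_denials times, so the association is accepted and counted.
        self.client_counts[ap] += 1
        self.denials.pop(client_mac, None)
        return STATUS_SUCCESS


if __name__ == "__main__":
    counts = {"AP1": 12, "AP2": 5, "AP3": 9}  # constructed sample
    print("threshold:", load_balancing_threshold(counts, 5))
    print("busy APs:", busy_aps(counts, 5))
    lb = LoadBalancer(counts, window=5, max_denials=2)
    for attempt in range(3):
        print("attempt", attempt + 1, "->", lb.association_response("00:11:22:33:44:55", "AP1"))
```

Note that the threshold is recomputed on every association, so accepting a client on the lightest-loaded AP raises the threshold for every other AP in the set.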
Configuring Aggressive Load Balancing (CLI)
Step 1
Set the client window for aggressive load balancing by entering this command:
config load-balancing window client_count
You can enter a value between 0 and 20 for the client_count parameter.
Step 2
Set the denial count for load balancing by entering this command:
config load-balancing denial denial_count
You can enter a value between 1 and 10 for the denial_count parameter.
Step 3
Save your changes by entering this command:
save config
Step 4
Enable or disable aggressive load balancing on specific WLANs by entering this command:
config wlan load-balance allow {enable | disable} wlan_ID
You can enter a value between 1 and 512 for wlan_ID parameter.
Step 5
Verify your settings by entering this command:
show load-balancing
Step 6
Save your changes by entering this command:
save config
Step 7
Configure the load balance mode on a WLAN by entering this command:
config wlan load-balance mode {client-count | uplink-usage} wlan-id
This feature requires the AP to upload its uplink usage statistics to the controller periodically. Check these statistics by
entering this command:
show ap stats system cisco-AP
CHAPTER 9: Configuring Fast SSID Changing
• Fast SSID Changing, on page 97
• Configuring Fast SSID Changing (GUI), on page 97
• Configuring Fast SSID Changing (CLI), on page 97
Fast SSID Changing
By default, when a client roams between SSIDs, the controller enforces a delay of a few seconds before that
client is permitted to associate to the new SSID.
When fast SSID changing is enabled, the controller allows clients to move faster between SSIDs. When fast
SSID is enabled, the client entry is not cleared and the delay is not enforced.
Configuring Fast SSID Changing (GUI)
Step 1
Choose Controller to open the General page.
Step 2
From the Fast SSID Change drop-down list, choose Enabled to enable this feature or Disabled to disable it. The default
value is disabled.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Configuring Fast SSID Changing (CLI)
Step 1
Enable or disable fast SSID changing by entering this command:
config network fast-ssid-change {enable | disable}
By default, fast SSID changing is in disabled state.
Step 2
Save your changes by entering this command:
save config
CHAPTER 10: Configuring 802.3 Bridging
• Configuring 802.3 Bridging, on page 99
• Enabling 802.3X Flow Control, on page 100
Configuring 802.3 Bridging
802.3 Bridging
The controller supports 802.3 frames and the applications that use them, such as those typically used for cash
registers and cash register servers. However, to make these applications work with the controller, the 802.3
frames must be bridged on the controller.
You can also configure 802.3 bridging using the Cisco Prime Network Control System. See the Cisco Prime
Network Control System Configuration Guide for instructions.
Restrictions on 802.3 Bridging
• Support for raw 802.3 frames allows the controller to bridge non-IP frames for applications not running
over IP.
The raw 802.3 frame contains destination MAC address, source MAC address, total packet length, and
payload.
• By default, Cisco WLCs bridge all non-IPv4 packets (such as AppleTalk, IPv6, and so on). You can also
use ACLs to block the bridging of these protocols.
Configuring 802.3 Bridging
Configuring 802.3 Bridging (GUI)
Step 1
Choose Controller > General to open the General page.
Step 2
From the 802.3 Bridging drop-down list, choose Enabled to enable 802.3 bridging on your controller or Disabled to
disable this feature. The default value is Disabled.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Configuring 802.3 Bridging (CLI)
Step 1
See the current status of 802.3 bridging for all WLANs by entering this command:
show network
Step 2
Enable or disable 802.3 bridging globally on all WLANs by entering this command:
config network 802.3-bridging {enable | disable}
The default value is disabled.
Step 3
Save your changes by entering this command:
save config
Enabling 802.3X Flow Control
802.3X Flow Control is disabled by default. To enable it, enter the config switchconfig flowcontrol enable
command.
CHAPTER 11: Configuring Multicast
• Configuring Multicast Mode, on page 101
• Configuring Multicast Domain Name System, on page 108
• Multicast Configuration for Cisco vWLC, Flex 7510, 5520, 8510, and 8540 WLCs, on page 115
Configuring Multicast Mode
Multicast/Broadcast Mode
If your network supports packet multicasting, you can configure the multicast method that the controller uses.
The controller can perform multicasting in one of two modes:
• Unicast mode: In this mode, the controller unicasts every multicast packet to every access point associated
to the controller. This mode is inefficient but might be required on networks that do not support
multicasting.
• Multicast mode: In this mode, the controller sends multicast packets to a CAPWAP multicast group.
This method reduces overhead on the controller processor and shifts the work of packet replication to
your network, which is much more efficient than the unicast method.
Note
We recommend that you use the unicast method only in networks where 50 or
fewer APs are joined with the controller.
When you enable multicast mode and the controller receives a multicast packet from the wired LAN, the
controller encapsulates the packet using CAPWAP and forwards the packet to the CAPWAP multicast group
address. The controller always uses the management interface for sending multicast packets. Access points
in the multicast group receive the packet and forward it to all the BSSIDs mapped to the interface on which
clients receive multicast traffic. From the access point perspective, the multicast appears to be a broadcast to
all SSIDs.
The controller supports Multicast Listener Discovery (MLD) v1 snooping for IPv6 multicast. This feature
keeps track of and delivers IPv6 multicast flows to the clients that request them. To support IPv6 multicast,
you must enable Global Multicast Mode.
Note
When you disable the Global Multicast Mode, the controller still forwards the IPv6 ICMP multicast messages,
such as router announcements and DHCPv6 solicits, as these are required for IPv6 to work. As a result,
enabling the Global Multicast Mode on the controller does not impact the ICMPv6 and the DHCPv6 messages.
These messages will always be forwarded irrespective of whether or not the Global Multicast Mode is enabled.
Internet Group Management Protocol (IGMP) snooping is available to better direct multicast packets. When
this feature is enabled, the controller gathers IGMP reports from the clients, processes them, creates unique
multicast group IDs (MGIDs) from the IGMP reports after selecting the Layer 3 multicast address and the
VLAN number, and sends the IGMP reports to the infrastructure switch. The controller sends these reports
with the source address as the interface address on which it received the reports from the clients. The controller
then updates the access point MGID table on the access point with the client MAC address. When the controller
receives multicast traffic for a particular multicast group, it forwards it to all the access points, but only those
access points that have active clients listening or subscribed to that multicast group send multicast traffic on
that particular WLAN. IP packets are forwarded with an MGID that is unique for an ingress VLAN and the
destination multicast group. Layer 2 multicast packets are forwarded with an MGID that is unique for the
ingress interface.
When IGMP snooping is disabled, the following is true:
• The controller always uses Layer 2 MGID when it sends multicast data to the access point. Every interface
created is assigned one Layer 2 MGID. For example, the management interface has an MGID of 0, and
the first dynamic interface created is assigned an MGID of 8, which increments as each dynamic interface
is created.
• The IGMP packets from clients are forwarded to the router. As a result, the router IGMP table is updated
with the IP address of the clients as the last reporter.
When IGMP snooping is enabled, the following are true:
• The controller always uses Layer 3 MGID for all Layer 3 multicast traffic sent to the access point. For
all Layer 2 multicast traffic, it continues to use Layer 2 MGID.
• IGMP report packets from wireless clients are consumed or absorbed by the controller, which generates
a query for the clients. After the router sends the IGMP query, the controller sends the IGMP reports
with its interface IP address as the listener IP address for the multicast group. As a result, the router
IGMP table is updated with the controller IP address as the multicast listener.
• When the client that is listening to the multicast groups roams from one controller to another, the first
controller transmits all the multicast group information for the listening client to the second controller.
As a result, the second controller can immediately create the multicast group information for the client.
The second controller sends the IGMP reports to the network for all multicast groups to which the client
was listening. This process aids in the seamless transfer of multicast data to the client.
• If the listening client roams to a controller in a different subnet, the multicast packets are tunneled to the
anchor controller of the client to avoid the reverse path filtering (RPF) check. The anchor then forwards
the multicast packets to the infrastructure switch.
Note
The MGIDs are controller specific. The same multicast group packets coming
from the same VLAN in two different controllers may be mapped to two different
MGIDs.
Note
If Layer 2 multicast is enabled, a single MGID is assigned to all the multicast
addresses coming from an interface.
Note
The maximum number of multicast groups supported per VLAN for a controller
is 100.
Restrictions on Configuring Multicast Mode
• The Cisco Wireless network solution uses some IP address ranges for specific purposes, and you should
keep these ranges in mind when configuring a multicast group:
• 224.0.0.0 through 224.0.0.255—Reserved link local addresses
• 224.0.1.0 through 238.255.255.255—Globally scoped addresses
• 239.0.0.0 through 239.255.x.y /16—Limited scope addresses
• When you enable multicast mode on the controller, you must also configure a CAPWAP multicast group
address. APs subscribe to the CAPWAP multicast group using IGMP.
• Cisco 1100, 1130, 1200, 1230, and 1240 access points use IGMP versions 1, 2, and 3.
• APs in monitor mode, sniffer mode, or rogue detector mode do not join the CAPWAP multicast group
address.
• The CAPWAP multicast group configured on the controllers should be different for different controllers.
• Lightweight APs transmit multicast packets at one of the configured mandatory data rates.
Because multicast frames are not retransmitted at the MAC layer, clients at the edge of the cell might
fail to receive them successfully. If reliable reception is a goal, multicast frames should be transmitted
at a low data rate, by disabling the higher mandatory data rates. If support for high data rate multicast
frames is required, it might be useful to shrink the cell size and disable all lower data rates, or to use
Media Stream.
Depending on your requirements, you can take the following actions:
• If you need to transmit multicast data with the greatest reliability and if there is no need for great
multicast bandwidth, then configure a single basic rate, that is low enough to reach the edges of the
wireless cells.
• If you need to transmit multicast data at a certain data rate in order to achieve a certain throughput,
you can configure that rate as the highest basic rate. You can also set a lower basic rate for coverage
of nonmulticast clients.
• Configure Media Stream.
• Multicast mode does not operate across intersubnet mobility events such as guest tunneling. It does,
however, operate across Layer 3 roams.
• For CAPWAP, the controller drops multicast packets sent to UDP control and data ports 5246 and 5247,
respectively. Therefore, you may want to consider not using these port numbers with the multicast
applications on your network. We recommend that you do not use any Multicast UDP ports listed in
https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html#anc8
as being UDP ports used by the controller.
• We recommend that any multicast applications on your network not use the multicast address configured
as the CAPWAP multicast group address on the controller.
• For multicast to work on Cisco 2504 WLC, you have to configure the multicast IP address.
• Multicast mode is not supported on Cisco Flex 7500 Series WLCs.
• We recommend that you do not use Broadcast-Unicast or Multicast-Unicast mode on controller setup
where there are more than 50 APs joined.
• While using Local and FlexConnect AP mode the controller's multicast support differs for different
platforms.
The parameters that affect Multicast forwarding are:
• Controller platform.
• Global AP multicast mode configuration at controller.
• Mode of the AP—Local, FlexConnect central switching.
• With local switching, the AP does not send the packet to or receive it from the controller, so the multicast
mode configured on the controller does not matter.
Note
FlexConnect APs will join the CAPWAP multicast group only if they have
centrally switched WLANs. Flex APs with only locally switched WLANs do not
join the CAPWAP multicast group.
• Effective with Release 8.2.100.0, it is not possible to download some of the older configurations from
the controller because of the Multicast and IP address validations introduced in this release. The platform
support for global multicast and multicast mode are listed in the following table.
Table 5: Platform Support for Global Multicast and Multicast Mode

Platform                                Global Multicast   Multicast Mode   Supported
--------------------------------------  -----------------  ---------------  ----------------------------------------
Cisco 5520, 8510, and 8540 Controllers  Enabled            Unicast          No
                                        Enabled            Multicast        Yes
                                        Disabled           Unicast          No multicast support (config supported)
                                        Disabled           Multicast        No multicast support (config supported)
Cisco Flex 7510 Controller              Global Multicast cannot be enabled. Only Unicast mode is supported. Also,
                                        AP-Multicast mode cannot be changed to Multicast-Multicast.
Cisco 2504 Controller                   Only Multicast mode is supported.
Cisco vWLC                              Multicast is not supported; only Unicast mode is supported.
Cisco 5508 Controller                   Enabled            Unicast          Yes
                                        Enabled            Multicast        Yes
                                        Disabled           Unicast          Yes
                                        Disabled           Multicast        No

• For central switching downstream multicast, AP switching traffic is based on the MGID-to-WLAN
mapping (bit map).
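The following is an added example, not part of the Cisco guide: a check that applies the address-range and port restrictions listed above to a planned CAPWAP multicast group and to the multicast applications on the network. It classifies an address into the three ranges the guide names, flags an application that reuses the CAPWAP group address, and flags an application that uses UDP 5246 or 5247, which the controller drops for multicast. The CAPWAP group and the application list are constructed for the example; the mDNS address and port come from the mDNS section of this chapter.

```python
# Added example; not Cisco code. Applies the restrictions listed above.
import ipaddress

# Address ranges from the restrictions above.
RESERVED_LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")  # 224.0.0.0 through 224.0.0.255
LIMITED_SCOPE = ipaddress.ip_network("239.0.0.0/8")         # 239.x.x.x
CAPWAP_UDP_PORTS = {5246, 5247}  # control and data ports; multicast sent to them is dropped


def classify_multicast(address):
    """Return which of the guide's ranges an IPv4 address falls into."""
    ip = ipaddress.ip_address(address)
    if ip.version != 4 or not ip.is_multicast:
        return "not an IPv4 multicast address"
    if ip in RESERVED_LINK_LOCAL:
        return "reserved link local"
    if ip in LIMITED_SCOPE:
        return "limited scope"
    return "globally scoped"  # 224.0.1.0 through 238.255.255.255


def check_multicast_plan(capwap_group, applications):
    """
    applications: list of (name, group_address, udp_port) tuples (constructed input).
    Returns a list of warnings; an empty list means no conflict with the restrictions.
    """
    warnings = []
    group_class = classify_multicast(capwap_group)
    if group_class == "reserved link local":
        warnings.append(f"CAPWAP group {capwap_group} is in the reserved link-local range")
    elif group_class == "not an IPv4 multicast address":
        warnings.append(f"CAPWAP group {capwap_group} is not an IPv4 multicast address")
        return warnings
    capwap_ip = ipaddress.ip_address(capwap_group)
    for name, group, port in applications:
        if ipaddress.ip_address(group) == capwap_ip:
            warnings.append(f"{name} uses the CAPWAP multicast group address {group}")
        if port in CAPWAP_UDP_PORTS:
            warnings.append(f"{name} uses UDP port {port}, which the controller drops for multicast")
    return warnings


if __name__ == "__main__":
    sample_apps = [  # constructed sample; mDNS values are from this chapter
        ("mDNS (Bonjour)", "224.0.0.251", 5353),
        ("video feed", "239.100.100.100", 5246),
        ("SSDP", "239.255.255.250", 1900),
    ]
    for warning in check_multicast_plan("239.100.100.100", sample_apps):
        print("WARNING:", warning)
```

The list of other UDP ports the controller uses, linked in the restrictions above, can be added to CAPWAP_UDP_PORTS when it is known for the deployed release.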
Enabling Multicast Mode (GUI)
Step 1
Choose Controller > Multicast to open the Multicast page.
Step 2
Select the Enable Global Multicast Mode check box to configure sending multicast packets. The default value is
disabled.
Step 3
If you want to enable IGMP snooping, select the Enable IGMP Snooping check box. If you want to disable IGMP
snooping, leave the check box unselected. The default value is disabled.
Step 4
To set the IGMP timeout, enter a value between 30 and 7200 seconds in the IGMP Timeout text box. The controller
sends three queries in one timeout value at an interval of timeout/3 to see if any clients exist for a particular multicast
group. If the controller does not receive a response through an IGMP report from the client, the controller times out
the client entry from the MGID table. When no clients are left for a particular multicast group, the controller waits for
the IGMP timeout value to expire and then deletes the MGID entry from the controller. The controller always generates
a general IGMP query (that is, to destination address 224.0.0.1) and sends it on all WLANs with an MGID value of 1.
Step 5
Enter the IGMP Query Interval (seconds).
Step 6
Select the Enable MLD Snooping check box to support IPv6 forwarding decisions.
Note
To enable MLD Snooping, you must enable Global Multicast Mode of the controller.
Step 7
In the MLD Timeout text box, enter a value between 30 and 7200 seconds to set the MLD timeout.
Step 8
Enter the MLD Query Interval (seconds). The valid range is between 15 and 2400 seconds.
Step 9
Click Apply.
Step 10
Click Save Configuration.
Enabling Multicast Mode (CLI)
Step 1
Enable or disable multicasting on the controller by entering this command:
config network multicast global {enable | disable}
The default value is disabled.
Note
The config network broadcast {enable | disable} command allows you to enable or disable broadcasting
without enabling or disabling multicasting as well. This command uses the multicast mode currently on the
controller to operate.
Step 2
Perform either of the following:
a) Configure the controller to use the unicast method to send multicast and/or broadcast packets by entering this command:
config network multicast mode unicast
b) Configure the controller to use the multicast method to send multicast and/or broadcast packets to a CAPWAP
multicast group by entering this command:
config network multicast mode multicast multicast_group_ip_address
Step 3
Enable or disable IGMP snooping by entering this command:
config network multicast igmp snooping {enable | disable}
The default value is disabled.
Step 4
Set the IGMP timeout value by entering this command:
config network multicast igmp timeout timeout
You can enter a timeout value between 30 and 7200 seconds. The controller sends three queries in one timeout value at
an interval of timeout/3 to see if any clients exist for a particular multicast group. If the controller does not receive a
response through an IGMP report from the client, the controller times out the client entry from the MGID table. When
no clients are left for a particular multicast group, the controller waits for the IGMP timeout value to expire and then
deletes the MGID entry from the controller. The controller always generates a general IGMP query (that is, to destination
address 224.0.0.1) and sends it on all WLANs with an MGID value of 1.
Step 5
Enable or disable Layer 2 Multicast by entering this command:
config network multicast l2mcast {enable {all | interface-name} | disable}
Step 6
Enable or disable MLD snooping by entering this command:
config network multicast mld snooping {enable | disable}
The default value is disabled.
Note
To enable MLD snooping, you must enable global multicast mode of the controller.
Step 7
Set the MLD timeout value by entering this command:
config network multicast mld timeout timeout
Enter the MLD timeout value in seconds. The valid range is between 30 and 7200 seconds.
Step 8
Set the MLD query interval by entering this command:
config network multicast mld query interval interval
Enter the MLD query interval value in seconds. The valid range is between 15 and 2400 seconds.
Step 9
Save your changes by entering this command:
save config
Viewing Multicast Groups (GUI)
Step 1
Choose Monitor > Multicast. The Multicast Groups page appears.
This page shows all the multicast groups and their corresponding MGIDs.
Step 2
Click the link for a specific MGID (such as MGID 550) to see a list of all the clients joined to the multicast group in that
particular MGID.
Viewing Multicast Groups (CLI)
Step 1
See all the multicast groups and their corresponding MGIDs by entering this command:
show network multicast mgid summary
Information similar to the following appears:
Layer2 MGID Mapping:
-------------------
InterfaceName                    vlanId   MGID
-------------------------------- ------   ----
management                       0        0
test                             0        9
wired                            20       8

Layer3 MGID Mapping:
-------------------
Number of Layer3 MGIDs........................... 1
Group address                   Vlan   MGID
---------------                 ----   ----
239.255.255.250                 0      550
Step 2
See all the clients joined to the multicast group in a specific MGID by entering this command:
show network multicast mgid detail mgid_value
where the mgid_value parameter is a number between 550 and 4095.
Information similar to the following appears:
Mgid........................................ 550
Multicast Group Address..................... 239.255.255.250
Vlan........................................ 0
Rx Packet Count............................. 807399588
No of clients............................... 1
Client List.................................
    Client MAC           Expire Time (mm:ss)
    00:13:02:23:82:ad    0:20
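The following is an added example, not code from the Cisco guide: parsers for the two outputs shown in Step 1 and Step 2 above, plus a cross-check that the MGID in the detail output is in the Layer 3 range the guide gives (550 through 4095), appears in the summary, and reports a client count that matches the client rows. The sample outputs are constructed from the values shown above; the column layout of the summary is an assumption of this example, not captured controller output, and the parser keys on the shape of each row rather than on column positions so that the exact spacing does not matter.

```python
# Added example; not Cisco code. Parses the outputs shown above.
import re

# Sample outputs constructed for this example from the values shown above. The
# column layout is an assumption; it is not captured controller output.
SUMMARY_OUTPUT = """\
Layer2 MGID Mapping:
-------------------
InterfaceName                    vlanId   MGID
-------------------------------- ------   ----
management                       0        0
test                             0        9
wired                            20       8

Layer3 MGID Mapping:
-------------------
Number of Layer3 MGIDs........................... 1
Group address                   Vlan   MGID
---------------                 ----   ----
239.255.255.250                 0      550
"""

DETAIL_OUTPUT = """\
Mgid........................................ 550
Multicast Group Address..................... 239.255.255.250
Vlan........................................ 0
Rx Packet Count............................. 807399588
No of clients............................... 1
Client List.................................
    Client MAC           Expire Time (mm:ss)
    00:13:02:23:82:ad    0:20
"""

LAYER3_MGID_RANGE = range(550, 4096)  # the guide: mgid_value is between 550 and 4095
DOTTED_FIELD = re.compile(r"^(.+?)\.{2,}\s*(.*)$")  # "Name....... value"
MAC_AND_EXPIRY = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+:\d{2})$", re.I)


def parse_mgid_summary(text):
    """Return {'layer2': [(interface, vlan, mgid)], 'layer3': [(group, vlan, mgid)]}."""
    result = {"layer2": [], "layer3": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Layer2 MGID Mapping"):
            section = "layer2"
            continue
        if line.startswith("Layer3 MGID Mapping"):
            section = "layer3"
            continue
        parts = line.split()
        # A data row is exactly: name-or-group, numeric VLAN, numeric MGID. Column
        # headers, dashed rulers and the "Number of ..." line never have that shape.
        if section and len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            result[section].append((parts[0], int(parts[1]), int(parts[2])))
    return result


def parse_mgid_detail(text):
    """Return (fields, clients): fields maps 'Mgid' etc. to strings, clients is [(mac, expiry)]."""
    fields, clients = {}, []
    in_client_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_client_list:
            m = DOTTED_FIELD.match(line)
            if m:
                key, value = m.group(1).strip(), m.group(2).strip()
                fields[key] = value
                in_client_list = key == "Client List"  # rows after this are clients
            continue
        m = MAC_AND_EXPIRY.match(line)  # skips the "Client MAC / Expire Time" header row
        if m:
            clients.append((m.group(1).lower(), m.group(2)))
    return fields, clients


def cross_check(summary, fields, clients):
    """True when the detail MGID is a valid Layer 3 MGID listed in the summary and the
    reported client count matches the number of client rows parsed."""
    mgid = int(fields["Mgid"])
    if mgid not in LAYER3_MGID_RANGE:
        return False
    entry = (fields["Multicast Group Address"], int(fields["Vlan"]), mgid)
    return entry in summary["layer3"] and int(fields["No of clients"]) == len(clients)


if __name__ == "__main__":
    summary = parse_mgid_summary(SUMMARY_OUTPUT)
    fields, clients = parse_mgid_detail(DETAIL_OUTPUT)
    print(summary)
    print(fields, clients)
    print("consistent:", cross_check(summary, fields, clients))
```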
Viewing an Access Point’s Multicast Client Table (CLI)
To help troubleshoot roaming events, you can view an access point’s multicast client table from the controller
by performing a remote debug of the access point.
Step 1
Initiate a remote debug of the access point by entering this command:
debug ap enable Cisco_AP
Step 2
See all of the MGIDs on the access point and the number of clients per WLAN by entering this command:
debug ap command “show capwap mcast mgid all” Cisco_AP
Step 3
See all of the clients per MGID on the access point and the number of clients per WLAN by entering this command:
debug ap command “show capwap mcast mgid id mgid_value” Cisco_AP
Configuring Multicast Domain Name System
Multicast Domain Name System
Multicast Domain Name System (mDNS) is a protocol used for service discovery by Apple products (called
Bonjour) and by Google products (called Chromecast). The mDNS service discovery enables wireless clients
to access Apple services such as Apple Printer and Apple TV advertised in a different Layer 3 network. mDNS
performs DNS queries over IP multicast. mDNS supports zero-configuration IP networking. As a standard,
mDNS uses multicast IP address 224.0.0.251 as the destination address and 5353 as the UDP destination port.
Related Documentation
• Cisco Wireless LAN Controller Bonjour Phase IV Deployment Guide: https://www.cisco.com/c/en/us/
td/docs/wireless/controller/technotes/8-1/WLAN-Bonjour-DG/WLAN-Bonjour-DG.html
• mDNS Gateway with Chromecast Support Feature Deployment Guide: https://www.cisco.com/c/en/us/
td/docs/wireless/technology/mesh/8-2/b_mDNS_gateway_chromecast_support_feature_deployment_
guide.html
Restrictions for Configuring Multicast DNS
• mDNS over IPv6 is not supported.
• mDNS snooping is not supported on access points in FlexConnect mode in a locally switched WLAN
and mesh access points. For locally switched WLANs, all multicast traffic including mDNS is simply
bridged between the local VLAN and the SSID.
• mDNS is not supported on remote LANs.
• mDNS is not supported on Cisco AP1240 and Cisco AP1130.
• Third-party mDNS servers or applications are not supported on the controller using the mDNS feature.
Devices that are advertised by the third-party servers or applications are not populated on the mDNS
service or device table correctly on the controller.
• The controller prevents addition or modification of the mDNS-profile when any interface is in use by an
active WLAN in an AP group. When attempting to make changes to the mDNS profile which is already
linked to an active WLAN, the following error message is displayed—Interface is mapped to an AP
Group.
• mDNS snooping is not necessary in order to forward mDNS multicasts if the network is configured to
forward multicast traffic. However, Apple mDNS (Bonjour) traffic is sent with a time to live of 1, so
without mDNS snooping, Bonjour works only within a single Layer 2 broadcast domain.
• In a large campus network, if multicast forwarding is enabled, it is recommended to enable mDNS
snooping, and then disable mDNS on all WLANs, except anywhere mDNS is required. This is in order
to prevent Bonjour multicast traffic from overwhelming the network.
Configuring Multicast DNS (GUI)
Step 1
Configure the global mDNS parameters and the Master Services Database by following these steps:
a) Choose Controller > mDNS > General.
b) Select or unselect the mDNS Global Snooping check box to enable or disable snooping of mDNS packets, respectively.
c) Enter the mDNS query interval in minutes. The query interval is the frequency at which the controller queries for a
service.
d) Choose a service from the Select Service drop-down list.
Note
To add a new mDNS-supported service to the list, choose Other. Specify the service name and the service
string. The controller snoops and learns about the mDNS service advertisements only if the service is
available in the Master Services Database. The controller can snoop and learn a maximum of 64 services.
e) Select or unselect the Query Status check box to enable or disable an mDNS query for a service, respectively.
f) Click Add.
g) Click Apply.
h) To view the details of an mDNS service, hover your cursor over the blue drop-down arrow of a service, and choose
Details.
Step 2
Configure an mDNS profile by following these steps:
a) Choose Controller > mDNS > Profiles.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
109
System Management
Configuring Multicast DNS (GUI)
The controller has a default mDNS profile, which is default-mdns-profile. It is not possible to delete the default
profile.
b) To create a new profile, click New, enter a profile name, and click Apply.
c) To edit a profile, click a profile name on the mDNS Profiles page; from the Service Name drop-down list, choose
a service to be associated with the profile, and click Apply.
You can add multiple services to a profile.
Step 3
Click Save Configuration.
What to do next
After creating a new profile, you must map the profile to an interface group, an interface, or a WLAN. Clients
receive service advertisements only for the services associated with the profile. The highest priority is given
to the profiles associated with interface groups, followed by the interface profiles, and then the WLAN profiles.
Each client is mapped to a profile based on the order of priority.
• Map an mDNS profile to an interface group by following these steps:
1. Choose Controller > Interface Groups.
2. Click the corresponding interface group name.
The Interface Groups > Edit page is displayed.
3. From the mDNS Profile drop-down list, choose a profile.
• Map an mDNS profile to an interface by following these steps:
1. Choose Controller > Interfaces.
2. Click the corresponding interface name.
The Interfaces > Edit page is displayed.
3. From the mDNS Profile drop-down list, choose a profile.
• Map an mDNS profile to a WLAN by following these steps:
1. Choose WLANs.
2. Click the corresponding WLAN ID.
The WLANs > Edit page is displayed.
3. Click the Advanced tab.
4. Select the mDNS Snooping check box.
5. From the mDNS Profile drop-down list, choose a profile.
Note
The wireless controller advertises the services from the wired devices (such as Apple TVs) learnt over VLANs,
when:
• mDNS snooping is enabled in the WLAN Advanced options.
• mDNS profile is enabled either at interface group (if available), interface, or WLAN.
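The precedence rule above (interface group first, then interface, then WLAN) and the way a mapping of none detaches a profile are easy to get wrong once several mappings overlap. The following Python model is an added illustration, not code from Cisco or from this guide: it resolves which profile a client is mapped to and therefore which service advertisements it receives, refuses to delete a profile that is still mapped, and enforces the 64-service limit of the Master Services Database. The class and function names, the Client fields and the sample services are assumptions, and the model treats a WLAN with mDNS snooping disabled as receiving no advertisements at all.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

MAX_SERVICES = 64                    # the controller learns at most 64 services
DEFAULT_PROFILE = "default-mdns-profile"


class MdnsConfigError(Exception):
    """Raised where the controller would display an error message instead."""


@dataclass
class Client:
    mac: str
    wlan_id: int
    interface: str                          # interface the client's VLAN maps to
    interface_group: Optional[str] = None   # None: the interface is not in a group


class MdnsController:
    """Minimal model of the controller's mDNS profile tables (hypothetical name)."""

    def __init__(self) -> None:
        self.services: Set[str] = set()                    # Master Services Database
        self.profiles: Dict[str, Set[str]] = {DEFAULT_PROFILE: set()}
        self.group_profile: Dict[str, str] = {}            # interface group -> profile
        self.interface_profile: Dict[str, str] = {}        # interface -> profile
        self.wlan_profile: Dict[int, str] = {}             # WLAN id -> profile
        self.wlan_snooping: Dict[int, bool] = {}           # config wlan mdns {enable|disable}

    def add_service(self, name: str) -> None:
        if name not in self.services and len(self.services) >= MAX_SERVICES:
            raise MdnsConfigError("Master Services Database already holds 64 services")
        self.services.add(name)

    def create_profile(self, name: str) -> None:
        self.profiles.setdefault(name, set())

    def delete_profile(self, name: str) -> None:
        if name == DEFAULT_PROFILE:
            raise MdnsConfigError("the default profile cannot be deleted")
        tables = (self.group_profile, self.interface_profile, self.wlan_profile)
        if any(name in t.values() for t in tables):
            raise MdnsConfigError(f"{name} is mapped to an interface group, interface or WLAN")
        self.profiles.pop(name, None)

    def add_profile_service(self, profile: str, service: str) -> None:
        if service not in self.services:
            raise MdnsConfigError(f"service {service} is not in the Master Services Database")
        self.profiles[profile].add(service)

    def _map(self, table: dict, key, profile: Optional[str]) -> None:
        if profile is None:            # plays the role of the CLI keyword 'none'
            table.pop(key, None)       # detaches whatever profile was attached
            return
        if profile not in self.profiles:
            raise MdnsConfigError(f"unknown profile {profile}")
        table[key] = profile

    def map_interface_group(self, group: str, profile: Optional[str]) -> None:
        self._map(self.group_profile, group, profile)

    def map_interface(self, interface: str, profile: Optional[str]) -> None:
        self._map(self.interface_profile, interface, profile)

    def map_wlan(self, wlan_id: int, profile: Optional[str]) -> None:
        self._map(self.wlan_profile, wlan_id, profile)

    def profile_for(self, client: Client) -> Optional[str]:
        """Interface-group profile wins, then the interface profile, then the WLAN profile."""
        if not self.wlan_snooping.get(client.wlan_id, False):
            return None                # mDNS snooping off on the WLAN: nothing is advertised
        lookups = ((client.interface_group, self.group_profile),
                   (client.interface, self.interface_profile),
                   (client.wlan_id, self.wlan_profile))
        for key, table in lookups:
            if key is not None and key in table:
                return table[key]
        return None

    def advertised_services(self, client: Client) -> Set[str]:
        profile = self.profile_for(client)
        return set(self.profiles[profile]) if profile else set()


def build_sample_controller() -> MdnsController:
    """Constructed sample configuration: an AV profile on a staff interface group,
    a print-only profile on WLAN 1 for everyone else."""
    c = MdnsController()
    for service in ("AirPlay", "AirPrint"):
        c.add_service(service)
    c.create_profile("av-profile")
    c.add_profile_service("av-profile", "AirPlay")
    c.create_profile("print-profile")
    c.add_profile_service("print-profile", "AirPrint")
    c.wlan_snooping[1] = True                        # config wlan mdns enable 1
    c.map_wlan(1, "print-profile")                   # config wlan mdns profile 1 print-profile
    c.map_interface_group("staff-group", "av-profile")
    return c
```

A client whose interface belongs to staff-group gets the AV profile even though WLAN 1 carries the print profile; detaching the group mapping (the none keyword) makes the same client fall back to the WLAN profile.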
Configuring Multicast DNS (CLI)
• Configure mDNS snooping by entering this command:
config mdns snooping {enable | disable}
• Configure an mDNS service by entering this command:
config mdns service {{create service-name service-string query {enable | disable}} | delete
service-name}
• Configure a query for an mDNS service by entering this command:
config mdns service query {enable | disable} service-name
• Configure a query interval for mDNS services by entering this command:
config mdns query interval value-in-minutes
• Configure an mDNS profile by entering this command:
config mdns profile {create | delete} profile-name
Note
If you try to delete an mDNS profile that is already associated with an interface
group, an interface, or a WLAN, an error message is displayed.
• Configure mDNS services to a profile by entering this command:
config mdns profile service {add | delete} profile-name service-name
• Map an mDNS profile to an interface group by entering this command:
config interface group mdns-profile {interface-group-name | all} {mdns-profile-name | none}
Note
If the mDNS profile name is none, no profiles are attached to the interface group.
Any existing profile that is attached is removed.
• View information about an mDNS profile that is associated with an interface group by entering this
command:
show interface group detailed interface-group-name
• Map an mDNS profile to an interface by entering this command:
config interface mdns-profile {management | {interface-name | all}} {mdns-profile-name | none}
• View information about the mDNS profile that is associated with an interface by entering this command:
show interface detailed interface-name
• Configure mDNS for a WLAN by entering this command:
config wlan mdns {enable | disable} {wlan-id | all}
• Map an mDNS profile to a WLAN by entering this command:
config wlan mdns profile {wlan-id | all} {mdns-profile-name | none}
• View information about an mDNS profile that is associated with a WLAN by entering this command:
show wlan wlan-id
• View information about all mDNS profiles or a particular mDNS profile by entering this command:
show mdns profile {summary | detailed mdns-profile-name}
• View information about all mDNS services or a particular mDNS service by entering this command:
show mdns service {summary | detailed mdns-service-name}
• View information about the mDNS domain names that are learned by entering this command:
show mdns domain-name-ip summary
• View the mDNS profile for a client by entering this command:
show client detail client-mac-address
• View the mDNS details for a network by entering this command:
show network summary
• Clear the mDNS service database by entering this command:
clear mdns service-database {all | service-name}
• View events related to mDNS by entering this command:
debug mdns message {enable | disable}
• View mDNS details of the events by entering this command:
debug mdns detail {enable | disable}
• View errors related to mDNS processing by entering this command:
debug mdns error {enable | disable}
• Configure debugging of all mDNS details by entering this command:
debug mdns all {enable | disable}
Bonjour Gateway Based on Access Policy
From Release 7.4, the WLC supports Bonjour gateway functionality on the controller itself, for which you need
not even enable multicast on the controller. The WLC inspects all Bonjour discovery packets and does not forward
them over the air or onto the infrastructure network.
Bonjour is Apple's version of Zeroconf: it is Multicast Domain Name System (mDNS) with DNS-SD (Domain
Name System-Service Discovery). Apple devices advertise their services via IPv4 and IPv6 simultaneously
(IPv6 link-local and globally unique). To address this, the controller acts as a Bonjour gateway: the WLC
listens for Bonjour services, caches the Bonjour advertisements (AirPlay, AirPrint, and so on) from the
source host, for example an Apple TV, and responds to Bonjour clients when they request a service.
The basic Bonjour gateway cannot adequately filter cached wired or wireless service instances based on the
credentials of the querying client and its location.
Currently the limitations are:
• Location-Specific Services (LSS) filters the wireless service instances only while responding to a query
from wireless clients. The filtering is based on the radio neighborhood of the querying client.
• LSS cannot filter wired service instances because they have no sense of location.
• LSS filtering is per service type and not per client. This means that all clients receive the location-based
filtered response if LSS is enabled for the service type, and clients cannot override the behavior.
• There is no other filtering mechanism based on client role or user ID.
The requirement is to have configuration per service instance.
Following are the three criteria of the service instance sharing:
• User-id
• Client-role
• Client location
The configuration can be applied to wired and wireless service instances. The response to any query is based on
the policy configured for each service instance. The response enables the selective sharing of service instances
based on the location, user ID or role.
Because most service-publishing devices are wired, the configuration allows filtering of wired services on a par
with the wireless service instances.
There are two levels of filtering client queries:
1. At the service type level by using the mDNS profile
2. At the service instance level using the access policy associated with the service.
Restrictions on Bonjour Gateway Based on Access Policy
• The total number of policies that can be created is the same as the number of service instances that are
supported on the platform. A hundred policies are supported: 99 policies and one default policy.
• The number of rules per policy is limited to one.
• Policy and rules can be created irrespective of the service instances. The policy is applied only when it
is complete and discovers the target service instances.
• A service instance can be associated with a maximum of five policies.
• Five service groups can be assigned for a MAC address.
Creating Bonjour Access Policy through Prime Infrastructure
The admin user can create the Bonjour access policy using the GUI of the Prime Infrastructure (PI).
Step 1
Log in to the Cisco Prime Infrastructure using the Admin credentials.
Step 2
Choose Administration > AAA > Users > Add User.
Step 3
Choose mDNS Policy Admin.
Step 4
Add or remove the devices in the mDNS Device Filter. Click Save.
Step 5
Add the users for a device in the Users list dialog box. Click Save.
Note
See Cisco Prime Infrastructure Administrator Guide for the release 2.2 for more details.
Configuring mDNS Service Groups (GUI)
Step 1
Choose Controller > mDNS > mDNS Policies.
Step 2
Select service group from the list of Group Names.
Step 3
Under Service Instance List perform the following steps:
a) Enter the service provider MAC address in MAC address.
b) Enter the name of service provider in Name. Click Add.
c) From the Location Type drop-down list, choose the type of location.
Note
If the location is selected as 'Any', the policy checks on the location attribute are not performed.
Note
In the case of mDNS policy filtered by AP groups, the design is for substring match. The policy is applied on
the first substring match.
The list of current service instances associated with the service group is shown in a table.
Step 4
Under Policy / Rule enter the role names and the user names as the criteria of enforcing the policy.
Configuring mDNS Service Groups (CLI)
Step 1
Enable or disable the mDNS policy by entering this command:
config mdns policy {enable | disable}
Step 2
Create or delete an mDNS policy service group by entering this command:
config mdns policy service-group {create | delete} service-group-name
Step 3
Configure the parameters of a service group by entering this command:
config mdns policy service-group device-mac add service-group-name mac-addr device-name location-type {AP_LOCATION | AP_NAME | AP_GROUP} device-location {location-string | any | same}
Step 4
Configure the user role for a service group by entering this command:
config mdns policy service-group user-role {add | delete} service-group-name user-role-name
Step 5
Configure the user name for a service group by entering this command:
config mdns policy service-group user-name {add | delete} service-group-name user-name
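The service-instance level of filtering described in this section (the second of the two levels listed under Bonjour Gateway Based on Access Policy) combines a location check on each service instance with the role and user-name rule of its service group. The Python model below is an added example, not Cisco code: it evaluates a query against a set of service groups, skipping the location check for any, using substring matching for AP-group locations, and enforcing the limits of 99 configurable policies and five service groups per device MAC. Assumptions not stated on the page are marked in comments: that a rule matches when either the client's role or its user name is listed, that a group with no role or user name is an incomplete policy and grants nothing, that same compares against the location where the provider was learned, that AP_NAME and AP_LOCATION use exact matching, and that a disabled policy performs no instance-level filtering. The class and function names and the sample data are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MAX_POLICIES = 100          # 99 configurable service groups plus the default policy
MAX_GROUPS_PER_MAC = 5      # a service instance may belong to at most five policies
LOCATION_TYPES = ("AP_LOCATION", "AP_NAME", "AP_GROUP")


@dataclass
class ServiceInstance:
    mac: str
    name: str
    location_type: str      # AP_LOCATION | AP_NAME | AP_GROUP
    device_location: str    # a location string, 'any' or 'same'


@dataclass
class ServiceGroup:
    name: str
    instances: List[ServiceInstance] = field(default_factory=list)
    user_roles: Set[str] = field(default_factory=set)   # the group's single rule: roles...
    user_names: Set[str] = field(default_factory=set)   # ...and user names


@dataclass
class QueryingClient:
    user: str
    role: str
    ap_name: str
    ap_group: str
    ap_location: str

    def location(self, location_type: str) -> str:
        return {"AP_NAME": self.ap_name, "AP_GROUP": self.ap_group,
                "AP_LOCATION": self.ap_location}[location_type]


class MdnsAccessPolicy:
    """Model of the mDNS policy tables (hypothetical class name)."""

    def __init__(self) -> None:
        self.enabled = False                          # config mdns policy enable
        self.groups: Dict[str, ServiceGroup] = {}
        # Where each provider was learned, per location type (assumption: what 'same' uses)
        self.provider_location: Dict[str, Dict[str, str]] = {}

    def create_group(self, name: str) -> ServiceGroup:
        if name not in self.groups and len(self.groups) >= MAX_POLICIES - 1:
            raise ValueError("only 99 service groups can exist besides the default policy")
        return self.groups.setdefault(name, ServiceGroup(name))

    def add_device(self, group: str, inst: ServiceInstance) -> None:
        if inst.location_type not in LOCATION_TYPES:
            raise ValueError(f"bad location type {inst.location_type}")
        member_of = sum(1 for g in self.groups.values()
                        if any(i.mac == inst.mac for i in g.instances))
        if member_of >= MAX_GROUPS_PER_MAC:
            raise ValueError(f"{inst.mac} is already in five service groups")
        self.groups[group].instances.append(inst)

    def _location_ok(self, inst: ServiceInstance, client: QueryingClient) -> bool:
        if inst.device_location == "any":
            return True                               # no location check at all
        client_loc = client.location(inst.location_type)
        if inst.device_location == "same":
            target = self.provider_location.get(inst.mac, {}).get(inst.location_type)
            if target is None:
                return False
        else:
            target = inst.device_location
        if inst.location_type == "AP_GROUP":
            return target in client_loc               # AP-group policies use substring match
        return target == client_loc                   # exact match (assumption)

    @staticmethod
    def _rule_ok(group: ServiceGroup, client: QueryingClient) -> bool:
        if not group.user_roles and not group.user_names:
            return False                              # incomplete policy: not applied (assumption)
        return client.role in group.user_roles or client.user in group.user_names

    def visible_instances(self, client: QueryingClient) -> List[Tuple[str, str]]:
        """(group, instance name) pairs a query from `client` may be answered with."""
        result = []
        for group in self.groups.values():
            for inst in group.instances:
                if not self.enabled:
                    result.append((group.name, inst.name))   # no instance-level filtering
                elif self._location_ok(inst, client) and self._rule_ok(group, client):
                    result.append((group.name, inst.name))
        return result


def build_sample_policy() -> MdnsAccessPolicy:
    """Constructed sample: a lobby Apple TV for employees served by lobby APs,
    and a printer that only one named user may discover, wherever they are."""
    p = MdnsAccessPolicy()
    p.enabled = True
    lobby = p.create_group("lobby-appletv")
    p.add_device("lobby-appletv",
                 ServiceInstance("00:aa:bb:cc:dd:01", "Lobby Apple TV", "AP_GROUP", "lobby"))
    lobby.user_roles.add("employee")
    printers = p.create_group("printers")
    p.add_device("printers",
                 ServiceInstance("00:aa:bb:cc:dd:02", "Office Printer", "AP_NAME", "any"))
    printers.user_names.add("alice")
    return p
```

With this data, an employee associated to an AP in group lobby-floor1 sees the Apple TV (substring match on lobby), the same employee in the lab does not, and only the user alice ever sees the printer.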
Multicast Configuration for Cisco vWLC, Flex 7510, 5520, 8510, and 8540 WLCs
Switching from Multicast-Unicast Mode to Multicast-Multicast Mode
Step 1
Assign both IPv4 and IPv6 (required only if IPv6 is enabled) multicast addresses by entering this command:
a) config network multicast mode multicast IPv4-multicast-address
b) config ipv6 multicast mode multicast IPv6-multicast-address
Step 2
Enable global multicast by entering this command:
config network multicast global enable
Switching from Multicast-Multicast Mode to Multicast-Unicast Mode
Step 1
Disable global multicast by entering this command:
config network multicast global disable
Step 2
Configure the Multicast-Unicast mode by entering this command (IPv6 configuration is required only when IPv6 is
enabled):
a) config network multicast mode unicast
b) config ipv6 multicast mode unicast
Restrictions
• We recommend that you do not switch from Multicast-Multicast mode to Multicast-Unicast mode on a
loaded network because it can burden the network. We recommend that you use Multicast-Multicast
mode on these platforms because of the scale factor.
• IGMP and MLD snooping cannot be enabled unless global multicast is enabled, and multicast mode is
Multicast-Multicast.
• Global multicast can be enabled only when Multicast-Multicast mode is configured.
• Switching from Multicast-Multicast mode to Multicast-Unicast mode is not allowed if the global multicast
is enabled. You must disable global multicast before switching the mode in this case.
• FlexConnect APs:
• Can join in Multicast-Multicast mode from Release 8.0 onwards.
• Multicast-Unicast mode has to be enabled if IPv6 support is required on FlexConnect APs by the
central-switching clients. Therefore, IGMP or MLD snooping is not supported.
• VideoStream is not supported because it requires IGMP or MLD snooping.
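The two switching procedures and the restrictions above form a small set of ordering rules: global multicast can only be enabled in Multicast-Multicast mode (for IPv6 as well, if it is enabled), it must be disabled before switching back to Multicast-Unicast, and IGMP snooping depends on both. The Python model below is an added example, not Cisco code, that encodes those rules so that a change script refuses out-of-order steps before they reach the controller; it also reproduces the troubleshooting case where IPv6 is enabled but was left in Multicast-Unicast mode. The class and function names are assumptions, the starting state (Multicast-Unicast, global multicast off) is an assumption, and clearing the snooping flags when global multicast is disabled is an assumption rather than documented behaviour.

```python
import ipaddress
from typing import Optional


class MulticastModeError(Exception):
    """Raised where the controller would reject the command."""


class MulticastConfig:
    """Model of the multicast mode state (hypothetical class name)."""

    def __init__(self, ipv6_enabled: bool = False) -> None:
        self.ipv6_enabled = ipv6_enabled
        self.ipv4_mode = "unicast"       # assumption: start in Multicast-Unicast mode
        self.ipv6_mode = "unicast"
        self.ipv4_group: Optional[str] = None
        self.ipv6_group: Optional[str] = None
        self.global_multicast = False
        self.igmp_snooping = False
        self.mld_snooping = False

    @staticmethod
    def _check_group(addr: Optional[str], version: int) -> str:
        if addr is None:
            raise MulticastModeError(f"an IPv{version} multicast group address is required")
        ip = ipaddress.ip_address(addr)
        if ip.version != version or not ip.is_multicast:
            raise MulticastModeError(f"{addr} is not an IPv{version} multicast address")
        return addr

    # config network multicast mode {multicast IPv4-multicast-address | unicast}
    def set_ipv4_mode(self, mode: str, group: Optional[str] = None) -> None:
        if mode == "unicast" and self.global_multicast:
            raise MulticastModeError("disable global multicast before switching to Multicast-Unicast")
        if mode == "multicast":
            self.ipv4_group = self._check_group(group, 4)
        self.ipv4_mode = mode

    # config ipv6 multicast mode {multicast IPv6-multicast-address | unicast}
    def set_ipv6_mode(self, mode: str, group: Optional[str] = None) -> None:
        if mode == "unicast" and self.global_multicast:
            raise MulticastModeError("disable global multicast before switching to Multicast-Unicast")
        if mode == "multicast":
            self.ipv6_group = self._check_group(group, 6)
        self.ipv6_mode = mode

    # config network multicast global {enable | disable}
    def set_global_multicast(self, enable: bool) -> None:
        if enable and self.ipv4_mode != "multicast":
            raise MulticastModeError("global multicast requires Multicast-Multicast mode")
        if enable and self.ipv6_enabled and self.ipv6_mode != "multicast":
            # the troubleshooting case: IPv6 is enabled but still in Multicast-Unicast mode
            raise MulticastModeError("IPv6 is still in Multicast-Unicast mode")
        self.global_multicast = enable
        if not enable:
            self.igmp_snooping = self.mld_snooping = False   # assumption: snooping cannot outlive it

    def set_igmp_snooping(self, enable: bool) -> None:
        if enable and not (self.global_multicast and self.ipv4_mode == "multicast"):
            raise MulticastModeError("IGMP snooping needs global multicast and Multicast-Multicast mode")
        self.igmp_snooping = enable


def switch_to_multicast_multicast(cfg: MulticastConfig, ipv4_group: str,
                                  ipv6_group: Optional[str] = None) -> MulticastConfig:
    """The first procedure above, in its required order: addresses first, then global multicast."""
    cfg.set_ipv4_mode("multicast", ipv4_group)
    if cfg.ipv6_enabled:
        cfg.set_ipv6_mode("multicast", ipv6_group)
    cfg.set_global_multicast(True)
    return cfg


def switch_to_multicast_unicast(cfg: MulticastConfig) -> MulticastConfig:
    """The second procedure above: global multicast must be disabled first."""
    cfg.set_global_multicast(False)
    cfg.set_ipv4_mode("unicast")
    if cfg.ipv6_enabled:
        cfg.set_ipv6_mode("unicast")
    return cfg
```

The group-address check uses the standard-library ipaddress module, so a unicast address typed by mistake is caught locally instead of on the controller.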
Troubleshooting
Unable to switch to Multicast-Multicast mode as Global Multicast is not getting enabled
Possible issue—IPv6 is configured but not in use. Check if IPv6 is still in Multicast-Unicast mode.
Solution—Disable IPv6 if it is not being used or switch Multicast-Unicast to Multicast-Multicast mode for
IPv6.
CHAPTER 12
Configuring Client Roaming
• Information About Client Roaming, on page 117
• Restrictions for Client Roaming, on page 119
• Configuring CCX Client Roaming Parameters (GUI), on page 119
• Configuring CCX Client Roaming Parameters (CLI), on page 120
• Obtaining CCX Client Roaming Information (CLI), on page 120
• Debugging CCX Client Roaming Issues (CLI), on page 121
Information About Client Roaming
The Cisco UWN solution supports seamless client roaming across lightweight access points managed by the
same controller, between controllers in the same mobility group on the same subnet, and across controllers
in the same mobility group on different subnets. Also, in controller software release 4.1 or later releases, client
roaming with multicast packets is supported.
You can adjust the default RF settings (RSSI, hysteresis, scan threshold, and transition time) to fine-tune the
operation of client roaming using the controller GUI or CLI.
Intra-Controller Roaming
Each controller supports same-controller client roaming across access points managed by the same controller.
This roaming is transparent to the client as the session is sustained, and the client continues using the same
DHCP-assigned or client-assigned IP address. The controller provides DHCP functionality with a relay
function. Same-controller roaming is supported in single-controller deployments and in multiple-controller
deployments.
Inter-Controller Roaming
Multiple-controller deployments support client roaming across access points managed by controllers in the
same mobility group and on the same subnet. This roaming is also transparent to the client because the session
is sustained and a tunnel between controllers allows the client to continue using the same DHCP- or
client-assigned IP address as long as the session remains active. The tunnel is torn down, and the client must
reauthenticate when the client sends a DHCP Discover with a 0.0.0.0 client IP address or a 169.254.*.* client
auto-IP address or when the operator-set session timeout is exceeded.
Inter-Subnet Roaming
Multiple-controller deployments support client roaming across access points managed by controllers in the
same mobility group on different subnets. This roaming is transparent to the client because the session is
sustained and a tunnel between the controllers allows the client to continue using the same DHCP-assigned
or client-assigned IP address as long as the session remains active. The tunnel is torn down, and the client
must reauthenticate when the client sends a DHCP Discover with a 0.0.0.0 client IP address or a 169.254.*.*
client auto-IP address or when the operator-set user timeout is exceeded.
Voice-over-IP Telephone Roaming
802.11 voice-over-IP (VoIP) telephones actively seek out associations with the strongest RF signal to ensure
the best quality of service (QoS) and the maximum throughput. The minimum VoIP telephone requirement
of 20-millisecond or shorter latency time for the roaming handover is easily met by the Cisco Wireless solution,
which has an average handover latency of 5 or fewer milliseconds when open authentication is used. This
short latency period is controlled by controllers rather than allowing independent access points to negotiate
roaming handovers.
The Cisco Wireless solution supports 802.11 VoIP telephone roaming across lightweight access points managed
by controllers on different subnets, as long as the controllers are in the same mobility group. This roaming is
transparent to the VoIP telephone because the session is sustained and a tunnel between controllers allows
the VoIP telephone to continue using the same DHCP-assigned IP address as long as the session remains
active. The tunnel is torn down, and the VoIP client must reauthenticate when the VoIP telephone sends a
DHCP Discover with a 0.0.0.0 VoIP telephone IP address or a 169.254.*.* VoIP telephone auto-IP address
or when the operator-set user timeout is exceeded.
CCX Layer 2 Client Roaming
The controller supports five CCX Layer 2 client roaming enhancements:
• Access point assisted roaming—This feature helps clients save scanning time. When a CCXv2 client
associates to an access point, it sends an information packet to the new access point listing the
characteristics of its previous access point. Roaming time decreases when the client recognizes and uses
an access point list built by compiling all previous access points to which each client was associated and
sent (unicast) to the client immediately after association. The access point list contains the channels,
BSSIDs of neighbor access points that support the client’s current SSID(s), and time elapsed since
disassociation.
• Enhanced neighbor list—This feature focuses on improving a CCXv4 client’s roam experience and
network edge performance, especially when servicing voice applications. The access point provides its
associated client information about its neighbors using a neighbor-list update unicast message.
• Enhanced neighbor list request (E2E)—The End-2-End specification is a Cisco and Intel joint program
that defines new protocols and interfaces to improve the overall voice and roaming experience. It applies
only to Intel clients in a CCX environment. Specifically, it enables Intel clients to request a neighbor list
at will. When this occurs, the access point forwards the request to the controller. The controller receives
the request and replies with the current CCX roaming sublist of neighbors for the access point to which
the client is associated.
Note
To see whether a particular client supports E2E, choose Wireless > Clients on
the controller GUI, click the Detail link for the desired client, and look at the
E2E Version text box in the Client Properties area.
• Roam reason report—This feature enables CCXv4 clients to report the reason why they roamed to a new
access point. It also allows network administrators to build and monitor a roam history.
• Directed roam request—This feature enables the controller to send directed roam requests to the client
in situations when the controller can better service the client on an access point different from the one
to which it is associated. In this case, the controller sends the client a list of the best access points that it
can join. The client can either honor or ignore the directed roam request. Non-CCX clients and clients
running CCXv3 or below must not take any action. No configuration is required for this feature.
This section contains the following subsections:
Restrictions for Client Roaming
• CCX versions 1 through 5 are supported. CCX support is enabled automatically for every WLAN on the
controller and cannot be disabled. The controller stores the CCX version of the client in its client database
and uses it to generate and respond to CCX frames appropriately. Clients must support CCXv4 or v5 (or
CCXv2 for access point assisted roaming) in order to utilize these roaming enhancements.
The roaming enhancements mentioned above are enabled automatically, with the appropriate CCX
support.
• FlexConnect access points in standalone mode do not support CCX Layer 2 roaming.
• Client roaming between Cisco 600 Series OEAPs is not supported.
• Seamless L2 and L3 roaming is not supported between a Cisco and a third-party wireless infrastructure,
which also includes a Cisco IOS access point.
Configuring CCX Client Roaming Parameters (GUI)
Step 1
Choose Wireless > 802.11a/n or 802.11b/g/n > Client Roaming. The 802.11a (802.11b) > Client Roaming page appears.
Step 2
If you want to fine-tune the RF parameters that affect client roaming, choose Custom from the Mode drop-down list and
go to Step 3. If you want to leave the RF parameters at their default values, choose Default and go to Step 8.
Step 3
In the Minimum RSSI text box, enter a value for the minimum received signal strength indicator (RSSI) required for
the client to associate to an access point. If the client’s average received signal power dips below this threshold, reliable
communication is usually impossible. Therefore, clients must already have found and roamed to another access point
with a stronger signal before the minimum RSSI value is reached.
The range is –90 to –50 dBm.
The default is –85 dBm.
Step 4
In the Hysteresis text box, enter a value to indicate how much greater the signal strength of a neighboring access point
must be in order for the client to roam to it. This parameter is intended to reduce the amount of roaming between access
points if the client is physically located on or near the border between two access points.
The range is 3 to 20 dB.
The default is 3 dB.
Step 5
In the Scan Threshold text box, enter the minimum RSSI that is allowed before the client should roam to a better access
point. When the RSSI drops below the specified value, the client must be able to roam to a better access point within the
specified transition time. This parameter also provides a power-save method to minimize the time that the client spends
in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan
more rapidly when the RSSI is below the threshold.
The range is –90 to –50 dBm.
The default is –72 dBm.
Step 6
In the Transition Time text box, enter the maximum time allowed for the client to detect a suitable neighboring access
point to roam to and to complete the roam, whenever the RSSI from the client’s associated access point is below the scan
threshold.
The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together
with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless
LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.
The range is 1 to 5 seconds.
The default is 5 seconds.
Step 7
Click Apply.
Step 8
Click Save Configuration.
Step 9
Repeat this procedure if you want to configure client roaming for another radio band.
Configuring CCX Client Roaming Parameters (CLI)
Configure CCX Layer 2 client roaming parameters by entering this command:
config {802.11a | 802.11b} l2roam rf-params {default | custom min_rssi roam_hyst scan_thresh trans_time}
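The four RF parameters in Steps 3 to 6 have fixed ranges and defaults, and the CLI command above takes them positionally in the order min_rssi, roam_hyst, scan_thresh, trans_time, so a typo in one position silently lands in another. The Python helper below is an added example, not Cisco code: it validates a parameter set against the ranges stated in the GUI steps, builds the exact CLI line, and models the behaviour the steps describe (slow scanning above the scan threshold, fast scanning below it, and the design rule that the cell overlap must cover the distance a client travels during the transition time). The roam decision is a simplification that I am assuming (roam once the current AP is below the scan threshold and a neighbor beats it by at least the hysteresis), and the check that the scan threshold is not below the minimum RSSI is an added sanity check, not one the GUI is documented to enforce.

```python
from typing import Dict, Optional

# (low, high, default) for each parameter, in the order the CLI expects them
RF_PARAM_RANGES = {
    "min_rssi":    (-90, -50, -85),   # dBm
    "roam_hyst":   (3, 20, 3),        # dB
    "scan_thresh": (-90, -50, -72),   # dBm
    "trans_time":  (1, 5, 5),         # seconds
}


def default_rf_params() -> Dict[str, int]:
    return {name: bounds[2] for name, bounds in RF_PARAM_RANGES.items()}


def validate_rf_params(params: Dict[str, int]) -> Dict[str, int]:
    """Reject values outside the ranges given in Steps 3 to 6; returns the same dict."""
    for name, (low, high, _) in RF_PARAM_RANGES.items():
        value = params[name]
        if not low <= value <= high:
            raise ValueError(f"{name}={value} is outside {low}..{high}")
    if params["scan_thresh"] < params["min_rssi"]:
        # sanity check (assumption): the client should roam before reaching the minimum RSSI
        raise ValueError("scan threshold must not be below the minimum RSSI")
    return params


def l2roam_command(band: str, params: Optional[Dict[str, int]] = None) -> str:
    """Build the config ... l2roam rf-params line; band is '802.11a' or '802.11b'."""
    if band not in ("802.11a", "802.11b"):
        raise ValueError("band must be 802.11a or 802.11b")
    if params is None:
        return f"config {band} l2roam rf-params default"
    p = validate_rf_params(params)
    return (f"config {band} l2roam rf-params custom "
            f"{p['min_rssi']} {p['roam_hyst']} {p['scan_thresh']} {p['trans_time']}")


def scan_mode(current_rssi: int, params: Dict[str, int]) -> str:
    """Below the scan threshold the client scans rapidly, above it slowly (Step 5)."""
    return "fast" if current_rssi < params["scan_thresh"] else "slow"


def should_roam(current_rssi: int, neighbor_rssi: int, params: Dict[str, int]) -> bool:
    """Simplified roam decision (assumption): roam once the current AP is below the
    scan threshold and a neighbor beats it by at least the hysteresis."""
    if current_rssi >= params["scan_thresh"]:
        return False
    return neighbor_rssi - current_rssi >= params["roam_hyst"]


def minimum_overlap_metres(client_speed_mps: float, params: Dict[str, int]) -> float:
    """Distance a client moving at client_speed_mps covers during the transition time;
    the region where the old AP is still usable must be at least this long for the roam
    to complete (a simplification of the design rule stated in Step 6)."""
    return client_speed_mps * params["trans_time"]
```

With the defaults, a client at -75 dBm with a neighbor at -70 dBm roams (below the -72 dBm threshold, 5 dB better than the 3 dB hysteresis), while a client at -60 dBm does not roam however strong the neighbor is.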
Obtaining CCX Client Roaming Information (CLI)
Step 1
View the current RF parameters configured for client roaming for the 802.11a or 802.11b/g network by entering this
command:
show {802.11a | 802.11b} l2roam rf-param
Step 2
View the CCX Layer 2 client roaming statistics for a particular access point by entering this command:
show {802.11a | 802.11b} l2roam statistics ap_mac
This command provides the following information:
• The number of roam reason reports received
• The number of neighbor list requests received
• The number of neighbor list reports sent
• The number of broadcast neighbor updates sent
Step 3
View the roaming history for a particular client by entering this command:
show client roam-history client_mac
This command provides the following information:
• The time when the report was received
• The MAC address of the access point to which the client is currently associated
• The MAC address of the access point to which the client was previously associated
• The channel of the access point to which the client was previously associated
• The SSID of the access point to which the client was previously associated
• The time when the client disassociated from the previous access point
• The reason for the client roam
Note
For non-CCXv4 clients, the Layer 2 roam reason is not displayed in the command output. For more information,
see CSCvv85022.
Debugging CCX Client Roaming Issues (CLI)
If you experience any problems with CCX Layer 2 client roaming, enter this command:
debug l2roam [detail | error | packet | all] {enable | disable}
CHAPTER 13
Configuring IP-MAC Address Binding
• IP-MAC Address Binding, on page 123
• Configuring IP-MAC Address Binding (CLI), on page 123
IP-MAC Address Binding
The controller enforces strict IP address-to-MAC address binding in client packets. The controller checks the
IP address and MAC address in a packet, compares them to the addresses that are registered with the controller,
and forwards the packet only if they both match. When IP-MAC address binding is disabled, the controller checks
only the MAC address of the client and ignores the IP address. Disable IP-MAC address binding if you have a
wireless client that has multiple IP addresses mapped to the same MAC address. Examples include a PC running
VM software in bridge mode, or a third-party WGB.
You must disable IP-MAC address binding to use an access point in sniffer mode if the access point is
associated with a Cisco 2504 Wireless Controller, a Cisco 5508 Wireless Controller, or a controller network
module. To disable IP-MAC address binding, enter the config network ip-mac-binding disable command.
WLAN must be enabled to use an access point in sniffer mode if the access point is associated with a Cisco
2504 Wireless Controller, a Cisco 5508 Wireless Controller, or a controller network module. If WLAN is
disabled, the access point cannot send packets.
Note
If the IP address or MAC address of the packet has been spoofed, the check does not pass, and the controller
discards the packet. Spoofed packets can pass through the controller only if both the IP and MAC addresses
are spoofed together and changed to that of another valid client on the same controller.
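The trade-off in this section is that the binding check drops legitimate traffic from a client with a second IP address on the same MAC (a bridged VM, a WGB), while disabling it means only the MAC is checked. The Python model below is an added example, not Cisco code: it evaluates constructed packets against a registered-client table with the check enabled and disabled, and includes a small parser that reads the binding status from the show network summary output shown under Step 3 below, which an audit script can use to confirm the setting was not left disabled after a sniffer-mode exercise. The class and function names, the MAC and IP addresses and the sample output are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str


class ClientBindingCheck:
    """Model of the controller's per-packet check (hypothetical class name)."""

    def __init__(self, ip_mac_binding: bool = True) -> None:
        self.ip_mac_binding = ip_mac_binding        # config network ip-mac-binding {enable|disable}
        self.registered: Dict[str, str] = {}        # client MAC -> IP registered at association

    def register(self, mac: str, ip: str) -> None:
        self.registered[mac.lower()] = ip

    def verdict(self, pkt: Packet) -> str:
        mac = pkt.src_mac.lower()
        if mac not in self.registered:
            return "drop: unknown client MAC"
        if not self.ip_mac_binding:
            return "forward"                        # binding disabled: only the MAC is checked
        if self.registered[mac] != pkt.src_ip:
            return "drop: IP does not match the MAC's registered IP"
        return "forward"


def binding_enabled_from_show(show_network_summary: str) -> bool:
    """Read the 'IP/MAC Addr Binding Check' line of `show network summary` output."""
    m = re.search(r"IP/MAC Addr Binding Check\s*\.+\s*(\w+)", show_network_summary)
    if not m:
        raise ValueError("binding status line not found in output")
    return m.group(1).lower() == "enabled"


# Constructed sample output in the dotted-leader layout the controller prints.
SAMPLE_SHOW_OUTPUT = """\
RF-Network Name............................. ctrl4404
Web Mode.................................... Disable
IP/MAC Addr Binding Check ............... Enabled
"""


def sample_verdicts() -> Dict[str, str]:
    """Constructed traffic: a registered laptop, a bridged VM sharing its MAC with a
    second IP, and a packet carrying a valid MAC with another client's IP, each
    evaluated with the binding check enabled (strict) and disabled (relaxed)."""
    strict = ClientBindingCheck(ip_mac_binding=True)
    strict.register("00:11:22:33:44:55", "10.0.0.10")   # laptop
    strict.register("66:77:88:99:aa:bb", "10.0.0.20")   # another valid client
    relaxed = ClientBindingCheck(ip_mac_binding=False)
    relaxed.registered = dict(strict.registered)

    laptop = Packet("00:11:22:33:44:55", "10.0.0.10")
    bridged_vm = Packet("00:11:22:33:44:55", "10.0.0.11")   # VM in bridge mode, second IP
    ip_mismatch = Packet("66:77:88:99:aa:bb", "10.0.0.10")  # valid MAC, someone else's IP
    stranger = Packet("de:ad:be:ef:00:01", "10.0.0.10")     # MAC never registered

    return {
        "strict/laptop": strict.verdict(laptop),
        "strict/bridged-vm": strict.verdict(bridged_vm),
        "strict/ip-mismatch": strict.verdict(ip_mismatch),
        "strict/stranger": strict.verdict(stranger),
        "relaxed/bridged-vm": relaxed.verdict(bridged_vm),
        "relaxed/ip-mismatch": relaxed.verdict(ip_mismatch),
        "relaxed/stranger": relaxed.verdict(stranger),
    }
```

The relaxed table is what the bridged VM needs, and the same table forwards the mismatched-IP packet that the strict check would have dropped; that is the exposure to weigh before disabling the check, and why the Note above says only a packet whose MAC and IP both belong to another valid client passes the strict check.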
This section contains the following subsection:
Configuring IP-MAC Address Binding (CLI)
Step 1
Enable or disable IP-MAC address binding by entering this command:
config network ip-mac-binding {enable | disable}
The default value is enabled.
Note
You might want to disable this binding check if you have a routed network behind a workgroup bridge (WGB).
Note
You must disable this binding check in order to use an access point in sniffer mode if the access point is joined
to a Cisco 5508 WLC.
Step 2
Save your changes by entering this command:
save config
Step 3
View the status of IP-MAC address binding by entering this command:
show network summary
Information similar to the following appears:
RF-Network Name............................. ctrl4404
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
...
IP/MAC Addr Binding Check ............... Enabled
...
CHAPTER 14
Configuring Quality of Service
• Configuring Quality of Service, on page 125
• Configuring Quality of Service Roles, on page 129
Configuring Quality of Service
Quality of Service
Quality of service (QoS) refers to the capability of a network to provide better service to selected network
traffic over various technologies. The primary goal of QoS is to provide priority including dedicated bandwidth,
controlled jitter and latency (required by some real-time and interactive traffic), and improved loss
characteristics.
The controller supports four QoS levels:
• Platinum/Voice—Ensures a high quality of service for voice over wireless.
• Gold/Video—Supports high-quality video applications.
• Silver/Best Effort—Supports normal bandwidth for clients. This is the default setting.
• Bronze/Background—Provides the lowest bandwidth for guest services.
Note
VoIP clients should be set to Platinum.
You can configure the bandwidth of each QoS level using QoS profiles and then apply the profiles to WLANs.
The profile settings are pushed to the clients associated to that WLAN. In addition, you can create QoS roles
to specify different bandwidth levels for regular and guest users. Follow the instructions in this section to
configure QoS profiles and QoS roles. You can also define the maximum and default QoS levels for unicast
and multicast traffic when you assign a QoS profile to a WLAN.
The wireless rate limits can be defined on both upstream and downstream traffic. Rate limits can be defined
per SSID and/or specified as a maximum rate limit for all clients. These rate limits can be individually
configured.
This section contains the following subsections:
Configuring Quality of Service Profiles
You can configure the Platinum, Gold, Silver, and Bronze QoS profiles.
Configuring QoS Profiles (GUI)
Step 1
Disable the 802.11a and 802.11b/g networks so that you can configure the QoS profiles.
To disable the radio networks, choose Wireless > 802.11a/n or 802.11b/g/n > Network, unselect the 802.11a (or
802.11b/g) Network Status check box, and click Apply.
Step 2
Choose Wireless > QoS > Profiles to open the QoS Profiles page.
Step 3
Click the name of the profile that you want to configure to open the Edit QoS Profile page.
Step 4
Change the description of the profile by modifying the contents of the Description text box.
Step 5
Define the data rates on a per-user basis as follows:
a) Define the average data rate for TCP traffic per user by entering the rate in Kbps in the Average Data Rate text
boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.
b) Define the peak data rate for TCP traffic per user by entering the rate in Kbps in the Burst Data Rate text boxes. A
value of 0 indicates that the value specified in the selected QoS profile will take effect.
Note
The burst data rate should be greater than or equal to the average data rate. Otherwise, the QoS policy
may block traffic to and from the wireless client.
Ensure that you configure the average data rate before you configure the burst data rate.
c) Define the average real-time rate for UDP traffic per user by entering the rate in Kbps in the Average Real-Time
Rate text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.
Note
Average Data Rate is used to measure TCP traffic while Average Real-time rate is used for UDP traffic.
They are measured in kbps for all the entries. The values for Average Data Rate and Average Real-time
rate can be different because they are applied to different upper layer protocols such as TCP and UDP.
These different values for the rates do not impact the bandwidth.
d) Define the peak real-time rate for UDP traffic per user by entering the rate in Kbps in the Burst Real-Time Rate
text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.
Note
The burst real-time rate should be greater than or equal to the average real-time rate. Otherwise, the QoS
policy may block traffic to and from the wireless client.
Step 6
Define the data rates on a per-SSID basis as follows:
a) Define the average data rate for TCP traffic per SSID by entering the rate in Kbps in the Average Data Rate text boxes.
A value of 0 indicates that the value specified in the selected QoS profile will take effect.
b) Define the peak data rate for TCP traffic per SSID by entering the rate in Kbps in the Burst Data Rate text boxes.
A value of 0 indicates that the value specified in the selected QoS profile will take effect.
Note
The burst data rate should be greater than or equal to the average data rate. Otherwise, the QoS policy
may block traffic in the WLANs.
c) Define the average real-time rate for UDP traffic per SSID by entering the rate in Kbps in the Average Real-Time
Rate text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.
d) Define the peak real-time rate for UDP traffic per SSID by entering the rate in Kbps in the Burst Real-Time Rate
text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.
Note
The burst real-time rate should be greater than or equal to the average real-time rate. Otherwise, the QoS
policy may block traffic in the WLANs.
Step 7
Define the maximum and default QoS levels for unicast and multicast traffic when you assign a QoS profile to a WLAN.
a) From the Maximum Priority drop-down list, choose the maximum QoS priority for any data frames transmitted by
the AP to any station in the WLAN.
For example, a QoS profile named ‘gold’ targeted for video applications has the maximum priority set to video by
default.
b) From the Unicast Default Priority drop-down list, choose the QoS priority for unicast data frames transmitted by
the AP to non-WMM stations in the WLAN.
c) From the Multicast Default Priority drop-down list, choose the QoS priority for multicast data frames transmitted
by the AP to stations in the WLAN.
Note
The default unicast priority cannot be used for non-WMM clients in a mixed WLAN.
Step 8
Choose 802.1p from the Protocol Type drop-down list and enter the maximum priority value in the 802.1p Tag text
box to define the maximum value (0–7) for the priority tag associated with packets that fall within the profile.
The tagged packets include CAPWAP data packets (between access points and the controller) and packets sent toward
the core network.
Note
If a QoS profile has 802.1p tagging configured and if this QoS profile is assigned to a WLAN that uses an
untagged interface on the controller, the client traffic will be blocked.
Step 9
Click Apply.
Step 10
Click Save Configuration.
Step 11
Reenable the 802.11 networks.
To enable the radio networks, choose Wireless > 802.11a/n or 802.11b/g/n > Network, select the 802.11a (or 802.11b/g)
Network Status check box, and click Apply.
Step 12
Choose WLANs and select a WLAN ID to apply the new QoS profile to it.
Step 13
In the WLAN > Edit page, go to the QoS tab and select the QoS Profile type from the Quality of Service drop-down
list. The QoS profile will add the rate limit values configured on the controller on per WLAN, per radio and per AP
basis.
For example, if an upstream rate limit of 5 Mbps is configured for the silver QoS profile, then every WLAN that uses
the silver profile limits traffic to 5 Mbps (5 Mbps for each WLAN) on each radio and on each AP where the WLAN is
applicable.
Step 14
Click Apply.
Step 15
Click Save Configuration.
Configuring QoS Profiles (CLI)
Step 1
Disable the 802.11a and 802.11b/g networks so that you can configure the QoS profiles by entering these commands:
config 802.11{a | b} disable network
Step 2
Change the profile description by entering this command:
config qos description {bronze | silver | gold | platinum} description
Step 3
Define the average data rate for TCP traffic per user or per SSID by entering this command:
config qos average-data-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream}
rate
Note
For the rate parameter, you can enter a value between 0 and 512,000 Kbps (inclusive). A value of 0 imposes
no bandwidth restriction on the QoS profile.
Step 4
Define the peak data rate for TCP traffic per user or per SSID by entering this command:
config qos burst-data-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream}
rate
Step 5
Define the average real-time data rate for UDP traffic per user or per SSID by entering this command:
config qos average-realtime-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream}
rate
Step 6
Define the peak real-time data rate for UDP traffic per user or per SSID by entering this command:
config qos burst-realtime-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream}
rate
Step 7
Define the maximum and default QoS levels for unicast and multicast traffic when you assign a QoS profile to a WLAN
by entering this command:
config qos priority {bronze | gold | platinum | silver} maximum-priority default-unicast-priority
default-multicast-priority
You choose from the following options for the maximum-priority, default-unicast-priority, and default-multicast-priority
parameters:
• besteffort
• background
• video
• voice
Step 8
Define the maximum value (0–7) for the priority tag associated with packets that fall within the profile, by entering
these commands:
config qos protocol-type {bronze | silver | gold | platinum} dot1p
config qos dot1p-tag {bronze | silver | gold | platinum} tag
The tagged packets include CAPWAP data packets (between access points and the controller) and packets sent toward
the core network.
Note
The 802.1p tagging has impact only on wired packets. Wireless packets are impacted only by the maximum
priority level set for a QoS profile.
Note
If a QoS profile has 802.1p tagging configured and if this QoS profile is assigned to a WLAN that uses an
untagged interface on the controller, the client traffic will be blocked.
Step 9
Reenable the 802.11a and 802.11b/g networks by entering these commands:
config 802.11{a | b} enable network
Step 10
Apply the new QoS profile to a WLAN by entering this command:
config wlan qos wlan-id {bronze | silver | gold | platinum}
Configuring Quality of Service Roles
Quality of Service Roles
After you configure a QoS profile and apply it to a WLAN, it limits the bandwidth level of clients associated
to that WLAN. Multiple WLANs can be mapped to the same QoS profile, which can result in bandwidth
contention between regular users (such as employees) and guest users. In order to prevent guest users from
using the same level of bandwidth as regular users, you can create QoS roles with different (and presumably
lower) bandwidth contracts and assign them to guest users.
You can configure up to ten QoS roles for guest users.
Note
If you choose to create an entry on the RADIUS server for a guest user and enable RADIUS authentication
for the WLAN on which web authentication is performed rather than adding a guest user to the local user
database from the controller, you need to assign the QoS role on the RADIUS server itself. To do so, a
“guest-role” Airespace attribute called the Airespace-Guest-Role-Name with the attribute identifier value of
11 and the datatype of string, which should match the name of the “guest-role” configured on the controller,
needs to be added on the RADIUS server. This attribute is sent to the controller when authentication occurs.
If a role with the name returned from the RADIUS server is found configured on the controller, the bandwidth
associated with that role is enforced for the guest user after authentication completes successfully.
Ensure that the Layer 3 security of Web Policy is configured on the WLAN before the AAA parameter is
processed by the controller. If the WLAN does not have a Layer 3 Security of Web Policy, the AAA parameter
is ignored.
Configuring QoS Roles
Configuring QoS Roles (GUI)
Step 1
Choose Wireless > QoS > Roles to open the QoS Roles for the Guest Users page.
This page shows any existing QoS roles for guest users.
Note
If you want to delete a QoS role, hover your cursor over the blue drop-down arrow for that role and choose
Remove.
Step 2
Click New to create a new QoS role. The QoS Role Name > New page appears.
Step 3
In the Role Name text box, enter a name for the new QoS role. The name should uniquely identify the role of the QoS
user (such as Contractor, Vendor, and so on).
Step 4
Click Apply.
Step 5
Click the name of the QoS role to edit the bandwidth of a QoS role. The Edit QoS Role Data Rates page appears.
Note
The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going
downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream
traffic (from the client to the access point).
Note
The access points that support per-user bandwidth contracts for upstream traffic (from the client to the access point)
are AP1140, AP1040, AP3500, AP3600, AP1250, and AP1260.
Step 6
Define the average data rate for TCP traffic on a per-user basis by entering the rate in Kbps in the Average Data Rate
text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction
on the QoS role.
Step 7
Define the peak data rate for TCP traffic on a per-user basis by entering the rate in Kbps in the Burst Data Rate text
box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on
the QoS role.
Note
The burst data rate should be greater than or equal to the average data rate. Otherwise, the QoS policy may
block traffic to and from the wireless client.
Ensure that you configure the average data rate before you configure the burst data rate.
Step 8
Define the average real-time rate for UDP traffic on a per-user basis by entering the rate in Kbps in the Average
Real-Time Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no
bandwidth restriction on the QoS role.
Step 9
Define the peak real-time rate for UDP traffic on a per-user basis by entering the rate in Kbps in the Burst Real-Time
Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth
restriction on the QoS role.
Note
The burst real-time rate should be greater than or equal to the average real-time rate. Otherwise, the QoS
policy may block traffic to and from the wireless client.
Step 10
Click Apply.
Step 11
Click Save Configuration.
Step 12
Apply a QoS role to a guest user by following the instructions in the Configuring Local Network Users for the Controller
(GUI) section.
Configuring QoS Roles (CLI)
Step 1
Create a QoS role for a guest user by entering this command:
config netuser guest-role create role_name
Note
If you want to delete a QoS role, enter the config netuser guest-role delete role_name command.
Step 2
Configure the bandwidth contracts for a QoS role by entering these commands:
• config netuser guest-role qos data-rate average-data-rate role_name rate—Configures the average data rate for
TCP traffic on a per-user basis.
• config netuser guest-role qos data-rate burst-data-rate role_name rate—Configures the peak data rate for TCP
traffic on a per-user basis.
Note
The burst data rate should be greater than or equal to the average data rate. Otherwise, the QoS policy
may block traffic to and from the wireless client.
• config netuser guest-role qos data-rate average-realtime-rate role_name rate—Configures the average real-time
rate for UDP traffic on a per-user basis.
• config netuser guest-role qos data-rate burst-realtime-rate role_name rate—Configures the peak real-time rate
for UDP traffic on a per-user basis.
Note
The burst real-time rate should be greater than or equal to the average real-time rate. Otherwise, the QoS
policy may block traffic to and from the wireless client.
Note
For the role_name parameter in each of these commands, enter a name for the new QoS role. The name
should uniquely identify the role of the QoS user (such as Contractor, Vendor, and so on). For the rate
parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth
restriction on the QoS role.
Step 3
Apply a QoS role to a guest user by entering this command:
config netuser guest-role apply username role_name
For example, the role of Contractor could be applied to guest user jsmith.
Note
If you do not assign a QoS role to a guest user, the Role text box in the User Details shows the role as “default.”
The bandwidth contracts for this user are defined in the QoS profile for the WLAN.
Note
If you want to unassign a QoS role from a guest user, enter the config netuser guest-role apply username
default command. This user now uses the bandwidth contracts defined in the QoS profile for the WLAN.
Step 4
Save your changes by entering this command:
save config
Step 5
See a list of the current QoS roles and their bandwidth parameters by entering this command:
show netuser guest-roles
Information similar to the following appears:
Role Name........................................ Contractor
Average Data Rate........................... 10
Burst Data Rate............................. 10
Average Realtime Rate....................... 100
Burst Realtime Rate......................... 100
Role Name........................................ Vendor
Average Data Rate........................... unconfigured
Burst Data Rate............................. unconfigured
Average Realtime Rate....................... unconfigured
Burst Realtime Rate......................... unconfigured
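As an added example (not code from the Cisco guide), the following Python helper renders the config qos commands from the "Configuring QoS Profiles (CLI)" procedure and the config netuser guest-role commands from the "Configuring QoS Roles (CLI)" procedure, while enforcing the constraints both procedures state: a burst rate at or above its average, the 0 to 512,000 Kbps profile range, the 0 to 60,000 Kbps role range, and the 0 to 7 802.1p tag. Treating a burst value of 0 as unlimited is an assumption of this example, as are the profile, role and user names used in it.

```python
"""Render and sanity-check the WLC QoS bandwidth-contract CLI from the guide.

Added example, not code from the Cisco guide. It encodes the constraints the
guide states: a burst rate must be >= its average rate (otherwise the QoS policy
may block client traffic), profile rates are 0..512,000 Kbps, guest-role rates
are 0..60,000 Kbps, 0 means "no restriction", and the 802.1p tag is 0..7.
Treating a burst of 0 as unlimited (so it never conflicts with the average) is
an assumption of this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

PROFILES = ("bronze", "silver", "gold", "platinum")
PRIORITIES = ("besteffort", "background", "video", "voice")
PROFILE_RATE_MAX = 512_000  # Kbps, range of the config qos ... rate parameter
ROLE_RATE_MAX = 60_000      # Kbps, range of the config netuser guest-role rates


@dataclass
class BandwidthContract:
    """Average/burst rates for TCP (data) and UDP (realtime) traffic, in Kbps."""
    average_data: int = 0
    burst_data: int = 0
    average_realtime: int = 0
    burst_realtime: int = 0

    def problems(self, max_rate: int) -> List[str]:
        """Return the constraint violations for this contract (empty if OK)."""
        errs = []
        for name, val in vars(self).items():
            if not 0 <= val <= max_rate:
                errs.append(f"{name}={val} outside 0..{max_rate} Kbps")
        # A burst below its average is the misconfiguration the guide warns
        # may block traffic to and from the wireless client.
        if self.burst_data and self.average_data > self.burst_data:
            errs.append("burst_data must be >= average_data")
        if self.burst_realtime and self.average_realtime > self.burst_realtime:
            errs.append("burst_realtime must be >= average_realtime")
        return errs


def _check(value: str, allowed: Sequence[str], what: str) -> None:
    if value not in allowed:
        raise ValueError(f"{what} must be one of {allowed}, got {value!r}")


def profile_rate_commands(profile: str, scope: str, direction: str,
                          c: BandwidthContract) -> List[str]:
    """config qos ... rate commands for one profile, scope and direction."""
    _check(profile, PROFILES, "profile")
    _check(scope, ("per-ssid", "per-client"), "scope")
    _check(direction, ("downstream", "upstream"), "direction")
    errs = c.problems(PROFILE_RATE_MAX)
    if errs:
        raise ValueError("; ".join(errs))
    tail = f"{profile} {scope} {direction}"
    # Each average is emitted before its burst, as the guide instructs.
    return [
        f"config qos average-data-rate {tail} {c.average_data}",
        f"config qos burst-data-rate {tail} {c.burst_data}",
        f"config qos average-realtime-rate {tail} {c.average_realtime}",
        f"config qos burst-realtime-rate {tail} {c.burst_realtime}",
    ]


def profile_priority_commands(profile: str, maximum: str, unicast: str,
                              multicast: str,
                              dot1p_tag: Optional[int] = None) -> List[str]:
    """config qos priority, plus optional 802.1p tagging, for one profile."""
    _check(profile, PROFILES, "profile")
    for p in (maximum, unicast, multicast):
        _check(p, PRIORITIES, "priority")
    cmds = [f"config qos priority {profile} {maximum} {unicast} {multicast}"]
    if dot1p_tag is not None:
        if not 0 <= dot1p_tag <= 7:
            raise ValueError("802.1p tag must be 0..7")
        cmds += [f"config qos protocol-type {profile} dot1p",
                 f"config qos dot1p-tag {profile} {dot1p_tag}"]
    return cmds


def guest_role_commands(role: str, c: BandwidthContract,
                        users: Sequence[str] = ()) -> List[str]:
    """Create a guest QoS role, set its per-user contract and apply it."""
    errs = c.problems(ROLE_RATE_MAX)
    if errs:
        raise ValueError("; ".join(errs))
    base = "config netuser guest-role qos data-rate"
    cmds = [f"config netuser guest-role create {role}",
            f"{base} average-data-rate {role} {c.average_data}",
            f"{base} burst-data-rate {role} {c.burst_data}",
            f"{base} average-realtime-rate {role} {c.average_realtime}",
            f"{base} burst-realtime-rate {role} {c.burst_realtime}"]
    cmds += [f"config netuser guest-role apply {u} {role}" for u in users]
    return cmds
```

Wrap the profile commands in the disable/enable network steps of the procedure above, apply the profile with config wlan qos, and finish with save config.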
CHAPTER 15
Configuring Application Visibility and Control
• Application Visibility and Control, on page 133
• Restrictions for Application Visibility and Control, on page 134
• Configuring Application Visibility and Control (GUI), on page 134
• Configuring Application Visibility and Control (CLI), on page 135
• Configuring NetFlow, on page 136
Application Visibility and Control
Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with
the Network-Based Application Recognition (NBAR) engine, and provides application-level visibility and
control (QoS) in wireless networks. After the applications are recognized, the AVC feature enables you to
either drop, mark, or police the data traffic.
AVC can detect more than 1000 applications. AVC enables you to perform real-time analysis and
create policies to reduce network congestion, costly network link usage, and infrastructure upgrades.
Note
You can view a list of 30 applications in Top Applications in the Monitor Summary section of the UI.
AVC DSCP marks only the DSCP of the original packet in the controller in both directions (upstream and
downstream). It does not affect the outer CAPWAP DSCP. AVC DSCP is applicable only when the application
is classified. For example, based on the AVC profile configuration, if an application is classified as ftp or
http, the corresponding DSCP marking is applied irrespective of the WLAN QoS. For downstream, the DSCP
value of the outer CAPWAP header and the inner packet’s DSCP are taken from AVC DSCP. WLAN QoS is
applicable only to traffic from the controller to the AP through CAPWAP; it does not change the DSCP of the
original packet.
Using an AVC rule, you can limit the bandwidth of a particular application for all the clients joined to the WLAN.
These bandwidth contracts coexist with per-client downstream rate limiting; the per-client downstream rate
limit takes precedence over the per-application rate limits.
AVC is supported in central switching mode on the following controller platforms: Cisco 2504 WLCs, Cisco
5508 WLCs, Cisco Flex 7510 WLCs, Cisco 8510 WLCs, and Cisco Wireless Services Module 2 (WiSM2).
The number of concurrent flows supported for AVC classification on each controller platform is noted
in the following table.
Controller Platform               Flows
Cisco 2504 Wireless Controller    26,250
Cisco 5508 Wireless Controller    183,750
Cisco WiSM2                       393,750
Cisco 8510 Wireless Controller    336,000
Cisco 5520 Wireless Controller    336,000
Cisco 8540 Wireless Controller    336,000
Restrictions for Application Visibility and Control
• IPv6 packet classification is not supported.
• Layer 2 roaming is not supported across controllers.
• Multicast traffic is not supported.
• You can apply a rate limit to at most 3 applications.
• Only one rule can be configured per application. An application cannot have both a rate limit as well as
a Mark rule.
• AVC rate limiting is not supported on Cisco 2504 WLC.
Configuring Application Visibility and Control (GUI)
Step 1
Create and configure an AVC profile by following these steps:
a) Choose Wireless > Application Visibility and Control > AVC Profiles.
b) Click New and enter the AVC profile name.
c) Click Apply.
d) On the AVC Profile Name page, click the AVC profile name to open the AVC Profile > Edit page.
e) Click Add New Rule.
f) Choose the application group and the application name from the respective drop-down lists.
See the list of default AVC applications available by choosing Wireless > Application Visibility and Control >
AVC Applications.
g) From the Action drop-down list, choose either of the following:
• Drop—Drops the upstream and downstream packets that correspond to the chosen application.
• Mark—Marks the upstream and downstream packets that correspond to the chosen application with the
Differentiated Services Code Point (DSCP) value that you specify in the DSCP (0 to 63) drop-down list. The
DSCP value helps you provide differentiated services based on the QoS levels.
Note
The default action is to permit all applications.
h) If you choose Mark from the Action drop-down list, choose a DSCP value from the DSCP (0 to 63) drop-down list.
The DSCP value is a packet header code that is used to define quality of service across the Internet. The DSCP values
are mapped to the following QoS levels:
• Platinum (Voice)—Assures a high QoS for Voice over Wireless.
• Gold (Video)—Supports the high-quality video applications.
• Silver (Best Effort)—Supports the normal bandwidth for clients.
• Bronze (Background)—Provides the lowest bandwidth for guest services.
You can also choose Custom and specify the DSCP value. The valid range is from 0 to 63.
i) Click Apply.
j) Click Save Configuration.
Step 2
Associate an AVC profile to a WLAN by following these steps:
a) Choose WLANs and click the WLAN ID to open the WLANs > Edit page.
b) In the QoS tab, choose the AVC profile from the AVC Profile drop-down list.
c) Click Apply.
d) Click Save Configuration.
Configuring Application Visibility and Control (CLI)
• Create or delete an AVC profile by entering this command:
config avc profile avc-profile-name {create | delete}
• Add a rule for an AVC profile by entering this command:
config avc profile avc-profile-name rule add application application-name {drop | mark dscp-value
| ratelimit Average Ratelimit value Burst Ratelimit value}
• Remove a rule for an AVC profile by entering this command:
config avc profile avc-profile-name rule remove application application-name
• Configure an AVC profile to a WLAN by entering this command:
config wlan avc wlan-id profile avc-profile-name {enable | disable}
• Configure application visibility for a WLAN by entering this command:
config wlan avc wlan-id visibility {enable | disable}
Note
Application visibility is the subset of an AVC profile. Therefore, visibility is
automatically enabled when you configure an AVC profile on the WLAN.
• View information about all AVC profile or a particular AVC profile by entering this command:
show avc profile {summary | detailed avc-profile-name}
• View information about AVC applications by entering these commands:
• show avc applications [application-group]—Displays all the supported AVC applications for the
application group.
• show avc statistics application application_name top-users [downstream wlan | upstream
wlan | wlan] [wlan_id]—Displays AVC statistics for the top users of an application.
• show avc statistics top-apps [upstream | downstream]—Displays the AVC statistics for the
most used application.
• show avc statistics wlan wlan_id {application application_name | top-app-groups [upstream
| downstream] | top-apps [upstream | downstream]}—Displays the AVC statistics of a
WLAN per application or top applications or top application groups.
• show avc statistics client client_MAC {application application_name | top-apps [upstream |
downstream]}—Displays the client AVC statistics per application or top applications.
Note
You can view a list of 30 applications using the show avc applications and show
avc statistics commands.
• Configure troubleshooting for AVC events by entering this command:
debug avc events {enable | disable}
• Configure troubleshooting for AVC errors by entering this command:
debug avc error {enable | disable}
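As an added example (not Cisco's code), this Python class encodes the AVC restrictions listed earlier in this chapter and renders the config avc commands above for a profile. The profile name, application names and WLAN ID in it are constructed, and the positional order of the ratelimit arguments (average, then burst) follows the command syntax shown.

```python
"""Check an AVC profile against the restrictions in the guide and render the
config avc CLI for it. Added example, not Cisco code. Encoded: one rule per
application (an application cannot have both a rate limit and a Mark rule), a
rate limit on at most 3 applications, DSCP 0..63, and no AVC rate limiting on
the Cisco 2504. Application names are placeholders; the ratelimit argument
order (average, then burst) follows the command syntax shown in the guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RATELIMIT_APPS = 3
NO_RATELIMIT_PLATFORMS = {"2504"}
ACTIONS = ("drop", "mark", "ratelimit")


@dataclass(frozen=True)
class AvcRule:
    application: str
    action: str
    dscp: Optional[int] = None          # mark only, 0..63
    average_kbps: Optional[int] = None  # ratelimit only
    burst_kbps: Optional[int] = None    # ratelimit only


class AvcProfile:
    """An AVC profile as a set of per-application rules for one platform."""

    def __init__(self, name: str, platform: str) -> None:
        self.name = name
        self.platform = platform  # controller model, e.g. "2504" or "5508"
        self.rules: Dict[str, AvcRule] = {}

    def ratelimited_apps(self) -> int:
        return sum(r.action == "ratelimit" for r in self.rules.values())

    def add_rule(self, rule: AvcRule) -> None:
        """Add a rule, raising ValueError for anything the guide disallows."""
        if rule.action not in ACTIONS:
            raise ValueError(f"unknown action {rule.action!r}")
        if rule.application in self.rules:
            raise ValueError(f"{rule.application}: only one rule per application")
        if rule.action == "mark":
            if rule.dscp is None or not 0 <= rule.dscp <= 63:
                raise ValueError("mark needs a DSCP value in 0..63")
        elif rule.action == "ratelimit":
            if self.platform in NO_RATELIMIT_PLATFORMS:
                raise ValueError(f"AVC rate limiting is not supported on {self.platform}")
            if rule.average_kbps is None or rule.burst_kbps is None:
                raise ValueError("ratelimit needs average and burst values")
            if self.ratelimited_apps() >= MAX_RATELIMIT_APPS:
                raise ValueError(f"at most {MAX_RATELIMIT_APPS} applications can be rate limited")
        self.rules[rule.application] = rule

    def commands(self, wlan_id: int) -> List[str]:
        """CLI to create the profile, add its rules and enable it on a WLAN."""
        cmds = [f"config avc profile {self.name} create"]
        for r in self.rules.values():
            base = f"config avc profile {self.name} rule add application {r.application}"
            if r.action == "drop":
                cmds.append(f"{base} drop")
            elif r.action == "mark":
                cmds.append(f"{base} mark {r.dscp}")
            else:
                cmds.append(f"{base} ratelimit {r.average_kbps} {r.burst_kbps}")
        # Application visibility is enabled implicitly with the profile.
        cmds.append(f"config wlan avc {wlan_id} profile {self.name} enable")
        return cmds
```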
Configuring NetFlow
NetFlow
NetFlow is an embedded instrumentation within the controller software to characterize wireless network
flows. NetFlow monitors each IP flow and exports the aggregated flow data to the external NetFlow collectors.
The NetFlow architecture consists of the following components:
• Collector: Entity that collects all the IP traffic information from various NetFlow exporters.
• Exporter: Network entity that exports the template with the IP traffic information. The controller acts as
an exporter.
Note
The controller does not support the IPv6 address format when acting as a NetFlow exporter.
Configuring NetFlow (GUI)
Step 1
Configure the Exporter by performing these steps:
a) Choose Wireless > Netflow > Exporter.
b) Click New.
c) Enter the Exporter name, IP address, and the port number.
The valid range for the port number is from 1 to 65535.
d) Click Apply.
e) Click Save Configuration.
Step 2
Configure the NetFlow Monitor by performing these steps:
a) Choose Wireless > Netflow > Monitor.
b) Click New and enter a Monitor name.
c) On the Monitor List window, click the Monitor name to open the Netflow Monitor > Edit window.
d) Choose the exporter name and the record name from the respective drop-down lists.
• Client App Record—Better Performance
e) Click Apply.
f) Click Save Configuration.
Step 3
Associate a NetFlow Monitor to a WLAN by performing these steps:
a) Choose WLANs and click a WLAN ID to open the WLANs > Edit page.
b) In the QoS tab, choose a NetFlow monitor from the Netflow Monitor drop-down list.
c) Click Apply.
d) Click Save Configuration.
Configuring NetFlow (CLI)
• Create an Exporter by entering this command:
config flow create exporter exporter-name ip-addr port-number
• Create a NetFlow Monitor by entering this command:
config flow create monitor monitor-name
• Associate or dissociate a NetFlow monitor with an exporter by entering this command:
config flow {add | delete} monitor monitor-name exporter exporter-name
• Associate or dissociate a NetFlow monitor with a record by entering this command:
config flow {add | delete} monitor monitor-name record ipv4_client_app_flow_record
• Associate or dissociate a NetFlow monitor with a WLAN by entering this command:
config wlan flow wlan-id monitor monitor-name {enable | disable}
• View a summary of NetFlow monitors by entering this command:
show flow monitor summary
• View information about the Exporter by entering this command:
show flow exporter {summary | statistics}
• Configure NetFlow debug by entering this command:
debug flow {detail | error | info} {enable | disable}
CHAPTER 16
Configuring Media and EDCA Parameters
• Configuring Voice and Video Parameters, on page 139
• Configuring SIP-Based CAC, on page 151
• Configuring Media Parameters, on page 152
• Configuring Voice Prioritization Using Preferred Call Numbers, on page 153
• Configuring EDCA Parameters, on page 154
Configuring Voice and Video Parameters
Voice and Video Parameters
Three parameters on the controller affect voice and/or video quality:
• Call admission control
• Expedited bandwidth requests
• Unscheduled automatic power save delivery
Each of these parameters is supported in Cisco Compatible Extensions (CCX) v4 and v5.
Call Admission Control
Call admission control (CAC) enables an access point to maintain controlled quality of service (QoS) when
the wireless LAN is experiencing congestion. It works by rejecting requested calls (traffic streams) if the
channel lacks the capacity to service the request. It requires that WMM be enabled on the WLAN. CAC is
also known as ACM (Admission Control).
The following two types of CAC are available:
• Load-based CAC (recommended): All channel utilization (QBSS) is considered, including interference
and noise, as well as AP traffic.
• Static CAC: Only the traffic to and from this AP is considered when evaluating the channel’s capacity.
The following restrictions apply:
• CAC is not supported in FlexConnect local authentication, resulting in voice traffic not getting properly
tagged.
• CAC supports the following PHY rates: 6,11,12,24 megabits per second. If CAC is enabled, then at least
one of these rates should be enabled on the AP.
Static CAC
Static CAC enables the client to specify how much bandwidth or shared medium time is required to accept a
new call and in turn enables the access point to determine whether it is capable of accommodating this particular
call. The access point rejects the call if necessary in order to maintain the maximum allowed number of calls
with acceptable quality.
The QoS setting for a WLAN determines the level of static CAC support. To use static CAC with voice
applications, the WLAN must be configured for Platinum QoS. To use static CAC with video applications,
the WLAN must be configured for Gold QoS. Also, make sure that WMM is enabled for the WLAN. See the
802.3 Bridging, on page 99 section for QoS and WMM configuration instructions.
Note
You must enable admission control (ACM) for CCXv4 clients that have WMM enabled. Otherwise, static
CAC does not operate properly.
Load-Based CAC
Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all
traffic types (including that from clients), co-channel access point loads, and collocated channel interference,
for voice applications. Load-based CAC also covers the additional bandwidth consumption resulting from
PHY and channel impairment.
In load-based CAC, the access point continuously measures and updates the utilization of the RF channel
(that is, the percentage of bandwidth that has been exhausted), channel interference, and the additional calls
that the access point can admit. The access point admits a new call only if the channel has enough unused
bandwidth to support that call. By doing so, load-based CAC prevents oversubscription of the channel and
maintains QoS under all conditions of WLAN loading and interference.
Expedited Bandwidth Requests
The expedited bandwidth request feature enables clients to indicate the urgency of a WMM traffic specifications
(TSPEC) request (for example, an e911 call) to the WLAN. When the controller receives this request, it
attempts to facilitate the urgency of the call in any way possible without potentially altering the quality of
other TSPEC calls that are in progress.
You can apply expedited bandwidth requests to load-based CAC. Expedited bandwidth requests are disabled
by default. When this feature is disabled, the controller ignores all expedited requests and processes TSPEC
requests as normal TSPEC requests.
Table 6: TSPEC Request Handling Examples
Reserved bandwidth for voice calls: 75% (default setting)

CAC Mode          Usage                                   Normal TSPEC Request   TSPEC with Expedited Bandwidth Request
Static CAC        Less than 75%                           Admitted               Admitted
Static CAC        Between 75% and 90% (reserved           Rejected               Admitted
                  bandwidth for voice calls exhausted)
Static CAC        More than 90%                           Rejected               Rejected
Load-based CAC    Less than 75%                           Admitted               Admitted
Load-based CAC    Between 75% and 85% (reserved           Rejected               Admitted
                  bandwidth for voice calls exhausted)
Load-based CAC    More than 85%                           Rejected               Rejected

1 For static CAC, the voice call bandwidth usage is per access point and does not take into account
co-channel access points. For load-based CAC, the voice call bandwidth usage is measured for the entire
channel.
2 Static CAC (consumed voice and video bandwidth) or load-based CAC (channel utilization [Pb]).
Note
Admission control for TSPEC g711-40ms codec type is supported.
Note
When video ACM is enabled, the controller rejects a video TSPEC if the non-MSDU size in the TSPEC is
greater than 149 or the mean data rate is greater than 1 Kbps.
U-APSD
Unscheduled automatic power save delivery (U-APSD) is a QoS facility defined in IEEE 802.11e that extends
the battery life of mobile clients. In addition to extending battery life, this feature reduces the latency of traffic
flow delivered over the wireless media. Because U-APSD does not require the client to poll each individual
packet buffered at the access point, it allows delivery of multiple downlink packets by sending a single uplink
trigger packet. U-APSD is enabled automatically when WMM is enabled.
Traffic Stream Metrics
In a voice-over-wireless LAN (VoWLAN) deployment, traffic stream metrics (TSM) can be used to monitor
voice-related metrics on the client-access point air interface. It reports both packet latency and packet loss.
You can isolate poor voice quality issues by studying these reports.
The metrics consist of a collection of uplink (client side) and downlink (access point side) statistics between
an access point and a client device that supports CCX v4 or later releases. If the client is not CCX v4 or CCX v5
compliant, only downlink statistics are captured. The client and access point measure these metrics. The access
point also collects the measurements every 5 seconds, prepares 90-second reports, and then sends the reports
to the controller. The controller organizes the uplink measurements on a client basis and the downlink
measurements on an access point basis and maintains an hour’s worth of historical data. To store this data,
the controller requires 32 MB of additional memory for uplink metrics and 4.8 MB for downlink metrics.
TSM can be configured through either the GUI or the CLI on a per radio-band basis (for example, all 802.11a
radios). The controller saves the configuration in flash memory so that it persists across reboots. After an
access point receives the configuration from the controller, it enables TSM on the specified radio band.
Note
Traffic stream metrics (TSM) can be used to monitor and report issues with voice quality.
Note
Access points support TSM entries in both local and FlexConnect modes.
Table 7: TSM Entries in Cisco 5508 and Flex 7510 WLCs

TSM Entries              5508             Flex 7510
MAX AP TSM entries       100              100
MAX Client TSM entries   250              250
MAX TSM entries          100*250=25000    100*250=25000
Once the upper limit is reached, additional TSM entries cannot be stored and sent to Cisco Prime Infrastructure.
If client TSM entries are full and AP TSM entries are available, then only the AP entries are stored, and vice
versa. This leads to partial output. TSM cleanup occurs every one hour. Entries are removed only for those
APs and clients that are not in the system.
Configuring Voice Parameters
Configuring Voice Parameters (GUI)
Step 1
Ensure that the WLAN is configured for WMM and the Platinum QoS level.
Step 2
Choose Wireless and then Network under 802.11a/n or 802.11b/g/n, uncheck the 802.11a (or 802.11b/g) Network
Status check box, and click Apply to disable the radio network.
Step 3
Choose Wireless > 802.11a/n or 802.11b/g/n > Media. The 802.11a (or 802.11b) > Media page appears. The Voice
tab is displayed by default.
Step 4
(Optional) Check the Admission Control (ACM) check box to enable static CAC for this radio band. The default value
is disabled.
Step 5
(Optional) Select the Admission Control (ACM) you want to use by choosing from the following choices:
• Load-based—To enable channel-based CAC. This is the default option.
• Static—To enable radio-based CAC.
Step 6
In the Max RF Bandwidth field, enter the percentage of the maximum bandwidth allocated to clients for voice
applications on this radio band. Once the client reaches the value specified, the access point rejects new calls on this
radio band.
The range is 5% to 85%. The sum of maximum bandwidth percentage of voice and video should not exceed 85%.
The default is 75%.
Step 7
In the Reserved Roaming Bandwidth field, enter the percentage of maximum allocated bandwidth that is reserved
for roaming voice clients. The controller reserves this bandwidth from the maximum allocated bandwidth for roaming
voice clients.
The range is 0% to 25%.
The default is 6%.
Step 8
To enable expedited bandwidth requests, check the Expedited Bandwidth check box. By default, this field is disabled.
Step 9
To enable SIP CAC support, check the SIP CAC Support check box. By default, SIP CAC support is disabled.
Step 10
From the SIP Codec drop-down list, choose one of the following options to set the codec name. The default value is
G.711. The options are as follows:
• User Defined
• G.711
• G.729
Step 11
In the SIP Bandwidth (kbps) field, enter the bandwidth in kilobits per second.
The possible range is 8 to 64.
The default value is 64.
Note
The SIP Bandwidth (kbps) field is highlighted only when you select the SIP codec as User-Defined. If you
choose the SIP codec as G.711, the SIP Bandwidth (kbps) field is set to 64. If you choose the SIP codec as
G.729, the SIP Bandwidth (kbps) field is set to 8.
Step 12
In the SIP Voice Sample Interval (msecs) field, enter the value for the sample interval.
Step 13
In the Maximum Calls field, enter the maximum number of calls that can be made to this radio. The maximum call
limit includes both direct and roaming-in calls. If the maximum call limit is reached, the new or roaming-in calls result
in failure.
The possible range is 0 to 25.
The default value is 0, which indicates that there is no check for maximum call limit.
Note
If SIP CAC is supported and the CAC method is static, the Maximum Possible Voice Calls and Maximum Possible
Roaming Reserved Calls fields appear.
Step 14
Check the Metrics Collection check box to collect traffic stream metrics. By default, this box is unselected; that is,
traffic stream metrics are not collected by default.
Step 15
Click Apply.
Step 16
Choose Network under 802.11a/n or 802.11b/g/n, check the 802.11a (or 802.11b/g) Network Status check box, and
click Apply to reenable the radio network.
Step 17
Click Save Configuration.
Step 18
Repeat this procedure if you want to configure voice parameters for another radio band.
Configuring Voice Parameters (CLI)
Before you begin
Ensure that you have configured SIP-based CAC.
Step 1
See all of the WLANs configured on the controller by entering this command:
show wlan summary
Step 2
Make sure that the WLAN that you are planning to modify is configured for WMM and the QoS level is set to Platinum
by entering this command:
show wlan wlan_id
Step 3
Disable the radio network by entering this command:
config {802.11a | 802.11b} disable network
Step 4
Save your settings by entering this command:
save config
Step 5
Enable or disable static CAC for the 802.11a or 802.11b/g network by entering this command:
config {802.11a | 802.11b} cac voice acm {enable | disable}
Step 6
Set the percentage of maximum bandwidth allocated to clients for voice applications on the 802.11a or 802.11b/g
network by entering this command:
config {802.11a | 802.11b} cac voice max-bandwidth bandwidth
The bandwidth range is 5 to 85%, and the default value is 75%. Once the client reaches the value specified, the access
point rejects new calls on this network.
Step 7
Set the percentage of maximum allocated bandwidth reserved for roaming voice clients by entering this command:
config {802.11a | 802.11b} cac voice roam-bandwidth bandwidth
The bandwidth range is 0 to 25%, and the default value is 6%. The controller reserves this much bandwidth from the
maximum allocated bandwidth for roaming voice clients.
Step 8
Configure the codec name and sample interval, which the controller uses to calculate the required bandwidth per call,
by entering this command:
config {802.11a | 802.11b} cac voice sip codec {g711 | g729} sample-interval number_msecs
Step 9
Configure the bandwidth that is required per call by entering this command:
config {802.11a | 802.11b} cac voice sip bandwidth bandwidth_kbps sample-interval number_msecs
Step 10
Reenable the radio network by entering this command:
config {802.11a | 802.11b} enable network
Step 11
View the TSM voice metrics by entering this command:
show [802.11a | 802.11b] cu-metrics AP_Name
The command also displays the channel utilization metrics.
Step 12
Enter the save config command to save your settings.
Step 13
Configure voice automatically for a WLAN by entering this command:
config auto-configure voice cisco wlan-id radio {802.11a | 802.11b | all}
Step 14
Enter the save config command to save your settings.
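A pre-change check that encodes the ranges and couplings the voice-parameter procedures above state (voice bandwidth 5 to 85 percent, roaming reserve 0 to 25 percent, voice plus video not above 85 percent, SIP bandwidth 8 to 64 kbps and fixed at 64 for G.711 and 8 for G.729, maximum calls 0 to 25 with 0 meaning no check) and emits the CLI lines of the procedure in order. This is an added example, not Cisco code: the dataclass and function names are mine, the 20 ms sample interval is an assumed value because the guide gives no default, and SIP CAC itself is enabled separately as described under Configuring SIP-Based CAC.

```python
from __future__ import annotations
from dataclasses import dataclass

# Bandwidth the guide fixes per SIP codec; "user-defined" may be any value from 8 to 64 kbps.
SIP_CODEC_KBPS = {"g711": 64, "g729": 8}


@dataclass
class VoiceCacSettings:
    """Voice CAC settings for one radio band (example-only names, not controller API)."""
    band: str = "802.11a"             # CLI keyword: 802.11a or 802.11b
    acm: bool = True                  # Admission Control (ACM) on this radio
    max_bandwidth_pct: int = 75       # Max RF Bandwidth, 5..85, default 75
    roam_bandwidth_pct: int = 6       # Reserved Roaming Bandwidth, 0..25, default 6
    video_max_bandwidth_pct: int = 0  # video Max RF Bandwidth on the same radio (GUI default 0)
    sip_cac: bool = False             # SIP CAC support on this radio
    sip_codec: str = "g711"           # g711, g729 or user-defined
    sip_bandwidth_kbps: int = 64      # 8..64; fixed at 64 for g711 and 8 for g729
    sip_sample_interval_ms: int = 20  # assumed value; the guide states no default
    max_calls: int = 0                # 0..25; 0 means no maximum-call check


def validate(s: VoiceCacSettings) -> list[str]:
    """Return the documented constraints the settings violate (an empty list means they pass)."""
    problems: list[str] = []
    if s.band not in ("802.11a", "802.11b"):
        problems.append(f"band must be 802.11a or 802.11b, not {s.band}")
    if not 5 <= s.max_bandwidth_pct <= 85:
        problems.append("voice max-bandwidth must be 5..85 percent")
    if not 0 <= s.roam_bandwidth_pct <= 25:
        problems.append("voice roam-bandwidth must be 0..25 percent")
    if s.max_bandwidth_pct + s.video_max_bandwidth_pct > 85:
        problems.append("voice plus video max-bandwidth must not exceed 85 percent")
    if s.sip_codec not in SIP_CODEC_KBPS and s.sip_codec != "user-defined":
        problems.append(f"unknown SIP codec {s.sip_codec}")
    if not 8 <= s.sip_bandwidth_kbps <= 64:
        problems.append("SIP bandwidth must be 8..64 kbps")
    fixed = SIP_CODEC_KBPS.get(s.sip_codec)
    if fixed is not None and s.sip_bandwidth_kbps != fixed:
        problems.append(f"SIP bandwidth for {s.sip_codec} is fixed at {fixed} kbps")
    if not 0 <= s.max_calls <= 25:
        problems.append("maximum calls must be 0..25")
    return problems


def render_cli(s: VoiceCacSettings) -> list[str]:
    """Emit the CLI sequence of the voice-parameters procedure, in its order; refuses invalid settings."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    b = s.band
    lines = [
        f"config {b} disable network",       # take the radio down before changing CAC
        "save config",
        f"config {b} cac voice acm {'enable' if s.acm else 'disable'}",
        f"config {b} cac voice max-bandwidth {s.max_bandwidth_pct}",
        f"config {b} cac voice roam-bandwidth {s.roam_bandwidth_pct}",
    ]
    if s.sip_cac:
        if s.sip_codec in SIP_CODEC_KBPS:   # named codec: the controller derives the per-call bandwidth
            lines.append(f"config {b} cac voice sip codec {s.sip_codec} "
                         f"sample-interval {s.sip_sample_interval_ms}")
        else:                               # user-defined codec: give the per-call bandwidth explicitly
            lines.append(f"config {b} cac voice sip bandwidth {s.sip_bandwidth_kbps} "
                         f"sample-interval {s.sip_sample_interval_ms}")
    lines += [f"config {b} enable network", "save config"]
    return lines


if __name__ == "__main__":
    for line in render_cli(VoiceCacSettings(sip_cac=True, sip_codec="g729", sip_bandwidth_kbps=8)):
        print(line)
    print(validate(VoiceCacSettings(max_bandwidth_pct=80, video_max_bandwidth_pct=10)))
```

The second print shows the check that is easiest to miss when voice and video are tuned on different pages: each value is inside its own range, but the combined 90 percent exceeds the shared 85 percent cap.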
Configuring Video Parameters
Configuring Video Parameters (GUI)
Step 1
Ensure that the WLAN is configured for WMM and the Platinum or Gold QoS level.
Step 2
Choose Wireless and then Network under 802.11a/n or 802.11b/g/n, uncheck the 802.11a (or 802.11b/g) Network
Status check box, and click Apply to disable the radio network.
Step 3
Choose Wireless > 802.11a/n or 802.11b/g/n > Media. The 802.11a (or 802.11b) > Media page appears.
Step 4
In the Video tab, check the Admission Control (ACM) check box to enable video CAC for this radio band. The default
value is disabled.
Step 5
From the CAC Method drop-down list, choose between Static and Load Based methods.
The static CAC method is based on the radio and the load-based CAC method is based on the channel.
Note
For TSpec and SIP based CAC for video calls, only the Static method is supported.
Step 6
In the Max RF Bandwidth text box, enter the percentage of the maximum bandwidth allocated to clients for video
applications on this radio band. When the client reaches the value specified, the access point rejects new requests on
this radio band.
The range is 5% to 85%. The sum of maximum bandwidth percentage of voice and video should not exceed 85%. The
default is 0%.
Step 7
In the Reserved Roaming Bandwidth text box, enter the percentage of the maximum RF bandwidth that is reserved for
roaming clients for video.
Step 8
Configure the SIP CAC Support by checking or unchecking the SIP CAC Support check box.
SIP CAC is supported only if SIP Snooping is enabled.
Note
You cannot enable SIP CAC if you have selected the Load Based CAC method.
Step 9
Click Apply.
Step 10
Choose Network under 802.11a/n or 802.11b/g/n, check the 802.11a (or 802.11b/g) Network Status check box, and
click Apply to reenable the radio network.
Step 11
Click Save Configuration.
Step 12
Repeat this procedure if you want to configure video parameters for another radio band.
Configuring Video Parameters (CLI)
Before you begin
Ensure that you have configured SIP-based CAC.
Step 1
See all of the WLANs configured on the controller by entering this command:
show wlan summary
Step 2
Make sure that the WLAN that you are planning to modify is configured for WMM and the QoS level is set to Gold
by entering this command:
show wlan wlan_id
Step 3
Disable the radio network by entering this command:
config {802.11a | 802.11b} disable network
Step 4
Save your settings by entering this command:
save config
Step 5
Enable or disable video CAC for the 802.11a or 802.11b/g network by entering this command:
config {802.11a | 802.11b} cac video acm {enable | disable}
Step 6
To configure the CAC method as either static or load-based, enter this command:
config {802.11a | 802.11b} cac video cac-method {static | load-based}
Step 7
Set the percentage of maximum bandwidth allocated to clients for video applications on the 802.11a or 802.11b/g
network by entering this command:
config {802.11a | 802.11b} cac video max-bandwidth bandwidth
The bandwidth range is 5 to 85%, and the default value is 5%. However, the maximum RF bandwidth cannot exceed
85% for voice and video. Once the client reaches the value specified, the access point rejects new calls on this network.
Note
If this parameter is set to zero (0), the controller assumes that you do not want to do any bandwidth allocation
and, therefore, allows all bandwidth requests.
Step 8
To configure the percentage of the maximum RF bandwidth that is reserved for roaming clients for video, enter this
command:
config {802.11a | 802.11b} cac video roam-bandwidth bandwidth
Step 9
To configure the CAC parameters for SIP-based video calls, enter this command:
config {802.11a | 802.11b} cac video sip {enable | disable}
Step 10
Process or ignore the TSPEC inactivity timeout received from an access point by entering this command:
config {802.11a | 802.11b} cac video tspec-inactivity-timeout {enable | ignore}
Step 11
Reenable the radio network by entering this command:
config {802.11a | 802.11b} enable network
Step 12
Enter the save config command to save your settings.
Viewing Voice and Video Settings
Viewing Voice and Video Settings (GUI)
Step 1
Choose Monitor > Clients to open the Clients page.
Step 2
Click the MAC address of the desired client to open the Clients > Detail page.
This page shows the U-APSD status (if enabled) for this client under Quality of Service Properties.
Step 3
Click Back to return to the Clients page.
Step 4
See the TSM statistics for a particular client and the access point to which this client is associated as follows:
a) Hover your cursor over the blue drop-down arrow for the desired client and choose 802.11aTSM or 802.11b/g TSM.
The Clients > AP page appears.
b) Click the Detail link for the desired access point to open the Clients > AP > Traffic Stream Metrics page.
This page shows the TSM statistics for this client and the access point to which it is associated. The statistics are
shown in 90-second intervals. The timestamp text box shows the specific interval when the statistics were collected.
Step 5
See the TSM statistics for a particular access point and a particular client associated to this access point, as follows:
a) Choose Wireless > Access Points > Radios > 802.11a/n or 802.11b/g/n. The 802.11a/n Radios or 802.11b/g/n
Radios page appears.
b) Hover your cursor over the blue drop-down arrow for the desired access point and choose 802.11aTSM or 802.11b/g
TSM. The AP > Clients page appears.
c) Click the Detail link for the desired client to open the AP > Clients > Traffic Stream Metrics page.
This page shows the TSM statistics for this access point and a client associated to it. The statistics are shown in
90-second intervals. The timestamp text box shows the specific interval when the statistics were collected.
Viewing Voice and Video Settings (CLI)
Step 1
See the CAC configuration for the 802.11 network by entering this command:
show ap stats {802.11a | 802.11b}
Step 2
See the CAC statistics for a particular access point by entering this command:
show ap stats {802.11a | 802.11b} ap_name
Information similar to the following appears:
Call Admission Control (CAC) Stats
Voice Bandwidth in use(% of config bw)......... 0
Total channel MT free........................ 0
Total voice MT free.......................... 0
Na Direct.................................... 0
Na Roam...................................... 0
Video Bandwidth in use(% of config bw)......... 0
Total num of voice calls in progress........... 0
Num of roaming voice calls in progress......... 0
Total Num of voice calls since AP joined....... 0
Total Num of roaming calls since AP joined..... 0
Total Num of exp bw requests received.......... 5
Total Num of exp bw requests admitted.......... 2
Num of voice calls rejected since AP joined...... 0
Num of roam calls rejected since AP joined..... 0
Num of calls rejected due to insufficient bw....0
Num of calls rejected due to invalid params.... 0
Num of calls rejected due to PHY rate.......... 0
Num of calls rejected due to QoS policy..... 0
In the example above, “MT” is medium time, “Na” is the number of additional calls, and “exp bw” is expedited bandwidth.
Note
Suppose an AP has to be rebooted when a voice client associated with the AP is on an active call. After the AP
is rebooted, the client continues to maintain the call, and during the time the AP is down, the database is not
refreshed by the controller. Therefore, we recommend that all active calls are ended before the AP is taken
down.
Step 3
See the U-APSD status for a particular client by entering this command:
show client detail client_mac
Step 4
See the TSM statistics for a particular client and the access point to which this client is associated by entering this
command:
show client tsm {802.11a | 802.11b} client_mac {ap_mac | all}
The optional all command shows all access points to which this client has associated. Information similar to the following
appears:
Client Interface Mac:    00:01:02:03:04:05
Measurement Duration:    90 seconds
Timestamp                1st Jan 2006, 06:35:80
UpLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2
DownLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2
Note
The statistics are shown in 90-second intervals. The timestamp text box shows the specific interval when the
statistics were collected.
Note
Clear the TSM statistics for a particular access point or all the access points to which this client is associated
by entering this command: clear client tsm {802.11a | 802.11b} client_mac {ap_mac | all}
Step 5
See the TSM statistics for a particular access point and a particular client associated to this access point by entering this
command:
show ap stats {802.11a | 802.11b} ap_name tsm {client_mac | all}
The optional all command shows all clients associated to this access point. Information similar to the following appears:
AP Interface Mac:        00:0b:85:01:02:03
Client Interface Mac:    00:01:02:03:04:05
Measurement Duration:    90 seconds
Timestamp                1st Jan 2006, 06:35:80
UpLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2
DownLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2
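A parser for the TSM report format shown in Steps 4 and 5 (the client view and the AP view share the same counter lines), with a small quality summary computed from the counters: the four delay buckets sum to the total packet count, so each bucket's ratio to the total gives the share of packets in that delay band. This is an added example, not Cisco code. The sample text is constructed to match the shape of the output above, the function names are mine, and the 5% loss and 10% late-packet limits are assumed values because the guide states no threshold for poor voice quality.

```python
from __future__ import annotations
import re

# Constructed sample in the shape of the "show client tsm" output; not a real capture.
SAMPLE_TSM_OUTPUT = """\
Client Interface Mac:    00:01:02:03:04:05
Measurement Duration:    90 seconds
Timestamp                1st Jan 2006, 06:35:80

UpLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2

DownLink Stats
================
Average Delay (5sec intervals)............................12
Delay less than 10 ms.....................................70
Delay bet 10 - 20 ms......................................8
Delay bet 20 - 40 ms......................................2
Delay greater than 40 ms..................................0
Total packet Count.........................................80
Total packet lost count (5sec).............................1
Maximum Lost Packet count(5sec)............................1
Average Lost Packet count(5secs)...........................0
"""

_HEADER_RE = re.compile(r"^(AP Interface Mac|Client Interface Mac|Measurement Duration|Timestamp):?\s+(.+?)\s*$")
_SECTION_RE = re.compile(r"^(UpLink|DownLink) Stats\s*$")
_COUNTER_RE = re.compile(r"^(.+?)\.{2,}\s*(\d+)\s*$")   # "Name......value" lines


def parse_tsm(text: str) -> dict:
    """Parse one TSM report (client view or AP view) into header fields and per-direction counters."""
    report: dict = {"uplink": {}, "downlink": {}}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("="):
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = _HEADER_RE.match(line)
        if m and section is None:
            report[m.group(1)] = m.group(2)
            continue
        m = _COUNTER_RE.match(line)
        if m and section:
            report[section][m.group(1).strip()] = int(m.group(2))
    return report


def summarize(direction: dict) -> dict:
    """Loss and late-packet ratios for one direction of a 90-second report."""
    total = direction["Total packet Count"]
    lost = direction["Total packet lost count (5sec)"]
    late = direction["Delay greater than 40 ms"]
    return {
        "avg_delay_ms": direction["Average Delay (5sec intervals)"],
        "loss_ratio": lost / total if total else 0.0,
        "late_ratio": late / total if total else 0.0,   # packets delayed more than 40 ms
    }


# Assumed limits for flagging an interval; the guide gives none, so tune them to the deployment.
LOSS_LIMIT = 0.05
LATE_LIMIT = 0.10


def quality_flags(report: dict) -> list[str]:
    """Human-readable problems found in a parsed report (empty list means both directions look healthy)."""
    flags = []
    for direction in ("uplink", "downlink"):
        s = summarize(report[direction])
        if s["loss_ratio"] > LOSS_LIMIT:
            flags.append(f"{direction}: packet loss {s['loss_ratio']:.1%} exceeds {LOSS_LIMIT:.0%}")
        if s["late_ratio"] > LATE_LIMIT:
            flags.append(f"{direction}: {s['late_ratio']:.0%} of packets delayed more than 40 ms")
    return flags


if __name__ == "__main__":
    parsed = parse_tsm(SAMPLE_TSM_OUTPUT)
    print(parsed["Client Interface Mac"], parsed["Timestamp"])
    for flag in quality_flags(parsed):
        print(flag)
```

Because uplink counters are collected by the client and downlink counters by the access point, a report that flags only one direction usually points at one side of the air interface; the sample above is built that way on purpose.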
Note
The statistics are shown in 90-second intervals. The timestamp text box shows the specific interval when the
statistics were collected.
Step 6
Enable or disable debugging for call admission control (CAC) messages, events, or packets by entering this command:
debug cac {all | event | packet}{enable | disable}
where all configures debugging for all CAC messages, event configures debugging for all CAC events, and packet
configures debugging for all CAC packets.
Step 7
Use the following command to perform voice diagnostics and to view the debug messages between a maximum of two
802.11 clients:
debug voice-diag {enable | disable} mac-id mac-id2 [verbose]
The verbose mode is an optional argument. When the verbose option is used, all debug messages are displayed in the
console. You can use this command to monitor a maximum of two 802.11 clients. If one of the clients is a non-WiFi
client, only the 802.11 client is monitored for debug messages.
Note
It is implicitly assumed that the clients being monitored are on call.
Note
The debug command automatically stops after 60 minutes.
Step 8
Use the following commands to view various voice-related parameters:
• show client voice-diag status
Displays whether voice diagnostics is enabled or disabled. If enabled, it also displays information about the clients
in the watch list and the time remaining for the diagnostics of the voice call.
If voice diagnostics is disabled when the following commands are entered, a message indicating that voice diagnostics
is disabled appears.
• show client voice-diag tspec
Displays the TSPEC information sent from the clients that are enabled for voice diagnostics.
• show client voice-diag qos-map
Displays information about the QoS/DSCP mapping and packet statistics in each of the four queues: VO, VI, BE,
BK. The different DSCP values are also displayed.
• show client voice-diag avrg_rssi
Displays the client’s RSSI values in the last 5 seconds when voice diagnostics is enabled.
• show client voice-diag roam-history
Displays information about the last three roaming calls. The output contains the timestamp, access point associated
with roaming, roaming reason, and if there is a roaming failure, the reason for the roaming-failure.
• show client calls {active | rejected} {802.11a | 802.11bg | all}
This command lists the details of active TSPEC and SIP calls on the controller.
Step 9
Use the following commands to troubleshoot video debug messages and statistics:
• debug ap show stats {802.11b | 802.11a} ap-name multicast—Displays the access point’s supported multicast
rates.
• debug ap show stats {802.11b | 802.11a} ap-name load—Displays the access point’s QBSS and other statistics.
• debug ap show stats {802.11b | 802.11a} ap-name tx-queue—Displays the access point’s transmit queue traffic
statistics.
• debug ap show stats {802.11b | 802.11a} ap-name client {all | video | client-mac}—Displays the access point’s
client metrics.
• debug ap show stats {802.11b | 802.11a} ap-name packet—Displays the access point’s packet statistics.
• debug ap show stats {802.11b | 802.11a} ap-name video metrics—Displays the access point’s video metrics.
• debug ap show stats video ap-name multicast mgid number —Displays an access point’s Layer 2 MGID database
number.
• debug ap show stats video ap-name admission—Displays an access point’s admission control statistics.
• debug ap show stats video ap-name bandwidth—Displays an access point’s video bandwidth.
Configuring SIP-Based CAC
Restrictions for SIP-Based CAC
• SIP CAC should only be used for phones that support status code 17 and do not support TSPEC-based
admission control.
• SIP CAC will be supported only if SIP snooping is enabled.
Configuring SIP-Based CAC (GUI)
Before you begin
• Ensure that you have set the voice to the platinum QoS level.
• Ensure that you have enabled call snooping for the WLAN.
• Ensure that you have enabled the Admission Control (ACM) for this radio.
Step 1
Choose Wireless > Advanced > SIP Snooping to open the SIP Snooping page.
Step 2
Specify the call-snooping ports by entering the starting port and the ending port.
Step 3
Click Apply and then click Save Configuration.
Configuring SIP-Based CAC (CLI)
Step 1
Set the voice to the platinum QoS level by entering this command:
config wlan qos wlan-id Platinum
Step 2
Enable the call-snooping feature for a particular WLAN by entering this command:
config wlan call-snoop enable wlan-id
Step 3
Enable the ACM to this radio by entering this command:
config {802.11a | 802.11b} cac {voice | video} acm enable
Step 4
To configure the call snooping ports, enter this command:
config advanced sip-snooping-ports starting-port ending-port
Step 5
To troubleshoot SIP-based CAC events, enter this command:
debug sip event {enable | disable}
Configuring Media Parameters
Configuring Media Parameters (GUI)
Step 1
Ensure that the WLAN is configured for WMM and the Gold QoS level.
Step 2
Disable all WLANs with WMM enabled and click Apply.
Step 3
Choose Wireless and then Network under 802.11a/n or 802.11b/g/n, unselect the 802.11a (or 802.11b/g) Network
Status check box, and click Apply to disable the radio network.
Step 4
Choose Wireless > 802.11a/n or 802.11b/g/n > Media. The 802.11a (or 802.11b) > Media > Parameters page appears.
Step 5
Choose the Media tab to open the Media page.
Step 6
Select the Unicast Video Redirect check box to enable Unicast Video Redirect. The default value is disabled.
Step 7
In the Maximum Media Bandwidth (0-85%) text box, enter the percentage of the maximum bandwidth to be allocated
for media applications on this radio band. Once the client reaches the specified value, the access point rejects new calls
on this radio band.
The default value is 85%; valid values are from 0 to 85%.
Step 8
In the Client Phy Rate text box, enter the value for the rate in kilobits per second at which the client operates.
Step 9
In the Maximum Retry Percent (0-100%) text box, enter the percentage of the maximum retry. The default value is
80.
Step 10
Select the Multicast Direct Enable check box to enable the Multicast Direct Enable text box. The default value is
enabled.
Step 11
From the Max Streams per Radio drop-down list, choose the maximum number of allowed multicast direct streams
per radio. Choose a value from 1 to 20 or No Limit. The default value is No Limit.
Step 12
From the Max Streams per Client drop-down list, choose the maximum number of allowed clients per radio. Choose
a value from 1 to 20 or No Limit. The default value is No Limit.
Step 13
If you want to enable the best radio queue for this radio, select the Best Effort QoS Admission check box. The default
value is disabled.
Configuring Voice Prioritization Using Preferred Call Numbers
Voice Prioritization Using Preferred Call Numbers
You can configure a controller to support calls from clients that do not support TSPEC-based calls. This
feature is known as voice prioritization. These calls are given priority over other clients utilizing the voice
pool. Voice prioritization is available only for SIP-based calls and not for TSPEC-based calls. If the bandwidth
is available, it takes the normal flow and allocates the bandwidth to those calls.
You can configure up to six preferred call numbers. When a call comes to one of the configured preferred
numbers, the controller does not check on the maximum call limit. It invokes the CAC to allocate bandwidth
for the preferred call. The bandwidth allocation is 85 percent of the entire bandwidth pool, not just from the
maximum configured voice pool. The bandwidth allocation is the same even for roaming calls.
Prerequisites for Configuring Voice Prioritization Using Preferred Call Numbers
You must configure the following before configuring voice prioritization:
• Set WLAN QoS to platinum.
• Enable ACM for the radio.
• Enable SIP call snooping on the WLAN.
Configuring a Preferred Call Number (GUI)
Step 1
Set the WLAN QoS profile to Platinum.
Step 2
Enable ACM for the WLAN radio.
Step 3
Enable SIP call snooping for the WLAN.
Step 4
Choose Wireless > Advanced > Preferred Call to open the Preferred Call page.
All calls configured on the controller appear.
Note
To remove a preferred call, hover your cursor over the blue drop-down arrow and choose Remove.
Step 5
Click Add Number to add a new preferred call.
Step 6
In the Call Index text box, enter the index that you want to assign to the call. Valid values are from 1 through 6.
Step 7
In the Call Number text box, enter the number.
Step 8
Click Apply to add the new number.
Configuring a Preferred Call Number (CLI)
Step 1
Set the voice to the platinum QoS level by entering this command:
config wlan qos wlan-id Platinum
Step 2
Enable the ACM to this radio by entering this command:
config {802.11a | 802.11b} cac {voice | video} acm enable
Step 3
Enable the call-snooping feature for a particular WLAN by entering this command:
config wlan call-snoop enable wlan-id
Step 4
Add a new preferred call by entering this command:
config advanced sip-preferred-call-no call_index {call_number | none}
Step 5
Remove a preferred call by entering this command:
config advanced sip-preferred-call-no call_index none
Step 6
View the preferred call statistics by entering the following command:
show ap stats {802.11{a | b} | wlan} ap_name
Step 7
Enter the following command to list the preferred call numbers:
show advanced sip-preferred-call-no
Configuring EDCA Parameters
Enhanced Distributed Channel Access Parameters
Enhanced Distributed Channel Access (EDCA) parameters are designed to provide preferential wireless
channel access for voice, video, and other quality of service (QoS) traffic.
Configuring EDCA Parameters (GUI)
Step 1
Choose Wireless and then Network under 802.11a/n or 802.11b/g/n, unselect the 802.11a (or 802.11b/g) Network
Status check box, and click Apply to disable the radio network.
Step 2
Click EDCA Parameters under 802.11a/n or 802.11b/g/n.
Step 3
The 802.11a (or 802.11b/g) > EDCA Parameters window is displayed.
Step 4
Choose one of the following options from the EDCA Profile drop-down list:
• WMM—Enables the Wi-Fi Multimedia (WMM) default parameters. The WMM option is default and we recommend
this setting if you have SpectraLink phones deployed in your network.
• Spectralink Voice Priority—This setting is not recommended.
• Voice Optimized—Enables Enhanced Distributed Channel Access (EDCA) voice-optimized profile parameters.
Choose this option when 8821 phones are deployed in your network, and video services are not in use.
• Voice & Video Optimized—Enables EDCA voice-optimized and video-optimized profile parameters. Choose this
option when 8821 phones are deployed in your network, and video services are not in use.
• Custom Voice—Enables custom voice EDCA parameters for 802.11a. The EDCA parameters under this option
also match the 6.0 WMM EDCA parameters when this profile is applied. This setting is not recommended because
it is deprecated.
Note
If you deploy video services, admission control must be disabled.
Step 5
To enable MAC optimization for voice, check the Enable Low Latency MAC check box. By default, this check box is
not checked. This feature enhances voice performance by controlling packet retransmits and appropriately aging out voice
packets on lightweight access points, which improves the number of voice calls serviced per access point.
Note
We recommend that you do not enable low latency MAC. You should enable low-latency MAC only if the
WLAN allows WMM clients. If WMM is enabled, then low-latency MAC can be used with any of the EDCA
profiles.
Step 6
Click Apply to commit your changes.
Step 7
To re-enable the radio network, click Network under 802.11a/n or 802.11b/g/n, check the 802.11a (or 802.11b/g) Network
Status check box, and click Apply.
Step 8
Click Save Configuration.
Configuring EDCA Parameters (CLI)
Step 1
Disable the radio network by entering this command:
config {802.11a | 802.11b} disable network
Step 2
Save your settings by entering this command:
save config
Step 3
Enable a specific EDCA profile by entering this command:
config advanced {802.11a | 802.11b} edca-parameters {wmm-default | svp-voice | optimized-voice |
optimized-video-voice | custom-voice}
• wmm-default—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this
option if voice or video services are not deployed on your network.
• svp-voice—Enables SpectraLink voice-priority parameters. Choose this option if SpectraLink phones are deployed
on your network to improve the quality of calls.
• optimized-voice—Enables EDCA voice-optimized profile parameters. Choose this option if voice services other
than SpectraLink are deployed on your network.
• optimized-video-voice—Enables EDCA voice-optimized and video-optimized profile parameters. Choose this
option if both voice and video services are deployed on your network.
• custom-voice—Enables custom voice EDCA parameters for 802.11a. The EDCA parameters under this option also
match the 6.0 WMM EDCA parameters when this profile is applied.
Note
If you deploy video services, admission control (ACM) must be disabled.
Step 4
View the current status of MAC (low latency MAC) optimization for voice by entering this command:
show {802.11a | 802.11b}
Information that is similar to the following example is displayed:
Voice-mac-optimization...................Disabled
Step 5
Enable or disable MAC optimization for voice by entering this command:
config advanced {802.11a | 802.11b} voice-mac-optimization {enable | disable}
Note
The low latency MAC option is not supported.
This feature enhances voice performance by controlling packet retransmits and appropriately aging out voice
packets on lightweight APs. This, in turn, improves the number of voice calls serviced per AP. The default value
is disabled.
Step 6
Re-enable the radio network by entering this command:
config {802.11a | 802.11b} enable network
Step 7
Save your settings by entering this command:
save config
CHAPTER 17
Configuring the Cisco Discovery Protocol
• Cisco Discovery Protocol, on page 157
• Restrictions for Cisco Discovery Protocol, on page 157
• Configuring the Cisco Discovery Protocol, on page 159
• Viewing Cisco Discovery Protocol Information, on page 161
• Getting CDP Debug Information, on page 164
Cisco Discovery Protocol
The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on all Cisco-manufactured
equipment. A device enabled with CDP sends out periodic interface updates to a multicast address in order
to make itself known to neighboring devices.
The default value for the frequency of periodic transmissions is 60 seconds, and the default advertised
time-to-live value is 180 seconds. The second and latest version of the protocol, CDPv2, introduces new
time-length-values (TLVs) and provides a reporting mechanism that allows for more rapid error tracking,
which reduces downtime.
Note
We recommend that you disable Cisco Discovery Protocol on the controller and access point when connected
to non-Cisco switches as CDP is unsupported on non-Cisco switches and network elements.
Restrictions for Cisco Discovery Protocol
• CDPv1 and CDPv2 are supported on the following devices:
• Cisco 2504 Wireless Controller
• Cisco 5508 Wireless Controller
• Cisco 5520 Wireless Controller
• Cisco 8510 Wireless Controller
• Cisco 8540 Wireless Controller
• CAPWAP-enabled access points
• An access point connected directly to a Cisco 2504 Wireless Controller
Note
To use the Intelligent Power Management feature, ensure that CDPv2 is enabled
on the Cisco 2504 Wireless Controller. CDPv2 is enabled by default.
• The Cisco 600 Series OEAPs do not support CDP.
• The support of CDPv1 and CDPv2 enables network management applications to discover Cisco devices.
• The following TLVs are supported by both the controller and the access point:
• Device-ID TLV: 0x0001—The hostname of the controller, the access point, or the CDP neighbor.
• Address TLV: 0x0002—The IP address of the controller, the access point, or the CDP neighbor.
• Port-ID TLV: 0x0003—The name of the interface on which CDP packets are sent out.
• Capabilities TLV: 0x0004—The capabilities of the device. The controller sends out this TLV with
a value of Host: 0x10, and the access point sends out this TLV with a value of Transparent Bridge:
0x02.
• Version TLV: 0x0005—The software version of the controller, the access point, or the CDP neighbor.
• Platform TLV: 0x0006—The hardware platform of the controller, the access point, or the CDP
neighbor.
• Power Available TLV: 0x001a— The amount of power available to be transmitted by power sourcing
equipment to permit a device to negotiate and select an appropriate power setting.
• Full/Half Duplex TLV: 0x000b—The full- or half-duplex mode of the Ethernet link on which CDP
packets are sent out.
• These TLVs are supported only by the access point:
• Power Consumption TLV: 0x0010—The maximum amount of power consumed by the access point.
• Power Request TLV:0x0019—The amount of power to be transmitted by a powerable device in
order to negotiate a suitable power level with the supplier of the network power.
• If the switch has provided power through CDP, it continues to provide only with CDP, and vice-versa
with LLDP. (CSCvg86156)
• Changing the CDP configuration on the controller does not change the CDP configuration on the access
points that are connected to the controller. You must enable and disable CDP separately for each access
point.
• You can enable or disable the CDP state on all or specific interfaces and radios. This configuration can
be applied to all access points or a specific access point.
• The following is the behavior assumed for various interfaces and access points:
• CDP is disabled on radio interfaces on indoor (nonindoor mesh) access points.
• Nonmesh access points have CDP disabled on radio interfaces when they join the controller. The
persistent CDP configuration is used for the APs that had CDP support in their previous image.
• CDP is enabled on radio interfaces on indoor-mesh and mesh access points.
• Mesh access points will have CDP enabled on their radio interfaces when they join the controller.
The persistent CDP configuration is used for the access points that had CDP support in a previous
image. The CDP configuration for radio interfaces is applicable only for mesh APs.
• CDP over radio backhaul link is not supported in Wave 2 (COS) APs.
• CDP is not supported in radio interfaces of Wave 2 (COS) APs. The GUI configuration of this has no
effect.
• LLDP is enabled on the APs by default and cannot be disabled.
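When reviewing CDP neighbor data, it helps to decode what a neighbor actually advertises and to reject malformed frames before trusting the TLVs listed above. The following Python decoder is an added example, not code from this guide or from Cisco: it parses the TLV types listed above and maps the Capabilities mask to the letter codes that show cdp neighbors prints (Host 0x10 and Transparent Bridge 0x02 are from the guide; the remaining capability bits and the checksum handling are assumed from the standard CDP format). The frame it parses is constructed, with made-up names and an RFC 5737 documentation address.

```python
import ipaddress
import struct

# Capability bits with the letter codes "show cdp neighbors" prints. Host (0x10)
# and Transparent Bridge (0x02) come from the guide; the rest are assumed
# from the standard CDP capability mask.
CAPABILITY_BITS = [(0x01, "R"), (0x02, "T"), (0x04, "B"), (0x08, "S"),
                   (0x10, "H"), (0x20, "I"), (0x40, "r")]


class CDPError(ValueError):
    """Raised for any malformed CDP payload."""


def cdp_checksum(data: bytes) -> int:
    # Internet 16-bit ones'-complement checksum; even-length payloads only.
    if len(data) % 2:
        raise CDPError("odd-length payload not supported by this helper")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_addresses(value: bytes) -> list:
    # Address TLV: 4-byte count, then per entry: protocol type (1), protocol
    # length (1), protocol id, address length (2), address.
    if len(value) < 4:
        raise CDPError("Address TLV shorter than its count field")
    count = struct.unpack("!I", value[:4])[0]
    addrs, off = [], 4
    for _ in range(count):
        if off + 2 > len(value):
            raise CDPError("truncated address entry")
        ptype, plen = value[off], value[off + 1]
        proto, off = value[off + 2:off + 2 + plen], off + 2 + plen
        if len(proto) != plen or off + 2 > len(value):
            raise CDPError("truncated address entry")
        alen = struct.unpack("!H", value[off:off + 2])[0]
        raw, off = value[off + 2:off + 2 + alen], off + 2 + alen
        if len(raw) != alen:
            raise CDPError("truncated address")
        if ptype == 1 and proto == b"\xcc" and alen == 4:  # NLPID 0xCC = IPv4
            addrs.append(str(ipaddress.IPv4Address(raw)))
        else:
            addrs.append("other:%s:%s" % (proto.hex(), raw.hex()))
    return addrs


def decode_value(ttype: int, value: bytes):
    if ttype in (0x0001, 0x0003, 0x0005, 0x0006):  # Device-ID, Port-ID, Version, Platform
        return value.decode("ascii", errors="replace")
    if ttype == 0x0004:  # Capabilities
        if len(value) != 4:
            raise CDPError("Capabilities TLV must carry a 4-byte mask")
        mask = struct.unpack("!I", value)[0]
        return {"mask": mask, "codes": [c for bit, c in CAPABILITY_BITS if mask & bit]}
    if ttype == 0x0002:  # Address
        return decode_addresses(value)
    if ttype == 0x000B:  # Full/Half Duplex
        return "full" if value == b"\x01" else "half"
    return value.hex()  # power TLVs (0x0010, 0x0019, 0x001A) and unknown types: raw hex


def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload (the bytes after the SNAP header) into its TLVs."""
    if len(payload) < 4:
        raise CDPError("payload shorter than the CDP header")
    version, ttl, checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise CDPError("unsupported CDP version %d" % version)
    if cdp_checksum(payload[:2] + b"\x00\x00" + payload[4:]) != checksum:
        raise CDPError("checksum mismatch")
    tlvs, off = {}, 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise CDPError("truncated TLV header at offset %d" % off)
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if tlen < 4 or off + tlen > len(payload):  # length covers the 4-byte TLV header
            raise CDPError("bad length %d for TLV 0x%04x" % (tlen, ttype))
        tlvs[ttype] = decode_value(ttype, payload[off + 4:off + tlen])
        off += tlen
    return {"version": version, "ttl": ttl, "tlvs": tlvs}


def tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!HH", ttype, 4 + len(value)) + value


def build_cdp(version: int, ttl: int, tlvs: bytes) -> bytes:
    body = struct.pack("!BBH", version, ttl, 0) + tlvs
    return body[:2] + struct.pack("!H", cdp_checksum(body)) + body[4:]


# Constructed sample: a controller advertising itself as Host (0x10) with the
# guide's defaults (CDPv2, 180 s hold time). Names and address are made up.
SAMPLE_ADDRESS = (struct.pack("!I", 1) + b"\x01\x01\xcc"
                  + struct.pack("!H", 4) + bytes([192, 0, 2, 10]))
SAMPLE_FRAME = build_cdp(2, 180,
    tlv(0x0001, b"WLC-2504-LAB1") + tlv(0x0002, SAMPLE_ADDRESS)
    + tlv(0x0003, b"GigabitEthernet0/0/1") + tlv(0x0004, struct.pack("!I", 0x10))
    + tlv(0x0005, b"7.4 (constructed)") + tlv(0x0006, b"Cisco 2504 WLC")
    + tlv(0x000B, b"\x01"))
```

A neighbor whose Capabilities decode to H where an access point (T) is expected on that port, or a frame that fails parsing, is worth a closer look in the switch and controller logs.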
Configuring the Cisco Discovery Protocol
Configuring the Cisco Discovery Protocol (GUI)
Step 1
Choose Controller > CDP > Global Configuration to open the CDP > Global Configuration page.
Step 2
Select the CDP Protocol Status check box to enable CDP on the controller or unselect it to disable this feature. The
default value is selected.
Note
Enabling or disabling this feature is applicable to all controller ports.
Step 3
From the CDP Advertisement Version drop-down list, choose v1 or v2 to specify the highest CDP version supported on
the controller. The default value is v1.
Step 4
In the Refresh-time Interval text box, enter the interval at which CDP messages are to be generated. The range is 5 to
254 seconds, and the default value is 60 seconds.
Step 5
In the Holdtime text box, enter the amount of time to be advertised as the time-to-live value in generated CDP packets.
The range is 10 to 255 seconds, and the default value is 180 seconds.
Step 6
Click Apply to commit your changes.
Step 7
Click Save Configuration to save your changes.
Step 8
Perform one of the following:
• To enable or disable CDP on a specific access point, follow these steps:
Choose Wireless > Access Points > All APs to open the All APs page.
Click the link for the desired access point.
Choose the Advanced tab to open the All APs > Details for (Advanced) page.
Select the Cisco Discovery Protocol check box to enable CDP on this access point or unselect it to disable this
feature. The default value is enabled.
Note
If CDP is disabled in Step 2, a message indicating that the Controller CDP is disabled appears.
• Enable CDP for a specific Ethernet interface, radio, or slot as follows:
Choose Wireless > Access Points > All APs to open the All APs page.
Click the link for the desired access point.
Choose the Interfaces tab and select the corresponding check boxes for the radios or slots from the CDP Configuration
section.
Note
Configuration for radios is only applicable for mesh access points.
Click Apply to commit your changes.
• To enable or disable CDP on all access points currently associated to the controller, follow these steps:
Choose Wireless > Access Points > Global Configuration to open the Global Configuration page.
Select the CDP State check box to enable CDP on all access points associated to the controller or unselect it to
disable CDP on all access points. The default value is selected. You can enable CDP on a specific Ethernet interface,
radio, or slot by selecting the corresponding check box. This configuration will be applied to all access points
associated with the controller.
Click Apply to commit your changes.
Step 9
Click Save Configuration to save your changes.
Configuring the Cisco Discovery Protocol (CLI)
Step 1
Enable or disable CDP on the controller by entering this command:
config cdp {enable | disable}
CDP is enabled by default.
Step 2
Specify the interval at which CDP messages are to be generated by entering this command:
config cdp timer seconds
The range is 5 to 254 seconds, and the default value is 60 seconds.
Step 3
Specify the amount of time to be advertised as the time-to-live value in generated CDP packets by entering this command:
config cdp holdtime seconds
The range is 10 to 255 seconds, and the default value is 180 seconds.
Step 4
Specify the highest CDP version supported on the controller by entering this command:
config cdp advertise {v1 | v2}
The default value is v1.
Step 5
Enable or disable CDP on all access points that are joined to the controller by entering the config ap cdp {enable |
disable} all command.
The config ap cdp disable all command disables CDP on all access points that are joined to the controller and all access
points that join in the future. CDP remains disabled on both current and future access points even after the controller or
access point reboots. To enable CDP, enter the config ap cdp enable all command.
Note
After you enable CDP on all access points joined to the controller, you may disable and then reenable CDP on
individual access points using the command in Step 6. After you disable CDP on all access points joined to the
controller, you may not enable and then disable CDP on individual access points.
Step 6
Enable or disable CDP on a specific access point by entering this command:
config ap cdp {enable | disable} Cisco_AP
Step 7
Configure CDP on a specific or all access points for a specific interface by entering this command:
config ap cdp {ethernet | radio} interface_number slot_id {enable | disable} {all | Cisco_AP}
Note
When you use the config ap cdp command to configure CDP on radio interfaces, a warning message appears
indicating that the configuration is applicable only for mesh access points.
Step 8
Save your changes by entering this command:
save config
Viewing Cisco Discovery Protocol Information
Viewing Cisco Discovery Protocol Information (GUI)
Step 1
Choose Monitor > CDP > Interface Neighbors. The CDP > Interface Neighbors page appears.
This page shows the following information:
• The controller port on which the CDP packets were received
• The name of each CDP neighbor
• The IP address of each CDP neighbor
• The port used by each CDP neighbor for transmitting CDP packets
• The time left (in seconds) before each CDP neighbor entry expires
• The functional capability of each CDP neighbor, defined as follows: R - Router, T - Trans Bridge, B - Source Route
Bridge, S - Switch, H - Host, I - IGMP, r - Repeater, or M - Remotely Managed Device
• The hardware platform of each CDP neighbor device
Step 2
Click the name of the desired interface neighbor to see more detailed information about each interface’s CDP neighbor.
The CDP > Interface Neighbors > Detail page appears.
This page shows the following information:
• The controller port on which the CDP packets were received
• The name of the CDP neighbor
• The IP address of the CDP neighbor
• The port used by the CDP neighbor for transmitting CDP packets
• The CDP version being advertised (v1 or v2)
• The time left (in seconds) before the CDP neighbor entry expires
• The functional capability of the CDP neighbor, defined as follows: Router, Trans Bridge, Source Route Bridge,
Switch, Host, IGMP, Repeater, or Remotely Managed Device
• The hardware platform of the CDP neighbor device
• The software running on the CDP neighbor
Step 3
Choose AP Neighbors to see a list of CDP neighbors for all access points connected to the controller. The CDP AP
Neighbors page appears.
Step 4
Click the CDP Neighbors link for the desired access point to see a list of CDP neighbors for a specific access point. The
CDP > AP Neighbors page appears.
This page shows the following information:
• The name of each access point
• The IP address of each access point
• The name of each CDP neighbor
• The IP address of each CDP neighbor
• The port used by each CDP neighbor
• The CDP version being advertised (v1 or v2)
Step 5
Click the name of the desired access point to see detailed information about an access point’s CDP neighbors. The CDP
> AP Neighbors > Detail page appears.
This page shows the following information:
• The name of the access point
• The MAC address of the access point’s radio
• The IP address of the access point
• The interface on which the CDP packets were received
• The name of the CDP neighbor
• The IP address of the CDP neighbor
• The port used by the CDP neighbor
• The CDP version being advertised (v1 or v2)
• The time left (in seconds) before the CDP neighbor entry expires
• The functional capability of the CDP neighbor, defined as follows: R - Router, T - Trans Bridge, B - Source Route
Bridge, S - Switch, H - Host, I - IGMP, r - Repeater, or M - Remotely Managed Device
• The hardware platform of the CDP neighbor device
• The software running on the CDP neighbor
Step 6
Choose Traffic Metrics to see CDP traffic information. The CDP > Traffic Metrics page appears.
This page shows the following information:
• The number of CDP packets received by the controller
• The number of CDP packets sent from the controller
• The number of packets that experienced a checksum error
• The number of packets dropped due to insufficient memory
• The number of invalid packets
Viewing Cisco Discovery Protocol Information (CLI)
Step 1
See the status of CDP and view CDP protocol information by entering this command:
show cdp
Step 2
See a list of all CDP neighbors on all interfaces by entering this command:
show cdp neighbors [detail]
The optional detail command provides detailed information for the controller’s CDP neighbors.
Note
This command shows only the CDP neighbors of the controller. It does not show the CDP neighbors of the
controller’s associated access points. Additional commands are provided below to show the list of CDP neighbors
per access point.
Step 3
See all CDP entries in the database by entering this command:
show cdp entry all
Step 4
See CDP traffic information on a given port (for example, packets sent and received, CRC errors, and so on) by entering
this command:
show cdp traffic
Step 5
See the CDP status for a specific access point by entering this command:
show ap cdp ap-name Cisco_AP
Step 6
See the CDP status for all access points that are connected to the controller by entering this command:
show ap cdp all
Step 7
See a list of all CDP neighbors for a specific access point by entering these commands:
• show ap cdp neighbors ap-name Cisco_AP
• show ap cdp neighbors detail Cisco_AP
Note
The access point sends CDP neighbor information to the controller only when the information changes.
Step 8
See a list of all CDP neighbors for all access points connected to the controller by entering these commands:
• show ap cdp neighbors all
• show ap cdp neighbors detail all
Note
The access point sends CDP neighbor information to the controller only when the information changes.
Getting CDP Debug Information
• Get debug information related to CDP packets by entering this command:
debug cdp packets
• Get debug information related to CDP events by entering this command:
debug cdp events
CHAPTER 18
Configuring Authentication for the Controller and NTP/SNTP Server
• Authentication for the Controller and NTP/SNTP Server, on page 165
• Configuring the NTP/SNTP Server to Obtain the Date and Time (GUI), on page 165
• Configuring the NTP/SNTP Server for Authentication (CLI), on page 166
Authentication for the Controller and NTP/SNTP Server
We highly recommend that controllers synchronize their time with an external NTP/SNTP server. We also
recommend that you authenticate this connection to the NTP/SNTP server, as a best practice. By default, an
MD5 checksum is used in this scenario.
Each NTP/SNTP server IP address is added to the controller database. The respective controller then attempts
to poll an NTP/SNTP server from this database in the index order. The controller then obtains and synchronizes
the current time at each user-defined polling interval, as well as following a reboot event. By default, the NTP
polling interval is 600 seconds.
Guidelines and Restrictions on NTP
• When the time difference between the NTP server and the controller exceeds 1000s, the ntpd process
exits and adds a panic message to the system log. In this situation, set the time on the controller manually.
• NTPv4 protocol is not supported in Cisco 2504 and 5508 Wireless Controllers.
Configuring the NTP/SNTP Server to Obtain the Date and Time
(GUI)
Step 1
Choose Controller > NTP > Server to open the NTP Servers page.
Step 2
Click New to add a new NTP/SNTP Server.
Step 3
(Optional) In the Server Index (Priority) field, enter the NTP/SNTP server index.
The controller tries Index 1 first, then Index 2 and Index 3, in descending order of priority. Set this to 1 if your network
is using only one NTP/SNTP server.
Step 4
Enter the server IP address.
You can enter an IPv4 or an IPv6 address or a fully qualified domain name (FQDN), which should meet the following
criteria:
• Contains only a-z, A-Z, and 0-9 characters.
• Does not start with a dot (.) or a hyphen (-).
• Does not end with a dot (.).
• Does not have 2 consecutive dots (..).
Step 5
Enable or disable the NTP/SNTP Authentication.
Step 6
If you enable the NTP/SNTP Authentication, enter the Key Index.
Step 7
Click Apply.
Step 8
Delete an existing NTP server IP address or DNS server by hovering the cursor over the blue drop-down arrow for that
server index and choosing Remove.
Step 9
Confirm the deletion by clicking on OK in the dialog box.
Configuring the NTP/SNTP Server for Authentication (CLI)
Procedure
• config time ntp auth enable server-index key-index—Enables NTP/SNTP authentication on a given
NTP/SNTP server.
• config time ntp key-auth add key-index key-type key-format key—Adds an authentication key. By default
MD5 is used. The key format can be "ascii" or "hex".
• Configure the NTP interval by entering this command:
config time ntp interval interval_seconds
• config time ntp key-auth delete key-index—Deletes authentication keys.
• config time ntp auth disable server-index—Disables NTP/SNTP authentication.
• show ntp-keys—Displays the NTP/SNTP authentication related parameters.
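The authentication that the commands above turn on is a keyed MD5 digest over the NTP packet header, with the key index sent in the clear ahead of the digest. The following Python code is an added example, not Cisco's implementation: it builds a key table in the ascii and hex formats the key-auth command accepts, signs a constructed 48-byte NTPv4 header, and verifies a received packet the way a client must (a missing authenticator, an unknown key index, a key mismatch, and any altered header byte are all rejected). The key values and the header contents are made up.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # NTPv3/v4 header, without extension fields
MAC_LEN = 4 + 16      # 32-bit key ID followed by a 16-byte MD5 digest


def load_key(key_format: str, key: str) -> bytes:
    # Mirrors the "ascii" / "hex" key formats accepted by the controller's
    # config time ntp key-auth add command (constructed helper).
    if key_format == "ascii":
        return key.encode("ascii")
    if key_format == "hex":
        return bytes.fromhex(key)
    raise ValueError("key format must be 'ascii' or 'hex'")


def ntp_header(stratum: int = 2, tx_seconds: int = 0xE6000000) -> bytes:
    # Minimal client header: LI=0, VN=4, mode=3 (0x23), poll=6, precision=-20;
    # root delay/dispersion, reference ID and all timestamps except the
    # transmit timestamp are zero.
    return (struct.pack("!BBbb", 0x23, stratum, 6, -20) + b"\x00" * 12
            + b"\x00" * 24 + struct.pack("!II", tx_seconds, 0))


def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    # Keyed digest: MD5 over key || header, prefixed with the key ID.
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("the authenticator covers exactly the 48-byte header")
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign_packet(key_id: int, key: bytes, header: bytes) -> bytes:
    return header + ntp_mac(key_id, key, header)


def verify_packet(packet: bytes, trusted_keys: dict) -> bool:
    """trusted_keys maps key index -> key bytes (what the controller stores).
    Rejects packets without a MAC, with an unknown key ID, or a bad digest."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key = trusted_keys.get(struct.unpack("!I", mac[:4])[0])
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])  # constant-time compare


# Constructed key table: index 1 in ascii format, index 2 in hex format.
TRUSTED_KEYS = {
    1: load_key("ascii", "example-ascii-key"),
    2: load_key("hex", "0123456789abcdef0123456789abcdef"),
}
```

Note that the digest only proves the sender holds the shared key; it does not encrypt the time, and the key index itself is visible on the wire.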
CHAPTER 19
Configuring RFID Tag Tracking
• Information About Configuring RFID Tag Tracking, on page 167
• Configuring RFID Tag Tracking (CLI), on page 168
• Viewing RFID Tag Tracking Information (CLI), on page 169
• Debugging RFID Tag Tracking Issues (CLI), on page 169
Information About Configuring RFID Tag Tracking
The controller enables you to configure radio-frequency identification (RFID) tag tracking. RFID tags are
small wireless devices that are affixed to assets for real-time location tracking. They operate by advertising
their location using special 802.11 packets, which are processed by access points, the controller, and the
mobility services engine.
To learn more about the tags supported by the controller, see
http://www.cisco.com/c/en/us/products/wireless/compatible-extensions.html. The mobility services engine
receives telemetry and chokepoint information from tags that are compliant with this CCX specification.
Table 8: Cisco Compatible Extensions for RFID Tags Summary

Partner (Product Name)        AeroScout (T2)   AeroScout (T3)   WhereNet (Wheretag IV)   Pango/InnerWireless (V3)
Telemetry: Temperature        X                X                —                        X
Telemetry: Pressure           —                —                —                        —
Telemetry: Humidity           —                —                —                        —
Telemetry: Status             —                —                —                        —
Telemetry: Fuel               —                —                —                        —
Telemetry: Quantity           —                —                —                        —
Telemetry: Distance           —                —                —                        —
Motion Detection              X                X                —                        X
Number of Panic Buttons       1                2                0                        1
Tampering                     X                X                X
Battery Information           X                X                X                        X
Multiple-Frequency Tags       X                X                X                        3
Note
For chokepoint systems, note that the tag can work only with chokepoints coming from the same vendor.
The Network Mobility Services Protocol (NMSP) runs on the mobility services engine. For NMSP to function,
the TCP port (16113) over which the controller and the mobility services engine communicate must be open
(not blocked) on any firewall that exists between these two devices.
The Cisco-approved tags support these capabilities:
• Information notifications—Enables you to view vendor-specific and emergency information.
• Information polling—Enables you to monitor battery status and telemetry data. Many telemetry data
types provide support for sensory networks and a large range of applications for RFID tags.
• Measurement notifications—Enables you to deploy chokepoints at strategic points within your buildings
or campuses. Whenever an RFID tag moves to within a defined proximity of a chokepoint, the tag begins
transmitting packets that advertise its location in relation to the chokepoint.
You can configure and view RFID tag tracking information through the controller CLI.
Configuring RFID Tag Tracking (CLI)
Step 1
Enable or disable RFID tag tracking by entering this command:
config rfid status {enable | disable}
The default value is enabled.
Step 2
Specify a static timeout value (between 60 and 7200 seconds) by entering this command:
config rfid timeout seconds
The static timeout value is the amount of time that the controller maintains tags before expiring them. For example, if a
tag is configured to beacon every 30 seconds, we recommend that you set the timeout value to 90 seconds (approximately
three times the beacon value). The default value is 1200 seconds.
Step 3
Enable or disable RFID tag mobility for specific tags by entering these commands:
• config rfid mobility vendor_name enable—Enables client mobility for a specific vendor’s tags. When you enter
this command, tags are unable to obtain a DHCP address for client mode when attempting to select and/or download
a configuration.
• config rfid mobility vendor_name disable—Disables client mobility for a specific vendor’s tags. When you enter
this command, tags can obtain a DHCP address. If a tag roams from one subnet to another, it obtains a new address
rather than retaining the anchor state.
Note
These commands can be used only for Pango tags. Therefore, the only valid entry for vendor_name is
“pango” in all lowercase letters.
Viewing RFID Tag Tracking Information (CLI)
Step 1
See the current configuration for RFID tag tracking by entering this command:
show rfid config
Step 2
See detailed information for a specific RFID tag by entering this command:
show rfid detail mac_address
where mac_address is the tag’s MAC address.
Step 3
See a list of all RFID tags currently connected to the controller by entering this command:
show rfid summary
Step 4
See a list of RFID tags that are associated to the controller as clients by entering this command:
show rfid client
Debugging RFID Tag Tracking Issues (CLI)
If you experience any problems with RFID tag tracking, use these debug commands.
• Configure MAC address debugging by entering this command:
debug mac addr mac_address
Note
We recommend that you perform the debugging on a per-tag basis. If you enable
debugging for all of the tags, the console or Telnet screen is inundated with
messages.
• Enable or disable debugging for the 802.11 RFID tag module by entering this command:
debug dot11 rfid {enable | disable}
• Enable or disable RFID debug options by entering this command:
debug rfid {all | detail | error | nmsp | receive} {enable | disable}
where
• all configures debugging of all RFID messages.
• detail configures debugging of RFID detailed messages.
• error configures debugging of RFID error messages.
• nmsp configures debugging of RFID NMSP messages.
• receive configures debugging of incoming RFID tag messages.
CHAPTER 20
Resetting the Controller to Default Settings
• Resetting the Controller to Default Settings, on page 171
• Resetting the Controller to Default Settings (GUI), on page 171
• Resetting the Controller to Default Settings (CLI), on page 171
Resetting the Controller to Default Settings
You can return the controller to its original configuration by resetting the controller to factory-default settings.
This section contains the following subsections:
Resetting the Controller to Default Settings (GUI)
Step 1
Start your Internet browser.
Step 2
Enter the controller IP address in the browser address line and press Enter. An Enter Network Password dialog box
appears.
Step 3
Enter your username in the User Name text box. The default username is admin.
Step 4
Enter the wireless device password in the Password text box and press Enter. The default password is admin.
Step 5
Choose Commands > Reset to Factory Default.
Step 6
Click Reset.
Step 7
When prompted, confirm the reset.
Step 8
Reboot the controller without saving the configuration.
Step 9
Use the configuration wizard to enter configuration settings.
Resetting the Controller to Default Settings (CLI)
Step 1
Enter the reset system command. At the prompt that asks whether you need to save changes to the configuration, enter
N. The unit reboots.
Step 2
When you are prompted for a username, enter the recover-config command to restore the factory-default configuration.
The controller reboots and displays this message:
Welcome to the Cisco WLAN Solution Wizard Configuration Tool
Step 3
Use the configuration wizard to enter configuration settings.
CHAPTER 21
Managing Controller Software and Configurations
• Upgrading the Controller Software, on page 173
• Transferring Files to and from a Controller, on page 184
• Saving Configurations, on page 200
• Editing Configuration Files, on page 201
• Clearing the Controller Configuration, on page 202
• Erasing the Controller Configuration, on page 202
• Resetting the Controller, on page 203
Upgrading the Controller Software
When you upgrade the controller software, the software on the access points associated with the controller is
also automatically upgraded. When an access point is loading software, each of its LEDs blinks in succession.
Caution
Do not power down the controller or any access point during this process; otherwise, the software image could
be corrupted. Upgrading a controller with a large number of access points can take as long as 30 minutes,
depending on the size of your network. However, with the increased number of concurrent access point
upgrades supported in the controller software release, the upgrade time should be significantly reduced. The
access points must remain powered, and the controller must not be reset during this time.
Guidelines and Restrictions for Upgrading Controller Software
The following are some of the general guidelines and restrictions that are applicable when upgrading the
controller software. For any release-specific restrictions, see the relevant release notes.
For correct interoperability among Cisco Wireless infrastructure components, including but not limited to mobility among
controllers and AP compatibility, see the Cisco Wireless Solutions Software Compatibility Matrix at:
https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
• For every software upgrade, see the corresponding release notes for any caveats, considerations, or
possible interim upgrades required to upgrade your controller to the desired release of software.
• We recommend that you have a backup of your configuration in an external repository before any software
upgrade activity.
• The upgrade of the controller software, with a fast connection to your TFTP, SFTP, or FTP file server,
can take approximately 15 to 25 minutes or less from the start of the software transfer to the reboot of the
controller (it might take longer if the upgrade also includes a Field Upgrade Software installation during
the same maintenance window). The time required for the upgrade of the associated APs might vary
from one network to another, due to a variety of deployment-specific factors, such as the number of APs
associated with the controller, the speed of network connectivity between a given AP and the controller, and so
on.
• We recommend that, during the upgrade process, you do not power off the controller or any AP associated
with the controller.
• Controllers support standard SNMP Management Information Base (MIB) files. MIBs can be downloaded
from the Download Software area in Cisco.com.
• The objects under the SNMP table bsnAPIfDot11CountersEntry, such as bsnAPIfDot11RetryCount and
bsnAPIfDot11TransmittedFrameCount, are defined in the SNMP MIB description to use the 802.3
(Ethernet) MAC address of the AP as the index. However, the controller sends the AP radio MAC
address in snmpget, getnext, and getbulk responses, because snmpwalk returns the index using the base
radio MAC address instead of the AP Ethernet MAC address.
• You can reduce the network downtime using the following options:
• You can predownload the AP image.
For more information about predownloading the AP image, see the "Predownloading an Image to
an Access Point" section.
• For FlexConnect access points, use the FlexConnect Efficient AP upgrade feature to reduce traffic
between the controller and the AP (main site and the branch).
For more information about configuring FlexConnect AP upgrades, see the Configuring FlexConnect
AP Upgrades for FlexConnect APs section.
Upgrading Controller Software (GUI)
Before you begin
Before upgrading the controller software, we recommend that you consult relevant release notes for any
release-specific restrictions.
Step 1
Upload your controller configuration files to a server to back them up.
Note
We highly recommend that you back up the controller's configuration files prior to upgrading the
controller software. Otherwise, you must manually reconfigure the controller.
Step 2
Get the controller software image by following these steps:
a) Browse to http://www.cisco.com/cisco/software/navigator.html.
b) Choose Wireless > Wireless LAN Controller.
The following options are available: Integrated Controllers and Controller Modules, Mobility Express, and
Standalone Controllers.
c) Depending on your controller platform, click one of the above options.
d) Click the controller model number or name. The Download Software page is displayed.
e) Click a controller software release. The software releases are labeled as follows to help you determine which release
to download:
Early Deployment (ED)—These software releases provide new features, new hardware platform support, and bug
fixes.
Maintenance Deployment (MD)—These software releases provide bug fixes and ongoing software maintenance.
Deferred (DF)—These software releases have been deferred. We recommend that you migrate to an upgraded
release.
f) Choose a software release number.
g) Click the filename (filename.aes).
h) Click Download.
i) Read Cisco's End User Software License Agreement and then click Agree.
j) Save the file to your hard drive.
k) Repeat steps a through k to download the remaining file.
Step 3
Copy the controller software image (filename.aes) to the default directory on your TFTP or FTP server.
Note
In Release 8.1 and later releases, transfer over HTTP is also supported.
Note
In 8.3, 8.4, and 8.5 releases, for Cisco 2504 WLC, 5508 WLC, and WiSM2, the Cisco WLC software image
is split into two images: Base Install Image and Supplementary AP Bundle Image. Therefore, to upgrade to
8.3, 8.4, or 8.5 release, you must repeat Step 2 through Step 14 to complete the installation of both Base
Install Image and Supplementary AP Bundle Image.
Download the Supplementary AP Bundle Image only if you are using any of these APs: AP80x, Cisco Aironet
1550 Series AP (with 64-MB memory), Cisco Aironet 1550 Series AP (with 128-MB memory), Cisco Aironet
1570 Series APs, and/or Cisco Aironet 1600 APs.
Step 4
(Optional) Disable the 802.11 networks.
Note
For busy networks, controllers on high utilization, or small controller platforms, we recommend that you
disable the 802.11 networks as a precautionary measure.
Step 5
Choose Commands > Download File to open the Download File to Controller page.
Step 6
From the File Type drop-down list, choose Code.
Step 7
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP (available in 7.4 and later releases)
• HTTP (available in 8.1 and later releases)
Step 8
In the IP Address field, enter the IP address of the server.
Step 9
(Optional) If you are using a TFTP server, the default values of 10 retries for the Maximum Retries text field, and 6
seconds for the Timeout text field should work correctly without any adjustment. However, you can change these values
if desired. To do so, enter the maximum number of times that the TFTP server attempts to download the software in
the Maximum Retries field and the amount of time (in seconds) that the TFTP server attempts to download the software
in the Timeout field.
Step 10
In the File Path field, enter the directory path of the software.
Step 11
In the File Name field, enter the name of the controller software file (filename.aes).
Step 12
If you are using an FTP server, follow these steps:
a) In the Server Login Username field, enter the username to log into the FTP server.
b) In the Server Login Password field, enter the password to log into the FTP server.
c) In the Server Port Number field, enter the port number on the FTP server through which the download occurs.
The default value is 21.
Step 13
Click Download to download the software to the controller. A message is displayed indicating the status of the download.
Note
In 8.3, 8.4, and 8.5 releases, for Cisco 2504 WLC, 5508 WLC, and WiSM2, the Cisco WLC software image
is split into two images: Base Install Image and Supplementary AP Bundle Image. Therefore, to upgrade to
8.3, 8.4, or 8.5 release, you must repeat Step 2 through Step 14 to complete the installation of both Base
Install Image and Supplementary AP Bundle Image.
Download the Supplementary AP Bundle Image only if you are using any of these APs: AP80x, Cisco Aironet
1550 Series AP (with 64-MB memory), Cisco Aironet 1550 Series AP (with 128-MB memory), Cisco Aironet
1570 Series APs, and/or Cisco Aironet 1600 APs.
Step 14
(Optional) After the download is complete, you can choose to predownload the image to your access points. For more
information, see the "Predownloading an Image to an Access Point" section.
Step 15
Click Reboot to reboot the controller.
Step 16
If prompted to save your changes, click Save and Reboot.
Step 17
Click OK to confirm.
Step 18
After the controller reboots, repeat step 6 to step 16 to install the remaining file.
Step 19
For Cisco WiSM2, reenable the controller port channel on the Catalyst switch.
Step 20
If you have disabled the 802.11 networks, reenable them.
Step 21
To verify the controller software version, choose Monitor on the controller GUI and see Software Version in the
Controller Summary area.
Upgrading Controller Software (CLI)
Before you begin
Before upgrading the controller software, we recommend that you consult relevant release notes for any
release-specific restrictions.
Step 1
Upload your controller configuration files to a server to back them up.
Note
We highly recommend that you back up your controller's configuration files prior to upgrading the controller
software. Otherwise, you must manually reconfigure the controller.
Step 2
Get the controller software image by following these steps:
a) Browse to http://www.cisco.com/cisco/software/navigator.html.
b) Choose Wireless > Wireless LAN Controller.
The following options are available: Integrated Controllers and Controller Modules, Mobility Express, and
Standalone Controllers.
c) Depending on your controller platform, click one of the above options.
d) Click the controller model number or name. The Download Software page is displayed.
e) Click a controller software release. The software releases are labeled as follows to help you determine which release
to download:
Early Deployment (ED)—These software releases provide new features, new hardware platform support, and bug
fixes.
Maintenance Deployment (MD)—These software releases provide bug fixes and ongoing software maintenance.
Deferred (DF)—These software releases have been deferred. We recommend that you migrate to an upgraded
release.
f) Choose a software release number.
g) Click the filename (filename.aes).
h) Click Download.
i) Read Cisco's End User Software License Agreement and then click Agree.
j) Save the file to your hard drive.
k) Repeat steps a through k to download the remaining file.
Step 3
Copy the controller software image (filename.aes) to the default directory on your TFTP or FTP server.
Note
In Release 8.3, for Cisco 2504 WLC, 5508 WLC, and WiSM2, the Cisco WLC software image is split into
two images: Base Install Image and Supplementary AP Bundle Image. Therefore, to upgrade to Release 8.3
or later supported releases, you must repeat Step 2 through Step 11 to complete the installation of both Base
Install Image and Supplementary AP Bundle Image.
Download the Supplementary AP Bundle Image only if you are using any of these APs: AP80x, Cisco Aironet
1530 Series AP, Cisco Aironet 1550 Series AP (with 64-MB memory), Cisco Aironet 1550 Series AP (with
128-MB memory), Cisco Aironet 1570 Series APs, and/or Cisco Aironet 1600 Series APs.
Step 4
Log onto the controller CLI.
Step 5
On the controller CLI over Telnet or SSH, enter the ping server-ip-address command to verify that the controller can
contact the TFTP or FTP server.
Step 6
(Optional) Disable the 802.11 networks by entering this command:
config 802.11{a | b} disable network
Note
For busy networks, controllers on high utilization, or small controller platforms, we recommend that you
disable the 802.11 networks as a precautionary measure.
Step 7
View current download settings by entering the transfer download start command. Press n at the prompt to view the
current download settings.
Step 8
Change the download settings, if necessary, by entering these commands:
• transfer download mode {tftp | ftp | sftp}
• transfer download datatype code
• transfer download serverip server-ip-address
• transfer download filename filename
• transfer download path server-path-to-file
Note
Pathnames on a TFTP or FTP server are relative to the server’s default or root directory. For example,
in the case of the Solaris TFTP server, the path is “/”.
(Optional) If you are using a TFTP server, also enter these commands:
• transfer download tftpMaxRetries retries
• transfer download tftpPktTimeout timeout
Note
The default values of 10 retries and a 6-second timeout should work correctly without any adjustment.
However, you can change these values. To do so, enter the maximum number of times that the TFTP
server attempts to download the software for the retries parameter and the amount of time (in seconds)
that the TFTP server attempts to download the software for the timeout parameter.
If you are using an FTP server, also enter these commands:
• transfer download username username
• transfer download password password
• (Optional) transfer download port port
Note
The default value for the port parameter is 21.
Step 9
View the current updated settings by entering the transfer download start command. Press y at the prompt to confirm
the current download settings and start the software download.
Step 10
(Optional) After the download is complete, you can choose to predownload the image to your access points. For more
information, see the "Predownloading an Image to an Access Point" section.
Step 11
Save the code update to NVRAM and reboot the controller by entering this command:
reset system
The controller completes the bootup process.
Step 12
After the controller reboots, repeat Steps 7 through 11 to install the remaining file.
Step 13
For Cisco WiSM2, re-enable the controller port channel on the Catalyst switch.
Step 14
If you have disabled the 802.11 networks in Step 6, reenable them by entering this command:
config 802.11{a | b} enable network
Step 15
To verify the controller software that is installed, enter the show sysinfo command and see Product Version.
Step 16
(Optional) To verify the Cisco Unified Wireless Network Controller Boot Software file that is installed on the controller,
enter the show sysinfo command on the controller CLI and see Recovery Image Version or Emergency Image Version.
Note
If a Cisco Unified Wireless Network Controller Boot Software ER.aes file is not installed, Recovery Image
Version or Emergency Image Version show 'N/A.'
Predownloading an Image to an Access Point
To minimize network outages, you can download an upgrade image to the access point from the controller
without resetting the access point or losing network connectivity. Previously, you would download an upgrade
image to the controller and reset it, which causes the access point to go into discovery mode. After the access
point discovers the controller with the new image, the access point downloads the new image, resets, goes
into discovery mode, and rejoins the controller.
You can now download the upgrade image to the controller and then download the image to the access point
while the network is still operational. You can also schedule a reboot of the controller and access points, either
after a specified amount of time or at a specific date and time. When both devices are up, the access point
discovers and rejoins the controller.
Concurrent Controller to AP Image Upgrade
This table lists the controllers and their maximum concurrent AP image download support.
Controller                           Maximum Number of Concurrent AP Image Downloads Supported
Cisco 2504 Wireless Controller       75
Cisco 5508 Wireless Controller       500
Cisco 5520 Wireless Controller       1000
Cisco Flex 7510 Wireless Controller  1000
Cisco 8510 Wireless Controller       1000
Cisco 8540 Wireless Controller       1000
Cisco WiSM2                          500
Cisco vWLC                           1000
Flash Memory Requirements on Access Points
This table lists the Cisco AP models and the minimum amount of free flash memory required for the
predownload process to work:
Cisco AP     Minimum Free Flash Memory Required
3700(I/E)    16 MB
3600(I/E)    14 MB
3502(I/E)    14 MB
2700(I/E)    16 MB
2602(I/E)    14 MB
1700(I/E)    16 MB
1602(I/E)    12 MB
1262         14 MB
1142         12 MB
Note
• The required flash memory can vary based on the radio type and the number of antennas used.
• This predownload feature is not supported on 1242 and 1131 Cisco AP models.
• Cisco AP1142 has 32 MB of total flash memory and can support the predownload feature.
• During the predownloading of image to APs, some APs do not have enough memory to keep the current
radio firmware available. After the image has been predownloaded, these APs have the image only on
flash memory and no other memory is available to host the current image or version radio firmware. The
APs that have this limitation are as follows: Cisco Aironet 700, 1140, 1260, 1520, 1530, 1550, 1600,
3500, and 3600 Series APs.
For more information about this limitation, see CSCvg41698.
• As part of the fix for CSCvb75682, if the flash memory of Cisco Aironet 1700, 2700, and 3700 Series
APs is less than 10 Mb and a recovery image is present, the backup images in these APs are deleted.
Access Point Predownload Process
The access point predownload feature works as follows:
• The controller image is downloaded.
• (Optional) The primary image becomes the backup image of the controller and the downloaded
image becomes the new primary image. Change the current boot image as the backup image by
using the config boot backup command to ensure that if a system failure occurs, the controller
boots with the last working image of the controller.
• Start the AP image predownload procedure for all joined APs or a specific AP, by entering the
config ap image predownload primary {all | ap-name} command.
• The upgrade image is downloaded as the backup image on the APs. You can verify this by using
the show ap image all command.
• Change the boot image to primary image manually using the config boot primary command and
reboot the controller for the upgrade image to be activated.
or
• You issue a scheduled reboot with the swap keyword. The swap keyword swaps the primary and
backup images on the access point and swaps the currently active image on the controller with the
controller's backup image.
• When the controller reboots, the access points are disassociated and eventually come up with an
upgraded image. Once the controller responds to the discovery request sent by an access point with
its discovery response packet, the access point sends a join request.
• The actual upgrade of the images occurs. The following sequence of actions occurs:
• During boot time, the access point sends a join request.
• The controller responds with the join response with the image version that the controller is running.
• The access point compares its running image with the running image on the controller. If the versions
match, the access point joins the controller.
• If the versions do not match, the access point compares the version of the backup image and if they
match, the access point swaps the primary and backup images and reloads and subsequently joins
the controller.
• If the primary image of the access point is the same as the controller image, the access point reloads
and joins the controller.
• If none of the above conditions are true, the access point sends an image data request to the controller,
downloads the latest image, reloads, and joins the controller.
Note
Normally, when the image of an AP is upgraded, the AP cannot serve clients while the upgrade is in progress,
which adds to the downtime. The preimage download feature can be used to reduce the amount of time the
AP is unavailable to serve clients. However, in the case of a branch office setup, the upgrade images are still
downloaded to each AP over the WAN link, which has a higher latency.
A more efficient way is to use the FlexConnect AP Image Upgrade feature. When this feature is enabled, one
AP of each model in the local network first downloads the upgrade image over the WAN link. For more
information about FlexConnect AP upgrades, see the "FlexConnect AP Image Upgrades" chapter.
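The join-time image checks listed above, modelled in Python as an added example (this is not Cisco code and not part of the guide). The AP names, the version strings, and the image slots are constructed for illustration; plan_fleet() extends the per-AP decision to a whole fleet so that, before a scheduled reboot, you can see how many APs would still pull a full image from the controller over the WAN.

```python
"""Model of the join-time image checks an AP performs after a predownload.

Added example, not Cisco code. It follows the ordered checks in the guide:
running image, then backup image, then primary image, else a full download.
AP names and version strings used here are constructed for illustration.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List


class Action(Enum):
    JOIN = "join with the running image"
    SWAP_RELOAD_JOIN = "swap primary/backup images, reload, join"
    RELOAD_JOIN = "reload into the primary image, join"
    DOWNLOAD_RELOAD_JOIN = "download image from controller, reload, join"


@dataclass(frozen=True)
class ApImages:
    name: str
    running: str   # image the AP is currently executing
    primary: str   # image slot the AP boots from next
    backup: str    # second slot; a predownloaded upgrade image lands here


def join_action(ap: ApImages, controller_version: str) -> Action:
    """Return the AP's action, applying the guide's checks in order."""
    if ap.running == controller_version:
        return Action.JOIN                  # versions match: join directly
    if ap.backup == controller_version:
        return Action.SWAP_RELOAD_JOIN      # predownloaded image is usable
    if ap.primary == controller_version:
        return Action.RELOAD_JOIN           # swapped earlier, not yet booted
    return Action.DOWNLOAD_RELOAD_JOIN      # no local copy: full download


def after_action(ap: ApImages, action: Action, controller_version: str) -> ApImages:
    """Image slots the AP ends up with once the action has completed."""
    if action is Action.JOIN:
        return ap
    if action is Action.SWAP_RELOAD_JOIN:
        return replace(ap, running=ap.backup, primary=ap.backup, backup=ap.primary)
    if action is Action.RELOAD_JOIN:
        return replace(ap, running=ap.primary)
    # Full download. Assumption (the guide does not say): the downloaded
    # image becomes primary and the old primary is kept as backup.
    return replace(ap, running=controller_version,
                   primary=controller_version, backup=ap.primary)


def plan_fleet(aps: List[ApImages], controller_version: str) -> Dict[Action, List[str]]:
    """Group AP names by the action each AP will take at join time."""
    plan: Dict[Action, List[str]] = {a: [] for a in Action}
    for ap in aps:
        plan[join_action(ap, controller_version)].append(ap.name)
    return plan


if __name__ == "__main__":
    NEW = "7.4.100.0"   # constructed: controller version after the upgrade
    OLD = "7.3.101.0"   # constructed: version the APs ran before
    fleet = [
        ApImages("ap-hq-01", running=NEW, primary=NEW, backup=OLD),
        ApImages("ap-branch-01", running=OLD, primary=OLD, backup=NEW),
        ApImages("ap-branch-02", running=OLD, primary=NEW, backup=OLD),
        ApImages("ap-branch-03", running="7.2.110.0",
                 primary="7.2.110.0", backup="7.0.220.0"),
    ]
    for action, names in plan_fleet(fleet, NEW).items():
        print(f"{action.value}: {names}")
```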
Guidelines and Restrictions for Predownloading an Image to an Access Point
• The 2600, 3500, and 3600 AP models can store only a single image in the flash. When you reboot the
AP (without rebooting the controller after a pre-download), it will download the current image from the
controller as the current image will be overwritten by the pre-downloaded image in the flash.
• The maximum number of concurrent predownloads is limited to half the number of concurrent normal
image downloads. This limitation allows new access points to join the controller during image
downloading.
• If you reach the predownload limit, then the access points that cannot get an image sleep for a time
between 180 to 600 seconds and then reattempt the predownload.
• Before you predownload, you should change the active controller boot image to the backup image to
ensure that if the controller reboots for some reason, it comes back up with the earlier running image,
not the partially downloaded upgrade image.
• This predownload feature is not supported on 1242 and 1131 Cisco AP models.
• When the system time is changed by using the config time command, the time set for a scheduled reset
is not valid and the scheduled system reset is canceled. You are given an option either to cancel the
scheduled reset before configuring the time or retain the scheduled reset and not configure the time.
• All the primary, secondary, and tertiary controllers should run the same images as the primary and backup
images. That is, the primary image of all three controllers should be X and the secondary image of all
three controllers should be Y or the feature is not effective.
Having different versions of the controller software running on primary, secondary, and tertiary controllers
adds unnecessary and protracted delays to APs failing over and joining the other available controllers in
an N+1 setup. This is due to the APs being forced to download different image versions when failing
over to a secondary or tertiary controller, and joining back to their primary controller when it is available.
• At the time of the reset, if any AP is downloading the controller image, the scheduled reset is canceled.
The following message appears with the reason why the scheduled reset was canceled:
%OSAPI-3-RESETSYSTEM_FAILED: osapi_task.c:4458 System will not reset
as software is being upgraded.
• Predownloading a 7.2 or later version of image on a Cisco Aironet 1240 access point is not supported
when upgrading from a previous controller release. If predownloading is attempted to the Cisco Aironet
1240 access point, the AP gets disconnected.
• There are two images for the 1550 Mesh AP: 1550 with 64 MB memory and 1550 with 128 MB memory.
During the controller upgrade to 7.6 and higher versions, the AP images are downloaded and there are
two reboots.
• If you upgrade from a release that is prior to Release 7.5 directly to Release 7.6.X or a later release, the
predownload process on Cisco AP2600 and AP3600 fails. After the controller is upgraded to Release
7.6.X or a later release, the new image is loaded on Cisco AP2600 and AP3600. After the upgrade to a
Release 7.6.X image, the predownload functionality works as expected. The predownload failure is only
a one-time failure.
• If you upgrade from 8.2 to 8.4 release, the predownload process on Cisco AP1700, AP2700, or AP3700
fails with the following error message:
Not enough free space to download.
After the controller is reloaded with 8.4, the backup image version still shows up as 3.0.
• If an AP is in the process of downloading a software image, the status of the download is not shown on
the controller CLI. During the image download process, any configuration performed on the AP via the
controller CLI is not applied. Therefore, we recommend that you do not perform any configuration on
the AP via the controller CLI if an image download on the AP is in progress.
Predownloading an Image to Access Points—Global Configuration (GUI)
To predownload an image to the APs, you must perform the following steps after upgrading your controller
software image and before you reboot the controller for the new image to take effect.
Step 1
To configure the predownloading of access point images globally, choose Wireless > Access Points > Global
Configuration to open the Global Configuration page.
Step 2
In the AP Image Pre-download section, perform one of the following:
• To instruct all the access points to predownload a primary image from the controller, click Download Primary
under the AP Image Pre-download.
• To instruct all the access points to swap their primary and backup images, click Interchange Image.
• To download an image from the controller and store it as a backup image, click Download Backup.
• To terminate the predownload operation, click Abort Predownload.
Step 3
Click OK.
Step 4
Click Apply.
Predownloading an Image to Access Points (CLI)
To predownload an image to the APs, you must perform the following steps after upgrading your controller
software image and before you reboot the controller for the new image to take effect.
Step 1
Specify APs that will receive the predownload image by entering one of these commands:
• Specify APs for predownload by entering this command:
config ap image predownload {primary | backup} {ap_name | all}
The primary image is the new image; the backup image is the existing image. APs always boot with the primary
image.
• Swap an AP’s primary and backup images by entering this command:
config ap image swap {ap_name | all}
• Display detailed information on APs specified for predownload by entering this command:
show ap image {all | ap-name}
The output lists APs that are specified for predownloading and provides for each AP, primary and secondary image
versions, the version of the predownload image, the predownload retry time (if necessary), and the number of predownload
attempts. The output also includes the predownload status for each device. The status of the APs is as follows:
• None—The AP is not scheduled for predownload.
• Predownloading—The AP is predownloading the image.
• Not supported—The AP (1120, 1230, and 1310) does not support predownloading.
• Initiated—The AP is waiting to get the predownload image because the concurrent download limit has been reached.
• Failed—The AP has failed 64 predownload attempts.
• Complete—The AP has completed predownloading.
Step 2
Set a reboot time for the controller and the APs.
Use one of these commands to schedule a reboot of the controller and APs:
• Specify the amount of time delay before the devices reboot by entering this command:
reset system in HH:MM:SS image {swap | no-swap} reset-aps [save-config]
Note
The swap operand in the reset command will result in the swapping of the primary and backup images
on both the controller and the AP and sets the default flag on the next controller reboot.
The controller sends a reset message to all joined APs, and then the controller resets.
• Specify a date and time for the devices to reboot by entering this command:
reset system at YYYY-MM-DD HH:MM:SS image {swap | no-swap} reset-aps [save-config]
The controller sends a reset message to all joined APs, and then the controller resets.
Note
The swap operand in the reset command will result in the swapping of the primary and backup images
on both the controller and the AP.
• (Optional) Set up an SNMP trap message that announces the upcoming reset by entering this command:
reset system notify-time minutes
The controller sends the announcement trap the configured number of minutes before the reset.
• Cancel the scheduled reboot by entering this command:
reset system cancel
Note
If you configure reset times and then use the config time command to change the system time on the
controller, the controller notifies you that any scheduled reset times will be canceled and must be
reconfigured after you set the system time.
Use the show reset command to display scheduled resets.
Information similar to the following appears:
System reset is scheduled for Apr 08 01:01:01 2010.
Current local time and date is Apr 07 02:57:44 2010.
A trap will be generated 10 minutes before each scheduled system reset.
Use 'reset system cancel' to cancel the reset.
Configuration will be saved before the system reset.
Transferring Files to and from a Controller
Controllers have built-in utilities for uploading and downloading various files. Follow the instructions in these
sections to import files using either the controller GUI or CLI:
Downloading a Login Banner File
You can download a login banner file using either the GUI or the CLI. The login banner is the text that appears
on the page before user authentication when you access the controller GUI or CLI using Telnet, SSH, or a
console port connection.
You save the login banner information as a text (*.txt) file. The text file cannot be larger than 1296 characters
and cannot have more than 16 lines of text.
Note
The ASCII character set consists of printable and nonprintable characters. The login banner supports only
printable characters.
Here is an example of a login banner:
Welcome to the Cisco Wireless Controller!
Unauthorized access prohibited.
Contact [email protected] for access.
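An added checker (not part of the guide and not Cisco software) that validates a banner text file against the limits stated above, 1296 characters, 16 lines, and printable ASCII only, before the file is copied to the TFTP or FTP server. The sample banner text inside the block is constructed, and counting line separators toward the character limit is an assumption.

```python
"""Check a login banner text file against the controller's limits.

Added example, not Cisco code. The limits come from the guide: at most
1296 characters, at most 16 lines, printable ASCII characters only.
Whether line separators count toward the character limit is not stated,
so this checker counts them (the conservative reading).
"""
import string
from dataclasses import dataclass, field
from typing import List

MAX_CHARS = 1296
MAX_LINES = 16

# Printable ASCII as the guide uses the term: letters, digits, punctuation
# and space. Tab and other control characters are rejected.
_PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

# Constructed sample banner (not the guide's text).
SAMPLE_BANNER = (
    "Welcome to the Cisco Wireless Controller!\n"
    "Unauthorized access prohibited.\n"
    "Contact the network operations team for access.\n"
)


@dataclass
class BannerReport:
    ok: bool
    chars: int
    lines: int
    problems: List[str] = field(default_factory=list)


def check_banner_text(text: str) -> BannerReport:
    """Return a report listing every limit the banner text violates."""
    problems: List[str] = []
    # A banner edited on Windows arrives with CRLF; treat it as one separator.
    text = text.replace("\r\n", "\n")
    lines = text.split("\n")
    if lines and lines[-1] == "":       # a trailing newline is not an extra line
        lines.pop()
    nchars = len(text)
    if nchars > MAX_CHARS:
        problems.append(f"{nchars} characters exceeds the {MAX_CHARS} limit")
    if len(lines) > MAX_LINES:
        problems.append(f"{len(lines)} lines exceeds the {MAX_LINES} limit")
    for lineno, line in enumerate(lines, start=1):
        bad = sorted({c for c in line if c not in _PRINTABLE})
        if bad:
            problems.append(f"line {lineno}: non-printable or non-ASCII {bad!r}")
    return BannerReport(not problems, nchars, len(lines), problems)


def check_banner_file(path: str) -> BannerReport:
    """Read the file as bytes so a non-ASCII encoding is caught up front."""
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as err:
        return BannerReport(False, len(raw), 0,
                            [f"byte offset {err.start}: not an ASCII character"])
    return check_banner_text(text)


if __name__ == "__main__":
    report = check_banner_text(SAMPLE_BANNER)
    print("OK" if report.ok else "REJECTED",
          f"({report.chars} chars, {report.lines} lines)")
    for problem in report.problems:
        print(" -", problem)
```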
Follow the instructions in this section to download a login banner to the controller through the GUI or CLI.
However, before you begin, make sure that you have a TFTP or FTP server available for the file download.
Follow these guidelines when setting up a TFTP or FTP server:
• If you are downloading through the service port, the TFTP or FTP server must be on the same subnet as
the service port because the service port is not routable, or you must create static routes on the controller.
• If you are downloading through the distribution system network port, the TFTP or FTP server can be on
the same or a different subnet because the distribution system port is routable.
Downloading a Login Banner File (GUI)
Step 1
Copy the login banner file to the default directory on your server.
Step 2
Choose Commands > Download File to open the Download File to Controller page.
Step 3
From the File Type drop-down list, choose Login Banner.
Step 4
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP
Step 5
In the IP Address field, enter the IP address of the server type you chose in Step 4.
If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout
fields should work correctly without any adjustment. However, you can change these values.
Step 6
(Optional) Enter the maximum number of times that the TFTP server attempts to download the login banner file in the
Maximum Retries field and the amount of time (in seconds) that the TFTP server attempts to download the login banner
file in the Timeout field.
Step 7
In the File Path field, enter the directory path of the login banner file.
Step 8
In the File Name field, enter the name of the login banner text (*.txt) file.
Step 9
If you are using an FTP server, follow these steps:
a) In the Server Login Username field, enter the username to log into the FTP server.
b) In the Server Login Password field, enter the password to log into the FTP server.
c) In the Server Port Number field, enter the port number on the FTP server through which the download occurs.
The default value is 21.
Step 10
Click Download to download the login banner file to the controller. A message appears indicating the status of the
download.
Downloading a Login Banner File (CLI)
Step 1
Log onto the controller CLI.
Step 2
Specify the transfer mode used to download the login banner file by entering this command:
transfer download mode {tftp | ftp | sftp}
Step 3
Specify the login banner as the type of file to download by entering this command:
transfer download datatype login-banner
Step 4
Specify the IP address of the TFTP or FTP server by entering this command:
transfer download serverip server-ip-address
Step 5
Specify the directory path of the login banner file by entering this command:
transfer download path server-path-to-file
Step 6
Specify the name of the login banner file to be downloaded by entering this command:
transfer download filename filename.txt
Step 7
(Optional) If you are using a TFTP server, enter these commands:
• transfer download tftpMaxRetries retries
• transfer download tftpPktTimeout timeout
Note
The default values of 10 retries and a 6-second timeout should work correctly without any adjustment.
However, you can change these values. To do so, enter the maximum number of times that the TFTP
server attempts to download the file for the retries parameter and the amount of time (in seconds)
that the TFTP server attempts to download the file for the timeout parameter.
Step 8
If you are using an FTP server, enter these commands:
• transfer download username username
• transfer download password password
• transfer download port port
Note
The default value for the port parameter is 21.
Step 9
View the download settings by entering the transfer download start command. Enter y when prompted to confirm the
current settings and start the download process.
Clearing the Login Banner (GUI)
Step 1
Choose Commands > Login Banner to open the Login Banner page.
Step 2
Click Clear.
Step 3
When prompted, click OK to clear the banner.
To clear the login banner from the controller using the controller CLI, enter the clear login-banner command.
Downloading Device Certificates
Each wireless device (controller, access point, and client) has its own device certificate. For example, the
controller is shipped with a Cisco-installed MIC device certificate.
Note
For more information about configuring local EAP, see the "Configuring Local EAP" section.
Follow the instructions in this section to download a vendor-specific device certificate to the controller through
the GUI or CLI. However, before you begin, make sure you have a TFTP or FTP server available for the
certificate download. Follow these guidelines when setting up a TFTP or FTP server:
• If you are downloading through the service port, the TFTP or FTP server must be on the same subnet as
the service port because the service port is not routable, or you must create static routes on the controller.
• If you are downloading through the distribution system network port, the TFTP or FTP server can be on
the same or a different subnet because the distribution system port is routable.
• A third-party TFTP or FTP server cannot run on the same computer as Cisco Prime Infrastructure because
the Prime Infrastructure built-in TFTP or FTP server and the third-party TFTP or FTP server require the
same communication port.
Note
All certificates downloaded to the controller must be in PEM format.
Note
Clients using Microsoft Windows 10 with default (zero-touch config) supplicant fail to connect to controller
when there is no CA certificate to validate the server certificate. This is because the supplicant does not pop
up a window to accept the server certificate and silently rejects the 802.1X authentication. Therefore, we
recommend that you do either of the following:
• Manually install a third-party CA certificate on the AAA server, which the clients using Microsoft
Windows 10 can trust.
• Use any other supplicant, such as Cisco AnyConnect, which pops up a window to trust or not trust the
server certificate. If you accept the trust certificate, then the client is authenticated.
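The PEM requirement in the note above, as an added example that is not part of this guide or of Cisco's software: a standard-library Python pre-flight check that a file really is PEM before it is transferred to the controller, and that reports what it contains (how many certificates, whether a private key is included, and whether that key is password-protected, which is when the certificate password on the download page matters). The sample inputs are constructed, the block labels and the Proc-Type/DEK-Info encapsulated headers are standard PEM conventions, and the function names are my own.

```python
"""Pre-flight check of a PEM file before it is transferred to the controller.

Added example (not Cisco code): the controller accepts certificates only in
PEM format, so this stdlib-only helper verifies that a file really is PEM
(matching BEGIN/END markers, valid base64, DER content) and reports what it
holds. The sample inputs below are constructed.
"""
import base64
import binascii
import re

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def parse_pem(text):
    """Return a list of (label, headers, der_bytes) for every PEM block in text.

    Raises ValueError when the input is not well-formed PEM.
    """
    blocks = []
    label, headers, body = None, [], []
    for raw in text.splitlines():
        line = raw.strip()          # tolerate CRLF line endings and trailing blanks
        if label is None:
            m = _BEGIN.match(line)
            if m:                   # text outside a block (e.g. openssl's text dump) is ignored
                label, headers, body = m.group(1), [], []
            continue
        m = _END.match(line)
        if m:
            if m.group(1) != label:
                raise ValueError(f"END {m.group(1)!r} does not match BEGIN {label!r}")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"{label}: body is not valid base64 ({exc})") from None
            if not der:
                raise ValueError(f"{label}: empty body")
            blocks.append((label, headers, der))
            label = None
        elif ":" in line and not body:
            headers.append(line)    # RFC 1421 encapsulated header, e.g. Proc-Type / DEK-Info
        elif line:
            body.append(line)
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    if not blocks:
        raise ValueError("no PEM blocks found; DER or PKCS#12 input must be converted to PEM first")
    return blocks


def describe_pem(text):
    """Summarise a PEM file: block counts, key protection, and anything that looks wrong."""
    report = {"certificates": 0, "private_keys": 0, "encrypted_key": False, "issues": []}
    for label, headers, der in parse_pem(text):
        if der[0] != 0x30:          # X.509 certificates and PKCS#1/PKCS#8 keys are DER SEQUENCEs
            report["issues"].append(f"{label}: body does not decode to a DER SEQUENCE")
        if label.endswith("CERTIFICATE"):
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            legacy_encrypted = any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
            if label.startswith("ENCRYPTED") or legacy_encrypted:
                report["encrypted_key"] = True
        else:
            report["issues"].append(f"unexpected block type {label!r}")
    if report["private_keys"] > 1:
        report["issues"].append("file contains more than one private key")
    return report


def _fake_der():
    """Constructed DER-looking bytes (SEQUENCE header plus filler); not a real certificate or key."""
    return b"\x30\x82\x00\x20" + bytes(range(32))


def _pem_block(label, der, headers=()):
    """Wrap DER bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")            # blank line separates encapsulated headers from the body
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


# Constructed sample: a device certificate plus a legacy-format encrypted private key.
SAMPLE_DEVICE_BUNDLE = _pem_block("CERTIFICATE", _fake_der()) + _pem_block(
    "RSA PRIVATE KEY", _fake_der(),
    headers=["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"],
)
# Constructed sample that is not PEM at all (what a DER file looks like to this parser).
SAMPLE_NOT_PEM = "0\x82\x01\x00binary certificate bytes"

if __name__ == "__main__":
    print(describe_pem(SAMPLE_DEVICE_BUNDLE))
    try:
        describe_pem(SAMPLE_NOT_PEM)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it against the file you intend to place on the TFTP, FTP or SFTP server; a ValueError means the file is not PEM and the controller download will not succeed, while a report with encrypted_key set tells you the certificate password step cannot be skipped.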
Downloading Device Certificates (GUI)
Step 1
Copy the device certificate to the default directory on your server.
Step 2
Choose Commands > Download File to open the Download File to Controller page.
Step 3
From the File Type drop-down list, choose Vendor Device Certificate.
Step 4
In the Certificate Password text box, enter the password that was used to protect the certificate.
Step 5
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP (available in 7.4 and later releases)
Step 6
In the IP Address text box, enter the IP address of the server.
If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout
text boxes should work correctly without any adjustment. However, you can change these values.
Step 7
Enter the maximum number of times that the TFTP server attempts to download the certificate in the Maximum Retries
text box and the amount of time (in seconds) that the TFTP server attempts to download the certificate in the Timeout
text box.
Step 8
In the File Path text box, enter the directory path of the certificate.
Step 9
In the File Name text box, enter the name of the certificate.
Step 10
If you are using an FTP server, follow these steps:
a) In the Server Login Username text box, enter the username to log into the FTP server.
b) In the Server Login Password text box, enter the password to log into the FTP server.
c) In the Server Port Number text box, enter the port number on the FTP server through which the download occurs.
The default value is 21.
Step 11
Click Download to download the device certificate to the controller. A message appears indicating the status of the
download.
Step 12
After the download is complete, choose Commands > Reboot > Reboot.
Step 13
If prompted to save your changes, click Save and Reboot.
Step 14
Click OK to confirm your decision to reboot the controller.
Downloading Device Certificates (CLI)
Step 1
Log onto the controller CLI.
Step 2
Specify the transfer mode used to download the certificate by entering this command:
transfer download mode {tftp | ftp | sftp}
Step 3
Specify the type of the file to be downloaded by entering this command:
transfer download datatype eapdevcert
Step 4
Specify the password that was used to protect the certificate's private key by entering this command:
transfer download certpassword password
Step 5
Specify the IP address of the TFTP or FTP server by entering this command:
transfer download serverip server-ip-address
Step 6
Specify the directory path of the certificate file by entering this command:
transfer download path server-path-to-file
Step 7
Specify the name of the certificate file to be downloaded by entering this command:
transfer download filename filename.pem
Step 8
(Optional) If you are using a TFTP server, enter these commands:
• transfer download tftpMaxRetries retries
• transfer download tftpPktTimeout timeout
Note
The default values of 10 retries and a 6-second timeout should work correctly without any adjustment.
However, you can change these values. To do so, enter the maximum number of times that the TFTP
server attempts to download the file for the retries parameter and the amount of time (in seconds)
that the TFTP server attempts to download the file for the timeout parameter.
Step 9
If you are using an FTP server, enter these commands (skip this step if you are not using FTP server):
• transfer download username username
• transfer download password password
• transfer download port port
Note
The default value for the port parameter is 21.
Step 10
View the updated settings by entering the transfer download start command. Answer y when prompted to confirm
the current settings and start the download process.
Step 11
Reboot the controller by entering this command:
reset system
Uploading Device Certificates
Uploading Device Certificates (GUI)
Step 1
Choose Commands > Upload File to open the Upload File from Controller page.
Step 2
From the File Type drop-down list, choose IPSec Device Certificate.
Step 3
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP
Step 4
In the IP Address text box, enter the IP address of the server.
Step 5
In the File Path text box, enter the directory path of the certificate.
Step 6
In the File Name text box, enter the name of the certificate.
Step 7
If you are using an FTP server, follow these steps (skip this step if you are not using FTP server):
a) In the Server Login Username text box, enter the username to log on to the FTP server.
b) In the Server Login Password text box, enter the password to log on to the FTP server.
c) In the Server Port Number text box, enter the port number on the FTP server through which the upload occurs.
The default value is 21. For SFTP, the default value is 22.
Step 8
Click Upload to upload the device certificate from the controller. A message appears indicating the status of the upload.
Step 9
After the upload is complete, choose Commands > Reboot > Reboot.
Step 10
If prompted to save your changes, click Save and Reboot.
Step 11
Click OK to confirm your decision to reboot the controller.
Uploading Device Certificates (CLI)
Step 1
Log on to the controller CLI.
Step 2
Specify the type of the file to be uploaded by entering this command:
transfer upload datatype ipsecdevcert
Step 3
Specify the transfer mode used to upload the file by entering this command:
transfer upload mode {tftp | ftp | sftp}
Step 4
Specify the IP address of the TFTP or FTP server by entering this command:
transfer upload serverip server-ip-address
Step 5
Specify the directory path of the file by entering this command:
transfer upload path server-path-to-file
Step 6
Specify the name of the file to be uploaded by entering this command:
transfer upload filename filename
Step 7
If you are using an FTP server, enter these commands (skip this step if you are not using FTP server):
• transfer upload username username
• transfer upload password password
• transfer upload port port
Note
The default value for the port parameter is 21. For SFTP, the default value is 22.
Step 8
View the updated settings by entering the transfer upload start command. Answer y when prompted to confirm the
current settings and start the upload process.
Step 9
Reboot the controller by entering the reset system command.
Downloading CA Certificates
Controllers and access points have a Certificate Authority (CA) certificate that is used to sign and validate
device certificates. The controller is shipped with a Cisco-installed CA certificate. This certificate may be
used by EAP-FAST (when not using PACs), EAP-TLS, PEAP-GTC, and PEAP-MSCHAPv2 to authenticate
wireless clients during local EAP authentication. However, if you want to use your own vendor-specific CA
certificate, it must be downloaded to the controller.
Note
For more information about configuring local EAP, see the "Configuring Local EAP" section.
Follow the instructions in this section to download CA certificates to the controller through the GUI or CLI.
However, before you begin, make sure that you have a TFTP or FTP server available for the certificate
download. Follow these guidelines when setting up a TFTP or FTP server:
• If you are downloading through the service port, the TFTP or FTP server must be on the same subnet as
the service port because the service port is not routable, or you must create static routes on the controller.
• If you are downloading through the distribution system network port, the TFTP or FTP server can be on
the same or a different subnet because the distribution system port is routable.
• A third-party TFTP or FTP server cannot run on the same computer as Cisco Prime Infrastructure because
the Prime Infrastructure built-in TFTP or FTP server and the third-party TFTP or FTP server require the
same communication port.
Note
All certificates downloaded to the controller must be in PEM format.
Downloading CA Certificates (GUI)
Step 1
Copy the CA certificate to the default directory on your server.
Step 2
Choose Commands > Download File to open the Download File to Controller page.
Step 3
From the File Type drop-down list, choose Vendor CA Certificate.
Step 4
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP (available in 7.4 and later releases)
Step 5
In the IP Address text box, enter the IP address of the server.
If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout
text boxes should work correctly without any adjustment. However, you can change these values.
Step 6
Enter the maximum number of times that the TFTP server attempts to download the certificate in the Maximum Retries
text box and the amount of time (in seconds) that the TFTP server attempts to download the certificate in the Timeout
text box.
Step 7
In the File Path text box, enter the directory path of the certificate.
Step 8
In the File Name text box, enter the name of the certificate.
Step 9
If you are using an FTP server, follow these steps:
a) In the Server Login Username text box, enter the username to log on to the FTP server.
b) In the Server Login Password text box, enter the password to log on to the FTP server.
c) In the Server Port Number text box, enter the port number on the FTP server through which the download occurs.
The default value is 21.
Step 10
Click Download to download the CA certificate to the controller. A message appears indicating the status of the
download.
Step 11
After the download is complete, choose Commands > Reboot > Reboot.
Step 12
If prompted to save your changes, click Save and Reboot.
Step 13
Click OK to confirm your decision to reboot the controller.
Downloading CA Certificates (CLI)
Step 1
Log on to the controller CLI.
Step 2
Specify the transfer mode used to download the certificate by entering this command:
transfer download mode {tftp | ftp | sftp}
Step 3
Specify the type of the file to be downloaded (a CA certificate, not a device certificate) by entering this command:
transfer download datatype eapcacert
Step 4
Specify the IP address of the TFTP or FTP server by entering this command:
transfer download serverip server-ip-address
Step 5
Specify the directory path of the certificate file by entering this command:
transfer download path server-path-to-file
Step 6
Specify the name of the certificate file to be downloaded by entering this command:
transfer download filename filename
Step 7
(Optional) If you are using a TFTP server, enter these commands:
• transfer download tftpMaxRetries retries
• transfer download tftpPktTimeout timeout
Note
The default values of 10 retries and a 6-second timeout should work correctly without any adjustment.
However, you can change these values. To do so, enter the maximum number of times that the TFTP
server attempts to download the file for the retries parameter and the amount of time (in seconds)
that the TFTP server attempts to download the file for the timeout parameter.
Step 8
If you are using an FTP server, enter these commands (skip this step if you are not using FTP server):
• transfer download username username
• transfer download password password
• transfer download port port
Note
The default value for the port parameter is 21.
Step 9
View the updated settings by entering the transfer download start command. Answer y when prompted to confirm
the current settings and start the download process.
Step 10
Reboot the controller by entering the reset system command.
Uploading CA Certificates
Uploading CA Certificates (GUI)
Step 1
Choose Commands > Upload File to open the Upload File from Controller page.
Step 2
From the File Type drop-down list, choose IPSec CA Certificate.
Step 3
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP
Step 4
In the IP Address field, enter the IP address of the server.
Step 5
In the File Path field, enter the directory path of the certificate.
Step 6
In the File Name field, enter the name of the certificate.
Step 7
(Optional) If you are using an FTP server, follow these steps (skip this step if you are not using FTP server):
a) In the Server Login Username field, enter the username to log on to the FTP server.
b) In the Server Login Password field, enter the password to log on to the FTP server.
c) In the Server Port Number field, enter the port number on the FTP server through which the upload occurs. The
default value is 21. For SFTP, the default value is 22.
Step 8
Click Upload to upload the CA certificate from the controller. A message appears indicating the status of the upload.
Step 9
If prompted to save your changes, click Save.
Uploading CA Certificates (CLI)
Step 1
Log on to the controller CLI.
Step 2
Specify the type of the file to be uploaded by entering this command:
transfer upload datatype ipseccacert
Step 3
Specify the transfer mode used to upload the file by entering this command:
transfer upload mode {tftp | ftp | sftp}
Step 4
Specify the IP address of the TFTP or FTP server by entering this command:
transfer upload serverip server-ip-address
Step 5
Specify the directory path of the file by entering this command:
transfer upload path server-path-to-file
Step 6
Specify the name of the file to be uploaded by entering this command:
transfer upload filename filename
Step 7
(Optional) If you are using an FTP server, enter these commands (skip this step if you are not using FTP server):
• transfer upload username username
• transfer upload password password
• transfer upload port port
Note
The default value for the port parameter is 21. For SFTP, the default value is 22.
Step 8
View the updated settings by entering the transfer upload start command. Answer y when prompted to confirm the
current settings and start the upload process.
Step 9
Reboot the controller by entering the reset system command.
Uploading PACs for EAP-FAST
Protected access credentials (PACs) are credentials that are either automatically or manually provisioned and
used to perform mutual authentication with a local EAP authentication server during EAP-FAST authentication.
When manual PAC provisioning is enabled, the PAC file is manually generated on the controller.
Follow the instructions in this section to generate and load PACs from the controller through the GUI or CLI.
However, before you begin, make sure you have a TFTP or FTP server available for the PAC upload. Follow
these guidelines when setting up a TFTP or FTP server:
• If you are uploading through the service port, the TFTP or FTP server must be on the same subnet as the
service port because the service port is not routable, or you must create static routes on the controller.
• If you are uploading through the distribution system network port, the TFTP or FTP server can be on
the same or a different subnet because the distribution system port is routable.
This section contains the following subsections: Uploading PACs (GUI) and Uploading PACs (CLI).
Uploading PACs (GUI)
Step 1
Choose Commands > Upload File to open the Upload File from Controller page.
Step 2
From the File Type drop-down list, choose PAC (Protected Access Credential).
Step 3
In the User field, enter the name of the user who will use the PAC.
Step 4
In the Validity field, enter the number of days for the PAC to remain valid. The default setting is zero (0).
Step 5
In the Password and Confirm Password text boxes, enter a password to protect the PAC.
Step 6
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP (available in 7.4 and later releases)
Step 7
In the IP Address (IPv4/IPv6) field, enter the IPv4/IPv6 address of the server.
Step 8
In the File Path field, enter the directory path of the PAC.
Step 9
In the File Name field, enter the name of the PAC file. PAC files have a .pac extension.
Step 10
If you are using an FTP server, follow these steps:
a) In the Server Login Username field, enter the username to log into the FTP server.
b) In the Server Login Password field, enter the password to log into the FTP server.
c) In the Server Port Number field, enter the port number on the FTP server through which the upload occurs. The
default value is 21.
Step 11
Click Upload to upload the PAC from the controller. A message appears indicating the status of the upload.
Step 12
Follow the instructions for your wireless client to load the PAC on your client devices. Make sure to use the password
that you entered above.
Uploading PACs (CLI)
Step 1
Log on to the controller CLI.
Step 2
Specify the transfer mode used to upload the PAC file by entering this command:
transfer upload mode {tftp | ftp | sftp}
Step 3
Upload a Protected Access Credential (PAC) by entering this command:
transfer upload datatype pac
Step 4
Specify the identification of the user by entering this command:
transfer upload pac username validity password
Step 5
Specify the IP address of the TFTP or FTP server by entering this command:
transfer upload serverip server-ip-address
Note
The server supports both IPv4 and IPv6.
Step 6
Specify the directory path of the PAC file by entering this command:
transfer upload path server-path-to-file
Step 7
Specify the name of the PAC file to be uploaded by entering this command:
transfer upload filename manual.pac
Step 8
If you are using an FTP server, enter these commands:
• transfer upload username username
• transfer upload password password
• transfer upload port port
Note
The default value for the port parameter is 21.
Step 9
View the updated settings by entering the transfer upload start command. Answer y when prompted to confirm the
current settings and start the upload process.
Step 10
Follow the instructions for your wireless client to load the PAC on your client devices. Make sure to use the password
that you entered above.
Backing Up and Restoring Controller Configuration
We recommend that you upload your controller's configuration file to a server to back it up. If you lose your
configuration, you can then download the saved configuration to the controller.
Caution
Do not download a configuration file to your controller directly that was uploaded from a different controller
platform. For example, a Cisco 5508 controller does not support the configuration file from a Cisco 2504
controller. To properly convert the configuration files from one controller platform to another, use the WLC
Config Converter tool available at https://cway.cisco.com/tools/WirelessConfigConverter/.
Note
While controller configuration backup is in progress, we recommend you do not initiate any new configuration
or modify any existing configuration settings. This is to avoid corrupting the configuration file.
Follow these guidelines when working with configuration files:
• Any CLI with an invalid value is filtered out and set to default by the XML validation engine. Validation
occurs during bootup. A configuration may be rejected if the validation fails. A configuration may fail
if you have an invalid CLI. For example, if you have a CLI where you try to configure a WLAN without
adding appropriate commands to add the WLAN.
• A configuration may be rejected if the dependencies are not addressed. For example, if you try to configure
dependent parameters without using the add command. The XML validation may succeed but the
configuration download infrastructure will immediately reject the configuration with no validation errors.
• An invalid configuration can be verified by using the show invalid-config command. The show
invalid-config command reports the configuration that is rejected by the controller either as part of
download process or by XML validation infrastructure.
Note
You can also read and modify the configuration file via a text editor, to correct
any incorrect configuration commands. After you are done, you can save the
changes and once again try the configuration download to the controller in
question.
• A wireless client that connects to the controller when Management over Wireless has been enabled can
still conduct an upgrade using the newer HTTP transfer method.
Uploading Configuration Files
You can upload configuration files using either the GUI or the CLI.
Uploading the Configuration Files (GUI)
Step 1
Choose Commands > Upload File to open the Upload File from Controller page.
Step 2
From the File Type drop-down list, choose Configuration.
Step 3
(Optional) Encrypt the configuration file by checking the Configuration File Encryption check box and entering the
encryption key in the Encryption Key field.
Step 4
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP
Step 5
In the IP Address field, enter the IP address of the server.
Step 6
In the File Path field, enter the directory path of the configuration file.
Step 7
In the File Name field, enter the name of the configuration file.
Step 8
If you are using an FTP server, follow these steps:
a) In the Server Login Username field, enter the username to log into the FTP server.
b) In the Server Login Password field, enter the password to log into the FTP server.
c) In the Server Port Number field, enter the port number on the FTP server through which the upload occurs. The
default value is 21.
Step 9
Click Upload to upload the configuration file to the server. A message appears indicating the status of the upload. If the
upload fails, repeat this procedure and try again.
Uploading the Configuration Files (CLI)
Step 1
Specify the transfer mode used to upload the configuration file by entering this command:
transfer upload mode {tftp | ftp | sftp}
Step 2
Specify the type of file to be uploaded by entering this command:
transfer upload datatype config
Step 3
(Optional) Encrypt the configuration file by entering these commands:
• transfer encrypt enable
• transfer encrypt set-key key, where key is the encryption key used to encrypt the file.
Step 4
Specify the IP address of the server by entering this command:
transfer upload serverip server-ip-address
Step 5
Specify the directory path of the configuration file by entering this command:
transfer upload path server-path-to-file
Step 6
Specify the name of the configuration file to be uploaded by entering this command:
transfer upload filename filename
Step 7
If you are using an FTP server, enter these commands to specify the username and password used to log into the FTP
server and the port number through which the upload occurs:
• transfer upload username username
• transfer upload password password
• transfer upload port port
Note
The default value for the port parameter is 21.
Step 8
Initiate the upload process by entering this command:
transfer upload start
Step 9
When prompted to confirm the current settings, answer y.
Information similar to the following appears:
Mode............................................. TFTP
TFTP Server IP................................... 224.0.0.1
TFTP Path........................................ Config/
TFTP Filename.................................... AS_5520_x_Config.xml
Data Type........................................ Config File
Encryption....................................... Disabled
**************************************************
*** WARNING: Config File Encryption Disabled ***
**************************************************
Are you sure you want to start? (y/N) Y
File transfer operation completed successfully.
If the upload fails, repeat this procedure and try again.
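The settings block echoed by transfer upload start is the last chance to catch a bad transfer before answering y. As an added example that is not part of this guide or of Cisco's software, the following standard-library Python helper parses that output (the page's sample is reproduced as one input; a hardened variant with assumed SFTP labels is constructed as the other) and flags cleartext transfer modes, a configuration file moving with encryption disabled, and a server address that cannot be a unicast host. Function names are my own.

```python
"""Audit the settings echoed by 'transfer upload start' / 'transfer download start'.

Added example (not Cisco code). The controller prints its transfer settings as
dotted 'Label........ value' lines and waits for y/N. This helper parses that
block and flags settings worth changing before answering y. Stdlib only.
"""
import ipaddress
import re

_SETTING = re.compile(r"^(?P<label>[A-Za-z][A-Za-z0-9 /_-]*?)\.{2,}\s*(?P<value>.*?)\s*$")


def parse_transfer_settings(output):
    """Turn the controller's dotted settings lines into a dict; other lines are ignored."""
    settings = {}
    for line in output.splitlines():
        m = _SETTING.match(line.strip())
        if m:
            settings[m.group("label").strip()] = m.group("value")
    return settings


def _lookup(settings, suffix):
    """Find a value by label suffix so 'TFTP Server IP' and 'SFTP Server IP' both match."""
    for key, value in settings.items():
        if key.endswith(suffix):
            return value
    return None


def audit_transfer_settings(settings):
    """Return a list of (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    mode = (settings.get("Mode") or "").upper()
    data_type = settings.get("Data Type", "")
    encryption = settings.get("Encryption", "")
    server = _lookup(settings, "Server IP")

    if mode == "TFTP":
        findings.append(("high", "TFTP moves the file unauthenticated and in cleartext; use SFTP"))
    elif mode == "FTP":
        findings.append(("high", "FTP sends the login credentials and the file in cleartext; use SFTP"))
    elif mode != "SFTP":
        findings.append(("info", f"unrecognised transfer mode {mode!r}"))

    # The controller's own WARNING banner covers this case; make it a finding so it is not skipped past.
    if data_type.lower().startswith("config") and encryption.lower() != "enabled":
        findings.append(("high", "configuration file is transferred with encryption disabled; "
                                 "run transfer encrypt enable and transfer encrypt set-key first"))

    if not server:
        findings.append(("high", "no server IP address is configured"))
    else:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(("high", f"server address {server!r} is not a valid IP address"))
        else:
            if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
                findings.append(("high", f"server address {server} cannot be a unicast file server"))
    return findings


# The settings block printed in the procedure above, reproduced as a sample input.
SAMPLE_PAGE_OUTPUT = """\
Mode............................................. TFTP
TFTP Server IP................................... 224.0.0.1
TFTP Path........................................ Config/
TFTP Filename.................................... AS_5520_x_Config.xml
Data Type........................................ Config File
Encryption....................................... Disabled
**************************************************
*** WARNING: Config File Encryption Disabled ***
**************************************************
Are you sure you want to start? (y/N)
"""

# Constructed hardened variant (labels assumed): SFTP, encryption on, a documentation-range unicast server.
SAMPLE_HARDENED_OUTPUT = """\
Mode............................................. SFTP
SFTP Server IP................................... 192.0.2.10
SFTP Path........................................ Config/
SFTP Filename.................................... wlc-backup.xml
Data Type........................................ Config File
Encryption....................................... Enabled
"""

if __name__ == "__main__":
    for severity, message in audit_transfer_settings(parse_transfer_settings(SAMPLE_PAGE_OUTPUT)):
        print(f"[{severity}] {message}")
```

Paste the echoed settings into the parser and answer N whenever a high finding appears; with the page's sample the mode, the disabled encryption, and the multicast server address 224.0.0.1 are all reported, and the hardened variant returns no findings.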
Downloading Configuration Files
You can download configuration files using either the GUI or the CLI.
Downloading the Configuration Files (GUI)
Step 1
Choose Commands > Download File to open the Download File to Controller page.
Step 2
From the File Type drop-down list, choose Configuration.
Step 3
If the configuration file is encrypted, check the Configuration File Encryption check box and enter the encryption
key used to decrypt the file in the Encryption Key field.
Note
The key that you enter here should match the one entered during the upload process.
Step 4
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP
Step 5
In the IP Address field, enter the IP address of the server.
If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout
fields should work correctly without any adjustment. However, you can change these values.
Step 6
(Optional) Enter the maximum number of times that the TFTP server attempts to download the configuration file in
the Maximum Retries field and the amount of time (in seconds) that the TFTP server attempts to download the
configuration file in the Timeout field.
Step 7
In the File Path field, enter the directory path of the configuration file.
Step 8
In the File Name field, enter the name of the configuration file.
Step 9
If you are using an FTP server, follow these steps:
a) In the Server Login Username field, enter the username to log into the FTP server.
b) In the Server Login Password field, enter the password to log into the FTP server.
c) In the Server Port Number field, enter the port number on the FTP server through which the download occurs.
The default value is 21.
Step 10
Click Download to download the file to the controller. A message appears indicating the status of the download, and
the controller reboots automatically. If the download fails, repeat this procedure and try again.
Downloading the Configuration Files (CLI)
Note
The controller does not support incremental configuration downloads. The configuration file contains all
mandatory commands (all interface address commands, mgmtuser with read-write permission commands,
and interface port or LAG enable or disable commands) required to successfully complete the download. For
example, if you download only the config time ntp server index server_address command as part of the
configuration file, the download fails. Only the commands present in the configuration file are applied to the
controller, and any configuration in the controller prior to the download is removed.
Step 1
Specify the transfer mode used to download the configuration file by entering this command:
transfer download mode {tftp | ftp | sftp}
Step 2
Specify the type of file to be downloaded by entering this command:
transfer download datatype config
Step 3
If the configuration file is encrypted, enter these commands:
• transfer encrypt enable
• transfer encrypt set-key key, where key is the encryption key used to decrypt the file.
Note
The key that you enter here should match the one entered during the upload process.
Step 4
Specify the IP address of the TFTP or FTP server by entering this command:
transfer download serverip server-ip-address
Step 5
Specify the directory path of the configuration file by entering this command:
transfer download path server-path-to-file
Step 6
Specify the name of the configuration file to be downloaded by entering this command:
transfer download filename filename
Step 7
(Optional) If you are using a TFTP server, enter these commands:
• transfer download tftpMaxRetries retries
• transfer download tftpPktTimeout timeout
Note
The default values of 10 retries and a 6-second timeout should work correctly without any adjustment.
However, you can change these values. To do so, enter the maximum number of times that the TFTP
server attempts to download the software for the retries parameter and the amount of time (in seconds)
that the TFTP server attempts to download the software for the timeout parameter.
Step 8
If you are using an FTP server, enter these commands to specify the username and password used to log into the FTP
server and the port number through which the download occurs:
• transfer download username username
• transfer download password password
• transfer download port port
Note
The default value for the port parameter is 21.
Step 9
View the updated settings by entering this command:
transfer download start
Step 10
When prompted to confirm the current settings and start the download process, answer y.
Information similar to the following appears:
Mode............................................. TFTP
TFTP Server IP................................... 224.0.0.1
TFTP Path........................................ Config/
TFTP Filename.................................... AS_5520_x_Config.xml
Data Type........................................ Config File
Encryption....................................... Disabled
**************************************************
*** WARNING: Config File Encryption Disabled ***
**************************************************
Are you sure you want to start? (y/N)
y
File transfer operation completed successfully.
If the download fails, repeat this procedure and try again.
Saving Configurations
Controllers contain two types of memory: volatile RAM and NVRAM. At any time, you can save the
configuration changes from active volatile RAM to nonvolatile RAM (NVRAM). You are prompted to save
your configuration automatically whenever you initiate a reboot of the controller or log out of a GUI or a CLI
session. The following are some examples of the corresponding commands:
• save config—Saves the configuration from volatile RAM to NVRAM without resetting the controller.
• reset system—Prompts you to confirm that you want to save configuration changes before the controller
reboots.
• logout—Prompts you to confirm that you want to save configuration changes before you log out.
Editing Configuration Files
When you save the controller’s configuration, the controller stores it in XML format in flash memory. Controller
software release 5.2 or later releases enable you to easily read and modify the configuration file by converting
it to CLI format. When you upload the configuration file to a TFTP/FTP/SFTP server, the controller initiates
the conversion from XML to CLI. You can then read or edit the configuration file in a CLI format on the
server. When you are finished, you download the file back to the controller, where it is reconverted to an
XML format and saved.
Step 1
Upload the configuration file to a TFTP/FTP/SFTP server by performing one of the following:
• Upload the file using the controller GUI.
• Upload the file using the controller CLI.
Step 2
Read or edit the configuration file on the server. You can modify or delete existing CLI commands and add new CLI
commands to the file.
Note
To edit the configuration file, you can use your text editor of choice such as Notepad or Wordpad on Windows
platforms, VI editor on Linux, and so forth.
Step 3
Save your changes to the configuration file on the server.
Step 4
Download the configuration file to the controller by performing one of the following:
• Download the file using the controller GUI.
• Download the file using the controller CLI.
The controller converts the configuration file to an XML format, saves it to flash memory, and then reboots using the
new configuration. CLI commands with known keywords and proper syntax are converted to XML while improper CLI
commands are ignored and saved to flash memory. Any CLI commands that have invalid values are replaced with default
values. To see any ignored commands or invalid configuration values, enter this command:
show invalid-config
Note
You cannot execute this command after the clear config or save config command.
Step 5
If the downloaded configuration contains a large number of invalid CLI commands, you might want to upload the invalid
configuration to the TFTP or FTP server for analysis. To do so, perform one of the following:
• Upload the invalid configuration using the controller GUI. Follow the instructions in the Uploading Configuration
Files (GUI) section but choose Invalid Config from the File Type drop-down list in Step 2 and skip Step 3.
• Upload the invalid configuration using the controller CLI. Follow the instructions in the Uploading Configuration
Files (CLI) section but enter the transfer upload datatype invalid-config command in Step 2 and skip Step 3.
Step 6
The controller does not support the uploading and downloading of port configuration CLI commands. If you want to
configure the controller ports, enter these commands:
• config port linktrap {port | all} {enable | disable}—Enables or disables the up and down link traps for a specific
controller port or for all ports.
• config port adminmode {port | all} {enable | disable}—Enables or disables the administrative mode for a specific
controller port or for all ports.
Step 7
Save your changes by entering this command:
save config
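Before you download an edited file, a quick pre-flight check of the CLI-format configuration catches the two failure modes this chapter describes: the note under Downloading the Configuration Files (CLI) says the transfer fails unless the interface address, read-write mgmtuser, and port or LAG enable or disable commands are all present, and Step 4 above says unknown commands are silently dropped while invalid values fall back to defaults. The script below is an added example, not part of this guide or of Cisco's software. The regular expressions encode this example's assumptions about how those commands appear in the CLI-format file (config interface address, config mgmtuser add and type5-add, config port adminmode, config lag, config snmp v3user create), and the sample file is constructed for the demonstration.

```python
import re

# Command families the download note calls mandatory. The patterns are this
# example's assumptions about the CLI-format file syntax, not the guide's text.
REQUIRED = {
    "interface address": re.compile(r"^config interface address \S+ \S+"),
    "read-write mgmtuser": re.compile(r"^config mgmtuser (add|type5-add) \S+ \S+ read-write\b"),
    "port or LAG admin state": re.compile(r"^config (port adminmode \S+|lag) (enable|disable)\b"),
}
# Hygiene checks on the same file (again assumptions about syntax):
# a plain 'mgmtuser add' line carries the password in cleartext, whereas
# 'type5-add' carries an md5-crypt hash; an SNMP v3 user or key still called
# "default" is the weak setting the SNMP v3 section of this chapter warns about.
CLEARTEXT_USER = re.compile(r"^config mgmtuser add \S+ \S+ ")
SNMP_DEFAULT = re.compile(r"^config snmp v3user create\b.*\bdefault\b")


def lint_config(text):
    """Pre-flight check of an edited CLI-format configuration file.

    Returns {"missing": [mandatory family names not seen],
             "warnings": [(line_no, message), ...]}."""
    seen = set()
    warnings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        for family, pattern in REQUIRED.items():
            if pattern.match(line):
                seen.add(family)
        if CLEARTEXT_USER.match(line):
            warnings.append((line_no, "mgmtuser password stored in cleartext; "
                                      "consider type5-add with an md5-crypt hash"))
        if SNMP_DEFAULT.search(line):
            warnings.append((line_no, "SNMP v3 user still uses the 'default' name or key"))
    missing = [family for family in REQUIRED if family not in seen]
    return {"missing": missing, "warnings": warnings}


# Constructed sample of an edited configuration file (not taken from the guide).
SAMPLE = """\
config interface address management 10.10.20.5 255.255.255.0 10.10.20.1
config mgmtuser add admin Str0ng&Pass read-write
config port adminmode all enable
config snmp v3user create default rw hmacsha aescfb128 default default
config time ntp server 1 10.10.20.250
"""

if __name__ == "__main__":
    report = lint_config(SAMPLE)
    for family in report["missing"]:
        print(f"MISSING mandatory command: {family}")
    for line_no, message in report["warnings"]:
        print(f"line {line_no}: {message}")
    if not report["missing"]:
        print("all mandatory command families present")
```

Run it against the file you are about to download; a non-empty "missing" list means the download would fail outright, and each warning points at a line worth fixing before the file is converted to XML and applied.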
Clearing the Controller Configuration
Step 1
Clear the configuration by entering this command:
clear config
Enter y at the confirmation prompt to confirm the action.
Step 2
Reboot the system by entering this command:
reset system
Enter n to reboot without saving configuration changes. When the controller reboots, the configuration wizard starts
automatically.
Step 3
Follow the instructions in the Configuring the Controller-Using the Configuration Wizard section to complete the initial
configuration.
Erasing the Controller Configuration
Step 1
Reset the configuration by entering this command:
reset system
At the confirmation prompt, enter y to save configuration changes to NVRAM. The controller reboots.
Step 2
When you are prompted for a username, restore the factory-default settings by entering this command:
recover-config
The controller reboots and the configuration wizard starts automatically.
Step 3
Follow the instructions in the Configuring the Controller-Using the Configuration Wizard section to complete the initial
configuration.
Resetting the Controller
You can reset the controller and view the reboot process on the CLI console using one of the following two
methods:
• Turn the controller off and then turn it back on.
• On the CLI, enter reset system. At the confirmation prompt, enter y to save configuration changes to
NVRAM. The controller reboots.
When the controller reboots, the CLI console displays the following reboot information:
• Initializing the system.
• Verifying the hardware configuration.
• Loading microcode into memory.
• Verifying the operating system software load.
• Initializing with its stored configurations.
• Displaying the login prompt.
CHAPTER 22
Managing User Accounts
• Configuring Guest User Accounts, on page 205
• Configuring Administrator Usernames and Passwords, on page 208
• Changing the Default Values for SNMP v3 Users, on page 210
• Generating a Certificate Signing Request using OpenSSL, on page 212
Configuring Guest User Accounts
Guest Accounts
The controller can provide guest user access on WLANs for which you must create guest user accounts. Guest
user accounts can be created by network administrators, or, if you would like a non-administrator to be able
to create guest user accounts on demand, you can do so through a lobby administrator account. The lobby
ambassador has limited configuration privileges and has access only to the web pages used to manage the
guest user accounts.
The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the
specified time elapses, the guest user accounts expire automatically.
This section contains the following subsections:
Restrictions on Managing User Accounts
• The local user database is limited to a maximum of 2048 entries, which is also the default value. This
database is shared by local management users (including lobby ambassadors), local network users
(including guest users), MAC filter entries, exclusion list entries, and access point authorization list
entries. Together they cannot exceed the configured maximum value.
• For net user accounts or guest user accounts, the following special characters are allowed along with
alphanumeric characters: ~, @, #, $, %, ^, &, (, ), !, _, -, `, ., [, ], =, +, *, :, ;, {, }, ,, /, and \.
Creating a Lobby Ambassador Account
Creating a Lobby Ambassador Account (GUI)
Step 1
Choose Management > Local Management Users to open the Local Management Users page.
This page lists the names and access privileges of the local management users.
Note
If you want to delete any of the user accounts from the controller, hover your cursor over the blue drop-down
arrow and choose Remove. However, deleting the default administrative user prohibits both GUI and CLI
access to the controller. Therefore, you must create a user with administrative privileges (ReadWrite) before
you remove the default user.
Step 2
Click New to create a lobby ambassador account. The Local Management Users > New page appears.
Step 3
In the User Name text box, enter a username for the lobby ambassador account.
Note
Management usernames must be unique because they are stored in a single database.
Step 4
In the Password and Confirm Password text boxes, enter a password for the lobby ambassador account.
Note
Passwords are case sensitive. The settings for the management User Details parameters depend on the settings
that you make in the Password Policy page. The following requirements are enforced on the password:
• The password should contain characters from at least three of the following classes: lowercase letters, uppercase
letters, digits, and special characters.
• No character in the password can be repeated more than three times consecutively.
• The password should not contain a management username or the reverse letters of a username.
• The password should not contain words like Cisco, oscic, admin, nimda, or any variant obtained by changing the
capitalization of letters, by substituting 1, |, or ! for i, by substituting 0 for o, or by substituting $ for s.
• If you want to downgrade from Release 8.6 to Release 8.5 or an earlier release, ensure that you have a management
user account password that is less than or equal to 24 characters to be compatible with the earlier releases. Else,
during the downgrade and before you can reboot the controller, you will be prompted with the following message:
"Warning!!! Please Configure Mgmt user compatible with older release"
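The password rules listed above, turned into a checker you can run before creating a management or lobby ambassador account. This is an added example, not code from this guide or from Cisco: it reports every rule a candidate password violates, tests the password against the existing management usernames you pass in (forwards and reversed), and optionally enforces the 24-character cap that matters when a downgrade to Release 8.5 or earlier is planned. The mapping used to undo the symbol substitutions (1, | and ! standing for i, 0 for o, $ for s) is this example's reading of the rule text.

```python
import re

BANNED_WORDS = ("cisco", "oscic", "admin", "nimda")
# Substitutions the policy text names; they are undone before the banned-word
# test so that variants such as "C!sco" or "adm1n" are caught (assumption: 1, |
# and ! stand in for the letter i).
LEET = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password, usernames=(), max_len=None):
    """Return the list of policy rules the candidate password violates.

    An empty list means the password passes every rule checked here.
    usernames: existing management usernames the password must not contain.
    max_len: optional hard length cap, e.g. 24 for compatibility with
             Release 8.5 and earlier.
    """
    problems = []

    # Rule 1: at least three of the four character classes.
    if sum(1 for cls in CLASSES if re.search(cls, password)) < 3:
        problems.append("fewer than three character classes (lower, upper, digit, special)")

    # Rule 2: no character repeated more than three times in a row (4+ is a violation).
    if re.search(r"(.)\1{3}", password):
        problems.append("a character is repeated more than three times consecutively")

    # Rule 3: must not contain a management username or its reverse.
    lowered = password.lower()
    for user in usernames:
        u = user.lower()
        if u and (u in lowered or u[::-1] in lowered):
            problems.append(f"contains management username {user!r} or its reverse")

    # Rule 4: banned words, checked after undoing case and symbol substitutions.
    normalized = lowered.translate(LEET)
    for word in BANNED_WORDS:
        if word in normalized:
            problems.append(f"contains banned word {word!r} (after undoing case and symbol substitutions)")

    # Optional: length cap for downgrades to Release 8.5 and earlier.
    if max_len is not None and len(password) > max_len:
        problems.append(f"longer than {max_len} characters")

    return problems


if __name__ == "__main__":
    for candidate in ("C!sco2024", "aaaaB1!", "lobbyAdmin#2024", "Tr0ub4dor&3"):
        result = check_password(candidate, usernames=("admin", "lobby"))
        print(candidate, "->", result or "OK")
```

Because the controller enforces the same rules at creation time, running the checker first mostly saves a round trip; the useful part for a defender is the banned-word normalization, which shows why cosmetic substitutions do not turn a vendor name into an acceptable secret.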
Step 5
Choose LobbyAdmin from the User Access Mode drop-down list. This option enables the lobby ambassador to create
guest user accounts.
Note
The ReadOnly option creates an account with read-only privileges, and the ReadWrite option creates an
administrative account with both read and write privileges.
Step 6
Click Apply to commit your changes. The new lobby ambassador account appears in the list of local management users.
Step 7
Click Save Configuration to save your changes.
Creating a Lobby Ambassador Account (CLI)
Procedure
• To create a lobby ambassador account use the following command:
config mgmtuser add lobbyadmin_username lobbyadmin_pwd lobby-admin
Note
Replacing lobby-admin with read-only creates an account with read-only privileges. Replacing lobby-admin
with read-write creates an administrative account with both read and write privileges.
Creating Guest User Accounts as a Lobby Ambassador (GUI)
Step 1
Log into the controller as the lobby ambassador, using the username and password. The Lobby Ambassador Guest
Management > Guest Users List page appears.
Step 2
Click New to create a guest user account. The Lobby Ambassador Guest Management > Guest Users List > New page
appears.
Step 3
In the User Name text box, enter a name for the guest user. You can enter up to 24 characters.
Step 4
Perform one of the following:
• If you want to generate an automatic password for this guest user, select the Generate Password check box. The
generated password is entered automatically in the Password and Confirm Password text boxes.
• If you want to create a password for this guest user, leave the Generate Password check box unselected and enter
a password in both the Password and Confirm Password text boxes.
Note
Passwords can contain up to 24 characters (Release 8.5 and earlier releases) and 127 characters (Release
8.6 and later releases) and are case sensitive.
Step 5
From the Lifetime drop-down lists, choose the amount of time (in days, hours, minutes, and seconds) that this guest user
account is to remain active. A value of zero (0) for all four text boxes creates a permanent account.
Default: 1 day
Range: 5 minutes to 30 days
Note
The smaller of this value or the session timeout for the guest WLAN, which is the WLAN on which the guest
account is created, takes precedence. For example, if a WLAN session timeout is due to expire in 30 minutes
but the guest account lifetime has 10 minutes remaining, the account is deleted in 10 minutes upon guest account
expiry. Similarly, if the WLAN session timeout expires before the guest account lifetime, the client experiences
a recurring session timeout that requires reauthentication.
Note
You can change a guest user account with a nonzero lifetime to another lifetime value at any time while the
account is active. However, to make a guest user account permanent using the controller GUI, you must delete
the account and create it again. If desired, you can use the config netuser lifetime user_name 0 command to
make a guest user account permanent without deleting and recreating it.
Step 6
From the WLAN SSID drop-down list, choose the SSID that will be used by the guest user. The only WLANs that are
listed are those WLANs for which Layer 3 web authentication has been configured.
Note
We recommend that you create a specific guest WLAN to prevent any potential conflicts. If a guest account
expires and it has a name conflict with an account on the RADIUS server and both are on the same WLAN,
the users associated with both accounts are disassociated before the guest account is deleted.
Step 7
In the Description text box, enter a description of the guest user account. You can enter up to 32 characters.
Step 8
Click Apply to commit your changes. The new guest user account appears in the list of guest users on the Guest Users
List page.
From this page, you can see all of the guest user accounts, their WLAN SSID, and their lifetime. You can also edit or
remove a guest user account. When you remove a guest user account, all of the clients that are using the guest WLAN
and are logged in using that account’s username are deleted.
Step 9
Repeat this procedure to create any additional guest user accounts.
Viewing Guest User Accounts
Viewing the Guest Accounts (GUI)
Choose Security > AAA > Local Net Users. The Local Net Users page appears.
From this page, you can see all of the local net user accounts (including guest user accounts) and can edit or remove them
as desired. When you remove a guest user account, all of the clients that are using the guest WLAN and are logged in
using that account’s username are deleted.
Viewing the Guest Accounts (CLI)
Procedure
• To see all of the local net user accounts (including guest user accounts) using the controller CLI, enter
this command:
show netuser summary
Configuring Administrator Usernames and Passwords
Administrator Usernames and Passwords
You can configure administrator usernames and passwords to prevent unauthorized users from reconfiguring
the controller and viewing configuration information. This section provides instructions for initial configuration
and for password recovery.
Configuring Usernames and Passwords (GUI)
Step 1
Choose Management > Local Management Users.
Step 2
Click New.
Step 3
Enter the username and password, and confirm the password.
Usernames and passwords are case-sensitive and can contain up to 24 ASCII characters. Usernames and passwords cannot
contain spaces.
Step 4
Choose the User Access Mode as one of the following:
• ReadOnly
• ReadWrite
• LobbyAdmin
Step 5
Click Apply.
Configuring Usernames and Passwords (CLI)
Procedure
• Configure a username and password by entering one of these commands:
• config mgmtuser add username password read-write description—Creates a username-password
pair with read-write privileges.
• config mgmtuser add username password read-only description—Creates a username-password
pair with read-only privileges.
Usernames and passwords are case-sensitive and can contain up to 24 ASCII characters. Usernames
and passwords cannot contain spaces.
Note
If you ever need to change the password for an existing username, enter the config
mgmtuser password username new_password command.
• config mgmtuser add username password lobby-admin description—Creates a username-password
pair with Lobby Administrator privileges.
• config mgmtuser type5-add username md5-crypt_password {read-write | read-only | lobby-admin} description—Creates
a management username-password pair with type-5 encryption.
• config mgmtuser type5-password username md5-crypt_password—Configures a type-5 encrypted password for an
existing management user account.
• List the configured users by entering this command:
show mgmtuser
• View the type of password encryption used for the current user by entering this command:
debug aaa detail enable
Restoring Passwords
Before you begin
Ensure that you are accessing the controller CLI through the console port.
Step 1
After the controller boots up, enter Restore-Password at the User prompt.
Note
For security reasons, the text that you enter does not appear on the controller console.
Step 2
At the Enter User Name prompt, enter a new username.
Step 3
At the Enter Password prompt, enter a new password.
Step 4
At the Re-enter Password prompt, reenter the new password. The controller validates and stores your entries in the
database.
Step 5
When the User prompt reappears, enter your new username.
Step 6
When the Password prompt appears, enter your new password. The controller logs you in with your new username and
password.
Changing the Default Values for SNMP v3 Users
Information About Changing the Default Values for SNMP v3 Users
The controller uses a default value of “default” for the username, authentication password, and privacy
password for SNMP v3 users. Using these standard values presents a security risk. Therefore, Cisco strongly
advises that you change these values.
Note
SNMP v3 is time sensitive. Ensure that you configure the correct time and time zone on your controller.
Changing the SNMP v3 User Default Values (GUI)
Step 1
Choose Management > SNMP > SNMP V3 Users to open the SNMP V3 Users page.
Step 2
If “default” appears in the User Name column, hover your cursor over the blue drop-down arrow for the desired user
and choose Remove to delete this SNMP v3 user.
Step 3
Click New to add a new SNMP v3 user. The SNMP V3 Users > New page appears.
Step 4
In the User Profile Name text box, enter a unique name. Do not enter “default.”
Step 5
Choose Read Only or Read Write from the Access Mode drop-down list to specify the access level for this user. The
default value is Read Only.
Step 6
From the Authentication Protocol drop-down list, choose the desired authentication method: None, HMAC-MD5
(Hashed Message Authentication Coding-Message Digest 5), or HMAC-SHA (Hashed Message Authentication
Coding-Secure Hashing Algorithm). The default value is HMAC-SHA.
Step 7
In the Auth Password and Confirm Auth Password text boxes, enter the shared secret key to be used for authentication.
You must enter at least 12 characters that include both letters and numbers.
Step 8
From the Privacy Protocol drop-down list, choose the desired encryption method: None, CBC-DES (Cipher Block
Chaining-Digital Encryption Standard), or CFB-AES-128 (Cipher Feedback Mode-Advanced Encryption Standard-128).
The default value is CFB-AES-128.
Note
In order to configure CBC-DES or CFB-AES-128 encryption, you must have selected either HMAC-MD5
or HMAC-SHA as the authentication protocol in Step 6.
Step 9
In the Priv Password and Confirm Priv Password text boxes, enter the shared secret key to be used for encryption. You
must enter at least 12 characters that include both letters and numbers.
Step 10
Click Apply.
Step 11
Click Save Configuration.
Step 12
Reboot the controller so that the SNMP v3 user that you added takes effect.
Changing the SNMP v3 User Default Values (CLI)
Step 1
See the current list of SNMP v3 users for this controller by entering this command:
show snmpv3user
Step 2
If “default” appears in the SNMP v3 User Name column, enter this command to delete this user:
config snmp v3user delete username
The username parameter is the SNMP v3 username (in this case, “default”).
Step 3
Create a new SNMP v3 user by entering this command:
config snmp v3user create username {ro | rw} {none | hmacmd5 | hmacsha} {none | des | aescfb128} auth_key
encrypt_key
where
• username is the SNMP v3 username.
• ro is read-only mode and rw is read-write mode.
• none, hmacmd5, and hmacsha are the authentication protocol options.
• none, des, and aescfb128 are the privacy protocol options.
• auth_key is the authentication shared secret key.
• encrypt_key is the encryption shared secret key.
Do not enter “default” for the username, auth_key, and encrypt_key parameters.
Step 4
Enter the save config command.
Step 5
Reboot the controller so that the SNMP v3 user that you added takes effect by entering reset system command.
Generating a Certificate Signing Request using OpenSSL
Step 1
Install and open the OpenSSL application.
Step 2
Enter the command:
OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
If the controller itself generates the CSR, it uses a 2048-bit RSA key; the maximum ECDSA key size is 256 bits.
Note
You must provide the correct Common Name. Ensure that the host name that is used to create the certificate
(Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the
controller. This name should exist in the DNS as well. Also, after you make the change to the VIP interface,
you must reboot the system in order for this change to take effect.
After you issue the command, you are prompted to enter information such as country name, state, city, and so on.
Information similar to the following appears:
OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................................................................++++++
...................................................++++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC
Organizational Unit Name (eg, section) []:CDE
Common Name (eg, YOUR name) []:XYZ.ABC
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Test123
An optional company name []:
OpenSSL>
After you provide all the required details two files are generated:
• A new private key that includes the name mykey.pem
• A CSR that includes the name myreq.pem
Step 3
Copy and paste the Certificate Signing Request (CSR) information into any CA enrollment tool. After you submit the
CSR to a third party CA, the third party CA digitally signs the certificate and sends back the signed certificate chain
through e-mail. In case of chained certificates, you receive the entire chain of certificates from the CA. If you only have
one intermediate certificate similar to the example above, you will receive the following three certificates from the CA:
• Root certificate.pem
• Intermediate certificate.pem
• Device certificate.pem
Note
Ensure that the certificate is Apache-compatible with SHA1 encryption.
Step 4
Once you have all the three certificates, copy and paste into another file the contents of each .pem file in this order:
-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----
Step 5
Save the file as All-certs.pem.
Step 6
Combine the All-certs.pem certificate with the private key that you generated along with the CSR (the private key of the
device certificate, which is mykey.pem in this example), and save the file as final.pem.
Step 7
Create the All-certs.pem and final.pem files by entering these commands:
openssl> pkcs12 -export -in All-certs.pem -inkey mykey.pem
-out All-certs.p12 -clcerts -passin pass:check123
-passout pass:check123
openssl> pkcs12 -in All-certs.p12 -out final.pem
-passin pass:check123 -passout pass:check123
final.pem is the file that we need to download to the controller.
Note
You must enter a password for the parameters -passin and -passout. The password that is configured for the
-passout parameter must match the certpassword parameter that is configured on the controller. In the above
example, the password that is configured for both the -passin and -passout parameters is check123.
What to do next
Download the final.pem file to the controller either using CLI or GUI.
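The order in Steps 4 through 6 (device certificate first, then the intermediate CA, then the root CA) is easy to get wrong when pasting three .pem files by hand, and a bundle with a missing or misplaced root is only reported at load time on the controller. The checker below is an added example, not part of this guide or of Cisco's tooling: it reads an All-certs.pem bundle and confirms that each certificate's issuer equals the subject of the certificate after it and that the last one is self-issued, using a small dependency-free DER walk instead of the openssl binary. The three sample certificates it ships with are constructed X.509 skeletons with dummy signatures (the names wlc.example.test, Example Intermediate CA and Example Root CA are made up); on a real bundle only the issuer and subject fields are read, so the same function applies unchanged.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def cert_names(der):
    """Return (issuer, subject) as raw DER Name content of one X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def common_name(name_der):
    """Pull the CN out of a DER Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == CN_OID:
                return val.decode("utf-8", "replace")
    return "?"


def check_chain_order(pem_text):
    """All-certs.pem must read device, intermediate(s), root: each certificate's
    issuer must equal the next certificate's subject, and the last certificate
    must be self-issued. Returns (ok, [CN of each certificate in file order])."""
    names = [cert_names(base64.b64decode("".join(block.split())))
             for block in PEM_RE.findall(pem_text)]
    cns = [common_name(subject) for _, subject in names]
    if not names:
        return False, cns
    linked = all(issuer == next_subject
                 for (issuer, _), (_, next_subject) in zip(names, names[1:]))
    root_issuer, root_subject = names[-1]
    return linked and root_issuer == root_subject, cns


# --- Constructed sample data: X.509 skeletons with dummy signatures so the demo runs offline ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    atv = _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Unsigned X.509 skeleton (constructed); only issuer and subject are meaningful."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
               + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


DEVICE = fake_cert_pem("wlc.example.test", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    print(check_chain_order(DEVICE + INTERMEDIATE + ROOT))  # correct order
    print(check_chain_order(ROOT + INTERMEDIATE + DEVICE))  # pasted backwards
```

To check a real bundle, pass the text of All-certs.pem to check_chain_order before running the pkcs12 commands in Step 7; a False result with the CNs listed tells you which certificate is out of place or missing. The function only compares names, so it complements, rather than replaces, a signature check such as openssl verify.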
Downloading Third-Party Certificate (GUI)
Step 1
Copy the device certificate final.pem to the default directory on your TFTP server.
Step 2
Choose Security > Web Auth > Certificate to open the Web Authentication Certificate page.
Step 3
Check the Download SSL Certificate check box to view the Download SSL Certificate From Server parameters.
Step 4
In the Server IP Address text box, enter the IP address of the TFTP server.
Step 5
In the File Path text box, enter the directory path of the certificate.
Step 6
In the File Name text box, enter the name of the certificate.
Step 7
In the Certificate Password text box, enter the password to protect the certificate.
Step 8
Click Apply.
Step 9
After the download is complete, choose Commands > Reboot and click Save and Reboot.
Step 10
Click OK in order to confirm your decision to reboot the controller.
Downloading Third-Party Certificate (CLI)
Step 1
Move the final.pem file to the default directory on your TFTP server. Change the download settings by entering the
following commands:
(Cisco Controller) > transfer download mode tftp
(Cisco Controller) > transfer download datatype webauthcert
(Cisco Controller) > transfer download serverip <TFTP server IP address>
(Cisco Controller) > transfer download path <absolute TFTP server path to the update file>
(Cisco Controller) > transfer download filename final.pem
Step 2
Enter the password for the .pem file so that the operating system can decrypt the SSL key and certificate.
(Cisco Controller) > transfer download certpassword password
Note
Ensure that the value for certpassword is the same as the -passout parameter when you generate a CSR.
Step 3
Start the certificate and key download by entering this command:
transfer download start
Example:
(Cisco Controller) > transfer download start
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.77.244.196
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................./
TFTP Filename.................................... final.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP EAP Dev cert transfer starting.
Certificate installed.
Reboot the switch to use new certificate.
Step 4
Reboot the controller.
CHAPTER 23
Managing Web Authentication
• Obtaining a Web Authentication Certificate, on page 217
• Web Authentication Process, on page 220
• Choosing the Default Web Authentication Login Page, on page 223
• Using a Customized Web Authentication Login Page from an External Web Server, on page 229
• Downloading a Customized Web Authentication Login Page, on page 230
• Assigning Login, Login Failure, and Logout Pages per WLAN, on page 234
Obtaining a Web Authentication Certificate
Information About Web Authentication Certificates
The operating system of the controller automatically generates a fully functional web authentication certificate,
so you do not need to do anything in order to use certificates with Layer 3 web authentication. However, if
desired, you can prompt the operating system to generate a new web authentication certificate, or you can
download an externally generated SSL certificate.
Starting with 7.0.250.0 and 7.3.101.0 releases (but not in 7.2.x release), SHA2 certificates are supported.
Note
The WEB UI home page may not load when the ip http access class command is enabled. When you encounter
this issue, we recommend that you do the following:
1. Run the show iosd liin command.
2. Get the internet-address and add that IP address as a permit entry in the access-list.
Note
For WEB UI access using TACACS+ server, custom method-list for authentication and authorization pointing
to the TACACS+ server group does not work. You should use the default authorization method-list pointing
to the same TACACS+ server group for the WEB UI to work.
Support for Chained Certificate
Cisco WLC allows the device certificate to be downloaded as a chained certificate (up to a level of 2) for web
authentication. Wildcard certificates are also supported. For more information about chained certificates, see
the Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC document at
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/
109597-csr-chained-certificates-wlc-00.html.
Note
When you install a certificate for web authentication on Release 7.6, the certificate load fails with a Missing Root
CA cert error unless the file is a chained certificate. Download a chained certificate that includes the intermediate
Certificate Authority (CA) and root CA certificates and install it on the Cisco WLC.
Obtaining a Web Authentication Certificate (GUI)
Step 1
Choose Security > Web Auth > Certificate to open the Web Authentication Certificate page.
This page shows the details of the current web authentication certificate.
Step 2
If you want to use a new operating system-generated web authentication certificate, follow these steps:
a) Click Regenerate Certificate. The operating system generates a new web authentication certificate, and a successfully
generated web authentication certificate message appears.
b) Reboot the controller to register the new certificate.
Step 3
If you prefer to use an externally generated web authentication certificate, follow these steps:
a) Verify that the controller can ping the TFTP server.
b) Select the Download SSL Certificate check box.
c) In the Server IP Address text box, enter the IP address of the TFTP server.
The default values of 10 retries and 6 seconds for the Maximum Retries and Timeout text boxes should work correctly
without any adjustment. However, you can change these values.
d) Enter the maximum number of times that each download can be attempted in the Maximum Retries text box and the
amount of time (in seconds) allowed for each download in the Timeout text box.
e) In the Certificate File Path text box, enter the directory path of the certificate.
f) In the Certificate File Name text box, enter the name of the certificate (certname.pem).
g) In the Certificate Password text box, enter the password for the certificate.
h) Click Apply to commit your changes. The operating system downloads the new certificate from the TFTP server.
i) Reboot the controller to register the new certificate.
Obtaining a Web Authentication Certificate (CLI)
Step 1
See the current web authentication certificate by entering this command:
show certificate summary
Information similar to the following appears:
Web Administration Certificate................... Locally Generated
Web Authentication Certificate................... Locally Generated
Certificate compatibility mode:............... off
Step 2
If you want the operating system to generate a new web authentication certificate, follow these steps:
a) To generate the new certificate, enter this command:
config certificate generate webauth
b) To reboot the controller to register the new certificate, enter this command:
reset system
Step 3
If you prefer to use an externally generated web authentication certificate, follow these steps:
Note
We recommend that the Common Name (CN) of the externally generated web authentication certificate be
1.1.1.1 (or the equivalent virtual interface IP address) in order for the client’s browser to match the domains
of the web authentication URL and the web authentication certificate.
a. Specify the name, path, and type of certificate to be downloaded by entering these commands. TFTP provides neither
encryption nor authentication for the file, which contains the private key, so perform the transfer over a trusted
management network:
transfer download mode tftp
transfer download datatype webauthcert
transfer download serverip server_ip_address
transfer download path server_path_to_file
transfer download filename certname.pem
transfer download certpassword password
transfer download tftpMaxRetries retries
transfer download tftpPktTimeout timeout
Note
The default values of 10 retries and a 6-second timeout should work correctly without any adjustment.
However, you can change these values. To do so, enter the maximum number of times that each download
can be attempted for the retries parameter and the amount of time (in seconds) allowed for each download
for the timeout parameter.
b. Start the download process by entering this command:
transfer download start
c. Reboot the controller to register the new certificate by entering this command:
reset system
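Before starting the download in either the GUI or the CLI procedure above, it is worth checking the layout of the chained .pem file offline, because a badly assembled file is only reported after the transfer and reboot. The following Node.js script is an added example and is not code from this guide or from Cisco. It assumes the file layout described in the chained-certificate document linked earlier (device certificate, then intermediate CA, then root CA, then the private key encrypted under the value later given to transfer download certpassword); the function names and the sample blocks are the example's own, and the sample blocks carry constructed placeholder bytes rather than real certificates.

```javascript
// Added example, not from the Cisco guide: a pre-flight check of the chained
// web-auth certificate file (for example final.pem) before you run
// "transfer download datatype webauthcert". The layout it expects is an
// assumption taken from the guide's chained-certificate document: device
// certificate, then intermediate CA, then root CA (at most two CA levels),
// then the private key, all PEM, with the key encrypted under the password
// later supplied to "transfer download certpassword".

const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)\r?\n-----END \1-----/g;
const KEY_LABELS = ['PRIVATE KEY', 'RSA PRIVATE KEY', 'EC PRIVATE KEY', 'ENCRYPTED PRIVATE KEY'];
const MAX_CHAIN = 3; // device certificate plus up to two CA levels

// Split a PEM file into its labelled blocks, in file order.
function parsePemBlocks(text) {
  const re = new RegExp(PEM_BLOCK.source, 'g');
  const blocks = [];
  let m;
  while ((m = re.exec(text)) !== null) blocks.push({ label: m[1], body: m[2] });
  return blocks;
}

// A key counts as encrypted if it is PKCS#8 "ENCRYPTED PRIVATE KEY" or a
// traditional key carrying a "Proc-Type: 4,ENCRYPTED" header.
function isEncryptedKey(block) {
  return block.label === 'ENCRYPTED PRIVATE KEY' || /^Proc-Type: 4,ENCRYPTED/m.test(block.body);
}

// The base64 payload (after any Proc-Type/DEK-Info headers) must be well formed.
function hasValidBase64(block) {
  const payload = block.body.replace(/^(Proc-Type|DEK-Info):.*$/gm, '').replace(/\s+/g, '');
  return payload.length > 0 && payload.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(payload);
}

// Returns { ok, certificates, problems, warnings } for a candidate final.pem.
function checkWebauthPem(text) {
  const problems = [];
  const warnings = [];
  const blocks = parsePemBlocks(text);
  const certs = blocks.filter((b) => b.label === 'CERTIFICATE');
  const keys = blocks.filter((b) => KEY_LABELS.includes(b.label));
  const unknown = blocks.filter((b) => b.label !== 'CERTIFICATE' && !KEY_LABELS.includes(b.label));

  if (certs.length === 0) problems.push('no CERTIFICATE block found');
  if (certs.length > MAX_CHAIN) problems.push(`${certs.length} certificates; the controller accepts a device certificate plus at most two CA levels`);
  if (certs.length > 0 && certs.length < MAX_CHAIN) warnings.push('fewer than three certificates; include the intermediate and root CA to avoid a "Missing Root CA cert" failure');
  if (keys.length !== 1) problems.push(`expected exactly one private key block, found ${keys.length}`);
  if (keys.length === 1 && blocks[blocks.length - 1] !== keys[0]) problems.push('the private key must be the last block, after the certificates');
  if (keys.length === 1 && !isEncryptedKey(keys[0])) problems.push('the private key is not encrypted, so the certpassword value has nothing to unlock');
  for (const b of blocks) if (!hasValidBase64(b)) problems.push(`block "${b.label}" has a malformed base64 body`);
  for (const b of unknown) problems.push(`unexpected block type "${b.label}"`);
  return { ok: problems.length === 0, certificates: certs.length, problems, warnings };
}

// Constructed sample files: the base64 bodies are placeholder bytes, not real
// DER, so only the file-layout checks are exercised. The chain itself is
// verified separately, e.g. openssl verify -CAfile root.pem -untrusted intermediate.pem device.pem
function pemBlock(label, payload, headers) {
  const b64 = Buffer.from(payload).toString('base64').replace(/(.{64})/g, '$1\n').trim();
  return `-----BEGIN ${label}-----\n${headers ? headers + '\n\n' : ''}${b64}\n-----END ${label}-----\n`;
}

const GOOD_PEM =
  pemBlock('CERTIFICATE', 'constructed device certificate, CN=1.1.1.1') +
  pemBlock('CERTIFICATE', 'constructed intermediate CA certificate') +
  pemBlock('CERTIFICATE', 'constructed root CA certificate') +
  pemBlock('RSA PRIVATE KEY', 'constructed encrypted key bytes',
    'Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF');

// Key first and unencrypted, root CA missing: two problems and one warning.
const BAD_PEM =
  pemBlock('PRIVATE KEY', 'constructed plaintext key bytes') +
  pemBlock('CERTIFICATE', 'constructed device certificate, CN=1.1.1.1') +
  pemBlock('CERTIFICATE', 'constructed intermediate CA certificate');

for (const [name, pem] of [['final.pem', GOOD_PEM], ['wrong-order.pem', BAD_PEM]]) {
  const r = checkWebauthPem(pem);
  console.log(name, r.ok ? 'OK' : 'REJECT', r.problems.concat(r.warnings).join('; '));
}
```

The check is purely structural: it catches the wrong block order, a missing or unencrypted key and a chain that is deeper than the controller accepts, but it does not validate signatures or the Common Name; run openssl verify against the real files for that, and confirm that the device certificate's CN (or virtual interface address, as recommended above) matches the web authentication URL.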
Web Authentication Process
Web authentication is a Layer 3 security feature that causes the controller to not allow IP traffic (except
DHCP-related packets) from a particular client until that client has correctly supplied a valid username and
password. When you use web authentication to authenticate clients, you must define a username and password
for each client. When the clients attempt to join the wireless LAN, their users must enter the username and
password when prompted by a login page.
Note
If a client uses more than 20 DNS resolved addresses, the controller overwrites the 21st address in the first
address space in the Mobile Station Control Block (MSCB) table, but the first address is still retained in the
client. If the client again tries to use the first address, it will not be reachable because the controller does not
have this address in the list of allowed addresses for the client's MSCB table.
Note
One-Time Passwords (OTP) are not supported on web authentication.
When a client is associated with 802.1X + WebAuth Security and when the client roams, the 802.1X username
is updated in the client information.
Note
Web authentication does not work with an IPv6 URL when the WLAN uses local switching (LS); IPv4 with local switching
and IPv6 with central switching (CS) work. The redirected web-auth page is not displayed when an IPv6 URL is typed
in the browser and the WLAN is in local switching mode.
Disabling Security Alert for Web Authentication Process
When web authentication is enabled (under Layer 3 Security), users might receive a web-browser security
alert the first time that they attempt to access a URL.
Figure 16: Typical Web-Browser Security Alert
Note
When clients connect to a web-auth SSID whose preauthentication ACL is configured to let VPN users through, the
clients are disconnected from the SSID every few minutes. Clients on a web-auth SSID are not meant to remain
connected without authenticating on the web page, and the preauthentication ACL should not be used to let them do so.
After the user clicks Yes to proceed (or if the client’s browser does not display a security alert), the web
authentication system redirects the client to a login page.
Step 1
Click View Certificate on the Security Alert page.
Step 2
Click Install Certificate.
Step 3
When the Certificate Import Wizard appears, click Next.
Step 4
Choose Place all certificates in the following store and click Browse.
Step 5
Expand the Trusted Root Certification Authorities folder and choose Local Computer.
Step 6
Click OK.
Step 7
Click Next > Finish.
Step 8
When the “The import was successful” message appears, click OK.
Because the issuer text box is blank on the controller self-signed certificate, open Internet Explorer, choose Tools >
Internet Options > Advanced, unselect the Warn about Invalid Site Certificates check box under Security, and click
OK.
Step 9
Reboot the PC. On the next web authentication attempt, the login page appears.
Figure 17: Default Web Authentication Login Page
The following figure shows the default web authentication login page.
The default login page contains a Cisco logo and Cisco-specific text. You can choose to have the web authentication
system display one of the following:
• The default login page
• A modified version of the default login page
• A customized login page that you configure on an external web server
• A customized login page that you download to the controller
The Choosing the Default Web Authentication Login Page section provides instructions for choosing how the web
authentication login page appears.
When the user enters a valid username and password on the web authentication login page and clicks Submit, the web
authentication system displays a successful login page and redirects the authenticated client to the requested URL.
Figure 18: Successful Login Page
The default successful login page contains a pointer to a virtual gateway address URL in the https://<IP
address>/logout.html format. The IP address that you set for the controller virtual interface serves as the redirect address
for the login page.
Choosing the Default Web Authentication Login Page
Default Web Authentication Login Page
If you are using a custom web-auth bundle that is served by the internal controller web server, the page should
not contain more than 5 elements (including HTML, CSS, and Images). This is because the internal controller
web server implements a DoS protection mechanism that limits each client to open a maximum of 5 (five)
concurrent TCP connections depending on the load. Some browsers may try to open more than 5 TCP sessions
at the same time if the page contains more elements and this may result in the page loading slowly depending
on how the browser handles the DoS protection.
If you do not want users to connect to the web authentication page with a browser that supports only SSLv2, you
can disable SSLv2 for web authentication by entering the config network secureweb cipher-option sslv2
disable command. Users must then use a browser configured for a later protocol; the guide names SSLv3 or later,
but SSLv3 itself is no longer considered secure, so in practice this means TLS. SSLv2 is disabled by default.
Note
Cisco TAC is not responsible for creating a custom webauth bundle.
If you have a complex custom web authentication module, it is recommended that you use an external web-auth
config on the controller, where the full login page is hosted at an external web server.
This section contains the following subsections:
Choosing the Default Web Authentication Login Page (GUI)
Step 1
Choose Security > Web Auth > Web Login Page to open the Web Login page.
Step 2
From the Web Authentication Type drop-down list, choose Internal (Default).
Step 3
If you want to use the default web authentication login page as is, go to Step 8. If you want to modify the default login
page, go to Step 4.
Step 4
If you want to hide the Cisco logo that appears in the top right corner of the default page, choose the Cisco Logo Hide
option. Otherwise, click the Show option.
Step 5
If you want the user to be directed to a particular URL (such as the URL for your company) after login, enter the desired
URL in the Redirect URL After Login text box. You can enter up to 254 characters.
Step 6
If you want to create your own headline on the login page, enter the desired text in the Headline text box. You can enter
up to 127 characters. The default headline is “Welcome to the Cisco wireless network.”
Step 7
If you want to create your own message on the login page, enter the desired text in the Message text box. You can enter
up to 2047 characters. The default message is “Cisco is pleased to provide the Wireless LAN infrastructure for your
network. Please login and put your air space to work.”
Step 8
Click Apply to commit your changes.
Step 9
Click Preview to view the web authentication login page.
Step 10
If you are satisfied with the content and appearance of the login page, click Save Configuration to save your changes.
Otherwise, repeat any of the previous steps as necessary to achieve your desired results.
Choosing the Default Web Authentication Login Page (CLI)
Step 1
Specify the default web authentication type by entering this command:
config custom-web webauth_type internal
Step 2
If you want to use the default web authentication login page as is, go to Step 7. If you want to modify the default login
page, go to Step 3.
Step 3
To show or hide the Cisco logo that appears in the top right corner of the default login page, enter this command:
config custom-web weblogo {enable | disable}
Step 4
If you want the user to be directed to a particular URL (such as the URL for your company) after login, enter this
command:
config custom-web redirecturl url
You can enter up to 130 characters for the URL. To change the redirect back to the default setting, enter the clear
redirecturl command.
Step 5
If you want to create your own headline on the login page, enter this command:
config custom-web webtitle title
You can enter up to 130 characters. The default headline is “Welcome to the Cisco wireless network.” To reset the
headline to the default setting, enter the clear webtitle command.
Step 6
If you want to create your own message on the login page, enter this command:
config custom-web webmessage message
You can enter up to 130 characters. The default message is “Cisco is pleased to provide the Wireless LAN infrastructure
for your network. Please login and put your air space to work.” To reset the message to the default setting, enter the
clear webmessage command.
Step 7
To enable or disable the web authentication logout popup window, enter this command:
config custom-web logout-popup {enable | disable}
Step 8
Enter the save config command to save your settings.
Step 9
Import your own logo into the web authentication login page as follows:
a. Make sure that you have a Trivial File Transfer Protocol (TFTP) server available for the file download. Follow
these guidelines when setting up a TFTP server:
• If you are downloading through the service port, the TFTP server must be on the same subnet as the service
port because the service port is not routable, or you must create static routes on the controller.
• If you are downloading through the distribution system network port, the TFTP server can be on the same or
a different subnet because the distribution system port is routable.
• A third-party TFTP server cannot run on the same computer as the Cisco Prime Infrastructure because the
Prime Infrastructure built-in TFTP server and the third-party TFTP server require the same communication
port.
b. Ensure that the controller can contact the TFTP server by entering this command:
ping ip-address
c. Copy the logo file (in .jpg, .gif, or .png format) to the default directory on your TFTP server. The maximum file
size is 30 kilobits. For an optimal fit, the logo should be approximately 180 pixels wide and 360 pixels high.
d. Specify the download mode by entering this command:
transfer download mode tftp
e. Specify the type of file to be downloaded by entering this command:
transfer download datatype image
f. Specify the IP address of the TFTP server by entering this command:
transfer download serverip tftp-server-ip-address
Note
Some TFTP servers require only a forward slash (/) as the TFTP server IP address, and the TFTP server
automatically determines the path to the correct directory.
g. Specify the download path by entering this command:
transfer download path absolute-tftp-server-path-to-file
h. Specify the file to be downloaded by entering this command:
transfer download filename {filename.jpg | filename.gif | filename.png}
i. View your updated settings and answer y to the prompt to confirm the current download settings and start the
download by entering this command:
transfer download start
j. Save your settings by entering this command:
save config
Note
If you ever want to remove this logo from the web authentication login page, enter the clear webimage
command.
Step 10
Follow the instructions in the Verifying the Web Authentication Login Page Settings (CLI), on page 233 section to
verify your settings.
Example: Creating a Customized Web Authentication Login Page
This section provides information on creating a customized web authentication login page, which can then
be accessed from an external web server.
Here is a web authentication login page template. It can be used as a model when creating your own customized
page:
Note
We recommend that you follow the Cisco guidelines to create a customized web authentication login page.
If you have upgraded to the latest versions of Google Chrome or Mozilla Firefox browsers, ensure that your
webauth bundle has the following line in the login.html file:
<body onload="loadAction();">
For more information about this issue, see CSCvj17640.
<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<title>Web Authentication</title>
<script>
function submitAction(){
var link = document.location.href;
var searchString = "redirect=";
var equalIndex = link.indexOf(searchString);
var redirectUrl = "";
if (document.forms[0].action == "") {
var url = window.location.href;
var args = new Object();
var query = location.search.substring(1);
var pairs = query.split("&");
for(var i=0;i<pairs.length;i++){
var pos = pairs[i].indexOf('=');
if(pos == -1) continue;
var argname = pairs[i].substring(0,pos);
var value = pairs[i].substring(pos+1);
args[argname] = unescape(value);
}
document.forms[0].action = args.switch_url;
}
// Copy everything after "redirect=" verbatim: the original URL can itself
// contain "&" and "=", so it is not parsed as an ordinary query parameter.
if(equalIndex >= 0) {
equalIndex += searchString.length;
redirectUrl = "";
redirectUrl += link.substring(equalIndex);
}
if(redirectUrl.length > 255)
redirectUrl = redirectUrl.substring(0,255);
document.forms[0].redirect_url.value = redirectUrl;
document.forms[0].buttonClicked.value = 4;
document.forms[0].submit();
}
function loadAction(){
var url = window.location.href;
var args = new Object();
var query = location.search.substring(1);
var pairs = query.split("&");
for(var i=0;i<pairs.length;i++){
var pos = pairs[i].indexOf('=');
if(pos == -1) continue;
var argname = pairs[i].substring(0,pos);
var value = pairs[i].substring(pos+1);
args[argname] = unescape(value);
}
//alert( "AP MAC Address is " + args.ap_mac);
//alert( "The Switch URL to post user credentials is " + args.switch_url);
document.forms[0].action = args.switch_url;
// This is the status code returned from webauth login action
// Any value of status code from 1 to 5 is error condition and user
// should be shown error as below or modify the message as it suits
// the customer
if(args.statusCode == 1){
alert("You are already logged in. No further action is required on your part.");
}
else if(args.statusCode == 2){
alert("You are not configured to authenticate against web portal. No further action is required on your part.");
}
else if(args.statusCode == 3){
alert("The username specified cannot be used at this time. Perhaps the username is already logged into the system?");
}
else if(args.statusCode == 4){
alert("The User has been excluded. Please contact the administrator.");
}
else if(args.statusCode == 5){
alert("Invalid username and password. Please try again.");
}
else if(args.statusCode == 6){
alert("Invalid email address format. Please try again.");
}
}
</script>
</head>
<body topmargin="50" marginheight="50" onload="loadAction();">
<form method="post" action="https://209.165.200.225/login.html">
<input TYPE="hidden" NAME="buttonClicked" SIZE="16" MAXLENGTH="15" value="0">
<input TYPE="hidden" NAME="redirect_url" SIZE="255" MAXLENGTH="255" VALUE="">
<input TYPE="hidden" NAME="err_flag" SIZE="16" MAXLENGTH="15" value="0">
<div align="center">
<table border="0" cellspacing="0" cellpadding="0">
<tr> <td>&nbsp;</td></tr>
<tr align="center"> <td colspan="2"><font size="10" color="#336699">Web
Authentication</font></td></tr>
<tr align="center">
<td colspan="2"> User Name &nbsp;&nbsp;&nbsp;<input type="TEXT" name="username" SIZE="25"
MAXLENGTH="63" VALUE="">
</td>
</tr>
<tr align="center" >
<td colspan="2"> Password &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="Password" name="password"
SIZE="25" MAXLENGTH="24">
</td>
</tr>
<tr align="center">
<td colspan="2"><input type="button" name="Submit" value="Submit" class="button"
onclick="submitAction();">
</td>
</tr>
</table>
</div>
</form>
</body>
</html>
These parameters are added to the URL when the user’s Internet browser is redirected to the customized login
page:
• ap_mac—The MAC address of the access point to which the wireless user is associated.
• switch_url—The URL of the controller to which the user credentials should be posted.
• redirect—The URL to which the user is redirected after authentication is successful.
• statusCode—The status code returned from the controller’s web authentication server.
• wlan—The WLAN SSID to which the wireless user is associated.
The available status codes are as follows:
• Status Code 1: “You are already logged in. No further action is required on your part.”
• Status Code 2: “You are not configured to authenticate against web portal. No further action is required
on your part.”
• Status Code 3: “The username specified cannot be used at this time. Perhaps the username is already
logged into the system?”
• Status Code 4: “You have been excluded.”
• Status Code 5: “The User Name and Password combination you have entered is invalid. Please try again.”
• Status Code 6: “Invalid email address format. Please try again.” (also handled by the template above)
Note
For additional information, see the External Web Authentication with Wireless
LAN Controllers Configuration Example at
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html.
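The template above reads every one of these parameters from the redirect URL and, in loadAction(), assigns switch_url straight to the form's action. Since the client arrives at the external page through a link it was redirected to, any of those values can be supplied by whoever crafted that link, which makes the host that receives the POSTed credentials worth checking. The following Node.js script is an added example, not part of the Cisco template or of any Cisco product; it shows the same parameter handling as pure functions plus an allow-list check on switch_url. The allow-list entry 1.1.1.1 is the guide's recommended virtual interface address and is an assumption, as are the function names and the constructed sample URLs.

```javascript
// Added example, not part of the Cisco template: parse the parameters the
// controller appends when it redirects a client to an external login page,
// and validate switch_url before a form action is set from it. The template's
// loadAction() assigns document.forms[0].action = args.switch_url as received,
// and every query value can be supplied by whoever crafted the link the client
// followed, so the host that will receive the POSTed credentials is checked
// against an allow-list. The entry 1.1.1.1 is the guide's recommended virtual
// interface address and is an assumption; use your controller's virtual
// interface hostname or address.

const ALLOWED_CONTROLLER_HOSTS = ['1.1.1.1'];
const MAX_REDIRECT_LEN = 255; // the template's own redirect_url limit

// statusCode values and messages as used by the template.
const STATUS_MESSAGES = {
  1: 'You are already logged in. No further action is required on your part.',
  2: 'You are not configured to authenticate against web portal. No further action is required on your part.',
  3: 'The username specified cannot be used at this time. Perhaps the username is already logged into the system?',
  4: 'The User has been excluded. Please contact the administrator.',
  5: 'Invalid username and password. Please try again.',
  6: 'Invalid email address format. Please try again.',
};

// Like the template, copy everything after "redirect=" verbatim: the original
// URL may itself contain "&" and "=", so it is not treated as a query parameter.
function extractRedirect(href) {
  const marker = 'redirect=';
  const i = href.indexOf(marker);
  return i < 0 ? '' : href.substring(i + marker.length, i + marker.length + MAX_REDIRECT_LEN);
}

// Accept switch_url only when it is HTTPS and names an allowed controller host.
function validateSwitchUrl(value, allowedHosts) {
  if (!value) return { ok: false, reason: 'switch_url is missing' };
  let u;
  try {
    u = new URL(value);
  } catch (e) {
    return { ok: false, reason: 'switch_url is not a valid URL' };
  }
  if (u.protocol !== 'https:') return { ok: false, reason: 'switch_url must use https' };
  if (!allowedHosts.includes(u.hostname)) return { ok: false, reason: `switch_url host ${u.hostname} is not an allowed controller` };
  return { ok: true, action: u.href };
}

// Returns what the login form needs, or an error when the credential target
// cannot be trusted; in the page, assign result.action to the form's action.
function parseWebauthRedirect(href, allowedHosts = ALLOWED_CONTROLLER_HOSTS) {
  const params = new URL(href).searchParams;
  const check = validateSwitchUrl(params.get('switch_url'), allowedHosts);
  const code = parseInt(params.get('statusCode') || '0', 10);
  return {
    ok: check.ok,
    error: check.ok ? null : check.reason,
    action: check.ok ? check.action : null,
    apMac: params.get('ap_mac') || '',
    wlan: params.get('wlan') || '',
    statusCode: code,
    message: STATUS_MESSAGES[code] || '',
    redirectUrl: extractRedirect(href),
  };
}

// Constructed redirect URLs in the shape the controller builds (not captured traffic).
const SAMPLE_REDIRECT =
  'https://portal.example.com/login.html?switch_url=https://1.1.1.1/login.html' +
  '&ap_mac=00:11:22:33:44:55&wlan=Guest&statusCode=5&redirect=http://www.cisco.com/?a=1&b=2';
const SPOOFED_REDIRECT =
  'https://portal.example.com/login.html?switch_url=https://phish.example.net/login.html&redirect=http://www.cisco.com/';

console.log(parseWebauthRedirect(SAMPLE_REDIRECT));
console.log(parseWebauthRedirect(SPOOFED_REDIRECT).error);
```

In a login page this replaces the unconditional document.forms[0].action = args.switch_url: when result.ok is false, show result.error instead of rendering the form. The redirect value is still copied verbatim and capped at 255 characters, exactly as the template does, because the controller appends it last and it may contain its own query string.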
Example: Modified Default Web Authentication Login Page Example
Figure 19: Modified Default Web Authentication Login Page Example
This figure shows an example of a modified default web authentication login page.
These CLI commands were used to create this login page:
• config custom-web weblogo disable
• config custom-web webtitle Welcome to the AcompanyBC Wireless LAN!
• config custom-web webmessage Contact the System Administrator for a Username and Password.
• transfer download start
• config custom-web redirecturl url
Using a Customized Web Authentication Login Page from an External Web Server
Information About Customized Web Authentication Login Page
You can customize the web authentication login page to redirect to an external web server. When you enable
this feature, the user is directed to your customized login page on the external web server.
You must configure a preauthentication access control list (ACL) on the WLAN for the external web server
and then choose this ACL as the WLAN preauthentication ACL under Layer 3 Security > Web Policy on
the WLANs > Edit page.
Choosing a Customized Web Authentication Login Page from an External Web Server (GUI)
Step 1
Choose Security > Web Auth > Web Login Page to open the Web Login page.
Step 2
From the Web Authentication Type drop-down list, choose External (Redirect to external server).
Step 3
In the Redirect URL after Login field, enter the URL to which the user is redirected after a successful login.
For example, you may enter your company's URL here and users will be directed to that URL after login. The maximum
length is 254 characters. By default, the user is redirected to the URL that was entered in the user's browser before the
login page was served.
Step 4
In the External Webauth URL field, enter the URL of the customized web authentication login page on your web server.
You can enter up to 252 characters.
Step 5
Click Apply.
Step 6
Click Save Configuration.
Choosing a Customized Web Authentication Login Page from an External Web Server (CLI)
Step 1
Specify the web authentication type by entering this command:
config custom-web webauth_type external
Step 2
Specify the URL of the customized web authentication login page on your web server by entering this command:
config custom-web ext-webauth-url url
You can enter up to 252 characters for the URL.
Step 3
Specify the IP address of your web server by entering this command:
config custom-web ext-webserver {add | delete} server_IP_address
Step 4
Enter the save config command to save your settings.
Step 5
Follow the instructions in the Verifying the Web Authentication Login Page Settings (CLI), on page 233 section to verify
your settings.
Downloading a Customized Web Authentication Login Page
You can compress the page and image files used for displaying a web authentication login page into a .tar file
for download to a controller. These files are known as the webauth bundle. The maximum allowed size of the
files in their uncompressed state is 1 MB. When the .tar file is downloaded from a local TFTP server, it enters
the controller’s file system as an untarred file.
You can download a login page example from Cisco Prime Infrastructure and use it as a starting point for
your customized login page. For more information, see the Cisco Prime Infrastructure documentation.
Note
If you load a webauth bundle with a .tar compression application that is not GNU compliant, the controller
cannot extract the files in the bundle and the following error messages appear: “Extracting error” and “TFTP
transfer failed.” Therefore, we recommend that you use an application that complies with GNU standards,
such as PicoZip, to compress the .tar file for the webauth bundle.
Note
Configuration backups do not include extra files or components, such as the webauth bundle or external
licenses, that you download and store on your controller, so you should manually save external backup copies
of those files or components.
Note
If the customized webauth bundle has more than 3 separated elements, we advise you to use an external server
to prevent page load issues that may be caused because of TCP rate-limiting policy on the controller.
Prerequisites for Downloading a Customized Web Authentication Login Page
• Name the login page login.html. The controller prepares the web authentication URL based on this
name. If the server does not find this file after the webauth bundle has been untarred, the bundle is
discarded, and an error message appears.
• Include input text boxes for both a username and password.
• Retain the redirect URL as a hidden input item after extracting from the original URL.
• Extract and set the action URL in the page from the original URL.
• Include scripts to decode the return status code.
• Ensure that all paths used in the main page (to refer to images, for example).
• Ensure that no filenames within the bundle are greater than 30 characters.
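The prerequisites above, together with the 1 MB limit, the GNU-compliant tar requirement and the five-element limit of the internal web server described under Default Web Authentication Login Page, are all things the controller only reports after the transfer has failed. The following Node.js script is an added example, not code from this guide or from Cisco: it checks a bundle against those limits before it is downloaded. So that it runs offline it carries its own minimal ustar writer and reader and builds two constructed sample bundles (the logo is placeholder bytes, not an image); real bundles come from GNU tar, as the guide advises. The function names and the sample file names are the example's own.

```javascript
// Added example, not from the Cisco guide: checks a webauth bundle (.tar)
// against the guide's limits before it is downloaded to the controller:
// login.html at the top level, no filename over 30 characters, at most 1 MB
// uncompressed, at most 5 elements for the internal web server, and
// ustar/GNU headers only. Carries a minimal tar writer and reader so it
// runs offline; the sample bundles are constructed, not real ones.

const BLOCK = 512;
const MAX_UNCOMPRESSED = 1024 * 1024;
const MAX_NAME_LEN = 30;
const MAX_INTERNAL_ELEMENTS = 5;

// Sum of header bytes with the checksum field counted as eight spaces (ustar rule).
function headerChecksum(h) {
  let sum = 0;
  for (let i = 0; i < BLOCK; i++) sum += i >= 148 && i < 156 ? 32 : h[i];
  return sum;
}

const octal = (n, len) => n.toString(8).padStart(len - 1, '0') + '\0';

// Build one ustar header for a regular file.
function tarHeader(name, size) {
  const h = Buffer.alloc(BLOCK, 0);
  h.write(name, 0, 100);
  h.write(octal(0o644, 8), 100);   // mode
  h.write(octal(0, 8), 108);       // uid
  h.write(octal(0, 8), 116);       // gid
  h.write(octal(size, 12), 124);   // size
  h.write(octal(0, 12), 136);      // mtime
  h.write('0', 156);               // typeflag: regular file
  h.write('ustar\0' + '00', 257);  // magic + version
  h.write(octal(headerChecksum(h), 7) + ' ', 148);
  return h;
}

// files: [{ name, data: Buffer }] -> complete tar archive as a Buffer.
function buildTar(files) {
  const parts = [];
  for (const f of files) {
    parts.push(tarHeader(f.name, f.data.length), f.data);
    const pad = (BLOCK - (f.data.length % BLOCK)) % BLOCK;
    if (pad) parts.push(Buffer.alloc(pad, 0));
  }
  parts.push(Buffer.alloc(2 * BLOCK, 0)); // end-of-archive marker
  return Buffer.concat(parts);
}

const field = (h, start, end) => h.toString('latin1', start, end).split('\0')[0];

// Walk the archive headers; throws on anything that is not a ustar-family header.
function listTar(buf) {
  const entries = [];
  for (let off = 0; off + BLOCK <= buf.length; ) {
    const h = buf.subarray(off, off + BLOCK);
    if (h.every((b) => b === 0)) break;
    if (field(h, 257, 262) !== 'ustar') throw new Error(`not a ustar/GNU tar header at offset ${off}`);
    if (parseInt(field(h, 148, 156).trim(), 8) !== headerChecksum(h)) throw new Error(`bad header checksum at offset ${off}`);
    const prefix = field(h, 345, 500);
    const name = (prefix ? prefix + '/' : '') + field(h, 0, 100);
    const size = parseInt(field(h, 124, 136).trim() || '0', 8);
    const type = String.fromCharCode(h[156]);
    entries.push({ name, size, isFile: type === '0' || type === '\0', isDir: type === '5' });
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;
  }
  return entries;
}

// Returns { ok, elements, bytes, problems } for a bundle held in memory.
function checkWebauthBundle(buf) {
  const problems = [];
  let entries;
  try { entries = listTar(buf); } catch (e) { return { ok: false, elements: 0, bytes: 0, problems: [e.message] }; }
  const files = entries.filter((e) => e.isFile);
  const names = files.map((e) => e.name.replace(/^\.\//, ''));
  const bytes = files.reduce((sum, e) => sum + e.size, 0);
  if (!names.includes('login.html')) problems.push('login.html is missing from the top level of the bundle');
  if (bytes > MAX_UNCOMPRESSED) problems.push(`uncompressed size ${bytes} bytes exceeds 1 MB`);
  for (const n of names) {
    const base = n.substring(n.lastIndexOf('/') + 1);
    if (base.length > MAX_NAME_LEN) problems.push(`filename "${base}" is longer than ${MAX_NAME_LEN} characters`);
  }
  for (const e of entries) if (!e.isFile && !e.isDir) problems.push(`unsupported entry type for "${e.name}" (long-name or pax extension?)`);
  if (files.length > MAX_INTERNAL_ELEMENTS) problems.push(`${files.length} elements; the internal web server allows 5 connections per client, serve the page externally`);
  return { ok: problems.length === 0, elements: files.length, bytes, problems };
}

// Constructed sample bundles (logo.png is placeholder bytes, not a real image).
const LOGIN_HTML = '<html><body onload="loadAction();"><form method="post">' +
  '<input name="username"><input type="password" name="password"></form><img src="logo.png"></body></html>';
const GOOD_BUNDLE = buildTar([
  { name: 'login.html', data: Buffer.from(LOGIN_HTML) },
  { name: 'logo.png', data: Buffer.alloc(3000, 0x89) },
]);
const BAD_BUNDLE = buildTar([
  { name: 'index.html', data: Buffer.from(LOGIN_HTML) },
  { name: 'a-stylesheet-name-that-is-far-too-long.css', data: Buffer.from('body{}') },
  { name: 'big.bin', data: Buffer.alloc(MAX_UNCOMPRESSED + 1, 0) },
]);

for (const [label, tar] of [['good.tar', GOOD_BUNDLE], ['bad.tar', BAD_BUNDLE]]) {
  const r = checkWebauthBundle(tar);
  console.log(label, r.ok ? 'OK' : 'REJECT', r.problems.join('; '));
}
```

To check a real bundle, read the .tar from disk into a Buffer and pass it to checkWebauthBundle. The reader rejects long-name and pax extension entries, which is one way a non-GNU-compliant archiver produces a bundle the controller cannot extract; it does not inspect the HTML itself, so the hidden fields and scripts the prerequisites call for still have to be checked by hand.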
Downloading a Customized Web Authentication Login Page (GUI)
Step 1
Copy the .tar file containing your login page to the default directory on your server.
Step 2
Choose Commands > Download File to open the Download File to Controller page.
Step 3
From the File Type drop-down list, choose Webauth Bundle.
Step 4
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP
Step 5
In the IP Address field, enter the IP address of the server.
Step 6
If you are using a TFTP server, enter the maximum number of times the controller should attempt to download the .tar
file in the Maximum Retries field.
The range is 1 to 254.
The default is 10.
Step 7
If you are using a TFTP server, enter the amount of time in seconds before the controller times out while attempting
to download the *.tar file in the Timeout field.
The range is 1 to 254 seconds.
The default is 6 seconds.
Step 8
In the File Path field, enter the path of the .tar file to be downloaded. The default value is “/.”
Step 9
In the File Name field, enter the name of the .tar file to be downloaded.
Step 10
If you are using an FTP server, follow these steps:
a. In the Server Login Username field, enter the username to log into the FTP server.
b. In the Server Login Password field, enter the password to log into the FTP server.
c. In the Server Port Number field, enter the port number on the FTP server through which the download occurs.
The default value is 21.
Step 11
Click Download to download the .tar file to the controller.
Step 12
Choose Security > Web Auth > Web Login Page to open the Web Login page.
Step 13
From the Web Authentication Type drop-down list, choose Customized (Downloaded).
Step 14
Click Apply.
Step 15
Click Preview to view your customized web authentication login page.
Step 16
If you are satisfied with the content and appearance of the login page, click Save Configuration.
Downloading a Customized Web Authentication Login Page (CLI)
Step 1
Copy the .tar file containing your login page to the default directory on your server.
Step 2
Specify the download mode by entering this command:
transfer download mode {tftp | ftp | sftp}
Step 3
Specify the type of file to be downloaded by entering this command:
transfer download datatype webauthbundle
Step 4
Specify the IP address of the TFTP, FTP, or SFTP server by entering this command:
transfer download serverip server-ip-address
Note
Some TFTP servers require only a forward slash (/) as the TFTP server IP address, and the TFTP server
automatically determines the path to the correct directory.
Step 5
Specify the download path by entering this command:
transfer download path absolute-tftp-server-path-to-file
Step 6
Specify the file to be downloaded by entering this command:
transfer download filename filename.tar
Step 7
View your updated settings and answer y to the prompt to confirm the current download settings and start the download
by entering this command:
transfer download start
Step 8
Specify the web authentication type by entering this command:
config custom-web webauth_type customized
Step 9
Enter the save config command to save your settings.
Example: Customized Web Authentication Login Page
Figure 20: Customized Web Authentication Login Page Example
This figure shows an example of a customized web authentication login page.
Verifying the Web Authentication Login Page Settings (CLI)
Verify your changes to the web authentication login page by entering this command:
show custom-web
Assigning Login, Login Failure, and Logout Pages per WLAN
You can display different web authentication login, login failure, and logout pages to users per WLAN. This
feature enables user-specific web authentication pages to be displayed for a variety of network users, such as
guest users or employees within different departments of an organization.
Different login pages are available for all web authentication types (internal, external, and customized).
However, different login failure and logout pages can be specified only when you choose customized as the
web authentication type.
Assigning Login, Login Failure, and Logout Pages per WLAN (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN to which you want to assign a web login, login failure, or logout page.
Step 3
Choose Security > Layer 3.
Step 4
Make sure that Web Policy and Authentication are selected.
Step 5
To override the global authentication configuration web authentication pages, select the Override Global Config check
box.
Step 6
When the Web Auth Type drop-down list appears, choose one of the following options to define the web authentication
pages for wireless guest users:
• Internal—Displays the default web login page for the controller. This is the default value.
• Customized—Displays custom web login, login failure, and logout pages. If you choose this option, three separate
drop-down lists appear for login, login failure, and logout page selection. You do not need to define a customized
page for all three options. Choose None from the appropriate drop-down list if you do not want to display a
customized page for that option.
Note
These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar
files.
• External—Redirects users to an external server for authentication. If you choose this option, you must also enter
the URL of the external server in the URL text box.
You can choose specific RADIUS or LDAP servers to provide external authentication on the WLANs > Edit
(Security > AAA Servers) page. Additionally, you can define the priority in which the servers provide authentication.
Step 7
If you chose External as the web authentication type in Step 6, choose AAA Servers and choose up to three RADIUS
and LDAP servers using the drop-down lists.
Note
The RADIUS and LDAP external servers must already be configured in order to be selectable options on the
WLANs > Edit (Security > AAA Servers) page. You can configure these servers on the RADIUS
Authentication Servers page and LDAP Servers page.
Step 8
Establish the priority in which the servers are contacted to perform web authentication as follows:
Note
The default order is local, RADIUS, LDAP.
a. Highlight the server type (local, RADIUS, or LDAP) that you want to be contacted first in the box next to the Up
and Down buttons.
b. Click Up and Down until the desired server type is at the top of the box.
c. Click the < arrow to move the server type to the priority box on the left.
d. Repeat these steps to assign priority to the other servers.
Step 9
Click Apply to commit your changes.
Step 10
Click Save Configuration to save your changes.
Assigning Login, Login Failure, and Logout Pages per WLAN (CLI)
Step 1
Determine the ID number of the WLAN to which you want to assign a web login, login failure, or logout page by entering
this command:
show wlan summary
Step 2
If you want wireless guest users to log into a customized web login, login failure, or logout page, enter these commands
to specify the filename of the web authentication page and the WLAN for which it should display:
• config wlan custom-web login-page page_name wlan_id—Defines a customized login page for a given WLAN.
• config wlan custom-web loginfailure-page page_name wlan_id—Defines a customized login failure page for a
given WLAN.
Note
To use the controller’s default login failure page, enter the config wlan custom-web loginfailure-page
none wlan_id command.
• config wlan custom-web logout-page page_name wlan_id—Defines a customized logout page for a given WLAN.
Note
To use the controller’s default logout page, enter the config wlan custom-web logout-page none wlan_id
command.
Step 3
Redirect wireless guest users to an external server before accessing the web login page by entering this command to
specify the URL of the external server:
config wlan custom-web ext-webauth-url ext_web_url wlan_id
Note
For the external web authentication URL, the CLI does not accept the ? character. For example, if the URL is
https://example.com?text, the CLI saves the URL as https://example.comtext. Check the saved URL before
enabling the WLAN. For more information, see CSCvu53350.
Step 4
Define the order in which web authentication servers are contacted by entering this command:
config wlan security web-auth server-precedence wlan_id {local | ldap | radius} {local | ldap | radius} {local | ldap
| radius}
Note
The default order of server web authentication is local, RADIUS, and LDAP.
All external servers must be preconfigured on the controller. You can configure them on the RADIUS
Authentication Servers page and the LDAP Servers page.
Step 5
Define which web authentication page displays for a wireless guest user by entering this command:
config wlan custom-web webauth-type {internal | customized | external} wlan_id
where
• internal displays the default web login page for the controller. This is the default value.
• customized displays the custom web login page that was configured in Step 2.
• external redirects users to the URL that was configured in Step 3.
Note
You do not need to define the web authentication type in Step 5 for the login failure and logout pages as
they are always customized.
Step 6
Use a WLAN-specific custom web configuration rather than a global custom web configuration by entering this command:
config wlan custom-web global disable wlan_id
Note
If you enter the config wlan custom-web global enable wlan_id command, the custom web authentication
configuration at the global level is used.
Step 7
Save your changes by entering this command:
save config
CHAPTER
24
Configuring Wired Guest Access
• Wired Guest Access, on page 237
• Prerequisites for Configuring Wired Guest Access, on page 238
• Restrictions for Configuring Wired Guest Access, on page 238
• Configuring Wired Guest Access (GUI), on page 238
• Configuring Wired Guest Access (CLI), on page 240
• Supporting IPv6 Client Guest Access, on page 243
Wired Guest Access
Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection
designated and configured for guest access. Wired guest access ports might be available in a guest office or
through specific ports in a conference room. Like wireless guest user accounts, wired guest access ports are
added to the network using the lobby ambassador feature.
Wired guest access can be configured in a standalone configuration or in a dual-controller configuration that
uses both an anchor controller and a foreign controller. This latter configuration is used to further isolate wired
guest access traffic but is not required for deployment of wired guest access.
Wired guest access ports initially terminate on a Layer 2 access switch or switch port configured with VLAN
interfaces for wired guest access traffic. The wired guest traffic is then trunked from the access switch to a
controller. This controller is configured with an interface that is mapped to a wired guest access VLAN on
the access switch.
Note
Although wired guest access is managed by the anchor and foreign controllers when two controllers are deployed,
mobility is not supported for wired guest access clients. In this case, DHCP and web authentication for the
client are handled by the anchor controller.
Note
You can specify the amount of bandwidth allocated to a wired guest user in the network by configuring a QoS
role and a bandwidth contract.
You can create a basic peer-to-peer WLAN ACL and apply it to the wired guest WLAN. This does not block
peer-to-peer traffic; the guest users can still communicate with each other.
Prerequisites for Configuring Wired Guest Access
To configure wired guest access on a wireless network, you must perform the following:
1. Configure a dynamic interface (VLAN) for wired guest user access
2. Create a wired LAN for guest user access
3. Configure the controller
4. Configure the anchor controller (if terminating traffic on another controller)
5. Configure security for the guest LAN
6. Verify the configuration
Restrictions for Configuring Wired Guest Access
• Wired guest access interfaces must be tagged.
• Wired guest access ports must be in the same Layer 2 network as the foreign controller.
• Up to five wired guest access LANs can be configured on a controller. Also in a wired guest access LAN,
multiple anchors are supported.
• Layer 3 web authentication and web passthrough are supported for wired guest access clients. Layer 2
security is not supported.
• Do not trunk a wired guest VLAN to multiple foreign controllers, as it might produce unpredictable
results.
• The controller does not use the callStationIDType parameter configured for the RADIUS server when
authenticating wired clients; instead, the controller uses the system MAC address configured for the
callStationIDType parameter.
Configuring Wired Guest Access (GUI)
Step 1
To create a dynamic interface for wired guest user access, choose Controller > Interfaces. The Interfaces page appears.
Step 2
Click New to open the Interfaces > New page.
Step 3
Enter a name and VLAN ID for the new interface.
Step 4
Click Apply to commit your changes.
Step 5
In the Port Number text box, enter a valid port number. You can enter a number between 0 and 25 (inclusive).
Step 6
Select the Guest LAN check box.
Step 7
Click Apply to commit your changes.
Step 8
To create a wired LAN for guest user access, choose WLANs.
Step 9
On the WLANs page, choose Create New from the drop-down list and click Go. The WLANs > New page appears.
Step 10
From the Type drop-down list, choose Guest LAN.
Step 11
In the Profile Name text box, enter a name that identifies the guest LAN. Do not use any spaces.
Step 12
From the WLAN ID drop-down list, choose the ID number for this guest LAN.
Note
You can create up to five guest LANs, so the WLAN ID options are 1 through 5 (inclusive).
Step 13
Click Apply to commit your changes.
Step 14
Select the Enabled check box for the Status parameter.
Step 15
Web authentication (Web-Auth) is the default security policy. If you want to change this to web passthrough, choose
the Security tab after completing Step 16 and Step 17.
Step 16
From the Ingress Interface drop-down list, choose the VLAN that you created in Step 3. This VLAN provides a path
between the wired guest client and the controller by way of the Layer 2 access switch.
Step 17
From the Egress Interface drop-down list, choose the name of the interface. This WLAN provides a path out of the
controller for wired guest client traffic.
Step 18
If you want to change the authentication method (for example, from web authentication to web passthrough), choose
Security > Layer 3. The WLANs > Edit (Security > Layer 3) page appears.
Step 19
From the Layer 3 Security drop-down list, choose one of the following:
• None—Layer 3 security is disabled.
• Web Authentication—Causes users to be prompted for a username and password when connecting to the wireless
network. This is the default value.
• Web Passthrough—Allows users to access the network without entering a username and password.
Note
There should not be a Layer 3 gateway on the guest wired VLAN, as this would bypass the web
authentication done through the controller.
Step 20
If you choose the Web Passthrough option, an Email Input check box appears. Select this check box if you want users
to be prompted for their e-mail address when attempting to connect to the network.
Step 21
To override the global authentication configuration set on the Web Login page, select the Override Global Config
check box.
Step 22
When the Web Auth Type drop-down list appears, choose one of the following options to define the web authentication
pages for wired guest users:
• Internal—Displays the default web login page for the controller. This is the default value.
• Customized—Displays custom web login, login failure, and logout pages. If you choose this option, three separate
drop-down lists appear for login, login failure, and logout page selection. You do not need to define a customized
page for all three options. Choose None from the appropriate drop-down list if you do not want to display a
customized page for that option.
Note
These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar
files.
• External—Redirects users to an external server for authentication. If you choose this option, you must also enter
the URL of the external server in the URL text box.
You can choose specific RADIUS or LDAP servers to provide external authentication on the WLANs > Edit
(Security > AAA Servers) page. Additionally, you can define the priority in which the servers provide authentication.
Step 23
If you chose External as the web authentication type in Step 22, choose Security > AAA Servers and choose up to
three RADIUS and LDAP servers using the drop-down lists.
Note
You can configure the Authentication and LDAP Server using both IPv4 and IPv6 addresses.
Note
The RADIUS and LDAP external servers must already be configured in order to be selectable options on the
WLANs > Edit (Security > AAA Servers) page. You can configure these servers on the RADIUS
Authentication Servers page and LDAP Servers page.
Step 24
Establish the priority in which the servers are contacted to perform web authentication as follows:
Note
The default order is local, RADIUS, LDAP.
a. Highlight the server type (local, RADIUS, or LDAP) that you want to be contacted first in the box next to the Up
and Down buttons.
b. Click Up and Down until the desired server type is at the top of the box.
c. Click the < arrow to move the server type to the priority box on the left.
d. Repeat these steps to assign priority to the other servers.
Step 25
Click Apply.
Step 26
Click Save Configuration.
Step 27
Repeat this process if a second (anchor) controller is being used in the network.
Configuring Wired Guest Access (CLI)
Step 1
Create a dynamic interface (VLAN) for wired guest user access by entering this command:
config interface create interface_name vlan_id
Step 2
If link aggregation trunk is not configured, enter this command to map a physical port to the interface:
config interface port interface_name primary_port {secondary_port}
Step 3
Enable or disable the guest LAN VLAN by entering this command:
config interface guest-lan interface_name {enable | disable}
This VLAN is later associated with the ingress interface created in Step 5.
Step 4
Create a wired LAN for wired client traffic and associate it to an interface by entering this command:
config guest-lan create guest_lan_id interface_name
Note
The guest LAN ID must be a value between 1 and 5 (inclusive).
To delete a wired guest LAN, enter the config guest-lan delete guest_lan_id command.
Step 5
Configure the wired guest VLAN’s ingress interface, which provides a path between the wired guest client and the
controller by way of the Layer 2 access switch by entering this command:
config guest-lan ingress-interface guest_lan_id interface_name
Step 6
Configure an egress interface to transmit wired guest traffic out of the controller by entering this command:
config guest-lan interface guest_lan_id interface_name
Note
If the wired guest traffic is terminating on another controller, repeat Step 4 and Step 6 for the terminating
(anchor) controller and Step 1 through Step 5 for the originating (foreign) controller. Additionally, configure
the config mobility group anchor add {guest-lan guest_lan_id | wlan wlan_id} IP_address command for
both controllers.
Step 7
Configure the security policy for the wired guest LAN by entering this command:
config guest-lan security {web-auth enable guest_lan_id | web-passthrough enable guest_lan_id}
Note
Web authentication is the default setting.
Step 8
Enable or disable a wired guest LAN by entering this command:
config guest-lan {enable | disable} guest_lan_id
Step 9
If you want wired guest users to log into a customized web login, login failure, or logout page, enter these commands
to specify the filename of the web authentication page and the guest LAN for which it should display:
• config guest-lan custom-web login-page page_name guest_lan_id—Defines a web login page.
• config guest-lan custom-web loginfailure-page page_name guest_lan_id—Defines a web login failure page.
Note
To use the controller’s default login failure page, enter the config guest-lan custom-web
loginfailure-page none guest_lan_id command.
• config guest-lan custom-web logout-page page_name guest_lan_id—Defines a web logout page.
Note
To use the controller’s default logout page, enter the config guest-lan custom-web logout-page none
guest_lan_id command.
Step 10
If you want wired guest users to be redirected to an external server before accessing the web login page, enter this
command to specify the URL of the external server:
config guest-lan custom-web ext-webauth-url ext_web_url guest_lan_id
Step 11
If you want to define the order in which local (controller) or external (RADIUS, LDAP) web authentication servers
are contacted, enter this command:
config wlan security web-auth server-precedence wlan_id {local | ldap | radius} {local | ldap | radius} {local |
ldap | radius}
Note
The default order of server web authentication is local, RADIUS, LDAP.
All external servers must be preconfigured on the controller. You can configure them on the RADIUS
Authentication Servers page or the LDAP Servers page.
Step 12
Define the web login page for wired guest users by entering this command:
config guest-lan custom-web webauth-type {internal | customized | external} guest_lan_id
where
• internal displays the default web login page for the controller. This is the default value.
• customized displays the custom web pages (login, login failure, or logout) that were configured in Step 9.
• external redirects users to the URL that was configured in Step 10.
Step 13
Use a guest-LAN specific custom web configuration rather than a global custom web configuration by entering this
command:
config guest-lan custom-web global disable guest_lan_id
Note
If you enter the config guest-lan custom-web global enable guest_lan_id command, the custom web
authentication configuration at the global level is used.
Step 14
Save your changes by entering this command:
save config
Note
Information on the configured web authentication appears in both the show run-config and show
running-config commands.
Step 15
Display the customized web authentication settings for a specific guest LAN by entering this command:
show custom-web {all | guest-lan guest_lan_id}
Note
If internal web authentication is configured, the Web Authentication Type displays as internal rather than
external (controller level) or customized (WLAN profile level).
Step 16
Display a summary of the local interfaces by entering this command:
show interface summary
Note
The interface name of the wired guest LAN in this example is wired-guest and its VLAN ID is 236.
Display detailed interface information by entering this command:
show interface detailed interface_name
Step 17
Display the configuration of a specific wired guest LAN by entering this command:
show guest-lan guest_lan_id
Note
Enter the show guest-lan summary command to see all wired guest LANs configured on the controller.
Step 18
Display the active wired guest LAN clients by entering this command:
show client summary guest-lan
Step 19
Display detailed information for a specific client by entering this command:
show client detail client_mac
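Both CLI procedures in this chapter, "Assigning Login, Login Failure, and Logout Pages per WLAN (CLI)" and "Configuring Wired Guest Access (CLI)" above, are usually pasted into an SSH session as a batch, and the controller gives little feedback when a value is out of range or, as with the ? character in ext-webauth-url, silently altered. The script below is an added example, not Cisco tooling: it generates the command strings in the syntax this guide shows and refuses to emit a batch that breaks a constraint the guide states (guest LAN IDs 1 through 5, a tagged guest VLAN, server precedence naming local, radius and ldap once each, a customized type with no login page, an external type whose URL contains ?). Treating ? as the only character the CLI drops is my assumption, as is handing the egress interface to the config guest-lan create command in Step 4.

```python
"""Generate and pre-check the CLI batches from two procedures in this guide:
'Assigning Login, Login Failure, and Logout Pages per WLAN (CLI)' and
'Configuring Wired Guest Access (CLI)'.

Added example; not Cisco tooling. Command syntax follows the guide. The checks
encode constraints the guide states (guest LAN IDs 1 to 5, tagged guest VLAN,
server precedence naming local, radius and ldap once each, no '?' in
ext-webauth-url because the CLI drops it, CSCvu53350). Treating '?' as the
only problem character is an assumption.
"""

WEBAUTH_TYPES = ("internal", "customized", "external")
PRECEDENCE_TOKENS = frozenset({"local", "radius", "ldap"})


def validate_ext_webauth_url(url):
    """Return reasons the URL would be stored wrongly or is a poor choice."""
    problems = []
    if "?" in url:
        problems.append("'?' is dropped by the CLI; the saved URL would be "
                        + url.replace("?", ""))
    if not url.startswith("https://"):
        problems.append("not https: the portal page would load over clear-text HTTP")
    if any(ch.isspace() for ch in url):
        problems.append("URL contains whitespace")
    return problems


def _precedence(order):
    order = tuple(order)
    if len(order) != 3 or set(order) != PRECEDENCE_TOKENS:
        raise ValueError("server precedence must name local, radius and ldap once each")
    return " ".join(order)


def custom_web_commands(scope, obj_id, webauth_type="internal", login_page=None,
                        loginfailure_page=None, logout_page=None, ext_url=None,
                        precedence=("local", "radius", "ldap")):
    """scope is 'wlan' (Steps 2 to 7 of the per-WLAN procedure) or 'guest-lan'
    (Steps 9 to 14 of the wired guest procedure); obj_id is the WLAN or guest LAN ID."""
    if scope not in ("wlan", "guest-lan"):
        raise ValueError("scope must be 'wlan' or 'guest-lan'")
    if scope == "guest-lan" and not 1 <= obj_id <= 5:
        raise ValueError("guest LAN ID must be between 1 and 5")
    if webauth_type not in WEBAUTH_TYPES:
        raise ValueError("unknown webauth type %r" % (webauth_type,))
    if webauth_type == "customized" and login_page is None:
        raise ValueError("customized type needs a login page")
    if webauth_type == "external":
        if ext_url is None:
            raise ValueError("external type needs ext_url")
        problems = validate_ext_webauth_url(ext_url)
        if problems:
            raise ValueError("; ".join(problems))
    prefix = "config %s custom-web" % scope
    cmds = []
    if login_page:
        cmds.append("%s login-page %s %d" % (prefix, login_page, obj_id))
    # 'none' selects the controller's default failure and logout pages.
    cmds.append("%s loginfailure-page %s %d" % (prefix, loginfailure_page or "none", obj_id))
    cmds.append("%s logout-page %s %d" % (prefix, logout_page or "none", obj_id))
    if ext_url:
        cmds.append("%s ext-webauth-url %s %d" % (prefix, ext_url, obj_id))
    # The guide uses the 'config wlan security' form for guest LANs as well.
    cmds.append("config wlan security web-auth server-precedence %d %s"
                % (obj_id, _precedence(precedence)))
    cmds.append("%s webauth-type %s %d" % (prefix, webauth_type, obj_id))
    cmds.append("%s global disable %d" % (prefix, obj_id))   # use the per-object pages
    cmds.append("save config")
    return cmds


def wired_guest_lan_commands(guest_lan_id, ingress_if, ingress_vlan, egress_if,
                             port=None, security="web-auth"):
    """Steps 1 to 8 of 'Configuring Wired Guest Access (CLI)'. Step 4 is given
    the egress interface here (assumption); Step 6 sets it explicitly anyway."""
    if not 1 <= guest_lan_id <= 5:
        raise ValueError("guest LAN ID must be between 1 and 5")
    if not 1 <= ingress_vlan <= 4094:
        raise ValueError("wired guest interfaces must be tagged: VLAN 1 to 4094")
    if security not in ("web-auth", "web-passthrough"):
        raise ValueError("security must be web-auth or web-passthrough")
    cmds = ["config interface create %s %d" % (ingress_if, ingress_vlan)]
    if port is not None:   # omit when a LAG trunk carries the VLAN
        cmds.append("config interface port %s %d" % (ingress_if, port))
    cmds += [
        "config interface guest-lan %s enable" % ingress_if,
        "config guest-lan create %d %s" % (guest_lan_id, egress_if),
        "config guest-lan ingress-interface %d %s" % (guest_lan_id, ingress_if),
        "config guest-lan interface %d %s" % (guest_lan_id, egress_if),
        "config guest-lan security %s enable %d" % (security, guest_lan_id),
        "config guest-lan enable %d" % guest_lan_id,
    ]
    return cmds


if __name__ == "__main__":
    print("\n".join(wired_guest_lan_commands(1, "wired-guest", 236, "guest-egress", port=1)))
    print("\n".join(custom_web_commands("guest-lan", 1, "customized", login_page="login.html")))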
Supporting IPv6 Client Guest Access
The client is in WebAuth Required state until the client is authenticated. The controller intercepts both IPv4
and IPv6 traffic in this state and redirects it to the virtual IP address of the controller. Once authenticated, the
user's MAC address is moved to the run state and both IPv4 and IPv6 traffic is allowed to pass.
In order to support the redirection of IPv6-only clients, the controller automatically creates an IPv6 virtual
address based on the IPv4 virtual address configured on the controller. The virtual IPv6 address follows the
convention of [::ffff:<virtual IPv4 address>]. For example, a virtual IP address of 192.0.2.1 would translate
into [::ffff:192.0.2.1]. For an IPv6 captive portal to be displayed, the user must request an IPv6 resolvable
DNS entry such as ipv6.google.com which returns a DNSv6 (AAAA) record.
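When an IPv6-only client is not getting the portal, the first thing to confirm is where the client is being redirected. The following is an added example, not Cisco's code: it derives the IPv6 virtual address from the IPv4 one using the [::ffff:<virtual IPv4 address>] convention described above and checks whether a Location header seen in a client capture points at the controller's virtual address in either family, rather than at some other host. The sample URLs are constructed.

```python
"""Derive the controller's IPv6 virtual address from its IPv4 virtual address
and check whether an observed redirect points at it.

Added example, not Cisco's code; it applies the [::ffff:<v4>] convention this
section describes. The sample redirect URLs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def ipv6_virtual_address(virtual_ipv4):
    """'192.0.2.1' -> IPv6Address('::ffff:192.0.2.1'), the IPv4-mapped form."""
    v4 = ipaddress.IPv4Address(virtual_ipv4)
    v6 = ipaddress.IPv6Address("::ffff:" + str(v4))
    if v6.ipv4_mapped != v4:
        raise ValueError("not an IPv4-mapped address: %s" % v6)
    return v6


def virtual_addresses(virtual_ipv4):
    """Both virtual addresses, the IPv6 one in the bracketed form used in URLs."""
    v4 = ipv6_virtual_address(virtual_ipv4).ipv4_mapped
    return {"v4": str(v4), "v6": "[::ffff:%s]" % v4}


def redirect_points_at_controller(location, virtual_ipv4):
    """True when a Location header targets the controller's virtual address in
    either family; False for any other host, including a portal lookalike."""
    host = urlsplit(location).hostname    # strips brackets and port
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                      # a hostname, not the virtual IP
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr == ipaddress.IPv4Address(virtual_ipv4)


if __name__ == "__main__":
    print(virtual_addresses("192.0.2.1"))
    print(redirect_points_at_controller("https://[::ffff:192.0.2.1]/login.html", "192.0.2.1"))
```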
CHAPTER
25
Troubleshooting
• Interpreting LEDs, on page 245
• System Messages, on page 246
• Viewing System Resources, on page 249
• Using the CLI to Troubleshoot Problems, on page 251
• Configuring System and Message Logging, on page 252
• Viewing Access Point Event Logs, on page 260
• Uploading Logs and Crash Files, on page 261
• Uploading Core Dumps from the Controller, on page 263
• Uploading Packet Capture Files, on page 266
• Monitoring Memory Leaks, on page 269
• Troubleshooting CCXv5 Client Devices, on page 270
• Using the Debug Facility, on page 280
• Configuring Wireless Sniffing, on page 285
• Troubleshooting Access Points Using Telnet or SSH, on page 287
• Debugging the Access Point Monitor Service, on page 289
• Troubleshooting Memory Leaks, on page 289
• Troubleshooting OfficeExtend Access Points, on page 290
Interpreting LEDs
Information About Interpreting LEDs
This section describes how to interpret controller LEDs and lightweight access point LEDs.
Interpreting Controller LEDs
See the quick start guide for your specific controller for a description of the LED patterns. See the list of
controllers and the respective documentation at http://www.cisco.com/c/en/us/products/wireless/index.html.
Interpreting Lightweight Access Point LEDs
See the quick start guide or hardware installation guide for your specific access point for a description of the
LED patterns. See the list of access points and the respective documentation at
http://www.cisco.com/c/en/us/products/wireless/index.html.
System Messages
Information About System Messages
This table lists some common system messages and their descriptions. For a complete list of system messages,
see the Cisco Wireless LAN Controller System Message Guide, Release 7.0.
Table 9: System Messages and Descriptions
Error Message
Description
apf_utils.c 680: Received a CIF field without the protected bit set from mobile xx:xx:xx:xx:xx:xx
A client is sending an association request on a security-enabled WLAN with the protected bit set to 0 (in the
Capability field of the association request). As designed, the controller rejects the association request, and the
client sees an association failure.
dtl_arp.c 480: Got an idle-timeout message from an unknown client xx:xx:xx:xx:xx:xx
The controller’s network processing unit (NPU) sends a timeout message to the central processing unit (CPU)
indicating that a particular client has timed out or aged out. This situation typically occurs when the CPU has
removed a wireless client from its internal database but has not notified the NPU. Because the client remains in
the NPU database, it ages out on the network processor and notifies the CPU. The CPU finds the client that is not
present in its database and then sends this message.
STATION_DISASSOCIATE
The client may have intentionally terminated usage or may have
experienced a service disruption.
STATION_DEAUTHENTICATE
The client may have intentionally terminated usage or this
message could indicate an authentication issue.
STATION_AUTHENTICATION_FAIL
Check disable, key mismatch, or other configuration issues.
STATION_ASSOCIATE_FAIL
Check load on the Cisco radio or signal quality issues.
LRAD_ASSOCIATED
The associated lightweight access point is now managed by this
controller.
LRAD_DISASSOCIATED
The lightweight access point may have associated to a different
controller or may have become completely unreachable.
LRAD_UP
The lightweight access point is operational; no action required.
LRAD_DOWN
The lightweight access point may have a problem or is
administratively disabled.
LRADIF_UP
The Cisco radio is UP.
LRADIF_DOWN
The Cisco radio may have a problem or is administratively
disabled.
LRADIF_LOAD_PROFILE_FAILED
The client density may have exceeded system capacity.
LRADIF_NOISE_PROFILE_FAILED
The non-802.11 noise has exceeded the configured threshold.
LRADIF_INTERFERENCE_PROFILE_FAILED
802.11 interference has exceeded the threshold on the channel; check channel assignments.
LRADIF_COVERAGE_PROFILE_FAILED
A possible coverage hole has been detected. Check the lightweight access point history to see if it is a common
problem and add lightweight access points if necessary.
LRADIF_LOAD_PROFILE_PASSED
The load is now within threshold limits.
LRADIF_NOISE_PROFILE_PASSED
The detected noise is now less than the threshold.
LRADIF_INTERFERENCE_PROFILE_PASSED
The detected interference is now less than the threshold.
LRADIF_COVERAGE_PROFILE_PASSED
The number of clients receiving a poor signal is within the threshold.
LRADIF_CURRENT_TXPOWER_CHANGED
Informational message.
LRADIF_CURRENT_CHANNEL_CHANGED
Informational message.
LRADIF_RTS_THRESHOLD_CHANGED
Informational message.
LRADIF_ED_THRESHOLD_CHANGED
Informational message.
LRADIF_FRAGMENTATION_THRESHOLD_CHANGED
Informational message.
RRM_DOT11_A_GROUPING_DONE
Informational message.
RRM_DOT11_B_GROUPING_DONE
Informational message.
ROGUE_AP_DETECTED
May be a security issue. Use maps and trends to investigate.
ROGUE_AP_REMOVED
A detected rogue access point has timed out. The unit might have
shut down or moved out of the coverage area.
AP_MAX_ROGUE_COUNT_EXCEEDED
The current number of active rogue access points has exceeded the system threshold.
LINK_UP
Positive confirmation message.
LINK_DOWN
A port may have a problem or is administratively disabled.
LINK_FAILURE
A port may have a problem or is administratively disabled.
AUTHENTICATION_FAILURE
An attempted security breach has occurred. Investigate.
STP_NEWROOT
Informational message.
STP_TOPOLOGY_CHANGE
Informational message.
IPSEC_ESP_AUTH_FAILURE
Check WLAN IPsec configuration.
IPSEC_ESP_REPLAY_FAILURE
Check for an attempt to spoof an IP address.
IPSEC_ESP_POLICY_FAILURE
Check for an IPsec configuration mismatch between the WLAN and the client.
IPSEC_ESP_INVALID_SPI
Informational message.
IPSEC_OTHER_POLICY_FAILURE
Check for an IPsec configuration mismatch between the WLAN and the client.
IPSEC_IKE_NEG_FAILURE
Check for an IPsec IKE configuration mismatch between the WLAN and the client.
IPSEC_SUITE_NEG_FAILURE
Check for an IPsec IKE configuration mismatch between the WLAN and the client.
IPSEC_INVALID_COOKIE
Informational message.
RADIOS_EXCEEDED
The maximum number of supported Cisco radios has been
exceeded. Check for a controller failure in the same Layer 2
network or add another controller.
SENSED_TEMPERATURE_HIGH
Check fan, air conditioning, and/or other cooling arrangements.
SENSED_TEMPERATURE_LOW
Check room temperature and/or other reasons for low
temperature.
TEMPERATURE_SENSOR_FAILURE
Replace temperature sensor as soon as possible.
TEMPERATURE_SENSOR_CLEAR
The temperature sensor is operational.
POE_CONTROLLER_FAILURE
Check ports; a possible serious failure has been detected.
MAX_ROGUE_COUNT_EXCEEDED
The current number of active rogue access points has exceeded
system threshold.
SWITCH_UP
The controller is responding to SNMP polls.
SWITCH_DOWN
The controller is not responding to SNMP polls; check controller
and SNMP settings.
RADIUS_SERVERS_FAILED
Check network connectivity between RADIUS and the controller.
CONFIG_SAVED
The running configuration has been saved to flash; it will be
active after a reboot.
MULTIPLE_USERS
Another user with the same username has logged in.
FAN_FAILURE
Monitor controller temperature to avoid overheating.
POWER_SUPPLY_CHANGE
Check for a power-supply malfunction.
COLD_START
The controller may have been rebooted.
WARM_START
The controller may have been rebooted.
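The table above mixes three kinds of message: names the guide ties to a security action (AUTHENTICATION_FAILURE, ROGUE_AP_DETECTED, IPSEC_ESP_REPLAY_FAILURE and the rogue-count thresholds), names that indicate an operational fault, and informational events. When the controller's messages are sent to a syslog collector, that split is what a detection rule should encode. The script below is an added example, not Cisco's code: it buckets each message by the table's guidance, keeps the client MAC or source IP address named on security lines so that repeats from one source stand out, and escalates a security message once it repeats. The sample log lines are constructed for this example and only approximate a syslog feed; the text around the message name on real lines will differ, so adjust the regular expressions to what your collector receives.

```python
"""Triage controller system messages from a syslog feed using the table above:
which names warrant a security investigation, which are operational faults,
and which are informational.

Added example, not Cisco's code. Message names and guidance come from the
table; the sample lines are constructed and only approximate a syslog feed.
"""
import re
from collections import Counter

# Names the table ties to a security action.
SECURITY = {
    "AUTHENTICATION_FAILURE": "attempted security breach; investigate",
    "ROGUE_AP_DETECTED": "may be a security issue; use maps and trends",
    "AP_MAX_ROGUE_COUNT_EXCEEDED": "active rogue count above threshold",
    "MAX_ROGUE_COUNT_EXCEEDED": "active rogue count above threshold",
    "IPSEC_ESP_REPLAY_FAILURE": "check for an attempt to spoof an IP address",
    "STATION_AUTHENTICATION_FAIL": "check disable, key mismatch or configuration",
    "MULTIPLE_USERS": "another user with the same username has logged in",
}
# Names the table ties to a fault for an operator rather than the SOC.
OPERATIONAL = {
    "RADIUS_SERVERS_FAILED", "LRAD_DOWN", "LRADIF_DOWN", "LINK_DOWN", "LINK_FAILURE",
    "SWITCH_DOWN", "FAN_FAILURE", "POWER_SUPPLY_CHANGE", "SENSED_TEMPERATURE_HIGH",
    "TEMPERATURE_SENSOR_FAILURE", "POE_CONTROLLER_FAILURE", "RADIOS_EXCEEDED",
    "COLD_START", "WARM_START",
}
INFORMATIONAL = {
    "CONFIG_SAVED", "LINK_UP", "LRAD_UP", "LRADIF_UP", "SWITCH_UP", "STP_NEWROOT",
    "STP_TOPOLOGY_CHANGE", "STATION_DISASSOCIATE", "STATION_DEAUTHENTICATE",
    "LRADIF_CURRENT_CHANNEL_CHANGED", "LRADIF_CURRENT_TXPOWER_CHANGED",
}
KNOWN = sorted(set(SECURITY) | OPERATIONAL | INFORMATIONAL, key=len, reverse=True)
NAME_RE = re.compile(r"\b(" + "|".join(KNOWN) + r")\b")
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample feed; the layout around the message name is invented.
SAMPLE_LOG = """\
Jan 08 10:00:01 wlc01 %AUTHENTICATION_FAILURE: admin login failed from 192.0.2.50
Jan 08 10:00:02 wlc01 %AUTHENTICATION_FAILURE: admin login failed from 192.0.2.50
Jan 08 10:00:03 wlc01 %AUTHENTICATION_FAILURE: admin login failed from 192.0.2.50
Jan 08 10:01:10 wlc01 %ROGUE_AP_DETECTED: rogue 00:11:22:33:44:55 seen by ap-lobby-1
Jan 08 10:02:00 wlc01 %STATION_AUTHENTICATION_FAIL: client aa:bb:cc:dd:ee:01 on WLAN 3
Jan 08 10:02:05 wlc01 %STATION_AUTHENTICATION_FAIL: client aa:bb:cc:dd:ee:01 on WLAN 3
Jan 08 10:03:00 wlc01 %LINK_DOWN: port 2
Jan 08 10:03:30 wlc01 %LRADIF_CURRENT_CHANNEL_CHANGED: ap-lobby-1 slot 1 channel 36
Jan 08 10:04:00 wlc01 %RADIUS_SERVERS_FAILED: no response from 198.51.100.10
Jan 08 10:05:00 wlc01 %CONFIG_SAVED: saved by admin
"""


def triage(text):
    """Bucket each known message; security entries keep a count and the MAC or
    IP address the line names so repeats from one source stand out."""
    report = {"security": {}, "operational": Counter(), "informational": Counter()}
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if not m:
            continue                       # not one of the table's messages
        name = m.group(1)
        if name in SECURITY:
            e = report["security"].setdefault(
                name, {"guidance": SECURITY[name], "count": 0, "subjects": set()})
            e["count"] += 1
            sub = MAC_RE.search(line) or IP_RE.search(line)
            if sub:
                e["subjects"].add(sub.group(1).lower())
        elif name in OPERATIONAL:
            report["operational"][name] += 1
        else:
            report["informational"][name] += 1
    return report


def alerts(report, repeat_threshold=3):
    """(name, level, subjects) for every security message; 'high' once the
    same message has repeated repeat_threshold times in the window."""
    out = []
    for name, e in report["security"].items():
        level = "high" if e["count"] >= repeat_threshold else "medium"
        out.append((name, level, sorted(e["subjects"])))
    return sorted(out)


if __name__ == "__main__":
    for name, level, subjects in alerts(triage(SAMPLE_LOG)):
        print(level, name, subjects, SECURITY[name])
```

The threshold of three repeats is a starting point, not a tuned value; what matters is that AUTHENTICATION_FAILURE and the rogue messages never land in the informational bucket, which is where a flat per-severity rule tends to put them.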
Viewing System Resources
You can determine the amount of system resources being used by the controller. Specifically, you can view
the current controller CPU usage, system buffers, and web server buffers.
The controllers have multiple CPUs, so you can view individual CPU usage. For each CPU, you can see the
percentage of the CPU in use and the percentage of the CPU time spent at the interrupt level (for example,
0%/3%).
Viewing System Resources (GUI)
On the controller GUI, choose Management > Tech Support > System Resource Information. The System
Resource Information page appears.
Figure 21: System Resource Information Page
The following system information is displayed:
• System Resource Information: Displays current and individual CPU usage, system buffers, and web
server buffers.
• Controller Crash Information: Displays information present in the controller crash log file.
• Core Dump: Configures the core dump transfer through FTP. You must enter the server details to where
the core dump has to be transferred.
• AP Crash Logs: Displays AP crash log information.
• System Statistics:
• IO Stats: Displays CPU and input/output statistics for the controller.
• Top: Displays the CPU usage.
• Dx LCache Summary: Displays database and local cache statistics.
Viewing System Resources (CLI)
On the controller CLI, enter these commands:
• show cpu: Displays current CPU usage information.
The first number is the CPU percentage that the controller spent on the user application and the second
number is the CPU percentage that the controller spent on the OS services.
• show tech-support: Displays system resource information.
• show system dmesg clear: Prints the contents of the dmesg log and then clears it. The dmesg file contains
the kernel log messages.
• show system interfaces: Displays information about the configured network interfaces.
• show system interrupts: Displays the number of interrupts.
• show system iostat {summary | detail}: Displays CPU and input/output statistics.
• show system ipv6:
• show system ipv6 neighbours: Displays the IPv6 neighbor cache.
• show system ipv6 netstat: Displays system network IPv6 stats.
• show system ipv6 route: Displays the IPv6 route information.
• show system meminfo: Displays system memory information.
• show system neighbours: Displays the IPv6 neighbor cache.
• show system netstat: Displays system network stats.
• show system portstat:
• show system portstat all verbose: Displays all system active service or port statistics.
• show system portstat tcp verbose: Displays system active service or port statistics related to TCP.
• show system portstat udp verbose: Displays system active service or port statistics related to UDP.
• show system process:
• show system process maps pid: Displays the regions of contiguous virtual memory mapped by the process with the specified PID.
• show system process stat {all | pid}: Displays statistics for all processes or for a particular process.
• show system process summary: Displays a summary of processes.
• show system route: Displays system routing table.
• show system slabs: Displays memory usage on slab level.
• show system slabtop: Displays the slab usage.
• show system timer ticks: Displays the number of ticks and seconds since the timer lib started.
• show system top: Provides an ongoing look at processor activity in real time. It displays a list of the
most CPU-intensive tasks performed on the system.
• show system usb: Displays configuration of USB.
• show system vmstat: Displays system virtual memory statistics.
Using the CLI to Troubleshoot Problems
If you experience any problems with your controller, you can use the commands in this section to gather
information and debug issues.
• The debug command enables diagnostic logging of specific events. The log output is directed to the
terminal session in which the debug command is entered.
• Only one debug session at a time is active. If one terminal has debugging running, and a debug command
is entered on another terminal, the debug session on the first terminal is terminated.
• To turn off all debugs, use the debug disable-all command.
• To filter the debugs based on client or AP MAC addresses, use the debug mac addr mac-address
command. Up to 10 MAC addresses are supported.
Procedure
• show process cpu: Shows how various tasks in the system are using the CPU at that instant in time. This
command is helpful in understanding if any single task is monopolizing the CPU and preventing other
tasks from being performed.
The Priority field shows two values: 1) the original priority of the task that was created by the actual
function call and 2) the priority of the task that is divided by a range of system priorities.
The CPU Use field shows the CPU usage of a particular task.
The Reaper field shows three values: 1) the amount of time for which the task is scheduled in user mode
operation, 2) the amount of time for which the task is scheduled in a system mode operation, and 3)
whether the task is being watched by the reaper task monitor (indicated by a “T”). If the task is being
watched by the reaper task monitor, this field also shows the timeout value (in seconds) before which
the task needs to alert the task monitor.
Note
If you want to see the total CPU usage as a percentage, enter the show cpu command.
• show process memory: Shows the allocation and deallocation of memory from various processes in the
system at that instant in time.
In the example above, the following fields provide information:
The Name field shows the tasks that the CPU is to perform.
The Priority field shows two values: 1) the original priority of the task that was created by the actual
function call and 2) the priority of the task that is divided by a range of system priorities.
The BytesInUse field shows the actual number of bytes used by dynamic memory allocation for a particular
task.
The BlocksInUse field shows the chunks of memory that are assigned to perform a particular task.
The Reaper field shows three values: 1) the amount of time for which the task is scheduled in user mode
operation, 2) the amount of time for which the task is scheduled in system mode operation, and 3) whether
the task is being watched by the reaper task monitor (indicated by a “T”). If the task is being watched
by the reaper task monitor, this field also shows the timeout value (in seconds) before which the task
needs to alert the task monitor.
• show tech-support: Shows an array of information that is related to the state of the system, including
the current configuration, last crash file, CPU utilization, and memory utilization.
• show run-config: Shows the complete configuration of the controller. To exclude access point
configuration settings, use the show run-config no-ap command.
Note
If you want to see the passwords in clear text, enter the config passwd-cleartext enable command. To execute
this command, you must enter an admin password. This command is valid only for this particular session. It
is not saved following a reboot.
• show run-config commands: Shows the list of configured commands on the controller. This command
shows only values that you configured. It does not show system-configured default values.
Configuring System and Message Logging
System and Message Logging
System logging allows controllers to log their system events to up to three remote syslog servers. The controller
sends a copy of each syslog message as it is logged to each syslog server configured on the controller. Being
able to send the syslog messages to multiple servers ensures that the messages are not lost due to the temporary
unavailability of one syslog server. Message logging allows system messages to be logged to the controller
buffer or console.
For more information about system messages and trap logs, see http://www.cisco.com/c/en/us/support/wireless/
wireless-lan-controller-software/products-system-message-guides-list.html.
Configuring System and Message Logging (GUI)
Step 1
Choose Management > Logs > Config. The Syslog Configuration page appears.
Figure 22: Syslog Configuration Page
Step 2
In the Syslog Server IP Address (IPv4/IPv6) field, enter the IPv4/IPv6 address of the server to which to send the
syslog messages and click Add. You can add up to three syslog servers to the controller. The list of syslog servers that
have already been added to the controller appears below this field.
Note
If you want to remove a syslog server from the controller, click Remove to the right of the desired server.
Step 3
To set the severity level for filtering syslog messages to the syslog servers, choose one of the following options from
the Syslog Level drop-down list:
• Emergencies = Severity level 0
• Alerts = Severity level 1 (default value)
• Critical = Severity level 2
• Errors = Severity level 3
• Warnings = Severity level 4
• Notifications = Severity level 5
• Informational = Severity level 6
• Debugging = Severity level 7
If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog
servers. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is
between 0 and 4 are sent to the syslog servers.
Note
If you have enabled logging of debug messages to the logging buffer, some messages from application debugging
could be listed in the message log with a severity higher than the level set. For example, if you execute the
debug client mac-addr command, the client event log could be listed in the message log even though the message
severity level is set to Errors.
Step 4
To set the facility for outgoing syslog messages to the syslog servers, choose one of the following options from the
Syslog Facility drop-down list:
• Kernel = Facility level 0
• User Process = Facility level 1
• Mail = Facility level 2
• System Daemons = Facility level 3
• Authorization = Facility level 4
• Syslog = Facility level 5 (default value)
• Line Printer = Facility level 6
• USENET = Facility level 7
• Unix-to-Unix Copy = Facility level 8
• Cron = Facility level 9
• FTP Daemon = Facility level 11
• System Use 1 = Facility level 12
• System Use 2 = Facility level 13
• System Use 3 = Facility level 14
• System Use 4 = Facility level 15
• Local Use 0 = Facility level 16
• Local Use 1 = Facility level 17
• Local Use 2 = Facility level 18
• Local Use 3 = Facility level 19
• Local Use 4 = Facility level 20
• Local Use 5 = Facility level 21
• Local Use 6 = Facility level 22
• Local Use 7 = Facility level 23
Step 5
Click Apply.
Step 6
To set the severity level for logging messages to the controller buffer and console, choose one of the following options
from both the Buffered Log Level and Console Log Level drop-down lists:
• Emergencies = Severity level 0
• Alerts = Severity level 1
• Critical = Severity level 2
• Errors = Severity level 3 (default value)
• Warnings = Severity level 4
• Notifications = Severity level 5
• Informational = Severity level 6
• Debugging = Severity level 7
• Disable = This option is available only for the Console Log Level. Select it to disable console logging.
If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the
controller. For example, if you set the logging level to Warnings (severity level 4), only those messages whose severity
is between 0 and 4 are logged.
Step 7
Select the File Info check box if you want the message logs to include information about the source file. The default
value is enabled.
Step 8
Select the Trace Info check box if you want the message logs to include traceback information. The default is disabled.
Step 9
Click Apply.
Step 10
Click Save Configuration.
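The severity rule in Steps 3 and 6 (a message is logged only if its severity number is equal to or less than the configured level) and the Step 4 note (debug output bypasses that level when debug logging to a sink is enabled) can be modelled directly. The following is an added Python example, not Cisco code; the message lines are constructed in the %FACILITY-SEVERITY-MNEMONIC format used by the controller and its access points, and the debug line and the `from_debug` flag are assumptions used to model the note.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Severity names and numbers exactly as the Syslog Level, Buffered Log Level and
# Console Log Level drop-down lists present them (standard syslog severities).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Cisco message header embedded in each log line: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


@dataclass
class LogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    from_debug: bool = False  # produced by a 'debug ...' command rather than a system message


def parse_message(line: str, from_debug: bool = False) -> Optional[LogMessage]:
    """Extract the %FAC-SEV-MNEMONIC header from one line; None if the line has none."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return LogMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"], from_debug)


def passes_level(msg: LogMessage, level: str, debug_logging_enabled: bool = False) -> bool:
    """Controller rule: a message reaches a sink (syslog server, buffer, console) only if
    its severity number is equal to or less than the configured level. Debug output is
    governed by 'config logging debug ...' for that sink and bypasses the level."""
    if msg.from_debug:
        return debug_logging_enabled
    return msg.severity <= SEVERITY[level]


def filter_messages(system_lines: Iterable[str], level: str,
                    debug_lines: Iterable[str] = (),
                    debug_logging_enabled: bool = False) -> List[LogMessage]:
    """Return the messages that would be logged at the given level, in arrival order."""
    kept: List[LogMessage] = []
    for line in system_lines:
        msg = parse_message(line)
        if msg is not None and passes_level(msg, level, debug_logging_enabled):
            kept.append(msg)
    for line in debug_lines:
        # Debug output carries no %FAC-SEV header; tag it with severity 7 (debugging).
        msg = LogMessage("DEBUG", 7, "DEBUG", line, from_debug=True)
        if passes_level(msg, level, debug_logging_enabled):
            kept.append(msg)
    return kept


# Constructed sample lines, in the format of the AP event log shown later in this chapter.
SAMPLE_SYSTEM_LINES = [
    "*Sep 22 11:44:00.573: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE",
    "*Mar 1 00:00:42.151: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up",
    "*Mar 1 00:00:42.142: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source",
    "*Mar 1 00:00:48.078: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER",
    "*Mar 1 00:00:43.143: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up",
]
# Constructed debug output (no %FAC-SEV header), as 'debug client mac-addr' might emit it.
SAMPLE_DEBUG_LINES = [
    "aa:bb:cc:dd:ee:ff Association received from mobile on AP ap-placeholder",
]

if __name__ == "__main__":
    # Level Warnings (4) with debug logging to the buffer enabled: severities 3 and 4
    # pass, the two severity-5 messages are dropped, and the debug line still appears.
    for m in filter_messages(SAMPLE_SYSTEM_LINES, "warnings", SAMPLE_DEBUG_LINES, True):
        print(m.severity, m.mnemonic, m.text)
```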
Viewing Message Logs (GUI)
To view message logs using the controller GUI, choose Management > Logs > Message Logs. The Message
Logs page appears.
Note
To clear the current message logs from the controller, click Clear.
Configuring System and Message Logging (CLI)
Step 1
Enable system logging and set the IP address of the syslog server to which to send the syslog messages by entering this
command:
config logging syslog host server_IP_address
You can add up to three syslog servers to the controller.
Note
To remove a syslog server from the controller, enter this command: config logging syslog host
server_IP_address delete.
Step 2
Set the severity level for filtering syslog messages to the syslog server by entering this command:
config logging syslog level severity_level
where severity_level is one of the following:
• emergencies = Severity level 0
• alerts = Severity level 1
• critical = Severity level 2
• errors = Severity level 3
• warnings = Severity level 4
• notifications = Severity level 5
• informational = Severity level 6
• debugging = Severity level 7
Note
As an alternative, you can enter a number from 0 through 7 for the severity_level parameter.
Note
If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the
syslog server. For example, if you set the syslog level to Warnings (severity level 4), only those messages
whose severity is between 0 and 4 are sent to the syslog server.
Step 3
Set the severity level for filtering syslog messages for a particular access point or for all access points by entering this
command:
config ap logging syslog level severity_level {Cisco_AP | all}
where severity_level is one of the following:
• emergencies = Severity level 0
• alerts = Severity level 1
• critical = Severity level 2
• errors = Severity level 3
• warnings = Severity level 4
• notifications = Severity level 5
• informational = Severity level 6
• debugging = Severity level 7
Note
If you set a syslog level, only those messages whose severity is equal to or less than that level are sent
to the access point. For example, if you set the syslog level to Warnings (severity level 4), only those
messages whose severity is between 0 and 4 are sent to the access point.
Step 4
Set the facility for outgoing syslog messages to the syslog server by entering this command:
config logging syslog facility facility-code
where facility-code is one of the following:
• ap = AP related traps.
• authorization = Authorization system. Facility level = 4.
• auth-private = Authorization system (private). Facility level = 10.
• cron = Cron/at facility. Facility level = 9.
• daemon = System daemons. Facility level = 3.
• ftp = FTP daemon. Facility level = 11.
• kern = Kernel. Facility level = 0.
• local0 = Local use. Facility level = 16.
• local1 = Local use. Facility level = 17.
• local2 = Local use. Facility level = 18.
• local3 = Local use. Facility level = 19.
• local4 = Local use. Facility level = 20.
• local5 = Local use. Facility level = 21.
• local6 = Local use. Facility level = 22.
• local7 = Local use. Facility level = 23.
• lpr = Line printer system. Facility level = 6.
• mail = Mail system. Facility level = 2.
• news = USENET news. Facility level = 7.
• sys12 = System use. Facility level = 12.
• sys13 = System use. Facility level = 13.
• sys14 = System use. Facility level = 14.
• sys15 = System use. Facility level = 15.
• syslog = The syslog itself. Facility level = 5.
• user = User process. Facility level = 1.
• uucp = Unix-to-Unix copy system. Facility level = 8.
Step 5
Configure the syslog facility for AP using the following command:
config logging syslog facility AP
where AP can be:
• associate = Associated syslog for AP
• disassociate = Disassociate syslog for AP
Step 6
Configure the syslog facility for an AP or all APs by entering this command:
config ap logging syslog facility facility-level {Cisco_AP | all}
where facility-level is one of the following:
• auth = Authorization system
• cron = Cron/at facility
• daemon = System daemons
• kern = Kernel
• local0 = Local use
• local1 = Local use
• local2 = Local use
• local3 = Local use
• local4 = Local use
• local5 = Local use
• local6 = Local use
• local7 = Local use
• lpr = Line printer system
• mail = Mail system
• news = USENET news
• sys10 = System use
• sys11 = System use
• sys12 = System use
• sys13 = System use
• sys14 = System use
• sys9 = System use
• syslog = Syslog itself
• user = User process
• uucp = Unix-to-Unix copy system
Step 7
Configure the syslog facility for client by entering this command:
config logging syslog facility client {assocfail | associate | authentication | authfail | deauthenticate | disassociate
| excluded} {enable | disable}
where:
• assocfail: 802.11 association fail syslog for clients.
• authentication: Authentication success syslog for clients
• authfail: 802.11 authentication fail syslog for clients
• deauthenticate: 802.11 deauthentication syslog for clients
• disassociate: 802.11 disassociation syslog for clients
• excluded: Excluded syslog for clients
Step 8
Configure transmission of syslog messages over IPSec by entering this command:
config logging syslog ipsec {enable | disable}
Step 9
Configure transmission of syslog messages over transport layer security (TLS) by entering this command:
config logging syslog tls {enable | disable}
Enabling syslog over TLS on the controller enables the feature for all syslog hosts defined in the controller. You can
define up to three syslog hosts per controller. The controller transmits messages concurrently to all the configured
syslog hosts.
Check if the controller has an active TLS connection to the syslog server by entering the show logging command. The
following is a sample output:
- syslog over tls................................ Enabled
- Host 0....................................... 209.165.200.224
- TLS auth status............................ connected
- packets sent............................... 3879
- packets dropped............................ 2
- Host 1.......................................
- Host 2.......................................
Caution
Issue: Some messages are not transmitted to the syslog server even though it is reachable.
Analysis: This issue occurs because syslog over TLS is enabled in the controller, multiple syslog hosts are
defined in the controller, the number of syslog messages generated are high, and one of the syslog hosts is
not reachable over TLS.
Step 10
Set the severity level for logging messages to the controller buffer and console by entering these commands:
• config logging buffered severity_level
• config logging console severity_level
where severity_level is one of the following:
• emergencies = Severity level 0
• alerts = Severity level 1
• critical = Severity level 2
• errors = Severity level 3
• warnings = Severity level 4
• notifications = Severity level 5
• informational = Severity level 6
• debugging = Severity level 7
Note
As an alternative, you can enter a number from 0 through 7 for the severity_level parameter.
Note
If you set a logging level, only those messages whose severity is equal to or less than that level are logged
by the controller. For example, if you set the logging level to Warnings (severity level 4), only those messages
whose severity is between 0 and 4 are logged.
Step 11
Save debug messages to the controller buffer, the controller console, or a syslog server by entering these commands:
• config logging debug buffered {enable | disable}
• config logging debug console {enable | disable}
• config logging debug syslog {enable | disable}
By default, the console command is enabled, and the buffered and syslog commands are disabled.
Step 12
Configure the controller to include information about the source file in the message logs or to prevent the controller
from displaying this information by entering this command:
config logging fileinfo {enable | disable}
The default value is enabled.
Step 13
Configure the controller to include process information in the message logs or to prevent the controller from displaying
this information by entering this command:
config logging procinfo {enable | disable}
The default value is disabled.
Step 14
Configure the controller to include traceback information in the message logs or to prevent the controller from displaying
this information by entering this command:
config logging traceinfo {enable | disable}
The default value is disabled.
Step 15
Enable or disable timestamps in log messages and debug messages by entering these commands:
• config service timestamps log {datetime | disable}
• config service timestamps debug {datetime | disable}
where
• datetime = Messages are timestamped with the standard date and time. This is the default value.
• disable = Messages are not timestamped.
Step 16
Save your changes by entering this command:
save config
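Two parts of this CLI procedure are worth checking from the collector side: the facility code chosen in Step 4 determines the PRI value (facility * 8 + severity) that every message arrives with, and the Step 9 Caution warns that with syslog over TLS and several hosts configured, an unreachable host leads to dropped messages. The following is an added Python example, not Cisco code: it encodes and decodes PRI using the facility and severity tables from Steps 4 and 10, and parses the TLS block of show logging to flag hosts that are not connected or are dropping packets. The sample output is constructed after the guide's sample; the second host's address and counters are made up.

```python
import re
from typing import Dict, List, Tuple

# Facility codes accepted by 'config logging syslog facility' with the numeric facility
# levels the CLI procedure lists for each (auth-private = 10 appears only on the CLI list).
FACILITY_LEVEL: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "authorization": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "auth-private": 10, "ftp": 11,
    "sys12": 12, "sys13": 13, "sys14": 14, "sys15": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITY_LEVEL: Dict[str, int] = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
_FACILITY_NAME = {v: k for k, v in FACILITY_LEVEL.items()}
_SEVERITY_NAME = {v: k for k, v in SEVERITY_LEVEL.items()}


def syslog_pri(facility_code: str, severity: str) -> int:
    """PRI value the collector sees in '<PRI>' (RFC 3164/5424): facility * 8 + severity."""
    return FACILITY_LEVEL[facility_code] * 8 + SEVERITY_LEVEL[severity]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Inverse of syslog_pri, for checking a collector rule against what the controller sends."""
    facility, severity = divmod(pri, 8)
    return _FACILITY_NAME[facility], _SEVERITY_NAME[severity]


# show logging prints each field as '- name.......... value' (value may be empty).
FIELD_RE = re.compile(r"^-\s*(?P<name>[A-Za-z0-9 ]+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")


def parse_tls_status(output: str) -> dict:
    """Parse the 'syslog over tls' block of show logging. Empty Host slots are skipped."""
    status: dict = {"enabled": False, "hosts": []}
    current = None
    for raw in output.splitlines():
        m = FIELD_RE.match(raw.strip())
        if m is None:
            continue
        name, value = m["name"].lower(), m["value"]
        if name == "syslog over tls":
            status["enabled"] = value.lower() == "enabled"
        elif name.startswith("host "):
            current = {"index": int(name.split()[1]), "address": value} if value else None
            if current is not None:
                status["hosts"].append(current)
        elif current is not None and name == "tls auth status":
            current["tls_auth_status"] = value
        elif current is not None and name in ("packets sent", "packets dropped"):
            current[name.replace(" ", "_")] = int(value)
    return status


def unhealthy_hosts(status: dict) -> List[Tuple[str, str]]:
    """Hosts needing attention: no TLS session, or messages dropped (the Caution case)."""
    problems: List[Tuple[str, str]] = []
    for h in status["hosts"]:
        auth = h.get("tls_auth_status", "unknown")
        if auth != "connected":
            problems.append((h["address"], f"TLS auth status is {auth}"))
        if h.get("packets_dropped", 0) > 0:
            problems.append((h["address"], f"{h['packets_dropped']} packets dropped"))
    return problems


# Constructed sample modelled on the guide's show logging output; Host 1 is made up.
SAMPLE_SHOW_LOGGING = """\
- syslog over tls................................ Enabled
   - Host 0....................................... 209.165.200.224
      - TLS auth status............................ connected
      - packets sent............................... 3879
      - packets dropped............................ 2
   - Host 1....................................... 209.165.200.225
      - TLS auth status............................ not connected
      - packets sent............................... 0
      - packets dropped............................ 3881
   - Host 2.......................................
"""

if __name__ == "__main__":
    # Default facility 'syslog' (5): an alerts message arrives as <41>.
    print("PRI for syslog/alerts:", syslog_pri("syslog", "alerts"))
    for address, reason in unhealthy_hosts(parse_tls_status(SAMPLE_SHOW_LOGGING)):
        print(f"{address}: {reason}")
```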
Viewing System and Message Logs (CLI)
To see the logging parameters and buffer contents, enter this command:
show logging
Viewing Access Point Event Logs
Information About Access Point Event Logs
Access points log all system messages (with a severity level greater than or equal to notifications) to the access
point event log. The event log can contain up to 1024 lines of messages, with up to 128 characters per line.
When the event log becomes filled, the oldest message is removed to accommodate a new event message.
The event log is saved in a file on the access point flash, which ensures that it is saved through a reboot cycle.
To minimize the number of writes to the access point flash, the contents of the event log are written to the
event log file during normal reload and crash scenarios only.
Viewing Access Point Event Logs (CLI)
Use these CLI commands to view or clear the access point event log from the controller:
• To see the contents of the event log file for an access point that is joined to the controller, enter this
command:
show ap eventlog ap-name
Information similar to the following appears:
AP event log download has been initiated
Waiting for download to complete
AP event log download completed.
======================= AP Event log Contents =====================
*Sep 22 11:44:00.573: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE
*Sep 22 11:44:01.514: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0,
changed state to down
*Sep 22 11:44:01.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1,
changed state to down
*Sep 22 11:44:53.539: *** Access point reloading. Reason: NEW IMAGE DOWNLOAD ***
*Mar 1 00:00:39.078: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:00:42.142: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:00:42.151: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:00:42.158: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:00:43.143: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed
state to up
*Mar 1 00:00:43.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed
state to up
*Mar 1 00:00:48.078: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Mar 1 00:01:42.144: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:01:48.121: %CAPWAP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager
IP addresses remain
*Mar 1 00:01:48.122: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Mar 1 00:01:48.122: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to
administratively down
*Mar 1 00:01:48.122: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to
administratively down
• To delete the existing event log and create an empty event log file for all access points or for a specific
access point joined to the controller, enter this command:
clear ap eventlog {all | ap-name}
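The show ap eventlog output above mixes a download preamble, a banner, and entries that the CLI wraps across lines, so a triage script has to rejoin entries before it can read them. The following is an added Python example, not Cisco code: it splits the event log into entries, pulls out the reload reason, the CAPWAP state transitions and every message of severity errors (3) or worse, and notes when post-reload timestamps still sit at the unsynchronised clock value. The sample is a constructed subset of the guide's output.

```python
import re
from typing import Dict, List

# An entry starts with '*Mon D hh:mm:ss.mmm:'; lines the CLI wrapped carry no such marker.
ENTRY_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s*(?P<body>.*)$"
)
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
RELOAD_RE = re.compile(r"\*\*\* Access point reloading\. Reason: (?P<reason>.+?) \*\*\*")
STATE_RE = re.compile(r"CAPWAP changed state to (?P<state>[A-Z_]+)")
# Right after a reload the AP clock reads 'Mar 1 00:0x' until it is set; later entries
# with that stamp cannot be ordered against the pre-reload ones by time alone.
UNSYNCED_RE = re.compile(r"^Mar\s+1\s+00:0")


def split_entries(output: str) -> List[str]:
    """Drop the download preamble and banner, then rejoin lines the CLI wrapped."""
    entries: List[str] = []
    for raw in output.splitlines():
        line = raw.rstrip()
        if ENTRY_RE.match(line):
            entries.append(line)
        elif entries and line and not line.startswith("="):
            entries[-1] += " " + line.strip()  # continuation of the previous entry
    return entries


def parse_entry(entry: str) -> Dict[str, object]:
    """Timestamp, body, and (if present) the %FAC-SEV-MNEMONIC fields or reload reason."""
    m = ENTRY_RE.match(entry)
    assert m is not None, "split_entries only yields lines matching ENTRY_RE"
    rec: Dict[str, object] = {"timestamp": m["ts"], "body": m["body"],
                              "severity": None, "mnemonic": None, "reload_reason": None}
    msg = MSG_RE.search(m["body"])
    if msg:
        rec.update(facility=msg["facility"], severity=int(msg["severity"]),
                   mnemonic=msg["mnemonic"], text=msg["text"])
    reload = RELOAD_RE.search(m["body"])
    if reload:
        rec["reload_reason"] = reload["reason"]
    return rec


def triage(output: str) -> Dict[str, object]:
    """Summarise an AP event log: why it reloaded, which CAPWAP states it reached,
    every message of severity errors (3) or worse, and whether the clock was unset."""
    result: Dict[str, object] = {"reload_reasons": [], "capwap_states": [],
                                 "errors": [], "clock_unsynced": False}
    for rec in map(parse_entry, split_entries(output)):
        if rec["reload_reason"]:
            result["reload_reasons"].append(rec["reload_reason"])
        st = STATE_RE.search(rec["body"])
        if st:
            result["capwap_states"].append(st["state"])
        if rec["severity"] is not None and rec["severity"] <= 3:
            result["errors"].append(f"{rec['timestamp']} {rec['mnemonic']}: {rec['text']}")
        if UNSYNCED_RE.match(rec["timestamp"]):
            result["clock_unsynced"] = True
    return result


# Constructed subset of the show ap eventlog output shown in this section, wrapped as printed.
SAMPLE_EVENTLOG = """\
AP event log download has been initiated
Waiting for download to complete
AP event log download completed.
======================= AP Event log Contents =====================
*Sep 22 11:44:00.573: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE
*Sep 22 11:44:01.514: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0,
changed state to down
*Sep 22 11:44:53.539: *** Access point reloading. Reason: NEW IMAGE DOWNLOAD ***
*Mar 1 00:00:39.078: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:00:48.078: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Mar 1 00:01:48.121: %CAPWAP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager
IP addresses remain
*Mar 1 00:01:48.122: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTLOG).items():
        print(f"{key}: {value}")
```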
Uploading Logs and Crash Files
Upload Logs and Crash Files
• Follow the instructions in this section to upload logs and crash files from the controller. However, before
you begin, ensure you have a TFTP or FTP server available for the file upload. Follow these guidelines
when setting up a TFTP or FTP server:
• If you are uploading through the service port, the TFTP or FTP server must be on the same subnet
as the service port because the service port is not routable, or you must create static routes on the
controller.
• If you are uploading through the distribution system network port, the TFTP or FTP server can be
on the same or a different subnet because the distribution system port is routable.
• A third-party TFTP or FTP server cannot run on the same computer as Cisco Prime Infrastructure
because the Prime Infrastructure built-in TFTP or FTP server and the third-party TFTP or FTP
server require the same communication port.
Uploading Logs and Crash Files (GUI)
Step 1
Choose Command > Upload File. The Upload File from Controller page appears.
Step 2
From the File Type drop-down list, choose one of the following:
• Event Log
• Message Log
• Trap Log
• Crash File
Step 3
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP
Step 4
In the IP Address text box, enter the IP address of the server.
Step 5
In the File Path text box, enter the directory path of the log or crash file.
Step 6
In the File Name text box, enter the name of the log or crash file.
Step 7
If you chose FTP as the Transfer Mode, follow these steps:
a. In the Server Login Username text box, enter the FTP server login name.
b. In the Server Login Password text box, enter the FTP server login password.
c. In the Server Port Number text box, enter the port number of the FTP server. The default value for the server port
is 21.
Step 8
Click Upload to upload the log or crash file from the controller. A message appears indicating the status of the upload.
Uploading Logs and Crash Files (CLI)
Step 1
To transfer the file from the controller to a server, enter this command:
transfer upload mode {tftp | ftp | sftp}
Step 2
To specify the type of file to be uploaded, enter this command:
transfer upload datatype datatype
where datatype is one of the following options:
• crashfile—Uploads the system’s crash file.
• errorlog—Uploads the system’s error log.
• panic-crash-file—Uploads the kernel panic information if a kernel panic occurs.
• systemtrace—Uploads the system’s trace file.
• traplog—Uploads the system’s trap log.
• watchdog-crash-file—Uploads the console dump resulting from a software-watchdog-initiated reboot of the controller
following a crash. The software watchdog module periodically checks the integrity of the internal software and
makes sure that the system does not stay in an inconsistent or nonoperational state for a long period of time.
Step 3
To specify the path to the file, enter these commands:
• transfer upload serverip server_ip_address
• transfer upload path server_path_to_file
• transfer upload filename filename
Step 4
If you are using an FTP server, also enter these commands:
• transfer upload username username
• transfer upload password password
• transfer upload port port
Note
The default value for the port parameter is 21.
Step 5
To see the updated settings, enter this command:
transfer upload start
Step 6
When prompted to confirm the current settings and start the software upload, answer y.
Uploading Core Dumps from the Controller
Uploading Core Dumps from the Controller
To help troubleshoot controller crashes, you can configure the controller to automatically upload its core dump
file to an FTP server after experiencing a crash. However, you cannot automatically send crash files to an
FTP server.
Configuring the Controller to Automatically Upload Core Dumps to an FTP
Server (GUI)
Step 1
Choose Management > Tech Support > Core Dump to open the Core Dump page.
Figure 23: Core Dump Page
Step 2
To enable the controller to generate a core dump file following a crash, select the Core Dump Transfer check box.
Step 3
To specify the type of server to which the core dump file is uploaded, choose FTP from the Transfer Mode drop-down
list.
Step 4
In the IP Address text box, enter the IP address of the FTP server.
Note
The controller must be able to reach the FTP server.
Step 5
In the File Name text box, enter the name that the controller uses to label the core dump file.
Step 6
In the User Name text box, enter the username for FTP login.
Step 7
In the Password text box, enter the password for FTP login.
Step 8
Click Apply to commit your changes.
Step 9
Click Save Configuration to save your changes.
Configuring the Controller to Automatically Upload Core Dumps to an FTP
Server (CLI)
Step 1
To enable or disable the controller to generate a core dump file following a crash, enter this command:
config coredump {enable | disable}
Step 2
To specify the FTP server to which the core dump file is uploaded, enter this command:
config coredump ftp server_ip_address filename
where
• server_ip_address is the IP address of the FTP server to which the controller sends its core dump file.
Note
The controller must be able to reach the FTP server.
• filename is the name that the controller uses to label the core dump file.
Step 3
To specify the username and password for FTP login, enter this command:
config coredump username ftp_username password ftp_password
Step 4
To save your changes, enter this command:
save config
Step 5
To see a summary of the controller’s core dump file, enter this command:
show coredump summary
Example:
Information similar to the following appears:
Core Dump is enabled
FTP Server IP.................................... 10.10.10.17
FTP Filename..................................... file1
FTP Username..................................... ftpuser
FTP Password.................................. *********
Uploading Core Dumps from Controller to a Server (CLI)
Step 1
To see information about the core dump file in flash memory, enter this command:
show coredump summary
Information similar to the following appears:
Core Dump is disabled
Core Dump file is saved on flash
Sw Version.................................... 6.0.83.0
Time Stamp.................................... Wed Feb 4 13:23:11 2009
File Size..................................... 9081788
File Name Suffix........................... filename.gz
Step 2
To transfer the file from the controller to a server, enter these commands:
• transfer upload mode {tftp | ftp | sftp}
• transfer upload datatype coredump
• transfer upload serverip server_ip_address
• transfer upload path server_path_to_file
• transfer upload filename filename
Note
After the file is uploaded, it ends with a .gz suffix. If desired, you can upload the same core dump file
multiple times with different names to different servers.
Step 3
If you are using an FTP server, also enter these commands:
• transfer upload username username
• transfer upload password password
• transfer upload port port
Note
The default value for the port parameter is 21.
Step 4
To view the updated settings, enter this command:
transfer upload start
Step 5
When prompted to confirm the current settings and start the software upload, answer y.
Uploading Packet Capture Files
Uploading Crash Packet Capture Files
When a controller's data plane crashes, it stores the last 50 packets that the controller received in flash memory.
This information can be useful in troubleshooting the crash.
When a crash occurs, the controller generates a new packet capture file (*.pcap) file, and a message similar
to the following appears in the controller crash file:
Last 5 packets processed at each core are stored in
"last_received_pkts.pcap" captured file.
- Frame 36,38,43,47,49, processed at core #0.
- Frame 14,27,30,42,45, processed at core #1.
- Frame 15,18,20,32,48, processed at core #2.
- Frame 11,29,34,37,46, processed at core #3.
- Frame 7,8,12,31,35, processed at core #4.
- Frame 21,25,39,41,50, processed at core #5.
- Frame 16,17,19,22,33, processed at core #6.
- Frame 6,10,13,23,26, processed at core #7.
- Frame 9,24,28,40,44, processed at core #8.
- Frame 1,2,3,4,5, processed at core #9.
You can use the controller GUI or CLI to upload the packet capture file from the controller. You can then use
Wireshark or another standard packet capture tool to view and analyze the contents of the file.
Figure 24: Sample Output of Packet Capture File in Wireshark
This figure shows a sample output of the packet capture in Wireshark.
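The crash-file message above is the only thing that ties the 50 frames in last_received_pkts.pcap to the data-plane core that handled them, so the first step of an analysis is usually to parse that message and pull one core's frames out of the capture. The following is an added example, not code from the Cisco guide: it parses the message text (copied from the sample above), checks that the per-core lists really cover frames 1 to 50 exactly once, and then reads a classic pcap file with the standard library only, returning the records a given core processed. The pcap writer exists only so the example can construct its own input offline; on a real controller you would pass the bytes of the uploaded .pcap file instead.

```python
import re
import struct

# Constructed sample of the message the controller writes to its crash file;
# the frame numbers are the ones shown in the example on this page.
CRASH_MESSAGE = """\
Last 5 packets processed at each core are stored in
"last_received_pkts.pcap" captured file.
- Frame 36,38,43,47,49, processed at core #0.
- Frame 14,27,30,42,45, processed at core #1.
- Frame 15,18,20,32,48, processed at core #2.
- Frame 11,29,34,37,46, processed at core #3.
- Frame 7,8,12,31,35, processed at core #4.
- Frame 21,25,39,41,50, processed at core #5.
- Frame 16,17,19,22,33, processed at core #6.
- Frame 6,10,13,23,26, processed at core #7.
- Frame 9,24,28,40,44, processed at core #8.
- Frame 1,2,3,4,5, processed at core #9.
"""

CORE_LINE = re.compile(r"Frame ([0-9,]+), processed at core #(\d+)\.")


def frames_per_core(message):
    """Map core number -> list of 1-based frame numbers (Wireshark's Frame column)."""
    per_core = {}
    for m in CORE_LINE.finditer(message):
        per_core[int(m.group(2))] = [int(n) for n in m.group(1).split(",") if n]
    return per_core


def check_partition(per_core, total=50):
    """Every one of the last `total` packets must appear under exactly one core."""
    seen = sorted(n for nums in per_core.values() for n in nums)
    return seen == list(range(1, total + 1))


PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_IEEE802_11 = 105


def build_pcap(packets, linktype=LINKTYPE_IEEE802_11):
    """Write a minimal little-endian classic pcap in memory (test input only)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return bytes(out)


def read_pcap(data):
    """Yield (frame_number, payload) from a classic pcap, honouring its byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic (non-pcapng) capture file")
    pos, number = 24, 0
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, pos)
        pos += 16
        if pos + incl_len > len(data):
            raise ValueError(f"record {number + 1} is truncated")
        number += 1
        yield number, data[pos:pos + incl_len]
        pos += incl_len


def frames_for_core(pcap_bytes, per_core, core):
    """Return the (frame_number, payload) records that one data-plane core handled."""
    wanted = set(per_core[core])
    return [(n, pkt) for n, pkt in read_pcap(pcap_bytes) if n in wanted]


if __name__ == "__main__":
    mapping = frames_per_core(CRASH_MESSAGE)
    print("per-core lists cover frames 1-50 exactly once:", check_partition(mapping))
    # Constructed stand-in for last_received_pkts.pcap: 50 dummy records.
    sample = build_pcap([bytes([i]) * 8 for i in range(1, 51)])
    for n, pkt in frames_for_core(sample, mapping, core=9):
        print(f"frame {n}: {pkt.hex()}")
```

Because the frame numbers in the message are positions in the capture rather than identifiers inside the packets, the partition check matters: a message whose lists overlap or leave gaps means the capture and the crash file do not belong to the same crash, and the per-core attribution should not be trusted.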
This section contains the following subsections:
Restrictions for Uploading Crash Packet Capture Files
• Only Cisco 5508 WLCs generate crash packet capture files. This feature is not available on other controller
platforms.
• Ensure that you have a TFTP, FTP, or SFTP server available for the file upload. Prefer SFTP where you can:
TFTP and FTP send the capture (and, for FTP, the server login credentials) across the network in cleartext.
Follow these guidelines when setting up the server:
    • If you are uploading through the service port, the server must be on the same subnet as the service
    port because the service port is not routable, or you must create static routes on the controller.
    • If you are uploading through the distribution system network port, the server can be on the same or a
    different subnet because the distribution system port is routable.
    • A third-party TFTP or FTP server cannot run on the same computer as Cisco Prime Infrastructure because
    the Prime Infrastructure built-in TFTP or FTP server and the third-party TFTP or FTP server require the
    same communication port.
Uploading Crash Packet Capture Files (GUI)
Step 1
Choose Commands > Upload File to open the Upload File from Controller page.
Step 2
From the File Type drop-down list, choose Packet Capture.
Step 3
From the Transfer Mode drop-down list, choose from the following options:
• TFTP
• FTP
• SFTP
Step 4
In the IP Address field, enter the IP address of the server.
Step 5
In the File Path field, enter the directory path of the packet capture file.
Step 6
In the File Name field, enter the name of the packet capture file. These files have a .pcap extension.
Step 7
If you are using an FTP server, follow these steps:
a) In the Server Login Username field, enter the username to log into the FTP server.
b) In the Server Login Password field, enter the password to log into the FTP server.
c) In the Server Port Number field, enter the port number on the FTP server through which the upload occurs. The
default value is 21.
Step 8
Click Upload to upload the packet capture file from the controller. A message is displayed indicating the status of the
upload.
Step 9
Use Wireshark or another standard packet capture tool to open the packet capture file and see the last 50 packets that
were received by the controller.
Uploading Crash Packet Capture Files (CLI)
Step 1
Log on to the controller CLI.
Step 2
Enter the transfer upload mode {tftp | ftp | sftp} command.
Step 3
Enter the transfer upload datatype packet-capture command.
Step 4
Enter the transfer upload serverip server-ip-address command.
Step 5
Enter the transfer upload path server-path-to-file command.
Step 6
Enter the transfer upload filename last_received_pkts.pcap command.
Step 7
If you are using an FTP server, enter these commands:
• transfer upload username username
• transfer upload password password
• transfer upload port port
Note
The default value for the port parameter is 21.
Step 8
Enter the transfer upload start command to see the updated settings and then answer y when prompted to confirm the
current settings and start the upload process.
Step 9
Use Wireshark or another standard packet capture tool to open the packet capture file and see the last 50 packets that
were received by the controller.
Monitoring Memory Leaks
This section provides instructions for troubleshooting hard-to-solve or hard-to-reproduce memory problems.
Caution
The commands in this section can be disruptive to your system and should be run only when you are advised
to do so by the Cisco Technical Assistance Center (TAC).
This section contains the following subsection:
Monitoring Memory Leaks (CLI)
Step 1
To enable or disable monitoring for memory errors and leaks, enter this command:
config memory monitor errors {enable | disable}
The default value is disabled.
Note
Your changes are not saved across reboots. After the controller reboots, it uses the default setting for this feature.
Step 2
If you suspect that a memory leak has occurred, enter this command to configure the controller to perform an auto-leak
analysis between two memory thresholds (in kilobytes):
config memory monitor leaks low_thresh high_thresh
If the free memory is lower than the low_thresh threshold, the system crashes, generating a crash file. The default value
for this parameter is 10000 kilobytes, and you cannot set it below this value.
Set the high_thresh threshold to the current free memory level or higher so that the system enters auto-leak-analysis
mode. After the free memory reaches a level lower than the specified high_thresh threshold, the process of tracking and
freeing memory allocation begins. As a result, the debug memory events enable command shows all allocations and
frees, and the show memory monitor detail command starts to detect any suspected memory leaks. The default value
for this parameter is 30000 kilobytes.
Step 3
To see a summary of any discovered memory issues, enter this command:
show memory monitor
Information similar to the following appears:
Memory Leak Monitor Status:
low_threshold(10000), high_threshold(30000), current status(disabled)
------------------------------------------Memory Error Monitor Status:
Crash-on-error flag currently set to (disabled)
No memory error detected.
Step 4
To see the details of any memory leaks or corruption, enter this command:
show memory monitor detail
Information similar to the following appears:
Memory error detected. Details:
------------------------------------------------
- Corruption detected at pmalloc entry address: (0x179a7ec0)
- Corrupt entry:headerMagic(0xdeadf00d),trailer(0xabcd),poison(0xreadceef),
entrysize(128),bytes(100),thread(Unknown task name, task id = (332096592)),
file(pmalloc.c),line(1736),time(1027)
Previous 1K memory dump from error location.
------------------------------------------------
(179a7ac0): 00000000 00000000 00000000 ceeff00d readf00d 00000080 00000000 00000000
(179a7ae0): 17958b20 00000000 1175608c 00000078 00000000 readceef 179a7afc 00000001
(179a7b00): 00000003 00000006 00000001 00000004 00000001 00000009 00000009 0000020d
(179a7b20): 00000001 00000002 00000002 00000001 00000004 00000000 00000000 5d7b9aba
(179a7b40): cbddf004 192f465e 7791acc8 e5032242 5365788c a1b7cee6 00000000 00000000
(179a7b60): 00000000 00000000 00000000 00000000 00000000 ceeff00d readf00d 00000080
(179a7b80): 00000000 00000000 17958dc0 00000000 1175608c 00000078 00000000 readceef
(179a7ba0): 179a7ba4 00000001 00000003 00000006 00000001 00000004 00000001 00003763
(179a7bc0): 00000002 00000002 00000010 00000001 00000002 00000000 0000001e 00000013
(179a7be0): 0000001a 00000089 00000000 00000000 000000d8 00000000 00000000 17222194
(179a7c00): 1722246c 1722246c 00000000 00000000 00000000 00000000 00000000 ceeff00d
(179a7c20): readf00d 00000080 00000000 00000000 179a7b78 00000000 1175608c 00000078
Step 5
If a memory leak occurs, enter this command to enable debugging of errors or events during memory allocation:
debug memory {errors | events} {enable | disable}
Troubleshooting CCXv5 Client Devices
Information About Troubleshooting CCXv5 Client Devices
The controller supports three features designed to help troubleshoot communication problems with CCXv5
clients: diagnostic channel, client reporting, and roaming and real-time diagnostics.
Restrictions for CCXv5 Client Devices
Diagnostic channel, client reporting, and roaming and real-time diagnostics features are supported only on
CCXv5 clients. They are not supported for use with non-CCX clients or with clients running an earlier version
of CCX.
Configuring Diagnostic Channel
You can choose a diagnostic channel to troubleshoot why the client is having communication problems with
a WLAN. You can test the client and access points to identify the difficulties that the client is experiencing
and allow corrective measures to be taken to make the client operational on the network. You can use the
controller GUI or CLI to enable the diagnostic channel, and you can use the controller diag-channel CLI to
run the diagnostic tests.
Note
We recommend that you enable the diagnostic channel feature only for nonanchored SSIDs that use the
management interface. The CCX diagnostic feature has been tested only with clients that have a Cisco ADU card.
Configuring the Diagnostic Channel (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Create a new WLAN or click the ID number of an existing WLAN.
Note
We recommend that you create a new WLAN on which to run the diagnostic tests.
Step 3
When the WLANs > Edit page appears, choose the Advanced tab to open the WLANs > Edit (Advanced) page.
Figure 25: WLANs > Edit (Advanced) Page
Step 4
If you want to enable diagnostic channel troubleshooting on this WLAN, select the Diagnostic Channel check box.
Otherwise, leave this check box unselected, which is the default value.
Note
You can use the CLI to initiate diagnostic tests on the client.
Step 5
Click Apply to commit your changes.
Step 6
Click Save Configuration to save your changes.
Configuring the Diagnostic Channel (CLI)
Step 1
To enable diagnostic channel troubleshooting on a particular WLAN, enter this command:
config wlan diag-channel {enable | disable} wlan_id
Step 2
To verify that your change has been made, enter this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 1
Profile Name..................................... employee1
Network Name (SSID).............................. employee
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
Interface........................................ virtual
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Enabled
...
Step 3
To send a request to the client to perform the DHCP test, enter this command:
config client ccx dhcp-test client_mac_address
Note
This test does not require the client to use the diagnostic channel.
Step 4
To send a request to the client to perform the default gateway ping test, enter this command:
config client ccx default-gw-ping client_mac_address
Note
This test does not require the client to use the diagnostic channel.
Step 5
To send a request to the client to perform the DNS server IP address ping test, enter this command:
config client ccx dns-ping client_mac_address
Note
This test does not require the client to use the diagnostic channel.
Step 6
To send a request to the client to perform the DNS name resolution test to the specified host name, enter this command:
config client ccx dns-resolve client_mac_address host_name
Note
This test does not require the client to use the diagnostic channel.
Step 7
To send a request to the client to perform the association test, enter this command:
config client ccx test-association client_mac_address ssid bssid {802.11a | 802.11b | 802.11g} channel
Step 8
To send a request to the client to perform the 802.1X test, enter this command:
config client ccx test-dot1x client_mac_address profile_id bssid {802.11a | 802.11b | 802.11g} channel
Step 9
To send a request to the client to perform the profile redirect test, enter this command:
config client ccx test-profile client_mac_address profile_id
The profile_id should be from one of the client profiles for which client reporting is enabled.
Note
Users are redirected back to the parent WLAN, not to any other profile. The only profile shown is the user’s
parent profile. Note however that parent WLAN profiles can have one child diagnostic WLAN.
Step 10
Use these commands if necessary to terminate or clear a test:
• To send a request to the client to terminate the current test, enter this command:
config client ccx test-abort client_mac_address
Only one test can be pending at a time, so this command terminates the current pending test.
• To clear the test results on the controller, enter this command:
config client ccx clear-results client_mac_address
Step 11
To send a message to the client, enter this command:
config client ccx send-message client_mac_address message_id
where message_id is one of the following:
• 1 = The SSID is invalid.
• 2 = The network settings are invalid.
• 3 = There is a WLAN credibility mismatch.
• 4 = The user credentials are incorrect.
• 5 = Please call support.
• 6 = The problem is resolved.
• 7 = The problem has not been resolved.
• 8 = Please try again later.
• 9 = Please correct the indicated problem.
• 10 = Troubleshooting is refused by the network.
• 11 = Retrieving client reports.
• 12 = Retrieving client logs.
• 13 = Retrieval complete.
• 14 = Beginning association test.
• 15 = Beginning DHCP test.
• 16 = Beginning network connectivity test.
• 17 = Beginning DNS ping test.
• 18 = Beginning name resolution test.
• 19 = Beginning 802.1X authentication test.
• 20 = Redirecting client to a specific profile.
• 21 = Test complete.
• 22 = Test passed.
• 23 = Test failed.
• 24 = Cancel diagnostic channel operation or select a WLAN profile to resume normal operation.
• 25 = Log retrieval refused by the client.
• 26 = Client report retrieval refused by the client.
• 27 = Test request refused by the client.
• 28 = Invalid network (IP) setting.
• 29 = There is a known outage or problem with the network.
• 30 = Scheduled maintenance period.
• 31 = The WLAN security method is not correct.
• 32 = The WLAN encryption method is not correct.
• 33 = The WLAN authentication method is not correct.
Step 12
To see the status of the last test, enter this command:
show client ccx last-test-status client_mac_address
Information similar to the following appears for the default gateway ping test:
Test Type........................................ Gateway Ping Test
Test Status...................................... Pending/Success/Timeout
Dialog Token..................................... 15
Timeout.......................................... 15000 ms
Request Time..................................... 1329 seconds since system boot
Step 13
To see the status of the last test response, enter this command:
show client ccx last-response-status client_mac_address
Information similar to the following appears for the 802.1X authentication test:
Test Status...................................... Success
Response Dialog Token............................ 87
Response Status.................................. Successful
Response Test Type............................... 802.1x Authentication Test
Response Time.................................... 3476 seconds since system boot
Step 14
To see the results from the last successful diagnostics test, enter this command:
show client ccx results client_mac_address
Information similar to the following appears for the 802.1X authentication test:
dot1x Complete................................... Success
EAP Method....................................... *1,Host OS Login Credentials
dot1x Status.................................. 255
Step 15
To see the relevant data frames captured by the client during the previous test, enter this command:
show client ccx frame-data client_mac_address
Information similar to the following appears:
LOG Frames:
Frame Number:.................................... 1
Last Frame Number:............................... 1120
Direction:....................................... 1
Timestamp:....................................... 0d 00h 50m 39s 863954us
Frame Length:.................................... 197
Frame Data:
00000000: 80 00 00 00 ff ff ff ff ff ff 00 12 44 bd bd b0  ............D...
00000010: 00 12 44 bd bd b0 f0 af 43 70 00 f2 82 01 00 00  ..D.....Cp......
00000020: 64 00 11 08 00 01 00 01 08 8c 12 98 24 b0 48 60  d...........$.H`
00000030: 6c 05 04 01 02 00 00 85 1e 00 00 89 00 0f 00 ff  l...............
00000040: 03 19 00 41 50 32 33 2d 31 30 00 00 00 00 00 00  ...AP23-10......
00000050: 00 00 00 00 00 00 26 96 06 00 40 96 00 ff ff dd  ......&...@.....
00000060: 18 00 50 f2 01 01 00 00 50 f2 05 01 00 00 50 f2  ..P.....P.....P.
00000070: 05 01 00 00 40 96 00 28 00 dd 06 00 40 96 01 01  ....@..(....@...
00000080: 00 dd 05 00 40 96 03 04 dd 16 00 40 96 04 00 02  ....@......@....
00000090: 07 a4 00 00 23 a4 00 00 42 43 00 00 62 32 00 00  ....#...BC..b2..
000000a0: dd 05 00 40 96 0b 01 dd 18 00 50 f2 02 01 01 82  ...@......P.....
000000b0: 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f  .....'...BC^.b2/
LOG Frames:
Frame Number:.................................... 2
Last Frame Number:............................... 1120
Direction:....................................... 1
Timestamp:....................................... 0d 00h 50m 39s 878289us
Frame Length:.................................... 147
Frame Data:
00000000: 80 00 00 00 ff ff ff ff ff ff 00 0d ed c3 a0 22  ..............."
00000010: 00 0d ed c3 a0 22 00 bd 4d 50 a5 f7 78 08 00 00  ....."..MP..x...
00000020: 64 00 01 00 00 01 00 01 08 8c 12 98 24 b0 48 60  d...........$.H`
00000030: 6c 05 04 01 02 00 00 85 1e 00 00 84 00 0f 00 ff  l...............
00000040: 03 19 00 72 6f 67 75 65 2d 74 65 73 74 31 00 00  ...rogue-test1..
00000050: 00 00 00 00 00 00 23 96 06 00 40 96 00 10 00 dd  ......#...@.....
00000060: 06 00 40 96 01 01 00 dd 05 00 40 96 03 04 dd 05  ..@.......@.....
00000070: 00 40 96 0b 01 dd 18 00 50 f2 02 01 01 81 00 03  .@......P.......
00000080: a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f 00 d2  ...'...BC^.b2/..
00000090: b4 ab 84                                         ...
LOG Frames:
Frame Number:.................................... 3
Last Frame Number:............................... 1120
Direction:....................................... 1
Timestamp:....................................... 0d 00h 50m 39s 881513us
Frame Length:.................................... 189
Frame Data:
00000000: 80 00 00 00 ff ff ff ff ff ff 00 12 44 bd 80 30  ............D..0
00000010: 00 12 44 bd 80 30 60 f7 46 c0 8b 4b d1 05 00 00  ..D..0`.F..K....
00000020: 64 00 11 08 00 01 00 01 08 8c 12 98 24 b0 48 60  d...........$.H`
00000030: 6c 05 04 00 02 00 00 85 1e 00 00 89 00 0f 00 ff  l...............
00000040: 03 19 00 41 50 34 30 2d 31 37 00 00 00 00 00 00  ...AP40-17......
00000050: 00 00 00 00 00 00 26 dd 18 00 50 f2 01 01 00 00  ......&...P.....
00000060: 50 f2 05 01 00 00 50 f2 05 01 00 00 40 96 00 28  P.....P.....@..(
00000070: 00 dd 06 00 40 96 01 01 00 dd 05 00 40 96 03 04  ....@.......@...
00000080: dd 16 00 40 96 04 00 05 07 a4 00 00 23 a4 00 00  ...@........#...
00000090: 42 43 00 00 62 32 00 00 dd 05 00 40 96 0b 01 dd  BC..b2.....@....
000000a0: 18 00 50 f2 02 01 01 85 00 03 a4 00 00 27 a4 00  ..P..........'..
000000b0: 00 42 43 5e 00 62 32 2f 00 0b 9a 1d 6f           .BC^.b2/....o
...
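The frame-data output is a raw hex dump of 802.11 management frames, and the controller does not decode it for you. The following is an added example, not code from the Cisco guide: it rebuilds the bytes from the dump rows (verifying that the offsets are contiguous, so a row lost while copying from a terminal is caught), decodes the beacon's MAC header and fixed fields, and walks the tagged information elements. The embedded input is the first sample frame above (the 197-byte beacon from AP23-10) as far as the dump shows it, which is to offset 0xbf; the logged Frame Length includes the 4-byte FCS, and the final WMM element and the FCS fall past the end of the dump, so the decoder has to report the frame as truncated rather than mis-parse the tail. The reading of the Cisco Aironet element (tag 0x85) as carrying a 16-byte AP name at offset 10 follows Wireshark's decoding of that tag and is an assumption of this example, not something the guide states.

```python
import re
import struct

# Sample input: the first "LOG Frames" hex dump on this page, in 16-byte rows.
# The dump stops at offset 0xbf although Frame Length is 197, so the last
# element and the FCS are missing; that is the edge case handled below.
FRAME_DATA_DUMP = """\
00000000: 80 00 00 00 ff ff ff ff ff ff 00 12 44 bd bd b0  ............D...
00000010: 00 12 44 bd bd b0 f0 af 43 70 00 f2 82 01 00 00  ..D.....Cp......
00000020: 64 00 11 08 00 01 00 01 08 8c 12 98 24 b0 48 60  d...........$.H`
00000030: 6c 05 04 01 02 00 00 85 1e 00 00 89 00 0f 00 ff  l...............
00000040: 03 19 00 41 50 32 33 2d 31 30 00 00 00 00 00 00  ...AP23-10......
00000050: 00 00 00 00 00 00 26 96 06 00 40 96 00 ff ff dd  ......&...@.....
00000060: 18 00 50 f2 01 01 00 00 50 f2 05 01 00 00 50 f2  ..P.....P.....P.
00000070: 05 01 00 00 40 96 00 28 00 dd 06 00 40 96 01 01  ....@..(....@...
00000080: 00 dd 05 00 40 96 03 04 dd 16 00 40 96 04 00 02  ....@......@....
00000090: 07 a4 00 00 23 a4 00 00 42 43 00 00 62 32 00 00  ....#...BC..b2..
000000a0: dd 05 00 40 96 0b 01 dd 18 00 50 f2 02 01 01 82  ...@......P.....
000000b0: 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f  .....'...BC^.b2/
"""
FRAME_LENGTH = 197   # the "Frame Length" field of the same log entry

DUMP_LINE = re.compile(r"^\s*([0-9a-fA-F]+):\s*((?:[0-9a-fA-F]{2} ?){1,16})")


def parse_hex_dump(text):
    """Turn 'offset: xx xx ...  ascii' rows back into bytes, refusing gaps."""
    buf = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue                      # field labels, blank lines, "..."
        offset = int(m.group(1), 16)
        if offset != len(buf):
            raise ValueError(f"gap in dump: expected offset {len(buf):#x}, got {offset:#x}")
        buf += bytes.fromhex(m.group(2))
    return bytes(buf)


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(body):
    """Walk tag/length/value elements; return (elements, truncated)."""
    ies, pos = [], 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if pos + 2 + length > len(body):
            return ies, True              # element runs past the end of the dump
        ies.append((tag, bytes(body[pos + 2:pos + 2 + length])))
        pos += 2 + length
    return ies, pos != len(body)


def decode_beacon(frame, frame_length=None):
    """Decode one logged beacon. frame_length is the log's Frame Length value;
    when the dump is shorter than that, the frame is treated as truncated and
    no FCS is stripped."""
    if frame_length is None:
        frame_length = len(frame)
    complete = len(frame) >= frame_length
    if complete:
        frame = frame[:frame_length - 4]  # logged length includes the 4-byte FCS
    if len(frame) < 36:
        raise ValueError("too short for a beacon (24-byte header + 12 fixed bytes)")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (0, 8):
        raise ValueError(f"not a beacon: type={ftype} subtype={subtype}")
    tsf, interval, cap = struct.unpack_from("<QHH", frame, 24)
    ies, ie_truncated = parse_ies(frame[36:])
    info = {
        "da": mac(frame[4:10]), "sa": mac(frame[10:16]), "bssid": mac(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "tsf": tsf, "beacon_interval_tu": interval,
        "capability": cap, "privacy": bool(cap & 0x0010),
        "ssid": None, "rates_mbps": [], "ap_name": None, "vendor": [],
        "truncated": (not complete) or ie_truncated,
    }
    for tag, body in ies:
        if tag == 0:
            info["ssid"] = body
        elif tag == 1:
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in body]
        elif tag == 0x85 and len(body) >= 26:
            # Cisco Aironet element: 16-byte AP name at offset 10 (assumed, per Wireshark)
            info["ap_name"] = body[10:26].split(b"\x00", 1)[0].decode("ascii", "replace")
        elif tag == 0xDD and len(body) >= 4:
            info["vendor"].append((mac(body[:3]), body[3]))  # (OUI, OUI type)
    return info


if __name__ == "__main__":
    frame = parse_hex_dump(FRAME_DATA_DUMP)
    for k, v in decode_beacon(frame, FRAME_LENGTH).items():
        print(f"{k:>20}: {v}")
```

On the sample frame the decoder reports a beacon from BSSID 00:12:44:bd:bd:b0 with a one-byte SSID of 0x00 (the SSID is not being broadcast), a 100 TU beacon interval, the privacy bit set, 802.11a rates from 6 to 54 Mbps, AP name AP23-10, a WPA element (OUI 00:50:f2 type 1) plus four Cisco elements (OUI 00:40:96), and truncated set to True because the dump ends before the last element.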
Configuring Client Reporting
The client reporting protocol is used by the client and the access point to exchange client information. Client
reports are collected automatically when the client associates. You can use the controller GUI or CLI to send
a client report request to any CCXv5 client any time after the client associates. There are four types of client
reports:
• Client profile—Provides information about the configuration of the client.
• Operating parameters—Provides the details of the client’s current operational modes.
• Manufacturers’ information—Provides data about the wireless LAN client adapter in use.
• Client capabilities—Provides information about the client’s capabilities.
Configuring Client Reporting (GUI)
Step 1
Choose Monitor > Clients to open the Clients page.
Step 2
Click the MAC address of the desired client. The Clients > Detail page appears.
Step 3
To send a report request to the client, click Send CCXV5 Req.
Note
You must create a Trusted Profile using ACAU for Cisco CB21AG or equivalent software from your CCXv5
vendor.
Step 4
To view the parameters from the client, click Display. The Client Reporting page appears.
Step 5
Click the link for the desired client profile. The Profile Details page appears displaying the client profile details, including
the SSID, power save mode, radio channel, data rates, and 802.11 security settings.
Configuring Client Reporting (CLI)
Step 1
To send a request to the client to send its profiles, enter this command:
config client ccx get-profiles client_mac_address
Step 2
To send a request to the client to send its current operating parameters, enter this command:
config client ccx get-operating-parameters client_mac_address
Step 3
To send a request to the client to send the manufacturer’s information, enter this command:
config client ccx get-manufacturer-info client_mac_address
Step 4
To send a request to the client to send its capability information, enter this command:
config client ccx get-client-capability client_mac_address
Step 5
To clear the client reporting information, enter this command:
config client ccx clear-reports client_mac_address
Step 6
To see the client profiles, enter this command:
show client ccx profiles client_mac_address
Step 7
To see the client operating parameters, enter this command:
show client ccx operating-parameters client_mac_address
Step 8
To see the client manufacturer information, enter this command:
show client ccx manufacturer-info client_mac_address
Step 9
To see the client’s capability information, enter this command:
show client ccx client-capability client_mac_address
Note
This command displays the client’s available capabilities, not current settings for the capabilities.
Configuring Roaming and Real-Time Diagnostics
You can use roaming and real-time logs and statistics to solve system problems. The event log enables you
to identify and track the behavior of a client device. It is especially useful when attempting to diagnose
difficulties that a user may be having on a WLAN. The event log provides a log of events and reports them
to the access point. There are three categories of event logs:
• Roaming log—This log provides a historical view of the roaming events for a given client. The client
maintains a minimum of five previous roaming events including failed attempts and successful roams.
• Robust Security Network Association ( RSNA) log—This log provides a historical view of the
authentication events for a given client. The client maintains a minimum of five previous authentication
attempts including failed attempts and successful ones.
• Syslog—This log provides internal system information from the client. For example, it may indicate
problems with 802.11 operation, system operation, and so on.
The statistics report provides 802.1X and security information for the client. You can use the controller CLI
to send the event log and statistics request to any CCXv5 client any time after the client associates.
Configuring Roaming and Real-Time Diagnostics (CLI)
Step 1
To send a log request, enter this command:
config client ccx log-request log_type client_mac_address
where log_type is roam, rsna, or syslog.
Step 2
To view a log response, enter this command:
show client ccx log-response log_type client_mac_address
where log_type is roam, rsna, or syslog.
Information similar to the following appears for a log response with a log_type of roam:
Tue Jun 26 18:28:48 2007
Roaming Response LogID=133: Status=Successful
Event Timestamp=0d 00h 00m 13s 322396us
Source BSSID=00:0b:85:81:06:c2, Target BSSID=00:0b:85:81:06:c2, Transition
Time=3125(ms)
Transition Reason: Normal roam, poor link
Transition Result: Success
Tue Jun 26 18:28:48 2007
Roaming Response LogID=133: Status=Successful
Event Timestamp=0d 00h 00m 16s 599006us
Source BSSID=00:0b:85:81:06:c2, Target BSSID=00:0b:85:81:06:c2, Transition
Time=3235(ms)
Transition Reason: Normal roam, poor link
Transition Result: Success
Event Timestamp=0d 00h 00m 19s 882921us
Source BSSID=00:0b:85:81:06:c2, Target BSSID=00:0b:85:81:06:c2, Transition
Time=3234(ms)
Transition Reason: Normal roam, poor link
Transition Result: Success
Tue Jun 26 18:28:48 2007
Roaming Response LogID=133: Status=Successful
Event Timestamp=0d 00h 00m 08s 815477us
Source BSSID=00:0b:85:81:06:c2, Target BSSID=00:0b:85:81:06:d2, Transition
Time=3281(ms)
Transition Reason: First association to WLAN
Transition Result: Success
Event Timestamp=0d 00h 00m 26s 637084us
Source BSSID=00:0b:85:81:06:d2, Target BSSID=00:0b:85:81:06:c2, Transition
Time=3313(ms)
Information similar to the following appears for a log response with a log_type of rsna. The suite selectors
use the IEEE 802.11 OUI 00-0f-ac: group cipher 02 is TKIP, pairwise cipher 04 is CCMP, and AKM 01 is 802.1X:
Tue Jun 26 18:24:09 2007
RSNA Response LogID=132: Status=Successful
Event Timestamp=0d 00h 00m 00s 246578us
Target BSSID=00:14:1b:58:86:cd
RSNA Version=1
Group Cipher Suite=00-0f-ac-02
Pairwise Cipher Suite Count = 1
Pairwise Cipher Suite 0 = 00-0f-ac-04
AKM Suite Count = 1
AKM Suite 0 = 00-0f-ac-01
RSN Capability = 0x0
RSNA Result: Success
Tue Jun 26 18:24:09 2007
RSNA Response LogID=132: Status=Successful
Event Timestamp=0d 00h 00m 00s 246625us
Target BSSID=00:14:1b:58:86:cd
RSNA Version=1
Group Cipher Suite=00-0f-ac-02
Pairwise Cipher Suite Count = 1
Pairwise Cipher Suite 0 = 00-0f-ac-04
AKM Suite Count = 1
AKM Suite 0 = 00-0f-ac-01
RSN Capability = 0x0
RSNA Result: Success
Tue Jun 26 18:24:09 2007
RSNA Response LogID=132: Status=Successful
Event Timestamp=0d 00h 00m 01s 624375us
Target BSSID=00:14:1b:58:86:cd
RSNA Version=1
Group Cipher Suite=00-0f-ac-02
Pairwise Cipher Suite Count = 1
Pairwise Cipher Suite 0 = 00-0f-ac-04
AKM Suite Count = 1
AKM Suite 0 = 00-0f-ac-01
RSN Capability = 0x0
RSNA Result: Success
Information similar to the following appears for a log response with a log_type of syslog:
Tue Jun 26 18:07:48 2007
SysLog Response LogID=131: Status=Successful
Event Timestamp=0d 00h 19m 42s 278987us
Client SysLog = '<11> Jun 19 11:49:47 uraval3777 Mandatory elements missing
in the OID response'
Event Timestamp=0d 00h 19m 42s 278990us
Client SysLog = '<11> Jun 19 11:49:50 uraval3777 Mandatory elements missing
in the OID response'
Tue Jun 26 18:07:48 2007
SysLog Response LogID=131: Status=Successful
Event Timestamp=0d 00h 19m 42s 278993us
Client SysLog = '<11> Jun 19 11:49:53 uraval3777 Mandatory elements missing
in the OID response'
Event Timestamp=0d 00h 19m 42s 278996us
Client SysLog = '<11> Jun 19 11:49:56 uraval3777 Mandatory elements missing
in the OID response'
Tue Jun 26 18:07:48 2007
SysLog Response LogID=131: Status=Successful
Event Timestamp=0d 00h 19m 42s 279000us
Client SysLog = '<11> Jun 19 11:50:00 uraval3777 Mandatory elements missing
in the OID response'
Event Timestamp=0d 00h 19m 42s 279003us
Client SysLog = '<11> Jun 19 11:50:03 uraval3777 Mandatory elements missing
in the OID response'
Tue Jun 26 18:07:48 2007
SysLog Response LogID=131: Status=Successful
Event Timestamp=0d 00h 19m 42s 279009us
Client SysLog = '<11> Jun 19 11:50:09 uraval3777 Mandatory elements missing
in the OID response'
Event Timestamp=0d 00h 19m 42s 279012us
Client SysLog = '<11> Jun 19 11:50:12 uraval3777 Mandatory elements missing
in the OID response'
Step 3
To send a request for statistics, enter this command:
config client ccx stats-request measurement_duration stats_name client_mac_address
where stats_name is dot11 or security.
Step 4
To view the statistics response, enter this command:
show client ccx stats-report client_mac_address
Information similar to the following appears:
Measurement duration = 1
dot11TransmittedFragmentCount = 1
dot11MulticastTransmittedFrameCount = 2
d
dot11FailedCount = 3
dot11RetryCount = 4
dot11MultipleRetryCount = 5
dot11FrameDuplicateCount = 6
dot11RTSSuccessCount = 7
dot11RTSFailureCount = 8
dot11ACKFailureCount = 9
dot11ReceivedFragmentCount = 10
dot11MulticastReceivedFrameCount = 11
dot11FCSErrorCount = 12
dot11TransmittedFrameCount = 13
Using the Debug Facility
Using the Debug Packet Logging Facility
The debug packet logging facility enables you to display all packets going to and from the controller CPU.
You can enable it for received packets, transmitted packets, or both. By default, all packets received by the
debug facility are displayed. However, you can define access control lists (ACLs) to filter packets before they
are displayed. Packets not passing the ACLs are discarded without being displayed.
Each ACL includes an action (permit, deny, or disable) and one or more fields that can be used to match the
packet. The debug facility provides ACLs that operate at the following levels and on the following values:
• Driver ACL
    • NPU encapsulation type
    • Port
• Ethernet header ACL
    • Destination address
    • Source address
    • Ethernet type
    • VLAN ID
• IP header ACL
    • Source address
    • Destination address
    • Protocol
    • Source port (if applicable)
    • Destination port (if applicable)
• EoIP payload Ethernet header ACL
    • Destination address
    • Source address
    • Ethernet type
    • VLAN ID
• EoIP payload IP header ACL
    • Source address
    • Destination address
    • Protocol
    • Source port (if applicable)
    • Destination port (if applicable)
• CAPWAP payload 802.11 header ACL
    • Destination address
    • Source address
    • BSSID
    • SNAP header type
• CAPWAP payload IP header ACL
    • Source address
    • Destination address
    • Protocol
    • Source port (if applicable)
    • Destination port (if applicable)
At each level, you can define multiple ACLs. The first ACL that matches the packet is the one that is selected.
This section contains the following subsection:
Configuring the Debug Facility (CLI)
Step 1
To enable the debug facility, enter this command:
• debug packet logging enable {rx | tx | all} packet_count display_size
where
• rx displays all received packets, tx displays all transmitted packets, and all displays both transmitted and
received packets.
• packet_count is the maximum number of packets to log. You can enter a value between 1 and 65535 packets,
and the default value is 25 packets.
• display_size is the number of bytes to display when printing a packet. By default, the entire packet is displayed.
Note
To disable the debug facility, enter this command: debug packet logging disable.
Use these commands to configure packet-logging ACLs:
• debug packet logging acl driver rule_index action npu_encap port
where
• rule_index is a value between 1 and 6 (inclusive).
• action is permit, deny, or disable.
• npu_encap specifies the NPU encapsulation type, which determines how packets are filtered. The possible
values include dhcp, dot11-mgmt, dot11-probe, dot1x, eoip-ping, iapp, ip, lwapp, multicast, orphan-from-sta,
orphan-to-sta, rbcp, wired-guest, or any.
• port is the physical port for packet transmission or reception.
• debug packet logging acl eth rule_index action dst src type vlan
where
• rule_index is a value between 1 and 6 (inclusive).
• action is permit, deny, or disable.
• dst is the destination MAC address.
• src is the source MAC address.
• type is the two-byte type code (such as 0x800 for IP, 0x806 for ARP). This parameter also accepts a few common
string values such as “ip” (for 0x800) or “arp” (for 0x806).
• vlan is the two-byte VLAN ID.
• debug packet logging acl ip rule_index action src dst proto src_port dst_port
where
• proto is a numeric value or any string recognized by getprotobyname(). The controller supports the following strings:
ip, icmp, igmp, ggp, ipencap, st, tcp, egp, pup, udp, hmp, xns-idp, rdp, iso-tp4, xtp, ddp, idpr-cmtp, rspf, vmtp,
ospf, ipip, and encap.
• src_port is the UDP/TCP two-byte source port (for example, telnet, 23) or “any.” The controller accepts a
numeric or any string recognized by getservbyname(). The controller supports the following strings: tcpmux,
echo, discard, systat, daytime, netstat, qotd, msp, chargen, ftp-data, ftp, fsp, ssh, telnet, smtp, time, rlp,
nameserver, whois, re-mail-ck, domain, mtp, bootps, bootpc, tftp, gopher, rje, finger, www, link, kerberos,
supdup, hostnames, iso-tsap, csnet-ns, 3com-tsmux, rtelnet, pop-2, pop-3, sunrpc, auth, sftp, uucp-path, nntp,
ntp, netbios-ns, netbios-dgm, netbios-ssn, imap2, snmp, snmp-trap, cmip-man, cmip-agent, xdmcp, nextstep,
bgp, prospero, irc, smux, at-rtmp, at-nbp, at-echo, at-zis, qmtp, z3950, ipx, imap3, ulistserv, https, snpp, saft,
npmp-local, npmp-gui, and hmmp-ind.
• dst_port is the UDP/TCP two-byte destination port (for example, telnet, 23) or “any.” The controller accepts
a numeric or any string recognized by getservbyname(). The controller supports the same strings as those for
the src_port.
• debug packet logging acl eoip-eth rule_index action dst src type vlan
• debug packet logging acl eoip-ip rule_index action src dst proto src_port dst_port
• debug packet logging acl lwapp-dot11 rule_index action dst src bssid snap_type
where
• bssid is the Basic Service Set Identifier.
• snap_type is the Ethernet type.
• debug packet logging acl lwapp-ip rule_index action src dst proto src_port dst_port
Note
To remove all configured ACLs, enter this command: debug packet logging acl clear-all.
Step 2
To configure the format of the debug output, enter this command:
debug packet logging format {hex2pcap | text2pcap}
The debug facility supports two output formats: hex2pcap and text2pcap. The standard format used by IOS supports the
use of hex2pcap and can be decoded using an HTML front end. The text2pcap option is provided as an alternative so that
a sequence of packets can be decoded from the same console log file.
Figure 26: Sample Hex2pcap Output
This figure shows an example of hex2pcap output.
Figure 27: Sample Text2pcap Output
This figure shows an example of text2pcap output.
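The text2pcap format exists so that a saved console log can be turned back into a capture file. The following script is an added example (it is not part of this guide and not Cisco code) that does the conversion offline: it picks the hex-dump lines out of a console log and writes a classic pcap file that Wireshark opens directly. It assumes the layout text2pcap itself expects, a hex offset followed by hex bytes with a new packet starting at offset 0, and that every other console line can be skipped; the sample log, including the prompt and the "rx packet" banner lines, is constructed for the example.

```python
"""Convert a WLC console log captured with 'debug packet logging format text2pcap'
into a classic pcap file without needing Wireshark's text2pcap on the box.

Assumptions (not stated on the page): each logged packet is printed as hex-dump
lines '<hex offset> <hex bytes...>', a line at offset 0 starts a new packet, and
every other console line (prompts, banners, timestamps) can be ignored."""
import re
import struct

# One hex-dump line: a 4-8 digit hex offset followed by two-digit hex bytes.
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4,8})\s+((?:[0-9A-Fa-f]{2}\s*)+)$")

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # controller packets start with an Ethernet header


def parse_hexdump(log_text):
    """Return the packets (as bytes) found in a controller console log."""
    packets = []
    current = bytearray()
    for line in log_text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue                        # not a hex-dump line: skip it
        offset = int(m.group(1), 16)
        data = bytes.fromhex(re.sub(r"\s", "", m.group(2)))
        if offset == 0 and current:
            packets.append(bytes(current))  # offset 0 begins the next packet
            current = bytearray()
        if offset != len(current):
            raise ValueError(f"offset {offset:#x} does not continue a packet of {len(current)} bytes")
        current += data
    if current:
        packets.append(bytes(current))
    return packets


def ethertype(packet):
    """EtherType of a packet, read from bytes 12-13 of the Ethernet header."""
    return struct.unpack("!H", packet[12:14])[0]


def build_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Serialize packets into a pcap file image (global header + one record per packet)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for index, packet in enumerate(packets):
        # The console log carries no timestamps, so the packet index stands in for seconds;
        # incl_len == orig_len because we only have what the controller printed.
        out += struct.pack("<IIII", index, 0, len(packet), len(packet))
        out += packet
    return bytes(out)


# Constructed sample log (not real controller output): an ARP request from
# 10.22.8.133 for 10.22.8.1, then an ICMP echo request from 10.22.8.1 to 10.22.8.133.
SAMPLE_LOG = """\
(Cisco Controller) >debug packet logging enable rx 2
rx packet 1
000000 ff ff ff ff ff ff 00 1a 2b 3c 4d 5e 08 06 00 01
000010 08 00 06 04 00 01 00 1a 2b 3c 4d 5e 0a 16 08 85
000020 00 00 00 00 00 00 0a 16 08 01
rx packet 2
000000 00 1a 2b 3c 4d 5e 00 0c 29 aa bb cc 08 00 45 00
000010 00 1c 00 01 00 00 40 01 56 2f 0a 16 08 01 0a 16
000020 08 85 08 00 f7 fd 00 01 00 01
"""

if __name__ == "__main__":
    pkts = parse_hexdump(SAMPLE_LOG)
    with open("wlc-debug.pcap", "wb") as fh:
        fh.write(build_pcap(pkts))
    print(f"wrote {len(pkts)} packets; ethertypes {[hex(ethertype(p)) for p in pkts]}")
```

Run it as a script to write wlc-debug.pcap. The records carry synthetic timestamps because the controller prints none, so correlate packets with the console log by index; a packet cut short by display_size simply produces a shorter record.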
Step 3
To determine why packets might not be displayed, enter this command:
debug packet error {enable | disable}
Step 4
To display the status of packet debugging, enter this command:
show debug packet
Information similar to the following appears:
Status........................................... disabled
Number of packets to display..................... 25
Bytes/packet to display.......................... 0
Packet display format............................ text2pcap
Driver ACL:
[1]: disabled
[2]: disabled
[3]: disabled
[4]: disabled
[5]: disabled
[6]: disabled
Ethernet ACL:
[1]: disabled
[2]: disabled
[3]: disabled
[4]: disabled
[5]: disabled
[6]: disabled
IP ACL:
[1]: disabled
[2]: disabled
[3]: disabled
[4]: disabled
[5]: disabled
[6]: disabled
EoIP-Ethernet ACL:
[1]: disabled
[2]: disabled
[3]: disabled
[4]: disabled
[5]: disabled
[6]: disabled
EoIP-IP ACL:
[1]: disabled
[2]: disabled
[3]: disabled
[4]: disabled
[5]: disabled
[6]: disabled
LWAPP-Dot11 ACL:
[1]: disabled
[2]: disabled
[3]: disabled
[4]: disabled
[5]: disabled
[6]: disabled
LWAPP-IP ACL:
[1]: disabled
[2]: disabled
[3]: disabled
[4]: disabled
[5]: disabled
[6]: disabled
Configuring Wireless Sniffing
Wireless Sniffing
The controller enables you to configure an AP as a network sniffer, which captures and forwards all the packets
on a particular channel to a remote machine that runs packet analyzer software. These packets contain
information on time stamps, signal strength, packet sizes, and so on. Sniffers allow you to monitor and record
network activity and to detect problems.
For more information about wireless sniffing using Cisco APs in Sniffer mode, see https://www.cisco.com/
c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html#anc11.
This section contains the following subsections:
Prerequisites for Wireless Sniffing
To perform wireless sniffing, you need the following hardware and software:
• A dedicated access point—An access point configured as a sniffer cannot simultaneously provide wireless
access service on the network. To avoid disrupting coverage, use an access point that is not part of your
existing wireless network.
• A remote monitoring device—A computer capable of running the analyzer software.
• Software and supporting files, plug-ins, or adapters—Your analyzer software may require specialized
files before you can successfully enable
Restrictions on Wireless Sniffing
• Supported third-party network analyzer software applications are as follows:
• Wildpackets Omnipeek or Airopeek
• AirMagnet Enterprise Analyzer
• Wireshark
• Wireshark can decode the forwarded frames: choose Analyze > Decode As and set UDP port 5555 to decode
as PEEKREMOTE. The AP forwards every captured frame to the server IP address over UDP without encryption,
so the capture host must be reachable from the AP and should sit on a network you trust with the captured traffic.
• You must disable IP-MAC address binding in order to use an access point in sniffer mode if the access
point is joined to a Cisco WLC. To disable IP-MAC address binding, enter the config network
ip-mac-binding disable command in the controller CLI.
• You must enable WLAN 1 in order to use an access point in sniffer mode if the access point is joined to
a Cisco WLC. If WLAN 1 is disabled, the access point cannot send packets.
Configuring Sniffing on an Access Point (GUI)
Step 1
Choose Wireless > Access Points > All APs to open the All APs page.
Step 2
Click the name of the access point that you want to configure as the sniffer. The All APs > Details for page appears.
Step 3
From the AP Mode drop-down list, choose Sniffer.
Step 4
Click Apply.
Step 5
Click OK when prompted that the access point will be rebooted.
Step 6
Choose Wireless > Access Points > Radios > 802.11a/n (or 802.11b/g/n) to open the 802.11a/n/ac (or 802.11b/g/n)
Radios page.
Step 7
Hover your cursor over the blue drop-down arrow for the desired access point and choose Configure. The 802.11a/n/ac
(or 802.11b/g/n) Cisco APs > Configure page appears.
Step 8
Select the Sniff check box to enable sniffing on this access point, or leave it unselected to disable sniffing. The default
value is unchecked.
Step 9
If you enabled sniffing in Step 8, follow these steps:
a) From the Channel drop-down list, choose the channel on which the access point sniffs for packets.
b) In the Server IP Address text box, enter the IP address of the remote machine running Omnipeek, Airopeek,
AirMagnet, or Wireshark.
Step 10
Click Apply.
Step 11
Click Save Configuration.
Configuring Sniffing on an Access Point (CLI)
Step 1
Configure the access point as a sniffer by entering this command:
config ap mode sniffer Cisco_AP
where Cisco_AP is the access point configured as the sniffer.
Step 2
When warned that the access point will be rebooted and asked if you want to continue, enter Y. The access point reboots
in sniffer mode.
Step 3
Enable sniffing on the access point by entering this command:
config ap sniff {802.11a | 802.11b} enable channel server_IP_address Cisco_AP
where
• channel is the radio channel on which the access point sniffs for packets. The default values are 36 (802.11a/n) and
1 (802.11b/g/n).
• server_IP_address is the IP address of the remote machine running Omnipeek, Airopeek, AirMagnet, or Wireshark.
• Cisco_AP is the access point configured as the sniffer.
Note
To disable sniffing on the access point, enter the config ap sniff {802.11a | 802.11b} disable Cisco_AP
command.
Step 4
Save your changes by entering this command:
save config
Step 5
See the sniffer configuration settings for an access point by entering this command:
show ap config {802.11a | 802.11b} Cisco_AP
Troubleshooting Access Points Using Telnet or SSH
The controller supports the use of the Telnet and Secure Shell (SSH) protocols to troubleshoot Cisco APs.
Using these protocols makes debugging easier, especially when the AP is unable to join the controller.
Telnet carries the login credentials and the whole session in cleartext, so prefer SSH and enable Telnet only
when SSH is not available. Both are disabled by default; disable them again when troubleshooting is complete.
• Telnet is not supported on Cisco Wave 2 and 802.11ax APs.
Information About Troubleshooting Access Points Using Telnet or SSH
The controller supports the use of the Telnet and Secure Shell (SSH) protocols to troubleshoot lightweight
access points. Using these protocols makes debugging easier, especially when the access point is unable to
connect to the controller.
• To avoid potential conflicts and security threats to the network, the following commands are unavailable
while a Telnet or SSH session is enabled: config terminal, telnet, ssh, rsh, ping, traceroute, clear,
clock, crypto, delete, fsck, lwapp, mkdir, radius, release, reload, rename, renew, rmdir, save, set,
test, upgrade.
• Commands available during a Telnet or SSH session include debug, disable, enable, help, led, login,
logout, more, no debug, show, systat, undebug and where.
Note
For instructions on configuring Telnet or SSH sessions on the controller, see the
"Telnet and Secure Shell Sessions" section.
You can configure Telnet or SSH by using the controller CLI in software release 5.0 or later releases or using
the controller GUI in software release 6.0 or later releases.
Troubleshooting Access Points Using Telnet or SSH (GUI)
Step 1
Choose Wireless > Access Points > All APs to open the All APs page.
Step 2
Click the name of the access point for which you want to enable Telnet or SSH.
Step 3
Choose the Advanced tab to open the All APs > Details for (Advanced) page.
Step 4
Select the Telnet check box to enable Telnet connectivity on this access point. The default value is unchecked.
Step 5
Select the SSH check box to enable SSH connectivity on this access point. The default value is unchecked.
Step 6
Click Apply.
Step 7
Click Save Configuration.
Troubleshooting Access Points Using Telnet or SSH (CLI)
Step 1
Enable Telnet or SSH connectivity on an access point by entering this command:
config ap {telnet | ssh} enable Cisco_AP
The default value is disabled.
Note
To disable Telnet or SSH connectivity on an access point, enter this command: config ap {telnet | ssh}
disable Cisco_AP
Step 2
Save your changes by entering this command:
save config
Step 3
See whether Telnet or SSH is enabled on an access point by entering this command:
show ap config general Cisco_AP
Information similar to the following appears:
Cisco AP Identifier.............................. 5
Cisco AP Name.................................... AP33
Country code..................................... Multiple Countries:US,AE,AR,AT,AU,BH
Reg. Domain allowed by Country................... 802.11bg:-ABCENR 802.11a:-ABCEN
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A
Switch Port Number .............................. 2
MAC Address...................................... 00:19:2f:11:16:7a
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.22.8.133
IP NetMask....................................... 255.255.248.0
Gateway IP Addr.................................. 10.22.8.1
Domain...........................................
Name Server......................................
Telnet State..................................... Enabled
Ssh State........................................ Enabled
...
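Because Telnet and SSH stay enabled until someone turns them off, it is worth auditing the whole AP population rather than trusting that every troubleshooting session was cleaned up. The following added example (not from this guide and not Cisco code) parses the dotted-leader layout of the show output into a dictionary and flags APs whose Telnet or SSH state is enabled. The AP33 text is the output reproduced above; the second AP, the severity labels and the remediation commands it prints (built from the config ap {telnet | ssh} disable syntax in this section) are assumptions made for the example.

```python
"""Parse the dotted-leader output of controller 'show' commands and audit the
remote-CLI state of access points.

The parser is generic for the 'Label....... value' layout; the audit applies the
practitioner rule that Telnet (cleartext) must never stay enabled on an AP and
that SSH should be switched off again once troubleshooting is done.
Added example, not controller code."""
import re

# 'Label' padded with dots up to the value column; the value may be empty.
FIELD = re.compile(r"^(?P<label>.+?)\.{2,}\s*(?P<value>.*)$")


def parse_show_output(text):
    """Turn 'show ap config general'-style output into a {label: value} dict."""
    fields = {}
    for raw in text.splitlines():
        m = FIELD.match(raw.strip())
        if not m:
            continue                          # prompts, blank lines, '...' continuations
        label = m.group("label").strip(" .")
        if label:                             # a bare '...' line yields an empty label
            fields[label] = m.group("value").strip()
    return fields


def audit_ap_access(show_outputs):
    """Return (ap_name, severity, message) findings for every AP whose Telnet or SSH
    state is enabled. show_outputs maps an AP name to its 'show ap config general' text."""
    findings = []
    for ap, text in show_outputs.items():
        fields = parse_show_output(text)
        if fields.get("Telnet State", "").lower() == "enabled":
            findings.append((ap, "high",
                             f"Telnet enabled (cleartext); run: config ap telnet disable {ap}"))
        if fields.get("Ssh State", "").lower() == "enabled":
            findings.append((ap, "info",
                             f"SSH enabled; disable after troubleshooting: config ap ssh disable {ap}"))
    return findings


# The AP33 sample is the output shown in this section; AP-lab-2 is constructed.
SHOW_AP33 = """\
Cisco AP Identifier.............................. 5
Cisco AP Name.................................... AP33
Country code..................................... Multiple Countries:US,AE,AR,AT,AU,BH
Reg. Domain allowed by Country................... 802.11bg:-ABCENR 802.11a:-ABCEN
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A
Switch Port Number .............................. 2
MAC Address...................................... 00:19:2f:11:16:7a
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.22.8.133
IP NetMask....................................... 255.255.248.0
Gateway IP Addr.................................. 10.22.8.1
Domain...........................................
Name Server......................................
Telnet State..................................... Enabled
Ssh State........................................ Enabled
...
"""

SHOW_AP_LAB_2 = """\
Cisco AP Identifier.............................. 6
Cisco AP Name.................................... AP-lab-2
MAC Address...................................... 00:19:2f:11:16:7b
IP Address....................................... 10.22.8.134
Telnet State..................................... Disabled
Ssh State........................................ Disabled
"""

if __name__ == "__main__":
    for ap, severity, message in audit_ap_access({"AP33": SHOW_AP33, "AP-lab-2": SHOW_AP_LAB_2}):
        print(f"[{severity}] {ap}: {message}")
```

Feed it the output of show ap config general for each AP (for example, collected over SNMP or a scripted CLI session) and treat any "high" finding as a configuration drift to correct immediately.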
Debugging the Access Point Monitor Service
The controller sends access point status information to the Cisco 3300 Series Mobility Services Engine (MSE)
using the access point monitor service.
The MSE sends a service subscription and an access point monitor service request to get the status of all access
points currently known to the controller. When any change is made in the status of an access point, a notification
is sent to the MSE.
This section contains the following subsection:
Debugging Access Point Monitor Service Issues (CLI)
If you experience any problems with the access point monitor service, enter this command:
debug service ap-monitor {all | error | event | nmsp | packet} {enable | disable}
where
• all configures debugging of all access point status messages.
• error configures debugging of access point monitor error events.
• event configures debugging of access point monitor events.
• nmsp configures debugging of access point monitor NMSP events.
• packet configures debugging of access point monitor packets.
• enable enables the debug service ap-monitor mode.
• disable disables the debug service ap-monitor mode.
Troubleshooting Memory Leaks
To investigate the cause for low memory state, follow these steps:
Step 1
show memory statistics
Step 2
test system cat /proc/meminfo
Step 3
show system top
PID   USER  PR  NI  VIRT  RES   SHR  S  %CPU  %MEM  TIME+     COMMAND
1078  root  18   0  4488  888   756  S     0   0.1   0:00.00  gettyOrMwar
1081  root  20   0  980m  557m  24m  S     0  56.9  41:33.32  switchdrvr
In this example, the PID to focus on is 1081.
Step 4
test system cat /proc/1081/smaps
Step 5
show system timers ticks-exhausted
Timer Ticks ..................................... 3895180 ticks
(779036 seconds)
Here focus on the seconds value 779036.
Step 6
show memory allocations [all/<pid>] [all/<pool-size>] [<start_time>] [<end_time>]
Any allocations listed are probable memory-leak candidates. Check whether they are legitimate allocations that
were made before the low-memory condition began.
Troubleshooting OfficeExtend Access Points
This section provides troubleshooting information if you experience any problems with your OfficeExtend
access points.
For information about troubleshooting Cisco 600 Series OfficeExtend APs, see http://www.cisco.com/c/en/
us/support/docs/wireless/aironet-600-series-officeextend-access-point/
113003-office-extend-config-00.html#troubleshoot.
This section contains the following subsections:
Interpreting OfficeExtend LEDs
The LED patterns are different for 1130 series and 1140 series OfficeExtend access points. For a description
of the LED patterns, see the Cisco OfficeExtend Access Point Quick Start Guide at
http://www.cisco.com/c/en/us/products/wireless/index.html.
Positioning OfficeExtend Access Points for Optimal RF Coverage
When positioning your OfficeExtend access point, consider that its RF signals are emitted in a cone shape
spreading outward from the LED side of the access point. Mount the access point so that air can flow behind
the metal back plate, which prevents the access point from overheating.
Figure 28: OfficeExtend Access Point Radiation Patterns
Troubleshooting Common Problems with OfficeExtend Access Points
Most of the problems experienced with OfficeExtend access points are one of the following:
• The access point cannot join the controller because of network or firewall issues.
Resolution: Follow the instructions in the Viewing Access Point Join Information section to see join
statistics for the OfficeExtend access point, or find the access point’s public IP address and perform pings
of different packet sizes from inside the company.
• The access point joins but keeps dropping off. This behavior usually occurs because of network problems
or when the network address translation (NAT) or firewall ports close because of short timeouts.
Resolution: Ask the teleworker for the LED status.
• Clients cannot associate because of NAT issues.
Resolution: Ask the teleworker to perform a speed test and a ping test. Some servers do not return big
packet pings.
• Clients keep dropping data. This behavior usually occurs because the home router closes the port because
of short timeouts.
Resolution: Perform client troubleshooting in Cisco Prime Infrastructure to determine if the problem is
related to the OfficeExtend access point or the client.
• The access point is not broadcasting the enterprise WLAN.
Resolution: Ask the teleworker to check the cables, power supply, and LED status. If you still cannot
identify the problem, ask the teleworker to try the following:
• Connect to the home router directly and see if the PC is able to connect to an Internet website such
as https://www.cisco.com/. If the PC cannot connect to the Internet, check the router or modem. If
the PC can connect to the Internet, check the home router configuration to see if a firewall or
MAC-based filter is enabled that is blocking the access point from reaching the Internet.
• Log on to the home router and check to see if the access point has obtained an IP address. If it has,
the access point’s LED normally blinks orange.
• The access point cannot join the controller, and you cannot identify the problem.
Resolution: A problem could exist with the home router. Ask the teleworker to check the router manual
and try the following:
• Assign the access point a static IP address based on the access point’s MAC address.
• Put the access point in a demilitarized zone (DMZ), which is a small network inserted as a neutral
zone between a company’s private network and the outside public network. It prevents outside users
from getting direct access to a server that has company data.
• If problems still occur, contact your company’s IT department for assistance.
• The teleworker experiences problems while configuring a personal SSID on the access point.
Resolution: Clear the access point configuration and return it to factory default settings by clicking Clear
Config on the access point GUI or by entering the clear ap config Cisco_AP command and then
configuring a personal SSID on an OfficeExtend Access Point. If problems still occur, contact your
company’s IT department for assistance.
• The home network needs to be rebooted.
Resolution: Ask the teleworker to follow these steps:
Leave all devices networked and connected, and then power down all the devices.
Turn on the cable or DSL modem, and then wait for 2 minutes. (Check the LED status.)
Turn on the home router, and then wait for 2 minutes. (Check the LED status.)
Turn on the access point, and then wait for 5 minutes. (Check the LED status.)
Turn on the client.
PART II
Ports and Interfaces
• Overview of Ports and Interfaces, on page 295
• Configuring the Management Interface, on page 303
• Configuring the AP-Manager Interface, on page 309
• Configuring Virtual Interfaces, on page 315
• Configuring Service-Port Interfaces, on page 317
• Configuring Dynamic Interfaces, on page 321
• Configuring Ports (GUI), on page 327
• Configuring Link Aggregation, on page 329
• Configuring Multiple AP-Manager Interfaces, on page 335
• Configuring VLAN Select, on page 339
• Configuring Interface Groups, on page 343
• Configuring Multicast Optimization, on page 347
CHAPTER 26
Overview of Ports and Interfaces
Three concepts are key to understanding how controllers connect to a wireless network: ports, interfaces, and
WLANs.
• Ports, on page 295
• Distribution System Ports, on page 296
• Interfaces, on page 298
• Dynamic AP Management, on page 299
• WLANs, on page 299
Ports
A port is a physical entity that is used for connections on the controller platform. Controllers have two types
of ports:
• Distribution system ports
• Service port
Figure 29: Ports on the Cisco 5508 Wireless Controllers
1 Redundant port (RJ-45)
2 Service port (RJ-45)
3 Console port (RJ-45)
4 USB ports 0 and 1 (Type A)
5 Console port (Mini USB Type B)
6 SFP distribution system ports 1–8
7 Management port LEDs
8 SFP distribution port Link and Activity LEDs
9 Power supply (PS1 and PS2), System (SYS), and Alarm (ALM) LEDs
10 Expansion module slot
Note
You can use only one console port (either RJ-45 or mini USB). When you connect to one console port, the
other is disabled.
For more information about Cisco Unified Wireless Network Protocol and Port Matrix, see
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html.
Note
For a comparison of ports in different controllers, see https://www.cisco.com/c/en/us/products/wireless/
wireless-lan-controller/product-comparison.html.
This section contains the following subsections:
Distribution System Ports
A distribution system port connects the controller to a neighbor switch and serves as the data path between
these two devices.
Restrictions for Configuring Distribution System Ports
• Each distribution system port is, by default, an 802.1Q VLAN trunk port. The VLAN trunking
characteristics of the port are not configurable.
Note
Some controllers support link aggregation (LAG), which bundles all of the
controller’s distribution system ports into a single 802.3ad port channel. Cisco
5508 Wireless Controllers support LAG, and LAG is enabled automatically on
the controllers within the Cisco WiSM2.
• Controller configuration in access mode is not supported. We recommend that you configure controllers
in trunk mode when you configure controller ports on a switch.
• If an IPv6 packet is destined to controller management IPv6 address and the client VLAN is different
from the controller management VLAN, then the IPv6 packet is switched out of the controller box. If
the same IPv6 packet comes as a network packet to the controller, management access is not denied.
Service Port
The service port can be used for management purposes, primarily out-of-band management. AP management
traffic is not possible across the service port. In most cases, the service port is used as a "last resort" means
of accessing the controller GUI for management purposes, for example, when the distribution system ports
on the controller are down or their communication to the wired network is otherwise degraded.
The service port is controlled by the service-port interface and is reserved for out-of-band management of the
controller and system recovery and maintenance in the event of a network failure. It is also the only port that
is active when the controller is in boot mode. The service port is not capable of carrying 802.1Q tags, so it
must be connected to an access port on the neighbor switch. Use of the service port is optional.
Service ports are not intended for high volume of traffic. We recommend that you use the management interface
through the system distribution ports (dedicated or LAG).
Service ports can be used for SNMP polling.
Note
The service port is not auto-sensing. You must use the correct straight-through or crossover Ethernet cable
to communicate with the service port.
Caution
Do not configure wired clients in the same VLAN or subnet as the service port of the controller. If you
configure wired clients on the same subnet or VLAN as the service port, it is not possible to access the
management interface of the controller. We recommend that you place the service port in a VLAN or a subnet
that is dedicated to out-of-band management.
Note
For Cisco 5520 and 8540 Wireless Controllers, disabling the administrative mode of the port does not
physically disable the port. Only the packets are blocked, which is why a switchover does not happen.
For information about service ports in the applicable controllers, see the respective controller documentation:
• Cisco 3504 Wireless Controller Deployment Guide
• Cisco 5508 Wireless Controller Installation Guide
• Cisco WiSM2 Deployment Guide
• Cisco Flex 7510 Wireless Controller Deployment Guide
• Cisco 5520 Wireless Controller Deployment Guide
• Cisco 8510 Wireless Controller Installation Guide
• Cisco 8540 Wireless Controller Deployment Guide
Interfaces
An interface is a logical entity on the controller. An interface has multiple parameters associated with it,
including an IP address, default gateway (for the IP subnet), primary physical port, secondary physical port,
VLAN identifier, and DHCP server.
These five types of interfaces are available on the controller. Four of these are static and are configured at
setup time:
Note
An interface that is static means that at least one must exist in the controller and cannot be deleted. However,
you can choose to modify the parameters for these interfaces after the initial setup.
• Management interface (static and configured at setup time; mandatory)
• AP-manager interface (static and configured at setup time; mandatory)
Note
You are not required to configure an AP-manager interface on Cisco 5508 and
later controller models explicitly because this function can be enabled by default
on the management interface itself.
• Virtual interface (static and configured at setup time; mandatory)
• Service-port interface (static and configured at setup time; optional)
• Dynamic interface (user-defined)
Note
Typically, you define the management, AP-manager, virtual, and service-port interface parameters using the
Startup Wizard. However, you can display and configure interface parameters through either the GUI or CLI
after the controller is running.
When LAG is disabled, each interface is mapped to at least one primary port, and some interfaces (management
and dynamic) can be mapped to an optional secondary (or backup) port. If the primary port for an interface
fails, the interface automatically moves to the backup port. In addition, multiple interfaces can be mapped to
a single controller port.
The Cisco 5508 and later controller models mark packets greater than 1500 bytes as long. However, the
packets are not dropped. The workaround for this is to configure the MTU on a switch to less than 1500 bytes.
Note
Interfaces that are quarantined are not displayed on the Controller > Interfaces page. For example, if there
are 6 interfaces and one of them is quarantined, the quarantined interface is not displayed and the details of
the other 5 interfaces are displayed on the GUI. You can get the total number of interfaces that is inclusive
of quarantined interfaces through the count displayed on the top-right corner of the GUI.
This section contains the following subsections:
Restrictions for Configuring Interfaces
• Each physical port on the wireless controller can have only one AP-manager configured with it. For the
Cisco 5508 controllers, the management interface with AP-management enabled cannot fail over to the
backup port, which is primary for the AP-manager on the management or dynamic VLAN interface.
• Cisco 5508 controllers do not support fragmented pings on any interface.
• When the port comes up in VMware ESXi with configuration for NIC teaming, the vWLC may lose
connectivity. However, the Cisco vWLC resumes connectivity after a while.
• IPv4 address needs to be configured on the interface prior to configuring the IPv6 address.
Dynamic AP Management
A dynamic interface is created as a WLAN interface by default. However, any dynamic interface can be
configured as an AP-manager interface, with one AP-manager interface allowed per physical port. A dynamic
interface with the Dynamic AP Management option enabled is used as the tunnel source for packets from the
controller to the access point and as the destination for CAPWAP packets from the access point to the controller.
Note
If link aggregation (LAG) is enabled, there can be only one AP-manager interface.
WLANs
A WLAN associates a service set identifier (SSID) to an interface or an interface group. It is configured with
security, quality of service (QoS), radio policies, and other wireless network parameters. Up to 512 WLANs
can be configured per controller.
Figure 30: Relationship between Ports, Interfaces, and WLANs
Each controller port connection is an 802.1Q trunk and should be configured as such on the neighbor switch.
On Cisco switches, the native VLAN of an 802.1Q trunk is an untagged VLAN. If you configure an interface
to use the native VLAN on a neighboring Cisco switch, make sure you configure the interface on the controller
to be untagged.
Note
A zero value for the VLAN identifier (on the Controller > Interfaces page) means that the interface is
untagged.
The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are configured
as tagged (meaning that the VLAN identifier is set to a nonzero value), the VLAN must be allowed on the
802.1Q trunk configuration on the neighbor switch and not be the native untagged VLAN.
We recommend that tagged VLANs be used on the controller. You should also allow only relevant VLANs
on the neighbor switch’s 802.1Q trunk connections to controller ports. All other VLANs should be disallowed
or pruned in the switch port trunk configuration. This practice is extremely important for optimal performance
of the controller.
Note
We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management
interfaces to ensure that controllers properly route VLAN traffic.
CHAPTER 27
Configuring the Management Interface
• Management Interface, on page 303
• Configuring the Management Interface (GUI), on page 304
• Configuring the Management Interface (CLI), on page 305
Management Interface
The management interface is the default interface for in-band management of the controller and connectivity
to enterprise services such as AAA servers. It is also used for communications between the controller and
access points, for all CAPWAP or intercontroller mobility messaging and tunneling traffic. You can access
the GUI of the controller by entering the management interface IP address of the controller in the address
field of your browser. The AP management is enabled by default on the management interface.
For CAPWAP, the controller requires one management interface to control all inter-controller communications
and one AP-manager interface to control all controller-to-access point communications, regardless of the
number of ports.
Caution
To prevent or block a wired or wireless client from accessing the management network on a controller (from
the wireless client dynamic interface or VLAN), the network administrator should ensure that only authorized
clients gain access to the management network through proper CPU ACLs, or use a firewall between the client
dynamic interface and the management network.
Note
Do not map a guest WLAN to the management interface. If the EoIP tunnel breaks, the client could obtain
an IP and be placed on the management subnet.
In a High Availability environment with Release 8.0 or a later release, ensure that the management interface
and the redundancy management interface (RMI) are tagged for the HA-SSO to work as expected.
This section contains the following subsections:
Configuring the Management Interface (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Step 2
Click the management link.
The Interfaces > Edit page appears.
Step 3
Set the management interface parameters:
Note
The management interface uses the controller’s factory-set distribution system MAC address.
• Quarantine and quarantine VLAN ID, if applicable
• NAT address (only Cisco 2504 and 5508 controllers are configured for dynamic AP management.)
Note
Check the Enable NAT Address check box and enter the external NAT IP address if you want to be able
to deploy your Cisco 2504 and 5508 controllers behind a router or other gateway device that is using
one-to-one mapping network address translation (NAT). NAT allows a device, such as a router, to act as
an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s
intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface
must be configured with the external NAT IP address so that the controller can send the correct IP address
in the Discovery Response.
Note
If a Cisco 2504 or 5508 controller is configured with an external NAT IP address under the management
interface, the APs in local mode cannot associate with the controller. The workaround is to either ensure
that the management interface has a globally valid IP address or ensure that external NAT IP address is
valid internally for the local APs.
Note
The NAT parameters are supported for use only with one-to-one-mapping NAT, where each private client
has a direct and fixed mapping to a global address. The NAT parameters do not support one-to-many
NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
• VLAN identifier
Note
Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged
VLANs for the management interface.
• Configuring Management Interface using IPv4— Fixed IP address, IP netmask, and default gateway.
• Configuring Management Interface using IPv6—Fixed IPv6 address, prefix-length (interface subnet mask for
IPv6) and the link local address of the IPv6 gateway router.
• In a setup where IPv6 is used, we recommend the APs to be at least one hop away from the controller.
As the IPv6 packets are always sent to the Gateway, if the AP and controller are in the same subnet,
it increases the packet hops and impacts the performance.
Note
• Once the primary IPv6 Address, prefix length, and primary IPv6 gateway are configured on the
management interface, they cannot be changed back to default values (:: /128).
• In a setup where IPv6 CAPWAP is used, we recommend that the APs are at least 1 hop away from
the controller because all IPv6 traffic is first forwarded to the gateway.
• A configuration backup must be carried out before configuring IPv6 in case the user wants to revert
back to IPv4 only management interface.
• When more than 1300 IPv6 APs are in use, on a single Catalyst 6000 Switch, then assign APs on
multiple VLANs.
• Dynamic AP management (for Cisco 2504 or 5508 controllers only)
Note
For Cisco 5508 controllers, the dynamic AP management parameter is enabled by default. If needed, this
function can be disabled on the management interface and enabled for another dynamic interface.
• Physical port assignment (for all controllers except the Cisco 2504 or 5508 controllers)
• Primary and secondary DHCP servers
• Access control list (ACL) setting, if required
Step 4
Click Save Configuration.
Step 5
If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Configuring the Management Interface (CLI)
Step 1
Enter the show interface detailed management command to view the current management interface settings.
Note
The management interface uses the controller’s factory-set distribution system MAC address.
Note
This command output shows the port MAC address.
Step 2
Enter the config wlan disable wlan-number command to disable each WLAN that uses the management interface for
distribution system communication.
Step 3
Enter these commands to define the management interface:
a) Using IPv4 Address
• config interface address management ip-addr ip-netmask gateway
• config interface quarantine vlan management vlan_id
Note
Use the config interface quarantine vlan management vlan_id command to configure a quarantine
VLAN on the management interface.
• config interface vlan management {vlan-id | 0}
Note
Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged
VLANs for the management interface.
• config interface ap-manager management {enable | disable}
Note
Use the config interface ap-manager management {enable | disable} command to enable or disable
dynamic AP management for the management interface. For Cisco 5508 controllers, the management
interface acts like an AP-manager interface by default. If required, you can disable the management
interface as an AP-manager interface and create another dynamic interface as an AP manager.
• config interface port management primary-port [secondary-port] (for all controllers except the 5508 controller)
• config interface dhcp management ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
• config interface acl management access-control-list-name
b) Using IPv6 Address
Note
We recommend that the APs be at least one hop away from the controller. Because IPv6 packets are always
sent to the gateway, if the AP and controller are in the same subnet, the packet hop count increases and
performance is impacted.
• config ipv6 interface address management primary ip-address prefix-length IPv6_Gateway_Address
Note
Once the Primary IPv6 Address, Prefix Length, and Primary IPv6 Gateway are configured on the
management interface, they cannot be changed back to default values (:: /128). A configuration backup
must be carried out before configuring IPv6 in case the user wants to revert back to IPv4 only
management interface.
• config interface quarantine vlan management vlan_id
Note
Use the config interface quarantine vlan management vlan_id command to configure a quarantine
VLAN on the management interface.
• config interface vlan management {vlan-id | 0}
Note
Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged
VLANs for the management interface.
• config interface ap-manager management {enable | disable}
Note
Use the config interface ap-manager management {enable | disable} command to enable or disable
dynamic AP management for the management interface. For Cisco 5508 WLCs, the management
interface acts like an AP-manager interface by default. If desired, you can disable the management
interface as an AP-manager interface and create another dynamic interface as an AP manager.
• config interface port management physical-ds-port-number (for all controllers except the 5508 WLC)
• config interface dhcp management ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
• config ipv6 interface acl management access-control-list-name
Step 4
Enter these commands if you want to be able to deploy your controller behind a router or other gateway device that is
using one-to-one mapping network address translation (NAT):
• config interface nat-address management {enable | disable}
• config interface nat-address management set public_IP_address
NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In
this case, it maps the controller's intranet IP addresses to a corresponding external address. The controller’s dynamic
AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct
IP address in the Discovery Response.
Note
These commands are supported for use only with one-to-one-mapping NAT, where each private client has a
direct and fixed mapping to a global address. These commands do not support one-to-many NAT, which uses
source port mapping to enable a group of clients to be represented by a single IP address.
Step 5
Enter the save config command.
Step 6
Enter the show interface detailed management command to verify that your changes have been saved.
Step 7
If you made any changes to the management interface, enter the reset system command to reboot the controller in order
for the changes to take effect.
CHAPTER 28
Configuring the AP-Manager Interface
• AP-Manager Interface, on page 309
• Restrictions for Configuring AP Manager Interface, on page 309
• Configuring the AP-Manager Interface (GUI), on page 310
• Configuring the AP Manager Interface (CLI), on page 311
• Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller, on page 311
AP-Manager Interface
A controller configured with IPv4 has one or more AP-manager interfaces, which are used for all Layer 3
communications between the controller and lightweight access points after the access points have joined the
controller. The AP-manager IP address is used as the tunnel source for CAPWAP packets from the controller
to the access point and as the destination for CAPWAP packets from the access point to the controller.
Note
A controller configured with IPv6 has only one AP-manager, which is on the management interface. You
cannot remove the AP-manager configured on the management interface.
Note
The controller does not support jumbo frames. To avoid having the controller transmit CAPWAP packets to
the AP that will necessitate fragmentation and reassembly, reduce MTU/MSS on the client side.
A controller configured with IPv6 does not support Dynamic AP-Manager. By default, the management
interface acts like an AP-manager interface. Link Aggregation (LAG) is used for IPv6 AP load balancing.
This section contains the following subsections:
Restrictions for Configuring AP Manager Interface
• For IPv4—The MAC address of the management interface and the AP-manager interface is the same as
the base LAG MAC address.
• An AP-manager interface is not required to be configured. The management interface acts like an
AP-manager interface by default, and the access points can join on this interface.
• If link aggregation (LAG) is enabled, there can be only one AP-manager interface. But when LAG is
disabled, one or more AP-manager interfaces can be created, generally one per physical port.
• When LAG is enabled—Supports only one AP Manager, which can either be on the management
or dynamic interface with AP management.
• When LAG is disabled—Supports one AP Manager per port. The Dynamic Interface tied to a VLAN
can act as an AP Manager (when enabled).
Note
When you enable LAG, all ports lose their AP Manager status and AP management reverts
to the management interface.
• Port redundancy for the AP-manager interface is not supported. You cannot map the AP-manager interface
to a backup port.
• It is not possible to have APs and a non-AP-manager interface on the same VLAN. If they are in the
same VLAN, the controller will move the traffic up on the incorrect VLAN as the controller gets the
CAPWAP discovery on the non-AP-manager interface.
Configuring the AP-Manager Interface (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Step 2
Click AP-Manager Interface.
The Interface > Edit page is displayed.
Note
For IPv6 only—A controller configured with IPv6 address does not support Dynamic AP-Manager. By default,
the management interface acts like an AP-manager interface.
Step 3
Set the AP-Manager Interface parameters:
Note
For Cisco 5508 WLCs, you are not required to configure an AP-manager interface. The management interface
acts like an AP-manager interface by default.
• Physical port assignment
• VLAN identifier
Note
Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged
VLANs for the AP-manager interface.
Note
The gig/wired subinterface is numbered with the VLAN number, and the dot11 subinterface is numbered with
the WLAN ID. The first configured WLAN becomes dot11 0.1 and dot11 1.1, the second WLAN becomes
dot11 0.2 and dot11 1.2, and so on. The dot11 subinterface number cannot be mapped to a VLAN ID because
multiple WLANs can be assigned the same VLAN number, and duplicate subinterfaces cannot be created in
the system. The native subinterface on the wired interface is the AP native VLAN configuration if VLAN
support is enabled in FlexConnect mode; otherwise the native interface is always the gig prime interface on
the AP (Local mode, or FlexConnect with no VLAN support).
• Fixed IP address, IP netmask, and default gateway
• Primary and secondary DHCP servers
• Access control list (ACL) name, if required
Step 4
Click Save Configuration to save your changes.
Step 5
If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Configuring the AP Manager Interface (CLI)
Before you begin
For Cisco 5508 WLCs, you are not required to configure an AP-manager interface. The management interface
acts like an AP-manager interface by default.
A controller configured with IPv6 address does not support Dynamic AP-Manager. The management interface
acts like an AP-manager interface by default.
Step 1
Enter the show interface summary command to view the current interfaces.
Step 2
Enter the show interface detailed interface-name command to view the current AP-manager interface settings.
Step 3
Enter the config wlan disable wlan-id command to disable each WLAN that uses the AP-manager interface for distribution
system communication.
Step 4
Enter these commands to define the AP-manager interface:
• config interface address management ip-addr ip-netmask gateway
• config interface vlan management {vlan-id | 0}
Note
Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged
VLANs for the AP-manager interface.
• config interface port management physical-ds-port-number
• config interface dhcp management ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
• config interface acl management access-control-list-name
Step 5
Enter the save config command to save your changes.
Step 6
Enter the show interface detailed interface-name command to verify that your changes have been saved.
Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller
For a Cisco 5508 WLC, we recommend that you have eight dynamic AP-manager interfaces and associate
them to the eight Gigabit ports of the controller when LAG is not used. If you are using the management
interface, which acts like an AP-manager interface by default, you must create only seven more dynamic
AP-manager interfaces and associate them to the remaining seven Gigabit ports.
Note
For IPv6 only—A controller configured with IPv6 address does not support Dynamic AP-Manager. By default,
the management interface acts like an AP-manager interface. Use LAG for IPv6 AP load balancing.
Figure 31: Dynamic Interface Example with Dynamic AP Management
This figure shows a dynamic interface that is enabled as a dynamic AP-manager interface and associated to
port number 2.
Figure 32: Cisco 5508 WLC Interface Configuration Example
This figure shows a Cisco 5508 WLC with LAG disabled, the management interface used as one dynamic
AP-manager interface, and seven additional dynamic AP-manager interfaces, each mapped to a different
Gigabit port.
CHAPTER 29
Configuring Virtual Interfaces
• Virtual Interface, on page 315
• Configuring Virtual Interfaces (GUI), on page 316
• Configuring Virtual Interfaces (CLI), on page 316
Virtual Interface
The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol (DHCP)
relay, and embedded Layer 3 security such as guest web authentication. It also maintains the DNS gateway
host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3
web authorization is enabled.
Specifically, the virtual interface plays these two primary roles:
• Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.
• Serves as the redirect address for the web authentication login page.
The virtual interface IP address is used only in communications between the controller and wireless clients.
It never appears as the source or destination address of a packet that goes out a distribution system port and
onto the switched network. For the system to operate correctly, the virtual interface IP address must be set (it
cannot be 0.0.0.0), and no other device on the network can have the same address as the virtual interface.
Therefore, the virtual interface must be configured with an unassigned and unused gateway IP address. The
virtual interface IP address is not pingable and should not exist in any routing table in your network. In addition,
the virtual interface cannot be mapped to a physical port.
We recommend that you configure a non-routable IP address for the virtual interface, ideally one that does
not overlap with your network infrastructure addresses or with external addresses. Use one of the ranges
reserved by RFC 5737, for example, the 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 networks. This
avoids using an IP address that is assigned to another device or system.
Restrictions
• All controllers within a mobility group must be configured with the same virtual interface IP address.
Otherwise, inter-controller roaming may appear to work, but the handoff does not complete, and the
client loses connectivity for a period of time.
This section contains the following subsections:
Configuring Virtual Interfaces (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Step 2
Click Virtual.
The Interfaces > Edit page appears.
Step 3
Enter the following parameters:
• Any valid, unassigned, and unused gateway IP address
• DNS gateway hostname
Note
To ensure connectivity and web authentication, the DNS server should always point to the virtual interface.
If a DNS hostname is configured for the virtual interface, then the same DNS host name must be configured
on the DNS server(s) used by the client.
Step 4
Click Save Configuration.
Step 5
If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Configuring Virtual Interfaces (CLI)
Step 1
Enter the show interface detailed virtual command to view the current virtual interface settings.
Step 2
Enter the config wlan disable wlan-number command to disable each WLAN that uses the virtual interface for distribution
system communication.
Step 3
Enter these commands to define the virtual interface:
• config interface address virtual ip-address
Note
For ip-address, enter a valid, unassigned, and unused gateway IP address.
• config interface hostname virtual dns-host-name
Step 4
Enter the reset system command. At the confirmation prompt, enter Y to save your configuration changes to NVRAM.
The controller reboots.
Step 5
Enter the show interface detailed virtual command to verify that your changes have been saved.
CHAPTER 30
Configuring Service-Port Interfaces
• Service-Port Interfaces, on page 317
• Restrictions on Configuring Service-Port Interfaces, on page 318
• Configuring Service-Port Interfaces Using IPv4 (GUI), on page 318
• Configuring Service-Port Interfaces Using IPv4 (CLI), on page 318
• Configuring Service-Port Interface Using IPv6 (GUI), on page 319
• Configuring Service-Port Interfaces Using IPv6 (CLI), on page 320
Service-Port Interfaces
The service-port interface controls communications through and is statically mapped by the system to the
service port. The service port can be used for out-of-band management.
The service port can obtain an IPv4 address using DHCP, or it can be assigned a static IPv4 address, but a
default gateway cannot be assigned to the service-port interface. Static IPv4 routes can be defined through
the controller for remote network access to the service port.
If the service port is in use, the management interface must be on a different supernet from the service-port
interface.
Similarly, the service port can be statically assigned an IPv6 address or select an IPv6 address using Stateless
Address Auto-Configuration (SLAAC). The default gateway cannot be assigned to the service-port interface.
Static IPv6 routes can be defined through the controller for remote network access to the service port.
Note
This is the only SLAAC interface on the controller; all other interfaces must be statically assigned (just like
for IPv4).
Note
IPv6 static routes are not required to reach the service port from the same network, but they are required to
reach the service port from a different network. IPv6 static routes work the same way as IPv4 static routes.
The service-port interface supports the following protocols:
• SSH and Telnet
• HTTP and HTTPS
• SNMP
• FTP, TFTP, and SFTP
• Syslog
• ICMP (ping)
• NTP
Note
TACACS+ and RADIUS are not supported through the service port.
This section contains the following subsections:
Restrictions on Configuring Service-Port Interfaces
• Only Cisco Flex 7510 and Cisco 5508 WLCs have a physical service-port interface that is reachable
from the external network.
• You must not use the service-port for continuous SNMP polling and management functions except when
the management interface of the controller is unreachable.
Configuring Service-Port Interfaces Using IPv4 (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Step 2
Click the service-port link to open the Interfaces > Edit page.
Step 3
Enter the Service-Port Interface parameters:
Note
The service-port interface uses the controller’s factory-set service-port MAC address.
• DHCP protocol (enabled)
• DHCP protocol (disabled) and IP address and IP netmask
Step 4
Click Save Configuration to save your changes.
Step 5
If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Configuring Service-Port Interfaces Using IPv4 (CLI)
Step 1
To view the current service-port interface settings, enter this command:
show interface detailed service-port
Note
The service-port interface uses the controller’s factory-set service-port MAC address.
Step 2
Enter these commands to define the service-port interface:
• To configure the DHCP server, enter this command:
config interface dhcp service-port enable
• To disable the DHCP server, enter this command:
config interface dhcp service-port disable
• To configure the IPv4 address, enter this command:
config interface address service-port ip-addr ip-netmask
The service port is used for out-of-band management of the controller. If the management workstation is in a remote
subnet, you may need to add an IPv4 route on the controller in order to manage the controller from that remote workstation.
To do so, enter this command:
config route add network-ip-addr ip-netmask gateway
To remove the IPv4 route on the controller, enter this command:
config route delete ip_address
Caution
Communication through the management interface might not work as expected if the subnet that is added to the static
route overlaps with other infrastructure or devices.
Step 3
Enter the save config command to save your changes.
Step 4
Enter the show interface detailed service-port command to verify that your changes have been saved.
Configuring Service-Port Interface Using IPv6 (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Step 2
Click the service-port link to open the Interfaces > Edit page.
Step 3
Enter the Service-Port Interface parameters:
Note
The service-port interface uses the controller’s factory-set service-port MAC address. The service port can be
statically assigned an address or select an address using SLAAC.
• SLAAC (enabled)
• SLAAC (disabled) and Primary Address and Prefix Length
Step 4
Click Save Configuration to save your changes.
Step 5
If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Configuring Service-Port Interfaces Using IPv6 (CLI)
Step 1
To view the current service-port interface settings, enter this command:
show interface detailed service-port
Note
The service-port interface uses the controller’s factory-set service-port MAC address.
Step 2
Enter these commands to define the service-port interface:
• To configure the service port using SLAAC, enter this command:
config ipv6 interface slaac service-port enable
• To disable the service port from using SLAAC, enter this command:
config ipv6 interface slaac service-port disable
• To configure the IPv6 address, enter this command:
config ipv6 interface address service-port ipv6_address prefix-length
Step 3
The service port is used for out-of-band management of the controller. If the management workstation is in a remote
subnet, you may need to add a route on the controller in order to manage the controller from that remote workstation. To
do so, enter this command:
config ipv6 route add network_ipv6_addr prefix-len ipv6_gw_addr
Step 4
To remove the IPv6 route on the controller, enter this command:
config ipv6 route delete network_ipv6_addr
Step 5
Enter the save config command to save your changes.
Step 6
Enter the show interface detailed service-port command to verify that your changes have been saved.
CHAPTER 31
Configuring Dynamic Interfaces
• Dynamic Interface, on page 321
• Prerequisites for Configuring Dynamic Interfaces, on page 322
• Restrictions for Configuring Dynamic Interfaces, on page 322
• Configuring Dynamic Interfaces (GUI), on page 322
• Configuring Dynamic Interfaces (CLI), on page 323
Dynamic Interface
Dynamic interfaces are created by users and designed to be analogous to VLANs for wireless LAN clients.
In a LAG setup, the dynamic interface on a controller is conceptually analogous to an SVI on a switch or
router associated with a single VLAN and single subnet, although the controller does not have any routing
capabilities. A controller can support up to 512 dynamic interfaces (VLANs). Each dynamic interface is
individually configured and allows separate communication streams to exist on any or all of a controller’s
distribution system ports. A dynamic interface is a Layer 3 interface on the controller to map a WLAN to a
particular VLAN and subnet. If DHCP relay is enabled on the controller, then the applicable dynamic interface
is used as the relay address. The dynamic interface will also be the interface through which network
communication to and from the controller will occur if the destination address is in the same subnet assigned
to a dynamic interface. Alternatively, a dynamic interface can also be configured as an AP management
interface as well, in place of the default management interface on a separate port in a non-LAG setup. You
can assign dynamic interfaces to distribution system ports, WLANs, the Layer 2 management interface, and
the Layer 3 AP-manager interface, and you can map the dynamic interface to a backup port.
Management traffic such as Telnet or SSH, HTTP or HTTPS, and so on, can use a dynamic interface as their
destination address if management by dynamic interface option is enabled.
You can configure zero, one, or multiple dynamic interfaces on a distribution system port. However, all
dynamic interfaces must be on a different VLAN or IP subnet from all other interfaces configured on the port.
If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other interface
configured on the port.
For information about the maximum number of VLANs supported on a controller platform, see the respective
controller platform's datasheet.
Note
You must not configure a dynamic interface in the same network as that of Local Mobility Anchor (LMA).
If you do so, the GRE tunnel between the controller and LMA does not come up.
Prerequisites for Configuring Dynamic Interfaces
When configuring a dynamic interface on the controller, ensure the following:
• You must use tagged VLANs for dynamic interfaces.
Restrictions for Configuring Dynamic Interfaces
The following restrictions apply for configuring the dynamic interfaces on the controller:
• Wired clients cannot access the management interface of the Cisco WLC 2500 series using the IP address
of the AP-manager interface.
• For SNMP requests that come from a subnet that is configured as a dynamic interface, the controller
responds but the response does not reach the device that initiated the conversation.
• If you are using DHCP proxy and/or a RADIUS source interface, ensure that the dynamic interface has
a valid routable address. Duplicate or overlapping addresses across controller interfaces are not supported.
• You must not use ap-manager as the interface name while configuring dynamic interfaces as
ap-manager is a reserved name.
Configuring Dynamic Interfaces (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Step 2
Perform one of the following:
• To create a new dynamic interface, click New. The Interfaces > New page appears. Go to Step 3.
• To modify the settings of an existing dynamic interface, click the name of the interface. The Interfaces > Edit page
for that interface appears. Go to Step 5.
• To delete an existing dynamic interface, hover your cursor over the blue drop-down arrow for the desired interface
and choose Remove.
Step 3
Enter an interface name and a VLAN ID.
Note
You cannot enter ap-manager as the interface name while configuring a dynamic interface as ap-manager
is a reserved name.
Step 4
Click Apply to commit your changes. The Interfaces > Edit page is displayed.
Step 5
Configure the following parameters:
• Guest LAN, if applicable
• Quarantine and quarantine VLAN ID, if applicable
Note
Select the Quarantine check box if you want to configure this VLAN as unhealthy or you want to configure
network access control (NAC) out-of-band integration. Doing so causes the data traffic of any client that
is assigned to this VLAN to pass through the controller.
• Physical port assignment (for all controllers except the Cisco 5508 controller)
• NAT address (only for Cisco 5508 controllers configured for dynamic AP management)
Note
Check the Enable NAT Address check box and enter the external NAT IP address if you want to be able
to deploy your controller behind a router or other gateway device that is using one-to-one mapping network
address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet
(public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a
corresponding external address. The controller’s dynamic AP-manager interface must be configured with
the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.
The NAT parameters are supported for use only with one-to-one-mapping NAT, where each private client
has a direct and fixed mapping to a global address. The NAT parameters do not support one-to-many
NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
• Dynamic AP management
Note
When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one
AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager
interface cannot be used as a WLAN interface.
Set the APs in a VLAN that is different from the dynamic interface configured on the controller. If the
APs are in the same VLAN as the dynamic interface, the APs are not registered on the controller and the
“LWAPP discovery rejected” and “Layer 3 discovery request not received on management VLAN” errors
are logged on the controller.
• VLAN identifier
• Fixed IP address, IP netmask, and default gateway.
Note
Enter valid IP addresses in these fields.
• Primary and secondary DHCP servers
• Access control list (ACL) name, if required
Note
To ensure proper operation, you must set the Port Number and Primary DHCP Server parameters.
Step 6
Click Save Configuration to save your changes.
Step 7
Repeat this procedure for each dynamic interface that you want to create or edit.
Configuring Dynamic Interfaces (CLI)
Step 1
Enter the show interface summary command to view the current dynamic interfaces.
Step 2
View the details of a specific dynamic interface by entering this command:
show interface detailed operator_defined_interface_name.
Note
Interface names that contain spaces must be enclosed in double quotes. For example: config interface create
"vlan 25"
Step 3
Enter the config wlan disable wlan_id command to disable each WLAN that uses the dynamic interface for distribution
system communication.
Step 4
Enter these commands to configure dynamic interfaces:
• config interface create operator_defined_interface_name {vlan_id | x}
• config interface address operator_defined_interface_name ip_addr ip_netmask [gateway]
• config interface vlan operator_defined_interface_name {vlan_id | o}
• config interface port operator_defined_interface_name physical_ds_port_number
• config interface ap-manager operator_defined_interface_name {enable | disable}
Note
Use the config interface ap-manager operator_defined_interface_name {enable | disable} command
to enable or disable dynamic AP management. When you enable this feature, this dynamic interface is
configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A
dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface. You
cannot use ap-manager as the operator_defined_interface_name while configuring a dynamic interface
as ap-manager is a reserved name.
• config interface dhcp operator_defined_interface_name ip_address_of_primary_dhcp_server
[ip_address_of_secondary_dhcp_server]
• config interface quarantine vlan interface_name vlan_id
Note
Use the config interface quarantine vlan interface_name vlan_id command to configure a quarantine
VLAN on any interface.
• config interface acl operator_defined_interface_name access_control_list_name
Step 5
Enter these commands if you want to be able to deploy your controller behind a router or other gateway device that is
using one-to-one mapping network address translation (NAT):
• config interface nat-address dynamic-interface operator_defined_interface_name {enable | disable}
• config interface nat-address dynamic-interface operator_defined_interface_name set public_IP_address
NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In
this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic
AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct
IP address in the Discovery Response.
Note
These commands are supported for use only with one-to-one-mapping NAT, whereby each private client has
a direct and fixed mapping to a global address. These commands do not support one-to-many NAT, which uses
source port mapping to enable a group of clients to be represented by a single IP address.
Step 6
Enter the config wlan enable wlan_id command to reenable each WLAN that uses the dynamic interface for distribution
system communication.
Step 7
Enter the save config command to save your changes.
Step 8
Enter the show interface detailed operator_defined_interface_name command and show interface summary command
to verify that your changes have been saved.
Note
If desired, you can enter the config interface delete operator_defined_interface_name command to delete a
dynamic interface.
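As an added example (not Cisco's code and not part of the controller software), the following Python script checks a planned set of dynamic interfaces against the prerequisites and restrictions stated in this chapter (reserved name, tagged VLAN, one AP-manager per physical port, no duplicate or overlapping subnets, quoting of names with spaces) and then renders the CLI sequence of Steps 3 to 7. All interface names, addresses, ports and WLAN IDs in the plans are constructed values.

```python
"""Pre-flight check for a planned set of WLC dynamic interfaces.

Added example, not Cisco code. Applies the guide's rules (reserved name, tagged VLAN,
one AP-manager per physical port, no duplicate/overlapping subnets) to a constructed
plan and renders the CLI sequence of Steps 3 to 7.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

RESERVED_NAMES = {"ap-manager"}  # reserved on the controller


@dataclass
class DynamicInterface:
    name: str
    vlan_id: int  # 0 means untagged, which the guide does not allow for dynamic interfaces
    ip: str
    netmask: str
    gateway: str
    port: int  # physical distribution system port
    dhcp_primary: str
    dhcp_secondary: Optional[str] = None
    ap_manager: bool = False
    acl: Optional[str] = None

    def network(self) -> IPv4Network:
        return IPv4Network(f"{self.ip}/{self.netmask}", strict=False)


def validate_plan(plan: List[DynamicInterface]) -> List[str]:
    """Return rule violations; an empty list means the plan is clean."""
    problems: List[str] = []
    ap_manager_on_port: Dict[int, str] = {}
    for index, intf in enumerate(plan):
        if intf.name.lower() in RESERVED_NAMES:
            problems.append(f"{intf.name}: reserved interface name")
        if intf.vlan_id == 0:
            problems.append(f"{intf.name}: dynamic interfaces must use a tagged VLAN")
        net = intf.network()
        if IPv4Address(intf.ip) in (net.network_address, net.broadcast_address):
            problems.append(f"{intf.name}: {intf.ip} is not a usable host address in {net}")
        if IPv4Address(intf.gateway) not in net:
            problems.append(f"{intf.name}: gateway {intf.gateway} is outside {net}")
        if intf.ap_manager:
            if intf.port in ap_manager_on_port:
                problems.append(f"{intf.name}: port {intf.port} already has AP-manager "
                                f"interface {ap_manager_on_port[intf.port]}")
            else:
                ap_manager_on_port[intf.port] = intf.name
        for other in plan[:index]:  # duplicate or overlapping addresses are not supported
            if net.overlaps(other.network()):
                problems.append(f"{intf.name}: subnet {net} overlaps {other.name}")
    return problems


def cli_name(name: str) -> str:
    """Interface names that contain spaces must be enclosed in double quotes."""
    return f'"{name}"' if " " in name else name


def render_commands(plan: List[DynamicInterface], wlan_ids: List[int]) -> List[str]:
    """Render Steps 3 to 7 of the CLI procedure; refuses to render an invalid plan."""
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    commands = [f"config wlan disable {w}" for w in wlan_ids]  # Step 3
    for intf in plan:  # Step 4
        name = cli_name(intf.name)
        commands.append(f"config interface create {name} {intf.vlan_id}")
        commands.append(f"config interface address {name} {intf.ip} {intf.netmask} {intf.gateway}")
        commands.append(f"config interface port {name} {intf.port}")
        dhcp = f"config interface dhcp {name} {intf.dhcp_primary}"
        if intf.dhcp_secondary:
            dhcp += f" {intf.dhcp_secondary}"
        commands.append(dhcp)
        if intf.ap_manager:
            commands.append(f"config interface ap-manager {name} enable")
        if intf.acl:
            commands.append(f"config interface acl {name} {intf.acl}")
    commands += [f"config wlan enable {w}" for w in wlan_ids]  # Step 6
    commands.append("save config")  # Step 7
    return commands


# Constructed plan: two tagged dynamic interfaces on port 1, one of them an AP-manager.
GOOD_PLAN = [
    DynamicInterface("vlan 25", 25, "10.25.0.10", "255.255.255.0", "10.25.0.1", 1, "10.0.0.5"),
    DynamicInterface("apmgr2", 30, "10.30.0.10", "255.255.255.0", "10.30.0.1", 1, "10.0.0.5",
                     ap_manager=True, acl="guest-acl"),
]
# Constructed plan that breaks several rules at once.
BAD_PLAN = [
    DynamicInterface("ap-manager", 0, "10.25.0.10", "255.255.255.0", "10.25.0.1", 1, "10.0.0.5"),
    DynamicInterface("dup", 26, "10.25.0.200", "255.255.255.0", "10.25.0.1", 2, "10.0.0.5", ap_manager=True),
    DynamicInterface("dup2", 27, "10.27.0.10", "255.255.255.0", "10.27.0.1", 2, "10.0.0.5", ap_manager=True),
]

if __name__ == "__main__":
    print("\n".join(render_commands(GOOD_PLAN, wlan_ids=[1, 2])))
    print("\n".join(validate_plan(BAD_PLAN)))
```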
CHAPTER 32
Configuring Ports (GUI)
• Configuring Ports (GUI), on page 327
Configuring Ports (GUI)
The controller’s ports are configured with factory-default settings designed to make the controller’s ports
operational without additional configuration. However, you can view the status of the controller’s ports and
edit their configuration parameters at any time.
Step 1
Choose Controller > Ports to open the Ports page.
This page shows the current configuration for each of the controller’s ports.
If you want to change the settings of any port, click the number for that specific port. The Port > Configure page appears.
Note
If the management and AP-manager interfaces are mapped to the same port and are members of the same
VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management
and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.
Note
The number of parameters available on the Port > Configure page depends on your controller type.
The following parameters show the current status of the port:
• Port Number—Number of the current port.
• Admin Status—Current state of the port. Values: Enable or Disable
• Physical Mode—Configuration of the port physical interface. The mode varies by the controller type.
• Physical Status—The data rate being used by the port. The available data rates vary based on controller type.
• Cisco 2504 WLC—1 Gbps full duplex
• Cisco WiSM2—10 Gbps full duplex
• Cisco 7510 WLC—10 Gbps full duplex
• Link Status—Link status of the port. Values: Link Up or Link Down
• Link Trap—Whether the port is set to send a trap when the link status changes. Values: Enable or Disable
• Power over Ethernet (PoE)—If the connecting device is equipped to receive power through the Ethernet cable and
if so, provides –48 VDC. Values: Enable or Disable
Note
Some older Cisco access points do not draw PoE even if it is enabled on the controller port. In such cases,
contact the Cisco Technical Assistance Center (TAC).
The following is a list of the port’s configurable parameters.
a. Admin Status—Enables or disables the flow of traffic through the port. Options: Enable or Disable, with default
option of Enable.
Note
When a primary port link goes down, messages may get logged internally only and not be posted to a syslog
server. It may take up to 40 seconds to restore logging to the syslog server.
b. Physical Mode—Determines whether the port’s data rate is set automatically or specified by the user. The supported
data rates vary based on the controller type. Default: Auto.
c. Link Trap—Causes the port to send a trap when the port’s link status changes. Options: Enable or Disable, with
default option of Enable.
Step 2
Click Apply.
Step 3
Click Save Configuration.
Step 4
Click Back to return to the Ports page and review your changes.
Step 5
Repeat this procedure for each additional port that you want to configure.
CHAPTER 33
Configuring Link Aggregation
• Link Aggregation, on page 329
• Restrictions on Link Aggregation, on page 329
• Configuring Link Aggregation (GUI), on page 331
• Configuring Link Aggregation (CLI), on page 332
• Verifying Link Aggregation Settings (CLI), on page 332
• Configuring Neighbor Devices to Support Link Aggregation, on page 332
• Choosing Between Link Aggregation and Multiple AP-Manager Interfaces, on page 333
Link Aggregation
Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all
of the controller’s distribution system ports into a single 802.3ad port channel. This reduces the number of
IP addresses required to configure the ports on your controller. When LAG is enabled, the system dynamically
manages port redundancy and load balances access points transparently to the user.
LAG simplifies controller configuration because you no longer need to configure primary and secondary
ports for each interface. If any of the controller ports fail, traffic is automatically migrated to one of the other
ports. As long as at least one controller port is functioning, the system continues to operate, access points
remain connected to the network, and wireless clients continue to send and receive data.
You can use fast restart for any LAG changes.
The controller does not send CDP advertisements on a LAG interface.
Note
LAG is supported across switches.
Restrictions on Link Aggregation
• You can bundle all eight ports on a Cisco 5508 Controller into a single link.
• Terminating on two different modules within a single Catalyst 6500 series switch provides redundancy
and ensures that connectivity between the switch and the controller is maintained when one module fails.
The controller’s port 1 is connected to Gigabit interface 3/1, and the controller’s port 2 is connected to
Gigabit interface 2/1 on the Catalyst 6500 series switch. Both switch ports are assigned to the same
channel group.
• The controller relies on the switch for the load-balancing decisions on traffic that comes from the network,
with “source-destination IP” as the typically recommended option. It is important to select a correct
balancing configuration on the switch side, as some variations might have an impact on controller
performance or cause packet drops on some scenarios, where traffic from different ports is split across
different data planes internally.
• When using link aggregation (LAG), make sure all ports of the controller have the same Layer 2
configuration on the switch side. For example, avoid filtering some VLANs in one port, and not the
others.
• LAG requires the EtherChannel to be configured for 'mode on' on both the controller and the Catalyst
switch.
• Once the EtherChannel is configured as on at both ends of the link, the Catalyst switch should not be
configured for either Link Aggregation Control Protocol (LACP) or Cisco proprietary Port Aggregation
Protocol (PAgP) but be set unconditionally to LAG. Because no channel negotiation is done between
the controller and the switch, the controller does not answer to negotiation frames and the LAG is not
formed if a dynamic form of LAG is set on the switch. Additionally, LACP and PAgP are not supported
on the controller.
• If the recommended load-balancing method cannot be configured on the Catalyst switch, then configure
the LAG connection as a single member link or disable LAG on the controller.
Figure 33: Link Aggregation with the Catalyst 6500 Series Neighbor Switch
• You cannot configure the controller’s ports into separate LAG groups. Only one LAG group is supported
per controller.
• When you enable LAG or make any changes to the LAG configuration, you must immediately reboot
the controller.
• When you enable LAG, you can configure only one AP-manager interface because only one logical port
is needed.
• When you enable LAG, all dynamic AP-manager interfaces and untagged interfaces are deleted, and all
WLANs are disabled and mapped to the management interface. Also, the management, static AP-manager,
and VLAN-tagged dynamic interfaces are moved to the LAG port.
• Multiple untagged interfaces to the same port are not allowed.
• When you enable LAG, all ports participate in LAG by default. You must configure LAG for all of the
connected ports in the neighbor switch.
• When you enable LAG, if any single link goes down, traffic migrates to the other links.
• When you enable LAG, only one functional physical port is needed for the controller to pass client traffic.
• When you enable LAG, access points remain connected to the controller until you reboot the controller,
which is needed to activate the LAG mode change, and data service for users continues uninterrupted.
• When you enable LAG, you eliminate the need to configure primary and secondary ports for each
interface.
• When you enable LAG, the controller sends packets out on the same port on which it received them. If
a CAPWAP packet from an access point enters the controller on physical port 1, the controller removes
the CAPWAP wrapper, processes the packet, and forwards it to the network on physical port 1. This may
not be the case if you disable LAG.
• When you disable LAG, the management, static AP-manager, and dynamic interfaces are moved to port
1.
• When you disable LAG, you must configure primary and secondary ports for all interfaces.
• When you enable LAG on Cisco 2504 WLC to which the direct-connect access point is associated, the
direct connect access point is disconnected since LAG enabling is still in the transition state. You must
reboot the controller immediately after enabling LAG.
• In Cisco 8510 WLCs, when more than 1000 APs join the controller, flapping occurs. To avoid this, we
recommend that you do not add more than 1000 APs on a single Cisco Catalyst switch for CAPWAP
IPv6.
• If you have configured a port-channel on the switch and you have not configured the AP for LAG, the
AP moves to standalone mode.
• We recommend that you configure LAG with HA-SSO in disabled state. Therefore, you must enable
LAG before placing the controllers in HA-SSO pair or schedule a maintenance window to break the
HA-SSO (requires controller reboot) and then enable LAG and re-enable HA-SSO thereafter (incurs
multiple controller reboots in the process).
Configuring Link Aggregation (GUI)
Step 1
Choose Controller > General to open the General page.
Step 2
Set the LAG Mode on next reboot parameter to Enabled.
Step 3
Save the configuration.
Step 4
Reboot the controller.
Configuring Link Aggregation (CLI)
Step 1
Enter the config lag enable command to enable LAG.
Note
Enter the config lag disable command if you want to disable LAG.
Step 2
Enter the save config command to save your settings.
Step 3
Reboot the controller.
Verifying Link Aggregation Settings (CLI)
Verify your LAG settings by entering this command:
show lag summary
Information similar to the following appears:
LAG Enabled
Configuring Neighbor Devices to Support Link Aggregation
The controller’s neighbor devices must also be properly configured to support LAG.
• Each neighbor port to which the controller is connected should be configured as follows:
interface GigabitEthernet <interface id>
switchport
channel-group <id> mode on
no shutdown
• The port channel on the neighbor switch should be configured as follows:
interface port-channel <id>
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan <native vlan id>
switchport trunk allowed vlan <allowed vlans>
switchport mode trunk
no shutdown
Choosing Between Link Aggregation and Multiple AP-Manager Interfaces
Controllers have no restrictions on the number of access points per port, but we recommend that you use link
aggregation (LAG) or multiple AP-manager interfaces on each Gigabit Ethernet port to automatically balance
the load.
The following factors should help you decide which method to use if your controller is set for Layer 3 operation:
• With LAG, all of the controller ports need to connect to the same neighbor switch. If the neighbor switch
goes down, the controller loses connectivity.
• With multiple AP-manager interfaces, you can connect your ports to different neighbor devices. If one
of the neighbor switches goes down, the controller still has connectivity. However, using multiple
AP-manager interfaces presents certain challenges when port redundancy is a concern.
CHAPTER 34
Configuring Multiple AP-Manager Interfaces
• Information About Multiple AP-Manager Interfaces, on page 335
• Restrictions on Configuring Multiple AP Manager Interfaces, on page 335
• Creating Multiple AP-Manager Interfaces (GUI), on page 336
• Creating Multiple AP-Manager Interfaces (CLI), on page 336
Information About Multiple AP-Manager Interfaces
When you create two or more AP-manager interfaces, each one is mapped to a different port. We recommend
that you configure the ports in sequential order so that AP-manager interface 2 is on port 2, AP-manager
interface 3 is on port 3, and AP-manager interface 4 is on port 4.
Before an access point joins a controller, it sends out a discovery request. From the discovery response that
it receives, the access point can tell the number of AP-manager interfaces on the controller and the number
of access points on each AP-manager interface. The access point generally joins the AP-manager with the
least number of access points. In this way, the access point load is dynamically distributed across the multiple
AP-manager interfaces.
Note
Access points may not be distributed completely evenly across all of the AP-manager interfaces, but a certain
level of load balancing occurs.
Multiple AP-Manager interfaces are also supported in non-LAG setups, only if you are not going to configure
the controller for either LAG or IPv6.
Restrictions on Configuring Multiple AP Manager Interfaces
The following restrictions apply while configuring the multiple AP manager interfaces in the controller:
• You must assign an AP-manager interface to each port on the controller.
• Before implementing multiple AP-manager interfaces, you should consider how they would impact your
controller’s port redundancy.
• AP-manager interfaces do not need to be on the same VLAN or IP subnet, and they may or may not be
on the same VLAN or IP subnet as the management interface. However, we recommend that you configure
all AP-manager interfaces on the same VLAN or IP subnet.
• If the port of one of the AP-manager interfaces fails, the controller clears the state of the access points,
and the access points must reboot to reestablish communication with the controller using the normal
controller join process. The controller no longer includes the failed AP-manager interface in the CAPWAP
or LWAPP discovery responses. The access points then rejoin the controller and are load balanced among
the available AP-manager interfaces.
In the case of the management interface, because a backup port is supported, APs already connected
through the management interface remain connected (failing over to the backup port) rather than dropping
off. However, the AP-manager function on the management interface is disabled, and any new APs associate
with the currently active AP-manager interfaces.
Creating Multiple AP-Manager Interfaces (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Step 2
Click New.
The Interfaces > New page appears.
Step 3
Enter an AP-manager interface name and a VLAN identifier.
Step 4
Click Apply to commit your changes. The Interfaces > Edit page appears.
Step 5
Enter the appropriate interface parameters.
Note
Every interface supports a primary and a backup port, with the following exceptions:
• A dynamic interface that is converted to an AP-manager interface does not support backup port configuration.
• If AP-manager is enabled on the management interface and the management interface moves to the backup
port because of a primary port failure, the AP-manager function is disabled.
Step 6
To make this interface an AP-manager interface, check the Enable Dynamic AP Management check box.
Note
Only one AP-manager interface is allowed per physical port. A dynamic interface that is marked as an
AP-manager interface cannot be used as a WLAN interface.
Step 7
Click Save Configuration to save your settings.
Step 8
Repeat this procedure for each additional AP-manager interface that you want to create.
Creating Multiple AP-Manager Interfaces (CLI)
Step 1
Enter these commands to create a new interface:
• config interface create operator_defined_interface_name {vlan_id | x}
• config interface address operator_defined_interface_name ip_addr ip_netmask [gateway]
• config interface vlan operator_defined_interface_name vlan_id
• config interface port operator_defined_interface_name physical_ds_port_number
• config interface dhcp operator_defined_interface_name ip_address_of_primary_dhcp_server
[ip_address_of_secondary_dhcp_server]
• (Optional) config interface quarantine vlan interface_name vlan_id
Note
Use this command to configure a quarantine VLAN on any interface.
• (Optional) config interface acl operator_defined_interface_name access_control_list_name
Step 2
To make this interface an AP-manager interface, enter this command:
config interface ap-manager operator_defined_interface_name {enable | disable}
Note
Only one AP-manager interface is allowed per physical port. A dynamic interface that is marked as an
AP-manager interface cannot be used as a WLAN interface.
Step 3
Enter the save config command to save your changes.
Step 4
Repeat this procedure for each additional AP-manager interface that you want to create.
CHAPTER 35
Configuring VLAN Select
• Information About VLAN Select, on page 339
• Restrictions for Configuring VLAN Select, on page 340
• Configuring Interface Groups, on page 340
Information About VLAN Select
Whenever a wireless client connects to a wireless network (WLAN), the client is placed in a VLAN that is
associated with the WLAN. In a large venue such as an auditorium, a stadium, or a conference where there
may be numerous wireless clients, having only a single WLAN to accommodate many clients might be a
challenge.
The VLAN select feature enables you to use a single WLAN that can support multiple VLANs. Clients can
get assigned to one of the configured VLANs. This feature enables you to map a WLAN to a single or multiple
interface VLANs using interface groups. Wireless clients that associate to the WLAN get an IP address from
a pool of subnets identified by the interfaces. The IP address is derived by an algorithm based on the MAC
address of the wireless client. This feature also extends the current AP group architecture where AP groups
can override an interface or interface group to which the WLAN is mapped to, with multiple interfaces using
the interface groups. This feature also provides the solution to auto anchor restrictions where a wireless guest
user on a foreign location can get an IP address from multiple subnets based on their foreign locations or
foreign controllers from the same anchor controller.
When a client roams from one controller to another, the foreign controller sends the VLAN information as
part of the mobility announce message. Based on the VLAN information received, the anchor decides whether
the tunnel should be created between the anchor controller and the foreign controller. If the same VLAN is
available on the foreign controller, the client context is completely deleted from the anchor and the foreign
controller becomes the new anchor controller for the client.
If an interface (int-1) in a subnet is untagged in one controller (Vlan ID 0) and the interface (int-2) in the same
subnet is tagged to another controller (Vlan ID 1), then with the VLAN select, client joining the first controller
over this interface may not undergo an L2 roam while it moves to the second controller. Hence, for L2 roaming
to happen between two controllers with VLAN select, all the interfaces in the same subnet should be either
tagged or untagged.
As part of the VLAN select feature, the mobility announce message carries an additional vendor payload that
contains the list of VLAN interfaces in an interface group mapped to a foreign controller’s WLAN. This
VLAN list enables the anchor to differentiate from a local to local or local to foreign handoff.
Note
VLAN pooling applies to wireless clients and centrally switched WLANs.
Restrictions for Configuring VLAN Select
• The VLAN select feature enables you to use a single WLAN that can support multiple VLANs.
Configuring Interface Groups
Interface Groups
Interface groups are logical groups of interfaces. Interface groups facilitate user configuration where the same
interface group can be configured on multiple WLANs or while overriding a WLAN interface per AP group.
An interface group can exclusively contain either quarantine or nonquarantine interfaces. An interface can be
part of multiple interface groups.
A WLAN can be associated with an interface or interface group. The interface group name and the interface
name cannot be the same.
This feature also enables you to associate a client to specific subnets based on the foreign controller that they
are connected to. The anchor controller WLAN can be configured to maintain a mapping between foreign
controller MAC and a specific interface or interface group (Foreign maps) as needed. If this mapping is not
configured, clients on that foreign controller get VLANs in a round-robin fashion from the interface
group configured on the WLAN.
You can also configure AAA override for interface groups. This feature extends the current access point group
and AAA override architecture where access point groups and AAA override can be configured to override
the interface group WLAN that the interface is mapped to. This is done with multiple interfaces using interface
groups.
The controller marks a VLAN as dirty when clients are unable to receive an IP address using DHCP. The VLAN
interface is marked as dirty based on one of two methods:
Aggressive Method—Only one failure is counted per association per client, and the controller marks the VLAN
as a dirty interface when a failure occurs three times for a client or for three different clients.
Non-Aggressive Method—Only one failure is counted per association per client, and the controller marks the
VLAN as a dirty interface only when three or more clients fail.
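As an added example (not Cisco's code, and a model of the stated rules rather than the controller's implementation), the following Python replays a constructed sequence of DHCP results for one VLAN against both marking methods to show where they diverge: a single client failing over three associations dirties the VLAN under the aggressive method only, while the non-aggressive method waits for three distinct failing clients. Client MACs and association IDs are constructed.

```python
"""Replay DHCP failures against the two dirty-VLAN marking methods.

Added example, not Cisco code: a model of the stated rules, not the controller's
implementation. Events are constructed (client MAC, association id, DHCP outcome).
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DIRTY_THRESHOLD = 3  # "three times for a client or for three different clients"


@dataclass
class DhcpEvent:
    client_mac: str
    association_id: int  # increments each time the client (re)associates
    success: bool


class DirtyVlanTracker:
    """Tracks DHCP failures on one VLAN interface and reports when it becomes dirty."""

    def __init__(self, aggressive: bool) -> None:
        self.aggressive = aggressive
        # Only one failure is counted per association per client, so we keep the
        # (client, association) pairs that failed rather than a raw counter.
        self.failed: Set[Tuple[str, int]] = set()

    def record(self, event: DhcpEvent) -> None:
        if not event.success:
            self.failed.add((event.client_mac.lower(), event.association_id))

    def failing_clients(self) -> int:
        return len({mac for mac, _ in self.failed})

    def is_dirty(self) -> bool:
        if self.aggressive:
            # Any three counted failures: one client three times, or three clients once each.
            return len(self.failed) >= DIRTY_THRESHOLD
        # Non-aggressive: only three or more distinct failing clients mark the VLAN dirty.
        return self.failing_clients() >= DIRTY_THRESHOLD


def first_dirty_index(events: List[DhcpEvent], aggressive: bool) -> Optional[int]:
    """Index of the event at which the VLAN is first marked dirty, or None if never."""
    tracker = DirtyVlanTracker(aggressive)
    for i, event in enumerate(events):
        tracker.record(event)
        if tracker.is_dirty():
            return i
    return None


# Constructed trace: one client retries DHCP over three associations, then a second
# client fails, then a third. Repeated failures within one association are counted once.
TRACE = [
    DhcpEvent("00:11:22:33:44:01", 1, False),
    DhcpEvent("00:11:22:33:44:01", 1, False),  # same association: not counted again
    DhcpEvent("00:11:22:33:44:01", 2, False),
    DhcpEvent("00:11:22:33:44:01", 3, False),  # third counted failure for this client
    DhcpEvent("00:11:22:33:44:02", 1, True),
    DhcpEvent("00:11:22:33:44:02", 2, False),
    DhcpEvent("00:11:22:33:44:03", 1, False),  # third distinct failing client
]

if __name__ == "__main__":
    print("aggressive: dirty at event", first_dirty_index(TRACE, aggressive=True))
    print("non-aggressive: dirty at event", first_dirty_index(TRACE, aggressive=False))
```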
Restrictions on Configuring Interface Groups
• The priority order for configuring interface groups for a WLAN is:
• AAA override
• AP group
• Interface group
Note
AP group interface mapping for a WLAN is not supported in an anchor-foreign
scenario.
• Dual stack clients with a static IPv4 address are not supported.
Creating Interface Groups (GUI)
Step 1
Choose Controller > Interface Groups.
The Interface Groups page appears with the list of interface groups already created.
Note
To remove an interface group, hover your mouse pointer over the blue drop-down icon and choose Remove.
Step 2
Click Add Group.
The Add New Interface Group page appears.
Step 3
Enter the details of the interface group:
• Interface Group Name—Specify the name of the interface group.
• Description—Add a brief description of the interface group.
Step 4
Click Add.
Creating Interface Groups (CLI)
Step 1
config interface group {create | delete} interface_group_name—Creates or deletes an interface group
Step 2
config interface group description interface_group_name description—Adds a description to the interface group
Adding Interfaces to Interface Groups (GUI)
Step 1
Choose Controller > Interface Groups.
The Interface Groups page appears with a list of all interface groups.
Step 2
Click the name of the interface group to which you want to add interfaces.
The Interface Groups > Edit page appears.
Step 3
Choose the interface name that you want to add to this interface group from the Interface Name drop-down list.
Step 4
Click Add Interface to add the interface to the Interface group.
Step 5
Repeat Steps 2 and 3 if you want to add multiple interfaces to this interface group.
Note
To remove an interface from the interface group, hover your mouse pointer over the blue drop-down arrow and
choose Remove.
Adding Interfaces to Interface Groups (CLI)
Add interfaces to interface groups by entering this command:
config interface group interface add interface_group interface_name
Viewing VLANs in Interface Groups (CLI)
View a list of VLANs in the interface groups by entering this command:
show interface group detailed interface-group-name
Adding an Interface Group to a WLAN (GUI)
Step 1
Choose the WLAN tab.
The WLANs page appears listing the available WLANs.
Step 2
Click the WLAN ID of the WLAN to which you want to add the interface group.
Step 3
In the General tab, choose the interface group from the Interface/Interface Group (G) drop-down list.
Step 4
Click Apply.
Note
Suppose that the interface group that you add to a WLAN has RADIUS Server Overwrite interface enabled.
In this case, when a client requests authentication, the controller selects the first IP address from the interface
group as the RADIUS server.
Adding an Interface Group to a WLAN (CLI)
Add an interface group to a WLAN by entering this command:
config wlan interface wlan_id interface_group_name
CHAPTER
37
Configuring Multicast Optimization
• Multicast VLAN, on page 347
• Configuring a Multicast VLAN (GUI), on page 348
• Configuring a Multicast VLAN (CLI), on page 348
Multicast VLAN
If VLAN groups are in use, we recommend that you enable multicast VLAN to limit multicast on the air to
a single copy on a predefined multicast VLAN.
With VLAN select and VLAN pooling, there is a possibility that you might increase duplicate packets. With
the VLAN select feature, every client listens to the multicast stream on a different VLAN. As a result, the
controller creates different MGIDs for each multicast address and VLAN. Therefore, the upstream router
sends one copy for each VLAN, which results, in the worst case, in as many copies as there are VLANs in
the pool. Since the WLAN is still the same for all clients, multiple copies of the multicast packet are sent over
the air. To suppress the duplication of a multicast stream on the wireless medium and between the controller
and access points, you can use the multicast VLAN feature.
Multicast optimization enables you to create a multicast VLAN that you can use for multicast traffic. You
can configure one of the VLANs of the WLAN as a multicast VLAN where multicast groups are registered.
Clients are allowed to listen to a multicast stream on the multicast VLAN. The MGID is generated using the
multicast VLAN and the multicast IP address. If multiple clients on the VLAN pool of the same WLAN are
listening to a single multicast IP address, a single MGID is generated. The controller makes sure that all
multicast streams from the clients on this VLAN pool always go out on the multicast VLAN, so that
the upstream router has one entry for all the VLANs of the VLAN pool. Only one multicast stream hits the
VLAN pool even if the clients are on different VLANs. Therefore, the multicast packets that are sent out over
the air form just one stream.
If the WLAN is anchored, then the interface mapping at the anchored side is used for client connections. For
anchored guest WLANs, it is a best practice to use a black hole dynamic interface at the foreign controller.
For more information, see https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-6/b_Cisco_Wireless_LAN_Controller_Configuration_Best_Practices.html#concept_331FB2E819654D62BC998FF00BFA3FF3
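The MGID behaviour described above, together with the round-robin and Foreign-map VLAN assignment from the interface group chapter, as an added example that is not controller code; the VLAN IDs, MAC addresses and multicast group are constructed values:

```python
from itertools import cycle

# Constructed sample: a WLAN whose interface group pools three dynamic
# interfaces, four locally attached clients, and one client that reached the
# anchor through a foreign controller that has a Foreign map entry.
INTERFACE_GROUP_VLANS = [110, 111, 112]
FOREIGN_MAPS = {"00:1a:2b:3c:4d:5e": 120}    # foreign controller MAC -> VLAN
CLIENTS = [
    ("00:11:22:33:44:01", None),
    ("00:11:22:33:44:02", None),
    ("00:11:22:33:44:03", None),
    ("00:11:22:33:44:04", None),
    ("00:11:22:33:44:05", "00:1a:2b:3c:4d:5e"),   # via the mapped foreign controller
]
MULTICAST_GROUP = "239.10.1.1"
SUBSCRIPTIONS = {mac: {MULTICAST_GROUP} for mac, _ in CLIENTS}


def assign_client_vlans(clients, group_vlans, foreign_maps=None):
    """Pick a VLAN per client from the WLAN's interface group.

    clients: iterable of (client_mac, foreign_controller_mac or None).
    A client whose foreign controller has a Foreign map entry gets the mapped
    VLAN; every other client is assigned round-robin from the group.
    """
    foreign_maps = foreign_maps or {}
    round_robin = cycle(group_vlans)
    assignment = {}
    for client_mac, foreign_ctrl in clients:
        if foreign_ctrl is not None and foreign_ctrl in foreign_maps:
            assignment[client_mac] = foreign_maps[foreign_ctrl]
        else:
            assignment[client_mac] = next(round_robin)
    return assignment


def multicast_group_ids(assignment, subscriptions, multicast_vlan=None):
    """Return the set of (vlan, group) keys the controller needs an MGID for.

    Without a multicast VLAN the MGID is keyed on each client's own VLAN, so
    a pooled WLAN yields one MGID (and one copy on the air) per VLAN in use.
    With a multicast VLAN every subscription is keyed on that VLAN instead.
    """
    mgids = set()
    for client_mac, groups in subscriptions.items():
        vlan = multicast_vlan if multicast_vlan is not None else assignment[client_mac]
        for group in groups:
            mgids.add((vlan, group))
    return mgids


def copies_over_air(multicast_vlan=None):
    """Number of distinct MGIDs, i.e. copies of the stream, for the sample WLAN."""
    assignment = assign_client_vlans(CLIENTS, INTERFACE_GROUP_VLANS, FOREIGN_MAPS)
    return len(multicast_group_ids(assignment, SUBSCRIPTIONS, multicast_vlan))


if __name__ == "__main__":
    print("without multicast VLAN:", copies_over_air())
    print("with multicast VLAN 110:", copies_over_air(multicast_vlan=110))
```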
Configuring a Multicast VLAN (GUI)
Step 1
Choose WLANs > WLAN ID. The WLAN > Edit page appears.
Step 2
In the General tab, select the Multicast VLAN feature check box to enable multicast VLAN for the WLAN.
The Multicast Interface drop-down list appears.
Step 3
Choose the VLAN from the Multicast Interface drop-down list.
Step 4
Click Apply.
Configuring a Multicast VLAN (CLI)
Use the config wlan multicast interface wlan_id enable interface_name command to configure the multicast
VLAN feature.
PART
III
VideoStream
• VideoStream, on page 351
CHAPTER
38
VideoStream
• Information about Media Stream, on page 351
• Prerequisites for Media Stream, on page 351
• Restrictions for Configuring VideoStream, on page 351
• Configuring Media Stream (GUI), on page 352
• Configuring Media Stream (CLI), on page 355
• Viewing and Debugging Media Stream, on page 356
Information about Media Stream
The IEEE 802.11 wireless multicast delivery mechanism does not provide a reliable way to acknowledge lost
or corrupted packets. As a result, if any multicast packet is lost in the air, it is not sent again, which may make
an IP multicast stream unviewable.
The Media Stream feature makes the delivery of the IP multicast stream reliable over air, by converting the
multicast frame to a unicast frame over the air. Each Media Stream client acknowledges receiving a video IP
multicast stream.
Prerequisites for Media Stream
• Make sure that the Multicast feature is enabled. We recommend that you configure IP multicast on the
controller in multicast-multicast mode.
• Check for the IP address on the client machine. The machine should have an IP address from the respective
VLAN.
• Verify that the access points have joined the controllers.
• Make sure that the clients are able to associate to the configured WLAN at 802.11n speed.
Restrictions for Configuring VideoStream
VideoStream is supported in the 7.0.98.0 and later controller software releases.
The Cisco OEAP-600 does not support VideoStream. All other access points support VideoStream.
Configuring Media Stream (GUI)
Step 1
Configure the multicast feature by following these steps:
a) Choose Wireless > MediaStream > General.
b) Select or unselect the Multicast Direct feature check box. The default value is disabled.
Note
Enabling the multicast direct feature does not automatically reset the existing client state. The wireless
clients must rejoin the multicast stream after enabling the multicast direct feature on the controller.
c) In the Session Message Config area, select the Session announcement State check box to enable the session
announcement mechanism. If the session announcement state is enabled, clients are informed each time a controller
is not able to serve the multicast direct data to the client.
d) In the Session announcement URL text box, enter the URL where the client can find more information when an
error occurs during the multicast media stream transmission.
e) In the Session announcement e-mail text box, enter the e-mail address of the person who can be contacted.
f) In the Session announcement Phone text box, enter the phone number of the person who can be contacted.
g) In the Session announcement Note text box, enter a reason as to why a particular client cannot be served with a
multicast media.
h) Click Apply.
Step 2
Add a media stream by following these steps:
a) Choose Wireless > Media Stream > Streams to open the Media Stream page.
b) Click Add New to configure a new media stream. The Media Stream > New page appears.
Note
The Stream Name, Multicast Destination Start IP Address (IPv4 or IPv6), and Multicast Destination End
IP Address (IPv4 or IPv6) text boxes are mandatory. You must enter information in these text boxes.
c) In the Stream Name text box, enter the media stream name. The stream name can be up to 64 characters.
d) In the Multicast Destination Start IP Address (IPv4 or IPv6) text box, enter the start (IPv4 or IPv6) address of
the multicast media stream.
e) In the Multicast Destination End IP Address (IPv4 or IPv6) text box, enter the end (IPv4 or IPv6) address of
the multicast media stream.
Note
Ensure that the Multicast Destination Start and End IP addresses are of the same type, that is both addresses
should be of either IPv4 or IPv6 type.
f) In the Maximum Expected Bandwidth text box, enter the maximum expected bandwidth that you want to assign
to the media stream. The values can range between 1 to 35000 kbps.
Note
We recommend that you use a template to add a media stream to the controller.
g) From the Select from Predefined Templates drop-down list under Resource Reservation Control (RRC) Parameters,
choose one of the following options to specify the details about the resource reservation control:
• Very Coarse (below 300 kbps)
• Coarse (below 500 kbps)
• Ordinary (below 750 kbps)
• Low (below 1 Mbps)
• Medium (below 3 Mbps)
• High (below 5 Mbps)
Note
When you select a predefined template from the drop-down list, the following text boxes under the
Resource Reservation Control (RRC) Parameters list their default values that are assigned with the
template.
• Average Packet Size (100-1500 bytes)—Specifies the average packet size. The value can be in the range of
100 to 1500 bytes. The default value is 1200.
• RRC Periodic update—Enables the RRC (Resource Reservation Control Check) Periodic update. By default,
this option is enabled. RRC periodically updates the admission decision on the admitted stream according to
the correct channel load. As a result, it may deny certain low priority admitted stream requests.
• RRC Priority (1-8)—Specifies the priority bit set in the media stream. The priority can be any number between
1 and 8; the larger the value, the higher the priority. For example, a priority of 1 is the lowest value
and a value of 8 is the highest value. The default priority is 4. A low priority stream may be denied in the
RRC periodic update.
• Traffic Profile Violation—Specifies the action to perform in case of a violation after a re-RRC. Choose an
action from the drop-down list. The possible values are as follows:
Drop—Specifies that a stream is dropped on periodic reevaluation.
Fallback—Specifies that a stream is demoted to Best Effort class on periodic reevaluation.
The default value is drop.
h) Click Apply.
Step 3
Enable the media stream for multicast-direct by following these steps:
a) Choose WLANs > WLAN ID to open the WLANs > Edit page.
b) Click the QoS tab and select Gold (Video) from the Quality of Service (QoS) drop-down list.
c) Click Apply.
Step 4
Set the EDCA parameters to voice and video optimized (optional) by following these steps:
a) Choose Wireless > 802.11a/n or 802.11b/g/n > EDCA Parameters.
b) From the EDCA Profile drop-down list, choose the Voice and Video Optimized option.
c) Click Apply.
Step 5
Enable the admission control on a band for video (optional) by following these steps:
Note
Keep the voice bandwidth allocation to a minimum for better performance.
a) Choose Wireless > 802.11a/n or 802.11b/g/n > Media to open the 802.11a (5 GHz) or 802.11b > Media page.
b) Click the Video tab.
c) Select the Admission Control (ACM) check box to enable static CAC for this radio band. The default value is
disabled.
d) Click Apply.
Step 6
Configure the video bandwidth by following these steps:
Note
The template bandwidth that is configured for a media stream should be more than the bandwidth for the
source media stream.
Note
The voice configuration is optional. Keep the voice bandwidth allocation to a minimum for better performance.
a) Disable all WMM WLANs.
b) Choose Wireless > 802.11a/n or 802.11b/g/n > Media to open the 802.11a (5 GHz) or 802.11b > Media page.
c) Click the Video tab.
d) Select the Admission Control (ACM) check box to enable the video CAC for this radio band. The default value
is disabled.
e) In the Max RF Bandwidth field, enter the percentage of the maximum bandwidth allocated to clients for video
applications on this radio band. Once the client reaches the value specified, the access point rejects new requests
on this radio band.
f) The range is 5 to 85%.
g) The default value is 9%.
h) Click Apply.
i) Reenable all WMM WLANs and click Apply.
Step 7
Configure the media bandwidth by following these steps:
a) Choose Wireless > 802.11a/n or 802.11b/g/n > Media to open the 802.11a (or 802.11b) > Media > Parameters
page.
b) Click the Media tab to open the Media page.
c) Select the Unicast Video Redirect check box to enable Unicast Video Redirect. The default value is disabled.
d) In the Maximum Media Bandwidth (0-85%) text box, enter the percentage of the maximum bandwidth to be
allocated for media applications on this radio band. Once the client reaches a specified value, the access point rejects
new calls on this radio band.
e) The default value is 85%; valid values are from 0% to 85%.
f) In the Client Minimum Phy Rate text box, enter the minimum transmission data rate to the client. If the transmission
data rate is below the phy rate, either the video will not start or the client may be classified as a bad client. The bad
client video can be demoted to best-effort QoS or subject to denial.
g) In the Maximum Retry Percent (0-100%) text box, enter the percentage of maximum retries that are allowed.
The default value is 80. If it exceeds 80, either the video will not start or the client might be classified as a bad
client. The bad client video can be demoted to best-effort QoS or subject to denial.
h) Select the Multicast Direct Enable check box to enable the Multicast Direct Enable field. The default value is
enabled.
i) From the Max Streams per Radio drop-down list, choose the maximum number of streams allowed per radio
from the range 0 to 20. The default value is set to No-limit. If you choose No-limit, there is no limit set for the
number of client subscriptions.
j) From the Max Streams per Client drop-down list, choose the maximum number of streams allowed per client
from the range 0 to 20. The default value is set to No-limit. If you choose No-limit, there is no limit set for the
number of client subscriptions.
k) Select the Best Effort QoS Admission check box to enable best-effort QoS admission.
l) Click Apply.
Step 8
Enable a WLAN by following these steps:
a) Choose WLANs > WLAN ID.
The WLANs > Edit page appears.
b) Select the Status check box.
c) Click Apply.
Step 9
Enable the 802.11 a/n or 802.11 b/g/n network by following these steps:
a) Choose Wireless > 802.11a/n or 802.11b/g/n > Network.
b) Select the 802.11a or 802.11b/g Network Status check box to enable the network status.
c) Click Apply.
Step 10
Verify that the clients are associated with the multicast groups and group IDs by following these steps:
a) Choose Monitor > Clients.
The Clients page appears.
b) Check if the 802.11a/n or 802.11b/g/n network clients have the associated access points.
c) Choose Monitor > Multicast. The Multicast Groups page appears.
d) Select the MGID check box for the Media Stream to the clients.
e) Click MGID. The Multicast Group Detail page appears. Check the Multicast Status details.
Configuring Media Stream (CLI)
Step 1
Configure the multicast-direct feature on WLANs media stream by entering this command:
config wlan media-stream multicast-direct {wlan_id | all} {enable | disable}
Step 2
Enable or disable the multicast feature by entering this command:
config media-stream multicast-direct {enable | disable}
Step 3
Configure various message configuration parameters by entering this command:
config media-stream message {state [enable | disable] | url url | email email | phone phone_number | note note}
Step 4
Save your changes by entering this command:
save config
Step 5
Configure various global media-stream configurations by entering this command:
config media-stream add multicast-direct stream-name media_stream_name start_IP end_IP [template {very-coarse | coarse | ordinary | low-resolution | med-resolution | high-resolution} | detail {Max_bandwidth bandwidth | packet size packet_size | Re-evaluation re-evaluation {periodic | initial}} video video priority {drop | fallback}
• The Resource Reservation Control (RRC) parameters are assigned with the predefined values based on the values
assigned to the template.
• The following templates are used to assign RRC parameters to the media stream:
• Very Coarse (below 3000 kbps)
• Coarse (below 500 kbps)
• Ordinary (below 750 kbps)
• Low Resolution (below 1 mbps)
• Medium Resolution (below 3 mbps)
• High Resolution (below 5 mbps)
Step 6
Delete a media stream by entering this command:
config media-stream delete media_stream_name
Step 7
Enable a specific enhanced distributed channel access (EDCA) profile by entering this command:
config advanced {802.11a | 802.11b} edca-parameters optimized-video-voice
Step 8
Enable the admission control on the desired bandwidth by entering the following commands:
• Enable bandwidth-based voice CAC for 802.11a or 802.11b/g network by entering this command:
config {802.11a | 802.11b} cac voice acm enable
• Set the percentage of the maximum bandwidth allocated to clients for voice applications on the 802.11a or 802.11b/g
network by entering this command:
config {802.11a | 802.11b} cac voice max-bandwidth bandwidth
• Configure the percentage of the maximum allocated bandwidth reserved for roaming voice clients on the 802.11a
or 802.11b/g network by entering this command:
config {802.11a | 802.11b} cac voice roam-bandwidth bandwidth
Note
For TSpec and SIP based CAC for video calls, only the Static method is supported.
Step 9
Set the maximum number of streams per radio and/or per client by entering these commands:
• Set the maximum limit to the number of multicast streams per radio by entering this command:
config {802.11a | 802.11b} media-stream multicast-direct radio-maximum [value | no-limit]
• Set the maximum number of multicast streams per client by entering this command:
config {802.11a | 802.11b} media-stream multicast-direct client-maximum [value | no-limit]
Step 10
Save your changes by entering this command:
save config
Viewing and Debugging Media Stream
SUMMARY STEPS
1. See the configured media streams by entering this command.
2. See the details of the media stream name by entering this command.
3. See the clients for a media stream by entering this command.
4. See a summary of the media stream and client information by entering this command.
5. See details about a particular media stream group by entering this command.
6. See details of the 802.11a or 802.11b media resource reservation configuration by entering this command.
7. Enable debugging of the media stream history by entering this command.
DETAILED STEPS
Step 1
See the configured media streams by entering this command:
show wlan wlan_id
Step 2
See the details of the media stream name by entering this command:
show 802.11{a | b | h} media-stream media-stream_name
Step 3
See the clients for a media stream by entering this command:
show 802.11a media-stream client media-stream-name
Step 4
See a summary of the media stream and client information by entering this command:
show media-stream group summary
Step 5
See details about a particular media stream group by entering this command:
show media-stream group detail media_stream_name
Step 6
See details of the 802.11a or 802.11b media resource reservation configuration by entering this command:
show {802.11a | 802.11b} media-stream rrc
Step 7
Enable debugging of the media stream history by entering this command:
debug media-stream history {enable | disable}
PART
IV
Security Solutions
• Cisco Unified Wireless Network Solution Security, on page 361
• Configuring RADIUS, on page 363
• Configuring TACACS+, on page 385
• Configuring Maximum Local Database Entries, on page 393
• Configuring Local Network Users on the Controller, on page 395
• Configuring Password Policies, on page 399
• Configuring LDAP, on page 401
• Configuring Local EAP, on page 407
• Configuring the System for SpectraLink NetLink Telephones, on page 417
• Configuring RADIUS NAC Support, on page 421
• Using Management Over Wireless, on page 427
• Using Dynamic Interfaces for Management, on page 429
• Configuring DHCP Option 82, on page 431
• Configuring and Applying Access Control Lists, on page 435
• Configuring Management Frame Protection, on page 443
• Configuring Client Exclusion Policies, on page 449
• Configuring Identity Networking, on page 453
• Configuring AAA Override, on page 459
• Managing Rogue Devices, on page 463
• Classifying Rogue Access Points, on page 473
• Configuring Cisco TrustSec SXP, on page 489
• Configuring Cisco Intrusion Detection System, on page 495
• Configuring IDS Signatures, on page 501
• Configuring wIPS, on page 509
• Configuring Wi-Fi Direct Client Policy, on page 519
• Configuring Web Auth Proxy, on page 521
• Detecting Active Exploits, on page 525
CHAPTER
39
Cisco Unified Wireless Network Solution
Security
• Security Overview, on page 361
• Layer 1 Solutions, on page 361
• Layer 2 Solutions, on page 361
• Layer 3 Solutions, on page 362
• Integrated Security Solutions, on page 362
Security Overview
The Cisco Unified Wireless Network (UWN) security solution bundles potentially complicated Layer 1, Layer
2, and Layer 3 802.11 Access Point security components into a simple policy manager that customizes
system-wide security policies on a per-WLAN basis. The Cisco UWN security solution provides simple,
unified, and systematic security management tools.
One of the biggest hurdles to WLAN deployment in the enterprise is WEP encryption, which is a weak
standalone encryption method. A newer problem is the availability of low-cost access points, which can be
connected to the enterprise network and used to mount man-in-the-middle and denial-of-service attacks.
Layer 1 Solutions
The Cisco UWN security solution ensures that all clients gain access within a user-set number of attempts. If
a client fails to gain access within that limit, it is automatically excluded (blocked from access) until the
user-set timer expires. The operating system can also disable SSID broadcasts on a per-WLAN basis.
Layer 2 Solutions
If a higher level of security and encryption is required, you can also implement industry-standard security
solutions such as Extensible Authentication Protocol (EAP), Wi-Fi Protected Access (WPA), and WPA2. The
Cisco UWN solution WPA implementation includes AES (Advanced Encryption Standard), TKIP and Michael
(temporal key integrity protocol and message integrity code checksum) dynamic keys, or WEP (Wired
Equivalent Privacy) static keys. Disabling is also used to automatically block Layer 2 access after a user-set
number of failed authentication attempts.
Regardless of the wireless security solution selected, all Layer 2 wired communications between controllers
and lightweight access points are secured by passing data through CAPWAP tunnels.
Restrictions for Layer 2 Solutions
Cisco Aironet client adapter version 4.2 does not authenticate if WPA/WPA2 is used with CCKM as the auth key
management and there is a 2 second latency between the controller and the AP.
Layer 3 Solutions
The WEP problem can be further solved using industry-standard Layer 3 security solutions such as passthrough
VPNs (virtual private networks).
The Cisco UWN solution supports local and RADIUS MAC (media access control) filtering. This filtering
is best suited to smaller client groups with a known list of 802.11 access card MAC addresses.
The Cisco UWN solution supports local and RADIUS user/password authentication. This authentication is
best suited to small to medium client groups.
Integrated Security Solutions
The integrated security solutions are as follows:
• Cisco Unified Wireless Network (UWN) solution operating system security is built around an 802.1X
AAA (authentication, authorization, and accounting) engine, which allows users to rapidly configure and
enforce a variety of security policies across the Cisco UWN solution.
• The controllers and lightweight access points are equipped with system-wide authentication and
authorization protocols across all ports and interfaces, maximizing system security.
• Operating system security policies are assigned to individual WLANs, and lightweight access points
simultaneously broadcast all (up to 16) configured WLANs, which can eliminate the need for additional
access points that would otherwise increase interference and degrade system throughput.
• Operating system security uses the RRM function to continually monitor the air space for interference
and security breaches and to notify the user when they are detected.
• Operating system security works with industry-standard authorization, authentication, and accounting
(AAA) servers.
CHAPTER 40
Configuring RADIUS
• Setting up RADIUS for Management Users, on page 363
• Configuring RADIUS (GUI), on page 365
• Configuring RADIUS (CLI), on page 369
• RADIUS Authentication Attributes Sent by the Controller, on page 373
• Authentication Attributes Honored in Access-Accept Packets (Airespace), on page 376
• RADIUS Accounting Attributes, on page 382
Setting up RADIUS for Management Users
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized
security for users attempting to gain management access to a network. It serves as a backend database similar
to local and TACACS+ and provides authentication and accounting services:
• Authentication: The process of verifying users when they attempt to log into the controller.
Users must enter a valid username and password in order for the controller to authenticate users to the
RADIUS server. If multiple databases are configured, you can specify the sequence in which the backend
database must be tried.
Note
Clients using Microsoft Windows 10 with the default (zero-touch config) supplicant
fail to connect to the controller when there is no CA certificate to validate the server
certificate. This is because the supplicant does not pop up a window to accept
the server certificate and silently rejects the 802.1X authentication. Therefore,
we recommend that you do either of the following:
• Manually install a third-party CA certificate on the AAA server, which the
clients using Microsoft Windows 10 can trust.
• Use any other supplicant, such as Cisco AnyConnect, which pops up a
window to trust or not trust the server certificate. If you accept the trust
certificate, then the client is authenticated.
• Accounting: The process of recording user actions and changes.
Whenever a user successfully executes an action, the RADIUS accounting server logs the changed
attributes, the user ID of the person who made the change, the remote host where the user is logged in,
the date and time when the command was executed, the authorization level of the user, and a description
of the action performed and the values provided. If the RADIUS accounting server becomes unreachable,
users are able to continue their sessions uninterrupted.
RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP
port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The
controller, which requires access control, acts as the client and requests AAA services from the server. The
traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared
secret key configured on both devices.
You can configure multiple RADIUS accounting and authentication servers. For example, you may want to
have one central RADIUS authentication server but several RADIUS accounting servers in different regions.
If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller
automatically tries the second one, then the third one if necessary, and so on.
When a management user is authenticated using a RADIUS server, only the PAP protocol is used. For web
authentication users, PAP, MSCHAPv2 and MD5 security mechanisms are supported.
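To make the transport description above concrete, here is an added Python example (written for this page; not Cisco code and not a complete RADIUS implementation) that builds the controller's PAP Access-Request for a management login from the attributes of Table 10, hides the User-Password with the shared secret as RFC 2865 specifies, and verifies the Response Authenticator of the server's reply. The MAC formats follow the controller's MAC Delimiter options; the secret, addresses, identifiers and credentials are constructed values.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6    # attribute IDs (Table 10)
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
SERVICE_TYPE_ADMINISTRATIVE = 6  # Service-Type value the guide maps to read-write access

def format_mac(mac, delimiter="hyphen"):
    """MAC Delimiter styles offered by the controller: colon, hyphen (default), single-hyphen, none."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("a MAC address has 12 hex digits")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    forms = {"colon": ":".join(pairs), "hyphen": "-".join(pairs),
             "single-hyphen": digits[:6] + "-" + digits[6:], "none": digits}
    return forms[delimiter]

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator. Only this
    attribute is hidden; the rest of the request is in the clear, so the secret must be strong."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server performs it (trailing NULs are padding)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident, username, password, secret, nas_ip, nas_mac,
                         client_mac, delimiter="hyphen"):
    """Controller side: an Access-Request for a management login (PAP only)."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, IPv4Address(nas_ip).packed),
        (CALLED_STATION_ID, format_mac(nas_mac, delimiter).encode()),  # System MAC Address type
        (CALLING_STATION_ID, format_mac(client_mac, delimiter).encode()),
        (NAS_IDENTIFIER, b"wlc-lab"),  # constructed identifier
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body

def build_response(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """Controller side: recompute the Response Authenticator with the shared secret and the
    Request Authenticator we sent; on mismatch the reply is dropped whatever its Code says."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def management_login(password="Sup3rSecret!", secret=b"constructed-shared-secret", tamper=False):
    """Run the exchange end to end; returns (response_verified, response_code)."""
    request = build_access_request(7, "admin", password, secret, "10.0.0.5",
                                   "00:1a:2b:3c:4d:5e", "a1-b2-c3-d4-e5-f6")
    # Server side: recover the password with the same secret, decide, and reply.
    recovered = unhide_password(dict(decode_attrs(request[20:]))[USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if recovered == b"Sup3rSecret!" else ACCESS_REJECT
    response = build_response(code, request, secret,
                              [(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))])
    if tamper:  # simulate a reply whose Code byte was altered in transit
        response = bytes([ACCESS_ACCEPT]) + response[1:]
    return verify_response(response, request, secret), response[0]
```

A reply that fails `verify_response` is discarded even when its Code byte reads Access-Accept, which is why a shared-secret mismatch between controller and server shows up as a failed login rather than an accepted one.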
RADIUS Server Support
• You can configure up to 17 RADIUS authentication and accounting servers.
• If multiple RADIUS servers are configured for redundancy, the user database must be identical in all the
servers for the backup to work properly.
• One Time Passwords (OTPs) are supported on the controller using RADIUS. In this configuration, the
controller acts as a transparent passthrough device. The controller forwards all client requests to the
RADIUS server without inspecting the client behavior. When using OTP, the client must establish a
single connection to the controller to function properly. The controller currently does not have any
intelligence or checks to correct a client that is trying to establish multiple connections.
• To create a read-only controller user on the RADIUS server, you must set the service type to NAS prompt
instead of Callback NAS prompt. If you set the service type to Callback NAS Prompt, the user
authentication fails while setting it to NAS prompt gives the user read-only access to the controller.
Also, the Callback Administrative service type gives the user the lobby ambassador privileges to the
controller.
• If RADIUS servers are mapped per WLAN, the controller does not use RADIUS servers from the global
list on that WLAN.
• To configure the RADIUS server:
• Using Access Control Server (ACS): See the latest Cisco Secure Access Control System guide at
https://www.cisco.com/c/en/us/support/security/secure-access-control-system/
products-user-guide-list.html.
• Using Identity Services Engine (ISE): See the Configuring External RADIUS Servers section in
the Cisco Identity Services Engine Administrator Guide at https://www.cisco.com/c/en/us/support/
security/identity-services-engine/products-installation-and-configuration-guides-list.html.
Primary and Fallback RADIUS Servers
The primary RADIUS server (the server with the lowest server index) is assumed to be the most preferable
server for the controller. If the primary server becomes unresponsive, the controller switches to the next active
backup server (the server with the next lowest server index). The controller continues to use this backup server,
unless you configure the controller to fall back to the primary RADIUS server when it recovers and becomes
responsive or to a more preferable server from the available backup servers.
Note
Functionality change introduced in Release 8.5.140.0:
When RADIUS aggressive failover for the controller is disabled: A packet is retried six times unless the client
terminates the exchange. The RADIUS server (both AUTH and ACCT) is marked unreachable after three
timeout events (18 consecutive retries) from multiple clients (previously, from exactly three clients).
When RADIUS aggressive failover for the controller is enabled: A packet is retried six times unless the client
terminates the exchange. The RADIUS server (both AUTH and ACCT) is marked unreachable after one
timeout event (6 consecutive retries) from multiple clients (previously, from exactly one client).
This means that the 18 consecutive retries per RADIUS server (both AUTH and ACCT) can come from multiple clients.
Therefore, it is not guaranteed that each packet will be retried six times.
Configuring RADIUS (GUI)
Step 1
Choose Security > AAA > RADIUS.
Step 2
Perform one of the following:
• If you want to configure a RADIUS server for authentication, choose Authentication.
• If you want to configure a RADIUS server for accounting, choose Accounting.
Note
The pages used to configure authentication and accounting contain mostly the same text boxes. Therefore,
these instructions walk through the configuration only once, using the Authentication pages as examples.
You would follow the same steps to configure multiple services and/or multiple servers.
The RADIUS Authentication (or Accounting) Servers page appears.
This page lists any RADIUS servers that have already been configured.
• If you want to delete an existing server, hover your cursor over the blue drop-down arrow for that server and
choose Remove.
• If you want to make sure that the controller can reach a particular server, hover your cursor over the blue drop-down
arrow for that server and choose Ping.
Step 3
From the Call Station ID Type drop-down list, choose the option that is sent to the RADIUS server in the
Access-Request message. The following options are available:
• IP Address
• System MAC Address
• AP MAC Address
• AP MAC Address:SSID
• AP Name:SSID
• AP Name
• AP Group
• Flex Group
• AP Location
• VLAN ID
Note
The AP Name:SSID, AP Name, AP Group, Flex Group, AP Location, and VLAN ID options are added in
the 7.4 release.
Step 4
Enable RADIUS-to-controller key transport using AES key wrap protection by checking the Use AES Key Wrap
check box. The default value is unchecked. This feature is required for FIPS customers.
Step 5
From the MAC Delimiter drop-down list, choose the option that is sent to the RADIUS server in the Access-Request
message. The following options are available:
• Colon
• Hyphen
• Single-hyphen
• None
Step 6
Click Apply. Perform one of the following:
• To edit an existing RADIUS server, click the server index number for that server. The RADIUS Authentication
(or Accounting) Servers > Edit page appears.
• To add a RADIUS server, click New. The RADIUS Authentication (or Accounting) Servers > New page appears.
Step 7
If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to specify the priority
order of this server in relation to any other configured RADIUS servers providing the same service.
Step 8
If you are adding a new server, enter the IP address of the RADIUS server in the Server IP Address text box.
Note
Auto IPv6 is not supported on RADIUS server. The RADIUS server must not be configured with Auto IPv6
address. Use fixed IPv6 address instead.
Step 9
From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared secret key
to be used between the controller and the RADIUS server. The default value is ASCII.
Step 10
In the Shared Secret and Confirm Shared Secret text boxes, enter the shared secret key to be used for authentication
between the controller and the server.
Note
The shared secret key must be the same on both the server and the controller.
Step 11
If you are configuring a new RADIUS authentication server and want to enable AES key wrap, which makes the shared
secret between the controller and the RADIUS server more secure, follow these steps:
Note
AES key wrap is designed for Federal Information Processing Standards (FIPS) customers and requires a
key-wrap compliant RADIUS authentication server.
a) Check the Key Wrap check box.
b) From the Key Wrap Format drop-down list, choose ASCII or HEX to specify the format of the AES key wrap
keys: Key Encryption Key (KEK) and Message Authentication Code Key (MACK).
c) In the Key Encryption Key (KEK) text box, enter the 16-byte KEK.
d) In the Message Authentication Code Key (MACK) text box, enter the 20-byte MACK.
Step 12
If you are adding a new server, enter the RADIUS server’s UDP port number for the interface protocols in the Port
Number text box. The valid range is 1 to 65535, and the default value is 1812 for authentication and 1813 for accounting.
Step 13
From the Server Status text box, choose Enabled to enable this RADIUS server or choose Disabled to disable it. The
default value is enabled.
Step 14
If you are configuring a new RADIUS authentication server, from the Support for RFC 3576 drop-down list, choose
Enabled to enable change of authorization, which is an extension to the RADIUS protocol that allows dynamic changes
to a user session, or choose Disabled to disable this feature. The default is Disabled. Support for RFC
3576 includes support for disconnecting users and changing authorizations applicable to a user session and supports
disconnect and change of authorization (CoA) messages. Disconnect messages cause a user session to be terminated
immediately, whereas CoA messages modify session authorization attributes such as data filters.
Step 15
In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30
seconds, and the default value is 2 seconds.
Note
We recommend that you increase the timeout value if you experience repeated reauthentication attempts or
the controller falls back to the backup server when the primary server is active and reachable.
Step 16
Check the Network User check box to enable network user authentication (or accounting), or uncheck it to disable
this feature. The default value is unchecked. If you enable this feature, this entry is considered the RADIUS authentication
(or accounting) server for network users. If you did not configure a RADIUS server entry on the WLAN, you must
enable this option for network users.
Step 17
If you are configuring a RADIUS authentication server, check the Management check box to enable management
authentication, or uncheck the check box to disable this feature. The default value is checked. If you enable this feature,
this entry is considered the RADIUS authentication server for management users, and authentication requests go to the
RADIUS server.
Step 18
Enter the Management Retransmit Timeout value, which denotes the network login retransmission timeout for the
server.
Step 19
Check the IPSec check box to enable the IP security mechanism, or uncheck the check box to disable this feature. The
default value is unchecked.
Note
IPSec is not supported for IPv6. Use this only if you have used IPv4 for Server IP Address.
Step 20
If you enabled IPsec, follow these steps to configure additional IPsec parameters:
a) From the IPSec drop-down list, choose one of the following options as the authentication protocol to be used for
IP security: HMAC MD5 or HMAC SHA1. The default value is HMAC SHA1.
A message authentication code (MAC) is used between two parties that share a secret key to validate information
transmitted between them. HMAC (Hash MAC) is based on cryptographic hash functions. It can be used in
combination with any iterated cryptographic hash function. HMAC MD5 and HMAC SHA1 are two constructs of
the HMAC using the MD5 hash function and the SHA1 hash function. HMAC also uses a secret key for calculation
and verification of the message authentication values.
b) From the IPSec Encryption drop-down list, choose one of the following options to specify the IP security encryption
mechanism:
• DES—Data Encryption Standard that is a method of data encryption using a private (secret) key. DES applies
a 56-bit key to each 64-bit block of data.
• 3DES—Data Encryption Standard that applies three keys in succession. This is the default value.
• AES CBC—Advanced Encryption Standard that uses keys with a length of 128, 192, or 256 bits to encrypt
data blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path in Cipher Block
Chaining (CBC) mode.
• 256-AES—Advanced Encryption Standard that uses keys with a length of 256 bits.
c) From the IKE Phase 1 drop-down list, choose one of the following options to specify the Internet Key Exchange
(IKE) protocol: Aggressive or Main. The default value is Aggressive.
IKE Phase 1 is used to negotiate how IKE should be protected. Aggressive mode passes more information in fewer
packets with the benefit of slightly faster connection establishment at the cost of transmitting the identities of the
security gateways in the clear.
d) In the Lifetime text box, enter a value (in seconds) to specify the timeout interval for the session. The valid range
is 1800 to 57600 seconds, and the default value is 1800 seconds.
e) From the IKE Diffie Hellman Group drop-down list, choose one of the following options to specify the IKE Diffie
Hellman group: Group 1 (768 bits), Group 2 (1024 bits), or Group 5 (1536 bits). The default value is Group 1
(768 bits).
Diffie-Hellman techniques are used by two devices to generate a symmetric key through which they can publicly
exchange values and generate the same symmetric key. Although all three groups provide security from conventional
attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group
1 and Group 2 based keys might occur slightly faster because of their smaller prime number size.
Note
If the shared secret for IPSec is not configured, the default RADIUS shared secret is used. If the authentication
method is PSK, WLANCC must be enabled for the IPSec shared secret to be used; otherwise the default value is used.
You can view the status for the WLANCC and UCAPL prerequisite modes in Controller > Inventory.
Step 21
Click Apply.
Step 22
Click Save Configuration.
Step 23
Repeat the previous steps if you want to configure any additional services on the same server or any additional RADIUS
servers.
Step 24
Specify the RADIUS server fallback behavior, as follows:
a) Choose Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters page.
b) From the Fallback Mode drop-down list, choose one of the following options:
• Off—Disables RADIUS server fallback. This is the default value.
• Passive—Causes the controller to revert to a server with a lower priority from the available backup servers
without using extraneous probe messages. The controller ignores all inactive servers for a time period and
retries later when a RADIUS message needs to be sent.
• Active—Causes the controller to revert to a server with a lower priority from the available backup servers by
using RADIUS probe messages to proactively determine whether a server that has been marked inactive is
back online. The controller ignores all inactive servers for all active RADIUS requests. Once the primary
server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends
probe messages to the server requesting the active probe authentication.
c) If you enabled Active fallback mode in Step b, enter the name to be sent in the inactive server probes in the Username
text box. You can enter up to 16 alphanumeric characters. The default value is “cisco-probe.”
d) If you enabled Active fallback mode in Step b, enter the probe interval value (in seconds) in the Interval in Sec text
box. The interval serves as inactive time in passive mode and probe interval in active mode. The valid range is 180
to 3600 seconds, and the default value is 300 seconds.
Step 25
Specify the order of authentication when multiple databases are configured by choosing Security > Priority Order >
Management User. The Priority Order > Management User page appears.
Step 26
In the Order Used for Authentication text box, specify which servers have priority when the controller attempts to
authenticate management users. Use the > and < buttons to move servers between the Not Used and Order Used for
Authentication text boxes. After the desired servers appear in the Order Used for Authentication text box, use the Up
and Down buttons to move the priority server to the top of the list.
By default, the local database is always queried first. If the username is not found, the controller switches to the RADIUS
server if configured for RADIUS or to the TACACS+ server if configured for TACACS+. The default setting is local
and then RADIUS.
Step 27
Click Apply.
Step 28
Click Save Configuration.
Related Topics
Configuring TACACS+ (GUI), on page 387
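The primary/backup selection described under Primary and Fallback RADIUS Servers, the timeout thresholds from its note, and the Off, Passive and Active fallback modes of Step 24, brought together in an added Python simulation. This is illustrative code written for this page, not the controller's implementation; the retry accounting, the probe bookkeeping and the handling of a request with no active server are simplifying assumptions.

```python
from dataclasses import dataclass


@dataclass
class RadiusServer:
    index: int              # server index (priority); the lowest index is the primary
    reachable: bool = True  # simulated real state of the server
    active: bool = True     # the controller's view; False once marked unreachable
    timeouts: int = 0       # timeout events counted by the controller
    marked_at: float = 0.0  # time the server was marked inactive (or last probed)


class RadiusFallbackModel:
    """Toy model of server selection and fallback (an assumption-based illustration).

    A request that times out costs RETRIES_PER_TIMEOUT retries and one timeout event
    for that server; the server is marked inactive after `timeouts_to_mark` events
    (three normally, one with aggressive failover); the fallback mode decides whether
    and how an inactive server is reconsidered; a request with no active server is
    simply dropped here.
    """

    RETRIES_PER_TIMEOUT = 6

    def __init__(self, servers, mode="off", interval=300, aggressive=False):
        if mode not in ("off", "passive", "active"):
            raise ValueError("fallback mode must be off, passive or active")
        self.servers = sorted(servers, key=lambda s: s.index)
        self.mode, self.interval = mode, interval
        self.timeouts_to_mark = 1 if aggressive else 3
        self.probes_sent = 0

    def _reconsider(self, now):
        """Apply the fallback mode to servers currently marked inactive."""
        for s in self.servers:
            if s.active or now - s.marked_at < self.interval:
                continue
            if self.mode == "passive":
                # Passive: no probes; after the interval the server is simply tried again
                # by the next real request (which fails if the server is still down).
                s.active, s.timeouts = True, 0
            elif self.mode == "active":
                # Active: send a probe (Username "cisco-probe" by default) and restore
                # the server only if the probe is answered.
                self.probes_sent += 1
                s.marked_at = now
                if s.reachable:
                    s.active, s.timeouts = True, 0
            # Off: the controller keeps using the backup server it switched to.

    def send(self, now=0.0):
        """Send one request at time `now`; returns (server_index, retries, success).

        The request goes to the active server with the lowest index, so a recovered
        primary is preferred again as soon as the fallback mode marks it active.
        """
        self._reconsider(now)
        server = next((s for s in self.servers if s.active), None)
        if server is None:
            return None, 0, False
        if server.reachable:
            server.timeouts = 0
            return server.index, 0, True
        server.timeouts += 1
        if server.timeouts >= self.timeouts_to_mark:
            server.active, server.marked_at = False, now
        return server.index, self.RETRIES_PER_TIMEOUT, False
```

Running the three modes against a primary that goes down and comes back shows the practical difference: Off never returns to the primary, Passive spends a real request discovering whether it is back, and Active spends a probe instead.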
Configuring RADIUS (CLI)
Procedure
• Specify whether the IP address, system MAC address, AP MAC address, AP Ethernet MAC address of
the originator will be sent to the RADIUS server in the Access-Request message by entering this command:
config radius callStationIdType {ipaddr | macaddr | ap-macaddr-only | ap-macaddr-ssid |
ap-group-name | ap-location | ap-name | ap-name-ssid | flex-group-name | vlan-id}
Note
The default is System MAC Address.
Caution
Do not use Called Station ID Type for IPv6-only clients.
• Specify the delimiter to be used in the MAC addresses that are sent to the RADIUS authentication or
accounting server in Access-Request messages by entering this command:
config radius {auth | acct} mac-delimiter {colon | hyphen | single-hyphen | none}
where
• colon sets the delimiter to a colon (the format is xx:xx:xx:xx:xx:xx).
• hyphen sets the delimiter to a hyphen (the format is xx-xx-xx-xx-xx-xx). This is the default value.
• single-hyphen sets the delimiter to a single hyphen (the format is xxxxxx-xxxxxx).
• none disables delimiters (the format is xxxxxxxxxxxx).
• Configure a RADIUS authentication server by entering these commands:
• config radius auth add index server_ip_address port_number {ascii | hex} shared_secret—Adds
a RADIUS authentication server.
• config radius auth keywrap {enable | disable}—Enables AES key wrap, which makes the shared
secret between the controller and the RADIUS server more secure. AES key wrap is designed for
Federal Information Processing Standards (FIPS) customers and requires a key-wrap compliant
RADIUS authentication server.
• config radius auth keywrap add {ascii | hex} kek mack index—Configures the AES key wrap
attributes
where
• kek specifies the 16-byte Key Encryption Key (KEK).
• mack specifies the 20-byte Message Authentication Code Key (MACK).
• index specifies the index of the RADIUS authentication server on which to configure the AES
key wrap.
• config radius auth rfc3576 {enable | disable} index—Enables or disables RFC 3576, which is an
extension to the RADIUS protocol that allows dynamic changes to a user session. RFC 3576 includes
support for disconnecting users and changing authorizations applicable to a user session and supports
disconnect and change-of-authorization (CoA) messages. Disconnect messages cause a user session
to be terminated immediately where CoA messages modify session authorization attributes such as
data filters.
• config radius auth retransmit-timeout index timeout—Configures the retransmission timeout
value for a RADIUS authentication server.
• config radius auth mgmt-retransmit-timeout index timeout—Configures the default management
login retransmission timeout for a RADIUS authentication server.
• config radius auth network index {enable | disable}—Enables or disables network user
authentication. If you enable this feature, this entry is considered the RADIUS authentication server
for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable
this option for network users.
• config radius auth management index {enable | disable}—Enables or disables management
authentication. If you enable this feature, this entry is considered the RADIUS authentication server
for management users, and authentication requests go to the RADIUS server.
• config radius auth ipsec {enable | disable} index—Enables or disables the IP security mechanism.
• config radius auth ipsec authentication {hmac-md5 | hmac-sha1} index—Configures the
authentication protocol to be used for IP security.
• config radius auth ipsec encryption {3des | aes | des | none} index—Configures the IP security
encryption mechanism.
• config radius auth ipsec ike dh-group {group-1 | group-2 | group-5} index—Configures the IKE
Diffie-Hellman group.
• config radius auth ipsec ike lifetime interval index—Configures the timeout interval for the session.
• config radius auth ipsec ike phase1{aggressive | main} index—Configures the Internet Key
Exchange (IKE) protocol.
• config radius auth ipsec ike auth-method {PSK | certificate} index—Configures the IKE
authentication method. By default, PSK is used for IPSEC sessions.
• config radius auth ipsec ike auth-mode pre-shared-key index hex/ascii secret—Configures the
IPSEC pre-shared key.
• config radius auth ipsec ike auth-mode {pre-shared-key index hex-ascii-index shared-secret |
certificate index} —Configures the IKE authentication method. By default, preshared key is used
for IPSEC sessions.
• config radius auth {enable | disable} index—Enables or disables a RADIUS authentication server.
• config radius auth delete index—Deletes a previously added RADIUS authentication server.
• Configure a RADIUS accounting server by entering these commands:
• config radius acct add index server_ip_address port# {ascii | hex} shared_secret—Adds a RADIUS
accounting server.
• config radius acct server-timeout index timeout—Configures the retransmission timeout value
for a RADIUS accounting server.
• config radius acct network index {enable | disable}—Enables or disables network user accounting.
If you enable this feature, this entry is considered the RADIUS accounting server for network users.
If you did not configure a RADIUS server entry on the WLAN, you must enable this option for
network users.
• config radius acct ipsec {enable | disable} index—Enables or disables the IP security mechanism.
• config radius acct ipsec authentication {hmac-md5 | hmac-sha1} index—Configures the
authentication protocol to be used for IP security.
• config radius acct ipsec encryption {3des | aes | des | none} index—Configures the IP
security encryption mechanism.
• config radius acct ipsec ike dh-group {group-1 | group-2 | group-5} index—Configures the IKE
Diffie Hellman group.
• config radius acct ipsec ike lifetime interval index—Configures the timeout interval for the session.
• config radius acct ipsec ike phase1{aggressive | main} index—Configures the Internet Key
Exchange (IKE) protocol.
• config radius acct {enable | disable} index—Enables or disables a RADIUS accounting server.
• config radius acct delete index—Deletes a previously added RADIUS accounting server.
• config radius auth callStationIdType ap-group-name —Sets the Called Station ID type to use
the AP group name. If the AP is not part of any AP group, default-group is taken as the AP group
name.
• config radius auth callStationIdType ap-location—Sets the Called Station ID to the AP Location.
• config radius auth callStationIdType {ap-macaddr-only | ap-macaddr-ssid}—Sets the Called
Station ID type to be AP’s radio MAC address or AP’s radio MAC address with SSID in the <AP
radio MAC address>:<SSID> format.
• config radius auth callStationIdType {ap-name | ap-name-ssid}—Sets the Called Station ID
type to be AP name or AP name with SSID in the <AP name>:<SSID> format.
• config radius auth callStationIdType flex-group-name—Sets the Called Station ID type to the
FlexConnect group name.
• config radius auth callStationIdType {ipaddr | macaddr}—Sets the Called Station ID type to
use the IP address (only Layer 3) or system's MAC address.
• config radius auth callStationIdType vlan-id—Sets the Called Station ID type to the system's
VLAN ID.
• Configure the RADIUS server fallback behavior by entering this command:
config radius fallback-test mode {off | passive | active}
where
• off disables RADIUS server fallback.
• passive causes the controller to revert to a server with a lower priority from the available backup
servers without using extraneous probe messages. The controller simply ignores all inactive servers
for a time period and retries later when a RADIUS message needs to be sent.
• active causes the controller to revert to a server with a lower priority from the available backup
servers by using RADIUS probe messages to proactively determine whether a server that has been
marked inactive is back online. The controller ignores all inactive servers for all active RADIUS
requests. Once the primary server receives a response from the recovered ACS server, the active
fallback RADIUS server no longer sends probe messages to the server requesting the active probe
authentication.
Note
If you enable probing, the RADIUS server is probed at every probe interval, irrespective of the probe
response. For more information, see CSCvc01761.
• If you enabled Active mode in Step 5, enter these commands to configure additional fallback parameters:
• config radius fallback-test username username—Specifies the name to be sent in the inactive
server probes. You can enter up to 16 alphanumeric characters for the username parameter.
• config radius fallback-test interval interval—Specifies the probe interval value (in seconds).
• Save your changes by entering this command:
save config
• Configure the order of authentication when multiple databases are configured by entering this command:
config aaa auth mgmt AAA_server_type AAA_server_type
where AAA_server_type is local, RADIUS, or TACACS+.
To see the current management authentication server order, enter the show aaa auth command.
• See RADIUS statistics by entering these commands:
• show radius summary—Shows a summary of RADIUS servers and statistics with AP Ethernet
MAC configurations.
• show radius auth statistics—Shows the RADIUS authentication server statistics.
• show radius acct statistics—Shows the RADIUS accounting server statistics.
• show radius rfc3576 statistics—Shows a summary of the RADIUS RFC-3576 server.
• See active security associations by entering these commands:
• show ike {brief | detailed} ip_or_mac_addr—Shows a brief or detailed summary of active IKE
security associations.
• show ipsec {brief | detailed} ip_or_mac_addr—Shows a brief or detailed summary of active IPSec
security associations.
• Clear the statistics for one or more RADIUS servers by entering this command:
clear stats radius {auth | acct} {index | all}
• Make sure that the controller can reach the RADIUS server by entering this command:
ping server_ip_address
Related Topics
Configuring TACACS+ (CLI), on page 389
RADIUS Authentication Attributes Sent by the Controller
The following tables identify the RADIUS authentication attributes sent between the controller and the
RADIUS server in access-request and access-accept packets.
Table 10: Authentication Attributes Sent in Access-Request Packets
Attribute ID    Description
1               User-Name
2               Password
3               CHAP-Password
4               NAS-IP-Address
5               NAS-Port
6               Service-Type
12              Framed-MTU
30              Called-Station-ID (MAC address)
31              Calling-Station-ID (MAC address)
32              NAS-Identifier
33              Proxy-State
60              CHAP-Challenge
61              NAS-Port-Type
79              EAP-Message
Note
To specify read-only or read-write access to controllers through RADIUS authentication, you must set
the Service-Type attribute (6) on the RADIUS server to Callback NAS Prompt for read-only access
or to Administrative for read-write privileges.
Table 11: Authentication Attributes Honored in Access-Accept Packets (Cisco)

Attribute ID   Description
1              Cisco-LEAP-Session-Key
2              Cisco-Keywrap-Msg-Auth-Code
3              Cisco-Keywrap-NonCE
4              Cisco-Keywrap-Key
5              Cisco-URL-Redirect
6              Cisco-URL-Redirect-ACL

Note
These Cisco-specific attributes are not supported: Auth-Algo-Type and SSID.
Table 12: Authentication Attributes Honored in Access-Accept Packets (Standard)

Attribute ID   Description
6              Service-Type. To specify read-only or read-write access to controllers
               through RADIUS authentication, you must set the Service-Type attribute
               (6) on the RADIUS server to Callback NAS Prompt for read-only access
               or to Administrative for read-write privileges.
8              Framed-IP-Address
25             Class
26             Vendor-Specific
27             Timeout
29             Termination-Action
40             Acct-Status-Type
64             Tunnel-Type
79             EAP-Message
81             Tunnel-Group-ID

Note
Message authentication is not supported.
Table 13: Authentication Attributes Honored in Access-Accept Packets (Microsoft)

Attribute ID   Description
11             MS-CHAP-Challenge
16             MS-MPPE-Send-Key
17             MS-MPPE-Receive-Key
25             MS-MSCHAP2-Response
26             MS-MSCHAP2-Success
Table 14: Authentication Attributes Honored in Access-Accept Packets (Airespace)

Attribute ID   Description
1              VAP-ID
3              DSCP
4              8021P-Type
5              VLAN-Interface-Name
6              ACL-Name
7              Data-Bandwidth-Average-Contract
8              Real-Time-Bandwidth-Average-Contract
9              Data-Bandwidth-Burst-Contract
10             Real-Time-Bandwidth-Burst-Contract
11             Guest-Role-Name
13             Data-Bandwidth-Average-Contract-US
14             Real-Time-Bandwidth-Average-Contract-US
15             Data-Bandwidth-Burst-Contract-US
16             Real-Time-Bandwidth-Burst-Contract-US

Note
Guest-Role-Name is honored only on L3 security web authentication with AAA over-ride enabled on the
controller.
Authentication Attributes Honored in Access-Accept Packets (Airespace)
This section lists the RADIUS authentication Airespace attributes currently supported on the controller.
VAP ID
This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID
attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client
station after it authenticates. The WLAN ID is sent by the controller in all instances of authentication except
IPsec. For web authentication, if the controller receives a WLAN-ID attribute in the authentication
response from the AAA server and it does not match the ID of the WLAN, authentication is rejected; the
same rejection applies to 802.1X and MAC filtering. This rejection, based on the response from the AAA
server, exists because of the SSID Cisco AVPair support. The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont.)          |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        WLAN ID (VALUE)                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
• Vendor type – 1
• Vendor length – 4
• Value – ID of the WLAN to which the client should belong.
QoS-Level
This attribute indicates the QoS level to be applied to the mobile client's traffic within the switching fabric,
as well as over the air. This example shows a summary of the QoS-Level Attribute format. The fields are
transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont.)          |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           QoS Level                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
• Vendor type – 2
• Vendor length – 4
• Value – Three octets:
• 3 – Bronze (Background)
• 0 – Silver (Best Effort)
• 1 – Gold (Video)
• 2 – Platinum (Voice)
Differentiated Services Code Point (DSCP)
DSCP is a packet header code that can be used to provide differentiated services based on the QoS levels.
This attribute defines the DSCP value to be applied to a client. When present in a RADIUS Access Accept,
the DSCP value overrides the DSCP value specified in the WLAN profile. The fields are transmitted from
left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont.)          |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         DSCP (VALUE)                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
• Vendor type – 3
• Vendor length – 4
• Value – DSCP value to be applied for the client.
802.1p Tag Type
The 802.1p VLAN tag received from the client defines the access priority. This tag maps to the QoS Level
for client-to-network packets. This attribute defines the 802.1p priority to be applied to the client. When
present in a RADIUS Access Accept, the 802.1p value overrides the default specified in the WLAN profile.
The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont.)          |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        802.1p (VALUE)                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
• Vendor type – 4
• Vendor length – 3
• Value – 802.1p priority to be applied to a client.
VLAN Interface Name
This attribute indicates the VLAN interface a client is to be associated to. A summary of the Interface-Name
Attribute format is shown below. The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont.)          |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Interface Name...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type – 26 for Vendor-Specific
• Length – >7
• Vendor-Id – 14179
• Vendor type – 5
• Vendor length – >0
• Value – A string that includes the name of the interface the client is to be assigned to.
Note
This attribute only works when MAC filtering is enabled or if 802.1X or WPA
is used as the security policy.
ACL-Name
This attribute indicates the ACL name to be applied to the client. A summary of the ACL-Name Attribute
format is shown below. The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont.)          |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  ACL Name...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type – 26 for Vendor-Specific
• Length – >7
• Vendor-Id – 14179
• Vendor type – 6
• Vendor length – >0
• Value – A string that includes the name of the ACL to use for the client
AAA Override for IPv6 ACLs
In order to support centralized access control through a centralized AAA server such as the Cisco Identity
Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis using AAA Override
attributes. In order to use this feature, the IPv6 ACL must be configured on the controller and the WLAN
must be configured with the AAA Override feature enabled. The actual named AAA attribute for an IPv6
ACL is Airespace-IPv6-ACL-Name, which is similar to the Airespace-ACL-Name attribute that is used for
provisioning an IPv4-based ACL. The contents of the returned AAA attribute should be a string equal to the
name of the IPv6 ACL as configured on the controller.
Data Bandwidth Average Contract
This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied
for a client for non-realtime traffic such as TCP. This value is specific for downstream direction from wired
to wireless. When present in a RADIUS Access Accept, the Data Bandwidth Average Contract value overrides
the Average Data Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to
right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont.)          |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data Bandwidth Average Contract...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
• Vendor type – 7
• Vendor length – 4
• Value – A value in kbps
Real Time Bandwidth Average Contract
This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied
to a client for realtime traffic such as UDP. This value is specific for downstream direction from wired to
wireless. When present in a RADIUS Access Accept, the Real Time Bandwidth Average Contract value
overrides the Average Real-Time Rate value present in the WLAN or QoS Profile. The fields are transmitted
from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont.)          |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Real Time Bandwidth Average Contract...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
• Vendor type – 8
• Vendor length – 4
• Value – A value in kbps
Data Bandwidth Burst Contract
This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to
a client for non-realtime traffic such as TCP. This value is specific to downstream direction from wired to
wireless. When present in a RADIUS Access Accept, the Data Bandwidth Burst Contract value overrides the
Burst Data Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont.)          |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data Bandwidth Burst Contract...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
• Vendor type – 9
• Vendor length – 4
• Value – A value in kbps
Real Time Bandwidth Burst Contract
This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to
a client for realtime traffic such as UDP. This value is specific to downstream direction from wired to wireless.
When present in a RADIUS Access Accept, the Real Time Bandwidth Burst Contract value overrides the
Burst Real-Time Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
Note
If you try to implement Average Data Rate and Burst Data Rate as AAA override parameters to be pushed
from an AAA server, both Average Data Rate and Burst Data Rate have to be sent from ISE.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont.)          |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Real Time Bandwidth Burst Contract...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
• Vendor type – 10
• Vendor length – 4
• Value – A value in kbps
Guest Role Name
This attribute provides the bandwidth contract values to be applied for an authenticating user. When present
in a RADIUS Access Accept, the bandwidth contract values defined for the Guest Role override the bandwidth
contract values (based on the QoS value) specified for the WLAN. The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont.)          |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  GuestRoleName ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
• Vendor type – 11
• Vendor length – Variable based on the Guest Role Name length
• Value – A string of alphanumeric characters
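The following Python is an added example, not code from this guide or from the controller software. It builds and decodes RADIUS Vendor-Specific (26) attributes in the Airespace layout documented in the attribute sections above (vendor types from Table 14, QoS-Level values from the QoS-Level section) and reports the management access level that the Service-Type attribute of Table 12 would grant. It assumes RFC 2865 length semantics (each length field counts its own header octets), the RFC 2865 Service-Type values Administrative = 6 and Callback NAS Prompt = 9, and a constructed Access-Accept attribute list.

```python
import struct

# RADIUS attribute ids from Tables 10 and 12; Airespace vendor id from the diagrams above.
SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26
AIRESPACE_VENDOR_ID = 14179

# Service-Type values (RFC 2865) that the guide maps to management access levels.
SERVICE_TYPE_ADMINISTRATIVE = 6       # read-write
SERVICE_TYPE_CALLBACK_NAS_PROMPT = 9  # read-only

# Airespace vendor types from Table 14 and the per-attribute sections above.
# Integer-valued types carry a big-endian number; string types carry text.
AIRESPACE_INT = {
    1: "VAP-ID", 2: "QoS-Level", 3: "DSCP", 4: "8021P-Type",
    7: "Data-Bandwidth-Average-Contract", 8: "Real-Time-Bandwidth-Average-Contract",
    9: "Data-Bandwidth-Burst-Contract", 10: "Real-Time-Bandwidth-Burst-Contract",
    13: "Data-Bandwidth-Average-Contract-US", 14: "Real-Time-Bandwidth-Average-Contract-US",
    15: "Data-Bandwidth-Burst-Contract-US", 16: "Real-Time-Bandwidth-Burst-Contract-US",
}
AIRESPACE_STR = {5: "VLAN-Interface-Name", 6: "ACL-Name", 11: "Guest-Role-Name"}
QOS_LEVEL = {3: "Bronze (Background)", 0: "Silver (Best Effort)",
             1: "Gold (Video)", 2: "Platinum (Voice)"}


def encode_airespace_vsa(vendor_type, value):
    """Build one Vendor-Specific (26) attribute in the Airespace layout:
    Type | Length | Vendor-Id (4) | Vendor type | Vendor length | value.
    Lengths follow RFC 2865: each counts its own header octets (assumption)."""
    data = value.encode() if isinstance(value, str) else struct.pack(">I", value)
    sub = struct.pack(">BB", vendor_type, 2 + len(data)) + data
    body = struct.pack(">I", AIRESPACE_VENDOR_ID) + sub
    return struct.pack(">BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(payload):
    """Walk a RADIUS attribute list, yielding (type, value). Truncated or
    zero-length TLVs raise instead of being read past the end of the buffer."""
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        yield atype, payload[pos + 2:pos + alen]
        pos += alen


def decode_airespace(value):
    """Decode the body of a Vendor-Specific attribute. Returns
    (name, decoded_value), or None when it is not a known Airespace VSA."""
    if len(value) < 6:
        return None
    vendor_id, vtype, vlen = struct.unpack(">IBB", value[:6])
    if vendor_id != AIRESPACE_VENDOR_ID or vlen < 2 or 4 + vlen > len(value):
        return None
    data = value[6:4 + vlen]
    if vtype in AIRESPACE_INT:
        # The 802.1p section documents a 3-octet vendor length, so accept any
        # 1..4 octet integer instead of insisting on exactly 4.
        if not 1 <= len(data) <= 4:
            return None
        num = int.from_bytes(data, "big")
        return AIRESPACE_INT[vtype], (QOS_LEVEL.get(num, num) if vtype == 2 else num)
    if vtype in AIRESPACE_STR:
        return AIRESPACE_STR[vtype], data.decode("utf-8", errors="replace")
    return None


def decode_access_accept(payload):
    """Summarise what an Access-Accept would override on the controller: the
    management access level from Service-Type plus every Airespace override."""
    result = {}
    for atype, value in iter_attributes(payload):
        if atype == SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack(">I", value)[0]
            result["management-access"] = {
                SERVICE_TYPE_ADMINISTRATIVE: "read-write",
                SERVICE_TYPE_CALLBACK_NAS_PROMPT: "read-only",
            }.get(service_type, "none (Service-Type %d)" % service_type)
        elif atype == VENDOR_SPECIFIC:
            decoded = decode_airespace(value)
            if decoded:
                result[decoded[0]] = decoded[1]
    return result


# Constructed sample Access-Accept attribute list (not a real capture).
SAMPLE_ACCEPT = (
    struct.pack(">BBI", SERVICE_TYPE, 6, SERVICE_TYPE_ADMINISTRATIVE)
    + encode_airespace_vsa(1, 7)             # VAP-ID: WLAN 7
    + encode_airespace_vsa(2, 2)             # QoS-Level: Platinum (Voice)
    + encode_airespace_vsa(5, "guest-vlan")  # VLAN-Interface-Name
    + encode_airespace_vsa(6, "guest-acl")   # ACL-Name
    + encode_airespace_vsa(7, 2048)          # Data-Bandwidth-Average-Contract, kbps
)
```

Calling decode_access_accept(SAMPLE_ACCEPT) returns a dictionary of the overrides the controller would apply; a VSA from any other vendor id, or a truncated attribute list, is skipped or rejected rather than partially applied.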
RADIUS Accounting Attributes
This table identifies the RADIUS accounting attributes for accounting requests sent from a controller to the
RADIUS server.
Table 15: Accounting Attributes for Accounting Requests

Attribute ID   Description
1              User-Name
4              NAS-IP-Address
5              NAS-Port
8              Framed-IP-Address
25             Class
30             Called-Station-ID (MAC address)
31             Calling-Station-ID (MAC address)
32             NAS-Identifier
40             Accounting-Status-Type
41             Accounting-Delay-Time (Stop and interim messages only)
42             Accounting-Input-Octets (Stop and interim messages only)
43             Accounting-Output-Octets (Stop and interim messages only)
44             Accounting-Session-ID
45             Accounting-Authentic
46             Accounting-Session-Time (Stop and interim messages only)
47             Accounting-Input-Packets (Stop and interim messages only)
48             Accounting-Output-Packets (Stop and interim messages only)
49             Accounting-Terminate-Cause (Stop messages only)
52             Accounting-Input-Gigawords
53             Accounting-Output-Gigawords
55             Event-Timestamp
64             Tunnel-Type
65             Tunnel-Medium-Type
81             Tunnel-Group-ID
This table lists the different values for the Accounting-Status-Type attribute (40).
Table 16: Accounting-Status-Type Attribute Values

Attribute ID   Description
1              Start
2              Stop
3              Interim-Update
7              Accounting-On
8              Accounting-Off
9-14           Reserved for Tunneling Accounting
15             Reserved for Failed

Note
RADIUS Accounting Interim updates are sent upon each client authentication, even if the RADIUS Server
Accounting - Interim Update feature is not enabled on the client's WLAN.
Interim updates can also be triggered by events such as mobility events, every time clients receive IPv4
addresses, PEM state changes, and so on.
CHAPTER 41
Configuring TACACS+
• Setting up TACACS+, on page 385
• Configuring TACACS+ (GUI), on page 387
• Configuring TACACS+ (CLI), on page 389
• Viewing the TACACS+ Administration Server Logs, on page 390
Setting up TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is a client/server protocol that provides
centralized security for users attempting to gain management access to a controller. It serves as a backend
database similar to local and RADIUS. However, local and RADIUS provide only authentication support and
limited authorization support while TACACS+ provides three services:
• Authentication: The process of verifying users when they attempt to log into the controller.
Users must enter a valid username and password in order for the controller to authenticate users to the
TACACS+ server. The authentication and authorization services are tied to one another. For example,
if authentication is performed using the local or RADIUS database, then authorization would use the
permissions that are associated with the user in the local or RADIUS database (which are read-only,
read-write, and lobby-admin) and not use TACACS+. Similarly, when authentication is performed using
TACACS+, authorization is tied to TACACS+.
Note
When multiple databases are configured, you can use the controller GUI or CLI
to specify the sequence in which the backend databases should be tried.
• Authorization: The process of determining the actions that users are allowed to take on the controller
based on their level of access.
For TACACS+, authorization is based on privilege (or role) rather than specific actions. The available
roles correspond to the seven menu options on the controller GUI: MONITOR, WLAN, CONTROLLER,
WIRELESS, SECURITY, MANAGEMENT, and COMMANDS. An additional role, LOBBY, is available
for users who require only lobby ambassador privileges. The roles to which users are assigned are
configured on the TACACS+ server. Users can be authorized for one or more roles.
The minimum authorization is MONITOR only, and the maximum is ALL, which authorizes the user to
execute the functionality associated with all seven menu options. For example, a user who is assigned
the role of SECURITY can make changes to any items appearing on the Security menu (or designated
as security commands in the case of the CLI). If users are not authorized for a particular role (such as
WLAN), they can still access that menu option in read-only mode (or the associated CLI show commands).
If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to
log into the controller.
Note
If users attempt to make changes on a controller GUI page that are not permitted
for their assigned role, a message appears indicating that they do not have
sufficient privilege. If users enter a controller CLI command that is not permitted
for their assigned role, a message may appear indicating that the command was
successfully executed although it was not. In this case, the following additional
message appears to inform users that they lack sufficient privileges to successfully
execute the command: “Insufficient Privilege! Cannot execute command!”
• Accounting: The process of recording user actions and changes.
Whenever a user successfully executes an action, the TACACS+ accounting server logs the changed
attributes, the user ID of the person who made the change, the remote host where the user is logged in,
the date and time when the command was executed, the authorization level of the user, and a description
of the action performed and the values provided. If the TACACS+ accounting server becomes unreachable,
users are able to continue their sessions uninterrupted.
Note
The TACACS+ logs record the configurations as user-readable statements.
TACACS+ uses Transmission Control Protocol (TCP) for its transport, unlike RADIUS which uses User
Datagram Protocol (UDP). It maintains a database and listens on TCP port 49 for incoming requests. The
controller, which requires access control, acts as the client and requests AAA services from the server. The
traffic between the controller and the server is encrypted by an algorithm that is defined in the protocol and
a shared secret key that is configured on both devices.
You can configure up to three TACACS+ authentication, authorization, and accounting servers each. For
example, you may want to have one central TACACS+ authentication server but several TACACS+
authorization servers in different regions. If you configure multiple servers of the same type and the first one
fails or becomes unreachable, the controller automatically tries the second one and then the third one if
necessary.
Note
If multiple TACACS+ servers are configured for redundancy, the user database must be identical in all the
servers for the backup to work properly.
The following are some guidelines about TACACS+:
• You must configure TACACS+ on both your CiscoSecure Access Control Server (ACS) and your
controller. You can configure the controller through either the GUI or the CLI.
• TACACS+ is supported on CiscoSecure ACS version 3.2 and later releases. See the CiscoSecure ACS
documentation for the version that you are running.
• One Time Passwords (OTPs) are supported on the controller using TACACS. In this configuration, the
controller acts as a transparent passthrough device. The controller forwards all client requests to the
TACACS server without inspecting the client behavior. When using OTP, the client must establish a
single connection to the controller to function properly. The controller currently does not have any
intelligence or checks to correct a client that is trying to establish multiple connections.
• We recommend that you increase the retransmit timeout value for TACACS+ authentication, authorization,
and accounting servers if you experience repeated reauthentication attempts or the controller falls back
to the backup server when the primary server is active and reachable. The default retransmit timeout
value is 2 seconds and you can increase the retransmit timeout value to a maximum of 30 seconds.
• If you want to migrate your configuration from a Cisco 5508 WLC to a Cisco 5520 WLC, the RADIUS
or TACACS+ configuration present in Cisco 5508 WLC does not work in Cisco 5520 WLC. We
recommend that you configure the RADIUS or TACACS+ configuration again after migration.
• To configure the TACACS+ server:
• Using Access Control Server (ACS)—See the latest Cisco Secure Access Control System guide at
http://www.cisco.com/c/en/us/support/security/secure-access-control-system/
products-user-guide-list.html.
• Using Identity Services Engine (ISE)—See the ISE TACACS+ Configuration Guide for Wireless
LAN Controllers at http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/
HowTo-TACACS_for_WLC.pdf.
This section contains the following subsections:
TACACS+ VSA
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific attributes (VSAs) between the network access server and the TACACS+ server. The IETF
uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general
use.
The Cisco TACACS+ implementation supports one vendor-specific option using the format recommended
in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named
cisco-av-pair. The value is a string with the following format:
protocol : attribute separator value *
The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for
mandatory attributes, and * (asterisk) indicates optional attributes.
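The following Python is an added example, not code from this guide or from the controller. It parses cisco-av-pair values in the protocol : attribute separator value format described above, distinguishing mandatory (=) from optional (*) attributes, and evaluates a set of them the way a TACACS+ client must: an unsupported mandatory attribute fails the authorization, an unsupported optional one is ignored. The attribute names (mgmt:roles, mgmt:idle-timeout, and so on) and the comma-separated role value are constructed for illustration and are not the controller's real TACACS+ dictionary; only the role names come from the guide.

```python
import re

# cisco-av-pair value format from the section above:
#   protocol : attribute separator value
# where "=" marks a mandatory attribute and "*" an optional one.
AV_PAIR = re.compile(r"^\s*([^:\s]+)\s*:\s*([^=*]+?)\s*([=*])\s*(.*?)\s*$")

# Authorization roles the guide lists for the controller.
WLC_ROLES = {"MONITOR", "WLAN", "CONTROLLER", "WIRELESS", "SECURITY",
             "MANAGEMENT", "COMMANDS", "LOBBY", "ALL"}


def parse_av_pair(text):
    """Split one cisco-av-pair string into (protocol, attribute, mandatory, value)."""
    match = AV_PAIR.match(text)
    if not match:
        raise ValueError("not a cisco-av-pair: %r" % text)
    protocol, attribute, separator, value = match.groups()
    return protocol, attribute, separator == "=", value


def apply_av_pairs(pairs, supported):
    """Evaluate av-pair strings against the 'protocol:attribute' names this
    client understands. Returns (authorized, applied). An unsupported
    mandatory attribute fails the authorization; an unsupported optional
    attribute is ignored."""
    applied = {}
    for raw in pairs:
        protocol, attribute, mandatory, value = parse_av_pair(raw)
        key = "%s:%s" % (protocol, attribute)
        if key in supported:
            applied[key] = value
        elif mandatory:
            return False, {}
    return True, applied


def granted_roles(applied, role_key):
    """Read the roles from one applied attribute (comma-separated, a constructed
    convention for this example), keeping only names the controller defines."""
    raw = applied.get(role_key, "")
    roles = {r.strip().upper() for r in raw.split(",") if r.strip()}
    return sorted(roles & WLC_ROLES)


# Constructed attribute names and av-pairs (hypothetical, not the controller's
# real TACACS+ dictionary).
SUPPORTED = {"mgmt:roles", "mgmt:idle-timeout"}
SAMPLE_PAIRS = [
    "mgmt:roles=SECURITY,WLAN",   # mandatory, supported
    "mgmt:idle-timeout*600",      # optional, supported
    "mgmt:banner*welcome",        # optional, unsupported: ignored
]
REJECTED_PAIRS = SAMPLE_PAIRS + ["mgmt:vrf=blue"]  # mandatory, unsupported: fails
```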
Configuring TACACS+ (GUI)
Step 1
Choose Security > AAA > TACACS+.
Step 2
Perform one of the following:
• If you want to configure a TACACS+ server for authentication, choose Authentication.
• If you want to configure a TACACS+ server for authorization, choose Authorization.
• If you want to configure a TACACS+ server for accounting, choose Accounting.
Note
The pages used to configure authentication, authorization, and accounting all contain the same text boxes.
Therefore, these instructions walk through the configuration only once, using the Authentication pages as
examples. You would follow the same steps to configure multiple services and/or multiple servers.
For basic management authentication via TACACS+ to succeed, you must configure both authentication
and authorization servers on the WLC. Accounting configuration is optional.
The TACACS+ (Authentication, Authorization, or Accounting) Servers page appears. This page lists any TACACS+
servers that have already been configured.
• If you want to delete an existing server, hover your cursor over the blue drop-down arrow for that server and
choose Remove.
• If you want to make sure that the controller can reach a particular server, hover your cursor over the blue drop-down
arrow for that server and choose Ping.
Step 3
Perform one of the following:
• To edit an existing TACACS+ server, click the server index number for that server. The TACACS+
(Authentication, Authorization, or Accounting) Servers > Edit page appears.
• To add a TACACS+ server, click New. The TACACS+ (Authentication, Authorization, or Accounting) Servers
> New page appears.
Step 4
If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to specify the priority
order of this server in relation to any other configured TACACS+ servers providing the same service. You can configure
up to three servers. If the controller cannot reach the first server, it tries the second one in the list and then the third if
necessary.
Step 5
If you are adding a new server, enter the IP address of the TACACS+ server in the Server IP Address text box.
Step 6
From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared secret key
to be used between the controller and the TACACS+ server. The default value is ASCII.
Step 7
In the Shared Secret and Confirm Shared Secret text boxes, enter the shared secret key to be used for authentication
between the controller and the server.
Note
The shared secret key must be the same on both the server and the controller.
Step 8
If you are adding a new server, enter the TACACS+ server’s TCP port number for the interface protocols in the Port
Number text box. The valid range is 1 to 65535, and the default value is 49.
Step 9
In the Server Status text box, choose Enabled to enable this TACACS+ server or choose Disabled to disable it. The
default value is Enabled.
Step 10
In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range is 5 to 30
seconds, and the default value is 5 seconds.
Note
We recommend that you increase the timeout value if you experience repeated reauthentication attempts or
the controller falls back to the backup server when the primary server is active and reachable.
Step 11
Click Apply.
Step 12
Click Save Configuration.
Step 13
Repeat the previous steps if you want to configure any additional services on the same server or any additional TACACS+
servers.
Step 14
Specify the order of authentication when multiple databases are configured by choosing Security > Priority Order >
Management User. The Priority Order > Management User page appears.
Step 15
In the Order Used for Authentication text box, specify which servers have priority when the controller attempts to
authenticate management users.
Use the > and < buttons to move servers between the Not Used and Order Used for Authentication text boxes. After
the desired servers appear in the Order Used for Authentication text box, use the Up and Down buttons to move the
priority server to the top of the list. By default, the local database is always queried first. If the username is not found,
the controller switches to the RADIUS server if configured for RADIUS or to the TACACS+ server if configured for
TACACS+. The default setting is local and then RADIUS.
Step 16
Click Apply.
Step 17
Click Save Configuration.
Related Topics
Configuring RADIUS (GUI), on page 365
Configuring TACACS+ (CLI)
Procedure
• Configure a TACACS+ authentication server by entering these commands:
• config tacacs auth add index server_ip_address port# {ascii | hex} shared_secret—Adds a
TACACS+ authentication server.
• config tacacs auth delete index—Deletes a previously added TACACS+ authentication server.
• config tacacs auth {enable | disable} index—Enables or disables a TACACS+ authentication
server.
• config tacacs auth server-timeout index timeout—Configures the retransmission timeout value
for a TACACS+ authentication server.
• Configure a TACACS+ authorization server by entering these commands:
• config tacacs athr add index server_ip_address port# {ascii | hex} shared_secret—Adds a
TACACS+ authorization server.
• config tacacs athr delete index—Deletes a previously added TACACS+ authorization server.
• config tacacs athr {enable | disable} index—Enables or disables a TACACS+ authorization server.
• config tacacs athr server-timeout index timeout—Configures the retransmission timeout value
for a TACACS+ authorization server.
• Configure a TACACS+ accounting server by entering these commands:
• config tacacs acct add index server_ip_address port# {ascii | hex} shared_secret—Adds a
TACACS+ accounting server.
• config tacacs acct delete index—Deletes a previously added TACACS+ accounting server.
• config tacacs acct {enable | disable} index—Enables or disables a TACACS+ accounting server.
• config tacacs acct server-timeout index timeout—Configures the retransmission timeout value for
a TACACS+ accounting server.
• See TACACS+ statistics by entering these commands:
• show tacacs summary—Shows a summary of TACACS+ servers and statistics.
• show tacacs auth stats—Shows the TACACS+ authentication server statistics.
• show tacacs athr stats—Shows the TACACS+ authorization server statistics.
• show tacacs acct stats—Shows the TACACS+ accounting server statistics.
• Clear the statistics for one or more TACACS+ servers by entering this command:
clear stats tacacs [auth | athr | acct] {index | all}
• Configure the order of authentication when multiple databases are configured by entering this command.
The default setting is local and then radius.
config aaa auth mgmt [radius | tacacs]
See the current management authentication server order by entering the show aaa auth command.
• Make sure the controller can reach the TACACS+ server by entering this command:
ping server_ip_address
• Enable or disable TACACS+ debugging by entering this command:
debug aaa tacacs {enable | disable}
• Save your changes by entering this command:
save config
Related Topics
Configuring RADIUS (CLI), on page 369
Viewing the TACACS+ Administration Server Logs
Step 1
On the ACS main page, in the left navigation pane, choose Reports and Activity.
Step 2
Under Reports, choose TACACS+ Administration.
Click the .csv file corresponding to the date of the logs you want to view. The TACACS+ Administration .csv page
appears.
Figure 34: TACACS+ Administration .csv Page on CiscoSecure ACS
This page displays the following information:
• Date and time the action was taken
• Name and assigned role of the user who took the action
• Group to which the user belongs
• Specific action that the user took
• Privilege level of the user who executed the action
• IP address of the controller
• IP address of the laptop or workstation from which the action was executed
Sometimes a single action (or command) is logged multiple times, once for each parameter in the command. For example,
if you enter the snmp community ipaddr ip_address subnet_mask community_name command, the IP address may be
logged on one line while the subnet mask and community name are logged as “E.” On another line, the subnet mask
may be logged while the IP address and community name are logged as “E.” See the first and third lines in the example
in this figure.
Figure 35: TACACS+ Administration .csv Page on CiscoSecure ACS
CHAPTER
42
Configuring Maximum Local Database Entries
• Maximum Local Database Entries, on page 393
• Configuring Maximum Local Database Entries (GUI), on page 393
• Configuring Maximum Local Database Entries (CLI), on page 393
Maximum Local Database Entries
You can configure the controller to specify the maximum number of local database entries that are used for
storing user authentication information. The database entries include local management users (including lobby
ambassadors), local network users (including guest users), MAC filter entries, exclusion list entries, and access
point authorization list entries. Together they cannot exceed the configured maximum value.
This section contains the following subsections:
Configuring Maximum Local Database Entries (GUI)
Step 1
Choose Security > AAA > General to open the General page.
Step 2
In the Maximum Local Database Entries text box, enter a value for the maximum number of entries that can be added to
the local database the next time the controller reboots. The currently configured value appears in parentheses to the right
of the text box. The valid range is 512 to 2048, and the default setting is 2048.
The Number of Entries, Already Used text box shows the number of entries currently in the database.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your settings.
Configuring Maximum Local Database Entries (CLI)
Step 1
Specify the maximum number of entries that can be added to the local database the next time the controller reboots by
entering this command:
config database size max_entries
Step 2
Save your changes by entering this command:
save config
Step 3
View the maximum number of database entries and the current database contents by entering this command:
show database summary
CHAPTER
43
Configuring Local Network Users on the
Controller
• Local Network Users on Controller, on page 395
• Configuring Local Network Users for the Controller (GUI), on page 395
• Configuring Local Network Users for the Controller (CLI), on page 396
Local Network Users on Controller
You can add local network users to the local user database on the controller. The local user database stores
the credentials (username and password) of all the local network users. These credentials are then used to
authenticate the users. Local network user entries can be used to authenticate clients through web authentication
or local EAP.
This section contains the following subsections:
Configuring Local Network Users for the Controller (GUI)
Step 1
Choose Security > AAA > Local Net Users to open the Local Net Users page.
Note
If you want to delete an existing user, hover your cursor over the blue drop-down arrow for that user and
choose Remove.
Step 2
Perform one of the following:
• To edit an existing local network user, click the username for that user. The Local Net Users > Edit page appears.
• To add a local network user, click New. The Local Net Users > New page appears.
Step 3
If you are adding a new user, enter a username for the local user in the User Name text box. You can enter up to 49
alphanumeric characters.
Note
Local network usernames must be unique because they are all stored in the same database.
Step 4
In the Password and Confirm Password text boxes, enter a password for the local user. You can enter up to 49
alphanumeric characters.
Step 5
If you are adding a new user, select the Guest User check box if you want to limit the amount of time that the user has
access to the local network. The default setting is unselected.
Step 6
If you are adding a new user and you selected the Guest User check box, enter the amount of time (in seconds) that
the guest user account is to remain active in the Lifetime text box. The valid range is 60 to 2,592,000 seconds (30 days)
inclusive, and the default setting is 86,400 seconds.
Step 7
If you are adding a new user, you selected the Guest User check box, and you want to assign a QoS role to this guest
user, select the Guest User Role check box. The default setting is unselected.
Note
If you do not assign a QoS role to a guest user, the bandwidth contracts for this user are defined in the QoS
profile for the WLAN.
Step 8
If you are adding a new user and you selected the Guest User Role check box, choose the QoS role that you want to
assign to this guest user from the Role drop-down list.
Step 9
From the WLAN Profile drop-down list, choose the name of the WLAN that is to be accessed by the local user. If you
choose Any WLAN, which is the default setting, the user can access any of the configured WLANs.
Note
If you are deleting a WLAN associated with network users, then the system prompts you to delete all network
users associated with the WLAN before deleting the WLAN itself.
Step 10
In the Description text box, enter a descriptive title for the local user (such as “User 1”).
Step 11
Click Apply to commit your changes.
Step 12
Click Save Configuration to save your changes.
Configuring Local Network Users for the Controller (CLI)
Procedure
• Configure a local network user by entering these commands:
• config netuser add username password wlan wlan_id userType permanent description
description—Adds a permanent user to the local user database on the controller.
• config netuser add username password {wlan | guestlan} {wlan_id | guest_lan_id} userType
guestlifetime seconds description description—Adds a guest user on a WLAN or wired guest LAN
to the local user database on the controller.
Note
Instead of adding a permanent user or a guest user to the local user database from the controller, you can
choose to create an entry on the RADIUS server for the user and enable RADIUS authentication for the WLAN
on which web authentication is performed.
• config netuser delete {username username | wlan-id wlan-id}
• username—Deletes a user from the local user database on the controller.
Note
Local network usernames must be unique because they are all stored in the same
database.
• wlan-id—Delete all the network users associated with the WLAN ID.
Note
When a WLAN associated with network users is deleted, the system prompts to
delete all network users associated with the WLAN first. After deleting the
network users, you can delete the WLAN.
• See information related to the local network users configured on the controller by entering these commands:
• show netuser detail username—Shows the configuration of a particular user in the local user
database.
• show netuser summary—Lists all the users in the local user database.
• Save your changes by entering this command:
save config
CHAPTER
44
Configuring Password Policies
• Password Policies, on page 399
• Configuring Password Policies (GUI), on page 400
• Configuring Password Policies (CLI), on page 400
Password Policies
Password policies allow you to enforce strong password checks on newly created passwords for additional
management users of the controller and access points. The following rules apply to new passwords:
• When the controller is upgraded from an older release, all existing passwords are kept as they are, even
if they are weak. If strong password checks are enabled after the upgrade, they are enforced from that
point on; the strength of previously added passwords is not checked or altered.
• Depending on the settings made in the Password Policy page, the local management and access point
user configuration is affected.
Guidelines and Restrictions for Password Policies
• The strong password requirement based on the WLAN-CC requirement applies only to WLAN admin login
passwords and not to AP management user passwords.
• AP management user passwords must be a minimum of 8 characters and a maximum of 127 characters
long. Also, it is not possible to change the AP management user password. Therefore, the strong password
restrictions that apply to local net users do not apply to AP management user passwords.
• The strong password lockout feature is not applied if you access the controller through a serial
connection or a terminal server connection; such connections allow unlimited attempts.
This section contains the following subsections:
Configuring Password Policies (GUI)
Step 1
Choose Security > AAA > Password Policies to open the Password Policies page.
Step 2
Select the Password must contain characters from at least 3 different classes check box if you want your password
to contain characters from at least three of the following classes: lower case letters, upper case letters, digits, and special
characters.
Step 3
Select the No character can be repeated more than 3 times consecutively check box if you do not want any character
in the new password to repeat more than three times consecutively.
Step 4
Select the Password cannot be the default words like cisco, admin check box if you do not want the password to
contain words such as Cisco, ocsic, admin, nimda, or any variant obtained by changing the capitalization of letters or by
substituting 1, |, or ! for i, substituting 0 for o, or substituting $ for s.
Step 5
Select the Password cannot contain username or reverse of username check box if you do not want the password to
contain a username or the reverse letters of a username.
Step 6
Click Apply to commit your changes.
Step 7
Click Save Configuration to save your changes.
Configuring Password Policies (CLI)
Procedure
• Enable or disable strong password check for AP and WLC by entering this command:
config switchconfig strong-pwd {case-check | consecutive-check | default-check | username-check
| all-checks} {enable | disable}
where
• case-check—Checks that the password contains characters from at least three different character classes
• consecutive-check—Checks that no character occurs more than three times consecutively
• default-check—Checks that default words (such as cisco or admin) or their variants are not being used
• username-check—Checks that neither the username nor its reverse is being used
• all-checks—Enables/disables all the strong password checks
• See the configured options for strong password check by entering this command:
show switchconfig
Information similar to the following appears:
802.3x Flow Control Mode......................... Disabled
FIPS prerequisite features....................... Disabled
secret obfuscation............................... Enabled
Strong Password Check Features:
case-check ...........Enabled
consecutive-check ....Enabled
default-check .......Enabled
username-check ......Enabled
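The four checks above can be reproduced locally so that a candidate password is screened before it is pushed to the controller. The following is an added example, not code from the Cisco guide or the controller; the default-word list and the substitution table are reconstructed from the descriptions on this page, and the CLI check names are used as the names of the failing checks.

```python
"""Added example, not code from the Cisco guide: a local pre-check that mirrors
the four strong-password checks enabled by `config switchconfig strong-pwd`.
The word list and substitution table are reconstructed from the guide's text."""
import re

# Default words the controller rejects; the reverse spellings ("ocsic",
# "nimda") are derived from these at check time.
DEFAULT_WORDS = ("cisco", "admin")
# Substitutions the guide names: 1, | or ! for i, 0 for o, $ for s.
SUBSTITUTIONS = {"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"}


def case_check(password: str) -> bool:
    """Characters from at least three of: lower, upper, digit, special."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def consecutive_check(password: str) -> bool:
    """No character repeated more than three times consecutively."""
    return re.search(r"(.)\1{3,}", password) is None


def _normalize(text: str) -> str:
    """Undo the listed substitutions and case changes before word matching."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in text).lower()


def default_check(password: str) -> bool:
    """No default word (cisco, admin), its reverse, or a leet/case variant."""
    norm = _normalize(password)
    return not any(w in norm or w[::-1] in norm for w in DEFAULT_WORDS)


def username_check(password: str, username: str) -> bool:
    """Password must not contain the username or its reverse."""
    if not username:
        return True
    p, u = password.lower(), username.lower()
    return u not in p and u[::-1] not in p


def all_checks(password: str, username: str) -> list:
    """Names (as the CLI spells them) of the checks the password fails."""
    results = {
        "case-check": case_check(password),
        "consecutive-check": consecutive_check(password),
        "default-check": default_check(password),
        "username-check": username_check(password, username),
    }
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    for pw in ("C!sco2024!", "Gr33n-Lant3rn#7", "bobBOB1111"):
        print(pw, "->", all_checks(pw, "bob") or "accepted")
```

The normalization step is what makes default-check meaningful: "C!sco2024!" looks varied enough to pass the class and repetition checks, but once the substitutions are undone it reads "cisco2024i" and is rejected, which is the behaviour the Password Policies page describes.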
CHAPTER
45
Configuring LDAP
• LDAP, on page 401
• Configuring LDAP (GUI), on page 401
• Configuring LDAP (CLI), on page 403
LDAP
An LDAP backend database allows the controller to query an LDAP server for the credentials (username and
password) of a particular user. These credentials are then used to authenticate the user. For example, local
EAP may use an LDAP server as its backend database to retrieve user credentials.
Note
From Release 8.0, IPv6 can also be used to configure the LDAP server on the controller.
Fallback LDAP Servers
The LDAP servers are configured on a WLAN for authentication. You require at least two LDAP servers to
configure them for fallback behavior. A maximum of three LDAP servers can be configured for the fallback
behavior per WLAN. The servers are listed in priority order for authentication. If the first LDAP server
becomes unresponsive, the controller switches to the next LDAP server. If the second LDAP server
becomes unresponsive, the controller switches again to the third LDAP server.
The LDAP backend database supports these local EAP methods: EAP-TLS, EAP-FAST/GTC, and
PEAPv1/GTC. LEAP, EAP-FAST/MSCHAPv2, EAP-FAST/EAP-GTC and PEAPv0/MSCHAPv2 are also
supported, but only if the LDAP server is set up to return a clear-text password.
Controllers support Local EAP authentication against external LDAP databases such as Microsoft Active
Directory and Novell’s eDirectory.
This section contains the following subsections:
Configuring LDAP (GUI)
Step 1
Choose Security > AAA > LDAP to open the LDAP Servers page.
• If you want to delete an existing LDAP server, hover your cursor over the blue drop-down arrow for that server
and choose Remove.
• If you want to make sure that the controller can reach a particular server, hover your cursor over the blue drop-down
arrow for that server and choose Ping.
Step 2
Perform one of the following:
• To edit an existing LDAP server, click the index number for that server. The LDAP Servers > Edit page is
displayed.
• To add an LDAP server, click New. The LDAP Servers > New page is displayed. If you are adding a new server,
choose a number from the Server Index (Priority) drop-down list to specify the priority order of this server in
relation to any other configured LDAP servers. You can configure up to 17 servers. If the controller cannot reach
the first server, it tries the second one in the list and so on.
Step 3
If you are adding a new server, enter the IP address of the LDAP server in the Server IP Address field. Both IPv4 and
IPv6 addresses are supported.
Step 4
If you are adding a new server, enter the LDAP server’s TCP port number in the Port Number field. The valid range
is 1 to 65535, and the default value is 389.
Note
Only LDAP port 389 is supported on Cisco WLC. No other ports are supported for LDAP.
Step 5
From the Server Mode drop-down list, choose None.
Step 6
Check the Enable Server Status check box to enable this LDAP server or unselect it to disable it. The default value
is disabled.
Step 7
From the Simple Bind drop-down list, choose Anonymous or Authenticated to specify the local authentication bind
method for the LDAP server. The Anonymous method allows anonymous access to the LDAP server. The Authenticated
method requires that a username and password be entered to secure access. The default value is Anonymous.
Step 8
If you chose Authenticated in the previous step, follow these steps:
a) In the Bind Username field, enter a username to be used for local authentication to the LDAP server. The username
can contain up to 80 characters.
Note
If the username starts with “cn=” (in lowercase letters), the controller assumes that the username includes
the entire LDAP database path and does not append the user base DN. This designation allows the
authenticated bind user to be outside the user base DN.
b) In the Bind Password field, enter the password that goes with the bind username for local authentication to the
LDAP server.
Step 9
In the User Base DN field, enter the distinguished name (DN) of the subtree in the LDAP server that contains a list of
all the users. For example, ou=organizational unit, ou=next organizational unit, o=corporation.com. If the tree
containing users is the base DN, type
o=corporation.com
or
dc=corporation, dc=com
Step 10
In the User Attribute field, enter the name of the attribute in the user record that contains the username. You can obtain
this attribute from your directory server.
Step 11
In the User Object Type field, enter the value of the LDAP objectType attribute that identifies the record as a user.
Often, user records have several values for the objectType attribute, some of which are unique to the user and some of
which are shared with other object types.
Step 12
In the Server Timeout field, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds,
and the default value is 2 seconds.
Step 13
Click Apply to commit your changes.
Step 14
Click Save Configuration to save your changes.
Step 15
Specify LDAP as the priority backend database server for local EAP authentication as follows:
a) Choose Security > Local EAP > Authentication Priority to open the Priority Order > Local-Auth page.
b) Highlight LOCAL and click < to move it to the left User Credentials field.
c) Highlight LDAP and click > to move it to the right User Credentials field. The database that is displayed at the
top of the right User Credentials field is used when retrieving user credentials.
Note
If both LDAP and LOCAL appear in the right User Credentials field with LDAP on the top and LOCAL
on the bottom, local EAP attempts to authenticate clients using the LDAP backend database and fails
over to the local user database if the LDAP servers are not reachable. If the user is not found, the
authentication attempt is rejected. If LOCAL is on the top, local EAP attempts to authenticate using only
the local user database. It does not fail over to the LDAP backend database.
d) Click Apply to commit your changes.
e) Click Save Configuration to save your changes.
Step 16
(Optional) Assign specific LDAP servers to a WLAN as follows:
a) Choose WLANs to open the WLANs page.
b) Click the ID number of the desired WLAN.
c) When the WLANs > Edit page is displayed, choose the Security > AAA Servers tabs to open the WLANs > Edit
(Security > AAA Servers) page.
d) From the LDAP Servers drop-down lists, choose the LDAP server(s) that you want to use with this WLAN. You
can choose up to three LDAP servers, which are tried in priority order.
Note
These LDAP servers apply only to WLANs with web authentication enabled. They are not used by local
EAP.
e) Click Apply to commit your changes.
f) Click Save Configuration to save your changes.
Step 17
Specify the LDAP server fallback behavior, as follows:
a) Choose WLAN > AAA Server to open the Fallback Parameters page.
b) From the LDAP Servers drop-down list, choose the LDAP server in the order of priority when the controller
attempts to authenticate management users. The order of authentication is from server.
c) Choose Security > AAA > LDAP to view the list of global LDAP servers configured for the controller.
Configuring LDAP (CLI)
Procedure
• Configure an LDAP server by entering these commands:
• config ldap add index server_ip_address port# user_base user_attr user_type—Adds an LDAP
server.
• config ldap delete index—Deletes a previously added LDAP server.
• config ldap {enable | disable} index—Enables or disables an LDAP server.
• config ldap simple-bind {anonymous index | authenticated index username username password
password}—Specifies the local authentication bind method for the LDAP server. The anonymous
method allows anonymous access to the LDAP server whereas the authenticated method requires
that a username and password be entered to secure access. The default value is anonymous. The
username can contain up to 80 characters.
If the username starts with “cn=” (in lowercase letters), the controller assumes that the username
includes the entire LDAP database path and does not append the user base DN. This designation
allows the authenticated bind user to be outside the user base DN.
• config ldap retransmit-timeout index timeout—Configures the number of seconds between
retransmissions for an LDAP server.
• Specify LDAP as the priority backend database server by entering this command:
config local-auth user-credentials ldap
If you enter the config local-auth user-credentials ldap local command, local EAP attempts to
authenticate clients using the LDAP backend database and fails over to the local user database if the
LDAP servers are not reachable. If the user is not found, the authentication attempt is rejected. If you
enter the config local-auth user-credentials local ldap command, local EAP attempts to authenticate
using only the local user database. It does not fail over to the LDAP backend database.
• (Optional) Assign specific LDAP servers to a WLAN by entering these commands:
• config wlan ldap add wlan_id server_index—Links a configured LDAP server to a WLAN.
The LDAP servers specified in this command apply only to WLANs with web authentication enabled.
They are not used by local EAP.
• config wlan ldap delete wlan_id {all | index}—Deletes a specific or all configured LDAP server(s)
from a WLAN.
• View information pertaining to configured LDAP servers by entering these commands:
• show ldap summary—Shows a summary of the configured LDAP servers.
Idx  Server Address   Port  Enabled
---  --------------   ----  -------
1    2.3.1.4          389   No
2    10.10.20.22      389   Yes
• show ldap index—Shows detailed LDAP server information. Information like the following appears:
Server Index..................................... 2
Address.......................................... 10.10.20.22
Port............................................. 389
Enabled.......................................... Yes
User DN.......................................... ou=active,ou=employees,ou=people,
o=cisco.com
User Attribute................................... uid
User Type........................................ Person
Retransmit Timeout............................... 2 seconds
Bind Method ..................................... Authenticated
Bind Username................................. user1
• show ldap statistics—Shows LDAP server statistics.
Server Index..................................... 1
Server statistics:
Initialized OK................................. 0
Initialization failed.......................... 0
Initialization retries......................... 0
Closed OK...................................... 0
Request statistics:
Received....................................... 0
Sent........................................... 0
OK............................................. 0
Success........................................ 0
Authentication failed.......................... 0
Server not found............................... 0
No received attributes......................... 0
No passed username............................. 0
Not connected to server........................ 0
Internal error................................. 0
Retries........................................ 0
Server Index..................................... 2
..
• show wlan wlan_id—Shows the LDAP servers that are applied to a WLAN.
• Make sure the controller can reach the LDAP server by entering this command:
ping server_ip_address
• Save your changes by entering this command:
save config
• Enable or disable debugging for LDAP by entering this command:
debug aaa ldap {enable | disable}
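The show ldap index and show ldap statistics outputs above use the controller's dotted-leader layout, which is easy to scrape from a CLI session when you want to watch the failure counters without logging in interactively. The following parser is an added example, not code from the Cisco guide; the two sample outputs are constructed from the excerpts on this page, and the non-zero counter values in the statistics sample are made up for the demonstration.

```python
"""Added example, not code from the Cisco guide: a parser for the dotted-leader
'Label..... value' layout printed by `show ldap index` and `show ldap statistics`,
plus a check that flags non-zero failure counters. The sample outputs are
constructed from the guide's excerpts; the counter values are invented."""
import re

# A label, a run of at least three leader dots, then the value.
LEADER = re.compile(r"^\s*(?P<key>.+?)\s*\.{3,}\s*(?P<value>.*)$")

# Counters in `show ldap statistics` that indicate trouble when non-zero.
FAILURE_COUNTERS = (
    "Initialization failed",
    "Authentication failed",
    "Server not found",
    "Not connected to server",
    "Internal error",
)

# Constructed from the `show ldap index` excerpt in the guide; the User DN
# wraps onto a second line, as the CLI prints it.
SAMPLE_INDEX = """\
Server Index..................................... 2
Address.......................................... 10.10.20.22
Port............................................. 389
Enabled.......................................... Yes
User DN.......................................... ou=active,ou=employees,ou=people,
o=cisco.com
User Attribute................................... uid
User Type........................................ Person
Retransmit Timeout............................... 2 seconds
Bind Method ..................................... Authenticated
Bind Username................................. user1
"""

# Constructed statistics block; the non-zero counters are invented.
SAMPLE_STATS = """\
Server Index..................................... 2
Server statistics:
Initialized OK................................. 1
Initialization failed.......................... 0
Closed OK...................................... 0
Request statistics:
Sent........................................... 12
Success........................................ 9
Authentication failed.......................... 3
Not connected to server........................ 1
Internal error................................. 0
"""


def parse_dotted(output: str) -> dict:
    """Map each label to its value. A line with no leader continues the
    previous value; a bare 'Something:' line is a section header."""
    fields, last = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LEADER.match(line)
        if m:
            last = m.group("key").strip()
            fields[last] = m.group("value").strip()
        elif line.endswith(":"):
            last = None
        elif last is not None:
            fields[last] += line
    return fields


def ldap_problems(stats_output: str) -> dict:
    """Return {counter: value} for failure counters greater than zero."""
    fields = parse_dotted(stats_output)
    problems = {}
    for name in FAILURE_COUNTERS:
        try:
            value = int(fields.get(name, "0"))
        except ValueError:
            continue
        if value > 0:
            problems[name] = value
    return problems


if __name__ == "__main__":
    print(parse_dotted(SAMPLE_INDEX)["User DN"])
    print(ldap_problems(SAMPLE_STATS))
```

A rising "Authentication failed" count on a server whose bind method is Authenticated usually means the bind credentials or the user base DN are wrong rather than that clients are mistyping passwords, so checking the parsed index fields next to the counters is a quick first triage step.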
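The lookup order set with config local-auth user-credentials, combined with the per-WLAN LDAP fallback (up to three servers tried in priority order), decides which database answers an authentication and when the controller stops trying. The model below is an added example, not code from the Cisco guide; the LDAP servers and user stores are in-memory stand-ins, and the reason strings are chosen for the demonstration.

```python
"""Added example, not code from the Cisco guide: a model of the credential
lookup order set with `config local-auth user-credentials {ldap local | local ldap}`
together with the per-WLAN LDAP fallback (up to three servers, tried in
priority order; the next one is used only when the previous is unresponsive).
The LDAP servers and user stores below are in-memory stand-ins."""
import hmac

MAX_FALLBACK_SERVERS = 3


class LdapUnreachable(Exception):
    """The server did not answer within its retransmit timeout."""


class LdapServer:
    """Stand-in for one configured LDAP server (index, reachability, users)."""

    def __init__(self, index, reachable, users):
        self.index = index
        self.reachable = reachable
        # username -> clear-text password, as the LDAP-backed EAP methods require
        self.users = users

    def lookup(self, username):
        if not self.reachable:
            raise LdapUnreachable(f"LDAP server {self.index} is unresponsive")
        return self.users.get(username)  # None when the user does not exist


def ldap_lookup(servers, username):
    """Try the servers in priority order, switching only on unresponsiveness.
    Returns the stored password, or None if the user is not found on the
    first server that answers. Raises LdapUnreachable if none answer."""
    if len(servers) > MAX_FALLBACK_SERVERS:
        raise ValueError("at most three LDAP servers per WLAN")
    error = LdapUnreachable("no LDAP server configured")
    for server in servers:
        try:
            return server.lookup(username)
        except LdapUnreachable as exc:
            error = exc
    raise error


def authenticate(order, ldap_servers, local_users, username, password):
    """Return (accepted, reason). With ('ldap', 'local') the local database is
    consulted only when every LDAP server is unreachable; a user missing from
    LDAP is rejected outright. With 'local' first there is no failover to LDAP."""
    source = order[0]
    if source == "ldap":
        try:
            stored = ldap_lookup(ldap_servers, username)
        except LdapUnreachable:
            if "local" not in order[1:]:
                return False, "LDAP servers unreachable"
            source = "local (LDAP failover)"
            stored = local_users.get(username)
    else:
        stored = local_users.get(username)
    if stored is None:
        return False, f"user not found in {source}"
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return False, "bad password"
    return True, f"authenticated via {source}"


if __name__ == "__main__":
    servers = [LdapServer(1, False, {}), LdapServer(2, True, {"alice": "pw-a"})]
    local = {"bob": "pw-b"}
    print(authenticate(("ldap", "local"), servers, local, "alice", "pw-a"))
    print(authenticate(("ldap", "local"), servers, local, "bob", "pw-b"))
```

The second call in the usage block is the case that surprises people: bob exists only in the local database, but because an LDAP server answered and did not find him, the attempt is rejected rather than retried locally. Local failover happens only when all LDAP servers are unreachable, exactly as the note on the local-auth order states.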
CHAPTER
46
Configuring Local EAP
• Local EAP, on page 407
• Restrictions for Local EAP, on page 407
• Configuring Local EAP (GUI), on page 408
• Configuring Local EAP (CLI), on page 411
Local EAP
Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is
designed for use in remote offices that want to maintain connectivity to wireless clients when the backend
system becomes disrupted or the external authentication server goes down. When you enable local EAP, the
controller serves as the authentication server and the local user database, which removes dependence on an
external authentication server. Local EAP retrieves user credentials from the local user database to authenticate
users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC
authentication between the controller and wireless clients.
This section contains the following subsections:
Restrictions for Local EAP
• Local EAP profiles are not supported on Cisco 600 Series OfficeExtend access points.
• Timer restrictions for local and central authentication using EAP: The EAP timeout cannot be configured
on Wave 2 APs. Even though you can configure the EAP timeout on the controller, for Wave 2 APs, the
EAP timeout is hardcoded to 30 seconds. This is due to the following reasons:
• Clients get stuck in the 802.1X state indefinitely if the AP moves from connected to standalone mode while
EAP is in progress.
• If the controller does not send EAP frames for some reason, clients get stuck indefinitely
at the AP.
This has impact on clients, such as Windows clients, that wait for EAP identity request to pop up and
are prompted for username and password. This issue is not seen on clients such as Apple, Samsung,
Zebra, or WPA supplicants because they take the username and password beforehand.
• For mesh APs, you cannot configure EAP parameters. The mesh APs have the following static EAP
configuration: EAP request timeout set to 60 seconds and the maximum number of EAP identity request
retries set to 2.
• Legacy clients that require RC4 or 3DES encryption type are not supported in Local EAP authentication.
Configuring Local EAP (GUI)
Before you begin
Note
EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC use certificates for authentication, and EAP-FAST uses
either certificates or PACs. The controller is shipped with Cisco-installed device and Certificate Authority
(CA) certificates. However, if you want to use your own vendor-specific certificates, they must be imported
on the controller.
Step 1
If you are configuring local EAP to use one of the EAP types listed in the note above, make sure that the appropriate
certificates and PACs (if you will use manual PAC provisioning) have been imported on the controller.
Step 2
If you want the controller to retrieve user credentials from the local user database, make sure that you have properly
configured the local network users on the controller.
Step 3
If you want the controller to retrieve user credentials from an LDAP backend database, make sure that you have properly
configured an LDAP server on the controller.
Step 4
Specify the order in which user credentials are retrieved from the backend database servers as follows:
a) Choose Security > Local EAP > Authentication Priority to open the Priority Order > Local-Auth page.
b) Determine the priority order in which user credentials are to be retrieved from the local and/or LDAP databases.
For example, you may want the LDAP database to be given priority over the local user database, or you may not
want the LDAP database to be considered at all.
c) When you have decided on a priority order, highlight the desired database. Then use the left and right arrows and
the Up and Down buttons to move the desired database to the top of the right User Credentials box.
Note
If both LDAP and LOCAL appear in the right User Credentials box with LDAP on the top and LOCAL
on the bottom, local EAP attempts to authenticate clients using the LDAP backend database and fails
over to the local user database if the LDAP servers are not reachable. If the user is not found, the
authentication attempt is rejected. If LOCAL is on the top, local EAP attempts to authenticate using only
the local user database. It does not fail over to the LDAP backend database.
d) Click Apply to commit your changes.
Step 5
Specify values for the local EAP timers as follows:
a) Choose Security > Local EAP > General to open the General page.
b) In the Local Auth Active Timeout field, enter the amount of time (in seconds) in which the controller attempts to
authenticate wireless clients using local EAP after any pair of configured RADIUS servers fails. The valid range
is 1 to 3600 seconds, and the default setting is 300 seconds.
Step 6
Specify values for the Advanced EAP parameters as follows:
a) Choose Security > Advanced EAP.
b) In the Identity Request Timeout field, enter the amount of time (in seconds) in which the controller attempts to
send an EAP identity request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the
default setting is 30 seconds.
c) In the Identity Request Max Retries field, enter the maximum number of times that the controller attempts to
retransmit the EAP identity request to wireless clients using local EAP. The valid range is 1 to 20 retries, and the
default setting is 2 retries.
d) In the Dynamic WEP Key Index field, enter the key index used for dynamic wired equivalent privacy (WEP).
The default value is 0, which corresponds to a key index of 1; the valid values are 0 to 3 (key index of 1 to 4).
This feature is no longer supported.
e) In the Request Timeout field, enter the amount of time (in seconds) in which the controller attempts to send an
EAP request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the default setting is 30
seconds.
f) In the Request Max Retries field, enter the maximum number of times that the controller attempts to retransmit
the EAP request to wireless clients using local EAP. The valid range is 1 to 120 retries, and the default setting is
2 retries.
g) From the Max-Login Ignore Identity Response drop-down list, enable the feature if you want to ignore the EAP
identity responses when enforcing the net user login limit.
h) In the EAPOL-Key Timeout field, enter the amount of time (in milliseconds) in which the controller attempts to send
an EAP key over the LAN to wireless clients using local EAP. The valid range is 200 to 5000 milliseconds, and the
default setting is 1000 milliseconds.
i) In the EAPOL-Key Max Retries field, enter the maximum number of times that the controller attempts to send
an EAP key over the LAN to wireless clients using local EAP. The valid range is 0 to 4 retries, and the default
setting is 2 retries.
j) In the EAP-Broadcast Key Interval field, enter the interval between Group Temporal Key (GTK) rotations for all
stations on a BSSID that uses the WPA protocol. The default interval is 3600 seconds.
k) Click Apply to commit your changes.
Step 7
Create a local EAP profile, which specifies the EAP authentication types that are supported on the wireless clients as
follows:
a) Choose Security > Local EAP > Profiles to open the Local EAP Profiles page.
This page lists any local EAP profiles that have already been configured and specifies their EAP types. You can
create up to 16 local EAP profiles.
Note
If you want to delete an existing profile, hover your cursor over the blue drop-down arrow for that profile
and choose Remove.
b) Click New to open the Local EAP Profiles > New page.
c) In the Profile Name field, enter a name for your new profile and then click Apply.
Note
You can enter up to 63 alphanumeric characters for the profile name. Make sure not to include spaces.
d) When the Local EAP Profiles page is displayed again, click the name of your new profile. The Local EAP Profiles
> Edit page is displayed.
e) Check the LEAP, EAP-FAST, EAP-TLS, and/or PEAP check boxes to specify the EAP type that can be used for
local authentication.
Note
You can specify more than one EAP type per profile. However, if you choose multiple EAP types that
use certificates (such as EAP-FAST with certificates, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC),
all the EAP types must use the same certificate (from either Cisco or another vendor).
Note
If you check the PEAP check box, both PEAPv0/MSCHAPv2 and PEAPv1/GTC are enabled on the
controller.
f) If you chose EAP-FAST and want the device certificate on the controller to be used for authentication, check the
Local Certificate Required check box. If you want to use EAP-FAST with PACs instead of certificates, leave
this check box unselected, which is the default setting.
Note
This option applies only to EAP-FAST because device certificates are not used with LEAP and are
mandatory for EAP-TLS and PEAP.
g) If you chose EAP-FAST and want the wireless clients to send their device certificates to the controller in order to
authenticate, check the Client Certificate Required check box. If you want to use EAP-FAST with PACs instead
of certificates, leave this check box unchecked, which is the default setting.
Note
This option applies only to EAP-FAST because client certificates are not used with LEAP or PEAP and
are mandatory for EAP-TLS.
h) If you chose EAP-FAST with certificates, EAP-TLS, or PEAP, choose which certificates will be sent to the client,
the ones from Cisco or the ones from another Vendor, from the Certificate Issuer drop-down list. The default
setting is Cisco.
i) If you chose EAP-FAST with certificates or EAP-TLS and want the incoming certificate from the client to be
validated against the CA certificates on the controller, check the Check against CA certificates check box. The
default setting is enabled.
j) If you chose EAP-FAST with certificates or EAP-TLS and want the common name (CN) in the incoming certificate
to be validated against the Local Net Users configured on the controller, check the Verify Certificate CN Identity
check box. The default setting is disabled.
k) If you chose EAP-FAST with certificates or EAP-TLS and want the controller to verify that the incoming device
certificate is still valid and has not expired, check the Check Certificate Date Validity check box. The default
setting is enabled.
Note
Certificate date validity is checked against the current UTC (GMT) time that is configured on the controller.
Timezone offset will be ignored.
l) Click Apply to commit your changes.
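The note on certificate date validity above says the check is made against the controller's UTC clock and that the timezone offset is ignored. The following Python script is an added example, not code from the Cisco guide or from the controller: it parses the UTCTime and GeneralizedTime encodings that X.509 certificates use for their validity dates, compares them with a UTC timestamp, and contrasts that with the wrong answer obtained if a local wall-clock reading is treated as if it were UTC. The validity dates, the clock readings and the one-hour offset are constructed for illustration.

```python
"""Certificate date validity checked against UTC, as the controller does.

Added example; not code from the Cisco guide or from the controller.
X.509 validity times are encoded as UTCTime ("YYMMDDHHMMSSZ") or
GeneralizedTime ("YYYYMMDDHHMMSSZ"); the trailing "Z" means UTC.
"""
from datetime import datetime, timedelta, timezone


def parse_asn1_time(value: str) -> datetime:
    """Parse a UTCTime or GeneralizedTime string into a timezone-aware UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') encoded times are accepted: %r" % value)
    body = value[:-1]
    if len(body) == 12:                        # UTCTime: two-digit year
        year = int(body[:2])
        year += 1900 if year >= 50 else 2000   # century rule from RFC 5280 4.1.2.5.1
        body = "%04d%s" % (year, body[2:])
    elif len(body) != 14:                      # GeneralizedTime: four-digit year
        raise ValueError("unrecognised time encoding: %r" % value)
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def cert_date_valid(not_before: str, not_after: str, now_utc: str) -> bool:
    """True if now_utc (GeneralizedTime, UTC) lies within [notBefore, notAfter]."""
    nb, na = parse_asn1_time(not_before), parse_asn1_time(not_after)
    return nb <= parse_asn1_time(now_utc) <= na


# Constructed sample validity period: expires at 2024-03-01 00:00:00 UTC.
NOT_BEFORE = "230301000000Z"        # UTCTime
NOT_AFTER = "20240301000000Z"       # GeneralizedTime


def local_offset_trap(now_utc: str, offset_hours: int) -> dict:
    """Compare the correct UTC check with a wall-clock reading (UTC+offset_hours)
    mistakenly fed in as if it were UTC; close to the expiry boundary they disagree."""
    utc = parse_asn1_time(now_utc)
    wall = (utc + timedelta(hours=offset_hours)).strftime("%Y%m%d%H%M%SZ")
    return {
        "utc_result": cert_date_valid(NOT_BEFORE, NOT_AFTER, now_utc),
        "naive_local_result": cert_date_valid(NOT_BEFORE, NOT_AFTER, wall),
    }


if __name__ == "__main__":
    # 30 minutes before expiry in UTC; a clock one hour ahead already reads past expiry
    print(local_offset_trap("20240229233000Z", 1))
```

The practical consequence is the one the note states: a controller whose clock is set to local time without a correct UTC reference will accept or reject certificates at the wrong moment, so the controller's clock and time zone should be verified before relying on the Check Certificate Date Validity option.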
Step 8
If you created an EAP-FAST profile, follow these steps to configure the EAP-FAST parameters:
a) Choose Security > Local EAP > EAP-FAST Parameters to open the EAP-FAST Method Parameters page.
b) In the Server Key and Confirm Server Key fields, enter the key (in hexadecimal characters) used to encrypt and
decrypt PACs.
c) In the Time to Live for the PAC field, enter the number of days for the PAC to remain viable. The valid range is
1 to 1000 days, and the default setting is 10 days.
d) In the Authority ID field, enter the authority identifier of the local EAP-FAST server in hexadecimal characters.
You can enter up to 32 hexadecimal characters, but you must enter an even number of characters.
e) In the Authority ID Information field, enter the authority identifier of the local EAP-FAST server in text format.
f) If you want to enable anonymous provisioning, check the Anonymous Provision check box. This feature allows
PACs to be sent automatically to clients that do not have one during PAC provisioning. If you disable this feature,
PACs must be manually provisioned. The default setting is enabled.
Note
If the local and/or client certificates are required and you want to force all EAP-FAST clients to use
certificates, uncheck the Anonymous Provision check box.
g) Click Apply to commit your changes.
Step 9
Enable local EAP on a WLAN as follows:
a) Choose WLANs to open the WLANs page.
b) Click the ID number of the desired WLAN.
c) When the WLANs > Edit page is displayed, choose the Security > AAA Servers tabs to open the WLANs > Edit
(Security > AAA Servers) page.
d) Uncheck the Enabled check boxes for RADIUS Authentication Servers and Accounting Server to disable RADIUS
accounting and authentication for this WLAN.
e) Check the Local EAP Authentication check box to enable local EAP for this WLAN.
f) From the EAP Profile Name drop-down list, choose the EAP profile that you want to use for this WLAN.
g) If desired, choose the LDAP server that you want to use with local EAP on this WLAN from the LDAP Servers
drop-down lists.
h) Click Apply to commit your changes.
Step 10
Click Save Configuration to save your changes.
Configuring Local EAP (CLI)
Before you begin
Note
EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC use certificates for authentication, and EAP-FAST uses
either certificates or PACs. The controller is shipped with Cisco-installed device and Certificate Authority
(CA) certificates. However, if you want to use your own vendor-specific certificates, they must be imported
on the controller.
Step 1
If you are configuring local EAP to use one of the EAP types listed in the note above, make sure that the appropriate
certificates and PACs (if you will use manual PAC provisioning) have been imported on the controller.
Step 2
If you want the controller to retrieve user credentials from the local user database, make sure that you have properly
configured the local network users on the controller.
Step 3
If you want the controller to retrieve user credentials from an LDAP backend database, make sure that you have properly
configured an LDAP server on the controller.
Step 4
Specify the order in which user credentials are retrieved from the local and/or LDAP databases by entering this command:
config local-auth user-credentials {local | ldap}
Note
If you enter the config local-auth user-credentials ldap local command, local EAP attempts to authenticate
clients using the LDAP backend database and fails over to the local user database if the LDAP servers are
not reachable. If the user is not found, the authentication attempt is rejected. If you enter the config local-auth
user-credentials local ldap command, local EAP attempts to authenticate using only the local user database.
It does not fail over to the LDAP backend database.
Step 5
Specify values for the local EAP timers by entering these commands:
• config advanced eap identity-request-timeout timeout—Specifies the amount of time (in seconds) in which the
controller attempts to send an EAP identity request to wireless clients using local EAP. The valid range is 1 to
120 seconds, and the default setting is 30 seconds.
• config advanced eap bcast-key-interval seconds—Configures EAP-broadcast key renew interval time in seconds.
The valid range is 120 to 86400 seconds.
• config advanced eap identity-request-retries retries—Specifies the maximum number of times that the controller
attempts to retransmit the EAP identity request to wireless clients using local EAP. The valid range is 1 to 20
retries, and the default setting is 20 retries.
• config advanced eap key-index index—Specifies the key index used for dynamic wired equivalent privacy (WEP).
The default value is 0, which corresponds to a key index of 1; the valid values are 0 to 3 (key index of 1 to 4).
• config advanced eap request-timeout timeout—Specifies the amount of time (in seconds) in which the controller
attempts to send an EAP request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the
default setting is 30 seconds.
• config advanced eap request-retries retries—Specifies the maximum number of times that the controller attempts
to retransmit the EAP request to wireless clients using local EAP. The valid range is 1 to 120 retries, and the default
setting is 20 retries.
• config advanced eap eapol-key-timeout timeout—Specifies the amount of time (in seconds) in which the controller
attempts to send an EAP key over the LAN to wireless clients. The valid range is 200 to 5000 milliseconds, and
the default setting is 1000 milliseconds.
Note
If the controller and access point are separated by a WAN link, the default timeout of 1 second may not
be sufficient.
• config advanced eap eapol-key-retries retries—Specifies the maximum number of times that the controller
attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid range is 0 to 4 retries,
and the default setting is 2 retries.
• config advanced eap max-login-ignore-identity-response {enable | disable}—Enables the feature if you want to
ignore the EAP identity responses when enforcing the net user login limit. See the User Login Policies section for
details.
Step 6
Create a local EAP profile by entering this command:
config local-auth eap-profile add profile_name
Note
Do not include spaces within the profile name.
Note
To delete a local EAP profile, enter the config local-auth eap-profile delete profile_name command.
Step 7
Add an EAP method to a local EAP profile by entering this command:
config local-auth eap-profile method add method profile_name
The supported methods are leap, fast, tls, and peap.
Note
If you choose peap, both PEAPv0/MSCHAPv2 and PEAPv1/GTC are enabled on the controller.
Note
You can specify more than one EAP type per profile. However, if you create a profile with multiple EAP
types that use certificates (such as EAP-FAST with certificates, EAP-TLS, PEAPv0/MSCHAPv2, and
PEAPv1/GTC), all of the EAP types must use the same certificate (from either Cisco or another vendor).
Note
To delete an EAP method from a local EAP profile, enter the config local-auth eap-profile method delete
method profile_name command.
Step 8
Configure EAP-FAST parameters if you created an EAP-FAST profile by entering this command:
config local-auth method fast ?
where ? is one of the following:
• anon-prov {enable | disable}—Configures the controller to allow anonymous provisioning, which allows PACs
to be sent automatically to clients that do not have one during PAC provisioning.
• authority-id auth_id—Specifies the authority identifier of the local EAP-FAST server.
• pac-ttl days—Specifies the number of days for the PAC to remain viable.
• server-key key—Specifies the server key used to encrypt and decrypt PACs.
Step 9
Configure certificate parameters per profile by entering these commands:
• config local-auth eap-profile method fast local-cert {enable | disable} profile_name—Specifies whether the
device certificate on the controller is required for authentication.
Note
This command applies only to EAP-FAST because device certificates are not used with LEAP and are
mandatory for EAP-TLS and PEAP.
• config local-auth eap-profile method fast client-cert {enable | disable} profile_name—Specifies whether
wireless clients are required to send their device certificates to the controller in order to authenticate.
Note
This command applies only to EAP-FAST because client certificates are not used with LEAP or PEAP
and are mandatory for EAP-TLS.
• config local-auth eap-profile cert-issuer {cisco | vendor} profile_name—If you specified EAP-FAST with
certificates, EAP-TLS, or PEAP, specifies whether the certificates that will be sent to the client are from Cisco or
another vendor.
• config local-auth eap-profile cert-verify ca-issuer {enable | disable} profile_name—If you chose EAP-FAST
with certificates or EAP-TLS, specifies whether the incoming certificate from the client is to be validated against
the CA certificates on the controller.
• config local-auth eap-profile cert-verify cn-verify {enable | disable} profile_name—If you chose EAP-FAST
with certificates or EAP-TLS, specifies whether the common name (CN) in the incoming certificate is to be
validated against the CA certificates’ CN on the controller.
• config local-auth eap-profile cert-verify date-valid {enable | disable} profile_name—If you chose EAP-FAST
with certificates or EAP-TLS, specifies whether the controller is to verify that the incoming device certificate is
still valid and has not expired.
Step 10
Enable local EAP and attach an EAP profile to a WLAN by entering this command:
config wlan local-auth enable profile_name wlan_id
Note
To disable local EAP for a WLAN, enter the config wlan local-auth disable wlan_id command.
Step 11
Save your changes by entering this command:
save config
Step 12
View information pertaining to local EAP by entering these commands:
• show local-auth config—Shows the local EAP configuration on the controller.
User credentials database search order:
  Primary ..................................... Local DB
Timer:
  Active timeout .............................. 300
Configured EAP profiles:
  Name ........................................ fast-cert
    Certificate issuer ........................ vendor
    Peer verification options:
      Check against CA certificates ........... Enabled
      Verify certificate CN identity .......... Disabled
      Check certificate date validity ......... Enabled
    EAP-FAST configuration:
      Local certificate required .............. Yes
      Client certificate required ............. Yes
    Enabled methods ........................... fast
    Configured on WLANs ....................... 1
  Name ........................................ tls
    Certificate issuer ........................ vendor
    Peer verification options:
      Check against CA certificates ........... Enabled
      Verify certificate CN identity .......... Disabled
      Check certificate date validity ......... Enabled
    EAP-FAST configuration:
      Local certificate required .............. No
      Client certificate required ............. No
    Enabled methods ........................... tls
    Configured on WLANs ....................... 2
EAP Method configuration:
  Low-Cipher Support(TLSv1.0 for local EAP)..... Enabled
  EAP-FAST:
    Server key ................................ <hidden>
    TTL for the PAC ........................... 10
    Anonymous provision allowed ............... Yes
    Accept client on auth prov ................ No
    Authority ID ...... 436973636f0000000000000000000000
    Authority Information ..................... Cisco A-ID
• show local-auth statistics—Shows the local EAP statistics.
• show local-auth certificates—Shows the certificates available for local EAP.
• show local-auth user-credentials—Shows the priority order that the controller uses when retrieving user credentials
from the local and/or LDAP databases.
• show advanced eap—Shows the timer values for local EAP.
EAP-Identity-Request Timeout (seconds)........... 1
EAP-Identity-Request Max Retries................. 20
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 20
EAP-Request Max Retries.......................... 20
EAPOL-Key Timeout (seconds)...................... 1
EAPOL-Key Max Retries............................ 2
• show ap stats wlan Cisco_AP—Shows the EAP timeout and failure counters for a specific access point for each
WLAN.
WLAN 1
  EAP Id Request Msg Timeouts................... 0
  EAP Id Request Msg Timeouts Failures.......... 0
  EAP Request Msg Timeouts...................... 2
  EAP Request Msg Timeouts Failures............. 1
  EAP Key Msg Timeouts.......................... 0
  EAP Key Msg Timeouts Failures................. 0
WLAN 2
  EAP Id Request Msg Timeouts................... 1
  EAP Id Request Msg Timeouts Failures.......... 0
  EAP Request Msg Timeouts...................... 0
  EAP Request Msg Timeouts Failures............. 0
  EAP Key Msg Timeouts.......................... 3
  EAP Key Msg Timeouts Failures................. 1
• show client detail client_mac—Shows the EAP timeout and failure counters for a specific associated client. These
statistics are useful in troubleshooting client association issues.
...
Client Statistics:
  Number of Bytes Received................... 10
  Number of Bytes Sent....................... 10
  Number of Packets Received................. 2
  Number of Packets Sent..................... 2
  Number of EAP Id Request Msg Timeouts...... 0
  Number of EAP Id Request Msg Failures...... 0
  Number of EAP Request Msg Timeouts......... 2
  Number of EAP Request Msg Failures......... 1
  Number of EAP Key Msg Timeouts............. 0
  Number of EAP Key Msg Failures............. 0
  Number of Policy Errors.................... 0
  Radio Signal Strength Indicator............ Unavailable
  Signal to Noise Ratio...................... Unavailable
• show wlan wlan_id—Shows the status of local EAP on a particular WLAN.
Step 13
(Optional) Troubleshoot local EAP sessions by entering these commands:
• debug aaa local-auth eap method {all | errors | events | packets | sm} {enable | disable}—Enables or disables
debugging of local EAP methods.
• debug aaa local-auth eap framework {all | errors | events | packets | sm} {enable | disable}—Enables or
disables debugging of the local EAP framework.
Note
In these two debug commands, sm is the state machine.
• clear stats local-auth—Clears the local EAP counters.
• clear stats ap wlan Cisco_AP—Clears the EAP timeout and failure counters for a specific access point for each
WLAN.
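The show local-auth config and show client detail output in Step 12 is printed in a dotted-leader format ("Key ......... value"). The following Python script is an added example, not code from the Cisco guide or from the controller: it parses that format, groups the per-profile settings of show local-auth config, flags the settings the procedure above describes as relaxing certificate validation (CA check or date validity disabled, anonymous PAC provisioning left on while EAP-FAST certificates are required), and summarises the EAP timeout and failure counters of show client detail so that the EAPOL-Key note in Step 5 can be acted on. The sample output, the finding codes and the assumption that several enabled methods are printed space-separated are constructed for illustration; real output may differ in wording.

```python
"""Audit local EAP settings from controller show output.

Added example; not code from the Cisco guide or from the controller.
All sample text is constructed in the style of the show commands.
"""
import re

# "Key ...... value": key before the dots, value after them
LEADER = re.compile(r"^\s*(.+?)\s*\.{3,}\s*(\S.*?)\s*$")

# Constructed excerpt in the style of "show local-auth config" (not real output).
SAMPLE_LOCAL_AUTH = """\
Configured EAP profiles:
Name ........................................ fast-cert
Peer verification options:
Check against CA certificates ........... Enabled
Check certificate date validity ......... Disabled
EAP-FAST configuration:
Local certificate required .............. Yes
Client certificate required ............. Yes
Enabled methods ........................... fast
Name ........................................ legacy
Peer verification options:
Check against CA certificates ........... Disabled
Check certificate date validity ......... Enabled
EAP-FAST configuration:
Local certificate required .............. No
Client certificate required ............. No
Enabled methods ........................... leap peap
EAP Method configuration:
Low-Cipher Support(TLSv1.0 for local EAP)..... Enabled
EAP-FAST:
Anonymous provision allowed ............... Yes
"""

# Constructed excerpt in the style of "show client detail" (not real output).
SAMPLE_CLIENT_DETAIL = """\
Client Statistics:
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 2
Number of EAP Request Msg Failures......... 1
Number of EAP Key Msg Timeouts............. 3
Number of EAP Key Msg Failures............. 1
"""


def parse_leaders(text):
    """Return (key, value) pairs for every dotted-leader line."""
    return [m.groups() for m in map(LEADER.match, text.splitlines()) if m]


def parse_local_auth(text):
    """Split show local-auth config into per-profile and global settings."""
    result = {"profiles": {}, "global": {}}
    current = None
    for line in text.splitlines():
        if line.strip() == "EAP Method configuration:":
            current = None                      # the profile list has ended
        m = LEADER.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Name":
            current = value
            result["profiles"][current] = {}
        elif current is not None:
            result["profiles"][current][key] = value
        else:
            result["global"][key] = value
    return result


def audit_local_auth(parsed):
    """Return (profile, finding-code) pairs for settings worth reviewing."""
    findings = []
    g = parsed["global"]
    anon = g.get("Anonymous provision allowed") == "Yes"
    for name, p in parsed["profiles"].items():
        methods = p.get("Enabled methods", "").split()
        certs_required = "Yes" in (p.get("Local certificate required"),
                                   p.get("Client certificate required"))
        if p.get("Check against CA certificates") == "Disabled":
            findings.append((name, "no-ca-check"))       # client certs not validated
        if p.get("Check certificate date validity") == "Disabled":
            findings.append((name, "no-date-check"))     # expired certs accepted
        if "leap" in methods:
            findings.append((name, "leap"))              # legacy method; prefer EAP-FAST/TLS/PEAP
        if "fast" in methods and certs_required and anon:
            # guide: uncheck Anonymous Provision to force EAP-FAST clients onto certificates
            findings.append((name, "anon-prov-with-certs"))
    if g.get("Low-Cipher Support(TLSv1.0 for local EAP)") == "Enabled":
        findings.append(("global", "tlsv1.0"))           # deprecated TLS version accepted
    return findings


def eap_counter_summary(text):
    """{'Id Request': {'Timeouts': n, 'Failures': n}, 'Request': ..., 'Key': ...}"""
    counters = {}
    for key, value in parse_leaders(text):
        m = re.match(r"Number of EAP (.+?) Msg (Timeouts|Failures)$", key)
        if m:
            counters.setdefault(m.group(1), {})[m.group(2)] = int(value)
    return counters


def counter_hints(counters):
    """Map non-zero failure counters to troubleshooting hints from the guide."""
    hints = []
    if counters.get("Key", {}).get("Failures", 0):
        hints.append("eapol-key-failures")      # WAN-separated AP: raise eapol-key-timeout
    if counters.get("Request", {}).get("Failures", 0):
        hints.append("eap-request-failures")    # check request-timeout / request-retries
    return hints


if __name__ == "__main__":
    for profile, code in audit_local_auth(parse_local_auth(SAMPLE_LOCAL_AUTH)):
        print("%-10s %s" % (profile, code))
    print(counter_hints(eap_counter_summary(SAMPLE_CLIENT_DETAIL)))
```

Feed the script the captured output of the two show commands (for example, saved from a terminal session) and review each finding against the intent of the profile; the finding codes are only a starting point, and a profile that intentionally uses PAC-based EAP-FAST without certificates will legitimately show anonymous provisioning enabled.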
CHAPTER 47
Configuring the System for SpectraLink NetLink Telephones
• Information About SpectraLink NetLink Telephones, on page 417
• Configuring SpectraLink NetLink Phones, on page 417
Information About SpectraLink NetLink Telephones
For the best integration with the Cisco UWN solution, SpectraLink NetLink Telephones require an extra
operating system configuration step: enable long preambles. The radio preamble (sometimes called a header)
is a section of data at the head of a packet that contains information that wireless devices need when sending
and receiving packets. Short preambles improve throughput performance, so they are enabled by default.
However, some wireless devices, such as SpectraLink NetLink phones, require long preambles.
Configuring SpectraLink NetLink Phones
Enabling Long Preambles (GUI)
Step 1
Choose Wireless > 802.11b/g/n > Network to open the 802.11b/g Global Parameters page.
Step 2
If the Short Preamble check box is selected, continue with this procedure. However, if the Short Preamble check box
is unselected (which means that long preambles are enabled), the controller is already optimized for SpectraLink NetLink
phones and you do not need to continue this procedure.
Step 3
Unselect the Short Preamble check box to enable long preambles.
Step 4
Click Apply to update the controller configuration.
Note
If you do not already have an active CLI session to the controller, we recommend that you start a CLI session
to reboot the controller and watch the reboot process. A CLI session is also useful because the GUI loses its
connection when the controller reboots.
Step 5
Choose Commands > Reboot > Reboot > Save and Reboot to reboot the controller. Click OK in response to this
prompt:
Configuration will be saved and the controller will be rebooted. Click ok to confirm.
The controller reboots.
Step 6
Log back onto the controller GUI to verify that the controller is properly configured.
Step 7
Choose Wireless > 802.11b/g/n > Network to open the 802.11b/g Global Parameters page. If the Short Preamble check
box is unselected, the controller is optimized for SpectraLink NetLink phones.
Enabling Long Preambles (CLI)
Step 1
Log on to the controller CLI.
Step 2
Enter the show 802.11b command and check the Short Preamble mandatory parameter. If the parameter indicates that
short preambles are enabled, continue with this procedure. This example shows that short preambles are enabled:
Short Preamble mandatory....................... Enabled
However, if the parameter shows that short preambles are disabled (which means that long preambles are enabled), the
controller is already optimized for SpectraLink NetLink phones and you do not need to continue this procedure.
Step 3
Disable the 802.11b/g network by entering this command:
config 802.11b disable network
You cannot enable long preambles on the 802.11a network.
Step 4
Enable long preambles by entering this command:
config 802.11b preamble long
Step 5
Reenable the 802.11b/g network by entering this command:
config 802.11b enable network
Step 6
Enter the reset system command to reboot the controller. Enter y when the prompt to save the system changes is displayed.
The controller reboots.
Step 7
Verify that the controller is properly configured by logging back into the CLI and entering the show 802.11b command
to view these parameters:
802.11b Network................................ Enabled
Short Preamble mandatory....................... Disabled
These parameters show that the 802.11b/g network is enabled and that short preambles are disabled.
Configuring Enhanced Distributed Channel Access (CLI)
To configure 802.11 enhanced distributed channel access (EDCA) parameters to support SpectraLink phones,
use the following CLI commands:
config advanced edca-parameter {custom-voice | optimized-video-voice | optimized-voice | svp-voice | wmm-default}
where
• custom-voice enables custom voice EDCA parameters
• optimized-video-voice enables combined video-voice-optimized parameters
• optimized-voice enables non-SpectraLink voice-optimized parameters
• svp-voice enables SpectraLink voice priority (SVP) parameters
• wmm-default enables wireless multimedia (WMM) default parameters
Note
To propagate this command to all access points connected to the controller, make sure to disable and then
reenable the 802.11b/g network after entering this command.
CHAPTER 48
Configuring RADIUS NAC Support
• ISE NAC Support, on page 421
• Guidelines and Restrictions on ISE NAC Support, on page 423
• Configuring ISE NAC Support (GUI), on page 424
• Configuring ISE NAC Support (CLI), on page 425
ISE NAC Support
The Cisco Identity Services Engine (ISE) is a next-generation, context-based access control solution that
provides the functions of Cisco Secure Access Control System (ACS) and Cisco Network Admission Control
(NAC) in one integrated platform.
Cisco ISE was introduced in Cisco Wireless Release 7.0.116.0. Cisco ISE can be used to provide advanced
security for your deployed network. It is an authentication server that you can configure on your controller.
When a client associates with a controller on an ISE NAC-enabled WLAN with OPEN/Layer 2 + MAC
Filtering, the controller forwards the request to the Cisco ISE server without checking the local database.
Note
ISE NAC was previously known as RADIUS NAC.
This section contains the following subsections:
Device Registration
Device registration enables you to authenticate and provision new devices on the WLAN with RADIUS NAC
enabled. When a device is registered on the WLAN, it can use the network based on the configured ACL.
Central Web Authentication
In the case of Central Web Authentication (CWA), web authentication occurs on the Cisco ISE server. The
web portal in the Cisco ISE server provides a login page to a client. After the credentials are verified on the
Cisco ISE server, the client is provisioned. The client remains in the POSTURE_REQD state until a change
of authorization (CoA) is reached. The credentials and ACLs are received from Cisco ISE server.
Note
• In a CWA and MAC filtering configuration scenario, if the VLAN changes between pre-authentication
and post-authentication, a disassociation request is sent to the clients and they are forced to go through
DHCP again.
• Inter-controller roaming with non-802.1X L2 security, with MAC filtering and CWA, is not supported
prior to 8.9.
For new clients, the RADIUS Access-Accept message carries the redirect URL for port 80 and either pre-auth ACLs
or a quarantine VLAN. The ACL itself (IP addresses and ports) is defined on the controller.
Clients are redirected to the URL provided in the Access-Accept message and put into a new state until
posture validation is done. Clients in this state validate themselves against the ISE server and the policies configured
on the ISE NAC server.
The NAC agent on the clients initiates posture validation (traffic to port 80): the agent sends an HTTP discovery
request to port 80, which the controller redirects to the URL provided in the Access-Accept message. Cisco
ISE recognizes what the client is trying to reach and responds directly to the client. This way, the client learns
the Cisco ISE IP address, and from then on the client talks directly with Cisco ISE.
The controller allows this traffic because the ACL is configured to allow it. In the case of VLAN override,
the traffic is bridged so that it reaches Cisco ISE.
ISE NAC
After the client completes the assessment, a RADIUS CoA-Req with reauth service is sent to the controller.
This initiates reauthentication of the client (by sending EAP-START). Once reauthentication succeeds, the
Cisco ISE sends an access accept message with a new ACL (if any) and no URL redirect, or access VLAN.
The controller has support for CoA-Req and Disconnect-Req as per RFC 3576. The controller needs to support
CoA-Req for re-auth service, as per RFC 5176.
Instead of downloadable ACLs, preconfigured ACLs are used on the controller. Cisco ISE sends the ACL
name, which must already be configured on the controller.
This design should work for both the VLAN and the ACL case. In the case of VLAN override, port 80 is redirected
and the rest of the traffic is bridged on the quarantine VLAN. In the ACL case, the pre-auth ACL received in
the Access-Accept message is applied.
Here is the workflow:
1. The guest user associates with the controller.
2. The controller sends a MAB Request to ISE.
3. ISE matches the first authorization rules, and sends the redirect parameters (ACL and URL).
4. The controller redirects the GUEST to ISE.
5. After the guest is authenticated, ISE makes a second authorization, which is called RADIUS Change of
Authorization (CoA). In this second authorization, a profile must be returned so that the guest is permitted
access to the network. We can use usecase: guestflow to easily match this second authorization.
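The workflow above hinges on the RADIUS Change of Authorization message that Cisco ISE sends after posture assessment, and the text notes that the controller supports CoA-Req and Disconnect-Req as per RFC 3576 (now RFC 5176). The following Python script is an added example, not code from the Cisco guide, from Cisco ISE or from the controller: it builds a CoA-Request carrying standard session-identification attributes, and shows the Request Authenticator check a receiving NAS must perform before acting on it, including rejection of a tampered packet and of a packet built with the wrong shared secret, followed by the CoA-ACK whose Response Authenticator is chained to the request. The vendor-specific attribute that selects the "reauth" service is not part of this example; the shared secret, addresses, identifier and session id are constructed values.

```python
"""RADIUS CoA-Request construction and receiver-side verification (RFC 5176).

Added example; not code from the Cisco guide, from Cisco ISE or from the
controller. Standard attributes only; all values are constructed.
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK, DISCONNECT_REQUEST = 43, 44, 45, 40
# Standard attribute types (RFC 2865 / RFC 2866)
NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 4, 31, 44
HEADER = struct.Struct("!BBH16s")      # Code, Identifier, Length, Authenticator


def encode_attrs(attrs):
    """Encode [(type, value-bytes), ...] as RFC 2865 type/length/value triples."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(data):
    """Decode TLVs; reject lengths that do not fit the remaining buffer."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], bytes(data[2:data[1]])))
        data = data[data[1]:]
    return attrs


def request_authenticator(code, identifier, attrs_bytes, secret):
    """RFC 5176 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    length = HEADER.size + len(attrs_bytes)
    return hashlib.md5(HEADER.pack(code, identifier, length, b"\x00" * 16)
                       + attrs_bytes + secret).digest()


def build_coa_request(identifier, attrs, secret):
    """Server side: CoA-Request with a freshly computed Request Authenticator."""
    body = encode_attrs(attrs)
    auth = request_authenticator(COA_REQUEST, identifier, body, secret)
    return HEADER.pack(COA_REQUEST, identifier, HEADER.size + len(body), auth) + body


def verify_request(packet, secret):
    """Receiver side: return the attribute list if the packet is well formed and
    its authenticator matches, else None (the request must then be ignored)."""
    if len(packet) < HEADER.size:
        return None
    code, identifier, length, auth = HEADER.unpack_from(packet)
    if code not in (COA_REQUEST, DISCONNECT_REQUEST) or length != len(packet):
        return None
    body = packet[HEADER.size:]
    expected = request_authenticator(code, identifier, body, secret)
    if not hmac.compare_digest(expected, auth):   # constant-time comparison
        return None
    try:
        return decode_attrs(body)
    except ValueError:
        return None


def build_response(code, request_packet, secret, attrs=()):
    """RFC 5176 2.3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, _, req_auth = HEADER.unpack_from(request_packet)
    body = encode_attrs(list(attrs))
    length = HEADER.size + len(body)
    resp_auth = hashlib.md5(HEADER.pack(code, identifier, length, req_auth)
                            + body + secret).digest()
    return HEADER.pack(code, identifier, length, resp_auth) + body


def reauth_coa_example(secret=b"constructed-shared-secret"):
    """Server builds the request; the receiver checks it, a tampered copy and a wrong secret."""
    attrs = [
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),        # controller address (documentation range)
        (CALLING_STATION_ID, b"00-11-22-33-44-55"),       # client MAC (constructed)
        (ACCT_SESSION_ID, b"0000001f"),                   # session to reauthenticate (constructed)
    ]
    request = build_coa_request(7, attrs, secret)
    accepted = verify_request(request, secret) is not None
    tampered = bytearray(request)
    tampered[-1] ^= 0x01                                  # flip one bit in the last attribute
    response = build_response(COA_ACK if accepted else COA_NAK, request, secret)
    return {
        "accepted": accepted,
        "rejected_tamper": verify_request(bytes(tampered), secret) is None,
        "rejected_wrong_secret": verify_request(request, b"wrong-secret") is None,
        "response_code": response[0],
    }
```

The authenticator is the only thing that ties a CoA-Request to the shared secret, which is why the guide's restriction that CoA is not supported on the service port, and its advice to use the same server for authentication and accounting, matter: the controller can only validate a CoA from a RADIUS server whose secret it already holds, and the Acct-Session-Id it must match comes from the accounting exchange.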
Note
Guest clients connecting to a web-auth WLAN in a CWA setup may also reach the internal virtual interface
web-auth login page using port 80, or port 443 when the web authentication secure web is enabled,
on Cisco AireOS controllers. This behavior is in line with how Cisco AireOS controllers handle all web
authentication redirect scenarios and has no potential risk or vulnerability.
Local Web Authentication
Local web authentication is not supported for RADIUS NAC.
Table 17: ISE Network Authentication Flow
WLAN Configuration    | CWA         | LWA               | Device Registration
RADIUS NAC Enabled    | Yes         | No                | Yes
L2                    | PSK, 802.1X | PSK               | No
L3                    | None, N/A   | Internal/External | N/A
MAC Filtering Enabled | Yes         | No                | Yes
Guidelines and Restrictions on ISE NAC Support
Guidelines
• When a client moves from one WLAN to another, the Cisco WLC retains the client’s audit session ID
if it returns to the WLAN before the idle timeout occurs. As a result, when the client associates with the
Cisco WLC before the idle timeout session expires, it is immediately moved to Run state. The client is
validated if it reassociates with the Cisco WLC after the session timeout.
• If you have two WLANs, and WLAN 1 is configured on a Cisco WLC (WLC1) and WLAN2 is configured
on another Cisco WLC (WLC2) and both are ISE NAC enabled, the client first connects to WLC1 and
moves to the RUN state after posture validation. Assume that the client now moves to WLC2. If the
client connects back to WLC1 before the PMK expires for this client in WLC1, the posture validation
is skipped for the client. The client directly moves to Run state by passing posture validation because
the Cisco WLC retains the old audit session ID for the client that is already known to Cisco ISE.
• When deploying ISE NAC in your wireless network, do not configure a primary and secondary Cisco
ISE server. Instead, we recommend that you configure High Availability (HA) between the two Cisco
ISE servers. Having a primary and secondary ISE setup will require posture validation to occur before
the clients move to the Run state. If HA is configured, the client is automatically moved to the Run state
in the fallback Cisco ISE server.
• Do not swap AAA server indexes in a live network because clients might get disconnected and have to
reconnect to the RADIUS server, which might result in log messages being appended to the ISE server
logs.
• Enable AAA override on the WLAN to use ISE NAC.
• ISE NAC is supported with open authentication/Layer 2 (PSK/802.1x) + MAC Filtering security types.
• During slow roaming, clients go through posture validation.
• If the AAA url-redirect-acl and url-redirect attributes are expected from the AAA server, the AAA
override feature must be enabled on the controller.
Restrictions
• For ISE NAC WLANs, the MAC authentication request is always sent to the external RADIUS server.
The MAC authentication is not validated against the local database. This functionality is applicable to
Releases 8.5, 8.7, 8.8, and later releases via the fix for CSCvh85830.
• The ISE NAC functionality does not work if the configured accounting server is different from the
authentication (Cisco ISE) server. You should configure the same server as the authentication and
accounting server if Cisco ISE functionalities are used. If Cisco ISE is used only for Cisco ACS
functionality, the accounting server can be flexible.
• The controller software configured with ISE NAC does not support a CoA on the service port.
• Guest tunneling mobility is supported only for ISE NAC–enabled WLANs.
• VLAN select is not supported.
• Workgroup bridges are not supported.
• The AP Group over NAC is not supported in ISE NAC.
• When ISE NAC is enabled, the RADIUS server overwrite interface is not supported.
• Audit session ID is not supported across mobility domains if the controller belongs to a different mobility
domain.
Configuring ISE NAC Support (GUI)
Step 1
Choose WLANs.
Step 2
Click the WLAN ID.
The WLANs > Edit page appears.
Step 3
Click the Advanced tab.
Step 4
From the NAC State drop-down list, choose from the following options:
• None
• SNMP NAC—Uses SNMP NAC for the WLAN.
• ISE NAC—Uses ISE NAC for the WLAN.
Note
AAA override is automatically enabled when you use ISE NAC on a WLAN.
Step 5
Save the configuration.
Configuring ISE NAC Support (CLI)
Enter the following command:
config wlan nac radius {enable | disable} wlan_id
CHAPTER
49
Using Management Over Wireless
• Management over Wireless, on page 427
• Enabling Management over Wireless (GUI), on page 427
• Enabling Management over Wireless (CLI), on page 428
Management over Wireless
The management over wireless feature allows you to monitor and configure local controllers using a wireless
client. This feature is supported for all management tasks except uploads to and downloads from (transfers
to and from) the controller.
When this feature is disabled (the default), the controller blocks management access from wireless clients that
are currently associated with it. This is not a complete block: a wireless client associated with another controller
can still reach this controller's management interface over the network. To block management access from wireless
clients entirely (by VLAN, for example), use access control lists (ACLs) or a similar mechanism.
Restrictions on Management over Wireless
• Management over Wireless can be disabled only if clients are on central switching.
• Management over Wireless is not supported for FlexConnect local switching clients. However,
Management over Wireless works for non-web authentication clients if you have a route to the controller
from the FlexConnect site.
This section contains the following subsections:
Enabling Management over Wireless (GUI)
Step 1
Choose Management > Mgmt Via Wireless to open the Management Via Wireless page.
Step 2
Check the Enable Controller Management to be accessible from Wireless Clients check box to enable management
over wireless for the WLAN or unselect it to disable this feature. By default, it is in disabled state.
Step 3
Save the configuration.
Enabling Management over Wireless (CLI)
Step 1
Verify whether the management over wireless interface is enabled or disabled by entering this command:
show network summary
• If disabled: Enable management over wireless by entering this command: config network mgmt-via-wireless enable
• Otherwise, use a wireless client to associate with an access point connected to the controller that you want to manage.
Step 2
Log into the CLI to verify that you can manage the WLAN using a wireless client by entering this command:
telnet wlc-ip-addr CLI-command
CHAPTER
50
Using Dynamic Interfaces for Management
• Using Dynamic Interfaces for Management, on page 429
• Configuring Management using Dynamic Interfaces (CLI), on page 430
Using Dynamic Interfaces for Management
You can access the controller with one of its dynamic interface IP addresses. Both the wired and wireless
clients can access the dynamic interface of the controller using the CLI and GUI. To access the GUI of the
controller enter the dynamic interface IP address of the controller in the address field of either Internet Explorer
or Mozilla Firefox browser. For wired clients, you must enable management of dynamic interface and must
ensure that the wired client is in the VLAN that is mapped to the dynamic interface.
When management using dynamic interfaces is disabled, a device on a dynamic interface VLAN can still open an SSH
connection to that interface if the protocol is enabled, but it is never prompted to log on. Additionally, the
management address remains reachable from a dynamic interface VLAN unless a CPU ACL is in place. When management
using dynamic interfaces is enabled together with a CPU ACL, the CPU ACL takes priority.
The following are some examples of management access and management access using dynamic interfaces. Here,
the management VLAN IP address of the Cisco WLC is 209.165.201.1 and the dynamic VLAN IP address of the Cisco
WLC is 209.165.202.129:
• Source wired client from Cisco WLC's dynamic interface VLAN accesses the management interface
VLAN and tries for management access.
• Source wired client from Cisco WLC's management interface VLAN accesses the dynamic interface
VLAN and tries for management access.
• Source wired client from Cisco WLC's dynamic interface VLAN accesses the dynamic interface VLAN and tries
for management access.
• Source wired client from Layer 3 VLAN interface accesses the dynamic interface or the management
interface and tries for management access.
Here, "management" means configuration access, not the management interface. If the Cisco WLC configuration
is accessed through any IP address on the Cisco WLC other than the management IP address, that is management
using a dynamic interface.
Configuring Management using Dynamic Interfaces (CLI)
Management using dynamic interfaces is disabled by default. You can enable it if the dynamic interfaces also need
to be reachable for most or all management functions. Once enabled, all dynamic interfaces accept management
access to the controller; use access control lists (ACLs) to limit this access as required.
Procedure
• Enable or disable management using dynamic interfaces by entering this command:
config network mgmt-via-dynamic-interface {enable | disable}
CHAPTER
51
Configuring DHCP Option 82
• DHCP Option 82, on page 431
• Restrictions on DHCP Option 82, on page 432
• Configuring DHCP Option 82 (GUI), on page 432
• Configuring DHCP Option 82 (CLI), on page 432
DHCP Option 82
DHCP option 82 provides additional security when DHCP is used to allocate network addresses. It enables
the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. You can
configure the controller to add option 82 information to DHCP requests from clients before forwarding the
requests to the DHCP server.
Figure 36: DHCP Option 82
The access point forwards all DHCP requests from a client to the controller. The controller adds the DHCP
option 82 payload and forwards the request to the DHCP server. The payload can contain the MAC address
or the MAC address and SSID of the access point, depending on how you configure this option.
Note
Any DHCP packets that already include a relay agent option are dropped at the controller.
For DHCP option 82 to operate correctly, DHCP proxy must be enabled.
This section contains the following subsections:
Restrictions on DHCP Option 82
• DHCP option 82 is not supported for use with auto-anchor mobility.
Configuring DHCP Option 82 (GUI)
Step 1
Choose Controller > Advanced > DHCP to open the DHCP Parameters page.
Step 2
Select the Enable DHCP Proxy check box to enable DHCP proxy.
Step 3
Choose a DHCP Option 82 format from the drop-down list. You can choose either binary or ascii to specify the format
of the DHCP option 82 payload.
Step 4
Choose a DHCP Option 82 Remote ID field format from the drop-down list to specify the format of the DHCP option
82 payload.
For more information about the options available, see the Controller Online Help.
Step 5
Enter the DHCP timeout value in the DHCP Timeout field. The timeout value is globally applicable. You can specify
the DHCP timeout value in range from 5 to 120 seconds.
Step 6
Click Apply.
Step 7
Click Save Configuration .
What to do next
On the controller CLI, you can enable DHCP option 82 on the dynamic interface to which the WLAN is
associated by entering this command:
config interface dhcp dynamic-interface interface-name option-82 enable
Configuring DHCP Option 82 (CLI)
Procedure
• Configure the format of the DHCP option 82 payload by entering one of these commands:
• config dhcp opt-82 remote-id ap_mac—Adds the radio MAC address of the access point to the
DHCP option 82 payload.
• config dhcp opt-82 remote-id ap_mac:ssid—Adds the radio MAC address and SSID of the access
point to the DHCP option 82 payload.
• config dhcp opt-82 remote-id ap-ethmac—Adds the Ethernet MAC address of the access point to
the DHCP option 82 payload.
• config dhcp opt-82 remote-id apname:ssid—Adds the AP name and SSID of the access point to
the DHCP option 82 payload.
• config dhcp opt-82 remote-id ap-group-name—Adds the AP group name to the DHCP option 82
payload.
• config dhcp opt-82 remote-id flex-group-name—Adds the FlexConnect group name to the DHCP
option 82 payload.
• config dhcp opt-82 remote-id ap-location—Adds the AP location to the DHCP option 82 payload.
• config dhcp opt-82 remote-id apmac-vlan-id—Adds the radio MAC address of the access point
and the VLAN ID to the DHCP option 82 payload.
• config dhcp opt-82 remote-id apname-vlan-id—Adds the AP name and its VLAN ID to the DHCP
option 82 payload.
• config dhcp opt-82 remote-id ap-ethmac-ssid—Adds the Ethernet MAC address of the access
point and the SSID to the DHCP option 82 payload.
• Configure the format of the DHCP option 82 as binary or ASCII by entering this command:
config dhcp opt-82 format {binary |ascii}
• Enable DHCP Option 82 on the dynamic interface to which the WLAN is associated by entering this
command:
config interface dhcp dynamic-interface interface-name option-82 enable
• See the status of DHCP option 82 on the dynamic interface by entering the show interface detailed
dynamic-interface-name command.
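The relay behaviour described in this chapter (the controller appends option 82 with a Remote-ID sub-option to a client's DHCP request, and drops any request that already carries a relay agent option) written out as an added Python example. This is not Cisco code: the DHCP and option 82 framing follow RFC 2131 and RFC 3046, the ap_mac and ap_mac:ssid Remote-ID formats and the binary/ASCII encodings are the ones named above, but the exact byte layout (raw MAC bytes, or colon-separated hex text), the function names and the DHCPDISCOVER built by sample_discover are this example's own assumptions.

```python
import struct
from typing import List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options magic cookie
HEADER_LEN = 236                              # fixed BOOTP header before the cookie
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUBOPT_REMOTE_ID = 2                          # RFC 3046 Remote-ID sub-option
Options = List[Tuple[int, bytes]]


def parse_options(payload: bytes) -> Options:
    """Decode the TLV option area (after the cookie) into (code, data) pairs; stops at End."""
    opts, i = [], 0
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        opts.append((code, payload[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def encode_options(opts: Options) -> bytes:
    out = bytearray()
    for code, data in opts:
        if len(data) > 255:
            raise ValueError("DHCP option data is limited to 255 bytes")
        out += bytes([code, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)


def remote_id(fmt: str, ap_mac: bytes, ssid: str, encoding: str) -> bytes:
    """Remote-ID payload for the ap_mac and ap_mac:ssid formats named on the page. The byte
    layout (raw MAC bytes, or colon-separated hex text) is this example's assumption."""
    if fmt == "ap_mac":
        fields = [ap_mac]
    elif fmt == "ap_mac:ssid":
        fields = [ap_mac, ssid.encode()]
    else:
        raise ValueError(f"unsupported remote-id format {fmt!r}")
    if encoding == "binary":
        return b"".join(fields)
    if encoding == "ascii":
        mac_text = ":".join(f"{b:02x}" for b in ap_mac)
        return ":".join([mac_text] + [f.decode() for f in fields[1:]]).encode()
    raise ValueError(f"unsupported encoding {encoding!r}")


def relay_with_option82(packet: bytes, ap_mac: bytes, ssid: str,
                        fmt: str = "ap_mac", encoding: str = "binary") -> Optional[bytes]:
    """Controller behaviour from the page: a client request that already carries a relay
    agent option is dropped (None); otherwise option 82 is appended before forwarding."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts = parse_options(packet[HEADER_LEN + 4:])
    if any(code == OPT_RELAY_AGENT for code, _ in opts):
        return None
    rid = remote_id(fmt, ap_mac, ssid, encoding)
    opts.append((OPT_RELAY_AGENT, bytes([SUBOPT_REMOTE_ID, len(rid)]) + rid))
    return packet[:HEADER_LEN + 4] + encode_options(opts)


def option82_remote_id(packet: bytes) -> Optional[bytes]:
    """What the DHCP server would read back: the Remote-ID inside option 82, if present."""
    for code, data in parse_options(packet[HEADER_LEN + 4:]):
        if code == OPT_RELAY_AGENT:
            i = 0
            while i + 2 <= len(data):
                sub, length = data[i], data[i + 1]
                if sub == SUBOPT_REMOTE_ID:
                    return data[i + 2:i + 2 + length]
                i += 2 + length
    return None


def sample_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """A constructed DHCPDISCOVER: BOOTP header, cookie, message-type option, End."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,                  # op, htype, hlen, hops, xid, secs, flags
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + encode_options([(OPT_MSG_TYPE, b"\x01")])
```

Running relay_with_option82 twice over the same request shows the drop rule in action: the second pass sees the option 82 the first pass added and returns None, which is exactly what protects the server from a client that forges its own relay agent information.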
CHAPTER
52
Configuring and Applying Access Control Lists
• Information about Access Control Lists, on page 435
• Guidelines and Restrictions on Access Control Lists, on page 435
• Configuring and Applying Access Control Lists (GUI), on page 436
• Configuring and Applying Access Control Lists (CLI), on page 440
Information about Access Control Lists
An Access Control List (ACL) is a set of rules used to limit access to a particular interface (for example, if
you want to restrict a wireless client from pinging the management interface of the controller). After ACLs
are configured on the controller, they can be applied to the management interface, the AP-manager interface,
any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients or to the controller
central processing unit (CPU) to control all traffic destined for the CPU.
You may also want to create a preauthentication ACL for web authentication. Such an ACL could be used to
allow certain types of traffic before authentication is complete.
Both IPv4 and IPv6 ACL are supported. IPv6 ACLs support the same options as IPv4 ACLs including source,
destination, source and destination ports.
Note
You can enable only IPv4 traffic in your network by blocking IPv6 traffic. That is, you can configure an IPv6
ACL to deny all IPv6 traffic and apply it on specific or all WLANs.
Guidelines and Restrictions on Access Control Lists
• You can define up to 64 ACLs, each with up to 64 rules (or filters) for both IPv4 and IPv6. Each rule
has parameters that affect its action. When a packet matches all of the parameters for a rule, the action
set for that rule is applied to the packet.
• When you apply CPU ACLs on a Cisco 5508 WLC or a Cisco WiSM2, you must permit traffic towards
the virtual interface IP address for web authentication.
• All ACLs have an implicit “deny all rule” as the last rule. If a packet does not match any of the rules, it
is dropped by the controller.
• If you are using an external web server with a Cisco 5508 WLC or a WLC network module, you must
configure a preauthentication ACL on the WLAN for the external web server.
• Multicast traffic received from wired networks that is destined to wireless clients is not processed by
WLC ACLs. Multicast traffic initiated from wireless clients, destined to wired networks or other wireless
clients on the same controller, is processed by WLC ACLs.
• ACLs are configured on the controller directly or configured through templates. The ACL name must
be unique.
• You can configure ACL per client (AAA overridden ACL) or on either an interface or a WLAN. The
AAA overridden ACL has the highest priority. However, each interface, WLAN, or per client ACL
configuration that you apply can override one another.
• If peer-to-peer blocking is enabled, traffic is blocked between peers even if the ACL allows traffic between
them.
• When you create an ACL, it is recommended that you perform the two actions (create the ACL or ACL rule, and
apply the ACL or ACL rule) consecutively from either the CLI or the GUI.
• Mobility pings on ports 16666 and 16667 are notable exceptions: these ports cannot be blocked by any ACL.
• When high priority for an ACL is enabled, two types of rules are possible as follows:
• Deny: If you add the Deny rule, all the relevant services under the rule are blocked or disabled. This
does not depend on the configuration status of the services.
• Permit: If you add the Permit rule, all the relevant services might require more configuration that
are based on the nature of the service, for the service to be functional. For example, Telnet/SSH do
not require more configuration for their services to be functional, whereas HTTP/HTTPS do require
more configuration for their services to be functional.
• ACLs do not affect the service ports of controllers.
• URL domain configuration for IPv6 ACLs is not supported. However, it is supported in the case of IPv4
ACLs.
• DNS traffic is permitted by default with or without ACL entries for clients that are awaiting web
authentication.
Configuring and Applying Access Control Lists (GUI)
Configuring Access Control Lists (GUI)
Step 1
Choose Security > Access Control Lists > Access Control Lists to open the Access Control Lists page.
Step 2
If you want to see if packets are hitting any of the ACLs configured on your controller, select the Enable Counters
check box and click Apply. Otherwise, leave the check box unselected, which is the default value. This feature is useful
when troubleshooting your system.
Note
If you want to clear the counters for an ACL, hover your cursor over the blue drop-down arrow for that ACL
and choose Clear Counters.
Step 3
Add a new ACL by clicking New. The Access Control Lists > New page appears.
Step 4
In the Access Control List Name text box, enter a name for the new ACL. You can enter up to 32 alphanumeric
characters.
Step 5
Choose the ACL type. There are two types of ACL supported, IPv4 and IPv6.
Step 6
Click Apply. When the Access Control Lists page reappears, click the name of the new ACL.
Step 7
When the Access Control Lists > Edit page appears, click Add New Rule. The Access Control Lists > Rules > New
page appears.
Step 8
Configure a rule for this ACL as follows:
a) The controller supports up to 64 rules for each ACL. These rules are listed in order from 1 to 64. In the Sequence
text box, enter a value (between 1 and 64) to determine the order of this rule in relation to any other rules defined
for this ACL.
Note
If rules 1 through 4 are already defined and you add rule 29, it is added as rule 5. If you add or change a
sequence number for a rule, the sequence numbers for other rules adjust to maintain a continuous sequence.
For instance, if you change a rule’s sequence number from 7 to 5, the rules with sequence numbers 5 and
6 are automatically reassigned as 6 and 7, respectively.
b) From the Source drop-down list, choose one of these options to specify the source of the packets to which this ACL
applies:
• Any—Any source (this is the default value).
• IP Address—A specific source. If you choose this option, enter the IP address and netmask of the source in
the text boxes. If you are configuring an IPv6 ACL, enter the IPv6 address and prefix length of the source
in the text boxes.
c) From the Destination drop-down list, choose one of these options to specify the destination of the packets to which
this ACL applies:
• Any—Any destination (this is the default value).
• IP Address—A specific destination. If you choose this option, enter the IP address and netmask of the
destination in the text boxes. If you are configuring IPv6 ACL, enter the IPv6 address and prefix length of the
destination in the text boxes.
d) From the Protocol drop-down list, choose the protocol ID of the IP packets to be used for this ACL. These are the
protocol options:
• Any—Any protocol (this is the default value)
• TCP—Transmission Control Protocol
• UDP—User Datagram Protocol
• ICMP/ICMPv6—Internet Control Message Protocol
Note
ICMPv6 is only available for IPv6 ACL.
• ESP—IP Encapsulating Security Payload
• AH—Authentication Header
• GRE—Generic Routing Encapsulation
• IP in IP—Internet Protocol (IP) in IP (permits or denies IP-in-IP packets)
• Eth Over IP—Ethernet-over-Internet Protocol
• OSPF—Open Shortest Path First
• Other—Any other Internet Assigned Numbers Authority (IANA) protocol
Note
If you choose Other, enter the number of the desired protocol in the Protocol text box. You can find
the list of assigned protocol numbers on the IANA website.
The controller can permit or deny only IP packets in an ACL. Other types of packets (such as ARP packets) cannot
be specified.
e) If you chose TCP or UDP in the previous step, two additional parameters appear: Source Port and Destination Port.
These parameters enable you to choose a specific source port and destination port or port ranges. The port options
are used by applications that send and receive data to and from the networking stack. Some ports are designated
for certain applications such as Telnet, SSH, HTTP, and so on.
Note
The source and destination port options that are available depend on the ACL type.
f) From the DSCP drop-down list, choose one of these options to specify the differentiated services code point (DSCP)
value of this ACL. DSCP is an IP header text box that can be used to define the quality of service across the Internet.
• Any—Any DSCP (this is the default value)
• Specific—A specific DSCP from 0 to 63, which you enter in the DSCP edit box
g) From the Direction drop-down list, choose one of these options to specify the direction of the traffic to which this
ACL applies:
• Any—Any direction (this is the default value)
• Inbound—From the client
• Outbound—To the client
Note
If you are planning to apply this ACL to the controller CPU, the packet direction does not have any
significance, it is always ‘Any’.
h) From the Action drop-down list, choose Deny to cause this ACL to block packets or Permit to cause this ACL to
allow packets. The default value is Deny.
i) Click Apply to commit your changes. The Access Control Lists > Edit page reappears, showing the rules for this
ACL.
Note
The Deny Counters field shows the number of times that packets have matched the implicit deny rule. The
Number of Hits field shows the number of times that packets have matched an ACL rule. You must enable ACL
counters on the Access Control Lists page to enable these fields.
Note
If you want to edit a rule, click the sequence number of the desired rule to open the Access Control Lists
> Rules > Edit page. If you want to delete a rule, hover your cursor over the blue drop-down arrow for
the desired rule and choose Remove.
j) Repeat this procedure to add any additional rules for this ACL.
Step 9
Click Save Configuration to save your changes.
Step 10
Repeat this procedure to add any additional ACLs.
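The rule semantics described in this procedure and in the guidelines above (sequence numbers that shift to stay continuous when a rule is inserted or renumbered, first matching rule wins, an implicit deny-all as the last rule, the Number of Hits and Deny Counters, and direction being meaningless for a CPU ACL) modelled as a small Python evaluator. This is an added example, not Cisco code or the controller's implementation. cpu_acl_example lays out a CPU ACL the way the page advises, with the RRM ports 12124-12125 and 12134-12135 permitted at the top; the admin subnet 10.10.0.0/24, the assumed UDP transport for RRM, and the Rule, Packet and Acl names are this example's own. wlan_acl_example is the page's own motivating case, a WLAN ACL that stops wireless clients pinging the management interface.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"
PortRange = Optional[Tuple[int, int]]  # inclusive range; None matches any port

@dataclass(eq=False)
class Rule:
    action: str                 # "permit" or "deny"
    protocol: str = ANY         # "tcp", "udp", "icmp", an IANA number as text, or ANY
    src: str = ANY              # source network in CIDR notation, or ANY
    dst: str = ANY              # destination network in CIDR notation, or ANY
    src_port: PortRange = None  # port ranges only make sense for tcp/udp
    dst_port: PortRange = None
    direction: str = ANY        # "in" (from the client), "out" (to the client) or ANY
    hits: int = 0               # the GUI's "Number of Hits" counter

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    direction: str              # "in" or "out"
    src_port: int = 0
    dst_port: int = 0

def _addr_ok(net: str, addr: str) -> bool:
    return net == ANY or ip_address(addr) in ip_network(net, strict=False)

def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]

class Acl:
    MAX_RULES = 64

    def __init__(self, name: str):
        if not 1 <= len(name) <= 32:
            raise ValueError("ACL name must be 1 to 32 characters")
        self.name = name
        self.rules: List[Rule] = []
        self.deny_counter = 0   # hits on the implicit deny-all (the GUI's "Deny Counters")

    def add_rule(self, sequence: int, rule: Rule) -> int:
        """Insert at the requested sequence; later rules shift down. A sequence past the
        end appends (rules 1-4 defined, add 29 -> it becomes 5). Returns the real sequence."""
        if len(self.rules) >= self.MAX_RULES or not 1 <= sequence <= self.MAX_RULES:
            raise ValueError("an ACL holds at most 64 rules, numbered 1 to 64")
        index = min(sequence, len(self.rules) + 1) - 1
        self.rules.insert(index, rule)
        return index + 1

    def move_rule(self, old_sequence: int, new_sequence: int) -> None:
        # renumbering: the displaced rules shift to keep the sequence continuous
        rule = self.rules.pop(old_sequence - 1)
        self.rules.insert(min(new_sequence, len(self.rules) + 1) - 1, rule)

    def sequence_of(self, rule: Rule) -> int:
        return self.rules.index(rule) + 1

    def evaluate(self, pkt: Packet, applied_to_cpu: bool = False) -> str:
        """First matching rule wins; no match falls through to the implicit deny."""
        for rule in self.rules:
            if self._matches(rule, pkt, ignore_direction=applied_to_cpu):
                rule.hits += 1
                return rule.action
        self.deny_counter += 1
        return "deny"

    @staticmethod
    def _matches(rule: Rule, pkt: Packet, ignore_direction: bool) -> bool:
        if rule.protocol != ANY and rule.protocol != pkt.protocol:
            return False
        if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
            return False
        if rule.src_port is not None or rule.dst_port is not None:
            if pkt.protocol not in ("tcp", "udp"):
                return False
            if not (_port_ok(rule.src_port, pkt.src_port) and _port_ok(rule.dst_port, pkt.dst_port)):
                return False
        # direction has no meaning for a CPU ACL: the page says it is always "Any" there
        if not ignore_direction and rule.direction not in (ANY, pkt.direction):
            return False
        return True

def cpu_acl_example(admin_subnet: str = "10.10.0.0/24", mgmt_ip: str = "209.165.201.1") -> Acl:
    """CPU ACL laid out as the page advises: the RRM ports permitted at the top, then SSH and
    HTTPS from an admin subnet (an assumption), everything else hitting the implicit deny.
    The page does not name the RRM transport; UDP here is an assumption."""
    acl = Acl("CPU-ACL")
    acl.add_rule(1, Rule("permit", "udp", dst_port=(12124, 12125)))
    acl.add_rule(2, Rule("permit", "udp", dst_port=(12134, 12135)))
    acl.add_rule(3, Rule("permit", "tcp", src=admin_subnet, dst=mgmt_ip + "/32", dst_port=(22, 22)))
    acl.add_rule(4, Rule("permit", "tcp", src=admin_subnet, dst=mgmt_ip + "/32", dst_port=(443, 443)))
    return acl

def wlan_acl_example(mgmt_ip: str = "209.165.201.1") -> Acl:
    """The page's own WLAN example: stop wireless clients pinging the management interface."""
    acl = Acl("NO-PING-MGMT")
    acl.add_rule(1, Rule("deny", "icmp", dst=mgmt_ip + "/32", direction="in"))
    acl.add_rule(2, Rule("permit"))          # without this, the implicit deny drops everything
    return acl
```

The trailing permit-any in wlan_acl_example is the check most often forgotten when translating a "block one thing" intent into a WLC ACL: because of the implicit deny, a single deny rule on its own blocks every packet, and the Deny Counters field is where that mistake shows up first.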
Applying an Access Control List to an Interface (GUI)
Step 1
Choose Controller > Interfaces.
Step 2
Click the name of the desired interface. The Interfaces > Edit page for that interface appears.
Step 3
Choose the desired ACL from the ACL Name drop-down list and click Apply. The default is None.
Note
IPv6 ACLs are supported only on the management interface.
Step 4
Click Save Configuration to save your changes.
Applying an Access Control List to the Controller CPU (GUI)
Before you begin
Before you apply ACL rules, ensure that you have explicitly set the following RRM ports to allow in the CPU
ACL:
• 12124-12125
• 12134-12135
Also ensure that you add these ACL rules specifically at the top of the ACL list.
If you do not set these RRM ports to allow, the ports are blocked by default.
Step 1
Choose Security > Access Control Lists > CPU Access Control Lists to open the CPU Access Control Lists page.
Step 2
Select the Enable CPU ACL check box to enable a designated ACL to control the IPv4 traffic to the controller CPU or
unselect the check box to disable the CPU ACL feature and remove any ACL that had been applied to the CPU. The
default value is unselected.
Step 3
From the ACL Name drop-down list, choose the ACL that will control the IPv4 traffic to the controller CPU. None is
the default value when the CPU ACL feature is disabled. If you choose None while the Enable CPU ACL check box is
selected, an error message appears indicating that you must choose an ACL.
Note
This parameter is available only if you have selected the Enable CPU ACL check box.
Note
When CPU ACL is enabled, it is applicable to both wireless and wired traffic.
Step 4
Select the Enable CPU IPv6 ACL check box to enable a designated ACL to control the IPv6 traffic to the controller
CPU or unselect the check box to disable the CPU ACL feature and remove any ACL that had been applied to the CPU.
The default value is unselected.
Note
For CPU IPv6 ACL, along with permit rules for HTTP/Telnet, you must add a rule to allow ICMPv6 (NA/ND
uses ICMPv6) for the CPU IPv6 ACLs to work.
Step 5
From the IPv6 ACL Name drop-down list, choose the ACL that will control the IPv6 traffic to the controller CPU. None
is the default value when the CPU ACL feature is disabled. If you choose None while the Enable CPU IPv6 ACL check
box is selected, an error message appears indicating that you must choose an ACL.
Step 6
Click Apply to commit your changes.
Step 7
Click Save Configuration to save your changes.
Applying an Access Control List to a WLAN (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the desired WLAN to open the WLANs > Edit page.
Step 3
Choose the Advanced tab to open the WLANs > Edit (Advanced) page.
Step 4
From the Override Interface ACL drop-down list, choose the IPv4 or IPv6 ACL that you want to apply to this WLAN.
The ACL that you choose overrides any ACL that is configured for the interface. None is the default value.
Note
To support centralized access control through AAA server such as ISE or ACS, IPv6 ACL must be configured
on the controller and the WLAN must be configured with AAA override enabled feature.
Step 5
Click Apply.
Step 6
Click Save Configuration.
Applying a Preauthentication Access Control List to a WLAN (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the desired WLAN to open the WLANs > Edit page.
Step 3
Choose the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page.
Step 4
Select the Web Policy check box.
Step 5
From the Preauthentication ACL drop-down list, choose the desired ACL and click Apply. None is the default value.
Step 6
Save the configuration.
Configuring and Applying Access Control Lists (CLI)
Configuring Access Control Lists (CLI)
Step 1
See all of the ACLs that are configured on the controller by entering this command:
show [ipv6] acl summary
Step 2
See detailed information for a particular ACL by entering this command:
show [ipv6] acl detailed acl_name
The Counter text box increments each time a packet matches an ACL rule, and the DenyCounter text box increments
each time a packet does not match any of the rules.
Note
If traffic or a request is allowed from the controller by a permit rule, the response to that traffic or request in
the opposite direction is also allowed and cannot be blocked by a deny rule in the ACL.
Step 3
Enable or disable ACL counters for your controller by entering this command:
config acl counter {start | stop}
Note
If you want to clear the current counters for an ACL, enter the clear acl counters acl_name command.
Step 4
Add a new ACL by entering this command:
config [ipv6] acl create acl_name
You can enter up to 32 alphanumeric characters for the acl_name parameter.
Note
When you try to create an interface name with a space, the controller CLI does not create an interface. For
example, if you want to create an interface name int 3, the CLI will not create it because there is a space between
int and 3. If you want to use int 3 as the interface name, you need to enclose it within single quotes, as in ‘int 3’.
Step 5
Add a rule for an ACL by entering this command:
config [ipv6] acl rule add acl_name rule_index
Step 6
Configure the parameters of the rule (action, source and destination addresses, protocol, ports, direction, and
DSCP) by entering the corresponding config [ipv6] acl rule commands.
Step 7
Save your settings by entering this command:
save config
Note
To delete an ACL, enter the config [ipv6] acl delete acl_name command. To delete an ACL rule, enter the
config [ipv6] acl rule delete acl_name rule_index command.
Applying Access Control Lists (CLI)
Step 1
Perform the following to apply an IPv4 ACL:
• To apply an ACL to the IPv4 data path, enter this command:
config acl apply acl_name
• To apply an ACL to the controller CPU to restrict the IPv4 type of traffic (wired, wireless, or both) reaching the
CPU, enter this command:
config acl cpu acl_name {wired | wireless | both}
Note
To see the ACL that is applied to the controller CPU, enter the show acl cpu command. To remove the
ACL that is applied to the controller CPU, enter the config acl cpu none command.
Note
For 2504 and 4400 series WLC, the CPU ACL cannot be used to control the CAPWAP traffic. Use the
access-list on the network to control CAPWAP traffic.
Step 2
Perform the following to apply an IPv6 ACL:
Perform the following to apply an IPv6 ACL:
• To apply an ACL to an IPv6 data path, enter this command:
config ipv6 acl apply name
• To apply an ACL to the controller CPU to restrict the IPv6 type of traffic (wired, wireless, or both) reaching the
CPU, enter this command:
config ipv6 acl cpu {name|none}
Step 3
To apply an ACL to a WLAN, enter this command:
• config wlan acl wlan_id acl_name
Note
To see the ACL that is applied to a WLAN, enter the show wlan wlan_id command. To remove the ACL
that is applied to a WLAN, enter the config wlan acl wlan_id none command.
Step 4
To apply a pre-authentication ACL to a WLAN, enter this command:
• config wlan security web-auth acl wlan_id acl_name
Step 5
Save your changes by entering this command:
save config
CHAPTER
53
Configuring Management Frame Protection
• Protected Management Frames (Management Frame Protection), on page 443
• Restrictions for Management Frame Protection, on page 444
• Configuring Infrastructure MFP (GUI), on page 445
• Viewing the Management Frame Protection Settings (GUI), on page 445
• Configuring Infrastructure MFP (CLI), on page 446
• Viewing the Management Frame Protection Settings (CLI), on page 446
• Debugging Management Frame Protection Issues (CLI), on page 446
Protected Management Frames (Management Frame Protection)
By default, 802.11 management frames are unauthenticated and hence not protected against spoofing.
Infrastructure management frame protection (MFP) and 802.11w protected management frames (PMF) provide
protection against such attacks.
Infrastructure MFP
Infrastructure MFP protects management frames by detecting adversaries that are invoking denial-of-service
attacks, flooding the network with associations and probes, interjecting as rogue APs, and affecting network
performance by attacking the QoS and radio measurement frames. Infrastructure MFP is a global setting that
provides a quick and effective means to detect and report spoofing incidents.
Specifically, infrastructure MFP protects 802.11 session management functions by adding message integrity
check information elements (MIC IEs) to the management frames emitted by APs (and not those emitted by
clients), which are then validated by other APs in the network. Infrastructure MFP is passive, can detect and
report intrusions but has no means to stop them.
Infrastructure MFP consists of three main components:
• Management frame protection: The AP protects the management frames it transmits by adding a MIC
IE to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any
receiving AP configured to detect MFP frames to report the discrepancy. MFP is supported for use with
Cisco Aironet lightweight APs.
• Management frame validation: In infrastructure MFP, the AP validates every management frame that
it receives from other APs in the network. It ensures that the MIC IE is present (when the originator is
configured to transmit MFP frames) and matches the content of the management frame. If it receives
any frame that does not contain a valid MIC IE from a BSSID belonging to an AP that is configured to
transmit MFP frames, it reports the discrepancy to the network management system. In order for the
timestamps to operate properly, all controllers must be Network Time Protocol (NTP) synchronized.
• Event reporting: The AP notifies the controller when it detects an anomaly, and the controller aggregates
the received anomaly events and can report the results through SNMP traps to the network management
system.
Infrastructure MFP is disabled by default, and you can enable it globally. When you upgrade from a previous
software release, infrastructure MFP is disabled globally if you have enabled AP authentication because the
two features are mutually exclusive. When you enable infrastructure MFP globally, signature generation
(adding MICs to outbound frames) can be disabled for selected WLANs, and validation can be disabled for
selected APs.
Note
CCXv5 client MFP is no longer supported. Client MFP is enabled as optional by default on WLANs that are
configured for WPA2. However, client MFP is not supported on Wave 2 APs or 802.11ax Wi-Fi6 APs, and
there exist no clients that support CCXv5.
802.11w PMF
802.11w standard protects the transmission of control and management frames, between APs and clients,
against forgery and replay attacks. The frame types protected include Disassociation, Deauthentication, and
Robust Action frames such as:
• Spectrum Management
• Quality of Service (QoS)
• Block Ack
• Radio measurement
• Fast Basic Service Set (BSS) Transition
Additional Reference: Configure 802.11w Management Frame Protection on WLC
This section contains the following subsections:
Restrictions for Management Frame Protection
• Lightweight access points support infrastructure MFP in local and monitor modes and in FlexConnect
mode when the access point is connected to a controller. They support client MFP in local, FlexConnect,
and bridge modes.
• Client MFP is supported for use only with CCXv5 clients using WPA2 with TKIP or AES-CCMP.
• Non-CCXv5 clients may associate to a WLAN if client MFP is disabled or optional.
• Error reports generated on a FlexConnect access point in standalone mode cannot be forwarded to the
controller and are dropped.
Configuring Infrastructure MFP (GUI)
Step 1
Choose Security> Wireless Protection Policies > AP Authentication/MFP to open the AP Authentication Policy page.
Step 2
Enable infrastructure MFP globally for the controller by choosing Management Frame Protection from the Protection
Type drop-down list.
Step 3
Click Apply to commit your changes.
Note
If more than one controller is included in the mobility group, you must configure an NTP/SNTP server on all
controllers in the mobility group that are configured for infrastructure MFP.
Step 4
Configure client MFP for a particular WLAN after infrastructure MFP has been enabled globally for the controller as
follows:
a) Choose WLANs.
b) Click the profile name of the desired WLAN. The WLANs > Edit page appears.
c) Choose Advanced. The WLANs > Edit (Advanced) page is displayed.
d) From the MFP Client Protection drop-down list, choose Disabled, Optional, or Required. The default value is
Optional. If you choose Required, clients are allowed to associate only if MFP is negotiated (that is, if WPA2 is
configured on the controller and the client supports CCXv5 MFP and is also configured for WPA2).
Note
For Cisco OEAP 600, MFP is not supported. It should either be Disabled or Optional.
e) Click Apply to commit your changes.
Step 5
Save the configuration.
Viewing the Management Frame Protection Settings (GUI)
To see the controller’s current global MFP settings, choose Security > Wireless Protection Policies >
Management Frame Protection. The Management Frame Protection Settings page appears.
On this page, you can see the following MFP settings:
• The Management Frame Protection field shows if infrastructure MFP is enabled globally for the
controller.
• The Controller Time Source Valid field indicates whether the controller time is set locally (by manually
entering the time) or through an external source (such as the NTP/SNTP server). If the time is set by an
external source, the value of this field is “True.” If the time is set locally, the value is “False.” The time
source is used for validating the timestamp on management frames between access points of different
controllers within a mobility group.
• The Client Protection field shows if client MFP is enabled for individual WLANs and whether it is
optional or required.
Configuring Infrastructure MFP (CLI)
Procedure
• Enable or disable infrastructure MFP globally for the controller by entering this command:
config wps mfp infrastructure {enable | disable}
• Enable or disable client MFP on a specific WLAN by entering this command:
config wlan mfp client {enable | disable} wlan_id [required]
If you enable client MFP and use the optional required parameter, clients are allowed to associate only
if MFP is negotiated.
Viewing the Management Frame Protection Settings (CLI)
Procedure
• See the controller’s current MFP settings by entering this command:
show wps mfp summary
• See the current MFP configuration for a particular WLAN by entering this command:
show wlan wlan_id
• See whether client MFP is enabled for a specific client by entering this command:
show client detail client_mac
• See MFP statistics for the controller by entering this command:
show wps mfp statistics
Note
This report contains no data unless an active attack is in progress. This table is cleared every 5 minutes when
the data is forwarded to any network management stations.
Debugging Management Frame Protection Issues (CLI)
Procedure
• Use this command if you experience any problems with MFP:
debug wps mfp ? {enable | disable}
where ? is one of the following:
client—Configures debugging for client MFP messages.
capwap—Configures debugging for MFP messages between the controller and access points.
detail—Configures detailed debugging for MFP messages.
report—Configures debugging for MFP reporting.
mm—Configures debugging for MFP mobility (inter-controller) messages.
CHAPTER 54
Configuring Client Exclusion Policies
• Configuring Client Exclusion Policies (GUI), on page 449
• Configuring Client Exclusion Policies (CLI), on page 450
Configuring Client Exclusion Policies (GUI)
Step 1
Choose Security > Wireless Protection Policies > Client Exclusion Policies to open the Client Exclusion Policies page.
Step 2
Select any of these check boxes if you want the controller to exclude clients for the condition specified. The default value
for each exclusion policy is enabled.
• Excessive 802.11 Association Failures: Clients are excluded on the sixth 802.11 association attempt, after five
consecutive failures.
• Excessive 802.11 Authentication Failures: Clients are excluded on the sixth 802.11 authentication attempt, after
five consecutive failures.
• Excessive 802.1X Authentication Failures: Clients are excluded on the fourth 802.1X authentication attempt, after
three consecutive failures.
Note
In some configurations, 802.1X exclusion may not occur. For more information, see
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/214466-802-1x-client-exclusion-on-an-aireos-wlc.html.
• Maximum 802.1x-AAA Failure Attempts: Clients are excluded after a maximum number of 802.1X-AAA failure
attempts with the RADIUS server. Valid range of maximum number of 802.1X-AAA failure attempts that you can
configure is 1 to 10 with the default value being 3.
• IP Theft or IP Reuse: Clients are excluded if the IP address is already assigned to another device.
• Excessive Web Authentication Failures: Clients are excluded on the fourth web authentication attempt, after
three consecutive failures.
Step 3
Save your configuration.
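The exclusion thresholds listed in Step 2, modelled as per-client counters so the "sixth attempt after five consecutive failures" behaviour, the reset on a successful attempt, the configurable 802.1X-AAA maximum and IP theft can be traced on a sample event stream. This is an added example, not controller code; the MAC addresses, IP addresses and exclusion-reason strings are constructed.

```python
from collections import defaultdict

# Consecutive failures tolerated before the next attempt is excluded (this chapter's numbers):
# five for 802.11 association and authentication, three for 802.1X and web authentication.
FAILURE_THRESHOLDS = {
    "802.11-assoc": 5,   # excluded on the sixth association attempt
    "802.11-auth": 5,    # excluded on the sixth 802.11 authentication attempt
    "802.1x-auth": 3,    # excluded on the fourth 802.1X authentication attempt
    "web-auth": 3,       # excluded on the fourth web authentication attempt
}


class ClientExclusionPolicy:
    """Per-client exclusion counters modelled on the policies above (constructed example)."""

    def __init__(self, max_1x_aaa_fail_attempts=3, disabled=()):
        if not 1 <= max_1x_aaa_fail_attempts <= 10:
            raise ValueError("max-1x-aaa-fail-attempts must be 1..10")
        self.max_aaa = max_1x_aaa_fail_attempts
        self.disabled = set(disabled)          # policies switched off, e.g. {"ip-theft"}
        self.failures = defaultdict(int)       # (mac, reason) -> consecutive failures
        self.aaa_failures = defaultdict(int)   # mac -> 802.1X-AAA (RADIUS) failures
        self.ip_owner = {}                     # ip -> mac currently holding it
        self.excluded = {}                     # mac -> exclusion reason

    def attempt(self, mac, reason, success):
        """Record one attempt for `reason`; returns the exclusion reason or None."""
        if mac in self.excluded:
            return self.excluded[mac]
        if reason == "802.1x-aaa":
            # Excluded after max_aaa failures with the RADIUS server, not on the following attempt
            self.aaa_failures[mac] = 0 if success else self.aaa_failures[mac] + 1
            if reason not in self.disabled and self.aaa_failures[mac] >= self.max_aaa:
                return self._exclude(mac, "802.1X-AAA Failure")
            return None
        key = (mac, reason)
        if reason not in self.disabled and self.failures[key] >= FAILURE_THRESHOLDS[reason]:
            # The attempt that follows N consecutive failures is the one that gets excluded
            return self._exclude(mac, reason + " Failure")
        self.failures[key] = 0 if success else self.failures[key] + 1  # a success resets the run
        return None

    def ip_learned(self, mac, ip):
        """A client presents an IP address; exclude it if another client already holds that IP."""
        owner = self.ip_owner.get(ip)
        if owner is not None and owner != mac and "ip-theft" not in self.disabled:
            return self._exclude(mac, "IP Theft")
        self.ip_owner[ip] = mac
        return None

    def exclusion_list(self):
        """(MAC, reason) rows, the columns show exclusionlist prints first."""
        return sorted(self.excluded.items())

    def _exclude(self, mac, why):
        self.excluded[mac] = why
        return why


def replay(policy, events):
    """Feed constructed (mac, kind, detail) events; returns {mac: reason} of excluded clients."""
    for mac, kind, detail in events:
        if kind == "ip":
            policy.ip_learned(mac, detail)
        else:
            policy.attempt(mac, kind, success=(detail == "ok"))
    return dict(policy.excluded)


# Constructed event stream: one client failing 802.1X three times and then trying again,
# one client whose successful association resets its counter, and one IP address clash.
SAMPLE_EVENTS = [
    ("00:40:96:b4:82:55", "802.1x-auth", "fail"),
    ("00:40:96:b4:82:55", "802.1x-auth", "fail"),
    ("00:40:96:b4:82:55", "802.1x-auth", "fail"),
    ("00:40:96:b4:82:55", "802.1x-auth", "fail"),
    ("00:40:96:b4:82:56", "802.11-assoc", "fail"),
    ("00:40:96:b4:82:56", "802.11-assoc", "fail"),
    ("00:40:96:b4:82:56", "802.11-assoc", "ok"),
    ("00:40:96:b4:82:57", "ip", "10.0.0.5"),
    ("00:40:96:b4:82:58", "ip", "10.0.0.5"),
]

if __name__ == "__main__":
    print(replay(ClientExclusionPolicy(), SAMPLE_EVENTS))
```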
Configuring Client Exclusion Policies (CLI)
Step 1
Enable or disable the controller to exclude clients on the sixth 802.11 association attempt, after five consecutive failures
by entering this command:
config wps client-exclusion 802.11-assoc {enable | disable}
Step 2
Enable or disable the controller to exclude clients on the sixth 802.11 authentication attempt, after five consecutive
failures by entering this command:
config wps client-exclusion 802.11-auth {enable | disable}
Step 3
Enable or disable the controller to exclude clients on the fourth 802.1X authentication attempt, after three consecutive
failures by entering this command:
config wps client-exclusion 802.1x-auth {enable | disable}
Step 4
Configure the controller to exclude clients after a maximum number of 802.1X-AAA failure attempts with the RADIUS
server by entering this command:
config wps client-exclusion 802.1x-auth max-1x-aaa-fail-attempts num-of-attempts
Valid range for the maximum number of 802.1X-AAA failure attempts with the RADIUS server is 1 to 10 with the default
value being 3.
Step 5
Enable or disable the controller to exclude clients if the IP address is already assigned to another device by entering
this command:
config wps client-exclusion ip-theft {enable | disable}
Step 6
Enable or disable the controller to exclude clients on the fourth web authentication attempt, after three consecutive
failures by entering this command:
config wps client-exclusion web-auth {enable | disable}
Step 7
Enable or disable the controller to exclude clients for all of the above reasons by entering this command:
config wps client-exclusion all {enable | disable}
Step 8
Use the following command to add or delete client exclusion entries.
config exclusionlist {add mac-addr description | delete mac-addr | description mac-addr description}
• add: Creates a local exclusion-list entry.
• delete: Deletes a local exclusion-list entry.
• description: Sets the description for an exclusion-list entry.
Step 9
Save your changes by entering this command:
save config
Step 10
See a list of clients that have been dynamically excluded, by entering this command:
show exclusionlist
Information similar to the following appears:
Dynamically Disabled Clients
----------------------------
MAC Address         Exclusion Reason    Time Remaining (in secs)
-----------         ----------------    ------------------------
00:40:96:b4:82:55   802.1X Failure      51
Step 11
See the client exclusion policy configuration settings by entering this command:
show wps summary
Information similar to the following appears:
Auto-Immune
Auto-Immune.............................. Disabled
Client Exclusion Policy
Excessive 802.11-association failures.......... Enabled
Excessive 802.11-authentication failures....... Enabled
Excessive 802.1x-authentication................ Enabled
IP-theft....................................... Enabled
Excessive Web authentication failure........... Enabled
Maximum 802.1x-AAA failure attempts............ 3
Signature Policy
Signature Processing........................ Enabled
CHAPTER 55
Configuring Identity Networking
• AAA Override (Identity Networking), on page 453
• RADIUS Attributes Used in Identity Networking, on page 454
AAA Override (Identity Networking)
In most wireless LAN systems, each WLAN has a static policy that applies to all clients associated with an
SSID. Although powerful, this method has limitations because it requires clients to associate with different
SSIDs to inherit different QoS and security policies.
However, the Cisco Wireless LAN solution supports identity networking, which allows the network to advertise
a single SSID but allows specific users to inherit different QoS or security policies based on their user profiles.
The specific policies that you can control using identity networking are as follows:
• ACL—When the ACL attribute is present in the RADIUS Access Accept, the system applies the ACL
name to the client station after it authenticates, which overrides any ACLs that are assigned to the interface.
• VLAN—When a VLAN Interface-name or VLAN tag is present in a RADIUS Access Accept, the system
places the client on a specific interface.
Note
The VLAN feature only supports MAC filtering, 802.1X, and WPA. The VLAN
feature does not support web authentication or IPsec.
• Tunnel Attributes.
Note
When any of the other RADIUS attributes (QoS-Level, ACL-Name,
Interface-Name, or VLAN-Tag), which are described later in this section, are
returned, the Tunnel Attributes must also be returned.
The operating system’s local MAC filter database has been extended to include the interface name, allowing
local MAC filters to specify to which interface the client should be assigned. A separate RADIUS server can
also be used, but the RADIUS server must be defined using the Security menus.
This section contains the following subsection:
RADIUS Attributes Used in Identity Networking
This section explains the RADIUS attributes used in identity networking.
QoS-Level
This attribute indicates the QoS level to be applied to the mobile client's traffic within the switching fabric,
as well as over the air. This example shows a summary of the QoS-Level Attribute format. The fields
are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |           Vendor-Id           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Vendor-Id (cont.)        |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           QoS Level                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
• Vendor type – 2
• Vendor length – 4
• Value – Three octets:
• 3 – Bronze (Background)
• 0 – Silver (Best Effort)
• 1 – Gold (Video)
• 2 – Platinum (Voice)
ACL-Name
This attribute indicates the ACL name to be applied to the client. A summary of the ACL-Name Attribute
format is shown below. The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |           Vendor-Id           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Vendor-Id (cont.)        |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   ACL Name...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type – 26 for Vendor-Specific
• Length – >7
• Vendor-Id – 14179
• Vendor type – 6
• Vendor length – >0
• Value – A string that includes the name of the ACL to use for the client
Interface Name
This attribute indicates the VLAN Interface a client is to be associated to. A summary of the Interface-Name
Attribute format is shown below. The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |           Vendor-Id           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Vendor-Id (cont.)        |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Interface Name...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type – 26 for Vendor-Specific
• Length – >7
• Vendor-Id – 14179
• Vendor type – 5
• Vendor length – >0
• Value – A string that includes the name of the interface the client is to be assigned to.
Note
This Attribute only works when MAC filtering is enabled or if 802.1X or WPA
is used as the security policy.
VLAN Tag
This attribute indicates the group ID for a particular tunneled session and is also known as the
Tunnel-Private-Group-ID attribute.
This attribute might be included in the Access-Request packet if the tunnel initiator can predetermine the
group resulting from a particular connection and should be included in the Access-Accept packet if this tunnel
session is to be treated as belonging to a particular private group. Private groups may be used to associate a
tunneled session with a particular group of users. For example, it may be used to facilitate routing of unregistered
IP addresses through a particular interface. It should be included in Accounting-Request packets which contain
Acct-Status-Type attributes with values of either Start or Stop and which pertain to a tunneled session.
A summary of the Tunnel-Private-Group-ID Attribute format is shown below. The fields are transmitted
from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |      Tag      |   String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
• Type – 81 for Tunnel-Private-Group-ID.
• Length – >= 3
• Tag – The Tag field is one octet in length and is intended to provide a means of grouping attributes
in the same packet which refer to the same tunnel. If the value of the Tag field is greater than 0x00
and less than or equal to 0x1F, it should be interpreted as indicating which tunnel (of several alternatives)
this attribute pertains to. If the Tag field is greater than 0x1F, it should be interpreted as the first byte
of the following String field.
• String – This field must be present. The group is represented by the String field. There is no
restriction on the format of group IDs.
Note
When any of the other RADIUS attributes (QoS-Level, ACL-Name,
Interface-Name, or VLAN-Tag) are returned, the Tunnel Attributes must also be
returned.
Tunnel Attributes
RFC 2868 defines RADIUS tunnel attributes used for authentication and authorization, and RFC 2867 defines
tunnel attributes used for accounting. Where the IEEE 802.1X authenticator supports tunneling, a compulsory
tunnel may be set up for the Supplicant as a result of the authentication.
In particular, it may be desirable to allow a port to be placed into a particular VLAN, defined in IEEE 802.1Q,
based on the result of the authentication. This configuration can be used, for example, to allow a wireless host
to remain on the same VLAN as it moves within a campus network.
The RADIUS server typically indicates the desired VLAN by including tunnel attributes within the
Access-Accept. However, the IEEE 802.1X authenticator may also provide a hint as to the VLAN to be
assigned to the Supplicant by including Tunnel attributes within the Access-Request.
For use in VLAN assignment, the following tunnel attributes are used:
• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
The VLAN ID is 12 bits, with a value between 1 and 4094, inclusive. Because the Tunnel-Private-Group-ID
is of type String as defined in RFC 2868, for use with IEEE 802.1X, the VLANID integer value is encoded
as a string.
When Tunnel attributes are sent, it is necessary to fill in the Tag field. As noted in RFC 2868, section 3.1:
• The Tag field is one octet in length and is intended to provide a means of grouping attributes in the
same packet that refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive.
If the Tag field is unused, it must be zero (0x00).
• For use with Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Tunnel-Private-Group-ID,
Tunnel-Assignment-ID, Tunnel-Client-Auth-ID or Tunnel-Server-Auth-ID attributes (but not Tunnel-Type,
Tunnel-Medium-Type, Tunnel-Password, or Tunnel-Preference), a tag field of greater than 0x1F is
interpreted as the first octet of the following field.
• Unless alternative tunnel types are provided (for example, for IEEE 802.1X authenticators that may support
tunneling but not VLANs), it is only necessary for tunnel attributes to specify a single tunnel. As a result,
where it is only desired to specify the VLANID, the tag field should be set to zero (0x00) in all tunnel
attributes. Where alternative tunnel types are to be provided, tag values between 0x01 and 0x1F should
be chosen.
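The Airespace VSAs (QoS-Level, ACL-Name, Interface-Name) and the RFC 2868 tunnel attributes described in this section, built and parsed in Python as an added example that is not code from the guide or the controller. It assumes the QoS-Level value is a 4-octet RADIUS integer, as the Airespace-VSA(2, integer) dictionary entry in the next chapter implies, so the attribute Length comes out as 12 rather than the 10 listed above; the ACL name, interface name and VLAN ID are constructed values.

```python
import struct

# Attribute numbers from RFC 2865 (Vendor-Specific) and RFC 2868 (tunnel attributes)
VENDOR_SPECIFIC, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 26, 64, 65, 81
AIRESPACE_VENDOR_ID = 14179
# Airespace vendor types listed in this section
VSA_QOS_LEVEL, VSA_INTERFACE_NAME, VSA_ACL_NAME = 2, 5, 6
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
QOS_LEVELS = {"silver": 0, "gold": 1, "platinum": 2, "bronze": 3}


def airespace_vsa(vendor_type, data):
    """Type 26 | Length | Vendor-Id | Vendor type | Vendor length | data."""
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", AIRESPACE_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def tunnel_attr(attr_type, tag, value):
    """Tagged RFC 2868 attribute: Type | Length | Tag | value; tag 0x00 means unused."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 or 0x01..0x1F")
    body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def build_override_attrs(qos, acl_name, interface_name, vlan_id, tag=0):
    """Attributes a RADIUS server would return in an Access-Accept for identity networking."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    out = airespace_vsa(VSA_QOS_LEVEL, struct.pack("!I", QOS_LEVELS[qos]))  # assumed 4-octet integer
    out += airespace_vsa(VSA_ACL_NAME, acl_name.encode())
    out += airespace_vsa(VSA_INTERFACE_NAME, interface_name.encode())
    # Tunnel-Type and Tunnel-Medium-Type carry a 3-octet integer after the tag;
    # Tunnel-Private-Group-ID carries the VLAN ID encoded as a string
    out += tunnel_attr(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    out += tunnel_attr(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    out += tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode())
    return out


def parse_attrs(data):
    """Decode the attributes this section describes from a raw RADIUS attribute list."""
    result, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        val = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == AIRESPACE_VENDOR_ID:
            vtype, vlen = val[4], val[5]
            vdata = val[6:4 + vlen]
            if vtype == VSA_QOS_LEVEL and len(vdata) == 4:
                result["qos_level"] = struct.unpack("!I", vdata)[0]
            elif vtype == VSA_ACL_NAME:
                result["acl_name"] = vdata.decode()
            elif vtype == VSA_INTERFACE_NAME:
                result["interface_name"] = vdata.decode()
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            key = "tunnel_type" if atype == TUNNEL_TYPE else "tunnel_medium_type"
            result[key] = (val[0], int.from_bytes(val[1:4], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            # RFC 2868 section 3.1: a first octet above 0x1F is part of the String, not a tag
            tag, group = (0, val) if val[0] > 0x1F else (val[0], val[1:])
            result["tunnel_private_group_id"] = (tag, group.decode())
        pos += alen
    return result


def check_override(attrs):
    """Apply the rules from this section; returns a list of problems (empty when consistent)."""
    problems = []
    override = any(k in attrs for k in ("qos_level", "acl_name", "interface_name", "tunnel_private_group_id"))
    tunnel_keys = ("tunnel_type", "tunnel_medium_type", "tunnel_private_group_id")
    tunnel = all(k in attrs for k in tunnel_keys)
    if override and not tunnel:
        problems.append("override attributes returned without the Tunnel attributes")
    if tunnel:
        if len({attrs[k][0] for k in tunnel_keys}) != 1:
            problems.append("tunnel attributes do not share one tag")
        if attrs["tunnel_type"][1] != TUNNEL_TYPE_VLAN:
            problems.append("Tunnel-Type is not VLAN (13)")
        group = attrs["tunnel_private_group_id"][1]
        if not (group.isdigit() and 1 <= int(group) <= 4094):
            problems.append("VLAN ID %r outside 1..4094" % group)
    return problems


if __name__ == "__main__":
    raw = build_override_attrs("gold", "guest-acl", "guest-vlan", 100)
    print(raw.hex(), parse_attrs(raw), check_override(parse_attrs(raw)))
```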
CHAPTER 56
Configuring AAA Override
• AAA Override, on page 459
• Restrictions for AAA Override, on page 459
• Updating the RADIUS Server Dictionary File for Proper QoS Values, on page 460
• Configuring AAA Override (GUI), on page 461
• Configuring AAA Override (CLI), on page 461
AAA Override
The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It enables
you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients
based on the returned RADIUS attributes from the AAA server.
Most of the configuration to allow AAA override is done at the RADIUS server, where you should configure
the Access Control Server (ACS) with the override properties you would like it to return to the controller (for
example, Interface-Name, QoS-Level, and VLAN-Tag).
On the controller, enable the Allow AAA Override configuration parameter using the GUI or CLI. Enabling
this parameter allows the controller to accept the attributes returned by the RADIUS server. The controller
then applies these attributes to its clients.
This section contains the following subsections:
Restrictions for AAA Override
• If a client moves to a new interface due to the AAA override and then you apply an ACL to that interface,
the ACL does not take effect until the client reauthenticates. To work around this issue, apply the ACL
and then enable the WLAN so that all clients connect to the ACL that is already configured on the
interface, or disable and then reenable the WLAN after you apply the interface so that the clients can
reauthenticate.
• If the ACL returned from the AAA server does not exist on the controller or if the ACL is configured
with an incorrect name, then the clients are not allowed to be authenticated.
• With FlexConnect local switching, Multicast is forwarded only for the VLAN that the SSID is mapped
to and not to any overridden VLANs. Therefore, IPv6 does not work as expected because Multicast
traffic is forwarded from the incorrect VLAN. Use the following command to have multicast traffic
forwarded for the overridden VLAN:
config flexconnect group group-name multicast overridden-interface enable
• Most of the configuration for allowing AAA override is done at the RADIUS server, where you should
configure the Access Control Server (ACS) with the override properties you would like it to return to
the controller (for example, Interface-Name, QoS-Level, and VLAN-Tag).
• On the controller, enable the Allow AAA Override configuration parameter using the GUI or CLI.
Enabling this parameter allows the controller to accept the attributes returned by the RADIUS server.
The controller then applies these attributes to its clients.
Updating the RADIUS Server Dictionary File for Proper QoS Values
If you are using a Steel-Belted RADIUS (SBR), FreeRadius, or similar RADIUS server, clients may not obtain
the correct QoS values after the AAA override feature is enabled. For these servers, which allow you to edit
the dictionary file, you need to update the file to reflect the proper QoS values: Silver is 0, Gold is 1, Platinum
is 2, and Bronze is 3.
Note
This issue does not apply to the Cisco Secure Access Control Server (ACS).
To update the RADIUS server dictionary file, follow these steps:
1. Stop the SBR service (or other RADIUS service).
2. Save the following text to the Radius_Install_Directory\Service folder as ciscowlan.dct:
################################################################################
# CiscoWLAN.dct- Cisco Wireless Lan Controllers
#
# (See README.DCT for more details on the format of this file)
################################################################################
# Dictionary - Cisco WLAN Controllers
#
# Start with the standard Radius specification attributes
#
@radius.dct
#
# Standard attributes supported by Airespace
#
# Define additional vendor specific attributes (VSAs)
#
MACRO Airespace-VSA(t,s) 26 [vid=14179 type1=%t% len1=+2 data=%s%]
ATTRIBUTE WLAN-Id          Airespace-VSA(1, integer)  cr
ATTRIBUTE Aire-QoS-Level   Airespace-VSA(2, integer)  r
VALUE Aire-QoS-Level Bronze    3
VALUE Aire-QoS-Level Silver    0
VALUE Aire-QoS-Level Gold      1
VALUE Aire-QoS-Level Platinum  2
ATTRIBUTE DSCP             Airespace-VSA(3, integer)  r
ATTRIBUTE 802.1P-Tag       Airespace-VSA(4, integer)  r
ATTRIBUTE Interface-Name   Airespace-VSA(5, string)   r
ATTRIBUTE ACL-Name         Airespace-VSA(6, string)   r
# This should be last.
################################################################################
# CiscoWLAN.dct - Cisco WLC dictionary
################################################################################
3. Open the dictiona.dcm file (in the same directory) and add the line “@ciscowlan.dct”.
4. Save and close the dictiona.dcm file.
5. Open the vendor.ini file (in the same directory) and add the following text:
vendor-product    = Cisco WLAN Controller
dictionary        = ciscowlan
ignore-ports      = no
port-number-usage = per-port-type
help-id           =
6. Save and close the vendor.ini file.
7. Start the SBR service (or other RADIUS service).
8. Launch the SBR Administrator (or other RADIUS Administrator).
9. Add a RADIUS client (if not already added). Choose Cisco WLAN Controller from the Make/Model
drop-down list.
Configuring AAA Override (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN that you want to configure. The WLANs > Edit page appears.
Step 3
Choose the Advanced tab.
Step 4
Select the Allow AAA Override check box to enable AAA override or unselect it to disable this feature. The default
value is disabled.
Step 5
Click Apply.
Step 6
Click Save Configuration.
Configuring AAA Override (CLI)
Procedure
• Configure override of user policy through AAA on a WLAN by entering this command:
config wlan aaa-override {enable | disable} wlan-id
For wlan-id, enter a value between 1 and 16.
• Configure debugging of 802.1X AAA interactions by entering this command:
debug dot1x aaa {enable | disable}
CHAPTER 57
Managing Rogue Devices
• Rogue Devices, on page 463
• Configuring Rogue Detection (GUI), on page 468
• Configuring Rogue Detection (CLI), on page 469
Rogue Devices
Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using plain-text
or other denial-of-service or man-in-the-middle attacks. That is, a hacker can use a rogue access point to
capture sensitive information, such as usernames and passwords. The hacker can then transmit a series of
Clear to Send (CTS) frames. This action mimics an access point, informing a particular client to transmit, and
instructing all the other clients to wait, which results in legitimate clients being unable to access network
resources. Wireless LAN service providers have a strong interest in banning rogue access points from the air
space.
Because rogue access points are inexpensive and readily available, employees sometimes plug unauthorized
rogue access points into existing LANs and build ad hoc wireless networks without their IT department's
knowledge or consent. These rogue access points can be a serious breach of network security because they
can be plugged into a network port behind the corporate firewall. Because employees generally do not enable
any security settings on the rogue access point, it is easy for unauthorized users to use the access point to
intercept network traffic and hijack client sessions. There is an increased chance of enterprise security breach
when wireless users connect to access points in the enterprise network.
The following are some guidelines to manage rogue devices:
• The containment frames are sent immediately after the authorization and associations are detected. The
enhanced containment algorithm provides more effective containment of ad hoc clients.
• In a dense RF environment, where many rogue access points are suspected, the chances of detecting
rogue access points by a local mode access point and FlexConnect mode access point on channel 157 or
channel 161 are lower than on other channels. To mitigate this problem, we recommend that
you use dedicated monitor mode access points.
• The local and FlexConnect mode access points are designed to serve associated clients. These access
points spend relatively less time performing off-channel scanning: about 50 milliseconds on each channel.
If you want to perform high rogue detection, a monitor mode access point must be used. Alternatively,
you can reduce the scan intervals from 180 seconds to a lesser value, for example, 120 or 60 seconds,
ensuring that the radio goes off-channel more frequently, which improves the chances of rogue detection.
However, the access point continues to spend about 50 milliseconds on each channel.
• Rogue detection is disabled by default for OfficeExtend access points because these access points, which
are deployed in a home environment, are likely to detect many rogue devices.
• Client card implementations might mitigate the effectiveness of ad hoc containment.
• It is possible to classify and report rogue access points by using rogue states and user-defined classification
rules that enable rogues to automatically move between states.
• Each controller limits the number of rogue containments to three per radio (or six per radio for access
points in the monitor mode).
• Rogue Location Discovery Protocol (RLDP) detects rogue access points that are configured for open
authentication.
• RLDP detects rogue access points that use a broadcast Basic Service Set Identifier (BSSID), that is, the
access point broadcasts its Service Set Identifier in beacons.
• RLDP detects only those rogue access points that are on the same network. If an access list in the network
prevents the sending of RLDP traffic from the rogue access point to the controller, RLDP does not work.
• RLDP does not work on 5-GHz Dynamic Frequency Selection (DFS) channels. However, RLDP works
when the managed access point is in the monitor mode on a DFS channel.
• If RLDP is enabled on mesh APs, and the APs perform RLDP tasks, the mesh APs are dissociated from
the controller. The workaround is to disable RLDP on mesh APs.
• If RLDP is enabled on non-monitor APs, client connectivity outages occur when RLDP is in process.
• If the rogue is manually contained, the rogue entry is retained even after the rogue expires.
• If the rogue is contained by any other means, such as auto, rule, and aWIPS preventions, the rogue entry
is deleted when it expires.
• The controller sends a rogue client validation request to the AAA server only once. As a result, if rogue
client validation fails on the first attempt, the rogue client is no longer detected as a threat.
To avoid this, add the valid client entries to the authentication server before enabling Validate Rogue
Clients Against AAA.
• In the 7.4 and earlier releases, a rogue that was already classified by a rule was not reclassified. In the
7.5 release, this behavior is enhanced to allow reclassification of rogues based on the priority of the rogue
rule. The priority is determined by using the rogue report that is received by the controller.
• The rogue detector AP fails to correlate and contain the wired rogue AP on a 5Mhz channel because the
MAC addresses of the rogue AP for WLAN, LAN, 11a radio, and 11bg radio are configured with a difference
of +/-1 from the rogue BSSID. In the 8.0 release, this behavior is enhanced by increasing the range of MAC
addresses within which the rogue detector AP correlates the wired ARP MAC and the rogue BSSID to +/-3.
• Rogue access points with open authentication can be detected on the wire. NAT wired or rogue wired
detection is not supported by the WLC (neither by RLDP nor by the rogue detector AP). Non-adjacent MAC
addresses are supported by the rogue detector mode AP but not by RLDP.
• In a High Availability scenario, if the rogue detection security level is set to either High or Critical, the
rogue timer on the standby controller starts only after the rogue detection pending stabilization time,
which is 300 seconds. Therefore, the active configurations on the standby controller are reflected only
after 300 seconds.
• After an AP is moved from rogue detection mode to any other mode or after an AP is moved from sniffer
mode to local or monitor mode, the rogue detection functionality is not retained on the AP. To enable
rogue detection functionality on the AP, you have to explicitly move the AP to the rogue detection mode.
• Some rogue devices exhibit an RSSI value of –128 dBm although the minimum RSSI has been configured
to a higher value. In some scenarios, APs report an RSSI value of 0 for some rogue devices. If the
controller receives an RSSI value of 0, it invalidates the value and replaces it with –128
dBm so that rogue rules or policies are not applied to the rogue device.
• Even though rogue events are reported to Cisco DNA Center instantly, because of the large number of rogue
events, the rogue sync occurs only on detection, on moving to the contained state, and every half hour. The
rogue sync does not occur for any other rogue event.
Note
A rogue AP, client, or ad hoc containment configuration is not saved after a reload. You have to configure
all the rogues again after the reload.
Note
No separate command exists for controlling rogue client traps. However, you can enable or disable rogue
client traps using the config trapflags rogueap {enable | disable} command, which is also used for rogue
APs. In the GUI configuration as well, use the rogue AP flag under Management > SNMP > TrapControl
> Security > Rogue AP to control rogue clients.
Restrictions on Rogue Detection
• Rogue containment is not supported on DFS channels.
Rogue Location Discovery Protocol
Rogue Location Discovery Protocol (RLDP) is an active approach that is used when the rogue AP has no
authentication (Open Authentication) configured. This mode, which is disabled by default, instructs an active
AP to move to the rogue channel and connect to the rogue as a client. During this time, the active AP sends
de-authentication messages to all connected clients and then shuts down the radio interface. Then, it associates
to the rogue AP as a client. The AP then tries to obtain an IP address from the rogue AP and forwards a User
Datagram Protocol (UDP) packet (port 6352) that contains the local AP and rogue connection information to
the controller through the rogue AP. If the controller receives this packet, an alarm is set to notify the network
administrator that a rogue AP was discovered on the wired network by the RLDP feature.
RLDP has 100% accuracy in rogue AP detection. It detects Open APs and NAT APs.
Note
Use the debug dot11 rldp enable command in order to check if the Lightweight AP associates and receives
a DHCP address from the rogue AP. This command also displays the UDP packet sent by the Lightweight
AP to the controller.
A sample of a UDP (destination port 6352) packet sent by the Lightweight AP is shown here:
    0020  0a 01 01 0d 0a 01                                .......(.*......
    0030  01 1e 00 07 85 92 78 01 00 00 00 00 00 00 00 00  ......x.........
    0040  00 00 00 00 00 00 00 00 00 00
The first 5 bytes of the data contain the DHCP address given to the local mode AP by the rogue AP. The next
5 bytes are the IP address of the controller, followed by 6 bytes that represent the rogue AP MAC address.
Then, there are 18 bytes of zeroes.
The following steps describe the functioning of RLDP:
1. Identify the closest Unified AP to the rogue using signal strength values.
2. The AP then connects to the rogue as a WLAN client, attempting three associations before timing out.
3. If association is successful, the AP then uses DHCP to obtain an IP address.
4. If an IP address was obtained, the AP (acting as a WLAN client) sends a UDP packet to each of the
controller's IP addresses.
5. If the controller receives even one of the RLDP packets from the client, that rogue is marked as on-wire.
Note
The RLDP packets are unable to reach the controller if filtering rules are placed between the controller's
network and the network where the rogue device is located.
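The following decoder, added here as an example rather than code from the guide or from Cisco, reassembles the UDP payload from the sample dump above and applies step 5 of the RLDP procedure on the receiving side. The field widths are an assumption taken from how the sample bytes line up (4-octet IPv4 addresses, a 6-octet MAC, 18 zero bytes); the controller addresses in the check are constructed values.

```python
"""Decoder for the RLDP report payload (UDP destination port 6352) as
described on this page. Assumption: the two address fields are 4-octet
IPv4 addresses, which is how the sample dump bytes line up."""
import ipaddress
import struct
from typing import Optional

RLDP_UDP_PORT = 6352                # destination port named in the text
RLDP_PAYLOAD_LEN = 4 + 4 + 6 + 18   # ap_ip, controller_ip, rogue_mac, zero padding

# Payload bytes reassembled from the sample dump in the text (UDP data only).
SAMPLE_PAYLOAD = bytes.fromhex(
    "0a01010d"        # DHCP address the rogue AP leased to the managed AP (10.1.1.13)
    "0a01011e"        # controller IP address the report was sent to (10.1.1.30)
    "000785927801"    # rogue AP MAC address (BSSID)
) + bytes(18)         # trailing zeroes


def parse_rldp_payload(payload: bytes) -> dict:
    """Decode one RLDP report; raise ValueError if it does not fit the layout."""
    if len(payload) != RLDP_PAYLOAD_LEN:
        raise ValueError(f"unexpected RLDP payload length {len(payload)}")
    ap_ip, ctrl_ip, rogue_mac, padding = struct.unpack("!4s4s6s18s", payload)
    if padding != bytes(18):
        raise ValueError("trailing bytes are not zero; not an RLDP report")
    return {
        "ap_ip": str(ipaddress.IPv4Address(ap_ip)),
        "controller_ip": str(ipaddress.IPv4Address(ctrl_ip)),
        "rogue_mac": ":".join(f"{b:02x}" for b in rogue_mac),
    }


def rldp_on_wire(payload: bytes, controller_ips: set) -> Optional[str]:
    """Step 5 of the RLDP procedure: a report that reaches one of the
    controller's own addresses marks the rogue as on-wire. Returns the rogue
    BSSID, or None when the payload is malformed or names an address that
    is not one of ours (controller_ips is a constructed set)."""
    try:
        report = parse_rldp_payload(payload)
    except ValueError:
        return None
    if report["controller_ip"] not in controller_ips:
        return None
    return report["rogue_mac"]


if __name__ == "__main__":
    print(parse_rldp_payload(SAMPLE_PAYLOAD))
    print("on-wire rogue:", rldp_on_wire(SAMPLE_PAYLOAD, {"10.1.1.30"}))
```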
Restrictions for RLDP:
• RLDP only works with open rogue APs broadcasting their SSID with authentication and encryption
disabled.
• RLDP requires that the Managed AP acting as a client is able to obtain an IP address via DHCP on the
rogue network.
• Manual RLDP can be used to attempt an RLDP trace on a rogue multiple times.
• During the RLDP process, the AP is unable to serve clients. This negatively impacts performance and
connectivity for local mode APs. To avoid this, RLDP can be selectively enabled for monitor mode
APs only.
• RLDP does not attempt to connect to a rogue AP operating in a 5GHz DFS channel.
• RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the
DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point
channel requires dynamic frequency selection (DFS). If the automatic RLDP attempt does not detect the
rogue (due to a noisy RF environment, for example), the controller does not retry. However, you can
initiate RLDP manually on a rogue device.
Detecting Rogue Devices
The controller continuously monitors all the nearby access points and automatically discovers and collects
information on rogue access points and clients. When the controller discovers a rogue access point, it uses
the Rogue Location Discovery Protocol (RLDP) and the rogue detector mode access point to determine
whether the rogue is attached to your network.
The controller initiates RLDP on rogue devices that are configured with open authentication. If RLDP uses
FlexConnect or local mode access points, clients are disconnected for that moment. After the RLDP
cycle, the clients reconnect to the access points. When auto RLDP is configured, the RLDP process is
initiated as and when rogue access points are seen.
You can configure the controller to use RLDP on all the access points or only on the access points configured
for the monitor (listen-only) mode. The latter option facilitates automated rogue access point detection in a
crowded radio frequency (RF) space, allowing monitoring without creating unnecessary interference and
without affecting the regular data access point functionality. If you configure the controller to use RLDP on
all the access points, the controller always chooses the monitor access point for RLDP operation if a monitor
access point and a local (data) access point are both nearby. If RLDP determines that the rogue is on your
network, you can choose to contain the detected rogue either manually or automatically.
RLDP detects the on-wire presence of rogue access points that are configured with open authentication only
once, which is the default retry configuration. Retries can be configured using the config rogue ap rldp
retries command.
You can initiate or trigger RLDP from the controller in three ways:
1. Enter the RLDP initiation command manually from the controller CLI. The equivalent GUI option for
initiating RLDP is not supported.
config rogue ap rldp initiate mac-address
2. Schedule RLDP from the controller CLI. The equivalent GUI option for scheduling RLDP is not supported.
config rogue ap rldp schedule
3. Auto RLDP. You can configure auto RLDP on controller either from controller CLI or GUI but keep in
mind the following guidelines:
• The auto RLDP option can be configured only when the rogue detection security level is set to custom.
• Either auto RLDP or schedule of RLDP can be enabled at a time.
A rogue access point is moved to a contained state either automatically or manually. The controller selects
the best available access point for containment and pushes the information to the access point. The access
point stores the list of containments per radio. For auto containment, you can configure the controller to use
only the monitor mode access point. The containment operation occurs in the following two ways:
• The container access point goes through the list of containments periodically and sends unicast containment
frames. For rogue access point containment, the frames are sent only if a rogue client is associated.
• Whenever a contained rogue activity is detected, containment frames are transmitted.
Individual rogue containment involves sending a sequence of unicast disassociation and deauthentication
frames.
Cisco Prime Infrastructure Interaction and Rogue Detection
Cisco Prime Infrastructure supports rule-based classification and uses the classification rules configured on
the controller. The controller sends traps to Cisco Prime Infrastructure after the following events:
• If an unknown access point moves to the Friendly state for the first time, the controller sends a trap to
Cisco Prime Infrastructure only if the rogue state is Alert. It does not send a trap if the rogue state is
Internal or External.
• If a rogue entry is removed after the timeout expires, the controller sends a trap to Cisco Prime
Infrastructure for rogue access points that are categorized as Malicious (Alert, Threat) or Unclassified
(Alert). The controller does not remove rogue entries with the following rogue states: Contained, Contained
Pending, Internal, and External.
This section contains the following subsections:
Configuring Rogue Detection (GUI)
Step 1
Make sure that rogue detection is enabled on the corresponding access points. Rogue detection is enabled by default
for all access points joined to the controller (except for OfficeExtend access points). However, you can enable or disable
rogue detection for individual access points by selecting or unselecting the Rogue Detection check box on the All APs
> Details for (Advanced) page.
Step 2
Choose Security > Wireless Protection Policies > Rogue Policies > General.
The Rogue Policies page is displayed.
Step 3
Choose one of the following options from the Rogue Location Discovery Protocol drop-down list:
• Disable—Disables RLDP on all the access points. This is the default value.
• All APs—Enables RLDP on all the access points.
• Monitor Mode APs—Enables RLDP only on the access points in the monitor mode.
Step 4
In the Expiration Timeout for Rogue AP and Rogue Client Entries text box, enter the number of seconds after
which the rogue access point and client entries expire and are removed from the list. The valid range is 240 to 3600
seconds, and the default value is 1200 seconds.
Note
If a rogue access point or client entry times out, it is removed from the controller only if its rogue state is
Alert or Threat for any classification type.
Step 5
To use the AAA server or local database to validate if rogue clients are valid clients, select the Validate Rogue Clients
Against AAA check box. By default, the check box is unselected.
Note
To validate a rogue client against AAA, the format of the Cisco AVP pair is mandatory. The free RADIUS
format is:
• e09d3166fb2c Cleartext-Password := "e09d3166fb2c"
• Cisco-AVPair := "rogue-ap-state=threat"
Step 6
If necessary, select the Detect and Report Ad-Hoc Networks check box to enable ad hoc rogue detection and reporting.
By default, the check box is selected.
Step 7
In the Rogue Detection Report Interval text box, enter the time interval, in seconds, at which APs send the rogue
detection report to the Cisco WLC. The valid range is 10 to 300 seconds, and the default value is 10 seconds.
Note
The minimum value of 10 seconds is applicable only to APs in monitor mode. For the APs in Local mode,
the minimum interval value that you can set is 30 seconds.
Step 8
In the Rogue Detection Minimum RSSI text box, enter the minimum Received Signal Strength Indicator (RSSI) value
for APs to detect the rogue and for a rogue entry to be created in the controller. The valid range is –128 dBm to 0
dBm, and the default value is 0 dBm.
Note
This feature is applicable to all the AP modes. There can be many rogues with weak RSSI values that do not
provide any valuable information in rogue analysis. Therefore, you can use this option to filter rogues by
specifying the minimum RSSI value at which APs detect rogues.
Step 9
In the Rogue Detection Transient Interval text box, enter the time interval at which the AP should scan for a rogue
again after the first time the rogue is scanned. After the rogue is scanned for consistently, updates are sent periodically
to the controller. Thus, the APs filter out transient rogues, which are active for a short period and are then silent. The
valid range is 120 to 1800 seconds, and the default value is 0.
The rogue detection transient interval is applicable to the monitor mode APs only.
This feature has the following advantages:
• Rogue reports from APs to the controller are shorter.
• Transient rogue entries are avoided in the controller.
• Unnecessary memory allocation for transient rogues is avoided.
Step 10
If you want the controller to automatically contain certain rogue devices, enable the following parameters. By default,
these parameters are in disabled state.
Caution
When you select any of the Auto Contain parameters and click Apply, the following message is displayed:
“Using this feature may have legal consequences. Do you want to continue?”
The 2.4-GHz and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the
public and can be used without a license. As such, containing devices on another party’s network could have
legal consequences.
• Auto Containment Level—Set the auto containment level. By default, the auto containment level is set to 1.
• Auto Containment only for Monitor mode APs—Configure the monitor mode access points for auto-containment.
• Rogue on Wire—Configure the auto containment of rogues that are detected on the wired network.
• Using Our SSID—Configure the auto containment of rogues that are advertising your network’s SSID. If you
leave this parameter unselected, the controller only generates an alarm when such a rogue is detected.
• Valid Client on Rogue AP—Configure the auto containment of a rogue access point to which trusted clients are
associated. If you leave this parameter unselected, the controller only generates an alarm when such a rogue is
detected.
• AdHoc Rogue AP—Configure the auto containment of ad hoc networks detected by the controller. If you leave
this parameter unselected, the controller only generates an alarm when such a network is detected.
Step 11
Click Apply.
Step 12
Click Save Configuration.
Configuring Rogue Detection (CLI)
Step 1
Ensure that rogue detection is enabled on the desired access points. Rogue detection is enabled by default for all the
access points that are associated with the controller. You can enable or disable rogue detection for individual access
points by entering this command:
config rogue detection {enable | disable} cisco-ap
Note
To see the current rogue detection configuration for a specific access point, enter the show ap config general
Cisco_AP command.
Note
Rogue detection is disabled by default for OfficeExtend access points because these access points, which are
deployed in a home environment, are likely to detect a large number of rogue devices.
Step 2
Enable, disable, or initiate RLDP by entering these commands:
• config rogue ap rldp enable alarm-only—Enables RLDP on all the access points.
• config rogue ap rldp enable alarm-only monitor_ap_only—Enables RLDP only on the access points in the
monitor mode.
• config rogue ap rldp initiate rogue_mac_address—Initiates RLDP on a specific rogue access point.
• config rogue ap rldp disable—Disables RLDP on all the access points.
• config rogue ap rldp retries—Specifies the number of times RLDP is tried per rogue access point. The range
is from 1 to 5, and the default is 1.
Step 3
Specify the number of seconds after which the rogue access point and client entries expire and are removed from the
list by entering this command:
config rogue ap timeout seconds
The valid range for the seconds parameter is 240 to 3600 seconds (inclusive). The default value is 1200 seconds.
Note
If a rogue access point or client entry times out, it is removed from the controller only if its rogue state is
Alert or Threat for a classification type.
Step 4
Enable or disable ad hoc rogue detection and reporting by entering this command:
config rogue adhoc {enable | disable}
Step 5
Enable or disable the AAA server or local database to validate if rogue clients are valid clients by entering this command:
config rogue client aaa {enable | disable}
Step 6
Specify the time interval, in seconds, at which APs should send the rogue detection report to the controller by entering
this command:
config rogue detection monitor-ap report-interval time in sec
The valid range for the time in sec parameter is 10 seconds to 300 seconds. The default value is 10 seconds.
Note
This feature is applicable only to the monitor mode APs.
Step 7
Specify the minimum RSSI value that rogues should have for APs to detect them and for the rogue entries to be created
in the controller by entering this command:
config rogue detection min-rssi rssi in dBm
The valid range for the rssi in dBm parameter is –128 dBm to 0 dBm. The default value is 0 dBm.
Note
This feature is applicable to all the AP modes. There can be many rogues with very weak RSSI values that
do not provide any valuable information in rogue analysis. Therefore, you can use this option to filter rogues
by specifying the minimum RSSI value at which APs should detect rogues.
Step 8
Specify the time interval at which rogues have to be consistently scanned for by APs after the first time the rogues are
scanned for by entering this command:
config rogue detection monitor-ap transient-rogue-interval time in sec
The valid range for the time in sec parameter is 120 seconds to 1800 seconds. The default value is 0.
This feature is applicable only to the monitor mode APs.
Note
Using the transient interval values, you can control the time interval at which APs should scan for rogues.
APs can also filter rogues based on their transient interval values.
This feature has the following advantages:
• Rogue reports from APs to the controller are shorter.
• Transient rogue entries are avoided in the controller.
• Unnecessary memory allocation for transient rogues is avoided.
Step 9
If you want the controller to automatically contain certain rogue devices, enter these commands.
Caution
When you enter any of these commands, the following message is displayed: Using this feature
may have legal consequences. Do you want to continue? The 2.4-GHz and 5-GHz
frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used
without a license. As such, containing devices on another party’s network could have legal consequences.
• config rogue ap rldp enable auto-contain—Automatically contains the rogues that are detected on the wired
network.
• config rogue ap ssid auto-contain—Automatically contains the rogues that are advertising your network’s SSID.
Note
If you want the controller to only generate an alarm when such a rogue is detected, enter the config
rogue ap ssid alarm command.
• config rogue ap valid-client auto-contain—Automatically contains a rogue access point to which trusted clients
are associated.
Note
If you want the controller to only generate an alarm when such a rogue is detected, enter the config
rogue ap valid-client alarm command.
• config rogue adhoc auto-contain—Automatically contains ad hoc networks detected by the controller.
Note
If you want the controller to only generate an alarm when such a network is detected, enter the config
rogue adhoc alert command.
• config rogue auto-contain level level monitor_mode_ap_only—Sets the auto containment level for the monitor
mode access points. The default value is 1.
Step 10
Configure ad hoc rogue classification by entering these commands:
• config rogue adhoc classify friendly state {internal | external} mac-addr
• config rogue adhoc classify malicious state {alert | contain} mac-addr
• config rogue adhoc classify unclassified state {alert | contain} mac-addr
The following is a brief description of the parameters:
• internal—Trusts a foreign ad hoc rogue.
• external—Acknowledges the presence of an ad hoc rogue.
• alert—Generates a trap when an ad hoc rogue is detected.
• contain—Starts containing an ad hoc rogue.
Step 11
Configure RLDP scheduling by entering this command:
config rogue ap rldp schedule { add | delete | disable | enable }
• add—Enables you to schedule RLDP on a particular day of the week. You must enter the day of the week (for
example, mon, tue, wed, and so on) on which you want to schedule RLDP and the start time and end time in
HH:MM:SS format. For example: config rogue ap rldp schedule add mon 22:00:00 23:00:00.
• delete—Enables you to delete the RLDP schedule. You must enter the number of days.
• disable—Disables RLDP scheduling.
• enable—Enables RLDP scheduling.
Note
When you configure RLDP scheduling, it is assumed that the scheduling will occur in the future, that is, after
the configuration is saved.
Step 12
Save your changes by entering this command:
save config
CHAPTER 58: Classifying Rogue Access Points
• Rogue Access Point Classification, on page 473
• Guidelines and Restrictions for Classifying Rogue Access Points, on page 476
• Configuring Rogue Classification Rules (GUI), on page 477
• Viewing and Classifying Rogue Devices (GUI), on page 479
• Configuring Rogue Classification Rules (CLI), on page 483
• Viewing and Classifying Rogue Devices (CLI), on page 485
Rogue Access Point Classification
The controller software enables you to create rules that can organize and display rogue access points as
Friendly, Malicious, Custom, or Unclassified. For the Custom type, you must specify a severity score and a
classification name.
Note
Manual classification and classification that is the result of auto-containment or rogue-on-wire overrides the
rogue rule. If you have manually changed the class and/or the state of a rogue AP, then to apply rogue rules
to the AP, you must change it to unclassified and alert condition.
Note
If you manually move any rogue device to contained state (any class) or friendly state, this information is
stored in the standby Cisco WLC flash memory; however, the database is not updated. When HA switchover
occurs, the rogue list from the previously standby Cisco WLC flash memory is loaded.
By default, none of the classification rules are enabled. Therefore, all unknown access points are categorized
as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the unclassified access
points are reclassified. Whenever you change a rule, it is applied to all access points (friendly, malicious,
custom, and unclassified) in the Alert state only.
You can configure up to 64 rogue classification rules per controller.
You can also apply rogue rules to ad hoc rogues except for client count condition.
The number of rogue clients that can be stored in the database table of a rogue access point is 256.
If a rogue AP or an ad hoc rogue is classified because of an RSSI rogue rule condition, the RSSI value that
caused the trigger is displayed on the controller GUI/CLI. The controller includes the classified RSSI, the
classified AP MAC address, and rule name in the trap. A new trap is generated for every new classification
or change of state due to rogue rule but is rate limited to every half hour for every rogue AP or ad hoc rogue.
However, if there is a change of state in containment by rogue rule, the trap is sent immediately. The ‘classified
by,’ ‘classified at,’ and ‘classified by rule name’ are valid for the non-default classification types, which are
Friendly, Malicious, and Custom classifications. For the unclassified types, these fields are not displayed.
Note
For the RSSI condition of rogue rule, reclassification occurs only if the RSSI change is more than 2 dBm of
the configured RSSI value.
Rogue rules may not work properly if a friendly rogue rule is configured with RSSI as a condition. In that
case, modify the rules with the expectation that the friendly rule uses the maximum RSSI, and adjust the other
rules accordingly.
When the controller receives a rogue report from one of its managed access points, it responds as follows:
1. The controller verifies that the unknown access point is in the friendly MAC address list. If it is, the
controller classifies the access point as Friendly.
2. If the unknown access point is not in the friendly MAC address list, the controller starts applying rogue
classification rules.
3. If the rogue is already classified as Malicious, Alert or Friendly, Internal or External, the controller does
not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically
only if the rogue is in the Alert state.
4. The controller applies the first rule based on priority. If the rogue access point matches the criteria specified
by the rule, the controller classifies the rogue according to the classification type configured for the rule.
5. If the rogue access point does not match any of the configured rules, the controller classifies the rogue as
Unclassified.
6. The controller repeats the previous steps for all rogue access points.
7. If RLDP determines that the rogue access point is on the network, the controller marks the rogue state as
Threat and classifies it as Malicious automatically, even if no rules are configured. You can then manually
contain the rogue (unless you have configured RLDP to automatically contain the rogue), which would
change the rogue state to Contained. If the rogue access point is not on the network, the controller marks
the rogue state as Alert, and you can manually contain the rogue.
8. If desired, you can manually move the access point to a different classification type and rogue state.
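The following simulation, added here as an example and not code from the guide or from Cisco, walks a rogue report through the steps listed above (friendly MAC list, Alert-only reclassification, priority-ordered rules, the RLDP on-wire override, and the RSSI 0 to –128 dBm invalidation from the guidelines). The rule objects, the report fields, and the convention that a lower priority number wins are assumptions; the BSSIDs and SSIDs are constructed.

```python
"""Simulation of the controller's rogue classification steps described on this
page. Assumptions: rule priority is a number where lower wins; a report with
RSSI 0 is replaced by -128 dBm and then skips rule evaluation; a configured
minimum RSSI of None means no RSSI filtering."""
from dataclasses import dataclass
from typing import Callable, List, Optional

INVALID_RSSI = -128  # dBm; the controller substitutes this for a reported RSSI of 0


@dataclass
class RogueReport:
    """One rogue report from a managed AP (constructed sample data)."""
    bssid: str
    rssi: int              # dBm as reported by the AP; 0 means the AP had no value
    ssid: str = ""
    client_count: int = 0
    on_wire: bool = False  # True once RLDP has confirmed the rogue on the wired network


@dataclass
class RogueEntry:
    classification: str = "Unclassified"  # Friendly | Malicious | Custom | Unclassified
    state: str = "Alert"                  # Alert | Threat | Internal | External | Contained
    rule: Optional[str] = None            # name of the rule that classified it, if any


@dataclass
class RogueRule:
    priority: int                         # assumption: lower number = higher priority
    name: str
    classification: str                   # Friendly | Malicious | Custom
    matches: Callable[[RogueReport], bool]


def normalize_rssi(rssi: int) -> int:
    """Replace an RSSI of 0 with -128 dBm, as the guidelines say the controller does."""
    return INVALID_RSSI if rssi == 0 else rssi


def rule_locked(entry: RogueEntry) -> bool:
    """Step 3: Malicious/Alert and Friendly/Internal|External are never reclassified
    automatically; anything else is reclassified only while in the Alert state."""
    if entry.classification == "Malicious" and entry.state == "Alert":
        return True
    if entry.classification == "Friendly" and entry.state in ("Internal", "External"):
        return True
    return entry.state != "Alert"


def classify(entry: Optional[RogueEntry], report: RogueReport,
             friendly_macs: set, rules: List[RogueRule],
             min_rssi: Optional[int] = None) -> Optional[RogueEntry]:
    """Apply one rogue report to an existing entry (None = first sighting)."""
    rssi = normalize_rssi(report.rssi)
    if min_rssi is not None and rssi < min_rssi:
        return entry  # below the detection threshold: no entry is created or updated
    if entry is None:
        entry = RogueEntry()
    # Step 7: an RLDP on-wire result marks the rogue Threat/Malicious regardless of rules.
    if report.on_wire:
        entry.classification, entry.state = "Malicious", "Threat"
        return entry
    # Step 1: the friendly MAC address list wins before any rule is evaluated.
    if report.bssid.lower() in friendly_macs:
        entry.classification = "Friendly"
        return entry
    # Step 3: locked classification/state pairs and non-Alert rogues are left alone.
    if rule_locked(entry):
        return entry
    if rssi == INVALID_RSSI:
        return entry  # invalidated RSSI: rogue rules and policies are not applied
    # Steps 4 and 5: first matching rule by priority, otherwise Unclassified.
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(report):
            entry.classification, entry.rule = rule.classification, rule.name
            return entry
    entry.classification, entry.rule = "Unclassified", None
    return entry


if __name__ == "__main__":
    rules = [RogueRule(10, "corp-ssid", "Malicious", lambda r: r.ssid == "corp"),
             RogueRule(5, "lab", "Friendly", lambda r: r.ssid.startswith("lab-"))]
    print(classify(None, RogueReport("00:11:22:33:44:55", -55, "corp"), set(), rules))
```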
Table 18: Classification Mapping
Rule-Based Classification Type | Rogue States
Friendly
• Internal—If the unknown access point is inside the network and poses no threat
to WLAN security, you would manually configure it as Friendly, Internal. An
example is the access points in your lab network.
• External—If the unknown access point is outside the network and poses no threat
to WLAN security, you would manually configure it as Friendly, External. An
example is an access point that belongs to a neighboring coffee shop.
• Alert—The unknown access point is moved to Alert if it is not in the neighbor
list or in the user-configured friendly MAC list.
Malicious
• Alert—The unknown access point is moved to Alert if it is not in the neighbor
list or in the user-configured friendly MAC list.
• Contained—The unknown access point is contained.
Custom
• Alert—The unknown access point is moved to Alert if it is not in the neighbor
list or in the user-configured friendly MAC list.
• Contained—The unknown access point is contained.
Unclassified
• Pending—On first detection, the unknown access point is put in the Pending state
for 3 minutes. During this time, the managed access points determine if the
unknown access point is a neighbor access point.
• Alert—The unknown access point is moved to Alert if it is not in the neighbor
list or in the user-configured friendly MAC list.
• Contained—The unknown access point is contained.
• Contained Pending—The unknown access point is marked Contained, but the
action is delayed due to unavailable resources.
The classification and state of the rogue access points are configured as follows:
• From Known to Friendly, Internal
• From Acknowledged to Friendly, External
• From Contained to Malicious, Contained
If the rogue state is Contained, you have to uncontain the rogue access point before you can change the
classification type. If you want to move a rogue access point from Malicious to Unclassified, you must delete
the access point and allow the controller to reclassify it.
This section contains the following subsections:
Guidelines and Restrictions for Classifying Rogue Access Points
• Classifying Custom type rogues is tied to rogue rules. Therefore, it is not possible to manually classify
a rogue as Custom. Custom class change can occur only when rogue rules are used.
• Some traps are sent for containment by rule and every 30 minutes for a rogue classification change. For custom
classification, the first trap does not contain the severity score because the trap existed before the
custom classification. The severity score is obtained from the subsequent trap that is generated after 30
minutes if the rogue is classified.
• Rogue rules are applied on every incoming new rogue report in the controller in the order of their priority.
• After a rogue satisfies a higher priority rule and is classified, it does not move down the priority list for
the same report.
• A previously classified rogue is reclassified on every new rogue report, with the following restrictions:
• Rogues that are classified as friendly by rule and whose state is set to ALERT go through
reclassification on receiving a new rogue report.
• If a rogue is classified as friendly manually by the administrator, its state is INTERNAL and
it is not reclassified on successive rogue reports.
• If a rogue is classified as malicious, it is not reclassified on subsequent rogue reports, irrespective
of its state.
• Transition of a rogue's state from friendly to malicious is possible by multiple rogue rules if some
attribute is missing in the new rogue report.
• Transition of a rogue's state from malicious to any other classification is not possible by any rogue
rule.
• If a rogue AP is classified as friendly, it means that the rogue AP exists in the vicinity, is a known AP,
and need not be tracked. Therefore, all the rogue clients are either deleted or not tracked if they are
associated with the friendly rogue AP.
• Until the controller discovers all the APs through neighbor reports from APs, the rogue APs are kept in
unconfigured state for three minutes after they are detected. After 3 minutes, the rogue policy is applied
on the rogue APs and the APs are moved to unclassified, friendly, malicious, or custom class. Rogue
APs kept in unconfigured state means that no rogue policy has yet been applied on them.
• When a rogue BSSID is submitted for containment on a Cisco Catalyst 9800 Series Wireless Controller,
the controller contains it if it has enough resources. The APs that detect the contained rogue
AP start broadcasting DEAUTH packets.
Wireless clients connected to the contained rogue BSSID disconnect once the DEAUTH packets are
received. However, a client that assumes it is still in a connected state repeatedly tries to reconnect, and
the user's browsing experience is badly affected.
Also, in a high-RF environment such as a stadium, the client does not receive all of the broadcast DEAUTH
packets because of RF disturbance. In this scenario, the client may not be fully
disconnected but is still badly affected.
Configuring Rogue Classification Rules (GUI)
Step 1
Choose Security > Wireless Protection Policies > Rogue Policies > Rogue Rules to open the Rogue Rules page.
Any rules that have already been created are listed in priority order. The name, type, and status of each rule are provided.
Note
To delete a rule, hover your cursor over the blue drop-down arrow for that rule and click Remove.
Step 2
Create a new rule as follows:
a) Click Add Rule. An Add Rule section appears at the top of the page.
b) In the Rule Name text box, enter a name for the new rule. Ensure that the name does not contain any spaces.
c) From the Rule Type drop-down list, choose from the following options to classify rogue access points matching this
rule as friendly or malicious:
• Friendly
• Malicious
• Custom
d) From the Notify drop-down list, configure the notification that is sent when the rule is matched: All, Global, Local, or None.
The options are as follows:
• All—Notifies the Cisco WLC and a trap receiver such as Cisco Prime Infrastructure.
• Global—Notifies only a trap receiver such as Cisco Prime Infrastructure.
• Local—Notifies only Cisco WLC.
• None—No notifications are sent.
Note
The Rogue Rule Notification options All, Global, Local, and None control only the following rogue
traps:
• Rogue AP Detected (Rogue AP: XX:XX:XX:XX:XX:XX detected on Base Radio MAC:
XX:XX:XX:XX:XX:XX Interface no: 0(1) Channel: 6 RSSI: 45 SNR: 10 Classification: unclassified,
State: alert, RuleClassified : unclassified, Severity Score: 100, RuleName: rule1, Classified AP MAC:
XX:XX:XX:XX:XX:XX, Classified RSSI: 45)
• Rogue Adhoc Detected (Adhoc Rogue : XX:XX:XX:XX:XX:XX detected on Base Radio MAC :
XX:XX:XX:XX:XX:XX Interface no: 0(1) on Channel 6 with RSSI: 45 and SNR: 10 Classification:
unclassified, State: alert, RuleClassified: unclassified, Severity Score: 100, RuleName: rule1,Classified
APMAC: XX:XX:XX:XX:XX:XX, Classified RSSI: 45)
• Rogue AP contained (Rogue AP: Rogue with MAC Address: XX:XX:XX:XX:XX:XX has been
contained due to rule with containment Level : 1)
• Rogue AP clear contained (Rogue AP: Rogue with MAC Address: XX:XX:XX:XX:XX:XX is no
longer contained due to rule)
e) Configure the state of the rogue AP when the rule is matched from the State drop-down list.
f) If you choose the Rule Type as Custom, enter the Severity Score and the Classification Name.
g) Click Add to add this rule to the list of existing rules, or click Cancel to discard this new rule.
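The trap texts quoted in the Note above are what a trap receiver or syslog collector actually sees, so a defender usually wants them as structured records rather than free text. The following parser is an added example, not code from the guide or from the controller; it applies regular expressions to constructed sample traps written in the quoted formats (the MAC addresses are made-up placeholders), replays the contained/clear-contained traps to show which rogues are currently contained by rule, and flags detected rogues whose rule-assigned severity score is high but whose state is still alert. The `min_severity` threshold of 50 is an assumption for the example, not a value from the guide.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample traps in the formats quoted in the guide (placeholder MACs, not real devices).
SAMPLE_TRAPS = [
    ("Rogue AP: 00:11:22:33:44:55 detected on Base Radio MAC: aa:bb:cc:dd:ee:01 "
     "Interface no: 0(1) Channel: 6 RSSI: 45 SNR: 10 Classification: unclassified, "
     "State: alert, RuleClassified : unclassified, Severity Score: 100, RuleName: rule1, "
     "Classified AP MAC: 00:11:22:33:44:55, Classified RSSI: 45"),
    ("Adhoc Rogue : 00:11:22:33:44:66 detected on Base Radio MAC : aa:bb:cc:dd:ee:02 "
     "Interface no: 0(1) on Channel 6 with RSSI: 45 and SNR: 10 Classification: "
     "malicious, State: contain, RuleClassified: malicious, Severity Score: 100, "
     "RuleName: rule1,Classified APMAC: 00:11:22:33:44:66, Classified RSSI: 45"),
    ("Rogue AP: Rogue with MAC Address: 00:11:22:33:44:77 has been contained due to "
     "rule with containment Level : 1"),
    "Rogue AP: Rogue with MAC Address: 00:11:22:33:44:77 is no longer contained due to rule",
]

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"

# "Rogue AP Detected" and "Rogue Adhoc Detected" carry the same fields in the same order but
# differ in punctuation ("Channel: 6" vs "on Channel 6"), so one lenient pattern covers both.
DETECTED_RE = re.compile(
    rf"^(?P<kind>Rogue AP|Adhoc Rogue)\s*:\s*(?P<mac>{MAC})"
    rf".*?Base Radio MAC\s*:\s*(?P<radio>{MAC})"
    r".*?Channel:?\s*(?P<channel>\d+)"
    r".*?RSSI:\s*(?P<rssi>-?\d+)"
    r".*?SNR:\s*(?P<snr>-?\d+)"
    r".*?Classification:\s*(?P<classification>\w+)"
    r".*?State:\s*(?P<state>\w+)"
    r".*?RuleClassified\s*:\s*(?P<rule_classified>\w+)"
    r".*?Severity Score:\s*(?P<severity>\d+)"
    r".*?RuleName:\s*(?P<rule>[^,]+)")

# "Rogue AP contained" / "Rogue AP clear contained"; the level is present only on the contained trap.
CONTAIN_RE = re.compile(
    rf"Rogue with MAC Address:\s*(?P<mac>{MAC})\s+"
    r"(?P<verb>has been contained|is no longer contained) due to rule"
    r"(?:\s+with containment Level\s*:\s*(?P<level>\d+))?")


@dataclass
class RogueEvent:
    event: str                       # detected | contained | uncontained
    mac: str
    kind: Optional[str] = None       # Rogue AP | Adhoc Rogue
    radio_mac: Optional[str] = None  # base radio MAC of the detecting AP
    channel: Optional[int] = None
    rssi: Optional[int] = None
    snr: Optional[int] = None
    classification: Optional[str] = None
    state: Optional[str] = None
    rule_classified: Optional[str] = None
    severity: Optional[int] = None
    rule: Optional[str] = None
    level: Optional[int] = None      # containment level, contained traps only


def parse_trap(text: str) -> Optional[RogueEvent]:
    """Turn one trap message into a RogueEvent, or None if the text is not a rogue trap."""
    m = DETECTED_RE.match(text)
    if m:
        return RogueEvent(event="detected", mac=m["mac"].lower(), kind=m["kind"],
                          radio_mac=m["radio"].lower(), channel=int(m["channel"]),
                          rssi=int(m["rssi"]), snr=int(m["snr"]),
                          classification=m["classification"].lower(), state=m["state"].lower(),
                          rule_classified=m["rule_classified"].lower(),
                          severity=int(m["severity"]), rule=m["rule"].strip())
    m = CONTAIN_RE.search(text)
    if m:
        event = "contained" if m["verb"].startswith("has been") else "uncontained"
        return RogueEvent(event=event, mac=m["mac"].lower(),
                          level=int(m["level"]) if m["level"] else None)
    return None


def parse_all(lines: Iterable[str]) -> List[RogueEvent]:
    return [ev for ev in (parse_trap(line) for line in lines) if ev is not None]


def contained_now(events: Iterable[RogueEvent]) -> Set[str]:
    """Replay contained/clear-contained traps in order; the result is the set of MACs still contained
    by rule, which is worth auditing given the guide's warning about containment."""
    contained: Set[str] = set()
    for ev in events:
        if ev.event == "contained":
            contained.add(ev.mac)
        elif ev.event == "uncontained":
            contained.discard(ev.mac)
    return contained


def needs_review(ev: RogueEvent, min_severity: int = 50) -> bool:
    """Detected rogues scored at or above min_severity (assumed threshold) that are still in alert
    state, i.e. nothing automated is acting on them and a person should look."""
    return ev.event == "detected" and ev.state == "alert" and (ev.severity or 0) >= min_severity


if __name__ == "__main__":
    events = parse_all(SAMPLE_TRAPS)
    for ev in events:
        print(ev.event, ev.mac, ev.classification, ev.state, "review" if needs_review(ev) else "")
    print("contained by rule:", contained_now(events))
```

Traps are matched in the order they arrive, so feed the parser a time-ordered stream; a clear-contained trap seen before its matching contained trap would otherwise leave a stale entry in the contained set.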
Step 3
Edit a rule as follows:
a) Click the name of the rule that you want to edit. The Rogue Rule > Edit page appears.
b) From the Type drop-down list, choose from the following options to classify rogue access points matching this rule:
• Friendly
• Malicious
• Custom
c) Configure the notification when the rule is matched from the Notify drop-down list to All, Global, Local, or None.
d) Configure the state of the rogue AP when the rule is matched from the State drop-down list.
e) From the Match Operation text box, choose one of the following:
Match All—If this rule is enabled, a detected rogue access point must meet all of the conditions specified by the rule
in order for the rule to be matched and the rogue to adopt the classification type of the rule.
Match Any—If this rule is enabled, a detected rogue access point must meet any of the conditions specified by the
rule in order for the rule to be matched and the rogue to adopt the classification type of the rule. This is the default
value.
f) To enable this rule, select the Enable Rule check box. The default value is unselected.
g) If you choose the Rule Type as Custom, enter the Severity Score and the Classification Name.
h) From the Add Condition drop-down list, choose one or more of the following conditions that the rogue access point
must meet and click Add Condition.
• SSID—Requires that the rogue access point have a specific user-configured SSID. If you choose this option,
enter the SSID in the User Configured SSID text box, and click Add SSID.
Note
To delete an SSID, highlight the SSID and click Remove.
• RSSI—Requires that the rogue access point have a minimum received signal strength indication (RSSI) value.
For example, if the rogue access point has an RSSI that is greater than the configured value, then the access
point could be classified as malicious. If you choose this option, enter the minimum RSSI value in the Minimum
RSSI text box. The valid range is 0 to –128 dBm (inclusive).
• Duration—Requires that the rogue access point be detected for a minimum period of time. If you choose this
option, enter a value for the minimum detection period in the Time Duration text box. The valid range is 0 to
3600 seconds (inclusive), and the default value is 0 seconds.
• Client Count—Requires that a minimum number of clients be associated to the rogue access point. For example,
if the number of clients associated to the rogue access point is greater than or equal to the configured value, then
the access point could be classified as malicious. If you choose this option, enter the minimum number of clients
to be associated to the rogue access point in the Minimum Number of Rogue Clients text box. The valid range
is 1 to 10 (inclusive), and the default value is 0.
• No Encryption—Requires that the rogue access point’s advertised WLAN does not have encryption enabled.
If a rogue access point has encryption disabled, it is likely that more clients will try to associate to it. No further
configuration is required for this option.
Note
Cisco Prime Infrastructure refers to this option as “Open Authentication.”
• Managed SSID—Requires that the rogue access point’s managed SSID (the SSID configured for the WLAN)
be known to the controller. No further configuration is required for this option.
Note
The SSID and Managed SSID conditions cannot be used with the Match All operation because these
two SSID lists are mutually exclusive. If you define a rule with Match All and have these two conditions
configured, the rogue access points are never classified as friendly or malicious because one of the
conditions can never be met.
You can add up to six conditions per rule. When you add a condition, it appears under the Conditions
section.
Note
To delete a condition from this rule, hover your cursor over the blue drop-down arrow for that condition
and click Remove.
i) Click Apply.
Step 4
Click Save Configuration.
Step 5
If you want to change the order in which rogue classification rules are applied, follow these steps:
a) Click Back to return to the Rogue Rules page.
b) Click Change Priority to access the Rogue Rules > Priority page.
The rogue rules are listed in priority order in the Change Rules Priority text box.
c) Highlight the rule for which you want to change the priority, and click Up to raise its priority in the list or Down to
lower its priority in the list.
d) Continue to move the rules up or down until the rules are in the desired order.
e) Click Apply.
Step 6
Classify any rogue access points as friendly and add them to the friendly MAC address list as follows:
• Choose Security > Wireless Protection Policies > Rogue Policies > Friendly Rogue to open the Friendly Rogue
> Create page.
• In the MAC Address text box, enter the MAC address of the friendly rogue access point.
• Click Apply.
• Click Save Configuration. This access point is added to the controller’s list of friendly access points and should
now appear on the Friendly Rogue APs page.
Viewing and Classifying Rogue Devices (GUI)
Before you begin
Caution
When you choose to contain a rogue device, the following warning appears: “There may be legal issues
following this containment. Are you sure you want to continue?” The 2.4- and 5-GHz frequencies in the
Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As
such, containing devices on another party’s network could have legal consequences.
Step 1
Choose Monitor > Rogues.
Step 2
Choose the following options to view the different types of rogue access points detected by the controller:
• Friendly APs
• Malicious APs
• Unclassified APs
• Custom APs
The respective rogue APs pages provide the following information: the MAC address and SSID of the rogue access
point, channel number, the number of radios that detected the rogue access point, the number of clients connected to
the rogue access point, and the current status of the rogue access point.
Note
To remove acknowledged rogues from the database, change the rogue state to Alert. If the rogue is no longer
present, the rogue data is deleted from the database in 20 minutes.
Note
To delete a rogue access point from one of these pages, hover your cursor over the blue drop-down arrow
and click Remove. To delete multiple rogue access points, select the check box corresponding to the row
you want to delete and click Remove.
Note
You can move the Malicious or Unclassified rogue APs that are being contained or were contained back to
Alert state by clicking the Move to Alert button on the respective pages.
Step 3
Get more details about a rogue access point by clicking the MAC address of the access point. The Rogue AP Detail
page appears.
This page provides the following information: the MAC address of the rogue device, the type of rogue device (such as
an access point), whether the rogue device is on the wired network, the dates and times when the rogue device was first
and last reported, and the current status of the device.
The Class Type text box shows the current classification for this rogue access point:
• Friendly—An unknown access point that matches the user-defined friendly rules or an existing known and
acknowledged rogue access point. Friendly access points cannot be contained.
• Malicious—An unknown access point that matches the user-defined malicious rules or is moved manually by the
user from the Friendly or Unclassified classification type.
Note
Once an access point is classified as Malicious, you cannot apply rules to it in the future, and it cannot
be moved to another classification type. If you want to move a malicious access point to the Unclassified
classification type, you must delete the access point and allow the controller to reclassify it.
• Unclassified—An unknown access point that does not match the user-defined friendly or malicious rules. An
unclassified access point can be contained. It can also be moved to the Friendly or Malicious classification type
automatically in accordance with user-defined rules or manually by the user.
• Custom—A user-defined classification type that is tied to rogue rules. It is not possible to manually classify a
rogue as Custom. Custom class change can occur only using rogue rules.
Step 4
If you want to change the classification of this device, choose a different classification from the Class Type drop-down
list.
Note
A rogue access point cannot be moved to another class if its current state is Contain.
Step 5
From the Update Status drop-down list, choose one of the following options to specify how the controller should respond
to this rogue access point:
• Internal—The controller trusts this rogue access point. This option is available if the Class Type is set to Friendly.
• External—The controller acknowledges the presence of this rogue access point. This option is available if the
Class Type is set to Friendly.
• Contain—The controller contains the offending device so that its signals no longer interfere with authorized
clients. This option is available if the Class Type is set to Malicious or Unclassified.
• Alert—The controller forwards an immediate alert to the system administrator for further action. This option is
available if the Class Type is set to Malicious or Unclassified.
The bottom of the page provides information on both the access points that detected this rogue access point and any
clients that are associated to it. To see more details for any of the clients, click Edit to open the Rogue Client Detail
page.
Step 6
Click Apply.
Step 7
Click Save Configuration.
Step 8
View any rogue clients that are connected to the controller by choosing Rogue Clients. The Rogue Clients page appears.
This page shows the following information: the MAC address of the rogue client, the MAC address of the access point
to which the rogue client is associated, the SSID of the rogue client, the number of radios that detected the rogue client,
the date and time when the rogue client was last reported, and the current status of the rogue client.
Step 9
Obtain more details about a rogue client by clicking the MAC address of the client. The Rogue Client Detail page
appears.
This page provides the following information: the MAC address of the rogue client, the MAC address of the rogue
access point to which this client is associated, the SSID and IP address of the rogue client, the dates and times when
the rogue client was first and last reported, and the current status of the rogue client.
Step 10
From the Update Status drop-down list, choose one of the following options to specify how the controller should respond
to this rogue client:
• Contain—The controller contains the offending device so that its signals no longer interfere with authorized
clients.
• Alert—The controller forwards an immediate alert to the system administrator for further action.
The bottom of the page provides information on the access points that detected this rogue client.
Step 11
Click Apply.
Step 12
If desired, you can test the controller’s connection to this client by clicking Ping.
Step 13
Click Save Configuration.
Step 14
See any ad-hoc rogues detected by the controller by choosing Adhoc Rogues. The Adhoc Rogues page appears.
This page shows the following information: the MAC address, BSSID, and SSID of the ad-hoc rogue, the number of
radios that detected the ad-hoc rogue, and the current status of the ad-hoc rogue.
Step 15
Obtain more details about an ad-hoc rogue by clicking the MAC address of the rogue. The Adhoc Rogue Detail page
appears.
This page provides the following information: the MAC address and BSSID of the ad-hoc rogue, the dates and times
when the rogue was first and last reported, and the current status of the rogue.
Step 16
From the Update Status drop-down list, choose one of the following options to specify how the controller should respond
to this ad-hoc rogue:
• Contain—The controller contains the offending device so that its signals no longer interfere with authorized
clients.
• Alert—The controller forwards an immediate alert to the system administrator for further action.
• Internal—The controller trusts this rogue access point.
• External—The controller acknowledges the presence of this rogue access point.
Step 17
From the Maximum number of APs to contain the rogue drop-down list, choose one of the following options to specify
the maximum number of access points used to contain this ad-hoc rogue: 1, 2, 3, or 4.
• 1—Specifies that the targeted rogue access point is contained by one access point. This is the lowest containment level.
• 2—Specifies that the targeted rogue access point is contained by two access points.
• 3—Specifies that the targeted rogue access point is contained by three access points.
• 4—Specifies that the targeted rogue access point is contained by four access points. This is the highest containment level.
The bottom of the page provides information on the access points that detected this ad-hoc rogue.
Step 18
Click Apply.
Step 19
Click Save Configuration.
Step 20
View any access points that have been configured to be ignored by choosing Rogue AP Ignore-List. The Rogue AP
Ignore-List page appears.
This page shows the MAC addresses of any access points that are configured to be ignored. The rogue-ignore list
contains a list of any autonomous access points that have been manually added to Cisco Prime Infrastructure maps by
the users. The controller regards these autonomous access points as rogues even though the Prime Infrastructure is
managing them. The rogue-ignore list allows the controller to ignore these access points. The list is updated as follows:
• When the controller receives a rogue report, it checks to see if the unknown access point is in the rogue-ignore
access point list.
• If the unknown access point is in the rogue-ignore list, the controller ignores this access point and continues to
process other rogue access points.
• If the unknown access point is not in the rogue-ignore list, the controller sends a trap to the Prime Infrastructure.
If the Prime Infrastructure finds this access point in its autonomous access point list, the Prime Infrastructure sends
a command to the controller to add this access point to the rogue-ignore list. This access point is then ignored in
future rogue reports.
• If a user removes an autonomous access point from the Prime Infrastructure, the Prime Infrastructure sends a
command to the controller to remove this access point from the rogue-ignore list.
Configuring Rogue Classification Rules (CLI)
Step 1
Create a rule by entering this command:
config rogue rule add ap priority priority classify {friendly | malicious} rule-name
If you later want to change the priority of this rule and shift others in the list accordingly, enter the config rogue rule
priority priority rule-name command.
If you later want to change the classification of this rule, enter the config rogue rule classify {friendly | malicious}
rule-name command.
If you ever want to delete all of the rogue classification rules or a specific rule, enter the config rogue rule delete {all
| rule-name} command.
Step 2
Create a rule by entering these commands:
• Configure a rule for friendly rogues by entering this command:
config rogue rule add ap priority priority classify friendly notify {all | global | local | none} state {alert |
internal | external} rule-name
• Configure a rule for malicious rogues by entering this command:
config rogue rule add ap priority priority classify malicious notify {all | global | local | none} state {alert |
contain} rule-name
• Configure a rule for custom rogues by entering this command:
config rogue rule add ap priority priority classify custom severity-score classification-name notify {all | global
| local | none} state {alert | contain} rule-name
If you later want to change the priority of this rule and shift others in the list accordingly, enter the config rogue rule
priority priority rule-name command.
If you later want to change the classification of this rule, enter the config rogue rule classify {friendly | malicious |
custom severity-score classification-name} rule-name command.
If you ever want to delete all of the rogue classification rules or a specific rule, enter the config rogue rule delete {all
| rule-name} command.
Step 3
Configure the state on the rogue AP upon rule match by entering this command:
config rogue rule state {alert | contain | internal | external} rule-name
Step 4
Configure the notification upon rule match by entering this command:
config rogue rule notify {all | global | local | none} rule-name
Step 5
Disable all rules or a specific rule by entering this command:
config rogue rule disable {all | rule_name}
Note
A rule must be disabled before you can modify its attributes.
Step 6
Add conditions to a rule that the rogue access point must meet by entering this command:
config rogue rule condition ap set condition_type condition_value rule_name
The following condition types are available:
• ssid—Requires that the rogue access point have a specific SSID. You should add SSIDs that are not managed by
the controller. If you choose this option, enter the SSID for the condition_value parameter. The SSID is added to
the user-configured SSID list.
Note
If you ever want to delete all of the SSIDs or a specific SSID from the user-configured SSID list, enter
the config rogue rule condition ap delete ssid {all | ssid} rule_name command.
Note
Specify either the full SSID or a substring of it (without any asterisks). The substring is matched in
sequence against its occurrence in the rogue AP SSID. Once the condition is met, the rogue AP is
classified (depending on the OR or AND match condition).
• rssi—Requires that the rogue access point have a minimum RSSI value. For example, if the rogue access point
has an RSSI that is greater than the configured value, then the access point could be classified as malicious. If you
choose this option, enter the minimum RSSI value for the condition_value parameter.
In Release 8.0 and later releases, for friendly rogue rules, you are required to set a maximum RSSI value. The
RSSI value of the rogue AP must be less than the RSSI value set, for the rogue AP to be classified as a friendly
rogue. For malicious and custom rogue rules, there is no change in functionality.
For example, for a friendly rogue rule, the RSSI value is set at –80 dBm. All the rogue APs that are detected and
have RSSI value that is less than –80 dBm are classified as friendly rogues. For malicious and custom rogue rules,
the RSSI value is set at –80 dBm. All the rogue APs that are detected and have RSSI value that is more than –80
dBm are classified as malicious or custom rogue APs.
• duration—Requires that the rogue access point be detected for a minimum period of time. If you choose this
option, enter a value for the minimum detection period for the condition_value parameter. The valid range is 0 to
3600 seconds (inclusive), and the default value is 0 seconds.
• client-count—Requires that a minimum number of clients be associated to the rogue access point. For example,
if the number of clients associated to the rogue access point is greater than or equal to the configured value, then
the access point could be classified as malicious. If you choose this option, enter the minimum number of clients
to be associated to the rogue access point for the condition_value parameter. The valid range is 1 to 10 (inclusive),
and the default value is 0.
• managed-ssid—Requires that the rogue access point’s SSID be known to the controller. A condition_value
parameter is not required for this option.
Note
You can add up to six conditions per rule. If you ever want to delete all of the conditions or a specific
condition from a rule, enter the config rogue rule condition ap delete {all | condition_type condition_value}
rule_name command.
Step 7
Specify whether a detected rogue access point must meet all or any of the conditions specified by the rule in order for
the rule to be matched and the rogue access point to adopt the classification type of the rule by entering this command:
config rogue rule match {all | any} rule_name
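The rules above, together with the Guidelines and Restrictions section (priority order, first match wins, which classifications are re-evaluated on a new report) and the condition semantics described in Step 6 (substring SSID match, RSSI as a maximum for friendly rules and a minimum for malicious and custom rules, minimum duration and client count), are easier to reason about as a small simulator. The following is an added example written for this guide, not controller code: it models a controller's rogue table and feeds constructed reports through a constructed rule list. The GUI-only No Encryption condition is included as `no-encryption`; the three-minute unconfigured window is not modelled; treating a rule with no conditions as never matching is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class RogueReport:
    """One rogue report as the classifier sees it (constructed, simplified)."""
    mac: str
    ssid: str
    rssi: int          # dBm
    duration: int      # seconds the rogue has been detected
    clients: int       # clients associated to the rogue
    encrypted: bool


@dataclass
class Rule:
    name: str
    priority: int                  # lower number is evaluated first
    classify: str                  # friendly | malicious | custom
    state: str                     # alert | internal | external | contain
    match: str = "any"             # all | any (any is the GUI default)
    conditions: Dict[str, object] = field(default_factory=dict)
    enabled: bool = True


@dataclass
class RogueEntry:
    """What the controller remembers about a rogue between reports."""
    classification: str = "unclassified"
    state: str = "alert"
    by_rule: bool = False          # False when an administrator set the class manually


def condition_met(ctype: str, value, report: RogueReport, managed: Set[str], classify: str) -> bool:
    if ctype == "ssid":            # substring match, no wildcards
        return any(s in report.ssid for s in value)
    if ctype == "rssi":            # friendly: RSSI must be below the value; malicious/custom: above it
        return report.rssi < value if classify == "friendly" else report.rssi > value
    if ctype == "duration":
        return report.duration >= value
    if ctype == "client-count":
        return report.clients >= value
    if ctype == "no-encryption":
        return not report.encrypted
    if ctype == "managed-ssid":
        return report.ssid in managed
    raise ValueError(f"unknown condition type {ctype}")


def rule_matches(rule: Rule, report: RogueReport, managed: Set[str]) -> bool:
    if not rule.enabled or not rule.conditions:   # assumption: a rule with no conditions never matches
        return False
    hits = [condition_met(c, v, report, managed, rule.classify) for c, v in rule.conditions.items()]
    return all(hits) if rule.match == "all" else any(hits)


def apply_rules(entry: RogueEntry, report: RogueReport, rules: List[Rule], managed: Set[str]) -> RogueEntry:
    """Re-evaluate one rogue for a new report, honouring the guide's restrictions."""
    # Malicious never moves by rule; friendly moves only if a rule set it and it is still in alert.
    if entry.classification == "malicious":
        return entry
    if entry.classification == "friendly" and not (entry.by_rule and entry.state == "alert"):
        return entry
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, report, managed):      # first match wins; lower rules are not tried
            return RogueEntry(classification=rule.classify, state=rule.state, by_rule=True)
    return entry


def classify_stream(reports: List[RogueReport], rules: List[Rule], managed: Set[str]) -> Dict[str, RogueEntry]:
    """Feed a time-ordered sequence of reports through the classifier, keeping per-MAC state."""
    table: Dict[str, RogueEntry] = {}
    for rep in reports:
        table[rep.mac] = apply_rules(table.get(rep.mac, RogueEntry()), rep, rules, managed)
    return table


# Constructed rules and reports (placeholder MACs and SSIDs).
RULES = [
    Rule("weak-neighbor", 1, "friendly", "alert", "all", {"ssid": ["Guest"], "rssi": -80}),
    Rule("spoofs-us", 2, "malicious", "alert", "any", {"managed-ssid": None, "no-encryption": None}),
]
MANAGED = {"CorpWLAN"}
REPORTS = [
    RogueReport("00:11:22:33:44:aa", "GuestNet", -85, 600, 1, True),   # distant guest AP: friendly
    RogueReport("00:11:22:33:44:aa", "CorpWLAN", -40, 900, 3, True),   # now advertises our SSID: malicious
    RogueReport("00:11:22:33:44:aa", "GuestNet", -90, 1200, 0, True),  # later report cannot undo malicious
    RogueReport("00:11:22:33:44:bb", "Other", -70, 30, 0, False),      # open AP, matches via no-encryption
]

if __name__ == "__main__":
    for mac, entry in classify_stream(REPORTS, RULES, MANAGED).items():
        print(mac, entry.classification, entry.state, "by rule" if entry.by_rule else "manual")
```

The first MAC shows the one-way nature of the rule engine: a friendly-by-rule rogue in alert state is re-evaluated and promoted to malicious when it starts advertising a managed SSID, but the third, harmless-looking report does not move it back. An entry an administrator marked friendly with state internal is never touched, which is why manual friendly entries should be reviewed periodically.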
Step 8
Enable all rules or a specific rule by entering this command:
config rogue rule enable {all | rule_name}
Note
For your changes to become effective, you must enable the rule.
Step 9
Add a new friendly access point entry to the friendly MAC address list or delete an existing friendly access point entry
from the list by entering this command:
config rogue ap friendly {add | delete} ap_mac_address
Step 10
Save your changes by entering this command:
save config
Step 11
View the rogue classification rules that are configured on the controller by entering this command:
show rogue rule summary
Step 12
View detailed information for a specific rogue classification rule by entering this command:
show rogue rule detailed rule_name
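Steps 1 through 12 are one procedure, and several of the documented limits (rule names without spaces, the states valid for each class, the 0 to -128 dBm RSSI range, 0 to 3600 seconds, 1 to 10 clients, at most six conditions, no asterisks in SSID substrings, and the SSID plus Managed SSID conflict under Match All) are only enforced by the operator reading carefully. The following helper is an added example, not part of the guide or of the controller: it validates a rule definition against those documented limits and emits the CLI commands in the order of the procedure. Only the condition types the CLI procedure lists are accepted; disabling the rule immediately after creating it, before conditions are added, is a conservative choice of the example rather than a step the guide requires.

```python
from typing import Dict, List, Optional

# Option sets and limits as the guide states them for the rogue rule CLI.
STATES_BY_CLASS = {
    "friendly": {"alert", "internal", "external"},
    "malicious": {"alert", "contain"},
    "custom": {"alert", "contain"},
}
NOTIFY_OPTIONS = {"all", "global", "local", "none"}
CLI_CONDITIONS = {"ssid", "rssi", "duration", "client-count", "managed-ssid"}
MAX_CONDITIONS = 6


def validate_rule(name: str, classify: str, state: str, notify: str, match: str,
                  conditions: Dict[str, object], severity: Optional[int] = None,
                  class_name: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the rule respects the documented limits."""
    problems: List[str] = []
    if not name or " " in name:
        problems.append("rule name must be non-empty and contain no spaces")
    if classify not in STATES_BY_CLASS:
        problems.append(f"unknown classification {classify!r}")
    elif state not in STATES_BY_CLASS[classify]:
        problems.append(f"state {state!r} is not valid for a {classify} rule")
    if notify not in NOTIFY_OPTIONS:
        problems.append(f"unknown notify option {notify!r}")
    if match not in {"all", "any"}:
        problems.append(f"match must be all or any, not {match!r}")
    if classify == "custom" and (severity is None or not class_name):
        problems.append("custom rules need a severity score and a classification name")
    if len(conditions) > MAX_CONDITIONS:
        problems.append(f"at most {MAX_CONDITIONS} conditions per rule")
    if match == "all" and "ssid" in conditions and "managed-ssid" in conditions:
        problems.append("ssid and managed-ssid can never both hold under match all; the rule would never fire")
    for ctype, value in conditions.items():
        if ctype not in CLI_CONDITIONS:
            problems.append(f"condition type {ctype!r} is not a CLI condition")
        elif ctype == "rssi" and not -128 <= value <= 0:
            problems.append("rssi must be between 0 and -128 dBm")
        elif ctype == "duration" and not 0 <= value <= 3600:
            problems.append("duration must be between 0 and 3600 seconds")
        elif ctype == "client-count" and not 1 <= value <= 10:
            problems.append("client-count must be between 1 and 10")
        elif ctype == "ssid" and (not value or any("*" in s for s in value)):
            problems.append("ssid needs at least one substring and asterisks are not wildcards")
    return problems


def rule_to_cli(name: str, priority: int, classify: str, state: str, notify: str, match: str,
                conditions: Dict[str, object], severity: Optional[int] = None,
                class_name: Optional[str] = None) -> List[str]:
    """Emit the commands of the procedure in order: add, keep disabled while conditions are set,
    set the match operation, enable, save. Raises ValueError if validate_rule objects."""
    problems = validate_rule(name, classify, state, notify, match, conditions, severity, class_name)
    if problems:
        raise ValueError("; ".join(problems))
    cls = classify if classify != "custom" else f"custom {severity} {class_name}"
    cmds = [f"config rogue rule add ap priority {priority} classify {cls} notify {notify} state {state} {name}",
            f"config rogue rule disable {name}"]
    for ctype, value in conditions.items():
        if ctype == "managed-ssid":              # takes no condition_value
            cmds.append(f"config rogue rule condition ap set managed-ssid {name}")
        elif ctype == "ssid":                    # one command per SSID substring
            cmds.extend(f"config rogue rule condition ap set ssid {s} {name}" for s in value)
        else:
            cmds.append(f"config rogue rule condition ap set {ctype} {value} {name}")
    cmds += [f"config rogue rule match {match} {name}",
             f"config rogue rule enable {name}",
             "save config"]
    return cmds


if __name__ == "__main__":
    # Constructed rule: alert on any rogue advertising one of our managed SSIDs at a usable signal level.
    for cmd in rule_to_cli("evil-twin", 1, "malicious", "alert", "local", "any",
                           {"managed-ssid": None, "rssi": -70}):
        print(cmd)
```

Running the validator before pasting commands into the controller catches the silent failure the GUI note describes: a Match All rule with both SSID and Managed SSID conditions is accepted by the controller but can never classify anything.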
Viewing and Classifying Rogue Devices (CLI)
Procedure
• View a list of all rogue access points detected by the controller by entering this command:
show rogue ap summary
• See a list of the friendly rogue access points detected by the controller by entering this command:
show rogue ap friendly summary
• See a list of the malicious rogue access points detected by the controller by entering this command:
show rogue ap malicious summary
• See a list of the unclassified rogue access points detected by the controller by entering this command:
show rogue ap unclassified summary
• See detailed information for a specific rogue access point by entering this command:
show rogue ap detailed ap_mac_address
• See the rogue report (which shows the number of rogue devices detected on different channel widths)
for a specific 802.11a/n radio by entering this command:
show ap auto-rf 802.11a Cisco_AP
• See a list of all rogue clients that are associated to a rogue access point by entering this command:
show rogue ap clients ap_mac_address
• See a list of all rogue clients detected by the controller by entering this command:
show rogue client summary
• See detailed information for a specific rogue client by entering this command:
show rogue client detailed Rogue_AP client_mac_address
• See a list of all ad-hoc rogues detected by the controller by entering this command:
show rogue adhoc summary
• See detailed information for a specific ad-hoc rogue by entering this command:
show rogue adhoc detailed rogue_mac_address
• See a summary of ad hoc rogues based on their classification by entering this command:
show rogue adhoc {friendly | malicious | unclassified} summary
• See a list of rogue access points that are configured to be ignored by entering this command:
show rogue ignore-list
• Classify a rogue access point as friendly by entering this command:
config rogue ap classify friendly state {internal | external} ap_mac_address
where
internal means that the controller trusts this rogue access point.
external means that the controller acknowledges the presence of this rogue access point.
Note
A rogue access point cannot be moved to the Friendly class if its current state is Contain.
• Mark a rogue access point as malicious by entering this command:
config rogue ap classify malicious state {alert | contain} ap_mac_address
where
alert means that the controller forwards an immediate alert to the system administrator for further action.
contain means that the controller contains the offending device so that its signals no longer interfere
with authorized clients.
Note
A rogue access point cannot be moved to the Malicious class if its current state is Contain.
Caution
Performing rogue containment might be illegal if the target of the attack is a device that you do not own.
Enable rogue containment only if none of your APs can transmit radio signals outside of your property.
• Mark a rogue access point as unclassified by entering this command:
config rogue ap classify unclassified state {alert | contain} ap_mac_address