CHAPTER 10
Using Templates
This chapter describes how to add and apply controller templates. Information on creating (adding) access point templates is also provided.
Templates allow you to set parameters that you can then apply to multiple devices without having to re-enter the common information.
Note: Template information can be overridden on individual devices.
This chapter contains these sections:
• Adding Controller Templates
• Applying Controller Templates
• Adding Access Point Templates
Adding Controller Templates
Follow these steps to add a new controller template.
Step 1 Choose Configure > Controller Templates.
Step 2 Choose Add Template from the Select a command drop-down menu and click GO.
Step 3 Enter the template name.
Step 4 Provide a description of the template.
Step 5 Click Save.
OL-12623-01
A summary of the templates that can be added is highlighted below:
• Configuring an NTP Server Template
• Configuring General Templates
• Configuring QoS Templates
• Configuring a Traffic Stream Metrics QoS Template
• Configuring WLAN Templates
• Configuring a File Encryption Template
Cisco Wireless Control System Configuration Guide
• Configuring a RADIUS Authentication Template
• Configuring a RADIUS Accounting Template
• Configuring a LDAP Server Template
• Configuring a TACACS+ Server Template
• Configuring a Network Access Control Template
• Configuring a Local EAP General Template
• Configuring a Local EAP Profile Template
• Configuring an EAP-FAST Template
• Configuring Network User Credential Retrieval Priority Templates
• Configuring a Local Network Users Template
• Configuring Guest User Templates
• Configuring a User Login Policies Template
• Configuring a MAC Filter Template
• Configuring an Access Point Authorization
• Configuring a Manually Disabled Client Template
• Configuring a CPU Access Control List (ACL) Template
• Configuring a Rogue Policies Template
• Configuring a Trusted AP Policies Template
• Configuring a Client Exclusion Policies Template
• Configuring an Access Point Authentication and MFP Template
• Configuring a Web Authentication Template
• Configuring Access Control List Templates
• Configuring a Policy Name Template (for 802.11a or 802.11b/g)
• Configuring High Density Templates
• Configuring a Voice Parameter Template (for 802.11a or 802.11b/g)
• Configuring a Video Parameter Template (for 802.11a or 802.11b/g)
• Configuring a Roaming Parameters Template (for 802.11a or 802.11b/g)
• Configuring an RRM Threshold Template (for 802.11a or 802.11b/g)
• Configuring an RRM Interval Template (for 802.11a or 802.11b/g)
• Configuring an 802.11h Template
• Configuring a Mesh Template
• Configuring a Known Rogue Access Point Template
• Configuring a Trap Receiver Template
• Configuring a Trap Control Template
• Configuring a Telnet SSH Template
• Configuring a Syslog Template
• Configuring a Local Management User Template
• Configuring a User Authentication Priority Template
• Configuring Access Point/Radio Templates
Configuring an NTP Server Template
Follow these steps to add a new network time protocol (NTP) server template to the controller configuration or make modifications to an existing NTP template. NTP is used to synchronize computer clocks on the internet.
Step 1 Choose Configure > Controller Templates.
Step 2 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To modify an existing template, click to select a template in the Template Name column. The NTP Server Template window appears (see Figure 10-1), and the number of controllers the template is applied to automatically populates.
Figure 10-1 NTP Servers Template
Step 3 Enter the NTP server IP address.
Step 4 Click Save.
Configuring General Templates
Follow these steps to add a new template with general information for a controller or make a change to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose System > General.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To modify an existing template, click to select a template in the Template Name column. The General Template window appears (see Figure 10-2).
Figure 10-2 General Template
Step 4 Use the drop-down menu to enable or disable flow control mode.
Step 5 Use the drop-down menu to enable or disable 802.3 bridging.
Step 6 Specify Layer 2 or Layer 3 transport mode. When set to Layer 3, the LWAPP uses IP addresses to communicate with the access points; these IP addresses are collected from a mandatory DHCP server. When set to Layer 2, the LWAPP uses proprietary code to communicate with the access points.
Step 7 At the Ethernet Multicast Support drop-down menu, choose Disable to disable multicast support on the controller or Multicast to enable multicast support on the controller. Choose Unicast if the controller, upon receiving a multicast packet, forwards the packets to all the associated access points. H-REAP supports only unicast mode.
Step 8 Choose if you want to enable or disable aggressive load balancing.
Step 9 Choose to enable or disable peer-to-peer blocking mode. If you choose Disable, any same-subnet clients communicate through the controller. If you choose Enable, any same-subnet clients communicate through a higher-level router.
Step 10 At the Over Air AP Provision Mode drop-down menu, choose enable or disable.
Step 11 At the AP Fallback drop-down menu, choose enable or disable. Enabling fallback causes an access point that lost a primary controller connection to automatically return to service when the primary controller returns.
Step 12 Choose to enable or disable AppleTalk bridging.
Step 13 Choose to enable or disable the fast SSID option. If enabled, the client connects instantly to the controller between SSIDs without having appreciable loss of connectivity. Normally, each client is connected to a particular WLAN identified by the SSID. If the client moves out of reach of the connected access point, the client has to reconnect to the controller using a different access point. This normal process consumes some time as the DHCP (Dynamic Host Configuration Protocol) server has to assign an IP address to the client.
Step 14 Because the master controller is normally not used in a deployed network, the master controller setting is automatically disabled upon reboot or OS code upgrade. You may enable the controller to be configured as the master controller from the Master Controller Mode drop-down menu.
Step 15 Choose to enable or disable access to the controller management interface from wireless clients. Because of IPSec operation, management via wireless is only available to operators logging in across WPA, Static WEP, or VPN Pass Through WLANs. Wireless management is not available to clients attempting to log in via an IPSec WLAN.
Step 16 Choose to enable or disable link aggregation. Link aggregation allows you to reduce the number of IP addresses needed to configure the ports on your controller by grouping all the physical ports and creating a link aggregation group (LAG). In a 4402 model, two ports are combined to form a LAG whereas in a 4404 model, all four ports are combined to form a LAG.
If LAG is enabled on a controller, the following configuration changes occur:
• Any dynamic interfaces that you have created will be deleted. This is done to prevent configuration inconsistencies in the interface database.
• Interfaces cannot be created with the “Dynamic AP Manager” flag set.
Note: You cannot create more than one LAG on a controller.
The advantages of creating a LAG are as follows:
• It ensures that if one of the links goes down, the traffic is moved to the other links in the LAG. Hence, as long as one of the physical ports is working, the system remains functional.
• It eliminates the need to configure separate backup ports for each interface.
• Multiple AP-manager interfaces are not required since only one logical port is visible to the application.
Note: When you make changes to the LAG configuration, the controller has to be rebooted for the changes to take effect.
Step 17 Choose to enable or disable symmetric mobility tunneling. With symmetric mobility tunneling, the controller provides inter-subnet mobility for clients roaming from one access point to another within a wireless LAN. The client traffic on the wired network is directly routed by the foreign controller. If a router has reverse path filtering (RPF) enabled (which provides additional checks on incoming packets), the communication is blocked. Symmetric mobility tunneling allows the client traffic to reach the controller designated as the anchor, even with RPF enabled.
Note: All controllers in a mobility group should have the same symmetric tunneling mode.
Note: For symmetric tunneling to take effect, you must reboot.
Step 18 Enter the operator-defined RF mobility group name in the Default Mobility Domain Name field.
Step 19 At the Mobility Anchor Group Keep Alive Interval, determine the delay between tries for clients attempting to join another access point. With this guest tunneling N+1 redundancy feature, the time it takes for a client to join another access point following a controller failure is decreased because a failure is quickly identified, the clients are moved away from the problem controller, and the clients are anchored to another controller.
Note: When you hover over the parameter field with the mouse, the valid range for that field appears.
Step 20 At the Mobility Anchor Group Keep Alive Retries, specify the number of queries to anchor before the client declares it unreachable.
Note: When you hover over the parameter field with the mouse, the valid range for that field appears.
Step 21 Enter the RF network group name between 8 and 19 characters. Radio Resource Management (RRM) neighbor packets are distributed among access points within an RF network group. The Cisco access points only accept RRM neighbor packets sent with this RF network name. The RRM neighbor packets sent with different RF network names will be dropped.
Step 22 Specify the timeout for idle clients. The factory default is 300 seconds. When the timeout expires, the client loses authentication, briefly disassociates from the access point, reassociates, and re-authenticates.
Step 23 Specify the timeout in seconds for the address resolution protocol. The factory default is 300 seconds.
Step 24 At the CDP on controller drop-down menu, choose if you want to enable CDP on the controller. CDP is a device discovery protocol that runs on all Cisco manufactured equipment (such as routers, bridges, communication servers, and so on).
Step 25 At the Global CDP on APs drop-down menu, choose if you want to enable CDP on the access point.
Step 26 At the Refresh Time Interval parameter, enter the interval at which CDP messages are generated. With the regeneration, the neighbor entries are refreshed.
Step 27 At the Holdtime parameter, enter the time in seconds before the CDP neighbor entry expires.
Step 28 At the CDP Advertisement Version parameter, enter which version of the CDP protocol to use.
Step 29 Click Save.
Configuring QoS Templates
Follow these steps to make modifications to the quality of service profiles.
Step 1 Choose Configure > Controller Templates.
Step 2 On the left sidebar menu, choose System > QoS Profiles. The QoS Template window appears (see Figure 10-3), and the number of controllers the template is applied to automatically populates.
Figure 10-3 QoS Profile Template
Step 3 Set the following values in the Per-User Bandwidth Contracts portion of the window. All have a default of 0 or Off.
• Average Data Rate - The average data rate for non-UDP traffic.
• Burst Data Rate - The peak data rate for non-UDP traffic.
• Average Real-time Rate - The average data rate for UDP traffic.
• Burst Real-time Rate - The peak data rate for UDP traffic.
Step 4 Set the following values for the Over-the-Air QoS portion of the window.
• Maximum QoS RF Usage per AP - The maximum air bandwidth available to clients. The default is 100%.
• QoS Queue Depth - The depth of queue for a class of client. The packets with a greater value are dropped at the access point.
Step 5 Set the following values in the Wired QoS Protocol portion of the window.
• Wired QoS Protocol - Choose 802.1P to activate 802.1P priority tags or None to deactivate 802.1P priority flags.
• 802.1P Tag - Choose 802.1P priority tag for a wired connection from 0 to 7. This tag is used for traffic and LWAPP packets.
Step 6 Click Save.
Configuring a Traffic Stream Metrics QoS Template
Traffic stream metrics are a series of statistics about VoIP over your wireless LAN that inform you of the QoS of the wireless LAN. These statistics are different from the end-to-end statistics provided by VoIP systems. End-to-end statistics provide information on packet loss and latency covering all the links comprising the call path. However, traffic stream metrics are statistics for only the WLAN segment of the call. Because of this, system administrators can quickly determine whether audio problems are being caused by the WLAN or by other network elements participating in a call. By observing which access points have impaired QoS, system administrators can quickly determine the physical area where the problem is occurring. This is important when lack of radio coverage or excessive interference is the root problem.
Four QoS values (packet latency, packet jitter, packet loss, and roaming time), which can affect the audio quality of voice calls, are monitored. All the wireless LAN components participate in this process. Access points and clients measure the metrics, access points collect the measurements and then send them to the controller. The access points update the controller with traffic stream metric information every 90 seconds, and 10 minutes of data is stored at one time. Cisco Wireless Control System queries the controller for the metrics and displays them in the Traffic Stream Metrics QoS Status. These metrics are compared to threshold values to determine their status level, and if any of the statistics are displaying a status level of fair (yellow) or degraded (red), the administrator should investigate the QoS of the wireless LAN.
For the access points to collect measurement values, traffic stream metrics must be enabled on the controller.
Step 1 Choose Configure > Controller Templates.
Step 2 On the left sidebar menu, choose System > Traffic Stream Metrics QoS. The Traffic Stream Metrics QoS Status Configuration window appears (see Figure 10-4).
Figure 10-4 Traffic Stream Metrics QoS Status Template
The Traffic Stream Metrics QoS Status Configuration window shows several QoS values. An administrator can monitor voice and video quality of the following:
• Upstream delay
• Upstream packet loss rate
• Roaming time
• Downstream packet loss rate
• Downstream delay
Packet Loss Rate (PLR) affects the intelligibility of voice. Packet delay can affect both the intelligibility and conversational quality of the connection. Excessive roaming time produces undesired gaps in audio.
There are three levels of measurement:
• Normal: Normal QoS (green)
• Fair: Fair QoS (yellow)
• Degraded: Degraded QoS (red)
System administrators should employ some judgement when setting the green, yellow, and red alarm levels. Some factors to consider are:
• Environmental factors including interference and radio coverage which can affect PLR.
• End-user expectations and system administrator requirements for audio quality on mobile devices (lower audio quality can permit greater PLR).
• Different codec types used by the phones have different tolerance for packet loss.
• Not all calls will be mobile-to-mobile; therefore, some will have less stringent PLR requirements for the wireless LAN.
Configuring WLAN Templates
WLAN templates allow you to define various WLAN profiles for application to different controllers.
In WCS software release 4.0.96.0 and later releases, you can configure multiple WLANs with the same SSID. This feature enables you to assign different Layer 2 security policies within the same wireless LAN. To distinguish among WLANs with the same SSID, you need to create a unique profile name for each WLAN.
These restrictions apply when configuring multiple WLANs with the same SSID:
• WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes. These are the available Layer 2 security policies:
  – None (open WLAN)
  – Static WEP or 802.1
  – CKIP
  – WPA/WPA2
• Broadcast SSID must be enabled on the WLANs that share an SSID so that the access points can generate probe responses for these WLANs.
• Hybrid-REAP access points do not support multiple SSIDs.
• The WLAN override feature is not supported for use with multiple SSIDs.
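The restrictions above can be checked before a set of WLAN templates is applied. The following is an added example, not part of the Cisco guide or of WCS: the `Wlan` record, its field names and the grouping of drop-down values into the four listed policies are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# The four Layer 2 policy groups the page lists as distinguishable in beacons
# and probes. Mapping each drop-down value to a group is an assumption.
POLICY_GROUP = {
    "None": "open",
    "Static WEP": "wep-or-802.1x",
    "802.1X": "wep-or-802.1x",
    "Static WEP-802.1X": "wep-or-802.1x",
    "CKIP": "ckip",
    "WPA1+WPA2": "wpa",
}


@dataclass
class Wlan:
    """Hypothetical record for one WLAN template (not a WCS export format)."""
    profile_name: str
    ssid: str
    layer2: str
    broadcast_ssid: bool = True
    on_hybrid_reap: bool = False   # served by hybrid-REAP access points
    wlan_override: bool = False    # WLAN override feature in use


def check_shared_ssids(wlans):
    """Return (profile_name, rule) findings for WLANs that share an SSID."""
    findings = []
    profiles = set()
    by_ssid = defaultdict(list)
    for w in wlans:
        # Profile names are what distinguishes WLANs with the same SSID.
        if w.profile_name in profiles:
            findings.append((w.profile_name, "profile-name-not-unique"))
        profiles.add(w.profile_name)
        by_ssid[w.ssid].append(w)

    for group in by_ssid.values():
        if len(group) < 2:
            continue  # the restrictions only apply to shared SSIDs
        owner = {}  # policy group -> first profile that uses it
        for w in group:
            policy = POLICY_GROUP.get(w.layer2)
            if policy is None:
                findings.append((w.profile_name, "layer2-policy-unknown"))
            elif policy in owner:
                findings.append((w.profile_name, "layer2-policy-not-unique"))
            else:
                owner[policy] = w.profile_name
            if not w.broadcast_ssid:
                findings.append((w.profile_name, "broadcast-ssid-disabled"))
            if w.on_hybrid_reap:
                findings.append((w.profile_name, "hybrid-reap-unsupported"))
            if w.wlan_override:
                findings.append((w.profile_name, "wlan-override-unsupported"))
    return findings


# Constructed sample: four WLANs share the SSID "corp", one stands alone.
SAMPLE = [
    Wlan("corp-open", "corp", "None"),
    Wlan("corp-wpa", "corp", "WPA1+WPA2"),
    Wlan("corp-wep", "corp", "Static WEP", broadcast_ssid=False),
    Wlan("corp-dot1x", "corp", "802.1X", wlan_override=True),
    Wlan("guest", "guest", "None", broadcast_ssid=False),
]

if __name__ == "__main__":
    for profile, rule in check_shared_ssids(SAMPLE):
        print(f"{profile}: {rule}")
```

The stand-alone "guest" WLAN produces no finding even with broadcast SSID off, because the restrictions apply only to WLANs that share an SSID.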
Follow these steps to add a new WLAN template or make modifications to an existing WLAN template.
Step 1 Choose Configure > Controller Templates.
Step 2 Choose WLANs > WLAN from the left sidebar menu.
The WLAN Template window appears with a summary of all existing defined WLANs. The following information headings are used to define the WLANs listed on the WLAN Template General window (see
• Template Name - The user-defined name of the template. Clicking the name displays parameters for this template.
• Profile Name - User-defined profile name used to distinguish WLANs with the same SSID.
Note: This heading is not present in software releases prior to 4.0.96.0.
• SSID - Displays the name of the WLAN.
• WLAN Status - Sets the status of the WLAN to enabled when checked.
• Security Policies - Determines whether 802.1X is enabled. None indicates no 802.1X.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click a URL in the Template Name column. The WLAN Template window appears (see Figure 10-5).
Figure 10-5 WLAN Template
Step 4 Use the Radio Policy drop-down menu to set the WLAN policy to apply to All (802.11a/b/g), 802.11a only, 802.11g only, 802.11b/g only, or 802.11a/g only.
Step 5 Use the Interface drop-down menu to choose the available names of interfaces created by the Controller > Interfaces module.
Step 6 Click the Broadcast SSID to activate SSID broadcasts for this WLAN.
Step 7 Click Save.
Step 8 To further configure the WLAN template, choose from the following:
• Click the Security tab to establish which AAA can override the default servers on this WLAN and to establish the security mode for Layer 2 and 3. Continue to the “Security” section on page 10-11.
• Click the QoS tab to establish which quality of service will be expected for this WLAN. Continue to the “QoS” section.
• Click the Advanced tab to configure any other details about the WLAN, such as DHCP assignments and management frame protection. Continue to the “Advanced” section on page 10-17.
Security
After choosing Security, you have an additional three tabs: Layer 2, Layer 3, and AAA Servers.
Layer 2
When you choose the Layer 2 tab, the window as shown in Figure 10-6 appears.
Figure 10-6 Layer 2 Window
Step 1 Use the Layer 2 Security drop-down menu to choose between None, WPA, WPA-2, Static WEP, 802.1X, Cranite, Fortress, Static WEP-802.1x, CKIP, and WPA1 + WPA2 as described in the table below.
Table 10-1 Layer 2 Security Options
Parameter | Description
None | No Layer 2 security selected.
802.1X | WEP 802.1X data encryption type (Note 1): 40/64 bit key. 104/128 bit key. 128/152 bit key.
WPA | This is a 3.2 controller code option and is not supported in 4.0 or later versions.
WPA-2 | This is a 3.2 controller code option and is not supported in 4.0 or later versions.
Static WEP | Static WEP encryption parameters: Key sizes: 40/64, 104/128 and 128/152 bit key sizes. Key Index: 1 to 4 (Note 2). Encryption key required. Select encryption key format in ASCII or HEX.
Cranite | Configure the WLAN to use the FIPS 140-2 compliant Cranite WirelessWall Software Suite, which uses AES encryption and VPN tunnels to encrypt and verify all data frames carried by the Cisco Wireless LAN Solution.
Fortress | FIPS 140-2 compliant Layer 2 security feature.
Static WEP-802.1X | Use this setting to enable both Static WEP and 802.1x policies. If this option is selected, static WEP and 802.1x parameters are displayed at the bottom of the page. Static WEP encryption parameters: Key sizes: 40/64, 104/128 and 128/152 bit key sizes. Key Index: 1 to 4 (Note 2). Enter encryption key. Select encryption key format in ASCII or HEX. WEP 802.1X data encryption type (Note 1): 40/64 bit key. 104/128 bit key. 128/152 bit key.
WPA1+WPA2 | Use this setting to enable WPA1, WPA2 or both. See the WPA1 and WPA2 parameters displayed on the window when WPA1+WPA2 is selected. WPA1 enables Wi-Fi Protected Access with TKIP-MIC Data Encryption. When WPA1+WPA2 is selected, you can use Cisco’s Centralized Key Management (CCKM) authentication key management, which allows fast exchange when a client roams from one access point to another. When WPA1+WPA2 is selected as the Layer 2 security policy, and Pre-Shared Key is enabled, then neither CCKM nor 802.1X can be enabled. However, both CCKM and 802.1X can be enabled at the same time.
CKIP | Cisco Key Integrity Protocol (CKIP). A Cisco access point advertises support for CKIP in beacon and probe response packets. CKIP can be configured only when Aironet IE is enabled on the WLAN. When selected, these CKIP parameters are displayed. Key length: Specify key length. Key (ASCII or HEX): Specify encryption key. MMH Mode: Enable or disable (check box). KP: Enable or disable (check box).
Step 2 Check the MAC Filtering check box if you want to filter clients by MAC address.
Step 3 If you selected either WPA1 or WPA2 in Step 1, you must specify the type of WPA encryption: either TKIP or AES.
Step 4 Choose the desired type of authentication key management. The choices are 802.1x, CCKM, PSK, or CCKM+802.1x.
Note: If you choose PSK, you must enter the password and type (ASCII or hexadecimal).
Step 5 Click Save.
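The Layer 2 rules in Table 10-1 and Steps 2 to 5 can be expressed as a pre-apply check. This is an added example, not Cisco code: the template is a plain dict with hypothetical key names, and the key-length arithmetic (secret bits plus a 24-bit IV for WEP, 8 to 63 ASCII characters or 64 hex digits for a WPA pre-shared key) comes from the WEP and IEEE 802.11i definitions rather than from this page.

```python
import string

# First number of each key size on the page is the secret length in bits; the
# remaining 24 bits are the WEP IV (standard WEP, not stated on the page).
WEP_SECRET_BITS = {"40/64": 40, "104/128": 104, "128/152": 128}
KEY_MGMT = {"802.1X", "CCKM", "PSK"}


def key_fits(key, fmt, bits):
    """True if key holds exactly `bits` bits in the chosen format."""
    if fmt == "ASCII":
        return len(key) * 8 == bits and all(32 <= ord(c) < 127 for c in key)
    if fmt == "HEX":
        return len(key) * 4 == bits and all(c in string.hexdigits for c in key)
    return False


def psk_fits(psk, fmt):
    """WPA PSK length limits from IEEE 802.11i (not stated on the page)."""
    if fmt == "ASCII":
        return 8 <= len(psk) <= 63 and all(32 <= ord(c) < 127 for c in psk)
    return fmt == "HEX" and key_fits(psk, "HEX", 256)


def check_layer2(t, controller_release=(4, 0)):
    """Return rule names violated by template dict `t` (hypothetical keys)."""
    problems = []
    mode = t.get("layer2")

    # Table 10-1: stand-alone WPA and WPA-2 are 3.2 controller code options.
    if mode in ("WPA", "WPA-2") and controller_release >= (4, 0):
        problems.append("wpa-standalone-is-3.2-only")

    if mode in ("Static WEP", "Static WEP-802.1X"):
        bits = WEP_SECRET_BITS.get(t.get("wep_key_size"))
        if bits is None:
            problems.append("wep-key-size")
        elif not key_fits(t.get("wep_key", ""), t.get("wep_key_format"), bits):
            problems.append("wep-key-length-or-format")
        if t.get("wep_key_index") not in (1, 2, 3, 4):
            problems.append("wep-key-index")

    if mode == "WPA1+WPA2":
        if t.get("wpa_encryption") not in ("TKIP", "AES"):
            problems.append("wpa-encryption-not-chosen")
        mgmt = set(t.get("key_mgmt", ()))
        if not mgmt or mgmt - KEY_MGMT:
            problems.append("key-mgmt-invalid")
        if "PSK" in mgmt:
            # With Pre-Shared Key enabled, neither CCKM nor 802.1X is allowed.
            if len(mgmt) > 1:
                problems.append("psk-excludes-cckm-and-802.1x")
            if not psk_fits(t.get("psk", ""), t.get("psk_format")):
                problems.append("psk-missing-or-wrong-length")

    # CKIP can be configured only when Aironet IE is enabled on the WLAN.
    if mode == "CKIP" and not t.get("aironet_ie", False):
        problems.append("ckip-needs-aironet-ie")
    return problems


# Constructed sample templates (keys and values are illustrative only).
PSK_MIXED = {"layer2": "WPA1+WPA2", "wpa_encryption": "AES",
             "key_mgmt": ["PSK", "CCKM"], "psk": "short", "psk_format": "ASCII"}
WEP_BAD_INDEX = {"layer2": "Static WEP", "wep_key_size": "104/128",
                 "wep_key": "0123456789abc", "wep_key_format": "ASCII",
                 "wep_key_index": 5}

if __name__ == "__main__":
    for name, tpl in (("PSK_MIXED", PSK_MIXED), ("WEP_BAD_INDEX", WEP_BAD_INDEX)):
        print(name, check_layer2(tpl))
```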
Layer 3
When you choose the Layer 3 tab, the window shown in Figure 10-7 appears.
Figure 10-7 Layer 3 Window
Step 1 Use the Layer 3 security drop-down menu to choose between None and VPN Pass Through. The window parameters change according to the selection you make. If you choose VPN pass through, you must enter the VPN gateway address.
Step 2 Check the Web Policy check box if you want to select policies like authentication, passthrough, or conditional web redirect.
Step 3 Click Save.
AAA Servers
When you choose the AAA Servers tab, the window shown in Figure 10-8 appears.
Figure 10-8 AAA Servers Window
Step 4 Use the drop-down menus in the RADIUS and LDAP servers section to choose authentication and accounting servers. This selects the default RADIUS server for the specified WLAN and overrides the RADIUS server that is configured for the network. If all three RADIUS servers are configured for a particular WLAN, server 1 has the highest priority and so on. If no LDAP servers are chosen here, WCS uses the default LDAP server order from the database.
Step 5 Click the Local EAP Authentication check box if you have an EAP profile already configured that you want to enable. Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down.
Step 6 When AAA Override is enabled, and a client has conflicting AAA and controller WLAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system moves clients from the default Cisco WLAN Solution to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system also uses QoS, DSCP, 802.1p priority tag values, and ACL provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as identity networking.)
For instance, if the corporate WLAN primarily uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.
When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is only performed by the AAA server if the controller WLANs do not contain any client-specific authentication parameters.
The AAA override values may come from a RADIUS server, for example.
Step 7 Click Save.
QoS
When you select the QoS tab from the WLAN Template window, the window as shown in Figure 10-9 appears.
Figure 10-9 QoS Window
Step 1 Use the QoS drop-down menu to choose Platinum (voice), Gold (video), Silver (best effort), or Bronze (background). Services such as VoIP should be set to gold while non-discriminating services such as text messaging can be set to bronze.
Step 2 Use the WMM Policy drop-down menu to choose Disabled, Allowed (so clients can communicate with the WLAN), or Required to make it mandatory for clients to have WMM enabled for communication.
Step 3 Click the 7920 AP CAC check box if you want to enable support on Cisco 7920 phones.
Step 4 If you want WLAN to support older versions of the software on 7920 phones, click to enable the 7920 Client CAC check box. The CAC limit is set on the access point for newer versions of software.
Step 5 Click Save.
Advanced
When you click the Advanced tab on the WLAN Template window, the window shown in Figure 10-10 appears.
Figure 10-10 Advanced Window
Step 1 Click the check box if you want to enable Hybrid REAP local switching. For more information on Hybrid REAP, see “Configuring Hybrid REAP” section on page 12-4. If you enable it, the hybrid-REAP access point handles client authentication and switches client data packets locally.
H-REAP local switching is only applicable to the Cisco 1130/1240/1250 series access points. It is not supported with L2TP, PPTP, CRANITE, and FORTRESS authentications, and it is not applicable to WLAN IDs 9-16.
Step 2 At the Session Timeout parameter, set the maximum time a client session can continue before requiring reauthorization.
Step 3 Check the Aironet IE check box if you want to enable support for Aironet information elements (IEs) for this WLAN. If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.
Step 4 Click if you want to enable IPv6.
Note: Layer 3 security must be set to None for this to be enabled.
Step 5 A list of defined access control lists (ACLs) is provided at the Override Interface ACL drop-down menu. Upon choosing an ACL from the list, the WLAN associates the ACL to the WLAN. Selecting an ACL is optional, and the default for this parameter is None.
Step 6 Click the check box if you want to enable automatic client exclusion. If you enable client exclusion, you must also set the Timeout Value in seconds for disabled client machines. Client machines are excluded by MAC address and their status can be observed. A timeout setting of 0 indicates that administrative control is required to re-enable the client.
Note: When session timeout is not set, it implies that an excluded client remains and does not time out from the excluded state. It does not imply that the exclusion feature is disabled.
Step 7 When you click the check box to override DHCP server, another parameter appears where you can enter the IP address of your DHCP server. For some WLAN configurations, this is required. Three valid configurations are as follows:
• DHCP Required and a valid DHCP server IP address - All WLAN clients obtain an IP address from the DHCP server.
• DHCP is not required and a valid DHCP server IP address - All WLAN clients obtain an IP address from the DHCP server or use a static IP address.
• DHCP not required and DHCP server IP address 0.0.0.0 - All WLAN clients are forced to use a static IP address. All DHCP requests are dropped.
An invalid combination is clicking to require DHCP address assignment and entering a DHCP server IP address.
Step 8 If the MFP Signature Generation check box is checked, it enables signature generation for the 802.11 management frames transmitted by an access point associated with this WLAN. Signature generation makes sure that changes to the transmitted management frames by an intruder are detected and reported.
Step 9 At the MFP Client Protection drop-down menu, choose Optional, Disabled, or Required for configuration of individual WLANs of a controller. If infrastructure MFP is not enabled, this drop-down menu is unavailable.
Note: Client-side MFP is only available for those WLANs configured to support CCXv5 (or later) clients, and WPA2 must first be configured.
Step 10 Click Save.
Configuring a File Encryption Template
This page enables you to add a new file encryption template or make modifications to an existing file encryption template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > File Encryption.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The File Encryption Template appears (see Figure 10-11).
Figure 10-11 File Encryption Template
Step 4 Check if you want to enable file encryption.
Step 5 Enter an encryption key text string of exactly 16 ASCII characters.
Step 6 Retype the encryption key.
Step 7 Click Save.
Configuring a RADIUS Authentication Template
This page allows you to add a template for RADIUS authentication server information or make modifications to an existing template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.
Step 1 Choose Configure > Controller Templates.
Step 2 On the left sidebar menu, choose Security > RADIUS Authentication Servers.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select the template in the Template Name column. The RADIUS Authentication Server Template window appears (see Figure 10-12), and the number of controllers the template is applied to automatically populates. The IP address of the RADIUS server and the port number for the interface protocol are also displayed.
Figure 10-12 RADIUS Authentication Server Template
Step 4 Use the drop-down menu to choose either ASCII or hex shared secret format.
Step 5 Enter the RADIUS shared secret used by your specified server.
Step 6 Click if you want to enable key wrap. If this option is enabled, the authentication request is sent to RADIUS servers that have key encryption key (KEK) and message authenticator code keys (MACK) configured. Also, when enabled, the parameters below appear:
• Shared Secret Format: Determine whether ASCII or hexadecimal.
• KEK Shared Secret: Enter KEK shared secret.
• MACK Shared Secret: Enter MACK shared secret.
Note
Each time the controller is notified with the shared secret, the existing shared secret is overwritten with the new shared secret.
Step 7 Click if you want to enable administration privileges.
Step 8 Click if you want to enable support for RFC 3576. RFC 3576 is an extension to the Remote Authentication Dial In User Service (RADIUS) protocol. It allows dynamic changes to a user session and includes support for disconnecting users and changing authorizations applicable to a user session. With these authorizations, support is provided for Disconnect and Change-of-Authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.
Step 9 Click if you want to enable network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.
Step 10 Click if you want to enable management authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the management user.
Step 11 Specify the time in seconds after which the RADIUS authentication request times out and a retransmission is attempted by the controller. You can specify a value between 2 and 30 seconds.
Step 12 If you click to enable the IP security mechanism, additional IP security parameters are added to the window, and Steps 13 to 19 are required. If you disable it, click Save and skip Steps 13 to 19.
Step 13 Use the drop-down menu to choose which IP security authentication protocol to use. The options are HMAC-SHA1, HMAC-MD5, and None.
Message Authentication Codes (MAC) are used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is a mechanism based on cryptographic hash functions and can be used in combination with any iterated cryptographic hash function. HMAC-MD5 and HMAC-SHA1 are two constructs of the HMAC using the MD5 hash function and the SHA1 hash function. HMAC also uses a secret key for calculation and verification of the message authentication values.
Step 14 Set the IP security encryption mechanism to use. Options are as follows:
• DES—Data Encryption Standard is a method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
• Triple DES—Data Encryption Standard that applies three keys in succession.
• AES 128 CBC—Advanced Encryption Standard uses keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path in Cipher Block Chaining (CBC) mode.
• None—No IP security encryption mechanism.
Step 15 The IKE authentication is not an editable field. Internet Key Exchange protocol (IKE) is used as a method of distributing the session keys (encryption and authentication), as well as providing a way for the VPN endpoints to agree on how data should be protected. IKE keeps track of connections by assigning a bundle of security associations (SAs) to each connection.
Step 16 Use the IKE phase 1 drop-down menu to choose either aggressive or main. This sets the internet key exchange protocol (IKE). IKE phase 1 is used to negotiate how IKE should be protected. Aggressive mode passes more information in fewer packets, with the benefit of a slightly faster connection, at the cost of transmitting the identities of the security gateways in the clear.
Step 17 At the Lifetime parameter, set the timeout interval (in seconds) when the session expires.
Step 18 Set the IKE Diffie-Hellman group. The options are group 1 (768 bits), group 2 (1024 bits), or group 5 (1536 bits). Diffie-Hellman techniques allow two devices to exchange values publicly and still generate the same symmetric key.
Although all three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1 and Group 2 based keys might occur slightly faster because of their smaller prime number size.
Step 19 Click Save.
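The HMAC construction described under the IP security authentication protocol step, written out for the two hash functions the template offers (HMAC-MD5 and HMAC-SHA1). This is an added illustration using Python's standard library, not controller or WCS code; the key, the payload and the function names are constructed for the example.

```python
import hashlib
import hmac


def hmac_by_hand(key, message, hash_name):
    """Compute HMAC as defined in RFC 2104:
    H((K' xor opad) || H((K' xor ipad) || message))."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()  # over-long keys are hashed first
    key = key.ljust(block_size, b"\x00")            # then zero-padded to one block
    inner_pad = bytes(b ^ 0x36 for b in key)
    outer_pad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, inner_pad + message).digest()
    return hashlib.new(hash_name, outer_pad + inner).digest()


def verify(key, message, tag, hash_name):
    """Receiver side: recompute the tag with the shared key (standard
    library implementation) and compare in constant time."""
    expected = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(expected, tag)


# Constructed sample values, not taken from any real deployment.
SHARED_KEY = b"constructed-sample-key"
PACKET = b"constructed sample payload"


def demo():
    """Tag one payload with both constructs and show what the receiver accepts."""
    results = {}
    for name in ("md5", "sha1"):
        tag = hmac_by_hand(SHARED_KEY, PACKET, name)
        results[name] = {
            "tag_bytes": len(tag),
            "matches_stdlib": tag == hmac.new(SHARED_KEY, PACKET, name).digest(),
            "accepts_original": verify(SHARED_KEY, PACKET, tag, name),
            # A single changed byte or a different key must be rejected.
            "accepts_modified": verify(SHARED_KEY, PACKET + b"!", tag, name),
            "accepts_wrong_key": verify(b"other key", PACKET, tag, name),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With the authentication protocol set to None, no such tag is computed, so the receiver has nothing to compare against and a modified payload is not detected by this mechanism.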
Configuring a RADIUS Accounting Template
This page allows you to add a new template for RADIUS accounting server information or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > RADIUS Acct Servers.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The RADIUS Accounting Template appears (see Figure 10-13), and the number of controllers the template is applied to automatically populates. The IP address of the RADIUS server and the port number for the interface protocols are also displayed.
Figure 10-13 RADIUS Accounting Server Templates
Step 4 Use the Shared Secret Format drop-down menu to choose either ASCII or hexadecimal.
Step 5 Enter the RADIUS shared secret used by your specified server.
Step 6 Retype the shared secret.
Step 7 Click if you want to establish administrative privileges for the server.
Step 8 Click if you want to enable the network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.
Step 9 Specify the time in seconds after which the RADIUS authentication request will time out and a retransmission by the controller will occur. You can specify a value between 2 and 30 seconds.
Step 10 Click Save.
Configuring a LDAP Server Template
This section explains how to configure a Lightweight Directory Access Protocol (LDAP) server as a backend database, similar to a RADIUS or local user database. An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user. For example, local EAP may use an LDAP server as its backend database to retrieve user credentials. This page allows you to add a new template for an LDAP server or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > LDAP Servers.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The LDAP Server Template appears (see Figure 10-14). The IP address of the LDAP server and the port number for the interface protocols are displayed.
Figure 10-14 LDAP Server Template
Step 4 In the Server User Base DN field, enter the distinguished name of the subtree in the LDAP server that contains a list of all the users.
Step 5 In the Server User Attribute field, enter the attribute that contains the username in the LDAP server.
Step 6 In the Server User Type field, enter the ObjectType attribute that identifies the user.
Step 7 If you are adding a new server, choose Secure from the Use TLS for Sessions to Server drop-down menu if you want all LDAP transactions to use a secure TLS tunnel. Otherwise, choose none.
Step 8 In the Retransmit Timeout field, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
Step 9 Check the Admin Status check box if you want the LDAP server to have administrative privileges.
Step 10 Click Save.
Configuring a TACACS+ Server Template
This page allows you to add a new TACACS+ server template or make modifications to an existing template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.
Step 1 Choose Configure > Controller Templates.
Step 2 On the left sidebar menu, choose Security > TACACS+ Server.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a user in the Template Name column. The TACACS+ Server Template appears (see Figure 10-15). The IP address and the port number of the TACACS+ template are displayed.
Figure 10-15 TACACS+ Server Template
Step 4 Select the server type. The choices are authentication, authorization, or accounting.
Step 5 Use the drop-down menu to choose either ASCII or hex shared secret format.
Step 6 Enter the TACACS+ shared secret used by your specified server.
Step 7 Re-enter the shared secret in the Confirm Shared Secret field.
Step 8 Check the Admin Status check box if you want the TACACS+ server to have administrative privileges.
Step 9 Specify the time in seconds after which the TACACS+ authentication request times out and a retransmission is attempted by the controller.
Step 10 Click Save.
Configuring a Network Access Control Template
This page allows you to add a new template for network access control or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > Network Access Control.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Network Access Control Template appears (see Figure 10-16). The IP address and port number for the interface protocols are displayed.
Figure 10-16 Network Access Control Template
Step 4 Enter the shared secret used by your specified server.
Step 5 Re-enter the shared secret in the Confirm Shared Secret field.
Step 6 Check the Admin Status check box if you want the server to have administrative privileges.
Step 7 Click Save.
Configuring a Local EAP General Template
This page allows you to specify a timeout value for local EAP. You can then add a template with this timeout value or make changes to an existing template.
Note
If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > Local EAP General.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Local EAP General Template appears (see Figure 10-17).
Figure 10-17 Local EAP General Template
Step 4 In the Local Auth Active Timeout field, enter the amount of time (in seconds) that the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fail. The valid range is 1 to 3600 seconds, and the default setting is 1000 seconds.
Step 5 Click Save.
Configuring a Local EAP Profile Template
This page allows you to add a new template for the local EAP profile or make modifications to an existing template. Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, thereby removing dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users.
Note
The LDAP backend database supports only these local EAP methods: EAP-TLS and EAP-FAST with certificates. LEAP and EAP-FAST with PACs are not supported for use with the LDAP backend database.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > Local EAP Profiles.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Local EAP Profiles Template appears (see Figure 10-18).
Figure 10-18 Local EAP Profiles Template
Step 4 Each EAP profile must be associated with an authentication type(s). Choose the desired authentication type from the choices below:
• LEAP — This authentication type leverages Cisco Key Integrity Protocol (CKIP) and MMH message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point.
• EAP-FAST — This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1x EAP mutual authentication. A username, password, and PAC (protected access credential) are used to perform mutual authentication with the RADIUS server through the access point.
• TLS — This authentication type uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. It requires a client certificate for authentication.
Step 5 Use the Certificate Issues drop-down menu to determine whether Cisco or another vendor issued the certificate for authentication. Only EAP-FAST and TLS require a certificate.
Step 6 If you want the incoming certificate from the client to be validated against the certificate authority (CA) certificates on the controller, check the Check Against CA Certificates check box.
Step 7 If you want the common name (CN) in the incoming certificate to be validated against the CA certificates’ CN on the controller, check the Verify Certificate CN Identity check box.
Step 8 If you want the controller to verify that the incoming device certificate is still valid and has not expired, check the Check Against Date Validity check box.
Step 9 If you want the device certificate on the controller to be used for authentication, check the Local Certificate Required check box. This certification is applicable only to EAP-FAST.
Step 10 If you want the wireless clients to send their device certificates to the controller in order to authenticate, check the Client Certificate Required check box. This certification is only applicable to EAP-FAST.
Step 11 Click Save.
Step 12 Follow these steps to enable local EAP on a WLAN:
a. Choose WLAN > WLANs from the left sidebar menu.
b. Click the profile name of the desired WLAN.
c. Click the Security > AAA Servers tab to access the AAA Servers page.
d. Check the Local EAP Authentication check box to enable local EAP for this WLAN.
Step 13 Click Save.
Configuring an EAP-FAST Template
This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1x EAP mutual authentication. A username, password, and PAC are used to perform mutual authentication with the RADIUS server through the access point.
This page allows you to add a new template for the EAP-FAST profile or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > EAP-FAST Parameters.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The EAP-FAST Parameters Template appears (see Figure 10-19).
Figure 10-19 EAP-FAST Parameters Template
Step 4 In the Time to Live for the PAC field, enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.
Step 5 In the Authority ID field, enter the authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even number of characters.
Step 6 In the Authority ID field, enter the ID for the authority identifier of the local EAP-FAST server.
Step 7 In the Authority Info field, enter the authority identifier of the local EAP-FAST server in text format.
Step 8 In the Server Key and Confirm Server Key fields, enter the key (in hexadecimal characters) used to encrypt and decrypt PACs.
Step 9 If a local certificate is required, click the check box.
Step 10 If a client certificate is required, click the check box.
Step 11 If an anonymous provision is required, click the check box.
Step 12 If you want to enable anonymous provisioning, check the Client Authentication Provision check box. This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If you disable this feature, PACs must be manually provisioned.
Step 13 Click Save.
Configuring Network User Credential Retrieval Priority Templates
You can specify the order that LDAP and local databases use to retrieve user credential information. This page allows you to add a new template for the network user credential retrieval priority or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > Network Users Priority.
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Network User Credential Retrieval Priority Template appears (see Figure 10-20).
Figure 10-20 Network User Credential Retrieval Priority Order Template
Step 3 Use the left and right pointing arrows to include or exclude network user credentials in the right-most window.
Step 4 Use the up and down buttons to determine the order credentials are tried.
Step 5 Click Save.
Configuring a Local Network Users Template
With this template, you can store the credentials (username and password) of all the local network users. These credentials are then used to authenticate the users. For example, local EAP may use the local user database as its backend database to retrieve user credentials. This page allows you to add a new local authentication template or make modifications to an existing template. You must create a local net user and define a password when logging in as a web authentication client.
Step 1 Choose Configure > Controller Templates.
Step 2 On the left sidebar menu, choose Security > Local Net Users.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a user in the User Name column. The Local Net Users Template appears (see Figure 10-21).
Figure 10-21 Local Net Users Template
Step 4 If you keep Import from File enabled, you need to enter a file path or click the Browse button to navigate to the file path. Then continue to Step 8. If you disable the import, continue to Step 5.
Note
You can only import a .csv file. Any other file formats are not supported. See Figure 10-22 for CSV file format examples.
The first row in the file is the header. The data in the header is not read by the Cisco WCS. The header can either be blank or filled. The Cisco WCS reads data from the second row onwards. It is mandatory to fill the Username and Password fields in all the rows.
Figure 10-22 CSV File Format
Username | Password | Description (header row)
Terry | 123 | Testing
Robin | phantom | Engineering
Lynn | 54639 | Sales
Figure callouts: Header, Username field, Password field.
Step 5 Enter a username and password.
Step 6 Use the drop-down menu to choose the SSID which this local user is applied to or choose the any SSID option.
Step 7 Enter a user-defined description of this interface. Skip to Step 9.
Step 8 If you want to override the existing template parameter, click to enable this parameter.
Step 9 Click Save.
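A pre-import check for the local net users CSV described in Step 4, as an added example that is not part of the Cisco guide or of WCS. It assumes the column order shown in Figure 10-22 (Username, Password, Description); the function name, the duplicate-username check and the sample rows are constructed for illustration.

```python
import csv
import io

# Column positions assumed from Figure 10-22: Username, Password, Description.
USERNAME_COL, PASSWORD_COL = 0, 1


def lint_local_net_users_csv(text):
    """Return a list of (row_number, message) problems in a local net users CSV.

    Row 1 is the header, which WCS does not read, so it is skipped here as
    well whether it is blank or filled. Every later row must carry a Username
    and a Password. Messages never echo a password, so the report can be
    shared without exposing the credentials held in the file."""
    problems = []
    first_seen = {}  # username -> row number of its first occurrence
    reader = csv.reader(io.StringIO(text, newline=""))
    for row_no, row in enumerate(reader, start=1):
        if row_no == 1:
            continue  # header row is never validated
        username = row[USERNAME_COL].strip() if len(row) > USERNAME_COL else ""
        password = row[PASSWORD_COL].strip() if len(row) > PASSWORD_COL else ""
        if not username:
            problems.append((row_no, "Username is mandatory"))
        if not password:
            problems.append((row_no, "Password is mandatory"))
        if username:
            # Added check (an assumption, not a rule stated in the guide):
            # a repeated username usually means a copy/paste error.
            if username in first_seen:
                problems.append(
                    (row_no, f"duplicate Username, first seen on row {first_seen[username]}")
                )
            else:
                first_seen[username] = row_no
    return problems


# Constructed sample input, modelled on Figure 10-22 with three faulty rows.
SAMPLE = (
    "Username,Password,Description\n"   # row 1: header, ignored
    "Terry,123,Testing\n"               # row 2: valid
    "Robin,,Engineering\n"              # row 3: Password missing
    ",54639,Sales\n"                    # row 4: Username missing
    "Terry,phantom,Duplicate entry\n"   # row 5: Username repeated
)

if __name__ == "__main__":
    for row_no, message in lint_local_net_users_csv(SAMPLE):
        print(f"row {row_no}: {message}")
```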
Configuring Guest User Templates
This page allows you to create a new template for guest user information or make modifications to an existing template. The purpose of a guest user account is to provide a user account for a limited amount of time. A Lobby Ambassador is able to configure a specific time frame for the guest user account to be active. After the specified time period, the guest user account automatically expires. Refer to the “Creating Guest User Accounts” section on page 7-9 for further information on guest access.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > Guest Users.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a user in the User Name column. The Guest User Template window appears (see Figure 10-23).
Figure 10-23 Guest User Template
Step 4 Enter a guest name. Maximum size is 24 characters.
Step 5 Click the Generate Password check box if you want a password automatically generated. The Password and Confirm Password parameters are automatically populated. If automatic generation is not enabled, you must supply a password twice.
Step 6 From the SSID drop-down list, choose which SSID this guest user applies to. Only those WLANs for which web security is enabled are listed. The SSID must be a WLAN that has Layer 3 web authentication policy configured.
Step 7 Enter a description of the guest user account.
Step 8 If you are adding a new user, enter the amount of time (in seconds) that the guest user account is to remain active in the Lifetime field.
Step 9 Click Save.
Configuring a User Login Policies Template
This page allows you to add a new user login policies template or make modifications to an existing template. On this template you set the maximum number of concurrent logins that each single user can have.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > User Login Policies.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a user login policy in the Template Name column. The User Login Policies Template window appears (see Figure 10-24).
Figure 10-24 User Login Policies Template
Step 4 You can adjust the maximum number of concurrent logins each single user can have.
Step 5 Click Save to keep this template.
Configuring a MAC Filter Template
This page allows you to add a new MAC filter template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > MAC Filtering.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a MAC address in the MAC Address column. The MAC Filter Templates window appears (see Figure 10-25).
Figure 10-25 MAC Filter Templates
Step 4 If you keep Import From File enabled, you need to enter a file path or click the Browse button to navigate to the file path. Skip to Step 9. If you disable Import from File, continue to Step 5.
The client MAC address appears.
Step 5 Choose the SSID which this MAC filter is applied to or choose the any SSID option.
Step 6 Use the drop-down menu to choose from the available interface names.
Step 7 Enter a user-defined description of this interface. Skip to Step 9.
Step 8 If you want to override the existing template parameter, click to enable this parameter.
Step 9 Click Save.
Configuring an Access Point Authorization
Follow these steps to add an access point authorization template or make changes to an existing template. These templates are devised for Cisco 11xx/12xx series access points converted from IOS to LWAPP or for 1030 access points connecting in bridge mode.
Step 1 Choose Configure > Controller Templates.
Step 2 From the Security selections in the left sidebar menu, choose AP authorization.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click a MAC address in the AP Base Radio MAC column. The AP Authorization Template appears (see Figure 10-26), and the number of controllers the template is applied to automatically populates.
Figure 10-26 AP Authorization Templates
Step 4 Select the Import from File check box if you want to import a file containing access point MAC addresses.
Note
You can only import a .csv file. Any other file formats are not supported.
Step 5 Enter the file path from where you want to import the file.
Step 6 Click Save.
Configuring a Manually Disabled Client Template
This page allows you to add a new manually disabled client template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > Disabled Clients.
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a disabled client in the Template Name column. The Manually Disabled Clients Template window appears (see Figure 10-27).
Figure 10-27 Manually Disabled Clients Template
Step 3 Enter the MAC address of the client you want to disable.
Step 4 Enter a description of the client you are setting to disabled.
Step 5 Click Save.
Configuring a CPU Access Control List (ACL) Template
A CPU ACL is used to set traffic controls between the central processing unit (CPU) and network processing unit (NPU). Follow these steps to add a CPU ACL template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 Choose Security > CPU Access Control List in the left sidebar menu.
Step 3 If you want to create a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name in the ACL Name column. The CPU Access Control List Template appears (see Figure 10-28).
Figure 10-28 CPU Access Control List Template
Step 4 If you click the check box to enable CPU ACL, two more parameters appear. When CPU ACL is enabled and applied on the controller, WCS displays the details of the CPU ACL against that controller.
Step 5 From the ACL Name drop-down menu, choose a name from the list of defined names.
Step 6 From the CPU ACL Mode drop-down menu, choose which data traffic direction this CPU ACL list controls. The choices are the wired side of the data traffic, the wireless side of the data traffic, or both wired and wireless.
Step 7 Click Save.
Configuring a Rogue Policies Template
This window enables you to configure the rogue policy (for access points and clients) applied to the controller. Follow these steps to add a rogue policy template or modify an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > Rogue Policies.
Step 3 If you want to create a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name in the Template Name column. The Rogue Policy Setup Template appears (see Figure 10-29).
Figure 10-29 Rogue Policy Setup Template
Step 4 Check the Rogue Location Discovery Protocol to enable the discovery of rogue access points.
Step 5 Set the timeout (in seconds) for rogue access point entries.
Step 6 Check the Validate rogue clients against AAA check box to enable the AAA validation of rogue clients.
Step 7 Check the Detect and report Adhoc networks check box to enable detection and reporting of rogue clients participating in adhoc networking.
Step 8 Click Save.
Configuring a Trusted AP Policies Template
Follow these steps to add a trusted AP policy template or modify an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > Trusted AP Policies.
Step 3 If you want to create a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name in the Template Name column. The Trusted AP Policies Template appears (see Figure 10-30).
Figure 10-30 Trusted AP Policies Template
Step 4 Use the drop-down menu to choose which action to take with misconfigured access points. The choices are alarm only or contain.
Step 5 At the Enforced Encryption Policy drop-down menu, choose between none, open, WEP, and WPA.802.11i.
Step 6 At the Rogue Enforced Preamble Policy, choose none, short, or long.
Step 7 Check the Validate SSID check box to enable SSID validation.
Step 8 Check if you want to be alerted when the trusted access point is missing.
Step 9 Determine an expiration timeout for trusted access point entries. The range is from 120 to 3600 seconds.
Step 10 Click Save.
Configuring a Client Exclusion Policies Template
Follow these steps to add a client exclusion policies template or modify an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 Choose Security > Client Exclusion Policies in the left sidebar menu. If you want to create a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name in the Template Name column. The Client Exclusion Policies Template appears (see Figure 10-31).
Figure 10-31 Client Exclusion Policies Template
Step 3 To edit an existing client exclusion policies template, click its name in the Template Name column to go to the Client Exclusion Policies Template window. Create or edit a client exclusion policies template by configuring its parameters.
Table 10-2 Client Exclusion Policies Template Parameters
Parameter                                       Description
Template Name                                   Enter a name for the client exclusion policy.
Excessive 802.11 Association Failures           Enable to exclude clients with excessive 802.11 association failures.
Excessive 802.11 Authentication Failures        Enable to exclude clients with excessive 802.11 authentication failures.
Excessive 802.1X Authentication Failures        Enable to exclude clients with excessive 802.1X authentication failures.
External Policy Server Failures                 Enable to exclude clients with excessive external policy server failures.
Excessive 802.11 Web Authentication Failures    Enable to exclude clients with excessive 802.11 web authentication failures.
IP Theft or Reuse                               Enable to exclude clients exhibiting IP theft or reuse symptoms.
Step 4 Click Save.
Configuring an Access Point Authentication and MFP Template
Management frame protection (MFP) provides for the authentication of 802.11 management frames by the wireless network infrastructure. Management frames can be protected in order to detect adversaries who are invoking denial of service attacks, flooding the network with associations and probes, interjecting as rogue access points, and affecting the network performance by attacking the QoS and radio measurement frames.
When enabled, the access point protects the management frames it transmits by adding a message integrity check information element (MIC IE) to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving access point configured to detect MFP frames to report the discrepancy. An access point must be a member of a WDS to transmit MFP frames.
When MFP detection is enabled, the access point validates every management frame that it receives from other access points in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the discrepancy to the network management system.
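The transmit and detect sides described above, as an added Python example that is not Cisco's implementation. The MIC construction (truncated HMAC-SHA256), the IE layout, the timestamp-based replay check and all names are assumptions chosen for illustration; the frame bytes and BSSIDs in any run are constructed.

```python
import hashlib
import hmac
import struct

MIC_IE_ID = 0xDD          # hypothetical element ID for the MIC IE
MIC_LEN = 8               # hypothetical truncated MIC length in bytes
STAMP_LEN = 8             # 64-bit millisecond timestamp carried in the IE (assumption)
REPLAY_WINDOW_MS = 1000   # hypothetical freshness window


def protect(bssid: bytes, body: bytes, key: bytes, ts_ms: int) -> bytes:
    """Transmitter side: append a MIC IE covering BSSID, frame body and timestamp."""
    stamp = struct.pack(">Q", ts_ms)
    mic = hmac.new(key, bssid + body + stamp, hashlib.sha256).digest()[:MIC_LEN]
    return body + bytes([MIC_IE_ID, STAMP_LEN + MIC_LEN]) + stamp + mic


class MfpDetector:
    """Detection side: validates frames heard from other access points."""

    def __init__(self, key, mfp_bssids):
        self.key = key
        self.mfp_bssids = set(mfp_bssids)   # APs configured to transmit MFP frames
        self.last_ts = {}                   # newest timestamp accepted per BSSID
        self.reports = []                   # discrepancies for the management system

    def check(self, bssid, frame, now_ms):
        if bssid not in self.mfp_bssids:
            return "not-protected"          # originator is not expected to send a MIC IE
        verdict = self._verify(bssid, frame, now_ms)
        if verdict != "valid":
            self.reports.append((bssid.hex(":"), verdict))
        return verdict

    def _verify(self, bssid, frame, now_ms):
        ie_len = 2 + STAMP_LEN + MIC_LEN
        if (len(frame) < ie_len or frame[-ie_len] != MIC_IE_ID
                or frame[-ie_len + 1] != STAMP_LEN + MIC_LEN):
            return "missing-mic"            # e.g. a rogue AP reusing a protected BSSID
        body = frame[:-ie_len]
        stamp = frame[-ie_len + 2:-MIC_LEN]
        mic = frame[-MIC_LEN:]
        expected = hmac.new(self.key, bssid + body + stamp, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return "invalid-mic"            # frame content was altered
        ts = struct.unpack(">Q", stamp)[0]
        if ts <= self.last_ts.get(bssid, -1) or abs(now_ms - ts) > REPLAY_WINDOW_MS:
            return "replay"                 # a copied frame sent again
        self.last_ts[bssid] = ts
        return "valid"


if __name__ == "__main__":
    key = b"constructed-demo-key"                   # constructed sample key
    ap = bytes.fromhex("001122334455")              # constructed BSSID
    det = MfpDetector(key, [ap])
    beacon = protect(ap, b"beacon:ssid=corp", key, 5000)
    print(det.check(ap, beacon, 5010))              # genuine frame
    print(det.check(ap, beacon, 5020))              # same frame seen again
    print(det.check(ap, b"beacon:ssid=corp", 5030)) # no MIC IE at all
    print(det.reports)
```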
Follow these steps to add a new template for the access point authentication and management frame protection (MFP) or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, select Security > AP Authentication and MFP.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a MAC address in the AP Base Radio MAC column. The AP Authentication Policy Template appears (see Figure 10-32), and the number of controllers the template is applied to automatically populates.
Figure 10-32 AP Authentication Policy Template
Step 4 From the Protection Type drop-down menu, choose one of the following authentication policies:
• None: No access point authentication policy.
• AP Authentication: Apply authentication policy.
• MFP: Apply management frame protection.
Step 5 Check to enable AP neighbor authentication. With this feature enabled, the access points sending RRM neighbor packets with different RF network names are reported as rogues.
Step 6 Alarm trigger threshold appears only when AP authentication is selected as a protection type. Set the number of hits to be ignored from an alien access point before raising an alarm. The valid range is from 1 to 255. The default value is 255.
Step 7 Click Save.
Configuring a Web Authentication Template
With web authentication, guests are automatically redirected to a web authentication page when they launch their browsers. Guests gain access to the WLAN through this web portal. Wireless LAN administrators using this authentication mechanism should have the option of providing unencrypted or encrypted guest access. Guest users can then log into the wireless network using a valid username and password, which is encrypted with SSL. Web authentication accounts may be created locally or managed by a RADIUS server. The Cisco Wireless LAN controllers can be configured to support a web authentication client. You can use this template to replace the Web authentication page provided on the controller.
Follow these steps to add a web authentication template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Security > Web Auth Configuration.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Web Authentication Configuration Template window appears (see Figure 10-33), and the number of controllers the template is applied to automatically populates.
Figure 10-33 Web Authentication Configuration Template
Step 4 Choose the appropriate web authentication type from the drop-down menu. The choices are default internal, customized web authentication, or external.
• If you choose default internal, you can still alter the page title, message, and redirect URL, as well as whether the logo displays. Continue to Step 5.
• If you choose customized web authentication, click Save and apply this template to the controller. You are prompted to download the web authentication bundle.
Note
Before you can choose customized web authentication, you must first download the bundle by going to Config > Controller, choosing Download Customized Web Authentication from the Select a command drop-down menu, and clicking GO.
• If you choose external, you need to enter the URL you want to redirect to after a successful authentication. For example, if the value entered for this field is http://www.company.com, the user would be directed to the company home page.
Step 5 Click to enable Logo Display if you want your company logo displayed.
Step 6 Enter the title you want displayed on the Web authentication page.
Step 7 Enter the message you want displayed on the Web authentication page.
Step 8 Provide the URL where the user is redirected after a successful authentication. For example, if the value entered for this field is http://www.company.com, the user would be directed to the company home page.
Step 9 Click Save.
Downloading a Customized Web Authentication Page
You can download a customized Web authentication page to the controller. A customized web page is created to establish a username and password for user web access.
When downloading customized web authentication, these strict guidelines must be followed:
• A username must be provided.
• A password must be provided.
• A redirect URL must be retained as a hidden input item after extracting from the original URL.
• The action URL must be extracted and set from the original URL.
• Scripts to decode the return status code must be included.
• All paths used in the main page should be of relative type.
Before downloading, the following steps are required:
Step 1 Download the sample login.html bundle file from the server. The .html file is shown in Figure 10-34. The login page is presented to web users the first time they access the WLAN if web authentication is turned on.
Figure 10-34 Login.html
Step 2 Edit the login.html file and save it as a .tar or .zip file.
Note
You can change the text of the Submit button to read Accept terms and conditions and Submit.
Step 3 Make sure you have a Trivial File Transfer Protocol (TFTP) server available for the download. Keep these guidelines in mind when setting up a TFTP server:
• If you are downloading through the service port, the TFTP server must be on the same subnet as the service port because the service port is not routable. However, if you want to put the TFTP server on a different network while the management port is down, add a static route if the subnet where the service port resides has a gateway (config route add IP address of TFTP server).
• If you are downloading through the distribution system network port, the TFTP server can be on the same or a different subnet because the distribution system port is routable.
• A third-party TFTP server cannot run on the same computer as the Cisco WCS because WCS’s built-in TFTP server and third-party TFTP server use the same communication port.
Step 4 Download the .tar or .zip file to the controller(s).
Note
The controller allows you to download up to 1 MB of a tar file containing the pages and image files required for the Web authentication display. The 1 MB limit includes the total size of uncompressed files in the bundle.
You can now continue with the download.
Step 5 Copy the file to the default directory on your TFTP server.
Step 6 Choose Configure > Controllers.
Step 7 Choose a controller by clicking the URL for the corresponding IP address. If you select more than one IP address, the customized Web authentication page is downloaded to multiple controllers.
Step 8 From the left sidebar menu, choose System > Commands.
Step 9 From the Upload/Download Commands drop-down menu, choose Download Customized Web Auth and click GO.
Step 10 The IP address of the controller to receive the bundle and the current status are displayed (see Figure 10-35).
Figure 10-35 Download Customized Web Auth Bundle to Controller
Step 11 Choose local machine from the File is Located On parameter. If you know the filename and path relative to the server’s root directory, you can also select TFTP server.
Note
For a local machine download, either .zip or .tar file options exist, but the WCS does the conversion of .zip to .tar automatically. If you choose a TFTP server download, only .tar files would be specified.
Step 12 Enter the maximum number of times the controller should attempt to download the file in the Maximum Retries parameter.
Step 13 Enter the maximum amount of time in seconds before the controller times out while attempting to download the file in the Timeout parameter.
Step 14 The files are uploaded to the c:\tftp directory. Specify the local file name in that directory or use the Browse button to navigate to it.
Step 15 Click OK.
If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is Located On parameter, and the Server File Name will be populated for you and retried. The local machine option initiates a two-step operation. First, the local file is copied from the administrator’s workstation to WCS’s own built-in TFTP server. Then the controller retrieves that file. For later operations, the file is already in the WCS server’s TFTP directory, and the download web page now automatically populates the filename.
Step 16 Click the “Click here to download a sample tar file” link to get an option to open or save the login.tar file.
Step 17 After completing the download, you are directed to the new page and able to authenticate.
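A pre-flight check of a customized bundle against the guidelines and the 1 MB limit above, as an added Python example that is not part of the original guide or of WCS. The form field names (username, password, redirect_url), the reading of 1 MB as 1024 x 1024 bytes and the helper names are assumptions, and both sample bundles are constructed in memory.

```python
import io
import tarfile
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_BUNDLE_BYTES = 1024 * 1024  # 1 MB cap on total uncompressed size (assumed binary MB)
LOGIN_PAGE = "login.html"       # main page name, as in the sample bundle
# Assumed form field names; adjust to match the sample page you downloaded.
USER_FIELD, PASS_FIELD, REDIRECT_FIELD = "username", "password", "redirect_url"


class LoginPageAudit(HTMLParser):
    """Collects the form inputs, script presence and resource paths of the page."""

    def __init__(self):
        super().__init__()
        self.inputs = {}            # input name -> input type
        self.has_form = False
        self.has_script = False
        self.resource_paths = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.has_form = True
        elif tag == "script":
            self.has_script = True
        elif tag == "input" and a.get("name"):
            self.inputs[a["name"].lower()] = (a.get("type") or "text").lower()
        if tag in ("img", "script", "link") and (a.get("src") or a.get("href")):
            self.resource_paths.append(a.get("src") or a.get("href"))


def is_relative(ref):
    parts = urlparse(ref)
    return not parts.scheme and not parts.netloc and not ref.startswith("/")


def audit_bundle(tar_bytes):
    """Return a list of findings; an empty list means the bundle passes."""
    findings, html = [], None
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        members = tar.getmembers()
        total = sum(m.size for m in members if m.isfile())
        if total > MAX_BUNDLE_BYTES:
            findings.append(f"{total} bytes uncompressed exceeds the {MAX_BUNDLE_BYTES} byte limit")
        for m in members:
            # Archive hygiene: no absolute paths, parent traversal or links.
            if m.name.startswith("/") or ".." in m.name.split("/") or m.issym() or m.islnk():
                findings.append(f"unsafe archive member: {m.name}")
            elif m.isfile() and m.name in (LOGIN_PAGE, "./" + LOGIN_PAGE):
                html = tar.extractfile(m).read().decode("utf-8", errors="replace")
    if html is None:
        return findings + [f"{LOGIN_PAGE} not found at the bundle root"]
    page = LoginPageAudit()
    page.feed(html)
    if not page.has_form:
        findings.append("no <form> element")
    if USER_FIELD not in page.inputs:
        findings.append("username input missing")
    if page.inputs.get(PASS_FIELD) != "password":
        findings.append("password input missing or not type=password")
    if page.inputs.get(REDIRECT_FIELD) != "hidden":
        findings.append("redirect URL is not retained as a hidden input")
    if not page.has_script:
        findings.append("no script to set the action URL and decode the status code")
    findings += [f"non-relative path: {r}" for r in page.resource_paths if not is_relative(r)]
    return findings


def build_tar(files):
    """Build an uncompressed tar in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


GOOD_PAGE = b"""<html><head><script src="status.js"></script></head><body>
<form method="post">
<input type="hidden" name="redirect_url" value="">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="Accept terms and conditions and Submit">
</form><img src="logo.gif"></body></html>"""
BAD_PAGE = GOOD_PAGE.replace(b'type="hidden"', b'type="text"')
BAD_PAGE = BAD_PAGE.replace(b'src="logo.gif"', b'src="http://www.company.com/logo.gif"')
GOOD_BUNDLE = build_tar({"login.html": GOOD_PAGE, "status.js": b"// decode", "logo.gif": b"GIF89a"})
BAD_BUNDLE = build_tar({"login.html": BAD_PAGE, "big.jpg": b"\0" * (MAX_BUNDLE_BYTES + 1)})

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(label, audit_bundle(bundle) or "OK")
```

The size check sums member sizes from the tar headers, so it measures the uncompressed total the note refers to even when the bundle started life as a .zip.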
Configuring Access Control List Templates
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs can be applied to data traffic to and from wireless clients or to all traffic destined for the controller central processing unit (CPU) and can now support reusable grouped IP addresses and reusable protocols. After ACLs are configured in the template, they can be applied to the management interface, the AP-manager interface, or any of the dynamic interfaces for client data traffic; to the network processing unit (NPU) interface for traffic to the controller CPU; or to a WAN. Follow these steps to add an ACL template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 Choose Access Control > Access Control Lists in the left sidebar menu.
Step 3 If you want to create a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name in the ACL Name column. The Access Control List name appears in the window.
Step 4 To create reusable grouped IP addresses and protocols, choose Access Control > IP Groups from the left sidebar menu.
Step 5 All the IP address groups are listed. One IP address group can have a maximum of 128 IP address and netmask combinations. To define a new IP address group, choose Add IP Group from the Select a command drop-down menu and click GO. To view or modify an existing IP address group, click the URL of the IP address group. The IP address group window opens.
Note
For the IP address of any, an any group is predefined.
Step 6 To define an additional protocol that is not a standard predefined one, choose Access Control > Protocol Groups from the left sidebar menu. The protocol groups with their source and destination port and DSCP are displayed.
Step 7 To create a new protocol group, choose Add Protocol Group from the Select a command drop-down menu and click GO. To view or modify an existing protocol group, click the URL of the group. The Protocol Groups window appears.
Step 8 The rule name is provided for the existing rules, or you can now enter a name for a new rule. ACLs are not required to have rules defined. When a packet matches all the parameters of a rule, the action for this rule is exercised.
Step 9 In the Start Port parameter, enter a value (between 1 and 64) to determine the order of this rule in relation to any other rules defined for this ACL. The rules for each ACL are listed in contiguous sequence from 1 to 64. That is, if rules 1 through 4 are already defined and you add rule 29, it is added as rule 5.
Note
If you add or change a sequence number, the operating system adjusts the other rule sequence numbers to retain the contiguous sequence. For instance, if you have sequence numbers 1 through 7 defined and change number 7 to 5, the operating system automatically reassigns sequence 5 to 6 and sequence 6 to 7. Any rules generated can be edited individually and resequenced in the desired order.
Step 10 From the Source Port drop-down menu, specify the source of the packets to which this ACL applies.
Step 11 For the Destination drop-down menu, specify the destination of the packets to which this ACL applies.
Step 12 In the DSCP drop-down menu, choose any or a specific IP address. DSCP is a packet header code that can be used to define the quality of service across the Internet.
Step 13 Click Save.
Step 14 You can now create new mappings from the defined IP address groups and protocol groups. To define a new mapping, choose the ACL template to which you want to map the new groups. All ACL mappings appear on the top of the window, and all ACL rules appear on the bottom.
Step 15 To define a new mapping, choose Add Rule Mappings from the Select a command drop-down menu. The Add Rule Mapping window appears.
Step 16 Choose the desired IP address groups, protocol groups, and action and click Add. The new mappings will populate the bottom table.
Step 17 Click Save.
Step 18 You can now automatically generate rules from the rule mappings you created. Choose the mappings for which you want to generate rules and click Generate. This automatically creates the rules. These rules are generated with contiguous sequence. That is, if rules 1 through 4 are already defined and you add rule 29, it is added as rule 5.
Existing ACL templates can be duplicated into a new ACL template. This duplication clones all the ACL rules and mappings defined in the source ACL template.
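The contiguous renumbering, the generation of rules from a mapping and the effect of rule order on which action fires, as an added Python example that is not WCS code. Class and field names are hypothetical, the addresses are constructed, and evaluating rules in sequence order with the first full match winning is an assumption consistent with the sequencing described above.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import Optional

MAX_RULES = 64            # rules in one ACL are sequenced 1..64 (from the guide)
MAX_GROUP_ENTRIES = 128   # address/netmask combinations per IP group (from the guide)


@dataclass(frozen=True)
class ProtocolGroup:      # hypothetical model of a protocol group
    name: str
    protocol: str                     # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None    # None matches any destination port


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: ProtocolGroup
    action: str                       # "permit" or "deny"


class AclTemplate:
    def __init__(self, name):
        self.name = name
        self.rules = []               # list position + 1 is the sequence number

    def add_rule(self, rule, seq):
        """Insert at seq and return the sequence actually assigned (29 becomes 5 after four rules)."""
        if not 1 <= seq <= MAX_RULES:
            raise ValueError("sequence must be between 1 and 64")
        if len(self.rules) >= MAX_RULES:
            raise ValueError("ACL already holds 64 rules")
        pos = min(seq, len(self.rules) + 1)
        self.rules.insert(pos - 1, rule)
        return pos

    def move_rule(self, old_seq, new_seq):
        """Change one sequence number; the rules in between are renumbered."""
        rule = self.rules.pop(old_seq - 1)
        self.rules.insert(min(new_seq, len(self.rules) + 1) - 1, rule)

    def generate(self, src_group, dst_group, proto_group, action):
        """Expand one rule mapping into rules appended in contiguous sequence."""
        for group in (src_group, dst_group):
            if len(group) > MAX_GROUP_ENTRIES:
                raise ValueError("IP group exceeds 128 entries")
        combos = list(product(src_group, dst_group))
        if len(self.rules) + len(combos) > MAX_RULES:
            raise ValueError("mapping would exceed 64 rules")
        self.rules.extend(Rule(s, d, proto_group, action) for s, d in combos)
        return len(combos)

    def evaluate(self, src_ip, dst_ip, protocol, dst_port=None):
        """Return (seq, action) of the first rule whose parameters all match, else None."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for seq, r in enumerate(self.rules, start=1):
            if (s in r.src and d in r.dst
                    and r.proto.protocol in ("any", protocol)
                    and r.proto.dst_port in (None, dst_port)):
                return seq, r.action
        return None


def demo():
    """Block wireless clients from pinging the management interface (constructed addresses)."""
    any_group = [ipaddress.ip_network("0.0.0.0/0")]      # the predefined any group
    clients = ipaddress.ip_network("10.10.0.0/16")
    mgmt = ipaddress.ip_network("192.168.1.10/32")
    acl = AclTemplate("guest-acl")
    acl.generate(any_group, any_group, ProtocolGroup("all", "any"), "permit")  # becomes rule 1
    pos = acl.add_rule(Rule(clients, mgmt, ProtocolGroup("ping", "icmp"), "deny"), 29)
    shadowed = acl.evaluate("10.10.3.7", "192.168.1.10", "icmp")  # permit-any still wins
    acl.move_rule(pos, 1)                                         # resequence the deny first
    fixed = acl.evaluate("10.10.3.7", "192.168.1.10", "icmp")
    return pos, shadowed, fixed


if __name__ == "__main__":
    print(demo())
```

A deny rule requested at sequence 29 lands directly behind the existing rules, so it should be resequenced ahead of any broader permit rule and the resulting order reviewed before the template is applied.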
Configuring a Policy Name Template (for 802.11a or 802.11b/g)
Follow these steps to add a new policy name template for 802.11a or 802.11b/g or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose either 802.11a > Parameters or 802.11b/g > Parameters.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu. To make modifications to an existing template, click to select a policy name in the Policy Name column. The 802.11a or b/g Parameters Template window appears (see Figure 10-36), and the number of controllers the template is applied to automatically populates.
Figure 10-36 802.11a Parameters Template
Step 4 Click the check box if you want to enable 802.11a or b/g network status.
Step 5 Enter the amount of time between beacons in kilomicroseconds. The valid range is from 100 to 600 milliseconds.
Step 6 Enter the number of beacon intervals that may elapse between transmission of beacon frames containing a traffic indicator message (TIM) element whose delivery count field is 0. This value is transmitted in the DTIM period field of beacon frames. When client devices receive a beacon that contains a DTIM, they normally wake up to check for pending packets. Longer intervals between DTIMS let clients sleep longer and preserve power. Conversely, shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.
Step 7 At the Fragmentation Threshold parameter, determine the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference.
Step 8 Enter the percentage for 802.11e maximum bandwidth.
Step 9 Click if you want short preamble enabled.
Step 10 Click the Pico Cell Mode check box if you want it enabled. This feature enables automatic operating system parameter reconfiguration, allowing the operating system to function efficiently in pico cell deployments.
Step 11 Click the Fast Roaming Mode check box if you want to enable it. Enabling Cisco’s Centralized Key Management (CCKM) authentication key management allows fast exchange when a client roams from one access point to another.
Step 12 At the Dynamic Assignment drop-down menu, choose one of three modes:
• Automatic - The transmit power is periodically updated for all access points that permit this operation.
• On Demand - Transmit power is updated when the Assign Now button is selected.
• Disabled - No dynamic transmit power assignments occur, and values are set to their global default.
Step 13 Use the Tx Level drop-down menu to determine the access point’s transmit power level. The available options are as follows:
• 1 - Maximum power allowed per country code setting
• 2 - 50% power
• 3 - 25% power
• 4 - 6.25 to 12.5% power
• 5 - 0.195 to 6.25% power
Note
The power levels and available channels are defined by the country code setting and are regulated on a country by country basis.
Step 14 The Assignment Mode drop-down menu has three dynamic channel modes:
• Automatic - The channel assignment is periodically updated for all access points that permit this operation. This is also the default mode.
• On Demand - Channel assignments are updated when desired.
• OFF - No dynamic channel assignments occur, and values are set to their global default.
Step 15 At the Avoid Foreign AP Interference check box, click if you want to enable it. Enable this parameter to have RRM consider interference from foreign Cisco access points (those non-Cisco access points outside RF/mobility domain) when assigning channels. This radio resource management (RRM) parameter monitors foreign 802.11 interference. Disable this parameter to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) and load (utilization) from foreign access points, RRM may adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the foreign access points. This increases capacity and reduces variability for the Cisco Wireless LAN Solution.
Step 16 Click the Avoid Cisco AP Load check box if you want it enabled. Enable this RRM bandwidth-sensing parameter to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points. Disable this parameter to have RRM ignore this value.
In certain circumstances and with denser deployments, there may not be enough channels to properly create perfect channel re-use. In these circumstances, RRM can assign better re-use patterns to those access points that carry more traffic load.
Step 17 Click the Avoid non 802.11 Noise check box if you want to enable it. Enable this RRM noise-monitoring parameter to have access points avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Disable this parameter to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, RRM may adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources. This increases capacity and reduces variability for the Cisco Wireless LAN Solution.
Step 18 The Signal Strength Contribution check box is always enabled (not configurable). RRM constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel re-use. The net effect is an increase in Cisco Wireless LAN Solution capacity and a reduction in co-channel and adjacent channel interference.
Step 19 Data rates are negotiated between the client and the controller. If the data rate is set to Mandatory, the client must support it in order to use the network. If a data rate is set as Supported by the controller, any associated client that also supports that same rate may communicate with the access point using that rate. However, it is not required that a client be able to use all the rates marked supported in order to associate. For each rate, a pull-down selection of Mandatory or Supported is available. Each data rate can also be set to Disabled to match client settings.
Step 20 At the Channel List drop-down menu in the Noise/Interference/Rogue Monitoring Channels section, choose between all channels, country channels, or DCA channels based on the level of monitoring you want. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation amongst a set of managed devices connected to the controller.
Step 21 The CCX location measurement interval can only be changed when measurement mode is enabled to broadcast radio measurement requests. When enabled, this enhances the location accuracy of clients.
Step 22 Click Save.
Configuring High Density Templates
A method to mitigate the inter-cell contention problem in high-density networks is to adjust the access point and client station receiver sensitivity, CCA sensitivity, and transmit power parameters in a relatively cooperative manner.
By adjusting these variables, the effective cell size can be reduced, not by lowering the transmit power but by increasing the necessary received power before an access point and client consider the channel sufficiently clear for packet transfer. Follow these steps to enable high density on a template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose 802.11a > Parameters.
Step 3 In the General portion of this window, you see a Pico Cell Mode parameter. Click the check box to enable pico cell.
Note
In order for this check box to have validity, you must have software version 4.1 or later. If you have an earlier version, this check box value is ignored.
Step 4 Choose 802.11a > Pico Cell from the left sidebar menu. Click the template in the Template Name column that you want to modify or choose Add Template from the Select a command drop-down menu and click GO. The window as shown in Figure 10-37 appears.
Figure 10-37 Pico Cell Parameters Window
Note
If the Pico Cell Mode parameter is set to Disabled or V1, the Pico Cell V2 parameters are grayed out.
Note
For pico cell V2 to work with Intel 3945 clients, the QBSS feature also has to be enabled (i.e., WMM clients must be set to allowed), and fast roaming cannot be enabled.
Step 5 Go to 802.11a > Parameters and ensure that the 802.11a Network Status check box is not enabled.
Step 6 From the Pico Cell Mode drop-down menu, choose V2. By choosing V2, the parameters for access point and clients share the same values and make communication symmetrical. This selection also allows you to put in values for Rx sensitivity, CCA sensitivity, and transmit power although the defaulted minimum and maximum values represent the Cisco recommended values for most networks.
Note
You can only choose V2 if you have software version 4.1 or later.
Step 7 Set the Rx sensitivity based on the desired receiver sensitivity for 802.11a radios. The Current column shows what is currently set on the access point and clients, and the Min and Max columns show the range to which the access points and clients should adapt. Receiver signal strength values falling outside of this range are normally disregarded.
Step 8 Set the CCA sensitivity based on when the access point or client considers the channel clear enough for activity. The Current column shows what is currently set on the access point and clients, and the Min and Max columns show the range to which the access points and clients should adapt. CCA values falling outside of this range are normally disregarded.
Step 9 Click Save to save these values. Before choosing Reset to Defaults you must turn off the 802.11 network.
Configuring a Voice Parameter Template (for 802.11a or 802.11b/g)
Follow these steps to add a template for either 802.11a or 802.11b/g voice parameters, such as call admission control and traffic stream metrics, or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose either 802.11a > Voice Parameters or 802.11b/g > Voice Parameters.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The 802.11a or 802.11b/g Voice Parameters window appears (see Figure 10-38), and the number of controllers the template is applied to automatically populates.
Figure 10-38 802.11b/g Voice Parameters Template
Step 4 For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity. Click the check box to enable CAC.
Step 5 Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment. To enable load-based CAC for this radio band, check the Use Load-based AC check box.
Step 6 Enter the percentage of maximum bandwidth allowed.
Step 7 Enter the percentage of reserved roaming bandwidth.
Step 8 Click if you want to enable expedited bandwidth as an extension of CAC for emergency calls. You must have an expedited bandwidth IE that is CCXv5 compliant so that a TSPEC request is given higher priority.
Step 9 Click the check box if you want to enable metric collection. Traffic stream metrics are a series of statistics about VoIP over your wireless LAN and inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.
Step 10 Click Save.
Configuring a Video Parameter Template (for 802.11a or 802.11b/g)
Follow these steps to add a template for either 802.11a or 802.11b/g video parameters or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose either 802.11a > Video Parameters or 802.11b/g > Video Parameters.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The 802.11a or 802.11b/g Video Parameters window appears (see Figure 10-39), and the number of controllers the template is applied to automatically populates.
Figure 10-39 802.11a Video Parameters Template
Step 4 For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity. Click the check box to enable CAC.
Step 5 Enter the percentage of maximum bandwidth allowed.
Step 6 Enter the percentage of reserved roaming bandwidth.
Step 7 Click Save.
Configuring a Roaming Parameters Template (for 802.11a or 802.11b/g)
Follow these steps to add a roaming parameters template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose 802.11a > RRM Thresholds or 802.11b/g > RRM Thresholds.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name in the Template Name column. The Roaming Parameters Template appears (see Figure 10-40), and the number of controllers the template is applied to automatically populates.
Figure 10-40 802.11 Roaming Parameters Template
Step 4 Use the Mode drop-down menu to choose one of the configurable modes: default values or custom values. When the default values option is chosen, the roaming parameters are unavailable with the default values displayed in the text boxes. When the custom values option is selected, the roaming parameters can be edited in the text boxes. To edit the parameters, continue to Step 5.
Step 5 In the Minimum RSSI field, enter a value for the minimum received signal strength indicator (RSSI) required for the client to associate to an access point. If the client’s average received signal power dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.
Range: -80 to -90 dBm
Default: -85 dBm
Step 6 In the Hysteresis field, enter a value to indicate how strong the signal strength of a neighboring access point must be in order for the client to roam to it. This parameter is intended to reduce the amount of “ping ponging” between access points if the client is physically located on or near the border between two access points.
Range: 2 to 4 dB
Default: 2 dB
Step 7 In the Adaptive Scan Threshold field, enter the RSSI value, from a client’s associated access point, below which the client must be able to roam to a neighboring access point within the specified transition time. This parameter also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.
Range: -70 to -77 dB
Default: -72 dB
Step 8 In the Transition Time field, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client’s associated access point is below the scan threshold. The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.
Range: 1 to 10 seconds
Default: 5 seconds
Step 9 Click Save.
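The interaction of the Hysteresis, Adaptive Scan Threshold, and Minimum RSSI fields can be seen by replaying a signal trace through a simplified roam rule. This is an added example, not part of the Cisco guide or WCS: the roam rule, the names RoamingParams and simulate, the hysteresis-0 baseline, and the two-AP trace are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Ranges documented in the roaming parameter steps above, as (low, high).
RANGES = {
    "min_rssi": (-90, -80),        # default -85 dBm
    "hysteresis": (2, 4),          # default 2 dB
    "scan_threshold": (-77, -70),  # default -72
    "transition_time": (1, 10),    # default 5 seconds
}


@dataclass(frozen=True)
class RoamingParams:
    """Hypothetical container for the four template fields (defaults as documented)."""
    min_rssi: int = -85
    hysteresis: int = 2
    scan_threshold: int = -72
    transition_time: int = 5


def out_of_range(params):
    """Names of fields whose values fall outside the documented ranges."""
    return [name for name, (low, high) in RANGES.items()
            if not low <= getattr(params, name) <= high]


def simulate(trace, params, start="A"):
    """Replay one RSSI sample per second for a client between AP A and AP B.

    Assumed rule (a simplification, not Cisco's algorithm): the client roams
    when the neighbor is stronger than the serving AP by at least
    `hysteresis` dB.
    """
    serving = start
    roam_times = []
    worst_serving = None    # weakest RSSI seen from the serving AP
    run = longest_run = 0   # consecutive seconds below the scan threshold
    for second, sample in enumerate(trace):
        neighbor = "B" if serving == "A" else "A"
        gain = sample[neighbor] - sample[serving]
        if gain > 0 and gain >= params.hysteresis:
            serving = neighbor
            roam_times.append(second)
        rssi = sample[serving]
        worst_serving = rssi if worst_serving is None else min(worst_serving, rssi)
        run = run + 1 if rssi < params.scan_threshold else 0
        longest_run = max(longest_run, run)
    return {
        "roam_times": roam_times,
        "worst_serving": worst_serving,
        # True if the serving signal ever dropped below the Minimum RSSI value.
        "below_min_rssi": worst_serving is not None and worst_serving < params.min_rssi,
        # True if the client never stayed below the scan threshold for longer
        # than the Transition Time.
        "within_transition_time": longest_run <= params.transition_time,
    }


# Constructed trace: a client near the border between two access points.
BORDER_TRACE = [
    {"A": -68, "B": -75},
    {"A": -70, "B": -73},
    {"A": -72, "B": -71},
    {"A": -71, "B": -72},
    {"A": -73, "B": -71},
    {"A": -72, "B": -73},
    {"A": -74, "B": -71},
    {"A": -76, "B": -70},
    {"A": -79, "B": -69},
]

if __name__ == "__main__":
    # 0 dB is outside the documented range and is used only as a baseline.
    for hysteresis in (0, 2, 4):
        params = RoamingParams(hysteresis=hysteresis)
        print(hysteresis, out_of_range(params), simulate(BORDER_TRACE, params))
```

With this trace, a larger hysteresis removes the back-and-forth roams but keeps the client on the weaker access point for longer before it moves.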
Configuring an RRM Threshold Template (for 802.11a or 802.11b/g)
Follow these steps to add a new 802.11a or 802.11b/g RRM threshold template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose 802.11a > RRM Thresholds or 802.11b/g > RRM Thresholds.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name in the Template Name column. The 802.11a or 802.11b/g RRM Thresholds Template appears (see Figure 10-41), and the number of controllers the template is applied to automatically populates.
Figure 10-41 802.11b/g RRM Thresholds Template
Step 4 Enter the minimum percentage of failed clients that are currently associated with the controller.
Step 5 Enter the minimum number of failed clients that are currently associated with the controller.
Step 6 At the Min SNR Level parameter, enter the minimum signal-to-noise ratio of the client RF session.
Step 7 Enter the maximum number of clients currently associated with the controller.
Step 8 At the RF Utilization parameter, enter the threshold percentage for either 802.11a or 802.11b/g.
Step 9 Enter an interference threshold.
Step 10 Enter a noise threshold between -127 and 0 dBm. When outside of this threshold, the controller sends an alarm to WCS.
Step 11 At the Channel List drop-down menu in the Noise/Interference/Rogue Monitoring Channels section, choose between all channels, country channels, or DCA channels based on the level of monitoring you want. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation amongst a set of managed devices connected to the controller.
Step 12 Click Save.
Configuring an RRM Interval Template (for 802.11a or 802.11b/g)
Follow these steps to add an 802.11a or 802.11b/g RRM interval template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose 802.11a > RRM Intervals or 802.11b/g > RRM Intervals.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name from the Template Name column. The 802.11a or 802.11b/g RRM Threshold Template appears (see Figure 10-42), and the number of controllers the template is applied to automatically populates.
Figure 10-42 802.11a RRM Intervals Template
Step 4 Enter the interval at which you want strength measurements taken for each access point. The default is 300 seconds.
Step 5 Enter the interval at which you want noise and interference measurements taken for each access point. The default is 300 seconds.
Step 6 Enter the interval at which you want load measurements taken for each access point. The default is 300 seconds.
Step 7 Enter the interval at which you want coverage measurements taken for each access point. The default is 300 seconds.
Step 8 Click Save.
Configuring an 802.11h Template
Follow these steps to add an 802.11h template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose 802.11a > 802.11h.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name from the Template Name column. The 802.11h Template appears (see Figure 10-43), and the number of controllers the template is applied to automatically populates.
Figure 10-43 802.11h Template
Step 4 Check the power constraint check box to enable TPC.
Step 5 Check the channel announcement check box to enable channel announcement. Channel announcement is a method in which the access point announces when it is switching to a new channel and the new channel number.
Step 6 Click Save.
Configuring a Mesh Template
This section provides a template for configuring the access point to establish a connection with the controller. Follow these steps to add a mesh template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Mesh.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click a specific template name. The Mesh Configuration Template window appears (see Figure 10-44).
Figure 10-44 Mesh Configuration Template
Step 4 The Root AP to Mesh AP Range is 12,000 feet by default. Enter the optimum distance (in feet) that should exist between the root access point and the mesh access point. This global parameter applies to all access points when they join the controller and all existing access points in the network.
Step 5 The Mesh Mac Filter is enabled by default. When enabled, this feature secures your network against any rogue access points by not allowing access points that are not defined in the MAC Filter List to attach. However, if you disable this feature, mesh access points can join the controller.
Note
The ability to join a controller without specification within a MAC filter list is only supported on mesh access points.
Note
For releases prior to 4.1.82.0, mesh access points do not join the controller unless they are defined in the MAC filter list.
You may want to disable the MAC filter list to allow newly added access points to join the controller. Before enabling the MAC filter list again, you should enter the MAC addresses of the new access points. After you check the Enable Mesh MAC Filter check box, the access points reboot and then rejoin the controller if defined in the MAC filter list. Access points that are not defined in the MAC list cannot join the controller.
Step 6 The Enable Client Access on Backhaul Link check box is not checked by default. When this option is enabled, mesh access points are able to associate with 802.11a wireless clients over the 802.11a backhaul. This client association is in addition to the existing communication on the 802.11a backhaul between the root and mesh access points.
Note
This feature is only applicable to access points with two radios.
Step 7 Click Save.
Configuring a Known Rogue Access Point Template
If you have an established list of known rogue devices, you can configure a template to pass these rogue details to multiple controllers. Follow these steps to add a known rogue template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Known Rogues.
Step 3 To add a new template, choose Add Known Rogue from the Select a command drop-down menu and click GO. To make modifications to an existing template, click a specific MAC address in the MAC Address column. The Known Rogues Template window appears (see Figure 10-45).
Figure 10-45 Known Rogues Template
Step 4 The Import from File check box is enabled. This enables you to import a .csv file which contains the MAC addresses of access points into the Cisco WCS. If you click to disable the check box, you are required to enter the MAC address of the access point manually (enter this and skip to Step 6). If you are importing a .csv file, continue to Step 5.
Step 5 Enter the file path where the .csv file exists or use the Browse button to navigate there. Skip to Step 9.
Step 6 Use the Status drop-down menu to specify whether the rogue is known or acknowledged.
Step 7 Enter a comment that may be useful to you later.
Step 8 Click the Suppress Alarms check box if you do not want an alarm sent to WCS.
Step 9 Click Save.
Configuring a Trap Receiver Template
Follow these steps to add a new trap receiver template or make modifications to an existing template. If you have monitoring devices on your network that receive SNMP traps, you may want to add a trap receiver template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Management > Trap Receivers.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click a specific template in the Template Name column. The Trap Receiver Template window appears (see Figure 10-46), and the number of controllers the template is applied to automatically populates.
Figure 10-46 Trap Receiver Template
Step 4 Enter the IP address of the server.
Step 5 Click to enable the admin status if you want SNMP traps to be sent to the receiver.
Step 6 Click Save.
Configuring a Trap Control Template
Follow these steps to add a trap control template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Management > Trap Control.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Trap Controls Template window appears (see Figure 10-47), and the number of controllers the template is applied to automatically populates.
Figure 10-47 Trap Controls Template
Step 4 Check the appropriate check box to enable any of the following miscellaneous traps:
• SNMP Authentication - The SNMPv2 entity has received a protocol message that is not properly authenticated. When a user who is configured in SNMP V3 mode tries to access the controller with an incorrect password, the authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.
• Link (Port) Up/Down - Link changes state from up or down.
• Multiple Users - Two users log in with the same login ID.
• Spanning Tree - Spanning Tree traps. Refer to the STP specification for descriptions of individual parameters.
• Rogue AP - Whenever a rogue access point is detected or when a rogue access point was detected earlier and no longer exists, this trap is sent with its MAC address.
• Controller Config Save - Notification sent when the configuration is modified.
Step 5 Check the appropriate check box to enable any of the following client-related traps:
• 802.11 Disassociation - The disassociate notification is sent when the client sends a disassociation frame.
• 802.11 Deauthentication - The deauthenticate notification is sent when the client sends a deauthentication frame.
• 802.11 Failed Authentication - The authenticate failure notification is sent when the client sends an authentication frame with a status code other than successful.
• 802.11 Failed Association - The associate failure notification is sent when the client sends an association frame with a status code other than successful.
• Excluded - The associate failure notification is sent when a client is excluded.
Step 6 Check the appropriate check box to enable any of the following access point traps:
• AP Register - Notification sent when an access point associates or disassociates with the controller.
• AP Interface Up/Down - Notification sent when access point interface (802.11a or 802.11b/g) status goes up or down.
Step 7 Check the appropriate check box to enable any of the following auto RF profile traps:
• Load Profile - Notification sent when Load Profile state changes between PASS and FAIL.
• Noise Profile - Notification sent when Noise Profile state changes between PASS and FAIL.
• Interference Profile - Notification sent when Interference Profile state changes between PASS and FAIL.
• Coverage Profile - Notification sent when Coverage Profile state changes between PASS and FAIL.
Step 8 Check the appropriate check box to enable any of the following auto RF update traps:
• Channel Update - Notification sent when access point’s dynamic channel algorithm is updated.
• Tx Power Update - Notification sent when access point’s dynamic transmit power algorithm is updated.
• Antenna Update - Notification sent when access point’s dynamic antenna algorithm is updated.
Step 9 Check the appropriate check box to enable any of the following AAA traps:
• User Auth Failure - This trap is to inform you that a client RADIUS authentication failure has occurred.
• RADIUS Server No Response - This trap is to indicate that no RADIUS server(s) are responding to authentication requests sent by the RADIUS client.
Step 10 Check the appropriate check box to enable the following 802.11 security trap:
• WEP Decrypt Error - Notification sent when the controller detects a WEP decrypting error.
Step 11 Check the appropriate check box to enable the following WPS trap:
• Rogue Auto Containment - Notification sent when a rogue access point is auto-contained.
Step 12 Click Save.
Configuring a Telnet SSH Template
Follow these steps to add a Telnet SSH configuration template or make changes to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Management > Telnet SSH.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Telnet SSH Configuration Template window appears (see Figure 10-48), and the number of controllers the template is applied to automatically populates.
Figure 10-48 Telnet SSH Configuration Template
Step 4 Enter the number of minutes a Telnet session is allowed to remain inactive before being logged off. A zero means there is no timeout. The valid range is 0 to 160, and the default is 5.
Step 5 At the Maximum Sessions parameter, enter the number of simultaneous Telnet sessions allowed. The valid range is 0 to 5, and the default is 5. New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the service port.
Step 6 Use the Allow New Telnet Session drop-down menu to determine if you want new Telnet sessions allowed on the DS port. New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the service port. The default is no.
Step 7 Use the Allow New SSH Session drop-down menu to determine if you want Secure Shell Telnet sessions allowed. The default is yes.
Step 8 Click Save.
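Before templates are applied to controllers, the Telnet SSH values can be checked against the ranges and defaults given above, and the Trap Control template can be checked for the traps that report authentication failures, rogue devices, and configuration changes. This is an added example, not WCS code or part of the Cisco guide: the dictionary layout, key names, template names, and the choice of baseline traps are assumptions, and the sample templates are constructed.

```python
# Ranges from the Telnet SSH template steps above, as (low, high).
TELNET_SSH_RANGES = {
    "session_timeout": (0, 160),  # minutes, default 5, 0 means no timeout
    "maximum_sessions": (0, 5),   # default 5
}

# Assumed baseline (an editorial choice, not a Cisco recommendation): traps
# from the Trap Control template that report authentication, rogue-device
# and configuration-change events.
BASELINE_TRAPS = (
    "SNMP Authentication", "Multiple Users", "Rogue AP",
    "Controller Config Save", "802.11 Failed Authentication",
    "User Auth Failure", "RADIUS Server No Response",
    "Rogue Auto Containment",
)


def _is_int(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return type(value) is int


def audit_telnet_ssh(template):
    """Return (severity, field, reason) findings for one Telnet SSH template."""
    findings = []
    for field, (low, high) in TELNET_SSH_RANGES.items():
        value = template.get(field)
        if not _is_int(value) or not low <= value <= high:
            findings.append(("invalid", field,
                             f"{value!r} is outside {low} to {high}"))
    timeout = template.get("session_timeout")
    if _is_int(timeout) and timeout == 0:
        # In range, but idle sessions are then never logged off.
        findings.append(("weak", "session_timeout",
                         "0 disables the inactivity logoff"))
    if template.get("allow_new_telnet_session", False):   # documented default: no
        findings.append(("weak", "allow_new_telnet_session",
                         "Telnet sends credentials unencrypted on the DS port"))
    if not template.get("allow_new_ssh_session", True):   # documented default: yes
        findings.append(("weak", "allow_new_ssh_session",
                         "SSH is disabled, removing the encrypted CLI option"))
    return findings


def missing_baseline_traps(enabled_traps):
    """Baseline traps that the Trap Control template leaves disabled."""
    enabled = set(enabled_traps)
    return [trap for trap in BASELINE_TRAPS if trap not in enabled]


def audit_all(templates):
    """Audit every named template set and collect the findings per name."""
    return {
        name: {
            "telnet_ssh": audit_telnet_ssh(entry["telnet_ssh"]),
            "missing_traps": missing_baseline_traps(entry["traps"]),
        }
        for name, entry in templates.items()
    }


# Constructed sample data, transcribed by hand in a hypothetical layout.
SAMPLE_TEMPLATES = {
    "branch-default": {
        "telnet_ssh": {"session_timeout": 5, "maximum_sessions": 5,
                       "allow_new_telnet_session": False,
                       "allow_new_ssh_session": True},
        "traps": list(BASELINE_TRAPS) + ["Link (Port) Up/Down"],
    },
    "legacy-lab": {
        "telnet_ssh": {"session_timeout": 0, "maximum_sessions": 8,
                       "allow_new_telnet_session": True,
                       "allow_new_ssh_session": False},
        "traps": ["Link (Port) Up/Down", "SNMP Authentication",
                  "Multiple Users", "Controller Config Save",
                  "802.11 Failed Authentication",
                  "RADIUS Server No Response", "Rogue Auto Containment"],
    },
}

if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_TEMPLATES).items():
        print(name, result)
```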
Configuring a Syslog Template
Follow these steps to add a syslog configuration template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Management > Syslog.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Syslog Configuration Template window appears (see Figure 10-49), and the number of controllers the template is applied to automatically populates.
Figure 10-49 Syslog Configuration Template
Step 4 Enter a template name. The number of controllers to which this template is applied is displayed.
Step 5 Click to enable syslog.
Step 6 Click Save.
Configuring a Local Management User Template
Follow these steps to add a local management user template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Management > Local Management Users.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a username in the User Name column. The Local Management Users Template appears (see Figure 10-50).
Figure 10-50 Local Management Users Template
Step 4 Enter a template username.
Step 5 Enter a password for this local management user template.
Step 6 Re-enter the password.
Step 7 Use the Access Level drop-down menu to choose either Read Only or Read Write.
Step 8 Click Save.
Configuring a User Authentication Priority Template
Management user authentication priority templates control the order in which authentication servers are used to authenticate a controller’s management users. Follow these steps to add a user authentication priority template or make modifications to an existing template.
Step 1 Choose Configure > Controller Templates.
Step 2 From the left sidebar menu, choose Management > Authentication Priority.
Step 3 To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a username in the Template Name column. The Local Management Users Template appears (Figure 10-51).
Figure 10-51 Authentication Priority Template
Step 4 Enter a template name.
Step 5 The local server is tried first. Choose either RADIUS or TACACS+ to try if local authentication fails.
Step 6 Click Save.
Applying Controller Templates
You can apply a controller template to a controller.
Step 1 Go to Configure > Controller Templates.
Step 2 Using the left sidebar menu, choose the category of templates to apply.
Step 3 Click the URL from the Template Name column that you want to apply to the controller.
Step 4 Click the Apply to Controllers button.
Adding Access Point Templates
This page allows you to add a new access point template.
Step 1 Choose Configure > Access Point Templates.
Step 2 Choose Add Template from the Select a command drop-down menu and click GO.
Step 3 Enter the template name.
Step 4 Provide a description of the template.
Step 5 Click Save.
Configuring Access Point/Radio Templates
This page allows you to configure a template of access point information that you can apply to one or more access points.
Step 1 Choose Configure > Access Point Templates.
Step 2 From the Template Name column, click on the template name you want to configure.
Step 3 Choose the AP Parameters tab. The AP/Radio Templates window appears (see Figure 10-52).
Figure 10-52 AP/Radio Templates
Step 4 Click the Location check box and enter the access point location.
Step 5 Click both the Admin Status and Enabled check boxes to enable access point administrative status.
Step 6 Click the AP Mode check box and use the drop-down menu to set the operational mode of the access point as follows:
• Local - Default
• Monitor - Monitor mode only
• REAP - Cisco 1030 remote edge lightweight access point (REAP) used for Cisco 1030 IEEE 802.11a/b/g remote edge lightweight access points.
• Rogue Detected - Monitors the rogue access points but does not transmit or contain rogue access points.
• Sniffer - The access point “sniffs” the air on a given channel. It captures and forwards all the packets from the client on that channel to a remote machine that runs Airopeek (a packet analyzer for IEEE 802.11 wireless LANs). It includes information on timestamp, signal strength, packet size, and so on. If you choose Sniffer as an operation mode, you are required to enter a channel and server IP address on the AP/Radio Templates 802.11b/g or 802.11a parameters tab.
Note
The sniffer feature can be enabled only if you are running Airopeek, which is a third-party network analyzer software that supports decoding of data packets. For more information on Airopeek, see http://www.wildpackets.com/products.
Step 7 You must click both the Mirror Mode and Enabled check boxes to enable access point mirroring mode.
Step 8 Click the check box to enable the country code drop-down menu. A list of country codes is returned. For this access point, choose which country code selection to allow. Access points are designed for use in many countries with varying regulatory requirements. You can configure a country code to ensure that it complies with your country’s regulations.
Note
Access points may not operate properly if they are not designed for use in your country of operation. For example, an access point with part number AIR-AP1030-A-K9 (which is included in the Americas regulatory domain) cannot be used in Australia. Always be sure to purchase access points that match your country’s regulatory domain. For a complete list of country codes supported per product, refer to http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html.
Step 9 Click to enable Stats Collection Interval and then enter the collection period (in seconds) for access point statistics.
Step 10 Choose the bridging option if you want the access point to act as a bridging access point. This feature applies only to Mesh access points.
Step 11 Use the Data Rate drop-down menu to choose a data rate of 6, 9, 12, 18, 24, 36, 48, or 54 Mbps.
Step 12 Use the Ethernet Bridging drop-down menu to choose enabled or disabled.
Step 13 Click the Cisco Discovery Protocol check box and click Enabled to allow CDP on a single access point or all access points. CDP is a device discovery protocol that runs on all Cisco manufactured equipment (such as routers, bridges, communication servers, and so on).
Step 14 Click the Controllers check box, and then you will be required to enter the Primary, Secondary, and Tertiary Controller names.
Step 15 Click the Group VLAN Name check box and then use the drop-down menu to select an established Group VLAN name.
Step 16 Enable local switching by checking the H-REAP Configuration check box. When you enable local switching, any remote access point that advertises this WLAN is able to locally switch data packets (instead of tunneling to the controller).
Step 17 Check the VLAN Support check box to enable it and enter the number of the native VLAN on the remote network (such as 100) in the Native VLAN ID field. This value cannot be zero.
Note
By default, a VLAN is not enabled on the hybrid-REAP access point. Once hybrid REAP is enabled, the access point inherits the VLAN name (interface name) and the VLAN ID associated to the WLAN. This configuration is saved in the access point and received after the successful join response. By default, the native VLAN is 1. One native VLAN must be configured per hybrid-REAP access point in a VLAN-enabled domain. Otherwise, the access point cannot send and receive packets to and from the controller. When the client is assigned a VLAN from the RADIUS server, that VLAN is associated to the locally switched WLAN.
Step 18 The SSID-VLAN Mappings section lists all the SSIDs of the controllers which are currently enabled for HREAP local switching. You can edit the number of VLANs from which the clients will get an IP address by clicking the check box and adjusting the value.
Step 19 Save the template.
Step 20 If the updates require a reboot to be reflected, click to check the Reboot AP check box.
Step 21 Choose the Select APs tab. Use the drop-down menu to apply the parameters by controller, floor area, outdoor area, or all. Click Apply.
Note
When you apply the template to the access point, WCS checks to see if the access point supports REAP mode and displays the application status accordingly.
- 104 Using Chokepoints to Enhance Tag Location Reporting
- 104 Adding Chokepoints to the WCS Database and Map
- 110 Removing Chokepoints from the WCS Database and Map
- 111 Monitoring Maps
- 112 Monitoring Predicted Coverage
- 113 Access Point Layer
- 114 AP Mesh Info Layer
- 115 Clients Layer
- 116 802.11 Tags Layer
- 117 Rogue APs Layer
- 118 Rogue Clients Layer
- 119 Monitoring Channels on a Floor Map
- 119 Monitoring Transmit Power Levels on a Floor Map
- 120 Monitoring Coverage Holes on a Floor Map
- 121 Monitoring Clients on a Floor Map
- 122 Monitoring Outdoor Areas
- 123 Importing or Exporting WLSE Map Data
- 127 Creating and Applying Calibration Models
- 130 Modifying the Appearance of Floor Maps
- 130 Monitoring Calibration Models
- 131 Analyzing Element Location Accuracy Using Testpoints
- 132 Assigning Testpoints to a Selected Area
- 137 Monitoring Wireless Devices
- 138 Monitoring Rogue Access Points
- 138 Rogue AP Details
- 138 Rogue Access Point Location, Tagging, and Containment
- 139 Detecting and Locating Rogue Access Points
- 141 Acknowledging Rogue Access Points
- 141 WLAN Client Troubleshooting
- 152 Finding Clients
- 155 Receiving Radio Measurements
- 156 Finding Coverage Holes
- 156 Pinging a Network Device from a Controller
- 157 Viewing Controller Status and Configurations
- 158 Monitoring Mesh Networks Using Maps
- 158 Monitoring Mesh Link Statistics Using Maps
- 161 Monitoring Mesh Access Points Using Maps
- 163 Monitoring Mesh Access Point Neighbors Using Maps
- 164 Monitoring Mesh Health
- 166 Mesh Security Statistics for an Access Point
- 168 Viewing the Mesh Network Hierarchy
- 170 Using Filtering to Modify Map Display
- 172 Running a Link Test
- 174 Retrieving the Unique Device Identifier on Controllers and Access Points
- 179 Managing WCS User Accounts
- 180 Adding WCS User Accounts
- 182 Changing Passwords
- 182 Monitoring Active Sessions
- 184 Viewing or Editing User Information
- 184 Viewing or Editing Group Information
- 186 Viewing the Audit Trail
- 187 Deleting WCS User Accounts
- 187 Creating Guest User Accounts
- 187 Creating a Lobby Ambassador Account
- 188 Logging in to the WCS User Interface
- 189 Managing WCS Guest User Accounts
- 189 Adding Guest User Accounts
- 190 Viewing and Editing Guest Users
- 191 Deleting Guest User Templates
- 192 Scheduling WCS Guest User Accounts
- 193 Print or Email WCS Guest User Details
- 193 Logging the Lobby Ambassador Activities
- 195 Configuring Mobility Groups
- 196 Overview of Mobility
- 199 Symmetric Tunneling
- 199 Overview of Mobility Groups
- 201 When to Include Controllers in a Mobility Group
- 201 Configuring Mobility Groups
- 202 Prerequisites
- 204 Mobility Anchors
- 204 Configuring Mobility Anchors
- 206 Configuring Multiple Country Codes
- 209 Creating Config Groups
- 209 Adding New Group
- 210 Configuring Config Groups
- 211 Adding or Removing Controllers from Config Group
- 211 Adding or Removing Templates from the Config Group
- 212 Applying Config Groups
- 212 Auditing Config Groups
- 213 Rebooting Config Groups
- 213 Downloading Software
- 214 Downloading IDS Signatures
- 215 Downloading Customized WebAuth
- 219 Configuring Controllers and Access Points
- 220 Adding Controllers
- 221 Setting Multiple Country Codes
- 222 Searching Controllers
- 223 Managing User Authentication Order
- 223 Configuring Audit Reports
- 223 Enabling Load-Based CAC for Controllers
- 225 Enabling High Density
- 225 Requirements
- 225 Optimizing the Controller to Support High Density
- 228 Configuring 802.3 Bridging
- 228 Configuring Access Points
- 232 Searching Access Points
- 235 Using Templates
- 235 Adding Controller Templates
- 237 Configuring an NTP Server Template
- 237 Configuring General Templates
- 240 Configuring QoS Templates
- 241 Configuring a Traffic Stream Metrics QoS Template
- 243 Configuring WLAN Templates
- 245 Security
- 245 Layer 2
- 247 Layer 3
- 248 AAA Servers
- 250 QoS
- 251 Advanced
- 252 Configuring a File Encryption Template
- 254 Configuring a RADIUS Authentication Template
- 256 Configuring a RADIUS Accounting Template
- 257 Configuring a LDAP Server Template
- 258 Configuring a TACACS+ Server Template
- 259 Configuring a Network Access Control Template
- 260 Configuring a Local EAP General Template
- 261 Configuring a Local EAP Profile Template
- 262 Configuring an EAP-FAST Template
- 263 Configuring Network User Credential Retrieval Priority Templates
- 264 Configuring a Local Network Users Template
- 266 Configuring Guest User Templates
- 267 Configuring a User Login Policies Template
- 267 Configuring a MAC Filter Template
- 268 Configuring an Access Point Authorization
- 269 Configuring a Manually Disabled Client Template
- 270 Configuring a CPU Access Control List (ACL) Template
- 271 Configuring a Rogue Policies Template
- 272 Configuring a Trusted AP Policies Template
- 273 Configuring a Client Exclusion Policies Template
- 275 Configuring an Access Point Authentication and MFP Template
- 276 Configuring a Web Authentication Template
- 277 Downloading a Customized Web Authentication Page
- 280 Configuring Access Control List Templates
- 281 Configuring a Policy Name Template (for 802.11a or 802.11b/g)
- 284 Configuring High Density Templates
- 286 Configuring a Voice Parameter Template (for 802.11a or 802.11b/g)
- 287 Configuring a Video Parameter Template (for 802.11a or 802.11b/g)
- 288 Configuring a Roaming Parameters Template (for 802.11a or 802.11b/g)
- 289 Configuring an RRM Threshold Template (for 802.11a or 802.11b/g)
- 290 Configuring an RRM Interval Template (for 802.11a or 802.11b/g)
- 291 Configuring an 802.11h Template
- 292 Configuring a Mesh Template
- 294 Configuring a Known Rogue Access Point Template
- 295 Configuring a Trap Receiver Template
- 295 Configuring a Trap Control Template
- 297 Configuring a Telnet SSH Template
- 298 Configuring a Syslog Template
- 299 Configuring a Local Management User Template
- 300 Configuring a User Authentication Priority Template
- 301 Applying Controller Templates
- 301 Adding Access Point Templates
- 302 Configuring Access Point/Radio Templates
- 307 Maintaining WCS
- 308 Checking the Status of WCS
- 308 Checking the Status of WCS on Windows
- 308 Checking the Status of WCS on Linux
- 309 Stopping WCS
- 309 Stopping WCS on Windows
- 309 Stopping WCS on Linux
- 310 Backing Up the WCS Database
- 310 Scheduling Automatic Backups
- 311 Performing a Manual Backup
- 311 Backing Up the WCS Database (for Windows)
- 311 Backing Up the WCS Database (for Linux)
- 312 Restoring the WCS Database
- 312 Restoring the WCS Database (for Windows)
- 313 Restoring the WCS Database (for Linux)
- 313 Importing the Location Appliance into WCS
- 316 Importing and Exporting Asset Information
- 316 Importing Asset Information
- 316 Exporting Asset Information
- 317 Auto-Synchronizing Location Appliances
- 318 Backing Up Location Appliance Data
- 320 Uninstalling WCS
- 320 Uninstalling WCS on Windows
- 320 Uninstalling WCS on Linux
- 321 Upgrading WCS
- 321 Upgrading WCS on Windows
- 322 Upgrading WCS on Linux
- 322 Upgrading the Network
- 322 Recovering the WCS Password
- 325 Configuring Hybrid REAP
- 326 Overview of Hybrid REAP
- 326 Hybrid-REAP Authentication Process
- 328 Hybrid REAP Guidelines
- 328 Configuring Hybrid REAP
- 328 Configuring the Switch at the Remote Site
- 330 Configuring the Controller for Hybrid REAP
- 333 Configuring an Access Point for Hybrid REAP
- 336 Connecting Client Devices to the WLANs
- 337 Running Reports
- 337 Choosing a Report
- 338 Enabling or Disabling a Schedule
- 339 Deleting a Report
- 339 Accessing the Schedule Panel
- 340 Access Point Reports
- 340 Viewing or Modifying Access Point Reports
- 341 Creating a New Access Point Report
- 341 Client Reports
- 342 Viewing or Modifying Client Reports
- 342 Creating a New Client Report
- 343 Inventory Reports
- 343 Viewing or Modifying Inventory Reports
- 343 Creating a New Inventory Report
- 344 Mesh Reports
- 344 Viewing or Modifying Mesh Reports
- 345 Creating a New Mesh Report
- 345 Performance Reports
- 346 Viewing or Modifying Performance Reports
- 346 Creating a New Performance Report
- 347 Security Reports
- 347 Viewing or Modifying Security Reports
- 347 Creating a New Security Report
- 349 Alarms and Events
- 350 Alarm Dashboard
- 352 Setting Search Filters for Alarms
- 356 Alarm and Event Dictionary
- 356 Notification Format
- 357 Traps Added in Release 2.0
- 357 AP_BIG_NAV_DOS_ATTACK
- 357 AP_CONTAINED_AS_ROGUE
- 357 AP_DETECTED_DUPLICATE_IP
- 357 AP_HAS_NO_RADIOS
- 358 AP_MAX_ROGUE_COUNT_CLEAR
- 358 AP_MAX_ROGUE_COUNT_EXCEEDED
- 359 AUTHENTICATION_FAILURE (From MIB-II standard)
- 359 BSN_AUTHENTICATION_FAILURE
- 359 COLD_START (FROM MIB-II STANDARD)
- 359 CONFIG_SAVED
- 360 IPSEC_IKE_NEG_FAILURE
- 360 IPSEC_INVALID_COOKIE
- 360 LINK_DOWN (FROM MIB-II STANDARD)
- 360 LINK_UP (FROM MIB-II STANDARD)
- 361 LRAD_ASSOCIATED
- 361 LRAD_DISASSOCIATED
- 361 LRADIF_COVERAGE_PROFILE_FAILED
- 362 LRADIF_COVERAGE_PROFILE_PASSED
- 362 LRADIF_CURRENT_CHANNEL_CHANGED
- 362 LRADIF_CURRENT_TXPOWER_CHANGED
- 363 LRADIF_DOWN
- 363 LRADF_INTERFERENCE_PROFILE_FAILED
- 363 LRADIF_INTERFERENCE_PROFILE_PASSED
- 364 LRADIF_LOAD_PROFILE_FAILED
- 364 LRADIF_LOAD_PROFILE_PASSED
- 364 LRADIF_NOISE_PROFILE_FAILED
- 365 LRADIF_NOISE_PROFILE_PASSED
- 365 LRADIF_UP
- 365 MAX_ROGUE_COUNT_CLEAR
- 366 MAX_ROGUE_COUNT_EXCEEDED
- 366 MULTIPLE_USERS
- 366 NETWORK_DISABLED
- 366 NO_ACTIVITY_FOR_ROGUE_AP
- 367 POE_CONTROLLER_FAILURE
- 367 RADIOS_EXCEEDED
- 367 RADIUS_SERVERS_FAILED
- 368 ROGUE_AP_DETECTED
- 368 ROGUE_AP_NOT_ON_NETWORK
- 369 ROGUE_AP_ON_NETWORK
- 369 ROGUE_AP_REMOVED
- 369 RRM_DOT11_A_GROUPING_DONE
- 370 RRM_DOT11_B_GROUPING_DONE
- 370 SENSED_TEMPERATURE_HIGH
- 370 SENSED_TEMPERATURE_LOW
- 371 STATION_ASSOCIATE
- 371 STATION_ASSOCIATE_FAIL
- 371 STATION_AUTHENTICATE
- 371 STATION_AUTHENTICATION_FAIL
- 372 STATION_BLACKLISTED
- 372 STATION_DEAUTHENTICATE
- 372 STATION_DISASSOCIATE
- 373 STATION_WEP_KEY_DECRYPT_ERROR
- 373 STATION_WPA_MIC_ERROR_COUNTER_ACTIVATED
- 373 SWITCH_DETECTED_DUPLICATE_IP
- 374 SWITCH_DOWN
- 374 SWITCH_UP
- 374 TEMPERATURE_SENSOR_CLEAR
- 375 TEMPERATURE_SENSOR_FAILURE
- 375 TOO_MANY_USER_UNSUCCESSFUL_LOGINS
- 376 Traps Added in Release 2.1
- 376 ADHOC_ROGUE_AUTO_CONTAINED
- 376 ADHOC_ROGUE_AUTO_CONTAINED_CLEAR
- 376 NETWORK_ENABLED
- 377 ROGUE_AP_AUTO_CONTAINED
- 377 ROGUE_AP_AUTO_CONTAINED_CLEAR
- 377 TRUSTED_AP_INVALID_ENCRYPTION
- 378 TRUSTED_AP_INVALID_ENCRYPTION_CLEAR
- 378 TRUSTED_AP_INVALID_RADIO_POLICY
- 378 TRUSTED_AP_INVALID_RADIO_POLICY_CLEAR
- 378 TRUSTED_AP_INVALID_SSID
- 379 TRUSTED_AP_INVALID_SSID_CLEAR
- 379 TRUSTED_AP_MISSING
- 379 TRUSTED_AP_MISSING_CLEAR
- 379 Traps Added in Release 2.2
- 379 AP_IMPERSONATION_DETECTED
- 380 AP_RADIO_CARD_RX_FAILURE
- 380 AP_RADIO_CARD_RX_FAILURE_CLEAR
- 380 AP_RADIO_CARD_TX_FAILURE
- 380 AP_RADIO_CARD_TX_FAILURE_CLEAR
- 381 SIGNATURE_ATTACK_CLEARED
- 381 SIGNATURE_ATTACK_DETECTED
- 381 TRUSTED_AP_HAS_INVALID_PREAMBLE
- 382 TRUSTED_HAS_INVALID_PREAMBLE_CLEARED
- 382 Traps Added in Release 3.0
- 382 AP_FUNCTIONALITY_DISABLED
- 382 AP_IP_ADDRESS_FALLBACK
- 383 AP_REGULATORY_DOMAIN_MISMATCH
- 383 RX_MULTICAST_QUEUE_FULL
- 384 Traps Added in Release 3.1
- 384 AP_AUTHORIZATION_FAILURE
- 384 HEARTBEAT_LOSS_TRAP
- 385 INVALID_RADIO_INTERFACE
- 385 RADAR_CLEARED
- 385 RADAR_DETECTED
- 386 RADIO_CORE_DUMP
- 386 RADIO_INTERFACE_DOWN
- 386 RADIO_INTERFACE_UP
- 387 UNSUPPORTED_AP
- 387 Traps Added in Release 3.2
- 387 LOCATION_NOTIFY_TRAP
- 388 Traps Added In Release 4.0
- 388 CISCO_LWAPP_MESH_POOR_SNR
- 388 CISCO_LWAPP_MESH_PARENT_CHANGE
- 388 CISCO_LWAPP_MESH_CHILD_MOVED
- 389 CISCO_LWAPP_MESH_CONSOLE_LOGIN
- 389 CISCO_LWAPP_MESH_AUTHORIZATION_FAILURE
- 389 CISCO_LWAPP_MESH_CHILD_EXCLUDED_PARENT
- 390 CISCO_LWAPP_MESH_EXCESSIVE_PARENT_CHANGE
- 390 IDS_SHUN_CLIENT_TRAP
- 390 IDS_SHUN_CLIENT_CLEAR_TRAP
- 391 MFP_TIMEBASE_STATUS_TRAP
- 391 MFP_ANOMALY_DETECTED_TRAP
- 391 GUEST_USER_REMOVED_TRAP
- 392 Traps Added/Updated in Release 4.0.96.0
- 392 AP_IMPERSONATION_DETECTED
- 392 RADIUS_SERVER_DEACTIVATED
- 392 RADIUS_SERVER_ACTIVATED
- 393 RADIUS_SERVER_WLAN_DEACTIVATED
- 393 RADIUS_SERVER_WLAN_ACTIVATED
- 393 RADIUS_SERVER_TIMEOUT
- 393 DECRYPT_ERROR_FOR_WRONG_WPA_WPA2
- 394 Traps Added or Updated in Release 4.1
- 394 AP_IMPERSONATION_DETECTED
- 394 INTERFERENCE_DETECTED
- 394 INTERFERENCE_CLEAR
- 395 ONE_ANCHOR_ON_WLAN_UP
- 395 RADIUS_SERVER_DEACTIVATED
- 395 RADIUS_SERVER_ACTIVATED
- 395 RADIUS_SERVER_WLAN_DEACTIVATED
- 396 RADIUS_SERVER_WLAN_ACTIVATED
- 396 RADIUS_SERVER_TIMEOUT
- 396 MOBILITY_ANCHOR_CTRL_PATH_DOWN
- 396 MOBILITY_ANCHOR_CTRL_PATH_UP
- 397 MOBILITY_ANCHOR_DATA_PATH_DOWN
- 397 MOBILITY_ANCHOR_DATA_PATH_UP
- 397 WLAN_ALL_ANCHORS_TRAP_DOWN
- 397 MESH_AUTHORIZATIONFAILURE
- 398 MESH_CHILDEXCLUDEDPARENT
- 398 MESH_PARENTCHANGE
- 398 MESH_CHILDMOVED
- 399 MESH_EXCESSIVEPARENTCHANGE
- 399 MESH_POORSNR
- 399 MESH_POORSNRCLEAR
- 400 MESH_CONSOLELOGIN
- 400 LRADIF_REGULATORY_DOMAIN
- 400 LRAD_CRASH
- 401 LRAD_UNSUPPORTED
- 401 Unsupported Traps
- 402 Configuring Alarm Severity
- 403 Viewing MFP Events and Alarms
- 403 Alarm Emails
- 404 Viewing IDS Signature Attacks
- 405 Wireless LAN IDS Event Correlation
- 407 Administrative Tasks
- 408 Running Background Tasks
- 408 Performing a Task
- 410 Importing Tasks Into ACS
- 410 Adding WCS to an ACS Server
- 411 Adding WCS as a TACACS+ Server
- 412 Adding WCS UserGroups into ACS for TACACS+
- 414 Adding WCS to ACS server for use with RADIUS
- 415 Adding WCS UserGroups into ACS for RADIUS
- 417 Adding WCS to a non-Cisco ACS server for use with RADIUS
- 418 Setting AAA Mode
- 419 Turning Password Rules On or Off
- 420 Configuring TACACS+ Servers
- 421 Configuring RADIUS Servers
- 423 Establishing Logging Options
- 423 Performing Data Management Tasks
- 424 Data Management
- 424 Report
- 425 Mail Server
- 427 Setting User Preferences
- 430 WCS and End User Licenses
- 431 WCS Licenses
- 431 Types of Licenses
- 432 Licensing Enforcement
- 432 Product Authorization Key Certificate
- 433 Determining Which License To Use
- 433 Installing a License
- 434 Managing Licenses
- 434 Adding a License
- 435 Deleting a License
- 435 Backup and Restore License
- 435 End User License Agreement
- 443 Conversion of a WLSE Autonomous Deployment to a WCS Controller Deployment
- 444 Supported Hardware
- 444 Supported Cisco WLSE Management Stations
- 444 Autonomous Access Points Convertible to LWAPP
- 444 Installation and Configuration
- 444 Installing Cisco WCS
- 445 Upgrading to Red Hat Enterprise Linux 4
- 445 Configuring the Converted Appliance
- 448 Licensing
- 448 WLSE Upgrade License
- 449 Index