Cisco Systems 3.2 Configuring Layer 3 Security

6-6

Cisco Wireless LAN Controller Configuration Guide

OL-8335-02

Chapter 6 Configuring WLANs

Configuring Wireless LANs

Configuring a Wireless LAN for Both Static and Dynamic WEP

You can configure up to four wireless LANs to support static WEP keys, and you can also configure

dynamic WEP on any of these static-WEP wireless LANs. Follow these guidelines when configuring a

wireless LAN for both static and dynamic WEP:

•The static WEP key and the dynamic WEP key must be the same length.

•When you configure static and dynamic WEP as the Layer-2 security policy, no other security

policies can be specified. For example, when you configure only dynamic WEP or only static WEP,

you can also configure web authentication or IPSec. However, when you configure both static and

dynamic WEP, you cannot also configure web authentication or IPSec.

Configuring Layer 3 Security

This section explains how to assign Layer 3 security settings to wireless LANs.

Note To use Layer 3 security on a Cisco 4100 Series Wireless LAN Controller, the controller must be equipped

with a VPN/Enhanced Security Module (Crypto Module). The module plugs into the back of the

controller and provides the extra processing power needed for processor-intensive security algorithms.

IPSec

IPSec (Internet Protocol Security) supports many Layer 3 security protocols. Enter these commands to

enable IPSec on a wireless LAN:

•config wlan security ipsec {enable | disable} wlan-id

•Enter show wlan to verify that IPSec is enabled.

IPSec Authentication

IPSec uses hmac-sha-1 authentication as the default for encrypting wireless LAN data, but can also use

hmac-md5, or no authentication. Enter this command to configure the IPSec IP authentication method:

•config wlan security ipsec authentication {hmac-md5 | hmac-sha-1 | none} wlan-id

•Enter show wlan to verify that the IPSec authentication method is configured.

IPSec Encryption

IPSec uses 3DES encryption as the default for encrypting wireless LAN data, but can also use AES,

DES, or no encryption. Enter this command to configure the IPSec encryption method:

•config wlan security ipsec encryption {3des | aes | des | none} wlan-id

•Enter show wlan to verify that the IPSec encryption method is configured.

Contents

Main Cisco Wireless LAN Controller Configuration Guide Page CONTENTS Page Page Page Page Page Page Page Page Page Preface Audience Purpose Organization Conventions xvi Related Publications Obtaining Documentation Cisco.com Product Documentation DVD Ordering Documentation Documentation Feedback Cisco Product Security Overview Reporting Security Problems in Cisco Products Obtaining Technical Assistance Cisco Technical Support & Documentation Website Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Page Overview Cisco Wireless LAN Solution Overview Single-Controller Deployments Multiple-Controller Deployments Operating System Software Operating System Security Cisco WLAN Solution Wired Security Layer 2 and Layer 3 LWAPP Operation Operational Requirements Configuration Requirements Cisco Wireless LAN Controllers Primary, Secondary, and Tertiary Controllers Client Roaming Same-Subnet (Layer 2) Roaming Inter-Controller (Layer 2) Roaming Inter-Subnet (Layer 3) Roaming Special Case: Voice Over IP Telephone Roaming Client Location External DHCP Servers Per-Wireless LAN Assignment Per-Interface Assignment Security Considerations Cisco WLAN Solution Wired Connections Cisco WLAN Solution Wireless LANs Access Control Lists Identity Networking Enhanced Integration with Cisco Secure ACS File Transfers Power over Ethernet Pico Cell Functionality Intrusion Detection Service (IDS) Wireless LAN Controller Platforms Cisco 2000 Series Wireless LAN Controllers Cisco 4100 Series Wireless LAN Controllers Cisco 4400 Series Wireless LAN Controllers Cisco 2000 Series Wireless LAN Controller Model Numbers Cisco 4100 Series Wireless LAN Controller Model Numbers Cisco 4400 Series Wireless LAN Controller Model Numbers Startup Wizard Cisco Wireless LAN Controller Memory Cisco Wireless LAN Controller Failover Protection Cisco Wireless LAN Controller Automatic Time Setting Cisco Wireless LAN Controller Time Zones Network Connections to Cisco Wireless LAN Controllers Cisco 2000 Series Wireless LAN Controllers Cisco 4100 Series Wireless LAN Controllers Cisco 4400 Series Wireless LAN Controllers VPN and Enhanced Security Modules for 4100 Series Controllers Rogue Access Points Rogue Access Point Location, Tagging, and Containment Web User Interface and the CLI Web User Interface Command Line Interface Using the Web-Browser and CLI Interfaces Using the Web-Browser Interface Guidelines for Using the GUI Opening the GUI Enabling Web and Secure Web Modes Configuring the GUI for HTTPS Loading an Externally Generated HTTPS Certificate Page Disabling the GUI Using Online Help Using the CLI Logging into the CLI Using a Local Serial Connection Using a Remote Ethernet Connection Logging Out of the CLI Navigating the CLI Enabling Wireless Connections to the Web-Browser and CLI Interfaces Configuring Ports and Interfaces 3-2 Overview of Ports and Interfaces Ports Distribution System Ports Service Port Interfaces Management Interface AP-Manager Interface Virtual Interface Service-Port Interface Dynamic Interface WLANs Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces Using the GUI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces Page Page Using the CLI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces Using the CLI to Configure the Management Interface Using the CLI to Configure the AP-Manager Interface Using the CLI to Configure the Virtual Interface Using the CLI to Configure the Service-Port Interface Configuring Dynamic Interfaces Using the GUI to Configure Dynamic Interfaces Page Using the CLI to Configure Dynamic Interfaces Configuring Ports Page Page Configuring Port Mirroring Configuring Spanning Tree Protocol Using the GUI to Configure Spanning Tree Protocol Page Page Page Using the CLI to Configure Spanning Tree Protocol Enabling Link Aggregation Link Aggregation Guidelines Using the GUI to Enable Link Aggregation Using the CLI to Enable Link Aggregation Configuring Neighbor Devices to Support LAG Configuring a 4400 Series Controller to Support More Than 48 Access Points Using Link Aggregation Using Multiple AP-Manager Interfaces Page Page Page Page Connecting Additional Ports Configuring Controller Settings Using the Configuration Wizard Before You Start Resetting the Device to Default Settings Resetting to Default Settings Using the CLI Resetting to Default Settings Using the GUI Running the Configuration Wizard on the CLI Managing the System Time and Date Configuring Time and Date Manually Configuring NTP Configuring a Country Code Enabling and Disabling 802.11 Bands Configuring Administrator Usernames and Passwords Configuring RADIUS Settings Configuring SNMP Settings Enabling 802.3x Flow Control Enabling System Logging Enabling Dynamic Transmit Power Control Configuring Multicast Mode Understanding Multicast Mode Guidelines for Using Multicast Mode Enabling Multicast Mode Configuring the Supervisor 720 to Support the WiSM General WiSM Guidelines Configuring the Supervisor Page Using the Wireless LAN Controller Network Module Page Configuring Security Solutions Cisco WLAN Solution Security Security Overview Layer 1 Solutions Layer 2 Solutions Layer 3 Solutions Rogue Access Point Solutions Rogue Access Point Challenges Tagging and Containing Rogue Access Points Integrated Security Solutions Configuring the System for SpectraLink NetLink Telephones Using the GUI to Enable Long Preambles Using the CLI to Enable Long Preambles Using Management over Wireless Using the GUI to Enable Management over Wireless Using the CLI to Enable Management over Wireless Configuring DHCP Using the GUI to Configure DHCP Using the CLI to Configure DHCP Customizing the Web Authentication Login Screen Default Web Authentication Operation Page Customizing Web Authentication Operation Hiding and Restoring the Cisco WLAN Solution Logo Changing the Web Authentication Login Window Title Changing the Web Message Changing the Logo Preparing the TFTP Server Copying the Logo or Graphic to the TFTP Server Downloading the Logo or Graphic Hiding the Logo Creating a Custom URL Redirect Verifying Web Authentication Changes 5-15 Example: Sample Customized Web Authentication Login Window Figure 5-4 Example of a Customized Web Authentication Login Window These are the CLI commands used to create the window in Figure 5-4: Configuring Identity Networking Identity Networking Overview RADIUS Attributes Used in Identity Networking QoS-Level ACL-Name Interface-Name VLAN-Tag Tunnel Attributes Page Configuring WLANs Wireless LAN Overview Configuring Wireless LANs Displaying, Creating, Disabling, and Deleting Wireless LANs Activating Wireless LANs Assigning a Wireless LAN to a DHCP Server Configuring MAC Filtering for Wireless LANs Enabling MAC Filtering Creating a Local MAC Filter Assigning Wireless LANs to VLANs Configuring Layer 2 Security Dynamic 802.1X Keys and Authorization WEP Keys Dynamic WPA Keys and Encryption Configuring a Wireless LAN for Both Static and Dynamic WEP Configuring Layer 3 Security IPSec IPSec Authentication IPSec Encryption IKE Authentication IKE Diffie-Hellman Group IKE Phase 1 Aggressive and Main Modes IKE Lifetime Timeout IPSec Passthrough Configuring Quality of Service Configuring QoS Enhanced BSS (QBSS) Enabling WMM Mode Enabling 7920 Support Mode QBSS Information Elements Sometimes Degrade 7920 Phone Performance Controlling Lightweight Access Points Lightweight Access Point Overview Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points Cisco 1030 Remote Edge Lightweight Access Points Cisco 1000 Series Lightweight Access Point Part Numbers Cisco 1000 Series Lightweight Access Point External and Internal Antennas External Antenna Connectors Antenna Sectorization Cisco 1000 Series Lightweight Access Point LEDs Cisco 1000 Series Lightweight Access Point Connectors Cisco 1000 Series Lightweight Access Point Power Requirements Cisco 1000 Series Lightweight Access Point External Power Supply Cisco 1000 Series Lightweight Access Point Mounting Options Cisco 1000 Series Lightweight Access Point Physical Security Using the DNS for Controller Discovery Dynamic Frequency Selection Autonomous Access Points Converted to Lightweight Mode Guidelines for Using Access Points Converted to Lightweight Mode Reverting from Lightweight Mode to Autonomous Mode Using a Controller to Return to a Previous Release Using the MODE Button and a TFTP Server to Return to a Previous Release Controllers Accept SSCs from Access Points Converted to Lightweight Mode Using DHCP Option 43 Using a Controller to Send Debug Commands to Access Points Converted to Lightweight Mode Converted Access Points Send Crash Information to Controller Converted Access Points Send Radio Core Dumps to Controller Enabling Memory Core Dumps from Converted Access Points Display of MAC Addresses for Converted Access Points Page Page Managing Controller Software and Configurations Transferring Files to and from a Controller Upgrading Controller Software Page Saving Configurations Clearing the Controller Configuration Erasing the Controller Configuration Resetting the Controller Page Configuring Radio Resource Management Overview of Radio Resource Management Radio Resource Monitoring Dynamic Channel Assignment Dynamic Transmit Power Control Coverage Hole Detection and Correction Client and Network Load Balancing RRM Benefits Overview of RF Groups RF Group Leader RF Group Name Configuring an RF Group Using the GUI to Configure an RF Group Using the CLI to Configure RF Groups Viewing RF Group Status Using the GUI to View RF Group Status Page Page Using the CLI to View RF Group Status Enabling Rogue Access Point Detection Using the GUI to Enable Rogue Access Point Detection Page Page Using the CLI to Enable Rogue Access Point Detection Configuring Dynamic RRM Using the GUI to Configure Dynamic RRM Page Page Page Page Page Using the CLI to Configure Dynamic RRM Overriding Dynamic RRM Statically Assigning Channel and Transmit Power Settings to Access Point Radios Using the GUI to Statically Assign Channel and Transmit Power Settings Page Using the CLI to Statically Assign Channel and Transmit Power Settings Disabling Dynamic Channel and Power Assignment Globally for a Controller Using the GUI to Disable Dynamic Channel and Power Assignment Using the CLI to Disable Dynamic Channel and Power Assignment Viewing Additional RRM Settings Using the CLI Configuring Mobility Groups Overview of Mobility Page Page Overview of Mobility Groups Page Determining When to Include Controllers in a Mobility Group Configuring Mobility Groups Prerequisites Using the GUI to Configure Mobility Groups Page Page Using the CLI to Configure Mobility Groups Configuring Auto-Anchor Mobility Guidelines for Using Auto-Anchor Mobility Using the GUI to Configure Auto-Anchor Mobility Page Using the CLI to Configure Auto-Anchor Mobility A Safety Considerations and Translated Safety Warnings Safety Considerations Warning Definition A-3 A-4 A-5 Class 1 Laser Product Warning A-6 A-7 Ground Conductor Warning A-8 A-9 Chassis Warning for Rack-Mounting and Servicing A-10 A-11 A-12 Page Page A-15 Page Page A-18 Battery Handling Warning for 4400 Series Controllers A-19 A-20 Equipment Installation Warning A-21 Page A-23 More Than One Power Supply Warning for 4400 Series Controllers A-24 Page Page B Declarations of Conformity and Regulatory Information Regulatory Information for 1000 Series Access Points Manufacturers Federal Communication Commission Declaration of Conformity Statement Tested To Comply With FCC Standards FOR HOME OR OFFICE USE Department of CommunicationsCanada Canadian Compliance Statement European Community, Switzerland, Norway, Iceland, and Liechtenstein Declaration of Conformity with Regard to the R&TTE Directive 1999/5/EC Declaration of Conformity for RF Exposure Guidelines for Operating Cisco Aironet Access Points in Japan Japanese Translation English Translation 03-5549-6500 Administrative Rules for Cisco Aironet Access Points in Taiwan Access Points with IEEE 802.11a Radios All Access Points English Translation Declaration of Conformity Statements FCC Statements for Cisco 2000 Series Wireless LAN Controllers Page Page C End User License and Warranty End User License Agreement Page Limited Warranty Page Disclaimer of Warranty General Terms Applicable to the Limited Warranty Statement and End User License Agreement Additional Open Source Terms Page D System Messages and Access Point LED Patterns System Messages Page Using Client Reason and Status Codes in Trap Logs Client Reason Codes Client Status Codes Using Lightweight Access Point LEDs INDEX Numerics A B Page D E F G H I N P Q R S T U V W