Cisco Systems AIRCAP2602IAK9 - page 10

Contents

8

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-21881-03

Configuring Other Access Points to Use the Local Authenticator 9-6

Configuring EAP-FAST Settings 9-7

Configuring PAC Settings 9-7

Configuring an Authority ID 9-8

Configuring Server Keys 9-8

Possible PAC Failures Caused by Access Point Clock 9-8

Limiting the Local Authenticator to One Authentication Type 9-9

Unblocking Locked Usernames 9-9

Viewing Local Authenticator Statistics 9-9

Using Debug Messages 9-10

CHAPTER

10 Configuring Cipher Suites and WEP 10-1

Understanding Cipher Suites and WEP 10-2

Configuring Cipher Suites and WEP 10-3

Creating WEP Keys 10-3

WEP Key Restrictions 10-5

Example WEP Key Setup 10-5

Enabling Cipher Suites and WEP 10-6

Matching Cipher Suites with WPA or CCKM 10-7

Enabling and Disabling Broadcast Key Rotation 10-8

CHAPTER

11 Configuring Authentication Types 11-1

Understanding Authentication Types 11-2

Open Authentication to the Access Point 11-2

Shared Key Authentication to the Access Point 11-3

EAP Authentication to the Network 11-4

MAC Address Authentication to the Netwo rk 11-5

Combining MAC-Based, EAP, and Open Authentication 11-6

Using CCKM for Authenticated Clients 11-6

Using WPA Key Management 11-7

Software and Firmware Requirements for WPA, CCKM, CKIP, and WPA-TKIP 11-8

Configuring Authentication Types 11-10

Assigning Authentication Types to an SSID 11-10

Configuring WPA Migration Mode 11-13

Configuring Additional WPA Settings 11-14

Configuring MAC Authentication Caching 11-15

Configuring Authentication Holdoffs, Timeouts, and Intervals 11-16

Creating and Applying EAP Method Profiles for the 802.1X Supplicant 11-17

Creating an EAP Method Profile 11-18

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Audience Purpose Organization Conventions Page xxiii Related Publications Obtaining Documentation, Obtaining Support, and Security Guidelines CHAPTER Overview Features Features Introduced in This Release Page Management Options Roaming Client Devices Network Configuration Examples Root Access Point Repeater Access Point Bridges Workgroup Bridge Central Unit in an All-Wireless Network Access point Page Using the Web-Browser Interface Using the Web-Browser Interface for the First Time Using the Management Pages in the Web-Browser Interface Using Action Buttons Character Restrictions in Entry Fields Enabling HTTPS for Secure Browsing Page Page Page Page Page Page Page Deleting an HTTPS Certificate Using Online Help Changing the Location of Help Files Disabling the Web-Browser Interface Using the Command-Line Interface Cisco IOS Command Modes Getting Help Abbreviating Commands Using no and default Forms of Commands Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands Through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Opening the CLI with Telnet Opening the CLI with Secure Shell Page Configuring the Access Point for the First Time Before You Start Resetting the Device to Default Settings Resetting to Default Settings Using the MODE Button Resetting to Default Settings Using the GUI Resetting to Default Settings Using the CLI Logging into the Access Point Obtaining and Assigning an IP Address Default IP Address Behavior Connecting to the 1100 Series Access Point Locally Connecting to the 1130 Series Access Point Locally Connecting to the 1040, 1140,1200, 1230, 1240, 1250, 1260, and 2600 Series Access Points Locally Connecting to the 1300 Series Access Point/Bridge Locally Default Radio Settings Assigning Basic Settings Page Page Page Page Page Default Settings on the Express Setup Page Page Configuring Basic Security Settings Understanding Express Security Settings Using VLANs Express Security Types Page Express Security Limitations Using the Express Security Page CLI Configuration Examples 4-22 4-23 Example: EAP Authentication Note The following warning message appears if your radio clients are using EAP-FAST and you do not 4-24 Example: WPA 4-25 Configuring System Power Settings for 1040, 1130, 1140, 1240, 1250, and 1260 Series Access Points Using the AC Power Adapter Using a Switch Capable of IEEE 802.3af Power Negotiation Using a Switch That Does Not Support IEEE 802.3af Power Negotiation Using a Power Injector Support for 802.11n Performance on 1250 Series Access Points with Standard 802.3af PoE 1250 Series Power Modes Assigning an IP Address Using the CLI Using a Telnet Session to Access the CLI Configuring the 802.1X Supplicant Creating a Credentials Profile Applying the Credentials to an Interface or SSID Applying the Credentials Profile to the Wired Port Applying the Credentials Profile to an SSID Used For the Uplink Creating and Applying EAP Method Profiles Administering the Access Point Disabling the Mode Button Preventing Unauthorized Access to Your Access Point Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Setting or Changing a Static Enable Password Page Protecting Enable and Enable Secret Passwords with Encryption Configuring Username and Password Pairs Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Logging Into and Exiting a Privilege Level Controlling Access Point Access with RADIUS Default RADIUS Configuration Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Displaying the RADIUS Configuration Controlling Access Point Access with TACACS+ Default TACACS+ Configuration Configuring TACACS+ Login Authentication Page Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Displaying the TACACS+ Configuration Configuring Ethernet Speed and Duplex Settings Configuring the Access Point for Wireless Network Management Configuring the Access Point for Local Authentication and Authorization Configuring the Authentication Cache and Profile 5-21 Configuring the Access Point to Provide DHCP Service Setting up the DHCP Server Page Monitoring and Maintaining the DHCP Server Access Point Show Commands Clear Commands Debug Command Configuring the Access Point for Secure Shell Understanding SSH Configuring SSH Configuring Client ARP Caching Understanding Client ARP Caching Optional ARP Caching Configuring ARP Caching Managing the System Time and Date Understanding Simple Network Time Protocol Configuring SNTP Configuring Time and Date Manually Setting the System Clock Displaying the Time and Date Configuration Configuring the Time Zone Configuring Summer Time (Daylight Saving Time) Page Defining HTTP Access Configuring a System Name and Prompt Default System Name and Prompt Configuration Configuring a System Name Understanding DNS Default DNS Configuration Setting Up DNS Displaying the DNS Configuration Creating a Banner Default Banner Configuration Configuring a Message-of-the-Day Login Banner Page Configuring a Login Banner Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode Migrating to Japan W52 Domain Page Verifying the Migration Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging CLI Command CHAPT ER Configuring Radio Settings Enabling the Radio Interface Configuring the Role in Radio Network Page Page Universal Workgroup Bridge Mode Point-to-point and Multi Point bridging support for 802.11n platforms Configuring Dual-Radio Fallback Radio Tracking Fast Ethernet Tracking MAC-Address Tracking Bridge Features Not Supported Configuring Radio Data Rates Access Points Send Multicast and Management Frames at Highest Basic Rate Page Configuring MCS Rates Configuring Radio Transmit Power Page Page Limiting the Power Level for Associated Client Devices Configuring Radio Channel Settings 802.11n Channel Widths Dynamic Frequency Selection Radar Detection on a DFS Channel CLI Commands Confirming that DFS is Enabled Configuring a Channel Blocking Channels from DFS Selection Setting the 802.11n Guard Interval Configuring Location-Based Services Understanding Location-Based Services Configuring LBS on Access Points Enabling and Disabling World Mode Disabling and Enabling Short Radio Preambles Configuring Transmit and Receive Antennas Enabling and Disabling Gratuitous Probe Response Disabling and Enabling Aironet Extensions Configuring the Ethernet Encapsulation Transformation Method Enabling and Disabling Reliable Multicast to Workgroup Bridges Enabling and Disabling Public Secure Packet Forwarding Configuring Protected Ports Configuring the Beacon Period and the DTIM Configure RTS Threshold and Retries Configuring the Maximum Data Retries Configuring the Fragmentation Threshold Enabling Short Slot Time for 802.11g Radios Performing a Carrier Busy Test Configuring VoIP Packet Handling Viewing VoWLAN Metrics Viewing Voice Reports Page Viewing Wireless Client Reports Viewing Voice Fault Summary Configuring Voice QoS Settings Configuring Voice Fault Settings Configuring ClientLink Using the CLI to Configure ClientLink Debugging Radio Functions Page Page Configuring Multiple SSIDs Understanding Multiple SSIDs Effect of Software Versions on SSIDs Page Configuring Multiple SSIDs Default SSID Configuration Creating an SSID Globally Page Viewing SSIDs Configured Globally Using Spaces in SSIDs Using a RADIUS Server to Restrict SSIDs Configuring Multiple Basic SSIDs Requirements for Configuring Multiple BSSIDs Guidelines for Using Multiple BSSIDs Configuring Multiple BSSIDs Page Displaying Configured BSSIDs Assigning IP Redirection for an SSID Guidelines for Using IP Redirection Configuring IP Redirection Including an SSID in an SSIDL IE NAC Support for MBSSID Page Page Configuring NAC for MBSSID 7-17 Page Configuring Spanning Tree Protocol Understanding Spanning Tree Protocol STP Overview 1300 and 350 Series Bridge Interoperability Access Point/Bridge Protocol Data Units Election of the Spanning-Tree Root Spanning-Tree Timers Creating the Spanning-Tree Topology Spanning-Tree Interface States Page Blocking State Listening State Learning State Forwarding State Disabled State Configuring STP Features Default STP Configuration Configuring STP Settings 8-10 STP Configuration Examples Root Bridge Without VLANs This example shows the configuration of a root bridge with no VLANs configured and with STP enabled: 8-11 Non-Root Bridge Without VLANs Root Bridge with VLANs This example shows the configuration of a root bridge with VLANs configured with STP enabled: 8-12 8-13 Non-Root Bridge with VLANs This example shows the configuration of a non-root bridge with VLANs configured with STP enabled: Displaying Spanning-Tree Status Configuring an Access Point as a Local Authenticator Understanding Local Authentication Configuring a Local Authenticator Guidelines for Local Authenticators Configuration Overview Configuring the Local Authenticator Access Point Page Page Configuring Other Access Points to Use the Local Authenticator Configuring EAP-FAST Settings Configuring PAC Settings PAC Expiration Times Generating PACs Manually Configuring an Authority ID Configuring Server Keys Possible PAC Failures Caused by Access Point Clock Limiting the Local Authenticator to One Authentication Type Unblocking Locked Usernames Viewing Local Authenticator Statistics Using Debug Messages Configuring Cipher Suites and WEP Understanding Cipher Suites and WEP Configuring Cipher Suites and WEP Creating WEP Keys Page WEP Key Restrictions Example WEP Key Setup Enabling Cipher Suites and WEP Matching Cipher Suites with WPA or CCKM Enabling and Disabling Broadcast Key Rotation Page Page Configuring Authentication Types Understanding Authentication Types Open Authentication to the Access Point Shared Key Authentication to the Access Point EAP Authentication to the Network MAC Address Authentication to the Network Combining MAC-Based, EAP, and Open Authentication Using CCKM for Authenticated Clients Using WPA Key Management 11-8 Figure 11-6 shows the WPA key management process. Software and Firmware Requirements for WPA, CCKM, CKIP, and WPA-TKIP Page Configuring Authentication Types Assigning Authentication Types to an SSID Page Page Configuring WPA Migration Mode Configuring Additional WPA Settings Setting a Pre-Shared Key Configuring Group Key Updates Configuring MAC Authentication Caching Configuring Authentication Holdoffs, Timeouts, and Intervals Creating and Applying EAP Method Profiles for the 802.1X Supplicant Creating an EAP Method Profile Applying an EAP Profile to the Fast Ethernet Interface Applying an EAP Profile to an Uplink SSID Matching Access Point and Client Device Authentication Types Page Page Page Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services Understanding WDS Role of the WDS Device Role of Access Points Using the WDS Device Understanding Fast Secure Roaming Page Understanding Radio Management Understanding Layer 3 Mobility Understanding Wireless Intrusion Detection Services Configuring WDS Guidelines for WDS Requirements for WDS Configuration Overview Configuring Access Points as Potential WDS Devices Page Page Page Page Configuring Access Points to use the WDS Device Configuring the Authentication Server to Support WDS Page Page Page Configuring WDS Only Mode Viewing WDS Information Using Debug Messages Configuring Fast Secure Roaming Requirements for Fast Secure Roaming Configuring Access Points to Support Fast Secure Roaming Page CLI Configuration Example Configuring Management Frame Protection Management Frame Protection Overview Protection of Unicast Management Frames Protection of Broadcast Management Frames Client MFP For Access Points in Root mode Configuring Client MFP Configuring Radio Management CLI Configuration Example Configuring Access Points to Participate in WIDS Configuring the Access Point for Scanner Mode Configuring the Access Point for Monitor Mode Displaying Monitor Mode Statistics Configuring Monitor Mode Limits Configuring an Authentication Failure Limit Configuring WLSM Failover Resilient Tunnel Recovery Active/Standby WLSM Failover Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS Understanding RADIUS RADIUS Operation Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Configuring Packet of Disconnect Starting RADIUS Accounting m Selecting the CSID Format Configuring Settings for All RADIUS Servers Configuring the Access Point to Use Vendor-Specific RADIUS Attributes Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication Configuring WISPr RADIUS Attributes Displaying the RADIUS Configuration RADIUS Attributes Sent by the Access Point Page Page Configuring and Enabling TACACS+ Understanding TACACS+ TACACS+ Operation Configuring TACACS+ Default TACACS+ Configuration Identifying the TACACS+ Server Host and Setting the Authentication Key Configuring TACACS+ Login Authentication Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting Displaying the TACACS+ Configuration Page Configuring VLANs Understanding VLANs Related Documents Incorporating Wireless Devices into VLANs Configuring VLANs Configuring a VLAN Page Assigning Names to VLANs Guidelines for Using VLAN Names Creating a VLAN Name Using a RADIUS Server to Assign Users to VLANs Using a RADIUS Server for Dynamic Mobility Group Assignment Viewing VLANs Configured on the Access Point VLAN Configuration Example Page 14-12 Table14-3 Results of Example Configuration Commands VLAN 1 Interfaces VLAN 2 Interfaces VLAN 3 Interfaces Configuring QoS Understanding QoS for Wireless LANs QoS for Wireless LANs Versus QoS on Wired LANs Impact of QoS on a Wireless LAN Precedence of QoS Settings Using Wi-Fi Multimedia Mode Configuring QoS Configuration Guidelines Configuring QoS Using the Web-Browser Interface Page Page Page The QoS Policies Advanced Page QoS Element for Wireless Phones IGMP Snooping AVVID Priority Mapping WiFi Multimedia (WMM) Adjusting Radio Access Categories Page Configuring Nominal Rates Optimized Voice Settings Configuring Call Admission Control Configuring the Radio Enabling Admission Control Troubleshooting Admission Control QoS Configuration Examples Giving Priority to Voice Traffic Giving Priority to Video Traffic Page Configuring Filters Understanding Filters Configuring Filters Using the CLI Configuring Filters Using the Web-Browser Interface Configuring and Enabling MAC Address Filters Creating a MAC Address Filter Page Using MAC Address ACLs to Block or Allow Client Association to the Access Point Page Creating a Time-Based ACL ACL Logging Configuring and Enabling IP Filters Page Creating an IP Filter Configuring and Enabling Ethertype Filters Creating an Ethertype Filter Page Configuring CDP Understanding CDP Configuring CDP Default CDP Configuration Configuring the CDP Characteristics Disabling and Enabling CDP Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP Page 17-6 17-7 Page Configuring SNMP Understanding SNMP SNMP Versions SNMP Manager Functions SNMP Agent Functions SNMP Community Strings Using SNMP to Access MIB Variables Configuring SNMP Default SNMP Configuration Enabling the SNMP Agent Configuring Community Strings Specifying SNMP-Server Group Names Configuring SNMP-Server Hosts Configuring SNMP-Server Users Configuring Trap Managers and Enabling Traps Page Setting the Agent Contact and Location Information Using the snmp-server view Command SNMP Examples Page Displaying SNMP Status Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Understanding Repeater Access Points Configuring a Repeater Access Point Default Configuration Guidelines for Repeaters Setting Up a Repeater Aligning Antennas Verifying Repeater Operation Setting Up a Repeater As a LEAP Client Setting Up a Repeater As a WPA Client Understanding Hot Standby Configuring a Hot Standby Access Point Page Verifying Standby Operation Understanding Workgroup Bridge Mode Page Treating Workgroup Bridges as Infrastructure Devices or as Client Devices Configuring a Workgroup Bridge for Roaming Configuring a Workgroup Bridge for Limited Channel Scanning Configuring the Limited Channel Set Ignoring the CCX Neighbor List Configuring a Client VLAN Workgroup Bridge VLAN Tagging Configuring Workgroup Bridge Mode Page Using Workgroup Bridges in a Lightweight Environment Guidelines for Using Workgroup Bridges in a Lightweight Environment Page Sample Workgroup Bridge Configuration Enabling VideoStream Support on Workgroup Bridges Page Managing Firmware and Configurations Working with the Flash File System Displaying Available File Systems Setting the Default File System Displaying Information About Files on a File System Changing Directories and Displaying the Working Directory Creating and Removing Directories Copying Files Deleting Files Creating, Displaying, and Extracting tar Files Creating a tar File Displaying the Contents of a tar File Extracting a tar File Displaying the Contents of a File Working with Configuration Files Guidelines for Creating and Using Configuration Files Configuration File Types and Location Creating a Configuration File by Using a Text Editor Copying Configuration Files by Using TFTP Preparing to Download or Upload a Configuration File by Using TFTP Downloading the Configuration File by Using TFTP Uploading the Configuration File by Using TFTP Copying Configuration Files by Using FTP Preparing to Download or Upload a Configuration File by Using FTP Downloading a Configuration File by Using FTP Uploading a Configuration File by Using FTP Copying Configuration Files by Using RCP Preparing to Download or Upload a Configuration File by Using RCP Downloading a Configuration File by Using RCP Uploading a Configuration File by Using RCP Clearing Configuration Information Deleting a Stored Configuration File Working with Software Images Image Location on the Access Point tar File Format of Images on a Server or Cisco.com Copying Image Files by Using TFTP Preparing to Download or Upload an Image File by Using TFTP Downloading an Image File by Using TFTP Page Uploading an Image File by Using TFTP Copying Image Files by Using FTP Preparing to Download or Upload an Image File by Using FTP Downloading an Image File by Using FTP Page Uploading an Image File by Using FTP Copying Image Files by Using RCP Preparing to Download or Upload an Image File by Using RCP Page Downloading an Image File by Using RCP Page Uploading an Image File by Using RCP Reloading the Image Using the Web Browser Interface Browser HTTP Interface Browser TFTP Interface Page Configuring System Message Logging Understanding System Message Logging Configuring System Message Logging System Log Message Format Default System Message Logging Configuration Disabling and Enabling Message Logging Setting the Message Display Destination Device Enabling and Disabling Timestamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages Defining the Message Severity Level Limiting Syslog Messages Sent to the History Table and to SNMP Setting a Logging Rate Limit Configuring UNIX Syslog Servers Logging Messages to a UNIX Syslog Daemon Configuring the UNIX System Logging Facility Page Displaying the Logging Configuration CHAPT ER Troubleshooting Checking the Top Panel Indicators 22-3 Page Indicators on 1130 Series Access Points Page Page Indicators on 1040 or 1140 Series Access Point 2 3 41 Page Indicators on 1240 Series Access Points Page Indicators on 1250 Access Points Page Indicators on 1260 Series Access Points Page Indicators on 1300 Outdoor Access Point/Bridges 1300 Series AP Mode LED Indications Page Power Injector Checking Power Low Power Condition Checking Basic Settings SSID WEP Keys Security Settings Resetting to the Default Configuration Using the MODE Button Using the Web Browser Interface Using the CLI Reloading the Access Point Image Using the MODE button Using the Web Browser Interface Browser HTTP Interface Browser TFTP Interface Using the CLI Obtaining the Access Point Image File Obtaining TFTP Server Software Image Recovery on the 1520 Access Point Page 22-32 Note If the ENABLE_BREAK=no environmental variable is set, you will not be able to escape to the bootloader. tftpd32 installed. Step9 Copy the image using TFTP to the 1520 access points flash: 22-33 Page A Protocol Filters Page Page Page Page Page B Supported MIBs MIB List Using FTP to Access the MIB Files C Error and Event Messages Conventions Software Auto Upgrade Messages Page Association Management Messages Unzip Messages System Log Messages 802.11 Subsystem Messages Page Page Page Page Page Page Page Page Page Page Page Page Inter-Access Point Protocol Messages Local Authenticator Messages Page WDS Messages Mini IOS Messages Access Point/Bridge Messages Cisco Discovery Protocol Messages External Radius Server Error Messages LWAPP Error Messages Sensor Messages SNMP Error Messages SSH Error Messages Page Page GLOSSARY A B C D E F G I M O P Q S T U W