Manuals / Cisco Systems / Computer Equipment / Network Router

Cisco Systems OL-17037-01 Authorizing Access Points Using LSCs, Using the GUI to Configure LSC

Models: OL-17037-01

1 80

Download 80 pages 30.82 Kb

Page 19

Authorizing Access Points Using LSCs

Chapter 7 Controlling Lightweight Access Points

Autonomous Access Points Converted to Lightweight Mode

Authorizing Access Points Using LSCs

You can use an LSC if you want your own public key infrastructure (PKI) to provide better security, to have control of your certificate authority (CA), and to define policies, restrictions, and usages on the generated certificates.

The LSC CA certificate is installed on access points and controllers. You need to provision the device certificate on the access point. The access point gets a signed X.509 certificate by sending a certRequest to the controller. The controller acts as a CA proxy and receives the certRequest signed by the CA for the access point.

Note Access points that are configured for bridge mode are not supported.

Using the GUI to Configure LSC

Using the controller GUI, follow these steps to enable the use of LSC on the controller.

Step 1 Click Security > Certificate > LSC to open the Local Significant Certificates (LSC) page (see Figure 7-5).

Figure 7-5 Local Significant Certificates (LSC) Page

Step 2 Click the General tab.

Step 3 To enable LSC on the system, check the Enable LSC on Controller check box.

Step 4 In the CA Server URL field, enter the URL to the CA server. You can enter either a domain name or an IP address.

Step 5 In the Params fields, enter the parameters for the device certificate. The key size is a value from 384 to 2048 (in bits), and the default value is 2048.

Step 6 Click Apply to commit your changes.

		Cisco Wireless LAN Controller Configuration Guide
		Cisco Wireless LAN Controller Configuration Guide
	OL-17037-01			7-19
	OL-17037-01			7-19

Image 19

Cisco Systems OL-17037-01 manual Authorizing Access Points Using LSCs, Using the GUI to Configure LSC, 7-19

Contents

Embedded Access Points, page Access Point Communication Protocols, pageConfiguring Global Credentials for Access Points, page Configuring Authentication for Access Points, pageGuidelines for Using CAPWAP Access Point Communication ProtocolsThe Controller Discovery Process with one discovery type CAPWAP or LWAPP exceeds the maximum discovery count and the access point does not receive a discovery response, the discovery type changes to the other type. For example, if the access point does not discover the controller in LWAPP, it starts the discovery process in CAPWAP config network master-base enable Verifying that Access Points Join the ControllerUsing the GUI to Verify that Access Points Join the Controller Using the CLI to Verify that Access Points Join the ControllerViewing CAPWAP MTU Information Configuring Global Credentials for Access PointsDebugging CAPWAP Figure 7-1 Global Configuration Page Using the GUI to Configure Global Credentials for Access PointsStep 6 Click Save Configuration to save your changes show ap summary Using the CLI to Configure Global Credentials for Access Pointssave config show ap config general CiscoAPlwapp ap dot1x username username password password Configuring Authentication for Access Points7-10 Using the GUI to Configure Authentication for Access PointsFigure 7-3 Global Configuration Page Cisco Wireless LAN Controller Configuration Guide 7-11Figure 7-4 All APs Details for Credentials Page 7-12 Using the CLI to Configure Authentication for Access Pointsconfig ap dot1xuser add username user password password all config ap dot1xuser add username user password password CiscoAPshow ap summary config ap dot1xuser disable all CiscoAP7-13 show ap config general CiscoAPSwitchconfig# aaa authentication dot1x default group radius Embedded Access PointsConfiguring the Switch for Authentication Switch# configure terminal Switchconfig# dot1x system-auth-controloption 43 hex controlleripaddressinhex dns-server ipaddress default-router ipaddressip dhcp pool poolname network ipaddress subnetmaskAutonomous Access Points Converted to Lightweight Mode Guidelines for Using Access Points Converted to Lightweight Modehtml 7-16Using a Controller to Return to a Previous Release Reverting from Lightweight Mode to Autonomous Mode7-17 7-18 Authorizing Access PointsAuthorizing Access Points Using SSCs Authorizing Access Points Using MICsUsing the GUI to Configure LSC Authorizing Access Points Using LSCs7-19 config certificate lsc ca-cert add delete Using the CLI to Configure LSCconfig certificate lsc enable disable config certificate lsc ca-server http//urlport/path7-21 config certificate lsc ap-provision auth-list add APmacaddrconfig certificate lsc ap-provision revert-cert retries show certificate lsc summaryshow certificate lsc ap-provision Using the GUI to Authorize Access Points7-22 show auth-list Using the CLI to Authorize Access Pointsconfig auth-list ap-policy mic ssc lsc enable disable config auth-list add mic ssc lsc apmac apkeyVCI String Using DHCP Option 43 and DHCP OptionTroubleshooting the Access Point Join Process Access PointYou can view join-related information for the following numbers of access points 7-25show ap join stats summary all Configuring the Syslog Server for Access PointsViewing Access Point Join Information show ap config globalInformation similar to the following appears 7-27where apmac is the MAC address of the 802.11 radio interface Chapter 7 Controlling Lightweight Access Points7-28 Converted Access Points Send Crash Information to ControllerConverted Access Points Send Radio Core Dumps to Controller debug ap enable disable command cmd CiscoAP7-29 Using the CLI to Retrieve Radio Core DumpsUsing the GUI to Upload Radio Core Dumps show ap crash-filetransfer upload datatype radio-core-dump Using the CLI to Upload Radio Core Dumpstransfer upload username username transfer upload password password transfer upload mode tftp ftpUsing the GUI to Upload Access Point Core Dumps Uploading Memory Core Dumps from Converted Access Points7-31 save config Display of MAC Addresses for Converted Access PointsUsing the CLI to Upload Access Point Core Dumps 7-327-33 Supporting Oversized Access Point Imagesconfig ap reset-button enable disable ap-name all config ap static-ip enable ap-name ip-address mask gateway7-34 Cisco Workgroup Bridges7-35 Guidelines for Using WGBsexit end 7-36configure terminal bridge bridge-group-number aging-time seconds7-37 Sample WGB ConfigurationUsing the GUI to View the Status of Workgroup Bridges show dot11 associationFigure 7-11 Clients Detail Page 7-38Clients Page Figure 7-12 WGB Wired Clients Page 7-39Figure 7-13 Clients Detail Page debug dot11 mobile enable debug dot11 state enable Using the CLI to View the Status of Workgroup BridgesUsing the CLI to Debug WGB Issues debug dhcp message enable debug dhcp packet enable7-41 Configuring Backup Controllers7-42 Using the GUI to Configure Backup ControllersFigure 7-14 Global Configuration Page Figure 7-15 All APs Details for High Availability Page 7-43config ap tertiary-base controllername CiscoAP controlleripaddress Using the CLI to Configure Backup Controllersconfig ap primary-base controllername CiscoAP controlleripaddress config ap secondary-base controllername CiscoAP controlleripaddressshow advanced timers config advanced timers ap-discovery-timeout intervalconfig advanced timers auth-timeout interval show ap config general CiscoAP show advanced backup-controllerUsing the GUI to Configure Failover Priority for Access Points Configuring Failover Priority for Access Points7-46 Step 3 Click Apply to commit your changes 7-47save config Using the CLI to Configure Failover Priority for Access PointsUsing the CLI to View Failover Priority Settings 7-48Guidelines for Configuring Multiple Country Codes Configuring Country Codes7-49 b. Uncheck the 802.11a Network Status check box Using the GUI to Configure Country Codesa. Click Wireless 802.11a/n Network d. Click Wireless 802.11b/g/n NetworkFigure 7-19 All APs Details for Advanced Page 7-51show country supported Using the CLI to Configure Country Codesconfig 802.11a disable network config 802.11b disable network config country code1,code2,code3Configuring Country Codes show country channels7-53 Chapter 7 Controlling Lightweight Access Pointssave config config 802.11a enable network config 802.11b enable network7-54 config 802.11a enable network config 802.11b enable networkJ52 = 34 5170 MHz, 38 5190 MHz, 42 5210 MHz, 46 5230 MHz 7-55show ap migrate Migrating Access Points to the -U Regulatory Domainconfig country J3 Guidelines for Migrationshow ap migrate config ap migrate j52w52 all apname7-57 config 802.11a enable network config 802.11b enable networkChannel Using the W56 Band in JapanMaximum Power for Dynamic Frequency SelectionUsing the GUI to Optimize RFID Tracking on Access Points Optimizing RFID Tracking on Access Points7-59 Figure 7-20 802.11b/g/n Cisco APs Configure Page 7-607-61 Using the CLI to Optimize RFID Tracking on Access Pointsconfig ap monitor-mode tracking-opt CiscoAP config 802.11b enable CiscoAPshow ap monitor-mode summary Configuring Probe Request Forwardingconfig advanced probe filter enable disable config advanced probe limit numprobes intervalThe orderable product identifier PID 7-637-64 Performing a Link Test7-65 Using the GUI to Perform a Link TestThis page shows the results of the CCX link test 7-66config linktest num-of-frame numberoflink-testrequestframespertest Configuring Link LatencyUsing the CLI to Perform a Link Test config linktest frame-size sizeoflink-testframes7-68 Using the GUI to Configure Link LatencyFigure 7-25 All APs Details for Advanced Page config ap link-latency enable disable CiscoAP all Using the CLI to Configure Link Latency7-69 show ap config general CiscoAP Configuring Power over Ethernetconfig ap link-latency reset CiscoAP 7-707-71 Using the GUI to Configure Power over EthernetStep 3 Perform one of the following 7-72config ap power injector enable CiscoAP all switchportmacaddress Using the CLI to Configure Power over Ethernetconfig ap power injector enable CiscoAP all installed config ap power injector enable CiscoAP all overrideViewing Clients Configuring Flashing LEDsUsing the GUI to View Clients debug ap command “led flash seconds” CiscoAPThe MAC address of the client 7-757-76 Radio Type-Choose 802.11a, 802.11b, 802.11g, 802.11n, or MobileFigure 7-29 Clients Detail Page 7-77Chapter 7 Controlling Lightweight Access Points Viewing Clients Cisco Wireless LAN Controller Configuration Guide7-78 Using the CLI to View ClientsCisco Wireless LAN Controller Configuration Guide 7-79Chapter 7 Controlling Lightweight Access Points Viewing Clients DisabledOL-17037-01 7-80Chapter 7 Controlling Lightweight Access Points Viewing Clients Cisco Wireless LAN Controller Configuration Guide