Cisco Systems OL-6415-04 guide

Chapter 8 Configuring VLANs

Configuring VLANs

new cipher suite. Currently, the WPA protocol does not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless LAN.

The VLAN-mapping process consists of these steps:

1.A client device associates to the access point using any SSID configured on the access point.

2.The client begins RADIUS authentication.

3.When the client authenticates successfully, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.

These are the RADIUS user attributes used for vlan-id assignment. Each attribute must have a common tag value between 1 and 31 to identify the grouped relationship.

•IETF 64 (Tunnel Type): Set this attribute to VLAN

•IETF 65 (Tunnel Medium Type): Set this attribute to 802

•IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id

Viewing VLANs Configured on the Access Point

In privileged EXEC mode, use the show vlan command to view the VLANs that the access point supports. This is sample output from a show vlan command:

Virtual LAN ID: 1 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interfaces: Dot11Radio0

FastEthernet0

Virtual-Dot11Radio0

This is configured as native Vlan for the following interface(s) :

Dot11Radio0

FastEthernet0

Virtual-Dot11Radio0

Protocols Configured:	Address:		Received:	Transmitted:
Bridging	Bridge Group 1		201688	0
Bridging	Bridge	Group 1	201688	0
Bridging	Bridge	Group 1	201688	0

Virtual LAN ID: 2 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interfaces: Dot11Radio0.2

FastEthernet0.2

Virtual-Dot11Radio0.2

Protocols Configured:

Address:

Received:

Transmitted:

Cisco Wireless ISR and HWIC Access Point Configuration Guide

8-8	OL-6415-04

Image 134

Cisco Systems OL-6415-04 manual Viewing VLANs Configured on the Access Point

Contents

Corporate Headquarters Text Part Number 0L-6415-04Page N T E N T S Ssid Configuration Methods Supported by Cisco IOS Releases Creating Cipher Suites Protocol Filters Local Authenticator Messages Contents Cisco Wireless Router and Hwic Configuration Guide Purpose PrefaceAudience Preface provides information on the following topics Organization Conventions Preface Conventions Related Publications Cisco Product Document Title Obtaining Documentation Cisco.com Ordering Documentation Documentation FeedbackProduct Documentation DVD Reporting Security Problems in Cisco Products Cisco Product Security Overview Cisco Technical Support & Documentation Website Submitting a Service RequestObtaining Technical Assistance Definitions of Service Request Severity Obtaining Additional Publications and Information Preface Obtaining Additional Publications and Information Wireless Device Management Overview Network Configuration Example Root Unit on a Wired LAN Features Overview Features Overview Overview Cisco Wireless Router and Hwic Configuration Guide Configuring Radio Settings Roles in Radio Network Command PurposeEnabling the Radio Interface Cisco Role in Radio Network Eries ISRs Configuring Network or Fallback Role Following is a sample of a Root Bridge Configuration Bridge Features Not SupportedSample Bridging Configuration Following is a sample of Non-Root Bridge Configuration Interface Dot11Radio0/1/0 no ip address Universal Client Mode Configuring Universal Client Mode Virtual interface to aid NAT translation Following configuration is supported on NATNAT Network Address Translation No service password-encryption Hostname C1803WUC Configuring Radio Data Rates Configuring Radio Settings Configuring Radio Data Rates 11.0 2.0 5.5 basic-1.0 Throughput ofdm defaultSpeed 2.0 5.5 6.0 9.0 DBm Configuring Radio Transmit PowerEnd Return to privileged Exec mode 100 125 150 200 250 5 6 7 10 13 15 17 Limiting the Power Level for Associated Client DevicesPower local Maximum 20 30 50 100 maximum Configuring Radio Channel SettingsPower client 10 20 30 50 Maximum Regulatory Domains Identifier MHz CenterChannel 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472 2484 Channel DFS Automatically Enabled on Some 5-GHz Radio Channels GHz Channels on Which DFS is Automatically Enabled This example shows how to unblock all frequencies for DFS Enabling and Disabling World ModeConfirming that DFS is Enabled Blocking Channels from DFS Selection Enabling and Disabling Short Radio Preambles Diversity left right Configuring Transmit and Receive AntennasAntenna receive Antenna transmit No dot11 extension aironet Disabling and Enabling Access Point ExtensionsDisable Access Point extensions Set the encapsulation transformation method to RFC1042 Snap or 802.1h dot1h, the default settingPayload-encapsulation Snap dot1h Bridge-group group port-protected Configure terminal Enter global configuration modeEnable Pspf Configuring Beacon Period and Dtim Configuring Protected Ports Rts threshold value Configuring RTS Threshold and RetriesConfiguring Maximum Data Retries Rts retries value Enabling Short Slot Time for 802.11g Radios Configuring Fragmentation ThresholdBytes for the 2.4-GHz radio. Enter a setting from 256 to Fragment-threshold value Performing a Carrier Busy Test OL-6415-04 Configuring Multiple SSIDs Vlan Ssid Configuration Methods Supported by Cisco IOS ReleasesUnderstanding Multiple SSIDs Configuring Multiple SSIDs Creating an Ssid Globally Command Purpose Using Spaces in SSIDs Using a Radius Server to Restrict SSIDsViewing SSIDs Configured Globally Guidelines for Using Multiple BSSIDs Configuring Multiple Basic SSIDsRequirements for Configuring Multiple BSSIDs Enabling Mbssid and Ssidl at the same time CLI Configuration ExampleDisplaying Configured BSSIDs Information-element ssidl Below is a sample configuration for enabling Mbssid Sample Configuration for Enabling Mbssid and SsidlUse the no form of the command to disable Ssidl IEs Below is a sample configuration for enabling Ssidl Interface Dot11Radio0/0/0 no ip address OL-6415-04 Configuring an Access Point as a Local Authenticator Understand Local Authentication Configure a Local Authenticator Configuring the Local Authenticator Access Point Guidelines for Local AuthenticatorsConfiguration Overview Aaa new-model Enable AAA Vlan vlan Reauthentication time secondsRadius-server local Ssid ssid Password nthash password Mac-auth-only This example shows how to set up EAP-FAST authentication End Routerconfig# aaa new-model Configuring EAP-FAST Settings Configuring PAC Settings Possible PAC Failures Caused by Access Point Clock Configuring an Authority IDConfiguring Server Keys This example shows local authenticator statistics Limiting the Local Authenticator to One Authentication TypeViewing Local Authenticator Statistics Unblocking Locked Usernames Using Debug Messages Configuring Encryption Types Understand Encryption Types, Configure Encryption Types, Understand Encryption Types Configure Encryption Types Creating WEP Keys Encryption Security Configuration WEP Key RestrictionWEP Key Restrictions Key Creating Cipher Suites Example WEP Key SetupAccess Point Associated Device Slot Transmit? Key Contents Cipher Suites Compatible with WPA WPA Enabling and Disabling Broadcast Key RotationCompatible Cipher Suites Security Type in Universal Client Mode Security WEP 40-bit WEP 128-bit Universal client configurationTkip AES TKIP+AES Debugging Caveats WEP OL-6415-04 Configuring Authentication Types Understand Authentication Types Open Authentication to Access Point Shared Key Authentication to Access Point Traffic from client EAP Authentication to Network Sequence for EAP Authentication MAC Address Authentication to the Network Combining MAC-Based, EAP, and Open Authentication Using WPA Key Management 5shows the WPA key management process Third Party Host Supplicant WPA-PSK Mode Windows XP YesSoftware and Firmware Requirements for WPA and WPA-TKIP Protocol Required? Systems Configure Authentication Types Assigning Authentication Types to an Ssid Mac-address list-name alternate Authentication openOptional Set the authentication type to open for this Ssid Optional eap list-name Authentication key-management Authentication sharedAuthentication network-eap Mac-address list-name Configuring WPA Migration Mode Configuring Additional WPA Settings Wpa-psk hex ascii 0 Configuring MAC Authentication Caching Dot1x reauth-period seconds Dot1x client-timeout secondsDot11 holdoff-time seconds Server Tkip clients on that interface for the holdtime period Security Feature Client Setting Access Point SettingDetects two MIC failures within 60 seconds, it blocks all WPA-PSK Security Feature Client Setting Access Point Setting Configuring Radius Servers Configuring and Enabling Radius Understanding Radius Radius Operation Configuring Radius Default Radius Configuration Identifying the Radius Server Host Radius-server timeout command is used Acct-port port-number timeoutPort for authentication requests.Optional For acct-port Radius-server host hostname Configuring Radius Login Authentication Show running-config Verify your entries Authentication login command Aaa authentication login defaultLogin authentication default Include-in-access-req format %h Defining AAA Server Groups Aaa group server radius group-name Port for authentication requestsPort for accounting requests Define the AAA server-group with a group name Radius Starting Radius Accounting Option MAC Address Example Configuring Settings for All Radius ServersSelecting the Csid Format Show running-config Verify your settings Radius-server host hostname ip-address non-standard AuthenticationRadius-server vsa send accounting Configuring WISPr Radius Attributes Radius-server key string Displaying the Radius Configuration Snmp-server location location Radius Attributes Sent by the Access Point Attribute ID Description VLAN-ID Acct-Terminate-Cause VSA attribute NAS-Location Disc-Cause-Ext Configuring VLANs Understanding VLANs LAN and Vlan Segmentation with Wireless Devices Related Documents Configuring VLANs Incorporating Wireless Devices into VLANs Configuring a Vlan Interface dot11radio 0.x Encapsulation dot1q vlan-id Assigning Names to VLANs Using a Radius Server to Assign Users to VLANsGuidelines for Using Vlan Names Creating a Vlan Name Viewing VLANs Configured on the Access Point Vlan Configuration Example Ssid Vlan ID Configuring Vlan Vlan 1 Interfaces Vlan 2 Interfaces Vlan 3 Interfaces Configuring VLANs Vlan Configuration Example OL-6415-04 Configuring QoS Understanding QoS for Wireless LANs, Configuring QoS, Impact of QoS on a Wireless LAN Understanding QoS for Wireless LANsQoS for Wireless LANs Versus QoS on Wired LANs Precedence of QoS Settings Upstream and Downstream Traffic Flow Using Wi-Fi Multimedia Mode Adjusting Radio Access Categories Configuring QoSConfiguration Guidelines Fixed Slot Time Sample Configuration Using the CLI Disabling Igmp Snooping Helper Center Frequency Americas Channel SettingsIeee 802.11b 2.4-GHz Band Japan Center Regulatory Domains Ieee 802.11g 2.4-GHz BandIeee 802.11a 5-GHz Band Americas -A Emea -E Japan -J Frequency Frequency North America OL-6415-04 Protocol Filters Protocol TCP IcmpIgmp EGP PUP Chaos ISO Designator POP3 TsapPOP2 IMAP2 Uucp RIPRPC CVS IEEE802dot11-MIB Supported MIBsMIB List Using FTP to Access the MIB Files RFC1213-MIB RFC1398-MIB SNMPv2-MIB SNMPv2-SMI SNMPv2-TC This appendix lists the CLI error and event messages Error and Event MessagesHow to Read System Messages Level Description Message Traceback Reports Explanation a station associated to an access pointExplanation a station disassociated from an access point Association Management Messages Subsystem Messages Recommended Action None Explanation The device has begun its DFS scanning process Recommended Action None Error Message DOT11-4-RMINCAPABLE Interface interface Recommended Action Reload the system Error Message DOT11-4-CANTASSOC Cannot associate characters Recommended Action None Recommended Action Local Authenticator Messages Access Point Network with wireless stationsWireless network composed of stations without Access Points Operating in the 2.4-GHz band Hoc mode GL-2 An antenna that radiates its signal in a spherical pattern LAN 802.11 specificationsWired Ethernet network Corresponding IP addresses Transmission at 6, 9, 12, 18, 24, 36, 48, and 54 Mbps Transmission at 2 Mbps While maintaining an unbroken connection to the LAN That of a cable 802.1X for authenticated key management Wireless MultiMediaComputing device with an installed client adapter EAP AES-CCMP EAP-FAST 1 IN-2 FTP Leap Qbss Names, Vlan Network-EAPOfdm Regulatory Domains Guest mode Multiple SSIDs Support Using spacesLocal authentication Names Ssid 4 Vlan command 4 Radius RFC World-mode command WPA migration mode Wpa-psk command IN-7 IN-8 IN-9 IN-10 IN-11 IN-12 IN-13 IN-14