Cisco Systems OL-6415-04 manual


A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for the Cisco Systems OL-6415-04 along with the item. A missing instruction, or false information given to the customer, constitutes grounds for a complaint of nonconformity of the goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately, graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unmistakable and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction for the Cisco Systems OL-6415-04 one can find a process description. An instruction's purpose is to teach and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a clue.

Unfortunately, only a few customers devote time to reading the instruction for the Cisco Systems OL-6415-04. A good user manual introduces us to a number of additional functions of the purchased item and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the Cisco Systems OL-6415-04 should contain:
- information concerning the technical data of the Cisco Systems OL-6415-04
- name of the manufacturer and year of construction of the Cisco Systems OL-6415-04 item
- rules of operation, control and maintenance of the Cisco Systems OL-6415-04 item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from certainty about the functions of purchased items. Unfortunately, connecting and starting up the Cisco Systems OL-6415-04 alone is not enough. An instruction contains a number of clues concerning particular functions, safety rules, maintenance methods (what means should be used), possible defects of the Cisco Systems OL-6415-04, and methods of problem resolution. Finally, when one still can't find the answer to a problem, one will be directed to the Cisco Systems service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer becomes familiar with the whole material and doesn't skip complicated, technical information about the Cisco Systems OL-6415-04.

Why should one read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the Cisco Systems OL-6415-04 item and its use with particular accessories, as well as information concerning all its functions and facilities.

After a successful purchase, one should take a moment to get to know every part of the instruction. Currently, manuals are carefully prepared and translated so that they can be fully understood by their users. The manuals serve as an informational aid.

Table of contents for the manual

  • Page 1

    Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Cisco Wireless ISR and HWIC Access Point Configuration Guide December 2006 Text Part Number: OL-6415-04[...]

  • Page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY P[...]

  • Page 3

    3 Cisco Wireless Router and HWIC Configuration Guide OL-6415-04 CONTENTS Preface 9 Audience 9 Purpose 9 Organization 10 Conventions 10 Related Publications 12 Obtaining Documentation 13 Cisco.com 13 Product Documentation DVD 14 Ordering Documentation 14 Documentation Feedback 14 Cisco Product Security Overview 15 Reporting Security Problems in[...]

  • Page 4

    Contents 4 Cisco Wireless Router and HWIC Configuration Guide OL-6415-04 Configuring Universal Client Mode 7 Configuring Radio Data Rates 10 Configuring Radio Transmit Power 12 Limiting the Power Level for Associated Client Devices 13 Configuring Radio Channel Settings 14 DFS Automatically Enabled on Some 5-GHz Radio Channels 19 Enabling and Di[...]

  • Page 5

    Contents 5 Cisco Wireless Router and HWIC Configuration Guide OL-6415-04 Configuration Overview 3 Configuring the Local Authenticator Access Point 3 Configuring Other Access Points to Use the Local Authenticator 8 Configuring EAP-FAST Settings 9 Limiting the Local Authenticator to One Authentication Type 11 Unblocking Locked Usernames 11 Viewi[...]

  • Page 6

    Contents 6 Cisco Wireless Router and HWIC Configuration Guide OL-6415-04 RADIUS Attributes Sent by the Access Point 18 CHAPTER 8 Configuring VLANs 1 Understanding VLANs 2 Related Documents 3 Incorporating Wireless Devices into VLANs 4 Configuring VLANs 4 Configuring a VLAN 5 Assigning Names to VLANs 7 Using a RADIUS Server to Assign Users to VL[...]

  • Page 7

    Contents 7 Cisco Wireless Router and HWIC Configuration Guide OL-6415-04 Message Traceback Reports 2 Association Management Messages 2 802.11 Subsystem Messages 3 Local Authenticator Messages 12 GLOSSARY INDEX[...]

  • Page 8

    Contents 8 Cisco Wireless Router and HWIC Configuration Guide OL-6415-04[...]

  • Page 9

    9 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Preface The Preface provides information on the following topics: • Audience • Purpose • Organization • Related Publications • Obtaining Documentation Audience This guide is for the networking professional who installs and manages Cisco stationary routers[...]

  • Page 10

    10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Preface Organization Organization This guide consists of the following chapters: Chapter 1, “Overview,” lists the software and hardware features of the wireless device and describes the role of the wireless device in your network. Chapter 2, “Configuring Radi[...]

  • Page 11

    11 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Preface Conventions Interactive examples use these conventions: • Terminal sessions and system displays are in screen font. • Information you enter is in boldface screen font. • Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).[...]

  • Page 12

    12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Preface Related Publications Related Publications Related Cisco technical documentation include the following: Warnung Dieses Warnsymbol bedeutet Gefahr. Sie befinden sich in einer Situation, die zu einer Körperverletzung führen könnte. Bevor Sie mit der Arbeit an i[...]

  • Page 13

    13 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Preface Obtaining Documentation Obtaining Documentation Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain te[...]

  • Page 14

    14 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Preface Documentation Feedback You can access the Cisco website at this URL: http://www.cisco.com You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml Product Documentation DVD Cisco documentation and addit[...]

  • Page 15

    15 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Preface Cisco Product Security Overview You can send comments about Cisco documentation to bug-doc@cisco.com. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Syst[...]

  • Page 16

    16 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Preface Obtaining Technical Assistance Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL: htt[...]

  • Page 17

    17 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Preface Obtaining Additional Publications and Information For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.)[...]

  • Page 18

    18 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Preface Obtaining Additional Publications and Information • iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The p[...]

  • Page 19

    CHAPTER 1-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 1 Overview Cisco wireless devices provide a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco[...]

  • Page 20

    1-2 Cisco Wireless Router and HWIC Configuration Guide OL-6415-04 Chapter 1 Overview Network Configuration Example Network Configuration Example This section describes the wireless device role in common wireless network configurations. The access point default configuration is as a root unit connected to a wired LAN or as the central unit in[...]

  • Page 21

    1-3 Cisco Wireless Router and HWIC Configuration Guide OL-6415-04 Chapter 1 Overview Features Features This section lists features supported on access points running Cisco IOS software. • Access Point Link Role Flexibility—This feature allows the user to configure root and non-root bridging mode functionality, universal client mode, an[...]

  • Page 22

    1-4 Cisco Wireless Router and HWIC Configuration Guide OL-6415-04 Chapter 1 Overview Features • VLANs—Assign VLANs to the SSIDs on the wireless device (one VLAN per SSID) to differentiate policies and services among users. • QoS—Use this feature to support quality of service for prioritizing traffic from the Ethernet to the acces[...]

  • Page 23

    1-5 Cisco Wireless Router and HWIC Configuration Guide OL-6415-04 Chapter 1 Overview • Microsoft WPS IE SSIDL—This feature allows the access point to broadcast a list of configured SSIDs (the SSIDL) in the Microsoft Wireless Provisioning Services Information Element (WPS IE). A client with the ability to read the SSIDL can alert the user [...]

  • Page 24

    1-6 Cisco Wireless Router and HWIC Configuration Guide OL-6415-04 Chapter 1 Overview[...]

  • Page 25

    CHAPTER 2-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 2 Configuring Radio Settings This chapter describes how to configure radio settings for the wireless device. This chapter includes these sections: • Enabling the Radio Interface, page 2-2 • Roles in Radio Network, page 2-2 • Configuring Network o[...]

  • Page 26

    2-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Enabling the Radio Interface Enabling the Radio Interface The wireless device radios are disabled by default. Note In Cisco IOS Release 12.4 there is no default SSID. You must create a Radio Service Set Identifier (SSID) before[...]

  • Page 27

    2-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Network or Fallback Role Configuring Network or Fallback Role You can also configure a fallback role for root access points. The wireless device automatically assumes the fallback role when its Ethernet port is disabled o[...]

  • Page 28

    2-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Network or Fallback Role Bridge Features Not Supported The following features are not supported when a Cisco ISR series access point is configured as a bridge: • Clear Channel Assessment (CCA) • Interoperability with [...]

  • Page 29

    2-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Network or Fallback Role ip address 30.0.0.1 255.0.0.0 duplex auto speed auto ! interface Dot11Radio0/0/0 no ip address ! encryption vlan 1 mode ciphers tkip ! ssid airlink2-bridge ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9[...]

  • Page 30

    2-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Network or Fallback Role ! resource policy ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ! dot11 ssid airlink2-bridge vlan 1 authentication open authentication key-management wpa wpa-psk a[...]

  • Page 31

    2-7 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Universal Client Mode line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 login ! ! webvpn context Default_context ssl authenticate verify all ! no inservice ! end Universal Client Mode Universal client mode is a wireless radio statio[...]

  • Page 32

    2-8 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Universal Client Mode c2801(config-if)#station-role ? non-root Non-root (bridge) root Root access point or bridge c2801(config-if)#station-role non-root ? bridge Bridge non-root This CLI enables non-root bridge mode. <cr[...]

  • Page 33

    2-9 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Universal Client Mode no service password-encryption ! hostname C1803W_UC ! boot-start-marker boot-end-marker ! logging buffered 4096 debugging no logging console ! no aaa new-model ! resource policy ! ! dot11 ssid hurricane[...]

  • Page 34

    2-10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Radio Data Rates ! encryption mode ciphers tkip ! ssid hurricane ! speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 station-role non-root ! End Configuring Radio Data Rates You use the data rate settings to [...]

  • Page 35

    2-11 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Radio Data Rates Step 3 speed These options are available for the 802.11b, 2.4-GHz radio: {[ 1.0 ] [ 11.0 ] [ 2.0 ] [ 5.5 ] [ basic-1.0 ] [ basic-11.0 ] [ basic-2.0 ] [ basic-5.5 ] | range | throughput } These optio[...]

  • Page 36

    2-12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Radio Transmit Power Use the no form of the speed command to remove one or more data rates from the configuration. This example shows how to remove data rates basic-2.0 and basic-5.5 from the configuration: router[...]

  • Page 37

    2-13 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Radio Transmit Power Beginning in privileged EXEC mode, follow these steps to set the transmit power on access point radios: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interfac[...]

  • Page 38

    2-14 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Radio Channel Settings Use the no form of the client power command to disable the maximum power level for associated clients. Note Access Point extensions must be enabled to limit the power level on associated cl[...]

  • Page 39

    2-15 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Radio Channel Settings Beginning in privileged EXEC mode, follow these steps to set the wireless device’s radio channel: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface d[...]

  • Page 40

    2-16 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Radio Channel Settings Table 2-4 shows the available frequencies for the 802.11g 2.4 GHz radio. Table 2-4 Channels and Available Frequencies for 802.11g 2.4 GHz Radio Channel Identifier Center Frequency[...]

  • Page 41

    2-17 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Radio Channel Settings 13 2472 – – X X X X 14 2484 – – – – X – Channel Identifier Center Frequency (MHz) Regulatory Domains Americas (–A) EMEA (–N) Japan (–P) CCK OFDM CCK OFDM CCK OFDM[...]

  • Page 42

    2-18 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Radio Channel Settings Table 2-6 shows the available frequencies for the RM21A and RM22A IEEE 802.11a 5-GHz radios. Table 2-6 Channels and Available Frequencies for the 802.11a 5-GHz Radios Channel ID Ce[...]

  • Page 43

    2-19 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Radio Channel Settings DFS Automatically Enabled on Some 5-GHz Radio Channels Access points with 5-GHz radios configured at the factory for use in Europe now comply with regulations that require radio devices to use Dyna[...]

  • Page 44

    2-20 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Enabling and Disabling World Mode Confirming that DFS is Enabled Use the show controller dot11radio1 command to confirm that DFS is enabled. This example shows a line from the output for the show controller command for a chann[...]

  • Page 45

    2-21 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Enabling and Disabling Short Radio Preambles Beginning in privileged EXEC mode, follow these steps to enable world mode: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | [...]

  • Page 46

    2-22 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Transmit and Receive Antennas Short preambles are enabled by default. Use the preamble-short command to enable short preambles if they are disabled. Configuring Transmit and Receive Antennas You can select the anten[...]

  • Page 47

    2-23 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Disabling and Enabling Access Point Extensions Disabling and Enabling Access Point Extensions By default, the wireless device uses Cisco Access Point extensions to detect the capabilities of Cisco Access Point client devices and to[...]

  • Page 48

    2-24 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Enabling and Disabling Reliable Multicast to Workgroup Bridges Beginning in privileged EXEC mode, follow these steps to configure the encapsulation transformation method: Command Purpose Step 1 configure terminal Enter global c[...]

  • Page 49

    2-25 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Enabling and Disabling Public Secure Packet Forwarding Beginning in privileged EXEC mode, follow these steps to configure the encapsulation transformation method: Command Purpose Step 1 configure terminal Enter global configura[...]

  • Page 50

    2-26 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Beacon Period and DTIM Use the no form of the command to disable PSPF. Configuring Protected Ports To prevent communication between client devices associated to different access points on your wireless LAN, you must[...]

  • Page 51

    2-27 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring RTS Threshold and Retries Configuring RTS Threshold and Retries The RTS threshold determines the packet size at which the wireless device issues a request to send (RTS) before sending the packet. A low RTS Thresh[...]

  • Page 52

    2-28 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Configuring Fragmentation Threshold Use the no form of the command to reset the setting to defaults. Configuring Fragmentation Threshold The fragmentation threshold determines the size at which packets are fragmented (sent as se[...]

  • Page 53

    2-29 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Performing a Carrier Busy Test Performing a Carrier Busy Test You can perform a carrier busy test to check the radio activity on wireless channels. During the carrier busy test, the wireless device drops all associations with wir[...]

  • Page 54

    2-30 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 2 Configuring Radio Settings Performing a Carrier Busy Test[...]

  • Page 55

    CHAPTER 3-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 3 Configuring Multiple SSIDs This chapter describes how to configure and manage multiple service set identifiers (SSIDs) on the access point. This chapter contains the following sections: • Understanding Multiple SSIDs, page 3-2 • Configuring Multiple[...]

  • Page 56

    3-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 3 Configuring Multiple SSIDs Understanding Multiple SSIDs Understanding Multiple SSIDs The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or subnetwork c[...]

  • Page 57

    3-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 3 Configuring Multiple SSIDs Configuring Multiple SSIDs Configuring Multiple SSIDs This section contains configuration information for multiple SSIDs: • Creating an SSID Globally, page 3-3 • Using a RADIUS Server to Restrict SSIDs, page 3-5 Note In Cisco IO[...]

  • Page 58

    3-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 3 Configuring Multiple SSIDs Configuring Multiple SSIDs Note You use the ssid command’s authentication options to configure an authentication type for each SSID. See Chapter 6, “Configuring Authentication Types,” for instructions on configuring a[...]

  • Page 59

    3-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 3 Configuring Multiple SSIDs Configuring Multiple SSIDs Viewing SSIDs Configured Globally Use this command to view configuration details for SSIDs that are configured globally: router# show running-config ssid ssid-string Using Spaces in SSIDs In Cisco IOS Rele[...]

  • Page 60

    3-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 3 Configuring Multiple SSIDs Configuring Multiple Basic SSIDs The allowed list of SSIDs from the RADIUS server are in the form of Cisco VSAs. The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific info[...]

  • Page 61

    3-7 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 3 Configuring Multiple SSIDs Enabling MBSSID and SSIDL at the same time • When multiple BSSIDs are enabled on the access point, the SSIDL IE does not contain a list of SSIDs; it contains only extended capabilities. • Any Wi-Fi certified client device can [...]

  • Page 62

    3-8 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 3 Configuring Multiple SSIDs Enabling MBSSID and SSIDL at the same time Use the no form of the command to disable SSIDL IEs. Sample Configuration for Enabling MBSSID and SSIDL Below is a sample configuration for enabling MBSSID: dot11 ssid 181x_gvlan01 vlan 1[...]

  • Page 63

    3-9 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 3 Configuring Multiple SSIDs Enabling MBSSID and SSIDL at the same time ! dot11 ssid 1841-tkip-psk vlan 2 authentication open authentication key-management wpa wpa-psk ascii 0 12345678 information-element ssidl advertisement ! dot11 ssid 1841-aes-psk vlan 3 authen[...]

  • Page 64

    3-10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 3 Configuring Multiple SSIDs Enabling MBSSID and SSIDL at the same time[...]

  • Page 65

    CHAPTER 4-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 4 Configuring an Access Point as a Local Authenticator This chapter describes how to configure the access point as a local authenticator to serve as a stand-alone authenticator for a small wireless LAN or to provide backup authentication service. As a loc[...]

  • Page 66

    4-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 4 Configuring an Access Point as a Local Authenticator Understand Local Authentication Understand Local Authentication Many small wireless LANs that could be made more secure with 802.1x authentication do not have access to a RADIUS server. On many wireless [...]

  • Page 67

    4-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 4 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator Guidelines for Local Authenticators Follow these guidelines when configuring an access point as a local authenticator: • Use an access point that does not serve a large num[...]

  • Page 68

    4-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 4 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator Step 3 radius-server local Enable the access point as a local authenticator and enter configuration mode for the authenticator. Step 4 nas ip-address key shared-key Add[...]

  • Page 69

    4-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 4 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator This example shows how to set up a local authenticator used by three access points with three user groups and several users: router# configure terminal router(config)# radi[...]

  • Page 70

    4-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 4 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator router(config-radsrv)# user 00095125d02b password 00095125d02b group cashiers router(config-radsrv)# user 00079431f04a password 00079431f04a group cashiers router(config-radsr[...]

  • Page 71

    4-7 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 4 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator ! interface FastEthernet0 no ip address no ip route-cache duplex auto speed auto bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled ! interface [...]

  • Page 72

    4-8 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 4 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator Configuring Other Access Points to Use the Local Authenticator You add the local authenticator to the list of servers on the access point the same way that you add other se[...]

  • Page 73

    4-9 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 4 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator Configuring EAP-FAST Settings The default settings for EAP-FAST authentication are suitable for most wireless LANs. However, you can customize the credential timeout va[...]

  • Page 74

    4-10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 4 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator Configuring an Authority ID All EAP-FAST authenticators are identified by an authority identity (AID). The local authenticator sends its AID to an authenticating client[...]

  • Page 75

    4-11 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 4 Configuring an Access Point as a Local Authenticator Configure a Local Authenticator Limiting the Local Authenticator to One Authentication Type By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication for cli[...]

  • Page 76

    4-12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 4 Configure a Local Authenticator The second section lists stats for each access point (NAS) authorized to use the local authenticator. The EAP-FAST statistics in this section include these stats: • Auto provision success—the number of PACs generate[...]

  • Page 77

    CHAPTER 5-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 5 Configuring Encryption Types This chapter describes how to configure the encryption types required to use WPA authenticated key management, Wired Equivalent Privacy (WEP), AES-CCM, Temporal Key Integrity Protocol (TKIP), and broadcast key ro[...]

  • Page 78

    5-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 5 Configuring Encryption Types Understand Encryption Types Understand Encryption Types This section describes how encryption types protect traffic on your wireless LAN. Just as anyone within range of a radio station can tune to the station's frequency[...]

  • Page 79

    5-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 5 Configuring Encryption Types Configure Encryption Types Note Client devices using static WEP cannot use the access point when you enable broadcast key rotation. When you enable broadcast key rotation, only wireless client devices using 802.1x authenticati[...]

  • Page 80

    5-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 5 Configuring Encryption Types Configure Encryption Types This example shows how to create a 128-bit WEP key in slot 3 for VLAN 22 and sets the key as the transmit key: router# configure terminal router(config)# interface dot11radio 0 router(config-if)# en[...]

  • Page 81

    5-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 5 Configuring Encryption Types Configure Encryption Types Example WEP Key Setup Table 5-2 shows an example WEP key setup that would work for the access point and an associated device: Table 5-2 WEP Key Setup Example Key Slot Access Point Associated Devi[...]

  • Page 82

    5-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 5 Configuring Encryption Types Configure Encryption Types Use the no form of the encryption command to disable a cipher suite. This example sets up a cipher suite for VLAN 22 that enables AES-CCM, and 128-bit WEP. router# configure terminal router(config)# [...]

  • Page 83

    Table 5-3 Cipher Suites Compatible with WPA Authenticated Key Management Types Compatible Cipher Suites WPA • encryption mode ciphers aes-ccm • encryption mode ciphers aes-ccm wep128 • encryption mode ciphers aes-ccm wep40 • encryption mode ciphers aes-ccm tkip • encryption mode ciphers aes-ccm tkip wep128 • encryption mode[...]

  • Page 84

    5-8 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 5 Configuring Encryption Types Configure Encryption Types Use the no form of the encryption command to disable broadcast key rotation. This example enables broadcast key rotation on VLAN 22 and sets the rotation interval to 300 seconds: router# configure t[...]

  • Page 85

    5-9 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 5 Configuring Encryption Types Configure Encryption Types • TKIP • AES • TKIP+AES • WEP 40-bit • WEP 128-bit Universal client configuration ! dot11 ssid test10 authentication open authentication key-management wpa wpa-psk ascii 7 11584B5643475D5B5C737B ![...]

  • Page 86

    5-10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 5 Configuring Encryption Types Configure Encryption Types Debugging To determine if the universal client has associated to the access point, the user can issue the 'show dot11 association all' command for a detailed output of which access point i[...]

  • Page 87

    5-11 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 5 Configuring Encryption Types Configure Encryption Types SSID : symbol VLAN : 0 Hops to Infra : -1 Association Id : 2 Tunnel Address : 0.0.0.0 Key Mgmt type : NONE Encryption : WEP Current Rate : 11.0 Capability : Supported Rates : 1.0 2.0 5.5 11.0 Signal Streng[...]

  • Page 88

    5-12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 5 Configuring Encryption Types Configure Encryption Types[...]

  • Page 89

    CHAPTER 6-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 6 Configuring Authentication Types This chapter describes how to configure authentication types on the access point. This chapter contains these sections: • Understand Authentication Types, page 6-2 • Configure Authentication Types, page 6-9 • Matc[...]

  • Page 90

    6-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Understand Authentication Types Understand Authentication Types This section describes the authentication types that you can configure on the access point. The authentication types are tied to the SSIDs that you configure fo[...]

  • Page 91

    6-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Understand Authentication Types Figure 6-1 Sequence for Open Authentication Access point or bridge with WEP key = 123 Client device with WEP key = 321 1. Authentication request 2. Authentication response 4. Association response[...]

  • Page 92

    6-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Understand Authentication Types EAP Authentication to Network This authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact w[...]

  • Page 93

    6-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Understand Authentication Types There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS [...]

  • Page 94

    6-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Understand Authentication Types Figure 6-4 Sequence for MAC-Based Authentication Access point or bridge Wired LAN Client device Server 1. Authentication request 2. Authentication success 3. Association[...]

  • Page 95

    6-7 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Understand Authentication Types Note Unicast and multicast cipher suites advertised in WPA information element (and negotiated during 802.11 association) may potentially mismatch with the cipher suite supported in an expli[...]

  • Page 96

    6-8 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Understand Authentication Types Software and Firmware Requirements for WPA and WPA-TKIP Table 6-1 lists the firmware and software requirements required on access points and Cisco client devices to support WPA key manage[...]

  • Page 97

    6-9 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Configure Authentication Types Configure Authentication Types This section describes how to configure authentication types. You attach configuration types to the access point’s SSIDs. See Chapter 3, “Configuring Mu[...]

  • Page 98

    6-10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Configure Authentication Types Step 3 authentication open [mac-address list-name [alternate]] [[optional] eap list-name] (Optional) Set the authentication type to open for this SSID. Open authentication allows any de[...]

  • Page 99

    6-11 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Configure Authentication Types Step 4 authentication shared [mac-address list-name] [eap list-name] (Optional) Set the authentication type for the SSID to shared key. Note Because of shared key's security flaws, Ci[...]

  • Page 100

    6-12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Configure Authentication Types Use the no form of the SSID commands to disable the SSID or to disable SSID features. This example sets the authentication type for the SSID batman to Network-EAP authenticated key management[...]

  • Page 101

    6-13 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Configure Authentication Types Configuring Additional WPA Settings Use two optional settings to configure a pre-shared key on the access point and adjust the frequency of group key updates. Setting a Pre-Shared Key To su[...]

  • Page 102

    6-14 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Configure Authentication Types This example shows how to configure a pre-shared key for clients using WPA and static WEP, with group key update options: ap# configure terminal ap(config)# interface dot11radio 0 ap(confi[...]

  • Page 103

    6-15 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Configure Authentication Types Use the no form of the dot11 aaa mac-authen filter-cache command to disable MAC authentication caching. This example shows how to enable MAC authentication caching with a one-hour timeout: [...]

  • Page 104

    6-16 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Matching Access Point and Client Device Authentication Types Use the no form of these commands to reset the values to default settings. Matching Access Point and Client Device Authentication Types To use the authentication[...]

  • Page 105

    6-17 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Matching Access Point and Client Device Authentication Types EAP-FAST authentication with WPA Enable EAP-FAST and Wi-Fi Protected Access (WPA) and enable automatic provisioning or import a PAC file. To allow the clien[...]

  • Page 106

    6-18 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 6 Configuring Authentication Types Matching Access Point and Client Device Authentication Types EAP-MD5 authentication If using ACU to configure card Create a WEP key, enable Host Based EAP, and enable Use Static WEP Keys in ACU and select Enable network[...]

  • Page 107

    CHAPTER 7-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 7 Configuring RADIUS Servers This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), that provides detailed accounting information and flexible administrative control over authentication and author[...]

  • Page 108

    7-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS Configuring and Enabling RADIUS This section describes how to configure and enable RADIUS. These sections describe RADIUS configuration: • Understanding RADIUS, page 7-2 • RADIUS Operation, pa[...]

  • Page 109

    7-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS RADIUS Operation When a wireless user attempts to log in and authenticate to an access point whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in[...]

  • Page 110

    7-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS Configuring RADIUS This section describes how to configure your access point to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the[...]

  • Page 111

    7-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS Identifying the RADIUS Server Host Access point-to-RADIUS-server communication involves several components: • Host name or IP address • Authentication destination port • Accounting destinatio[...]

  • Page 112

    7-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS Step 3 radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] Specify the IP address or host nam[...]

  • Page 113

    7-7 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authen[...]

  • Page 114

    7-8 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global conf[...]

  • Page 115

    7-9 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS Defining AAA Server Groups You can configure the access point to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use [...]

  • Page 116

    7-10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS Step 3 radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] Specify the IP address or host na[...]

  • Page 117

    7-11 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa gr [...]

  • Page 118

    7-12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services: Command Purpose Step 1 configure terminal Enter global conf[...]

  • Page 119

    7-13 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS Selecting the CSID Format You can select the format for MAC addresses in Called-Station-ID (CSID) and Calling-Station-ID attributes in RADIUS packets. Use the dot11 aaa csid global configuration com[...]

  • Page 120

    7-14 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS To return to the default setting for retransmit, timeout, and dead time, use the no forms of these commands. Configuring the Access Point to Use Vendor-Specific RADIUS Attributes The Internet Engi[...]

  • Page 121

    Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server vsa send [accounting | authentication] Enable the access point to recognize and use VSAs as defined by RADIUS IETF attribute 26. • (Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accou[...]

  • Page 122

    7-16 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS To delete the vendor-proprietary RADIUS host, use the no radius-server host {hostname | ip-address} non-standard global configuration command. To disable the key, use the no radius-server [...]

  • Page 123

    7-17 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS Beginning in privileged EXEC mode, follow these steps to specify WISPr RADIUS attributes on the access point: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 sn[...]

  • Page 124

    7-18 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 7 Configuring RADIUS Servers Configuring and Enabling RADIUS RADIUS Attributes Sent by the Access Point Table 7-2 through Table 7-6 identify the attributes sent by an access point to a client in access-request, access-accept, and accounting-request pac[...]

  • Page 125

    Table 7-4 Attributes Sent in Accounting-Request (start) Packets Attribute ID Description 1 User-Name 4 NAS-IP-Address 5 NAS-Port 6 Service-Type 25 Class 41 Acct-Delay-Time 44 Acct-Session-Id 61 NAS-Port-Type VSA (attribute 26) SSID VSA (attribute 26) NAS-Location VSA (attribute 26) Cisco-NAS-Port VSA (attribute 26) Inte[...]

  • Page 126

    Table 7-6 Attributes Sent in Accounting-Request (stop) Packets Attribute ID Description 1 User-Name 4 NAS-IP-Address 5 NAS-Port 6 Service-Type 25 Class 41 Acct-Delay-Time 42 Acct-Input-Octets 43 Acct-Output-Octets 44 Acct-Session-Id 46 Acct-Session-Time 47 Acct-Input-Packets 48 Acct-Output-Packets 49 Acct-Terminate-Cause 61 NAS-Po[...]

  • Page 127

    CHAPTER 8-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 8 Configuring VLANs This chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN. These sections describe how to configure your access point to support VLANs: • Understanding VLANs, page 8-2 • Configuring[...]

  • Page 128

    8-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 8 Configuring VLANs Understanding VLANs Understanding VLANs A VLAN is a switched network that is logically segmented, by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used[...]

  • Page 129

    8-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 8 Configuring VLANs Understanding VLANs Figure 8-1 LAN and VLAN Segmentation with Wireless Devices Related Documents These documents provide more detailed information pertaining to VLAN design and configuration: • Cisco IOS Switching Services Configurat[...]

  • Page 130

    8-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 8 Configuring VLANs Configuring VLANs Incorporating Wireless Devices into VLANs The basic wireless components of a VLAN consist of an access point and a client associated to it using wireless technology. The access point is physically connected through a trun[...]

  • Page 131

    8-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 8 Configuring VLANs Configuring VLANs Configuring a VLAN Note When you configure VLANs on access points, the Native VLAN must be VLAN1. In a single architecture, client traffic received by the access point is tunneled through an IP-GRE tunnel, which is est[...]

  • Page 132

    8-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 8 Configuring VLANs Configuring VLANs This example shows how to: • Name an SSID • Assign the SSID to a VLAN • Enable the VLAN on the radio and Ethernet ports as the native VLAN router# configure terminal router(config)# interface dot11radio0 router(confi[...]

  • Page 133

    8-7 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 8 Configuring VLANs Configuring VLANs Assigning Names to VLANs You can assign a name to a VLAN in addition to its numerical ID. VLAN names can contain up to 32 ASCII characters. The access point stores each VLAN name and ID pair in a table. Guidelines for Using[...]

  • Page 134

    8-8 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 8 Configuring VLANs Configuring VLANs new cipher suite. Currently, the WPA protocol does not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless L[...]

  • Page 135

    8-9 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 8 Configuring VLANs VLAN Configuration Example VLAN Configuration Example This example shows how to use VLANs to manage wireless devices on a college campus. In this example, three levels of access are available through VLANs configured on the wired netw[...]

  • Page 136

    8-10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 8 Configuring VLANs VLAN Configuration Example Table 8-2 shows the commands needed to configure the three VLANs in this example. Table 8-2 Configuration Commands for VLAN Example Configuring VLAN 1 Configuring VLAN 2 Configuring VLAN 3 router# configur[...]

  • Page 137

    8-11 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 8 Configuring VLANs VLAN Configuration Example Notice that when you configure a bridge group on the radio interface, these commands are set automatically: bridge-group 2 subscriber-loop-control bridge-group 2 block-unknown-source no bridge-group 2 source-learni[...]

  • Page 138

    8-12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 8 Configuring VLANs VLAN Configuration Example[...]

  • Page 139

    CHAPTER 9-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 9 Configuring QoS This chapter describes how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the access point offers best-eff[...]

  • Page 140

    9-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 9 Configuring QoS Understanding QoS for Wireless LANs Understanding QoS for Wireless LANs Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely mann[...]

  • Page 141

    9-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 9 Configuring QoS Understanding QoS for Wireless LANs QoS on the wireless LAN focuses on downstream prioritization from the access point. Figure 9-1 shows the upstream and downstream traffic flow. Figure 9-1 Upstream and Downstream Traffic Flow • The [...]

  • Page 142

    9-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 9 Configuring QoS Understanding QoS for Wireless LANs Note This release continues to support existing 7920 wireless phone firmware. Do not attempt to use the new standard (IEEE 802.11e draft 13) QBSS Load IE with the 7920 Wireless Phone until new phone fir[...]

  • Page 143

    9-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 9 Configuring QoS Configuring QoS Configuring QoS QoS is disabled by default (however, the radio interface always honors tagged 802.1P packets even when you have not configured a QoS policy). This section describes how to configure QoS on your access poin[...]

  • Page 144

    9-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Chapter 9 Configuring QoS Configuring QoS Note In this release, clients are blocked from using an access category when you select Enable for Admission Control. Using the Admission Control check boxes, you can control client use of the access categories. When you en[...]

  • Page 145

    A-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 APPENDIX A Channel Settings This appendix lists the radio channels supported by Cisco access products in the regulatory domains of the world. IEEE 802.11b (2.4-GHz Band) The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11[...]

  • Page 146

    A-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix A Channel Settings IEEE 802.11g (2.4-GHz Band) Note Mexico is included in the Americas (–A) regulatory domain; however, channels 1 through 8 are for indoor use only while channels 9 through 11 can be used indoors and outdoors. Users are responsible [...]

  • Page 147

    A-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix A Channel Settings IEEE 802.11a (5-GHz Band) Note All channel sets are restricted to indoor usage except the Americas (–A), which allows for indoor and outdoor use on channels 52 through 64 in the United States. 44 5220 X X X 48 5240 X X X 52 5260 X X X 56[...]

  • Page 148

    A-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix A Channel Settings IEEE 802.11a (5-GHz Band)[...]

  • Page 149

    B-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 APPENDIX B Protocol Filters The tables in this appendix list some of the protocols that you can filter on the access point. The tables include: • Table A-1, Ethertype Protocols • Table A-2, IP Protocols • Table A-3, IP Port Protocols In each table, the Pr[...]

  • Page 150

    Table B-1 Ethertype Protocols Protocol Additional Identifier ISO Designator ARP — 0x0806 RARP — 0x8035 IP — 0x0800 Berkeley Trailer Negotiation — 0x1000 LAN Test — 0x0708 X.25 Level3 X.25 0x0805 Banyan — 0x0BAD CDP — 0x2000 DEC XNS XNS 0x6000 DEC MOP Dump/Load — 0x6001 DEC MOP MOP 0x6002 DEC LAT LAT 0x6004 Ethertalk —[...]

  • Page 151

    Table B-2 IP Protocols Protocol Additional Identifier ISO Designator dummy — 0 Internet Control Message Protocol ICMP 1 Internet Group Management Protocol IGMP 2 Transmission Control Protocol TCP 6 Exterior Gateway Protocol EGP 8 PUP — 12 CHAOS — 16 User Datagram Protocol UDP 17 XNS-IDP IDP 22 ISO-TP4 TP4 29 ISO-CNLP CNLP 80 Banyan [...]

  • Page 152

    B-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix B Protocol Filters Table B-3 IP Port Protocols Protocol Additional Identifier ISO Designator TCP port service multiplexer tcpmux 1 echo — 7 discard (9) — 9 systat (11) — 11 daytime (13) — 13 netstat (15) — 15 Quote of the Day qotd quote 17 Messa[...]

  • Page 153

    B-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix B Protocol Filters TSAP iso-tsap 102 CSO Name Server cso-ns csnet-ns 105 Remote Telnet rtelnet 107 Postoffice v2 POP2 POP v2 109 Postoffice v3 POP3 POP v3 110 Sun RPC sunrpc 111 tap ident authentication auth 113 sftp — 115 uucp-path — 117 Network[...]

  • Page 154

    B-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix B Protocol Filters SNMP Unix Multiplexer smux 199 AppleTalk Routing at-rtmp 201 AppleTalk name binding at-nbp 202 AppleTalk echo at-echo 204 AppleTalk Zone Information at-zis 206 NISO Z39.50 database z3950 210 IPX — 213 Interactive Mail Access Protocol v[...]

  • Page 155

    C-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 APPENDIX C Supported MIBs This appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release. The Cisco IOS SNMP agent supports both SNMPv1 and SNMPv2. This appendix contains [...]

  • Page 156

    C-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix C Supported MIBs Using FTP to Access the MIB Files • CISCO-MEMORY-POOL-MIB • CISCO-PROCESS-MIB • CISCO-PRODUCTS-MIB • CISCO-SMI-MIB • CISCO-TC-MIB • CISCO-SYSLOG-MIB • ENTITY-MIB • IF-MIB • OLD-CISCO-CHASSIS-MIB • OLD-CISCO-SYS-MIB • [...]

  • Page 157

    D-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 APPENDIX D Error and Event Messages This appendix lists the CLI error and event messages. How to Read System Messages System messages begin with a percent (%) and are structured as follows: The text in bold are required elements of the system message, the text in i[...]

  • Page 158

    D-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix D Error and Event Messages Message Traceback Reports Message Traceback Reports Some messages describe internal errors and contain traceback reports. This information is very important and should be included when you report a problem to your technical support r[...]

  • Page 159

    D-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix D Error and Event Messages 802.11 Subsystem Messages Error Message DOT11-4-ENCRYPT_MISMATCH: Possible encryption key mismatch between interface [interface] and station [mac-address] Explanation The encryption setting of the indicated interface and indicate[...]

  • Page 160

    D-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix D Error and Event Messages 802.11 Subsystem Messages Error Message DOT11-3-RADIO_OVER_TEMPERATURE: Interface [inerface ] Radio over temperature detected Explanation The radio’s internal temperature exceeds maximum limits on the indicated radio interface. Rec[...]

  • Page 161

    D-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix D Error and Event Messages 802.11 Subsystem Messages Error Message DOT11-2-NO_CHAN_AVAIL: Interface [interface], no channel available Explanation No frequency is available, likely because RADAR has been detected within the previous 30 minutes. Recommend[...]

  • Page 162

    D-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix D Error and Event Messages 802.11 Subsystem Messages Error Message DOT11-4-NO_MBSSID_VLAN: No VLANs configured in MBSSID mode. [characters] not started Explanation No VLAN configured in MBSSID mode. The indicated interface was not started. Recommended Action Ad[...]

  • Page 163

    D-7 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix D Error and Event Messages 802.11 Subsystem Messages Error Message DOT11-4-CANT_ASSOC: Interface [interface], cannot associate [characters] Explanation The indicated interface device could not associate to an indicated parent access point. Recommended Action [...]

  • Page 164

    D-8 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix D Error and Event Messages 802.11 Subsystem Messages Error Message DOT11-3-POWERS_INVALID: Interface [interface], no valid power levels available Explanation The radio driver found no valid power level settings. Recommended Action Investigate and correct t[...]

  • Page 165

    D-9 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix D Error and Event Messages 802.11 Subsystem Messages Error Message DOT11-2-NO_FIRMWARE: Interface [interface], no radio firmware file [characters] was found.” Explanation When trying to flash new firmware, the file for the radio was not found in the Fla[...]

  • Page 166

    D-10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix D Error and Event Messages 802.11 Subsystem Messages Error Message DOT11-4-BRIDGE_LOOP: Bridge loop detected between WGB [mac-address] and device [mac-address] Explanation The indicated workgroup bridge reported the address of one of its indicated Ethernet c[...]

  • Page 167

    D-11 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix D Error and Event Messages 802.11 Subsystem Messages Error Message DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station [mac-address] on the packet (TSC=0x0) encrypted and protected by [key] key Explanation The access po[...]

  • Page 168

    D-12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 Appendix D Error and Event Messages Local Authenticator Messages Local Authenticator Messages Error Message RADSRV-4-NAS_UNKNOWN: Unknown authenticator: [ip-address] Explanation The local RADIUS server received an authentication request but does not recognize the[...]

  • Page 169

    GL-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 GLOSSARY 802.11 The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4-GHz band. 802.11a The IEEE standard that specifies carrier sense media acc[...]

  • Page 170

    Glossary GL-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 beacon A wireless LAN packet that signals the availability and presence of the wireless device. Beacon packets are sent by access points and base stations; however, client radio cards send beacons when operating in computer to computer (Ad Hoc) mode. BOO[...]

  • Page 171

    Glossary GL-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 DNS Domain Name System server. A server that translates text names into IP addresses. The server maintains a database of host alphanumeric names and their corresponding IP addresses. DSSS Direct sequence spread spectrum. A type of spread spectrum radio tra[...]

  • Page 172

    M MAC Media Access Control address. A unique 48-bit number used in Ethernet data packets to identify an Ethernet device, such as an access point or your client adapter. modulation Any of several techniques for combining user information with a transmitter’s carrier signal. multipath The echoes created as a radio signal bounces off of physi[...]

  • Page 173

    Glossary GL-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 roaming A feature of some Access Points that allows users to move through a facility while maintaining an unbroken connection to the LAN. RP-TNC Reverse Polarity Threaded Neill Concelman connector. Part 15.203 of the FCC rules covering spread spectrum [...]

  • Page 174

    Glossary GL-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 WMM Wireless MultiMedia. workstation A computing device with an installed client adapter. WPA Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control fo[...]

  • Page 175

    IN-1 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 INDEX Numerics 802.11d 20 802.11e 2 802.11g 28 802.1H 23 802.1x authentication 2 A access point security settings, matching client devices 16 accounting with RADIUS 12 accounting command 3 Address Resolution Protocol (ARP) 24 AES-CCMP 2 Aironet extensions 14, 23 anten[...]

  • Page 176

    Index IN-2 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 commands accounting 3 antenna 22 authentication client 3 beacon dtim-period 27 beacon period 27 bridge-group 25 broadcast-key 14 countermeasure tkip hold-time 16 dot11 aaa mac-authen filter-cache 14 dot11 extension aironet 23 dot11 holdoff-time 15 dot11 interface-[...]

  • Page 177

    Index IN-3 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 encryption command 4 error and event messages 1 how to read 1 message traceback reports 2 error messages 802.11 subsystem messages 3 association management messages 2 inter-access point protocol messages 12 local authenticator messages 12 event messages 1 F fallb[...]

  • Page 178

    Index IN-4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 N names, VLAN 7 Network-EAP 4 O OFDM 13 Orthogonal Frequency Division Multiplexing (OFDM) See OFDM P packet retries command 27 packet size (fragment) 28 payload-encapsulation command 24 PEAP authentication setting on client and access point 18 ports, protected 26[...]

  • Page 179

    Index IN-5 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 regulatory domains 15, 16, 18, 2 regulatory domains 1 Remote Authentication Dial-In User Service See RADIUS request to send (RTS) 27 restricting access RADIUS 1 RFC 1042 23 roaming 2, 5 role (mode) 3 role in radio network 2 rotation, broadcast key 1 rts retries co[...]

  • Page 180

    Index IN-6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04 world-mode command 21 WPA 6 WPA migration mode 12 wpa-psk command 13[...]

  • Page 181

    Index IN-7 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04[...]

  • Page 182

    Index IN-8 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04[...]

  • Page 183

    Index IN-9 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04[...]

  • Page 184

    Index IN-10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04[...]

  • Page 185

    Index IN-11 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04[...]

  • Page 186

    Index IN-12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04[...]

  • Page 187

    Index IN-13 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04[...]

  • Page 188

    Index IN-14 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04[...]