Cisco Wireless ISR and HWIC Access Point Configuration Guide December 2006 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-6415-04...
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.;...
CHAPTER Configuring Radio Settings: Enabling the Radio Interface; Roles in Radio Network; Configuring Network or Fallback Role; Bridge Features Not Supported; Sample Bridging Configuration; Universal Client Mode. Cisco Wireless Router and HWIC Configuration Guide OL-6415-04...
Performing a Carrier Busy Test. CHAPTER Configuring Multiple SSIDs: Understanding Multiple SSIDs; SSID Configuration Methods Supported by Cisco IOS Releases; Configuring Multiple SSIDs; Creating an SSID Globally; Using a RADIUS Server to Restrict SSIDs...
Matching Access Point and Client Device Authentication Types. CHAPTER Configuring RADIUS Servers: Configuring and Enabling RADIUS; Understanding RADIUS; RADIUS Operation; Configuring RADIUS; Displaying the RADIUS Configuration.
APPENDIX MIB List: Using FTP to Access the MIB Files. APPENDIX Error and Event Messages: How to Read System Messages.
Contents: Message Traceback Reports; Association Management Messages; 802.11 Subsystem Messages; Local Authenticator Messages. GLOSSARY. INDEX.
AP HWIC, Cisco 800 series and Cisco 1800 series routers. This guide provides procedures for using the Cisco IOS software commands that have been created or changed for use with the wireless device. It does not provide detailed information about these commands. For information about the standard Cisco IOS software commands, see the Cisco IOS software documentation set available from the Cisco.com home page at Service and Support >...
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
Cisco Wireless ISR and HWIC Access Point Configuration Guide OL-6415-04...
electrical circuits and familiarize yourself with standard practices for preventing accidents. To see translations of the warnings that appear in this publication, refer to the appendix entitled « Translated Safety Warnings ».
Products with 802.11a/b/g and 802.11b/g Radios Obtaining Documentation Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.
• Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html...
Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts &...
Obtaining Additional Publications and Information For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions.
Wireless Device Management
You can use the wireless device management system through the following interfaces:
• The Cisco IOS command-line interface (CLI), which can be used through a console port or a Telnet session. Use the interface dot11radio configuration command in global mode to place the wireless device into radio configuration mode.
LAN.
Figure 1-1 Access Points as Root Units on a Wired LAN
Note: Root/Non-Root bridging mode is supported only on modular ISR platforms, such as Cisco 3800 series, Cisco 2800 and Cisco 1841 series. Fixed ISR platforms, such as the Cisco 800 and Cisco 1800, do not support this feature.
• QoS Basic Service Set (QBSS) support—This feature aligns Cisco QBSS implementation with the...
VLAN Assignment By Name—This feature allows the RADIUS server to assign a client to a virtual LAN (VLAN) identified by its VLAN name. In releases before Cisco IOS Release 12.4(5)T, the RADIUS server identified the VLAN by ID. This feature is important for deployments where VLAN IDs are not used consistently throughout the network.
• HTTP Web Server v1.1—This feature provides a consistent interface for users and applications by implementing the HTTP 1.1 standard (see RFC 2616). In previous releases, Cisco software supported only a partial implementation of HTTP 1.0. The integrated HTTP Server API supports server application interfaces.
• Configuring Maximum Data Retries, page 2-27
• Configuring Fragmentation Threshold, page 2-28
• Enabling Short Slot Time for 802.11g Radios, page 2-28
• Performing a Carrier Busy Test, page 2-29
Enabling the Radio Interface
The wireless device radios are disabled by default.
Note: In Cisco IOS Release 12.4 there is no default SSID. You must create a Service Set Identifier (SSID) before you can enable the radio interface.
Step 4: Return to privileged EXEC mode.
Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
Configuring Radio Settings / Configuring Network or Fallback Role
Bridge Features Not Supported
The following features are not supported when a Cisco ISR series access point is configured as a bridge:
• Clear Channel Assessment (CCA)
• Interoperability with 1400 series bridge
•...
0 0
line aux 0
line vty 0 4
webvpn context Default_context
 ssl authenticate verify all
 no inservice
The following is a sample of Non-Root Bridge Configuration:
no aaa new-model
1
bridge-group 1 spanning-disabled
interface BVI1
 ip address 20.0.0.5 255.0.0.0
ip route 0.0.0.0 0.0.0.0 20.0.0.1
ip http server
no ip http secure-server
control-plane
bridge 1 route ip
Cisco root bridges or Cisco workgroup bridges. Configuring Universal Client Mode You can configure universal client mode in Cisco ISR series by setting the radio interface station-role to non-root. This is different from configuring the dot11radio interface to operate in non-root bridge mode, which requires specifying the word bridge at the end of the command, ex: "station-role non-root...
Note: NAT fails to translate with a DHCP address on the dot11 interface running in universal client mode. The following configuration is supported on NAT:
ip nat inside source list 1 interface Virtual-Dot11Radio0 overload
The following is an example of a NAT configuration on a Cisco 1803 ISR:
C1803W_UC#
C1803W_UC#sh run
Building configuration...
6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 rts threshold 2312
 no cdp enable
interface Dot11Radio1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
Step 2: interface dot11radio { 0 | 1 }. Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
802.11g client devices to associate to the wireless device’s 802.11g radio. On the 5-GHz radio, the default option sets rates 6.0, 12.0, and 24.0 to basic, and rates 9.0, 18.0, 36.0, 48.0, and 54.0 to enabled.
To determine what transmit power is available for your access point and which regulatory domain it operates in, refer to the hardware installation guide for that device. Hardware installation guides are available at cisco.com. Follow these steps to view and download them: Browse to http://www.cisco.com.
Note Cisco AVVID documentation uses the term Dynamic Power Control (DTPC) to refer to limiting the power level on associated client devices. Beginning in privileged EXEC mode, follow these steps to specify a maximum allowed power setting on...
Too many access points in the same vicinity creates radio congestion that can reduce throughput. A careful site survey can determine the best placement of access points for maximum radio coverage and throughput.
(IE) in beacons and probe responses. By default, however, the country code in the IE is blank. You use the world-mode command to populate the country code IE.
For example, a client device used primarily in Japan could rely on world mode to adjust its channel and power settings automatically when it travels to Italy and joins a network there. Cisco client devices running firmware version 5.30.17 or later detect whether the wireless device is using 802.11d or Cisco legacy world mode and automatically use world mode that matches the mode used by...
• Long—A long preamble ensures compatibility between the wireless device and all early models of Cisco Access Point Wireless LAN Adapters (PC4800 and PC4800A). If these client devices do not associate to the wireless devices, you should use short preambles.
For best performance, leave the transmit antenna setting at the default setting, diversity.
Step 5: Return to privileged EXEC mode.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
Disabling and Enabling Access Point Extensions
By default, the wireless device uses Cisco Access Point extensions to detect the capabilities of Cisco Access Point client devices and to support features that require specific interaction between the wireless device and associated client devices.
To enable and disable PSPF using CLI commands on the wireless device, you use bridge groups. You can find a detailed explanation of bridge groups and instructions for implementing them in this document: Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.2.
• Click this link to browse to the Configuring Transparent Bridging chapter: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_c/bcfpart1/bcftb.
2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 3: packet retries value. Set the maximum data retries. Enter a setting from 1 to 128.
Step 1: router(config-if)# slot-time-short. In radio interface mode, enter this command to enable short slot time.
Step 2: no slot-time-short. (Optional) Enter no slot-time-short to disable short slot time.
For interface-number, enter dot11radio 0 to run the test on the 2.4-GHz radio, or enter dot11radio 1 to run the test on the 5-GHz radio. Use the show dot11 carrier busy command to re-display the carrier busy test results.
Cisco IOS Release 12.4(15)T. If you need to upgrade to a release later than 12.4(15)T, you should first upgrade to Cisco IOS Release 12.4(15)T, save the configuration file, upgrade to the target release, and load the saved configuration file.
Creating an SSID Globally In Cisco IOS Releases 12.4 and later, you can configure SSIDs globally or for a specific radio interface. When you use the dot11 ssid global configuration command to create an SSID, you can use the ssid configuration interface command to assign the SSID to a specific interface.
Assign the SSID to a radio interface:
router# configure terminal
router(config)# dot11 ssid batman
router(config-ssid)# accounting accounting-method-list
router(config-ssid)# max-associations 15
router(config-ssid)# vlan 3762
router(config-ssid)# exit
router(config)# interface dot11radio 0
router(config-if)# ssid batman
Using Spaces in SSIDs In Cisco IOS Release 12.4(15)T, you can include spaces in an SSID, but trailing spaces (spaces at the end of an SSID) are invalid. However, any SSIDs created in previous versions having trailing spaces are recognized.
Configuring Multiple SSIDs / Configuring Multiple Basic SSIDs
The allowed list of SSIDs from the RADIUS server is in the form of Cisco VSAs. The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the access point and the RADIUS server by using the vendor-specific attribute (attribute 26).
Microsoft Wireless Provisioning Services (WPS). Use the advertisement option to include the SSID name and capabilities in the SSIDL IE. Use the wps option to set the WPS capability flag in the SSIDL IE.
LEAP, EAP-FAST, and MAC-based authentication for up to 1000 client devices. This chapter contains these sections:
• Understand Local Authentication, page 4-2
• Configure a Local Authenticator, page 4-2
Beginning in privileged EXEC mode, follow these steps to configure the access point as a local authenticator:
Step 1: configure terminal. Enter global configuration mode.
Step 2: aaa new-model. Enable AAA.
See the “Unblocking Locked Usernames” section on page 4-11 for instructions on unblocking client devices.
Step 10: exit. Exit group configuration mode and return to authenticator configuration mode.
00095125d02b password 00095125d02b group clerks mac-auth-only
0 4
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 transport preferred all
 transport input all
 transport output all
Cisco client devices to accommodate expected server timeouts. To remove the local authenticator from the access point configuration, use the no radius-server host hostname | ip-address global configuration command.
PAC to expire in 10 days, and writes the PAC file to the TFTP server at 10.0.0.5:
router# radius local-server pac-generate tftp://10.0.0.5 joe password bingo expiry 10
PACs generated by the local authenticator might not expire when they should. The access point clock is reset when the access point reboots, so the elapsed time on the clock would not reach the PAC expiration time.
Router#sh radius local-server statistics
Successes
Unknown usernames
Client blocks
Invalid passwords
Unknown NAS
Invalid packet from NAS: 0
The first section of statistics lists cumulative statistics from the local authenticator.
• Use the error option to display error messages related to the local authenticator.
• Use the packets option to turn on display of the content of RADIUS packets sent and received.
WEP while also allowing use of authenticated key management, Cisco recommends that you enable encryption by using the encryption mode cipher command in the CLI or by using the cipher drop-down menu in the web-browser interface. Cipher suites that contain AES-CCM provide the best security for your wireless LAN, and cipher suites that contain only WEP are the least secure.
Cannot configure a WEP key in key slot 4
Cipher suite with 40-bit WEP: Cannot configure a 128-bit key
Cipher suite with 128-bit WEP: Cannot configure a 40-bit key
Cipher suite with TKIP: Cannot configure any WEP keys
If you configure your access point to use WPA authenticated key management, you must select a cipher suite compatible with the authenticated key management type. Table 5-3 lists the cipher suites that are compatible with WPA.
For example, if the access point is configured with AES and TKIP encryption, the universal client must also have AES+TKIP in order for the devices to associate properly.
TKIP+AES (encryption mode ciphers aes-ccm tkip), you will get a system message stating the multicast suite was not found.
%DOT11-4-CANT_ASSOC: Interface Dot11Radio0/1/0, cannot associate: WPAIE not found and required
Caveats When the Cisco dot11radio is in the universal client mode and associates to a 3rd party access point, there are some additional caveats. The first is on the "show dot11 association" output. The "Device" area shows a result of "unknown" when associated to a 3rd party access point (non-Cisco). In the example below, a Cisco 876W universal client is associated to a Symbol 4131 Access Point.
: 16
Bytes Input : 46619
Bytes Output : 3495
Duplicates Rcvd
Data Retries
Decrypt Failed
RTS Retries
MIC Failed
MIC Missing
Packets Redirected: 0
Redirect Filtered: 0
c876#
This chapter describes how to configure authentication types on the access point. This chapter contains these sections:
• Understand Authentication Types, page 6-2
• Configure Authentication Types, page 6-9
• Matching Access Point and Client Device Authentication Types, page 6-16
In this example, the device’s WEP key does not match the access point’s key, so it can authenticate but not pass data.
6. Key mismatch, frame discarded
Shared Key Authentication to Access Point
Cisco provides shared key authentication to comply with the IEEE 802.11b standard. However, because of shared key’s security flaws, Cisco recommends that you avoid using it. During shared key authentication, the access point sends an unencrypted challenge text string to any device attempting to communicate with the access point.
The client and access point activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.
MAC-address cache without sending the request to your authentication server. See the “Configuring MAC Authentication Caching” section on page 6-14 for instructions on enabling this feature. Figure 6-4 shows the authentication sequence for MAC-based authentication.
WPA-PSK, however, you configure a pre-shared key on both the client and the access point, and that pre-shared key is used as the PMK.
Note: In Cisco IOS releases 12.3(4)JA and later, you cannot enable both MAC-address authentication and WPA-PSK.
Confirm installation of all keys. Client and access point complete a two-way handshake to securely deliver the group transient key from the access point to the client.
Understand Authentication Types Software and Firmware Requirements for WPA and WPA-TKIP Table 6-1 lists the firmware and software requirements required on access points and Cisco client devices to support WPA key management and WPA-TKIP encryption protocols. To support the security combinations in...
Step 2: dot11 ssid ssid-string. Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.
Note: An access point configured for EAP authentication forces all client devices that associate to perform EAP authentication. Client devices that do not use EAP cannot use the access point.
WPA. If you enable WPA with a pre-shared key, the key management type is WPA-PSK. See the “Configuring Additional WPA Settings” section on page 6-13 for instructions on configuring a pre-shared key.
3 size 128 12345678901234567890123456 transmit-key
router(config-if)# ssid migrate
router(config-ssid)# authentication open
router(config-ssid)# authentication network-eap adam
router(config-ssid)# authentication key-management wpa optional
router(config-ssid)# wpa-psk ascii batmobile65
router(config-ssid)# exit
8 letters, numbers, or symbols, and the access point expands the key for you. You can enter a maximum of 63 ASCII characters.
Step 5: Return to privileged EXEC mode.
[address] clear specific clients from the cache.
Step 6: Return to privileged EXEC mode.
Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file.
Session-Timeout value for the EAP authentication. To avoid confusion on which Session-Timeout attribute is used, configure the same Session-Timeout value on your authentication server for both MAC and EAP authentication.
Open authentication with EAP. To allow both the Cisco access point clients using LEAP and non-Cisco clients using LEAP to associate using the same SSID, you might need to configure the SSID for both Network EAP authentication and Open authentication with EAP.
Client setting: Set up and enable WEP and enable Smart Card or other Certificate as the EAP Type.
Access point setting: to configure card control using IEEE 802.1X and EAP and Open Authentication for the SSID.
Client setting: Set up and enable WEP with full encryption and enable Require EAP SIM Authentication as the EAP Type.
Access point setting: to configure card control using IEEE 802.1X and EAP and Open Authentication for the SSID.
Chapter 6, “Configuring Authentication Types,” for detailed instructions on configuring your access point as a local authenticator.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Security Command Reference for Release 12.2.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID” section on page 6-9 for instructions on setting up client authentication using a RADIUS server.
RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the access point through the CLI.
Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
Step 1: configure terminal. Enter global configuration mode.
Step 2: aaa new-model. Enable AAA.
Note: To enable accounting for an SSID, you must include the accounting command in the SSID configuration. Click this URL to browse to a detailed description of the SSID configuration mode accounting command: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_command_reference_chapter09186a008041757f.html#wp2449819
Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.
Step 1: configure terminal. Enter global configuration mode.
Step 2: aaa new-model. Enable AAA.
{default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
Step 1: configure terminal. Enter global configuration mode.
Step 2: aaa new-model. Enable AAA.
Step 8: copy running-config startup-config. (Optional) Save your entries in the configuration file.
Step 9: Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 7-7.
• Use the local database if authentication was not performed by using RADIUS.
Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
Access Point” section on page 7-18 for a complete list of attributes sent and honored by the access point. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
Step 5 radius-server deadtime minutes Use this command to cause the Cisco IOS software to mark as “dead” any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server.
The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco’s vendor ID is 9, and the supported option has vendor type 1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization.
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the access point and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
You can find a list of ISO and ITU country and area codes at the ISO and ITU websites. Cisco IOS software does not check the validity of the country and area codes that you configure on the access point.
To display the RADIUS configuration, use the show running-config privileged EXEC command.
Note: When DNS is configured on the access point, the show running-config command sometimes displays a server’s IP address instead of its name.
Microsoft IAS servers recognize reauthentication requests from the access point. Use the dot11 aaa authentication attributes service-type login-only global configuration command to set the service-type attribute in reauthentication requests to login-only.
LAN. These sections describe how to configure your access point to support VLANs:
• Understanding VLANs, page 8-2
• Configuring VLANs, page 8-4
• VLAN Configuration Example, page 8-9
VLAN are 802.1Q tagged before they are forwarded onto the wired network. Figure 8-1 shows the difference between traditional physical LAN segmentation and logical VLAN segmentation with wireless devices connected.
SSID 3 = VLAN 3
Related Documents
These documents provide more detailed information pertaining to VLAN design and configuration:
• Cisco IOS Switching Services Configuration Guide. Click this link to browse to this document: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_c/index.htm
• Cisco Internetwork Design Guide. Click this link to browse to this document: ...
• Assigning Names to VLANs, page 8-7
• Using a RADIUS Server to Assign Users to VLANs, page 8-7
• Viewing VLANs Configured on the Access Point, page 8-8
Step 5 exit Return to interface configuration mode for the radio interface.
Step 6 interface dot11radio 0.x | 1.x Enter interface configuration mode for the radio VLAN subinterface.
VLAN name to a different VLAN ID. Note If clients on your wireless LAN require seamless roaming, Cisco recommends that you assign the same VLAN name to the same VLAN ID across all access points, or that you use only VLAN IDs without names.
Faculty access—Medium level of access; users can access school’s Intranet and Internet, access internal files, access student databases, and view internal information such as human resources, payroll, and other faculty-related material. Faculty users are required to authenticate using Cisco LEAP.
1
bridge-group 2
bridge-group 3
no bridge-group 1 source-learning
no bridge-group 2 source-learning
no bridge-group 3 source-learning
bridge-group 1 spanning-disabled
bridge-group 2 spanning-disabled
bridge-group 3 spanning-disabled
2 unicast-flooding
bridge-group 2 spanning-disabled
When you configure a bridge group on the FastEthernet interface, these commands are set automatically:
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
It sends the packets without any assurance of reliability, delay bounds, or throughput. This chapter consists of these sections:
• Understanding QoS for Wireless LANs, page 9-2
• Configuring QoS, page 9-4
• They support Spectralink phones using the class-map IP protocol clause with the protocol value set to 119.
To contrast the wireless LAN QoS implementation with the QoS implementation on other Cisco network devices, see the Cisco IOS Quality of Service Solutions Configuration Guide at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/index.htm
Impact of QoS on a Wireless LAN
Wireless LAN QoS features are a subset of the proposed 802.11e draft.
You can use the Cisco IOS command dot11 phone dot11e to enable the future upgrade of the 7920 Wireless Phone firmware to support the standard QBSS Load IE. The new 7920 Wireless Phone firmware will be announced at a later date.
QoS is disabled by default (however, the radio interface always honors tagged 802.1P packets even when you have not configured a QoS policy). This section describes how to configure QoS on your access point. It contains this configuration information:
IEEE Draft Standard 802.11e. For detailed information on these values, consult that standard. Cisco strongly recommends that you use the default settings on the Radio Access Categories page. Changing these values can lead to unexpected blockages of traffic on your wireless LAN, and the blockages might be difficult to diagnose.
_class_WMM2
set cos 2
class _class_WMM3
set cos 3
class _class_WMM4
set cos 4
class _class_WMM5
set cos 5
class _class_WMM6
set cos 6
class _class_WMM7
set cos 7
APPENDIX Channel Settings
This appendix lists the radio channels supported by Cisco access products in the regulatory domains of the world.
IEEE 802.11b (2.4-GHz Band)
The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11b...
The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11a 20-MHz-wide channel are shown in Table A-3.
Table A-3 5-GHz Radio Band
Channel Identifier | Center Frequency (MHz) | Regulatory Domains: North America (-A) | ETSI | Japan (-P) | China
5180 5200
All channel sets are restricted to indoor usage except the Americas (-A), which allows for indoor and outdoor use on channels 52 through 64 in the United States.
In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.
Internet Group Management Protocol IGMP
Transmission Control Protocol
Exterior Gateway Protocol —
CHAOS —
User Datagram Protocol
XNS-IDP
ISO-TP4
ISO-CNLP CNLP
Banyan VINES VINES
Encapsulation Header encap_hdr
Spectralink Voice Protocol Spectralink —
Domain Name Server domain —
BOOTP Server —
BOOTP Client —
TFTP —
gopher —
netrjs
finger —
Hypertext Transport Protocol HTTP
ttylink link
Kerberos v5 Kerberos krb5
supdup —
hostname hostnames
ISO CMIP Management Over IP CMIP Management Over IP cmip-man CMOT
ISO CMIP Agent Over IP cmip-agent
X Display Manager Control Protocol xdmcp
NeXTStep Window Server NeXTStep
Border Gateway Protocol
Prospero —
Internet Relay Chap
Supported MIBs
This appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release. The Cisco IOS SNMP agent supports both SNMPv1 and SNMPv2. This appendix contains these sections:
• MIB List, page C-1
...
Step 5 Use the get MIB_filename command to obtain a copy of the MIB file.
Note You can also access information about MIBs on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
FACILITY is a code consisting of two or more uppercase letters that indicate the facility to which the message refers. A facility can be a hardware device, a protocol, or a module of the system software. You can see a complete list of mainline facility codes for Cisco IOS Release 12.3 on Cisco.com. Go to this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123sup/123sems/123semv1/emgove...
Explanation A station disassociated from an access point.
Recommended Action None.
Error Message DOT11-6-ROAMED: Station [mac-address] Roamed to [mac-address]
Explanation The indicated station roamed to the indicated new access point.
Recommended Action None.
Error Message DOT11-2-VERSION_INVALID: Interface [interface], unable to find required radio version [hex].[hex] [number]
Explanation When trying to re-flash the radio firmware on the indicated interface, the access point recognized that the indicated radio firmware packaged with the Cisco IOS software had the incorrect version.
Recommended Action None.
Error Message DOT11-6-FREQ_SCAN: Interface [interface] Scanning frequencies for [number] seconds
Explanation Starting a scan for the least congested frequency on the indicated interface for the indicated time period.
Recommended Action None.
Explanation No SSID was configured for a VLAN. The indicated interface was not started.
Recommended Action At least one SSID must be configured per VLAN. Add at least one SSID for the VLAN on the indicated interface.
Explanation The connection to the parent access point failed for the displayed reason. The uplink will stop its connection attempts.
Recommended Action Try resetting the uplink interface. Contact Technical Support if the problem persists.
Error Message DOT11-4-RM_INCORRECT_INTERFACE: Invalid interface, either not existing or non-radio
Explanation A radio management request discovered that the interface either does not exist or is not a radio interface.
Recommended Action None.
The indicated interface radio has been stopped to load the indicated new firmware.
Recommended Action None.
Error Message DOT11-4-LOADING_RADIO: Interface [interface], loading the radio firmware [characters]
Explanation The indicated interface radio has been stopped to load the indicated new firmware.
Recommended Action None.
Explanation The unit could not establish a connection to a parent access point for the displayed reason.
Recommended Action Verify that the basic configuration settings (SSID, WEP, and others) of the parent access point and this unit match.
A failure of the Michael MIC in a packet usually indicates an active attack on your network.
Recommended Action Search for and remove potential rogue devices from your wireless LAN.
Error Message IF-4-MISPLACED_VLAN_TAG: Detected a misplaced VLAN tag on source [interface]. Dropping packet
Explanation Received an 802.1Q VLAN tag which could not be parsed correctly. The received packet was encapsulated or de-encapsulated incorrectly.
Recommended Action
Recommended Action Use the clear radius local-server user username privileged EXEC command to unblock the user, or allow the block on the user to expire by the configured lockout time.
backoff time The random length of time that a station waits before sending a packet on the LAN. Backoff time is a multiple of slot time, so a decrease in slot time ultimately decreases the backoff time, which increases throughput.
domain name The text name that refers to a grouping of networks or network resources based on organization-type or geography; for example: name.com—commercial; name.edu—educational; name.gov—government; ISPname.net—network provider (such as an ISP); name.ar—Argentina; name.au—Australia; and so on.
LAN or if it must be reached through a gateway. This number is expressed in a form similar to an IP address; for example: 255.255.255.0.
isotropic An antenna that radiates its signal in a spherical pattern.
range A linear measure of the distance that a transmitter can send a signal.
receiver sensitivity A measurement of the weakest signal a receiver can receive and still correctly translate it into data.
Radio frequency. A generic term for radio-based technology.
RP-TNC rules covering spread spectrum devices limits the types of antennas that may be used with transmission equipment. In compliance with this rule, Cisco, like all other wireless LAN providers, equips its radios and antennas with a unique connector to prevent attachment of non-approved antennas to radios.
LAN systems. It is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages TKIP (Temporal Key Integrity Protocol) for data protection and 802.1X for authenticated key management.
CCK modulation authentication server Cisco IOS software, locating documentation configuring access point as local server client communication, blocking described client power level, limiting
EAP-TLS authentication commands station role setting on client and access point Complementary Code Keying (CCK) encapsulation dot1q command See CCK encapsulation method countermeasure tkip hold-time command
1, 2 Microsoft IAS servers IOS software, locating documentation migration mode, WPA ISO designators for protocols mode (role) multicast messages multiple basic SSIDs
QBSS overview dot11e parameter SSID suggested network environments configuration guidelines tracking services accessed by user described RADIUS accounting overview reauthentication requests
Wi-Fi Protected Access speed command See WPA SSID Wi-Fi Protected Access (WPA) guest mode WISPr RADIUS attributes multiple SSIDs support workgroup bridge using spaces in world mode 3, 20, 23 VLAN