Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

Allen-Bradley, Rockwell Automation, and Stratix are trademarks of Rockwell Automation, Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies.
Table of Contents (excerpt)
Association Page ... 104
Wireless Page
Chapter 5 Configure the Stratix 5100 WAP Using Cisco IOS Command Modes ... 175
Getting Help
Configuring RADIUS Login Authentication ... 209
Defining AAA Server Groups ... 211
Configuring RADIUS Authorization for User Privileged Access and Network Services
Chapter 7 Configuring Radio Settings
Enabling the Radio Interface ... 242
Configuring the Role in Radio Network
Chapter 8 Configuring Multiple SSIDs
Understanding Multiple SSIDs ... 279
Effect of Software Versions on SSIDs
Chapter 10 Configure an Access Point as a Local Authenticator
Understanding Local Authentication ... 319
Configuring a Local Authenticator
Using WPA Key Management ... 357
Software and Firmware Requirements for WPA, CCKM, CKIP, and WPA-TKIP
Configuring Client MFP ... 398
Configuring Radio Management
Configuring/Enabling VLAN with SSID by Using Stratix 5100 Device Manager ... 454
Set the Encryption for the VLAN ... 455
Configuring a Workgroup Bridge for Roaming ... 538
Configuring a Workgroup Bridge for Limited Channel Scanning ... 538
Configuring the Limited Channel Set
Appendix A Protocol Filters
Ethertype Protocols ... 573
IP Protocols
For detailed information about these commands, see the Cisco IOS Command-Line Configuration Guide 15.3.

IMPORTANT: Before using this manual to configure the Stratix 5100 WAP, you must perform a site survey. A radio frequency (RF) site survey is the first step in the deployment of a wireless network and the most important step in making sure the network operates properly.
Item / Description
Chapter 1 Getting Started with the Stratix 5100 WAP: Provides an overview of the Stratix 5100 Wireless Access Point/Workgroup Bridge, including its features and network configuration.
Chapter 2 Install the Stratix 5100 Wireless Access Point/Workgroup Bridge: Provides details on how to install the access point.
Preface: Conventions
The Stratix 5100 Wireless Access Point/Workgroup Bridge is referred to as the Stratix 5100 WAP, WAP, access point, or workgroup bridge in this document. This publication uses these conventions to convey instructions and information. Command descriptions use these conventions: •...
Preface: Rockwell Automation Support
Rockwell Automation provides technical information on the Web to assist you in using its products. At http://www.rockwellautomation.com/support you can find technical and application notes, sample code, and links to software service packs. You can also visit our Support Center at https://rockwellautomation.custhelp.com/ for software updates, support chats and forums, technical information, FAQs, and to sign up for product notification updates.
LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, the Stratix 5100 WAP is a wireless LAN transceiver, Wi-Fi certified and compliant in: •...
The access point runs in a standalone (autonomous) configuration. The Stratix 5100 WAP contains simultaneous dual-band radios (2.4 GHz and 5 GHz) with integrated and external antenna options. The access points support full interoperability with leading 802.11n clients, and support a mixed deployment with other access points and controllers.
Configuring the Access Point
You can configure and monitor the wireless device by using the following:
• Command-line interface (CLI)
• Stratix 5100 WAP Device Manager, a browser-based management system (web based or Simple Network Management Protocol (SNMP))

Management Options
You can use the wireless device management system through the following interfaces: •...
Roaming Client Devices
If you have more than one wireless device in your wireless LAN, wireless client devices can roam from one wireless device to another. The roaming functionality is based on signal quality, not proximity. When the signal quality a client sees drops, it roams to another access point.
Network Configuration Examples
This section describes the role of an access point in common wireless network configurations. The access point default configuration is as a root unit connected to a wired LAN or as the central unit in a wireless network. You can configure access points as repeater access points, bridges, and workgroup bridges.
Repeater Bridges The Stratix 5100 access point can be configured as a root or non-root bridge. In this role, an access point establishes a wireless link with a non-root bridge. Traffic is passed over the link to the wired LAN. Access points in root and non-root bridge roles can be configured to accept associations from clients.
Figure 3 - Access Point as a Root Bridge with Clients (root bridge, non-root bridge)
Figure 4 - Access Points as Root and Non-root Bridges with Clients (root bridge, non-root bridge)

Workgroup Bridge
You can configure access points as workgroup bridges.
This graphic shows an access point configured as a workgroup bridge. See Understanding Workgroup Bridge Mode on page 535 and Configuring Workgroup Bridge Mode on page 540 for information on configuring your access point as a workgroup bridge.
• Power adapter
• 4 Wi-Fi antennas
• Console cable
If any item is missing or damaged, contact Rockwell Automation; see Rockwell Automation Support on the back cover of this manual.
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 2 Install the Stratix 5100 Wireless Access Point/Workgroup Bridge
This chapter provides basic instructions on how to install and configure your Stratix 5100 Wireless Access Point/Workgroup Bridge.
Topics: Stratix 5100 WAP Specifications; Ethernet Cable Recommendation; External Antennas; Preparing the Access Point...
Points. This document is available on Cisco.com.
Ethernet Cable Recommendation
While the Stratix 5100 WAP works well with CAT-5e cable for 10/100 Mbps installations, we recommend that you use CAT-6a cable for 1 Gbps installations.
The external antennas support mounting inside NEMA enclosures for use in the most demanding environments. The Stratix 5100 WAP is configured with up to four external dual-band dipole antennas, and 2.4 GHz and 5 GHz dual-band radios in a 3 x 4 multiple-input/multiple-output (MIMO) configuration with three spatial streams. The radios and antennas support frequency bands 2400…2500 MHz and 5150…5850 MHz through a common dual-band RF...
(Figure callouts: Status Indicator; Antenna connector C)
Table 2 - Dual-band Dipole Antenna (AIR-ANT2524DG-R) Specifications
Antenna type: Dual-band dipole
Operating frequency range: 2400…2500 MHz
Nominal input impedance: 50 Ω
VSWR: Less than 2:1
Peak Gain @ 2.4 GHz: ...
MAC addresses from each location and return them to the person who is planning or managing your wireless network.
Initial configuration
The first time you use the Stratix 5100 Wireless Access Point/Workgroup Bridge, you must configure it using the console cable. See...
Install the WAP
Install the Stratix 5100 WAP on a flat surface.
1. Unpack and remove the access point and the accessory kit from the shipping box.
2. Return any packing material to the shipping container and save it for future use.
Very High Altitudes
While not defined in the specification sheet for the Stratix 5100 WAP, it has passed functional checks after a non-operational altitude test at 25 °C @ 4572 m (77 °F @ 15,000 ft). Additionally, it fully passed a functional test during an operational altitude test at 40 °C @ 3000 m (104 °F @ 9843 ft).
Grounding the Access Point
Grounding is not always required for indoor installations because the access point is classified as a low-voltage device and does not contain an internal power supply. However, check your local and national electrical codes to see if grounding is a requirement.
Securing the Access Point
There are two ways to secure your access point:
• Attach it to an immovable object with a security cable.
• Lock it to the mounting plate with a padlock.
5. Remove the key. Mounting the Access Point The Stratix 5100 WAP comes with a low-profile access point mounting bracket: AIR-AP-BRACKET-1. This bracket can be mounted flush on a flat surface or directly onto a ceiling, on grid-work. AIR-AP-BRACKET-1...
Figure 13 - WAP Mounting Bracket
Table 3 - Mounting Bracket Description: Wall mount locations; Cable access cover; Grounding post; Security hasp; Access point attachment slots
Mark all four locations of the wall mounts. Make sure you have a secure installation.
The Stratix 5100 access point is shipped with the flat mounting bracket for a hard ceiling or wall, and for applications where you need to mount it on an electrical or network box.
Access Point Spacing Recommendation
If you have a Wi-Fi device such as a WAP and want to use another WAP in the vicinity on a different channel, space the WAPs approximately six feet (two meters) apart.
Follow these steps to mount the access point on a solid ceiling or wall.
1. Use the mounting bracket as a template to mark the locations of the mounting holes on the bracket.
4. Pull approximately 9 in. of cable through the hole. Route the Ethernet and power cables through the bracket before you attach the bracket to the ceiling or wall. Route the cables through the main cable access hole and then through the smaller access hole as shown in this figure.
Once you have configured the access point using the console cable (see Connect to the Stratix 5100 WAP Access Point Locally on page 54), it begins a power-up sequence that you can verify by observing the access point status indicators. If the power-up sequence is successful, the discovery and join process begins.
Access Point Status Indicators
Small variations in color intensity and hue from unit to unit are expected. This is within the normal range of the status indicator manufacturer's specifications and is not a defect.
Table 4 - Status Indicator Descriptions (Continued)
Operating status:
• Blinking blue: Software upgrade in progress
• Cycling through green, red, and ...: Discovery/join process in progress
• Rapidly cycling through blue, ...
Configure the Access Point
The configuration process takes place on the WAP using the Stratix 5100 Device Manager. For instructions on how to configure the Wireless Access Point/Workgroup Bridge by using Stratix 5100 Device Manager software, see...
Chapter 3 Stratix 5100 Device Manager Configuration Startup
This chapter describes the Stratix 5100 Device Manager and startup configurations. It is a web browser interface that you use to configure the wireless access point/workgroup bridge.
Topics: Login to the Stratix 5100 WAP...
The Easy Setup page lets you configure an access point's basic parameters quickly. Avoid using both the CLI and the Stratix 5100 WAP Device Manager (web browser) to configure the wireless device concurrently. If you configure the wireless device by using the CLI, the web browser interface can display an inaccurate interpretation of the configuration.
Before You Start
Before you configure the Stratix 5100 WAP, make sure you are using a computer connected to the same network as the access point, and obtain the following information from your network administrator: •...
Stratix 5100 Device Manager.
Default Radio Settings
The Stratix 5100 WAP radios are disabled and no default SSID is assigned. This prevents unauthorized users from accessing your wireless network through an access point that has a default SSID and no security settings. You must create an SSID before you can enable the access point radio interfaces.
Reset to default settings returns a device that you have configured to its default settings. You need to enter the username and password that you assigned to the Stratix 5100 WAP to log in, and then follow these steps to reset the device back to defaults.
The Summary Status page appears.
5. From the top menu, click Software. The System Software screen appears.
6. Click System Configuration. The System Configuration screen appears.
7. Click Reset to Defaults to reset all settings, including the IP address, to factory defaults.
• CLI, see Accessing CLI on page 182.
• Console port, see Connect to the Stratix 5100 WAP Access Point Locally on page 54.
Using Online Help
Click the help icon at the top of any page in the web browser interface to display online help.
The Summary Status page appears. Your page can be different depending on the access point model you are using.
Figure 18 - Summary Status Page
6. Click Easy Setup.
7. Open Easy Setup and click Network Configuration.
8. Enter the network configuration settings. This table describes the network configuration settings on the Easy Setup page. For more information about the parameters, see Easy Setup Network Configuration Page on page...
9. Enter the radio configuration settings.
Figure 19 - Radio Configuration Settings on the Network Configuration Page
Table 6 - Radio Configuration Settings
SSID: Identifies the SSID that client devices must use to associate with a device.
Aironet Extensions: Choose Enable if there are only Rockwell Automation WAPs or Cisco Aironet devices on your wireless LAN and the unit is operating as an access point or workgroup bridge, or if the unit is operating as a repeater.
The Network Interfaces Summary page appears.
4. Click the radio you want to configure. The Radio Status page appears.
5. Click the Settings tab. The radio settings page appears.
6. Check Enable.
7. Click Apply.
Your access point is now running but requires additional configuration to conform to your network operational and security requirements.
Using VLANs...
Configuring Security
After you assign the basic settings to the WAP, you must configure security settings to prevent unauthorized access to your network. Because it is a radio device, the access point can communicate beyond the physical boundaries of your work site.
Easy Set-up Page Security Types
This table describes the four security types that you can assign to an SSID on the Easy Setup Network Configuration page.
Table 7 - Security Types on Easy Set-up Security Setup Page...
Easy Setup Network Configuration Security Limitations
Because the Easy Setup page is designed for simple configuration of basic network configurations and security, the options available are a subset of the access point security capabilities. If the No VLAN option is chosen, the static WEP key can be configured once.
3. Click NEW and type the SSID in the SSID entry field.
• The SSID can contain up to 32 alphanumeric characters.
• See SSID Manager Page on page 116 for details on naming conventions.
5. (Optional) Assign the SSID to a VLAN.
a. Click Define VLANS.
b. Select NEW.
c. Enter a VLAN number (1…4094).
d. Choose a radio and click Apply.
You cannot assign an SSID to an existing VLAN.
9. If needed, choose the MAC Authentication Servers.
10. Define the key management.
If you don't use VLANs on your wireless LAN, the security options that you can assign to multiple SSIDs are limited. For detailed information, see...
Figure 21 - DNS Page
2. Choose Enable for Domain Name System.
3. In the Domain Name field, enter your company domain name. At Rockwell Automation, for example, the domain name is rockwellautomation.com.
Figure 22 - Services: HTTP Web Server Page
8. Click the Enable Secure (HTTPS) Browsing check box and click Apply.
9. Enter a domain name and click Apply.
Although you can enable both standard HTTP and HTTPS, we recommend that you enable one or the other.
The address in your browser address line changes from http://ip-address to https://ip-address. Another warning page appears stating that the access point security certificate is valid but is not from a known source. However, you can accept the certificate with confidence because the site in question is your own access point.
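The certificate the access point presents is self-signed, so the browser cannot tell it apart from any other self-signed certificate; the confidence the manual describes comes from knowing the device at that address is yours. The following is an added example, not code from the manual or from Rockwell Automation, that turns that knowledge into a repeatable check: record the certificate's SHA-256 fingerprint once (for instance while you still have the console session open), then have later HTTPS connections compared against the pinned value so a changed certificate is reported instead of accepted. The host address, the placeholder fingerprint and the sample bytes are constructed assumptions.

```python
import hashlib
import socket
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated upper-case hex,
    the presentation browsers and 'openssl x509 -fingerprint -sha256' use."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Drop separators and case so fingerprints copied from different tools compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """True only if the certificate's SHA-256 fingerprint equals the pinned value."""
    expected = normalize_fingerprint(pinned)
    if len(expected) != 64:
        raise ValueError("pinned value is not a SHA-256 fingerprint")
    return normalize_fingerprint(sha256_fingerprint(der_cert)) == expected


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the DER certificate presented by host:port without chain validation.
    Chain validation is skipped on purpose: the access point's certificate is self-signed,
    so trust comes from the pinned-fingerprint comparison afterwards, not from a CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_access_point(host: str, pinned: str, port: int = 443) -> str:
    """Connect to the access point and fail loudly if its certificate is not the pinned one.
    Returns the observed fingerprint on success."""
    der = fetch_peer_cert(host, port)
    observed = sha256_fingerprint(der)
    if not fingerprint_matches(der, pinned):
        raise RuntimeError(f"certificate for {host} changed: observed {observed}, pinned {pinned}")
    return observed


if __name__ == "__main__":
    # Hypothetical address and placeholder fingerprint (constructed, not from the manual):
    # replace both with the values recorded from your own access point.
    AP_HOST = "192.0.2.10"
    PINNED = "<SHA-256 fingerprint recorded at first configuration>"
    print(verify_access_point(AP_HOST, PINNED))
```

Keep the pinned fingerprint with the device inventory and refresh it whenever you delete and regenerate the HTTPS certificate (for example after changing the FQDN), since the regenerated certificate will have a new fingerprint.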
The Microsoft Certificate Import Wizard appears.
Figure 26 - Certificate Import Wizard page
13. Click Next. The Certificate Storage Area dialog box appears and asks where you want to store the certificate. We recommend that you use the default storage area on your system.
Deleting an HTTPS Certificate
The access point generates a certificate automatically when you enable HTTPS. However, if you need to change the fully qualified domain name (FQDN) for an access point, or you need to add an FQDN after enabling HTTPS, you can delete the certificate.
Chapter 4 Stratix 5100 Device Manager Parameter Definitions
This chapter defines the parameter settings for each page in Device Manager.
Topics: Device Manager System Management Tabs; Easy Setup Network Configuration Page; Network Configuration Settings on the Easy Setup Page; Radio Configuration Settings on the Easy Setup Page...
Changes are applied only when you click Apply.
Figure 31 - Stratix 5100 Device Manager Home Page
Table 9 - Stratix 5100 Device Manager System Management Tab Descriptions...
Table 9 - Stratix 5100 Device Manager System Management Tab Descriptions (Continued)
Services: Provides access to the other services available, for example, HTTP and QoS. See Services Page on page 135 for details.
Network Configuration Settings on the Easy Setup Page
This is the Network configuration page under Easy Setup. Easy Setup contains an abbreviated version of the parameters from the Network page.
Figure 32 - Network Configuration Easy Setup...
Current SSID List: List of the SSIDs you have configured.
If you want to set up basic configuration parameters in the CLI, see Configure the Stratix 5100 WAP Using the Command-Line Interface on page 175.
Radio Configuration Settings on the Easy Setup Page
This page contains information about the status of the GigabitEthernet and Radio-802.11b, Radio-802.11a, or Radio-802.11g interfaces, depending on the radio that is installed on the access point. This is an abbreviated set of the parameters from the radio settings tab in Network > Network Interface.
Universal Workgroup Bridge: Provides the means for the Stratix 5100 WAP to be configured as a workgroup bridge (WGB) and to associate with non-Cisco access points. In addition, this feature provides the WGB with the ability to be continuously in World Mode.
Security Configuration Settings on the Easy Setup Page
You can configure a limited number of security parameters for the Stratix 5100 WAP. There are four choices:
• No Security
• WEP Key
•...
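The security choice made here, and the manual's point that an SSID with no security settings is what exposes the network, can be verified after the fact by reading the running configuration rather than the web pages. The following is an added example, not code from the manual or from Rockwell Automation: a Python audit that parses an autonomous-IOS-style configuration and classifies each SSID as No Security, static WEP, or WPA with a cipher suite, noting when an unprotected SSID is also broadcast. The sample configuration is constructed, and the exact `dot11 ssid` / `encryption vlan N mode ...` syntax it expects is an assumption about the CLI format, not something taken from this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration (not from the manual); keys are placeholders.
# The block layout and command syntax are assumptions about the CLI format.
SAMPLE_CONFIG = """\
dot11 ssid Plant-Floor
   vlan 10
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 00000000000000000000
!
dot11 ssid Legacy-Scanners
   vlan 20
   authentication open
   guest-mode
!
dot11 ssid Visitors
   authentication open
   guest-mode
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 key 1 size 40bit 7 0000000000 transmit-key
 encryption vlan 20 mode wep mandatory
 ssid Plant-Floor
 ssid Legacy-Scanners
 ssid Visitors
!
"""


@dataclass
class SsidProfile:
    name: str
    vlan: Optional[int] = None          # None: the SSID is not tied to a VLAN
    wpa_version: Optional[int] = None   # set by "authentication key-management wpa ..."
    guest_mode: bool = False            # the SSID is broadcast in beacons


def parse_config(text: str) -> Tuple[Dict[str, SsidProfile], Dict[Optional[int], str]]:
    """Collect SSID profiles and the encryption mode configured per VLAN.
    The encryption map uses key None for a radio-wide setting that names no VLAN."""
    ssids: Dict[str, SsidProfile] = {}
    encryption: Dict[Optional[int], str] = {}
    current: Optional[SsidProfile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dot11 ssid "):
            current = SsidProfile(name=line.split(None, 2)[2])
            ssids[current.name] = current
            continue
        if line == "!" or not raw[:1].isspace():
            current = None  # any unindented line ends the ssid block
        if current is not None:
            if line.startswith("vlan "):
                current.vlan = int(line.split()[1])
            elif line.startswith("authentication key-management wpa"):
                m = re.search(r"\bversion (\d)\b", line)
                current.wpa_version = int(m.group(1)) if m else 1
            elif line == "guest-mode":
                current.guest_mode = True
            continue
        m = re.match(r"encryption(?: vlan (\d+))? mode (wep|ciphers)\b", line)
        if m:
            vlan = int(m.group(1)) if m.group(1) else None
            encryption[vlan] = m.group(2)
    return ssids, encryption


def audit_config(text: str) -> List[dict]:
    """Classify every SSID by the protection actually configured for it, sorted by name."""
    ssids, encryption = parse_config(text)
    findings = []
    for name in sorted(ssids):
        p = ssids[name]
        mode = encryption.get(p.vlan)
        if p.wpa_version and mode == "ciphers":
            level, reason = "ok", f"WPA version {p.wpa_version} with a cipher suite"
        elif mode == "wep":
            level, reason = "weak", "static WEP keys"
        elif p.wpa_version:
            level, reason = "broken", "WPA key management but no cipher suite on its VLAN"
        else:
            level, reason = "critical", "no encryption or key management (No Security)"
        if p.guest_mode and level != "ok":
            reason += "; SSID is broadcast (guest-mode)"
        findings.append({"ssid": name, "vlan": p.vlan, "level": level, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['level']:8} {f['ssid']:18} vlan={f['vlan']}  {f['reason']}")
```

Run it against the text of a saved configuration instead of `SAMPLE_CONFIG` to get one line per SSID; anything reported as `critical` or `weak` corresponds to the No Security and WEP Key choices on this page and is worth revisiting in the SSID Manager and Encryption Manager pages.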
Disable default before leaving the page because the time to discover the network can greatly increase the system load.
Figure 34 - Network Map
Table 13 - Stratix 5100 Network Map Parameter Descriptions...
Table 13 - Stratix 5100 Network Map Parameter Descriptions (Continued)
Device: The type of device (client, access point, bridge, and so on).
Name: The name given to this device.
Software Version: The software version currently running on your device.
Table 14 - System Setting Parameter Descriptions
IP Address (DHCP) / IP Address (Static): The IP address for the access point. The IP address can be assigned dynamically with DHCP or assigned statically.
Table 14 - System Setting Parameter Descriptions (Continued)
Last Output Hang: The number of hours, minutes, and seconds (or never) since the interface was last reset because of a transmission that took too long. When the number of hours in the Time Since Last Input, Time Since Last Output, or Last Output Hang fields exceeds 24 hours, the number of days and hours is printed.
Network Interface IP Address Page
Use this page to identify the configuration server protocol and to identify the IP Address, IP Subnet Mask, and Default Gateway IP Address.
Figure 36 - Network Interfaces IP Address...
Network Interface GigabitEthernet Status Page
Use this page to review the status for the GigabitEthernet interface.
Figure 37 - Network Interface GigabitEthernet Status Page
Table 16 - GigabitEthernet Status Parameter Descriptions...
Table 16 - GigabitEthernet Status Parameter Descriptions (Continued)
Receive Statistics
5 min Input Rate (bits/sec): The average number of bits per second transmitted in the last 5 minutes.
5 min Input Rate (packets/sec): The average number of packets per second transmitted in the last 5 minutes.
Table 16 - GigabitEthernet Status Parameter Descriptions (Continued)
Babbles: The number of times the transmit jabber timer expired.
Collisions: The number of packets retransmitted because of an Ethernet collision (only applicable in half duplex).
Network Interface: Radio0-802.11n 2 GHz and Radio1-802.11n 5 GHz Status
The Radio Status and the Detailed Status pages provide a summary of the current radio interface configuration and statistics.
Table 18 - Radio Interface Configuration and Statistics Parameter Descriptions...
Table 18 - Radio Interface Configuration and Statistics Parameter Descriptions (Continued)
Role in Network: The access point can operate as an Access Point (Root) or as a Repeater (Non-root). When operating as an Access Point (Root), it bridges wireless traffic to the wired LAN.
Detailed Status
This page shows status details for the interface.
Figure 38 - Interface Detailed Status
Table 19 - Network Interfaces: Radio0-802.11N 2.4 GHz and 5 GHz Detailed Status
Radio Type: Lists the interface and serial number.
Table 19 - Network Interfaces: Radio0-802.11N 2.4 GHz and 5 GHz Detailed Status (Continued)
Multicasts Received/Sent By Host: Number of multicast packets received/sent by the server.
Mgmt Packets Received/Sent: Number of management packets received/sent by the access point.
Network Interface Radio Settings Page
The Settings page provides detailed parameter settings for the interface you need to configure. There is some overlap between these parameters and the Easy Setup page.
Figure 39 - Interface Settings Page
Table 20 - Radio0-802.11n 2 GHz and Radio1-802.11n 5 GHz Settings Description...
Table 20 - Radio0-802.11n 2 GHz and Radio1-802.11n 5 GHz Settings Description (Continued)
Current Status: This value comes from the radio buttons just above it. If you set the radio to enabled, this value changes.
Figure 40 - Interface Settings Page (continued)
Table 21 - Radio0-802.11n 2 GHz and Radio1-802.11n 5 GHz Settings Description
Data Rates:
• Default
• Best Range
• Best Throughput
• 1.0, 2.0, 5.5, 11.0, 6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, and 54.0 Mbps
•...
Table 21 - Radio0-802.11n 2 GHz and Radio1-802.11n 5 GHz Settings Description (Continued)
Client Power (dBm): Local, 23, 20, 17, 14, 11, 8, 5, Max
Default Radio Channel: Least Congested Channel Search...
Carrier Busy Test
The Carrier Busy Test determines if the carrier is busy. The Carrier indicates the regulatory domain that the access point is operating in. The carrier set constrains the frequencies and power levels available.
Table 24 - Association Page Parameter Descriptions (Continued)
MAC Address: The Media Access Control (MAC) address is a unique identifier assigned to the network interface by the manufacturer. If you click the MAC Address link, it takes you to the Association: Station View - Client screen.
When you configure Wireless Domain Services on your network, access points on your wireless LAN use the WDS device (either an access point, an Integrated Services Router, or a switch configured as the WDS device) to provide fast, secure roaming for client devices and to participate in radio management.
Table 26 - Wireless WDS/WNM General Setup Page Parameter Descriptions (Continued)
State: Displays the state of the access point as either Registered or not.
AP Information
MAC Address: The Media Access Control (MAC) address is a unique identifier assigned to the network interface by the manufacturer.
Figure 46 - WDS and WNM General Set-up Page
Table 27 - Wireless WDS/WNM General Setup Page Parameter Descriptions
WDS - Wireless Domain Services - Global Properties
Use this AP as Wireless Domain Services: Check the box if you want to use the AP as Wireless Domain Services.
Figure 47 - WDS Server Groups Page
This page lets you set up authentication servers that can be used by the WDS access point. If you want an access point to serve as the WDS or as a WDS candidate, you need to configure it as such.
Security Page
Use the Security page to configure security settings to prevent unauthorized access to your network. Because the WAP is a radio device, the wireless device can communicate beyond the physical boundaries of your work site. The Security Summary page provides a snapshot of the security settings and links to other security pages.
Table 29 - Security Summary Parameter Descriptions
Username: The username of the active user.
Read-Only: Specifies whether the user has read-only capabilities.
Read-Write: Specifies whether the user has read/write capabilities.
Encryption Manager Page
You use Wired Equivalent Privacy (WEP) to encrypt radio signals sent by the bridge and decrypt radio signals received by the bridge. This page enables you to select authentication types for the access point.
Table 31 - Security Encryption Manager Parameter Descriptions
Encryption Modes: Indicate whether clients should use data encryption when communicating with the bridge.
None: The bridge communicates only with client devices that are not using WEP.
SSID Manager Page
Use the SSID Manager page to assign SSIDs to specific radio interfaces. The SSIDs that you create are enabled on all radio interfaces.
Table 32 - SSID Manager Parameter Descriptions...
Table 32 - SSID Manager Parameter Descriptions (Continued)
Client Authentication Settings and Methods Accepted: Specifies the Layer 3 mobility network identification number for the SSID.
Open Authentication: Choose Open Authentication by checking the check box.
Table 32 - SSID Manager Parameter Descriptions (Continued)
IDS Client: Enable Client MFP on this SSID.
AP Authentication Credentials: Credentials are used to authenticate the access point to the network. Use the pull-down menu to specify a credentials profile for an SSID.
Table 32 - SSID Manager Parameter Descriptions (Continued)
Set DataBeacon Rate (DTIM): These commands let you set the DataBeacon:
    ap> enable
    ap# configure terminal
    ap(config)# interface ________
    ap(config-if)# beacon dtim-period <value>...
Chapter 4 Stratix 5100 Device Manager Parameter Definitions Server Manager Page The Server Manager page is where you to enter the authentication settings. The RADIUS/TACACS+ server on the your network uses EAP to provide authentication service for wireless client devices.
Table 33 - Security: Server Manager Parameter Descriptions
Backup RADIUS Server: Enter the host name or IP address of the access point acting as a local RADIUS server. Other access points on your wireless LAN use this backup authenticator when the main RADIUS server does not respond.

Server Manager Global Properties
The Server Manager Global Properties page provides more information about the servers you are using and the global locations of those servers.
Table 34 - Server Manager Global Properties Parameter Descriptions...
Table 34 - Server Manager Global Properties Parameter Descriptions
RADIUS Calling/Called Station ID Format: Default example: 0000.4096.3e4a; IETF example: 00-00-40-96-3e-4a; Unformatted example: 000040963e4a
RADIUS Service-Type Attributes: Login; Framed
RADIUS WISPr Attributes (optional): ISO Country Code (2 letters); E.164 Country Code (1…999)...

AP Authentication
Traditionally, the dot1x authenticator/client relationship has always been a network device and a PC client respectively, as it was the personal computer user that had to authenticate to gain access to the network. However, wireless networks introduce unique challenges to the traditional authenticator/client relationship.
Table 35 - AP Authentication General Set-up Page Parameter Descriptions
Current Credentials: Choose <NEW> if you want to add a dot1x credentials profile.
Credentials Name: Enter a name for the dot1x credentials profile if you are adding a new profile. You can change the name if you have chosen an existing profile.

AP Authentication Certificates
This page lists the current certificates and public keys available. You can also configure the parameters for the trustpoint.
Table 36 - Certificates Page Properties Parameter Descriptions...

Table 36 - Certificates Page Properties Parameter Descriptions
Authentication Methods Profile: Credential profiles are applied to an interface or an SSID in the same way. When an access point connects to the network, the access point and the network authentication device negotiate to agree upon an authentication method supported by both devices to complete authentication.
Figure 52 - MFP Statistics
Table 37 - Intrusion Detection Page Parameter Descriptions
Transmit MFP Frames: When enabled, the access point protects the management frames it transmits by adding a message integrity check information element (MIC IE) to each frame.

Local RADIUS Server
Usually an external RADIUS Server is used to authenticate users. In some cases, this is not a feasible solution. In these situations, an access point can be made to act as a RADIUS Server.
Figure 54 - Local RADIUS Server General Set-up Page
Table 39 - Local RADIUS Server General Set-up Page Parameter Descriptions
Enable Authentication Protocols: EAP Fast; LEAP
Network Access Server (AAA...
Figure 55 - Local RADIUS Server EAP-Fast Set-up Page
Table 40 - Local RADIUS Server EAP-Fast Set-up Page Parameter Descriptions
PAC Encryption Keys:
• Primary Key (optional): 32 Hex characters; Generate Random
•...
Advanced Security
You can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication; see SSID Manager Page on page 116. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication.
Figure 57 - Timers Page
Table 42 - Timers Page Parameter Descriptions
Global Client Properties
Client Holdoff Time: Disable Holdoff; Enable Holdoff with Interval: 1…65555 s
EAP or MAC Reauthentication...
Figure 58 - Associated Access List Page
Table 43 - Association Access List Page Parameter Descriptions
Filter client association with MAC address access list: Select a filter.
Define Filter: This link takes you to Service>Filter where you can configure filters.

Services Page
The summary provides a list of the main services that are currently enabled or disabled. You can click any of the links to go to that page and change the configurations.
Table 44 - Telnet/SSH Page Parameter Descriptions
Telnet/SSH…
Telnet: Enable or Disable
• Select Enabled to let Telnet access the management system.
Terminal Type: Teletype or ANSI
• The preferred setting is ANSI, which offers graphic features such as reverse video buttons and underlined links.

Hot Standby Page
Clients associated to the standby access point lose their connection during the hot standby setup process.
Figure 61 - Hot Standby Page
Table 45 - Hot Standby Page Parameter Descriptions...

CDP Page
Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices.
Table 46 - CDP Page Parameter Descriptions (Continued)
Packets Sent Every (optional): The number of seconds between each CDP packet that the device sends. The default value is 60. This value needs to be less than the packet hold time.

DNS Page
This page is where you decide whether you want the DNS (Domain Name System) enabled or disabled. DNS is a name server that lets you connect to a device by a given name without knowing its IP address.

Filters Page
Protocol filters prevent or allow the use of specific protocols through the interface. You can set up individual protocol filters or sets of filters. This base page enables you to apply the filters for incoming and outgoing Ethernet and 802.11b Radio interfaces.

MAC Address Filters Page
Use this page to allow or disallow the forwarding of unicast or multicast packets sent from or addressed to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify.
Table 49 - MAC Address Filters Page Parameter Descriptions (Continued)
Action: Select Forward or Block. Click Add. The MAC address appears in the Filters Classes field.
Default Action: Packets that do not match any of the Filters Classes are handled according to the Default Action.

IP Filters Page
Use this page to create or edit protocol filters. IP filters prevent or allow the use of IP address(es), IP protocols, and TCP/UDP ports through the access point's Ethernet and radio ports. You can create a filter that passes traffic to all addresses except those you specify, or you can create a filter that blocks traffic to all addresses except those you specify.
Table 50 - IP Filters Page Parameter Descriptions (Continued)
Default Action: Packets that do not match any of the Filters Classes are handled according to the Default Action. Select Forward All or Block All as the filter's default action. The filter's default action must be the opposite of the action for at least one of the addresses in the filter.

Ethertype Filters Page
Ethertype filters prevent or allow the use of specific L3 protocols through the access point's Ethernet and radio ports. You can apply the filters you create to either or both the Ethernet and radio ports and to either or both incoming and outgoing packets.

HTTP Page
Use the Web Server page to enable browsing to the web-based management system files and enter settings for a custom-tailored web system for management.
Figure 68 - HTTP Page
Table 52 - HTTP Page Parameter Descriptions...
Table 52 - HTTP Page Parameter Descriptions (Continued)
HTTP Port: This setting determines the port on which your device provides non-secure web access. Use the port setting provided by your System Administrator. The default is 80.

QoS Policies Page
This page lets you configure the quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size.
Table 53 - QoS Policies Page Parameter Descriptions (Continued)
Match Classifications: All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information.

QoS: Radio Page
This page enables you to define the parameters of Carrier Sense Multiple Access (CSMA) for each traffic access category. These parameters affect how packets are delivered for the different classes of service.
Table 54 - Access Category Definition Page Parameter Description (Continued)
Transmit Opportunity: Enter the number of microseconds that qualified transmitters can transmit through the normal back-off procedure with a set of pending packets.
Table 55 - QoS Policies Advanced Page Parameter Description
IP Phone: If you enable this feature, dynamic voice classifiers are created for some of the wireless phone vendor clients, which gives top priority to all voice packets.

Stream Page
Figure 71 - Stream Page
Table 56 - Stream Page Parameter Descriptions
Packet Handling per User Priority: Select the user priority to use for stream services. For each user priority listed, use the pull-down menu to choose either Reliable or Low Latency for the packet handling descriptor.

SNMP Page
SNMP is an application-layer protocol that supports message-oriented communication between SNMP management stations and agents. This page configures the access point to work with your network administrator's Simple Network Management Protocol (SNMP) station.
Table 57 - SNMP Page Parameter Description (Continued)
SNMP Request Communities: This section is not enabled until you select Enabled in the Simple Network Management Protocol (SNMP) field at the top of the page and click Apply.
Table 58 - SNMP Trap Community Parameter Descriptions (Continued)
SNMP Trap Community: The SNMP community string identifies the sender to the trap destination. This string is required by the trap destination before it records traps sent by the device.

SNTP Page
Simple Network Time Protocol is an adaptation of the Network Time Protocol (NTP) used to synchronize computer clocks on the Internet. In this page, you can clarify certain design features to ensure accurate and reliable operation.

VLAN Page
A VLAN is a switched network that is logically segmented by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they can be intermingled with other teams.
Table 60 - VLAN Page Parameter Descriptions
Global VLAN Properties
Current Native VLAN: Specifies the VLAN that is designated as the native VLAN. Check the box under the VLAN ID field that denotes Native VLAN.

ARP Caching Page
ARP caching on the access point reduces the traffic on your wireless LAN by stopping ARP requests for client devices at the access point. Instead of forwarding ARP requests to client devices, the access point responds to requests on behalf of associated client devices.

Band Select Page
Band selection enables client radios that are capable of dual-band (2.4 and 5 GHz) operation to move to a less congested 5 GHz access point. The 2.4 GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of...
Table 62 - Band Select Page Parameter Descriptions (Continued)
Cycle-Threshold: 1…1000 ms
Expire-Dual-Band: 10…300 s. Sets the expiration time for pruning previously known dual-band clients. The default value is 60 seconds. After this time elapses, clients become new and are subject to probe response suppression.

Management Page
The Management page is where you manage guest user accounts. This is where your business can create guest wireless user access by creating a web authentication page. For example, when users log in to a network that allows guest access, they are brought to a web page that states the Terms and Conditions of using the Wifi.

Webauth Login
This page lets you customize the appearance of the Login page. The Login page is presented to web users the first time they access the Wireless Network if 'Web Authentication' is turned on for the SSID.
Software Page
The Software page provides version information for the Cisco IOS software.
Figure 80 - Software Page
Table 65 - Software Page Parameter Descriptions
Product/Model Number: The model number of the access point.

Software Upgrade HTTP Page
An HTTP upgrade requires you to load the image into the access point memory. If there is not enough system memory for an HTTP upgrade, the upgrade fails. If...

Software Upgrade TFTP Page
Use the Software Upgrade TFTP page to upgrade the Wireless AP via a TFTP Server (you need to supply the TFTP server). This lets the WAP connect to the user-supplied TFTP server to download a new version of software and upgrade it.

System Configuration Page
This is where the system configuration information can be found. On this page, you can load new configuration files, pull your show-tech information, reset the device, and adjust PoE settings.
Table 68 - Software System Configuration Parameter Descriptions
Reset to Factory Defaults (Except IP Address): Returns all access point settings to their defaults, except for a fixed IP address that remains the same if it is configured.

Event Log Page
This is the page where you can view the Event log. In CLI, this command is show logging.
Table 69 - Event Log Page Parameter Descriptions
Start Display at: Enter the event where you want the event log to begin.
Table 69 - Event Log Page Parameter Descriptions (Continued)
Time: Displays the time stamp that was recorded with the event. The displayed format is chosen on the Event Log: Configuration Options page. The time stamp format displayed is dependent on the time stamp format that was selected at the time the event occurred.

Configuration Options Page
These settings let you decide how you want to be notified of the different events that are logged and the level of logging that is to take place.
Figure 84 - Configuration Options Page...
Table 70 - Event Log Configuration Parameter Descriptions (Continued)
Time Stamp Format for Future Events: Choose the time format in which you want the event time stamp information saved. The three supported time stamp formats are as follows:
•...
Chapter 5 Configure the Stratix 5100 WAP Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure the wireless device.
Topics: Cisco IOS Command Modes; Getting Help; Abbreviating Commands; Using No and Default Forms of Commands...

You can make changes to the running configuration by using the configuration modes: global, interface, and line. If you save the configuration, these commands are stored and used when the wireless device restarts. To access the various configuration modes, you must start at global configuration mode.

Table 72 - Help Summary (Continued)
Lists all commands available for a particular command mode. For example: ap> ?
command ?: Lists the associated keywords for a command.

Understanding CLI Messages
This table lists some error messages that you can encounter while using CLI to configure the wireless device.
Table 73 - CLI Error Messages...
Recalling Commands
To recall commands from the history buffer, perform one of the actions listed in this table.
Table 74 - Recall Command Actions and Results
Press Ctrl-P or the up arrow key.

Editing Commands through Keystrokes
This table shows the keystrokes that you need to edit command lines.
Table 75 - Editing Commands Through Keystrokes
Capability: Move around the command line to... Keystroke: Ctrl-B or the left arrow key. Purpose: Move the cursor back one character.

Editing Command Lines that Wrap
You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left.

Searching and Filtering Output of show and more Commands
You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you don't need to see.

Opening CLI with Secure Shell
Secure Shell Protocol is a protocol that provides a secure, remote connection to networking devices. Secure Shell (SSH) is a software package that provides secure login sessions by encrypting the entire session.

5. Enter when the following CLI message appears: Proceed with reload? [confirm].
ATTENTION: To avoid damaging the configuration, don't interrupt the startup process. Wait until the access point/bridge Install Mode status indicator begins to blink green before continuing with CLI configuration changes.
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1/1
no ip address
no ip route-cache
ssid no_security_ssid
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
interface Dot11Radio1/1.10...

Example 2: Static WEP
This example shows part of the configuration that results from using the Security page to create an SSID called , excluding the SSID from the...
bridge-group 20 spanning-disabled
interface Dot11Radio1/1
no ip address
no ip route-cache
encryption vlan 20 key 3 size 128bit 7 741F07447BA1D4382450CB68F37A transmit-key
encryption vlan 20 mode wep mandatory
ssid static_wep_ssid
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0...

Example 3: EAP Authentication
This example shows part of the configuration that results from using the Security page to create an SSID called , excluding the SSID from the beacon,...
bridge-group 30 subscriber-loop-control
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
bridge-group 30 spanning-disabled
interface Dot11Radio0/1
no ip address
no ip route-cache
encryption vlan 30 mode wep mandatory
ssid eap_ssid
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0...
no ip address
ip mtu 1564
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.30
mtu 1500
encapsulation dot1Q 30...

Example 4: WPA
This example shows part of the configuration that results from using the Security page to create an SSID called , excluding the SSID from the beacon,...
bridge irb
interface Dot11Radio0/1
no ip address
no ip route-cache
encryption vlan 40 mode ciphers tkip
ssid wpa_ssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
station-role root
bridge-group 1...

speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
no bridge-group 40 source-learning
bridge-group 40 spanning-disabled
For the instructions in Device Manager, see...

Using a Terminal Application
Follow these steps to access CLI by using a terminal application. These steps are for a computer running Microsoft with a Telnet terminal application. Check your...

Creating a Credentials Profile
Beginning in privileged EXEC mode, follow these steps to create an 802.1X credentials profile. For information in Device Manager, see AP Authentication on page 124.

ap1240AG(config-dot1x-creden)#username Rockwell
ap1240AG(config-dot1x-creden)#password wirelessap
ap1240AG(config-dot1x-creden)#exit
ap1240AG(config)#

Applying the Credentials to an Interface or SSID
Credential profiles are applied to an interface or an SSID in the same way. SSID...

Applying the Credentials Profile to an SSID Used for the Uplink
If you have a repeater access point in your wireless network and are using the 802.1X supplicant on the root access point, you must apply the 802.1X supplicant credentials to the SSID the repeater uses to associate with and authenticate to the root access point.
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 6 Administering the WAP Access
This chapter describes how to administer the wireless device.
Topics: Disabling the Mode Button; Preventing Unauthorized Access to Your Access Point; Protecting Access to Privileged EXEC Commands; Controlling Access Point Access with RADIUS; Controlling Access Point Access with TACACS+; Configuring Ethernet Speed and Duplex Settings; Configuring the Access Point for Wireless Network Management; Configuring the Access Point for Local Authentication and Authorization...

Disabling the Mode Button
You can disable the mode button on access points having a console port by using the [no] boot mode-button command. This command prevents password recovery and is used to prevent unauthorized users from gaining access to the access point CLI.

Preventing Unauthorized Access to Your Access Point
You can prevent unauthorized users from reconfiguring the wireless device and viewing configuration information. Typically, you want network administrators to have access to the wireless device while you restrict access to users who connect through a terminal or workstation from within the local network.

Default Password and Privilege Level Configuration
This table shows the default password and privilege level configuration.
Table 76 - Default Password and Privilege Levels
Username and password: Default username is blank and the default password is wirelessap.
Enable password and privilege level: Default password is wirelessap.
When the system prompts you to enter the enable password, you need not precede the question mark with Ctrl-V; you can simply enter abc?123 at the password prompt. The characters TAB, ?, $, +, and [ are invalid characters for passwords.
4.

Protecting Enable and Enable Secret Passwords
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the global enable password or enable secret...

Encryption prevents the password from being readable in the configuration file.
4. Return to privileged EXEC mode.
5. (Optional) Save your entries in the configuration file. copy running-config startup-config
If both the enable and enable secret passwords are defined, users must enter the enable secret password.
username name [privilege level] {password encryption-type password}
• For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
• (Optional) For level, specify the privilege level the user has after gaining access.

Configuring Multiple Privilege Levels
By default, Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

show running-config
show privilege
6. (Optional) Save your entries in the configuration file. copy running-config startup-config
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show command to level 15, the commands and...

Default RADIUS Configuration
RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the wireless device through CLI.

Configuring RADIUS Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces.
• For list-name, specify a character string to name the list you are creating.
• For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Defining AAA Server Groups
You can configure the wireless device to use AAA server groups to group existing server hosts for authentication. You choose a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
• (Optional) For key string, specify the authentication and encryption key used between the wireless device and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.

In this example, the wireless device is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.

Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
1. Enter global configuration mode. configure terminal
2. Configure the wireless device for user RADIUS authorization for all network-related service requests.

Controlling Access Point Access with TACACS+
This section describes how to control administrator access to the wireless device by using Terminal Access Controller Access Control System Plus (TACACS+). For complete instructions on configuring the wireless device to support TACACS+, see Configuring RADIUS and TACACS+ Servers on page 407.
Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.
1. Enter global configuration mode.
configure terminal
2. Enable AAA.
aaa new-model
3. Create a login authentication method list.
aaa authentication login {default | list-name} method1 [method2...]
•...
7. Verify your entries.
show running-config
8. (Optional) Save your entries in the configuration file.
copy running-config startup-config
• To disable AAA, use the global configuration no aaa new-model command.
• To disable AAA authentication, use the global configuration no aaa authentication login {default | list-name} method1 [method2...] command.
3. Configure the wireless device for user TACACS+ authorization to determine if the user has privileged EXEC access. The exec keyword can return user profile information (such as autocommand information).
aaa authorization exec tacacs+
4. Return to privileged EXEC mode.
5.
The Ethernet speed and duplex are set to auto by default. Beginning in privileged EXEC mode, follow these steps to configure Ethernet speed and duplex:
1. Enter global configuration mode.
configure terminal
2. Enter configuration interface mode.
interface fastethernet0
3.
Configuring the Access Point for Local Authentication and Authorization
You can configure AAA to operate without a server by configuring the wireless device to implement AAA in local mode. The wireless device then handles authentication and authorization. No accounting is available in this configuration.
• For password, specify the password the user must enter to gain access to the wireless device. The password must be from 1…25 characters, can contain embedded spaces, and must be the last option specified in the username command.
The following is a configuration example from an access point configured for Admin authentication by using TACACS+ with the auth cache enabled. While this example is based on a TACACS server, the access point can be configured for Admin authentication by using RADIUS:
version 12.3
no service pad
...
aaa authentication login mac_methods local
aaa authorization exec default local cache tac_admin group tac_admin
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
aaa session-id common
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-...
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
tacacs-server host 192.168.133.231 key 7 105E080A16001D1908
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.134.229 auth-port 1645 acct-port 1646 key 7 111918160405041E00
radius-server vsa send accounting
...
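Two settings in this example deserve a second look before it is copied: the HTTP server is left on while the secure server is off, and the TACACS+ and RADIUS shared secrets are stored with type 7 encoding, which is reversible. The following Python audit is added here as an illustration, not Rockwell or Cisco code; the configuration it scans is constructed from the lines above, and the key strings are the ones printed in the manual, not real secrets.

```python
"""Audit a Cisco IOS running-config for the management weaknesses shown
in the TACACS+/RADIUS example above (added example, not vendor code)."""
import re

# Constructed sample built from the example configuration above; the key
# strings are the ones printed in the manual, not real device secrets.
SAMPLE_CONFIG = """\
version 12.3
aaa new-model
aaa authentication login default group tac_admin local
aaa authentication login mac_methods local
aaa authorization exec default local cache tac_admin group tac_admin
ip http server
ip http authentication aaa
no ip http secure-server
tacacs-server host 192.168.133.231 key 7 105E080A16001D1908
radius-server host 192.168.134.229 auth-port 1645 acct-port 1646 key 7 111918160405041E00
"""

# TACACS+/RADIUS server lines whose shared secret is type 7 encoded.
TYPE7_HOST_RE = re.compile(r"^(tacacs-server|radius-server) host (\S+).*\bkey 7 \S+")


def audit_running_config(text):
    """Return [(line_number, message)] for each weak setting found.

    Line 0 is used for findings about something that is missing."""
    lines = [line.strip() for line in text.splitlines()]
    findings = []

    # Without 'aaa new-model' the method lists in this chapter never apply.
    if "aaa new-model" not in lines:
        findings.append((0, "AAA is not enabled: 'aaa new-model' is missing"))

    https_enabled = "ip http secure-server" in lines
    for number, line in enumerate(lines, start=1):
        if line == "ip http server" and not https_enabled:
            findings.append((number, "HTTP management is enabled but HTTPS "
                             "is not; admin logins cross the network in clear text"))
        match = TYPE7_HOST_RE.match(line)
        if match:
            findings.append((number, f"{match.group(1)} {match.group(2)}: shared "
                             "secret uses type 7 encoding, which is reversible by "
                             "anyone who can read the configuration"))
    return findings


def summarize(text):
    """One line per finding, in file order, for a quick review."""
    return [f"line {n}: {msg}" for n, msg in sorted(audit_running_config(text))]


if __name__ == "__main__":
    for row in summarize(SAMPLE_CONFIG):
        print(row)
```

Run against the sample, the audit reports line 6 (HTTP without HTTPS) and lines 9 and 10 (type 7 secrets); a configuration with ip http secure-server and no type 7 host keys produces no findings.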
Configuring the Access Point to Provide DHCP Service
By default, access points are configured to receive IP settings from a DHCP server on your network. You can also configure an access point to act as a DHCP server to assign IP settings to devices on both your wired and wireless LANs.
5. Configure the duration of the lease for IP addresses assigned by the wireless device.
• days, configure the lease duration in number of days
• (optional) hours, configure the lease duration in number of hours
•...
Monitoring and Maintaining the DHCP Server Access Point
You can use show and clear commands to monitor and maintain the DHCP server access point.
Show Commands
In Exec mode, enter the commands in this table to display information about the wireless device as DHCP server.
Configuring the Access Point for Secure Shell
This section describes how to configure the Secure Shell (SSH) feature. For complete syntax and usage information for the commands used in this section, see Secure Shell Commands in Cisco IOS Security Command Reference for Release 12.3.
Understanding SSH...
Configuring Client ARP Caching
You can configure the wireless device to maintain an ARP cache for associated client devices. Maintaining an ARP cache on the wireless device reduces the traffic load on your wireless LAN. ARP caching is disabled by default. ARP caching on the wireless device reduces the traffic on your wireless LAN by stopping ARP requests for client devices at the wireless device.
5. (Optional) Save your entries in the configuration file.
copy running-config startup-config
This example shows how to configure ARP caching on an access point:
AP# configure terminal
AP(config)# dot11 arp-cache
AP(config)# end
Managing the System Time and Date
You can manage the system time and date on the wireless device automatically, by using the Simple Network Time Protocol (SNTP), or manually, by setting the...
Enter the sntp server command once for each NTP server. The NTP servers must be configured to respond to the SNTP messages from the access point. If you enter both the sntp server command and the sntp broadcast command, the access point accepts time from a broadcast server but...
2. Verify your entries.
show running-config
3. (Optional) Save your entries in the configuration file.
copy running-config startup-config
This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001.
3. Return to privileged EXEC mode.
4. Verify your entries.
show running-config
5. (Optional) Save your entries in the configuration file.
copy running-config startup-config
The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC.
4. Verify your entries.
show running-config
5. (Optional) Save your entries in the configuration file.
copy running-config startup-config
The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone.
Default System Name and Prompt Configuration
The default access point system name and prompt is
Configuring a System Name
Beginning in privileged EXEC mode, follow these steps to manually configure a system name:
1. Enter global configuration mode.
configure terminal
2.
Understanding DNS
The DNS protocol controls the Domain Name System (DNS), a distributed database where you can map host names to IP addresses. When you configure DNS on the wireless device, you can substitute the host name for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet...
3. Specify the address of one or more name servers to use for name and address resolution. You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The wireless device sends DNS queries to the primary server first.
Displaying the DNS Configuration
To display the DNS configuration information, use the show running-config privileged EXEC command. When DNS is configured on the wireless device, a server IP address sometimes appears in the show running-config command output instead of its name.
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 7 Configuring Radio Settings
This chapter describes how to configure radio settings for the wireless access point.
Topics:
• Enabling the Radio Interface
• Universal Workgroup Bridge Mode
• Radio Tracking
• Configuring Radio Data Rates
• Configuring MCS Rates
• Configuring Radio Transmit Power
• Configuring Radio Channel Settings
• Configuring Location-based Services
• Disabling and Enabling Short Radio Preambles
...
7. (Optional) Save your entries in the configuration file.
copy running-config startup-config
Use the shutdown command to disable the radio port.
Configuring the Role in Radio Network
The Stratix 5100 Wireless Access Point/Workgroup Bridge has these roles in the radio network.
• Access point
•...
When configuring a universal workgroup bridge by using AES-CCM TKIP, the non-root device must use TKIP or AES-CCM TKIP as ciphers to associate to the root device. The non-root device does not associate with the root if it is configured with AES-CCM only.
• A universal workgroup bridge configures the access point in workgroup bridge mode and is able to interoperate with other access points. You must enter the Ethernet client MAC address. The workgroup bridge associates with the configured MAC address only if it is present in the bridge table and it should not be a static entry.
Universal Workgroup Bridge Mode
When configuring the universal workgroup bridge role, you must include the client MAC address. The workgroup bridge associates only with this MAC address if it is present in the bridge table and is not a static entry. If validation fails, the workgroup bridge associates with its BVI MAC address.
Radio Tracking
You can configure the access point to track or monitor the status of one of its radios. If the tracked radio goes down or is disabled, the access point shuts down the other radio. If the tracked radio comes up, the access point enables the other radio.
MAC-Address Tracking
You can configure the radio whose role is root access point to go up or down by tracking a client access point, using its MAC address, on another radio. If the client disassociates from the access point, the root access point radio goes down. If the client reassociates to the access point, the root access point radio comes back up.
• To set the 2.4 GHz, 802.11g radio to serve only 802.11g client devices, set any Orthogonal Frequency Division Multiplexing (OFDM) data rate (6, 9, 12, 18, 24, 36, 48, 54) to Basic.
• To set only the 5 GHz radio for 54 Mbps service, set the 54 Mbps rate to Basic and set the other data rates to Disabled.
Access Points Send Multicast and Management Frames at Highest Basic Rate
Access points running recent Cisco IOS versions transmit multicast and management frames at the highest configured basic rate, a situation that can cause reliability problems. Access points running LWAPP or autonomous IOS can transmit multicast and management frames at the lowest configured basic rate.
3. Refer to Speed Command and Purpose descriptions.
Table 81 - Speed Command and Purpose Descriptions
Command: speed
Purpose: Set each data rate to basic or enabled, or enter range to optimize range or throughput to optimize throughput.
Use the no form of the speed command to remove one or more data rates from the configuration. This example shows how to remove data rates basic-2.0 and basic-5.5 from the configuration:
ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# no speed basic-2.0 basic-5.5
ap1200(config-if)# end
...
Table 82 - Data Rates Based on MCS Settings, Guard Interval, and Channel Width (Continued)
MCS Index | Guard Interval = 800 ns | Guard Interval = 400 ns
57 7/9 | 86 2/3 | 115 5/9 | 144 4/9
The legacy rates are:
5 GHz: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps
2.4 GHz: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54 Mbps
...
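The fractional rates in Table 82 follow from the standard 802.11n MCS definition: coded bits per subcarrier and coding rate per stream, number of spatial streams, data subcarriers for the channel width, and symbol time including the guard interval. The following Python calculator is added here as an illustration and is not part of the manual; it reproduces the table's values as exact fractions, for example 57 7/9 Mbps at 20 MHz with the 400 ns guard interval.

```python
"""Compute 802.11n MCS data rates as exact fractions (added example; the
MCS parameters are the standard 802.11n definitions, not manual content)."""
from fractions import Fraction

# Coded bits per subcarrier and coding rate for the single-stream MCS 0..7;
# MCS 8..15 and 16..23 repeat the pattern with two and three spatial streams.
_MODULATION = [
    (1, Fraction(1, 2)),  # MCS 0: BPSK, rate 1/2
    (2, Fraction(1, 2)),  # MCS 1: QPSK, rate 1/2
    (2, Fraction(3, 4)),  # MCS 2: QPSK, rate 3/4
    (4, Fraction(1, 2)),  # MCS 3: 16-QAM, rate 1/2
    (4, Fraction(3, 4)),  # MCS 4: 16-QAM, rate 3/4
    (6, Fraction(2, 3)),  # MCS 5: 64-QAM, rate 2/3
    (6, Fraction(3, 4)),  # MCS 6: 64-QAM, rate 3/4
    (6, Fraction(5, 6)),  # MCS 7: 64-QAM, rate 5/6
]
DATA_SUBCARRIERS = {20: 52, 40: 108}          # per channel width in MHz
# OFDM symbol duration in microseconds: 3.2 us plus the guard interval.
SYMBOL_US = {800: Fraction(4), 400: Fraction(18, 5)}


def mcs_rate_mbps(mcs, width_mhz=20, guard_ns=800):
    """Data rate in Mbit/s for an equal-modulation MCS index 0..23."""
    if not 0 <= mcs <= 23:
        raise ValueError("only equal-modulation MCS 0..23 are handled")
    streams = mcs // 8 + 1
    bits_per_subcarrier, coding_rate = _MODULATION[mcs % 8]
    data_bits_per_symbol = (
        streams * bits_per_subcarrier * DATA_SUBCARRIERS[width_mhz] * coding_rate)
    return data_bits_per_symbol / SYMBOL_US[guard_ns]


def as_mixed_number(rate):
    """Format a Fraction the way the manual's table prints it, e.g. '57 7/9'."""
    whole, remainder = divmod(rate.numerator, rate.denominator)
    if remainder == 0:
        return str(whole)
    return f"{whole} {remainder}/{rate.denominator}"


def rate_table(width_mhz=20):
    """MCS index -> (rate at 800 ns GI, rate at 400 ns GI), as printed strings."""
    return {
        mcs: (as_mixed_number(mcs_rate_mbps(mcs, width_mhz, 800)),
              as_mixed_number(mcs_rate_mbps(mcs, width_mhz, 400)))
        for mcs in range(24)
    }


if __name__ == "__main__":
    for mcs, (long_gi, short_gi) in rate_table(20).items():
        print(f"MCS {mcs:2d}: {long_gi:>7} | {short_gi:>7}")
```

MCS 32 and the unequal-modulation MCS values are deliberately not covered, since the table excerpt above does not list them.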
Configuring Radio Transmit Power
Radio transmit power is based on the type of radio or radios installed in your access point and the regulatory domain where it operates. Use this table to determine the transmit power and the translation relationship between mW and dBm.
...power levels. CCK modulation is supported by 802.11b and 802.11g devices. OFDM modulation is supported by 802.11g and 802.11a devices. Make sure the power settings are in the manual power settings for your regulatory domain. The 802.11g radio transmits at up to 100 mW for the 1, 2, 5.5, and 11 Mbps data rates.
• Setting the power level to local sets the client power level to that of the access point.
• Setting the power level to maximum sets the client power to the allowed maximum.
The settings allowed in your regulatory domain can differ from the settings listed here.
Each 2.4 GHz channel covers 22 MHz. The bandwidth for channels 1, 6, and 11 does not overlap, so you can set up multiple access points in the same vicinity without causing interference. Both 802.11b and 802.11g 2.4 GHz radios use the same channels and frequencies.
...40 MHz with the extension channel above the control channel. Choosing 40-below sets the channel width to 40 MHz with the extension channel below the control channel. The channel command is disabled for 5 GHz radios that comply with European Union regulations on dynamic frequency selection (DFS).
Channels requiring Dynamic Frequency Selection (DFS) can be manually selected for the Stratix 5100 Wireless Access Point/Workgroup Bridge by using the -E or -M regulatory domains. The same GUI/CLI you use to manually configure non-DFS channels can be used to select DFS channels as well. The default channel selection is DFS, which randomly selects a channel.
*Mar 6 12:35:09.750: %DOT11-6-DFS_TRIGGERED: DFS: triggered on frequency 5500 MHz
When radar is detected on a channel, that channel cannot be used for 30 minutes. The access point maintains a flag in nonvolatile storage for each channel on which it has detected radar in the last 30 minutes.
Radio AIR-RM1251A, Base Address 011.9290ec0, BBlock version 0.00, Software version 6.00.0
Serial number FOCO83114WK
Number of supported simultaneous BSSID on Dot11Radio1: 8
Carrier Set: Americas (OFDM) (US )
Uniform Spreading Required: Yes
Current Frequency: 5300 MHz Channel 60 (DFS enabled)
Current Frequency: 5300 MHz Channel 60 (DFS...
configure terminal
2. Enter the configuration interface for the 802.11a radio.
interface dot11radio1
3. For number, enter one of the following channels: 36, 40, 44, 48, 149, 153, 157, 161, 5180, 5200, 5220, 5240, 5745, 5765, 5785, or 5805. Enter dfs and one of the following frequency bands to use dynamic frequency selection on the selected channel:...
The 1, 2, 3, and 4 options designate blocks of channels:
• 1 - Specifies frequencies 5.150…5.250 GHz. This group of frequencies is also known as the UNII-1 band.
• 2 - Specifies frequencies 5.250…5.350 GHz. This group of frequencies is also known as the UNII-2 band.
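The channel command in step 3 accepts either a channel number or its centre frequency, and a radar hit makes a channel unusable for 30 minutes. The following Python code is added here as an illustration, not vendor code: it normalizes both argument forms against the channel list in step 3 (centre frequency = 5000 + 5 × channel, the standard 5 GHz numbering) and keeps the 30-minute hold by parsing the %DOT11-6-DFS_TRIGGERED syslog line quoted earlier in this section, which is the constructed sample input.

```python
"""Normalize 5 GHz channel arguments and track the 30-minute radar hold
from %DOT11-6-DFS_TRIGGERED syslog lines (added example, not vendor code)."""
import re
from datetime import datetime, timedelta

# Channel numbers the manual lists for the 5 GHz radio in step 3 above.
MANUAL_CHANNELS = (36, 40, 44, 48, 149, 153, 157, 161)
RADAR_HOLD = timedelta(minutes=30)   # per the manual: unusable for 30 minutes
DFS_LOG_RE = re.compile(
    r"%DOT11-6-DFS_TRIGGERED: DFS: triggered on frequency (\d+) MHz")


def channel_to_mhz(channel):
    """5 GHz OFDM channel numbering: centre frequency = 5000 + 5 * channel."""
    return 5000 + 5 * channel


def mhz_to_channel(mhz):
    if mhz < 5000 or (mhz - 5000) % 5:
        raise ValueError(f"{mhz} MHz is not a 5 GHz channel centre frequency")
    return (mhz - 5000) // 5


def normalize_channel(value):
    """Accept a channel number or a centre frequency in MHz, the two forms the
    channel command takes, and return (channel, MHz). Values outside the
    manual's list are rejected rather than silently passed to the radio."""
    number = int(value)
    channel = number if number < 1000 else mhz_to_channel(number)
    if channel not in MANUAL_CHANNELS:
        raise ValueError(f"channel {channel} is not in the configurable list")
    return channel, channel_to_mhz(channel)


class DfsNonOccupancy:
    """Mirror of the per-channel radar flag the access point keeps."""

    def __init__(self):
        self._radar_seen = {}   # channel -> time radar was last reported

    def record_syslog(self, line, now):
        """Parse one syslog line; return the affected channel, or None."""
        match = DFS_LOG_RE.search(line)
        if match is None:
            return None
        channel = mhz_to_channel(int(match.group(1)))
        self._radar_seen[channel] = now
        return channel

    def usable(self, channel, now):
        seen = self._radar_seen.get(channel)
        return seen is None or now - seen >= RADAR_HOLD

    def blocked_channels(self, now):
        return sorted(ch for ch in self._radar_seen if not self.usable(ch, now))


# Constructed sample: the syslog line quoted in this section, with a
# wall-clock time supplied separately because the line carries no year.
SAMPLE_LINE = ("*Mar 6 12:35:09.750: %DOT11-6-DFS_TRIGGERED: "
               "DFS: triggered on frequency 5500 MHz")
SAMPLE_TIME = datetime(2014, 3, 6, 12, 35, 9)

if __name__ == "__main__":
    state = DfsNonOccupancy()
    print("radar on channel", state.record_syslog(SAMPLE_LINE, SAMPLE_TIME))
    print("blocked now:", state.blocked_channels(SAMPLE_TIME))
    print("blocked 30 min later:", state.blocked_channels(SAMPLE_TIME + RADAR_HOLD))
```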
5. (Optional) Save your entries in the configuration file.
copy running-config startup-config
Configuring Location-based Services
This section describes how to configure location-based services by using the access point CLI. As with other access point features, you can use a WLSE on your network to configure LBS on multiple access points.
Configuring LBS on Access Points
Use CLI to configure LBS on your access point. Beginning in privileged EXEC mode, follow these steps to configure LBS:
1. Enter global configuration mode.
configure terminal
2. Create an LBS profile for the access point and enter LBS configuration mode.
9. Return to global configuration mode.
exit
In this example, the profile southside is enabled on the access point 802.11g radio:
ap# configure terminal
ap(config)# dot11 lbs southside
ap(dot11-lbs)# server-address 10.91.105.90 port 1066
ap(dot11-lbs)# interface dot11 0
ap(dot11-lbs)# exit
Disabling and Enabling Short Radio Preambles
The radio preamble (sometimes called a header) is a section of data at the head of...
5. (Optional) Save your entries in the configuration file.
copy running-config startup-config
Short preambles are enabled by default. Use the preamble-short command to enable short preambles if they are disabled.
Configuring Transmit and Receive Antennas
You can select the antenna the wireless access point uses to receive and transmit data.
For best performance with two antennas, leave the receive antenna setting at the default setting, diversity. For one antenna, attach the antenna on the right and set the antenna for right.
antenna receive {diversity | left | middle | right}
5.
probe-response gratuitous {period | speed}
4. (Optional) For period, enter a value from 10 to 255 Kusec. The default value is 10.
5. (Optional) For speed, set the response speed in Mbps. The default value is 6.0.
speed {[6.0] [9.0] [12.0] [18.0] [24.0] [36.0] [48.0] [54.0]}
6.
...Cisco's WEP key permutation technique based on an early algorithm presented by the IEEE 802.11i security task group. The standards-based algorithm, TKIP, does not require Aironet extensions to be enabled.
• Repeater mode
You must enable the Aironet extensions on repeater access points and on the associated root access points.
Configuring the Ethernet Encapsulation Transformation Method
When the wireless access point receives data packets that are not 802.3 packets, the wireless access point must format the packets to 802.3 by using an encapsulation transformation method. These are the two transformation methods:
•...
The performance cost of reliable multicast delivery (a duplication of each multicast packet sent to each workgroup bridge) limits the number of infrastructure devices, including workgroup bridges, that can associate to the wireless access point. To increase beyond 20 the number of workgroup bridges that can maintain a radio link to the wireless access point, the wireless access point must reduce the delivery reliability of multicast packets to workgroup bridges.
Enabling and Disabling Public Secure Packet Forwarding
Public Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN.
Configuring Protected Ports
To prevent communication between client devices associated to different access points on your wireless LAN, you must set up protected ports on the switch where the wireless access points are connected. Beginning in privileged EXEC mode, follow these steps to define a port on your switch as a protected port:
1.
The default beacon period is 100, and the default DTIM is 2. Beginning in privileged EXEC mode, follow these steps to configure the beacon period and the DTIM:
1. Enter global configuration mode.
configure terminal
2.
4. Set the maximum RTS retries. Enter a setting from 1…128.
rts retries value
5. Return to privileged EXEC mode.
6. (Optional) Save your entries in the configuration file.
copy running-config startup-config
Use the no form of the command to reset the RTS settings to defaults.
Configuring the Maximum Data Retries
The maximum data retries setting determines the number of attempts the wireless access point makes to send a packet before giving up and dropping the...
• The 2.4 GHz radio and the 2.4 GHz 802.11n radio is 0.
• The 5 GHz radio and the 5 GHz 802.11n radio is 1.
interface dot11radio {0 | 1}
3. Set the fragmentation threshold.
•...
Performing a Carrier Busy Test
You can perform a carrier busy test to check the radio activity on wireless channels. During the carrier busy test, the wireless access point drops all associations with wireless networking devices for 4 seconds while it conducts the carrier test and then the test results appear.
Debugging Radio Functions
Use the debug dot11 privileged EXEC command to begin debugging of radio functions. Use the no form of this command to stop the debug operation. The command syntax is:
[no] debug dot11 {events | packets | forwarding | mgmt | network-map | syslog | virtual-interface}
Table 85 - Syntax for debug dot11 Command...
Chapter 8 Configuring Multiple SSIDs
This chapter describes how to configure and manage multiple service set identifiers (SSIDs) on the access point.
Topics:
• Understanding Multiple SSIDs
• Configuring Multiple SSIDs
• Configuring Multiple Basic SSIDs
• Assigning IP Redirection for an SSID
• Including an SSID in an SSIDL IE
• NAC Support for MBSSID
Understanding Multiple SSIDs
The SSID is a unique identifier that wireless networking devices use to establish...
For information on how to configure guest mode SSID and disable Guest mode SSID, see Creating an SSID Globally on page 281. If your access point is a repeater or is a root access point that acts as a parent for a repeater, you can set up an SSID for use in repeater mode.
This table shows an example SSID configuration on an access point running Cisco IOS Release 12.2(15)JA and the configuration as it appears after upgrading to Cisco IOS Release 12.3(7)JA.
Table 87 - Example: SSID Configuration Converted to Global Mode after Upgrade
SSID Configuration in 12.2(15)JA | SSID Configuration after Upgrade to 12.3(7)JA
interface dot11Radio 0...
When an SSID has been created in global configuration mode, the ssid configuration interface command attaches the SSID to the interface but does not enter ssid configuration mode. However, if the SSID has not been created in global configuration mode, the ssid command puts the CLI into SSID...
7. (Optional) Designate the SSID as your access point guest-mode SSID. The access point includes the SSID in its beacon and allows associations from client devices that don't specify an SSID.
guest-mode
8. This command controls the SSID that access points and bridges use when associating with one another.
Use the no form of the command to disable the SSID or to disable SSID features. This example shows how to:
• Name an SSID.
• Configure the SSID for RADIUS accounting.
• Set the maximum number of client devices that can associate by using this SSID to 15.
For example, this sample output from a show configuration privileged EXEC command does not show spaces in SSIDs:
ssid buffalo
vlan 77
authentication open
ssid buffalo
vlan 17
authentication open
ssid buffalo
vlan 7
authentication open
However, this sample output from a show dot11 associations privileged EXEC command shows the spaces in the SSIDs:
SSID [buffalo] :...
b. If the access point does not find a match for the client in the allowed list of SSIDs, the access point disassociates the client.
c. If the RADIUS server does not return any SSIDs (no list) for the client, then the administrator has not configured the list, and the client is allowed to associate and attempt to authenticate.
Requirements for Configuring Multiple BSSIDs
To configure multiple BSSIDs, your access points must meet these minimum requirements:
• VLANs must be configured
• Access points must run Cisco IOS Release 12.3(4)JA or later
• Access points must contain an 802.11a or 802.11g radio that supports multiple BSSIDs.
Configuring Multiple BSSIDs
Follow these steps to configure multiple BSSIDs:
1. Click Security. The Security summary page appears. If you use CLI instead of the GUI, refer to CLI commands listed in the CLI Configuration Example on page 290.
3. Enter the SSID name in the SSID field.
4. From the VLAN pull-down menu, choose the VLAN that is assigned to the SSID.
5. Select the radio interfaces where the SSID is enabled. The SSID remains inactive until you enable it for a radio interface.
6.
10. Enter a beacon rate between 1…100. Increasing the DTIM period count delays the delivery of multicast packets. Because multicast packets are buffered, large DTIM period counts can cause a buffer overflow.
11. In the Guest Mode/Infrastructure SSID Settings section, select Multiple BSSID.
Dot11Radio1 0011.2161.b7c0 atlantic
Dot11Radio0 0005.9a3e.7c0f WPA2-TLS-g
Assigning IP Redirection for an SSID
When you configure IP redirection for an SSID, the access point redirects all packets sent from client devices associated to that SSID to a specific IP address. IP redirection is used mainly on wireless LANs serving handheld devices that use a central software application and are statically configured to communicate with...
Guidelines for Using IP Redirection
Keep these guidelines in mind when using IP redirection:
• The access point does not redirect broadcast, unicast, or multicast BOOTP/DHCP packets received from client devices.
• Existing ACL filters for incoming packets take precedence over IP redirection.
IMPORTANT: ACL logging is not supported on the bridging interfaces of access point platforms. When applied on a bridging interface, it works as if the interface were configured without the log option, and logging does not take effect. However, ACL logging does work for the BVI interfaces as long as a separate ACL is used for the BVI interface.
Beginning in privileged EXEC mode, follow these steps to include an SSID in an SSIDL IE:
1. Enter global configuration mode.
configure terminal
2. Enter interface configuration mode for the radio interface.
• The 2.4 GHz radio and the 2.4 GHz 802.11n radio is 0.
•...
WLANs need to be protected from security threats such as viruses, worms, and spyware. Both the NAC Appliance and the NAC Framework provide security threat protection for WLANs by enforcing device security policy compliance when WLAN clients attempt to access the network. These solutions quarantine non-compliant WLAN clients and provide remediation services to verify compliance.
When a client associates and the RADIUS server determines that it is unhealthy, the server returns one of the quarantine NAC VLANs in its RADIUS authentication response for dot1x authentication. This VLAN must be one of the configured back-up VLANs under the client SSID.
Configuring NAC for MBSSID
This feature supports only Layer 2 mobility within VLANs. Layer 3 mobility by using a network ID is not supported in this feature. Before you attempt to enable NAC for MBSSID on your access points, you must first have NAC working properly.
Chapter 9 Configuring Spanning Tree Protocol
This chapter describes how to configure Spanning Tree Protocol (STP) on your access point.
Topics:
• Understanding Spanning Tree Protocol (STP)
• Access Point/Bridge Protocol Data Units
• Election of the Spanning-tree Root
• Spanning-tree Timers
• Creating the Spanning-tree Topology
...
STP defines a tree with a root bridge and a loop-free path from the root to all infrastructure devices in the Layer 2 network. STP discussions use the term root to describe two concepts: the bridge on the network that serves as a central point in the spanning tree is called the root bridge, and the port on each bridge that provides the most efficient path to the root bridge is called the root port.
When the access points in a network are powered up, each access point functions as the STP root. The access points send configuration BPDUs through the Ethernet and radio ports. The BPDUs communicate and compute the spanning-tree topology.
Election of the Spanning-tree Root
All access points in the Layer 2 network participating in STP gather information about other access points in the network through an exchange of BPDU data messages. This exchange of messages results in these actions:
•...
Creating the Spanning-tree Topology
In this figure, bridge 4 is elected as the spanning-tree root because the priority of all the access points is set to the default (32768) and bridge 4 has the lowest MAC address.
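The election described above can be written down directly: the bridge ID orders on priority first and MAC address second, and every other bridge then chooses as its root port the port with the least path cost to the root. The following Python code is added here as an illustration, not the access point's implementation; the four-bridge topology, its MAC addresses and its path costs are constructed so that the outcome matches the text (all priorities at the default 32768, bridge4 holding the lowest MAC address).

```python
"""Spanning-tree root election and root-port selection (added example,
not the access point's own implementation)."""
import heapq

DEFAULT_PRIORITY = 32768   # the default bridge priority


def bridge_id(priority, mac):
    """Ordering key for a bridge ID: priority first, MAC (Cisco dotted
    hex, e.g. '0011.2161.b7c0') as the tie-breaker; the lowest wins."""
    return (priority, int(mac.replace(".", ""), 16))


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Return the name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_paths(links, root):
    """links: [(bridge_a, bridge_b, path_cost)] for every bridged port pair.
    Return {bridge: (root_path_cost, next_hop)}, where next_hop is the
    neighbour behind the root port (None for the root itself)."""
    adjacency = {}
    for a, b, cost in links:
        adjacency.setdefault(a, []).append((b, cost))
        adjacency.setdefault(b, []).append((a, cost))
    best = {root: (0, None)}
    frontier = [(0, root)]
    while frontier:
        cost, node = heapq.heappop(frontier)
        if cost > best[node][0]:
            continue            # stale entry, a cheaper path was found later
        for neighbour, link_cost in adjacency.get(node, []):
            candidate = cost + link_cost
            if neighbour not in best or candidate < best[neighbour][0]:
                best[neighbour] = (candidate, node)
                heapq.heappush(frontier, (candidate, neighbour))
    return best


def spanning_tree(bridges, links):
    """Elect the root and compute every bridge's root path cost and root port."""
    root = elect_root(bridges)
    return root, root_paths(links, root)


# Constructed four-bridge example: all priorities left at the default, so the
# lowest MAC address (bridge4) becomes the root, as the text above describes.
BRIDGES = {
    "bridge1": (DEFAULT_PRIORITY, "0011.2161.b7c1"),
    "bridge2": (DEFAULT_PRIORITY, "0011.2161.b7c2"),
    "bridge3": (DEFAULT_PRIORITY, "0011.2161.b7c3"),
    "bridge4": (DEFAULT_PRIORITY, "0005.9a3e.7c0f"),
}
# Path costs are constructed; 500 mirrors the 'bridge-group 3 path-cost 500'
# setting shown in the configuration examples later in this chapter.
LINKS = [
    ("bridge4", "bridge1", 19),
    ("bridge4", "bridge2", 19),
    ("bridge1", "bridge3", 19),
    ("bridge2", "bridge3", 500),
]

if __name__ == "__main__":
    root, paths = spanning_tree(BRIDGES, LINKS)
    print("root bridge:", root)
    for name, (cost, via) in sorted(paths.items()):
        print(f"{name}: root path cost {cost}, root port towards {via}")
```

Lowering one bridge's priority below the others makes it the root regardless of its MAC address, which is the effect the bridge priority step later in this chapter describes.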
An interface moves through these states:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
• From learning to forwarding or to disabled
•...
Blocking State
An interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to the access point's Ethernet and radio ports. An access point initially functions as the spanning-tree root until it exchanges BPDUs with other access points.
Forwarding State
An interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state. An interface in the forwarding state performs as follows:
• Receives and forwards frames received on the port
•...
Default STP Configuration
STP is disabled by default. This table lists the default STP settings when you enable STP.
Table 90 - Default STP Values When STP is Enabled
Setting | Default Value
Bridge priority | 32768
Bridge max age |
Bridge hello time |
...
5. Return to global configuration mode.
exit
6. Enable STP for the bridge group. You must enable STP on each bridge group that you create with bridge-group commands.
bridge number protocol ieee
7. (Optional) Assign a priority to a bridge group. The lower the priority, the more likely it is that the bridge becomes the spanning-tree root.
guest-mode
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
no cdp enable
infrastructure-client
bridge-group 1
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
interface BVI1
ip address 1.4.64.23 255.255.0.0
no ip route-cache
...
Chapter 9 Configuring Spanning Tree Protocol Non-root Bridge without VLANs This example shows the configuration of a non-root bridge with no VLANs configured with STP enabled: hostname client-bridge-north ip subnet-zero bridge irb interface Dot11Radio0 no ip address no ip route-cache ssid tsunami authentication open guest-mode...
Configuring Spanning Tree Protocol Chapter 9 line con 0 line vty 0 4 login line vty 5 15 login Root Bridge with VLANs This example shows the configuration of a root bridge with VLANs configured with STP enabled: hostname master-bridge-hq ip subnet-zero ip ssh time-out 120 ip ssh authentication-retries 3...
Page 314
Chapter 9 Configuring Spanning Tree Protocol infrastructure-client interface Dot11Radio0.1 encapsulation dot1Q 1 native no ip route-cache no cdp enable bridge-group 1 interface Dot11Radio0.2 encapsulation dot1Q 2 no ip route-cache no cdp enable bridge-group 2 interface Dot11Radio0.3 encapsulation dot1Q 3 no ip route-cache bridge-group 3 bridge-group 3 path-cost 500 interface FastEthernet0...
Chapter 9 Configuring Spanning Tree Protocol Displaying Spanning-tree To display the spanning-tree status, use one or more of the privileged EXEC commands in this table. Status Table 91 - Commands for Displaying Spanning-tree Status Command Description show spanning-tree Information on your network’ s spanning tree. show spanning-tree blocked-ports List of blocked ports on this bridge.
Chapter 10 Configure an Access Point as a Local Authenticator

This chapter describes how to configure the access point as a local authenticator to serve as a stand-alone authenticator for a small wireless LAN or to provide backup authentication service. As a local authenticator, the access point performs LEAP, EAP-FAST, and MAC-based authentication for up to 50 client devices.

You can configure your access points to use the local authenticator when they cannot reach the main servers, or you can configure the local authenticator as the main authenticator if you don’t have a RADIUS server.

If your local authenticator access point also serves client devices, you must enter the local authenticator itself as a RADIUS server in the local authenticator’s configuration. When a client associates to the local authenticator access point, the access point uses itself to authenticate the client.

Creating Local MAC Address Lists
Now that the SSID is configured, you can create the local MAC address list.
1. Click Security.
2. From the Security menu, click Advanced Security.
3. ...

Creating and Enabling MAC Authentication by Using RADIUS Server
You must first configure the SSID. Complete the following steps to configure the SSID.
1. Click Security.
2. From the Security menu, click SSID Manager.
3. ...

If you select the option to use the defaults, click the Define Defaults link to go to the Server Manager page. This is where you configure the RADIUS server.
10. ...
9. From Default Server Priorities, determine the level of priority you want to assign to each server.
10. Select Priority 1, 2, or 3 for this server.
11. Click Apply to add the server.
Steps 12 through ...

Setting the MAC Authentication Method
After the RADIUS server is added, you can set the MAC authentication method. Complete these steps to set the MAC authentication method.
1. Click Security.
2. ...

Configuring Network EAP
A device uses the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server on your network to provide authentication for wireless client devices. To configure Network EAP, you must first configure the SSID. Follow these steps to configure the SSID.
4. Under the Encryption Mode section, click WEP Encryption to enable encryption. You can choose either Optional or Mandatory from the pull-down menu. This step is optional and can be skipped to expedite setup. If you want to set the broadcast key rotation interval, continue with this step.
...
9. Enter the port number your RADIUS server uses for accounting. The port setting for Cisco’s RADIUS server (the Access Control Server [ACS]) is 1646, and the port setting for many RADIUS servers is 1813, the IANA-assigned RADIUS accounting port. Check your server’s product documentation to find the correct accounting port setting.

Configuring Advanced EAP Parameters
Now that the RADIUS server is added, you can configure advanced EAP parameters. These steps are optional and can be skipped to expedite setup.
1. Click Security.
2. ...
Configuring the Local Authenticator Access Point by Using CLI
Beginning in privileged EXEC mode, follow these steps to configure the access point as a local authenticator:
1. Enter global configuration mode.
   configure terminal
2. ...
The reauthentication provides users with a new encryption key. The default setting is 0, which means that group members are never required to reauthenticate.
   reauthentication time seconds
9. (Optional) To help protect against password guessing attacks, you can lock out members of a user group for a length of time after a set number of incorrect passwords.
...
12. Return to privileged EXEC mode.
13. (Optional) Save your entries in the configuration file.
   copy running-config startup-config

This example shows how to set up a local authenticator used by three access points with three user groups and several users:
AP# configure terminal
AP(config)# radius-server local
...
AP(config-radsrv)# user 00095125d02b password 00095125d02b group clerks mac-auth-only
AP(config-radsrv)# user 00095125d02b password 00095125d02b group cashiers
AP(config-radsrv)# user 00079431f04a password 00079431f04a group cashiers
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user vic password lid178 group managers
AP(config-radsrv)# end

Configuring Other Access Points to Use the Local Authenticator
...
This example shows how to set up two main servers and a local authenticator with a server deadtime of 10 minutes:
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
AP(config)# radius-server host 10.91.6.151 auth-...
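How the access point works through a server list like this one, as an added example that is not code from the manual or from Cisco IOS: servers are tried in configured order, a server that does not answer is marked dead for the deadtime, dead servers are skipped until the deadtime expires, and the local authenticator is simply the last host in the list. The hosts, ports and key are those of the example above; the local authenticator's ports, the usernames and the reachability of each server over time are constructed.

```python
"""Server-list failover with radius-server deadtime.

Added example, not code from the manual or from Cisco IOS. It models the
behaviour the manual describes for a list of RADIUS servers ending in the
local authenticator: try in order, mark a silent server dead for the
deadtime, skip dead servers until the deadtime expires.
"""
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    host: str
    auth_port: int
    acct_port: int
    key: str
    dead_until: float = field(default=0.0)   # seconds on the client's clock; 0 = alive


class RadiusClient:
    def __init__(self, servers, deadtime_minutes, clock):
        self.servers = list(servers)
        self.deadtime = deadtime_minutes * 60
        self.clock = clock          # callable returning seconds
        self.log = []               # (time, host, outcome) for inspection

    def authenticate(self, username, reachable):
        """Try each server in order. 'reachable(host)' stands in for the real
        UDP exchange and returns True if the server answers before the timeout."""
        now = self.clock()
        for srv in self.servers:
            if srv.dead_until > now:
                self.log.append((now, srv.host, "skipped-dead"))
                continue
            if reachable(srv.host):
                self.log.append((now, srv.host, "answered"))
                return srv.host
            srv.dead_until = now + self.deadtime
            self.log.append((now, srv.host, "timeout->dead"))
        raise RuntimeError(f"no RADIUS server answered for {username}")


def build_client(clock):
    # Hosts, ports and key from the manual's example. The local authenticator's
    # ports are cut off on the page, so 1812/1813 are assumed here. A key like
    # 77654 is far too short for production; use a long random key.
    return RadiusClient(
        [RadiusServer("172.20.0.1", 1000, 1001, "77654"),
         RadiusServer("172.10.0.1", 1645, 1646, "77654"),
         RadiusServer("10.91.6.151", 1812, 1813, "77654")],   # local authenticator
        deadtime_minutes=10, clock=clock)


def simulate():
    """Constructed scenario: both main servers are unreachable for the first
    10 minutes, then recover. Returns the server used for each request plus the log."""
    t = {"now": 0.0}
    client = build_client(lambda: t["now"])
    main_down = {"172.20.0.1", "172.10.0.1"}
    reachable = lambda host: host not in main_down
    first = client.authenticate("carl", reachable)    # both mains time out, marked dead
    t["now"] = 60.0
    second = client.authenticate("vic", reachable)    # mains still dead: skipped, no retry
    t["now"] = 700.0
    main_down.clear()                                 # mains recovered
    third = client.authenticate("carl", reachable)    # deadtime expired: main server again
    return first, second, third, client.log


if __name__ == "__main__":
    for entry in simulate()[3]:
        print(entry)
```

The deadtime is what keeps a second client from paying the full timeout against a server the first client already found dead; without it, every request would walk the whole list before reaching the local authenticator.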
Configuring EAP-FAST Settings
The default settings for EAP-FAST authentication are suitable for most wireless LANs. However, you can customize the credential timeout values, authority ID, and server keys to match your network requirements.

Configuring PAC Settings
This section describes how to configure Protected Access Credential (PAC) settings.
...
Use this command to generate a PAC manually:
AP# radius local-server pac-generate filename username [password password] [expiry days]
When you enter the PAC filename, enter the full path to where the local authenticator writes the PAC file (such as tftp://172.1.1.1/test/user.pac).
...
attempts to decrypt the PAC with the secondary key if one is configured. If decryption fails, the authenticator rejects the PAC as invalid. Use these commands to configure server keys:
AP(config-radsrv)# [no] eapfast server-key primary {[auto-generate] | [ [0 | 7] key]}
AP(config-radsrv)# [no] eapfast server-key ...

Limiting the Local Authenticator to One Authentication Type
By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication for client devices. However, you can limit the local authenticator to perform only one or two authentication types. Use the no form of the authentication command to restrict the authenticator to an authentication ...

PAC refresh
Invalid PAC received

Username   Successes   Failures   Blocks
nicky
jones
jsmith

Router# sh radius local-server statistics
Successes
Unknown usernames
Client blocks
Invalid passwords
Unknown NAS
Invalid packet from NAS: 0

The first section of statistics lists cumulative statistics from the local authenticator.
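Step 9 of the CLI procedure above (locking out a group's users after a set number of wrong passwords) together with the counters this statistics output reports, as an added example that is not code from the manual or from Cisco IOS. The users and groups are those of the manual's configuration example; the block thresholds, block times and the request sequence are constructed.

```python
"""Password-guessing lockout in a local authenticator and the counters that
'show radius local-server statistics' reports.

Added example, not code from the manual or from Cisco IOS. Each user group
carries a block threshold and a block duration; after that many consecutive
wrong passwords the user is blocked for the duration (or until an
administrator clears it when the time is infinite). Cumulative and per-user
counters mirror the statistics output.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

INFINITE = None   # block time 'infinite': blocked until cleared


@dataclass
class Group:
    name: str
    block_count: int = 0                 # 0 = lockout disabled
    block_time: Optional[float] = 0.0    # seconds, or INFINITE


@dataclass
class User:
    name: str
    password: str
    group: Group
    mac_auth_only: bool = False
    successes: int = 0
    failures: int = 0
    blocks: int = 0
    bad_attempts: int = 0                # consecutive wrong passwords
    blocked_until: Optional[float] = 0.0 # None = blocked indefinitely


class LocalAuthenticator:
    def __init__(self):
        self.users = {}
        self.stats = {"successes": 0, "unknown_usernames": 0,
                      "client_blocks": 0, "invalid_passwords": 0}

    def add_user(self, user):
        self.users[user.name] = user

    def authenticate(self, username, password, now):
        user = self.users.get(username)
        if user is None:
            self.stats["unknown_usernames"] += 1
            return "reject"
        if user.blocked_until is None or user.blocked_until > now:
            return "blocked"      # refused before the password is even looked at
        # Constant-time compare. A real authenticator stores a verifier, not the password.
        if hmac.compare_digest(user.password.encode(), password.encode()):
            user.successes += 1
            user.bad_attempts = 0
            self.stats["successes"] += 1
            return "accept"
        user.failures += 1
        user.bad_attempts += 1
        self.stats["invalid_passwords"] += 1
        grp = user.group
        if grp.block_count and user.bad_attempts >= grp.block_count:
            user.bad_attempts = 0
            user.blocked_until = INFINITE if grp.block_time is INFINITE else now + grp.block_time
            user.blocks += 1
            self.stats["client_blocks"] += 1
            return "blocked"
        return "reject"

    def clear_block(self, username):
        """Administrator clears a blocked user."""
        self.users[username].blocked_until = 0.0
        self.users[username].bad_attempts = 0


def build_example():
    # Constructed thresholds; users and groups from the manual's example.
    managers = Group("managers", block_count=3, block_time=120)
    cashiers = Group("cashiers", block_count=2, block_time=INFINITE)
    auth = LocalAuthenticator()
    auth.add_user(User("carl", "272165", managers))
    auth.add_user(User("vic", "lid178", managers))
    auth.add_user(User("00079431f04a", "00079431f04a", cashiers, mac_auth_only=True))
    return auth


def run_scenario():
    """Constructed: three wrong guesses for carl at t=0..2, the correct password
    while blocked at t=10, the correct one after the block expires at t=130."""
    auth = build_example()
    results = [auth.authenticate("carl", "guess", t) for t in (0, 1, 2)]
    results.append(auth.authenticate("carl", "272165", 10))
    results.append(auth.authenticate("carl", "272165", 130))
    results.append(auth.authenticate("nobody", "x", 131))
    return results, auth.stats, auth.users["carl"]


def infinite_block_demo():
    """Two wrong attempts against a cashier (infinite block); time alone never
    clears it, an administrator must."""
    auth, mac = build_example(), "00079431f04a"
    auth.authenticate(mac, "bad", 0)
    auth.authenticate(mac, "bad", 1)
    still_blocked = auth.authenticate(mac, mac, 10_000_000)
    auth.clear_block(mac)
    return still_blocked, auth.authenticate(mac, mac, 10_000_001)
```

An attempt made while a user is blocked is refused without evaluating the password, so a guessing attacker learns nothing from it; the per-user Blocks column and the cumulative Client blocks line show how often the lockout fired.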
Using Debug Messages
In privileged EXEC mode, enter this command to control the display of debug messages for the local authenticator:
AP# debug radius local-server { client | eapfast | error | packets }
Use the command options to display this debug information:
• ...

Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 11 Configuring Cipher Suites and WEP

This chapter describes how to configure the cipher suites required to use Wi-Fi Protected Access (WPA) and Cisco Centralized Key Management (CCKM) authenticated key management, Wired Equivalent Privacy (WEP), WEP features including AES, Message Integrity Check (MIC), Temporal Key Integrity Protocol (TKIP), and broadcast key rotation.

Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite to enable WPA or CCKM. Because cipher suites provide the protection of WEP while also allowing use of authenticated key management, we recommend that you enable encryption by using the encryption mode ciphers command in the CLI ...

Configuring Cipher Suites and WEP
These sections describe how to configure cipher suites, WEP, and additional WEP features such as MIC, TKIP, and broadcast key rotation. WEP, TKIP, MIC, and broadcast key rotation are disabled by default.

Creating WEP Keys
You need to configure static WEP keys only if your access point needs to support client devices that use static WEP.
...
[ 0 | 7 ] [transmit-key]
4. Return to privileged EXEC mode.
5. (Optional) Save your entries in the configuration file.
   copy running-config startup-config
This example shows how to create a 128-bit WEP key in slot 3 for VLAN 22 and set the key as the transmit key:
ap5100# configure terminal
ap5100(config)# interface dot11radio 0
...

Example WEP Key Setup
This table shows an example WEP key setup that works for the access point and an associated device:
Table 93 - WEP Key Setup Example
Key Slot   Access Point (Transmit? / Key Contents)   Associated Device (Transmit? / Key Contents)
...
• If you enable a cipher suite with two elements (such as TKIP and 128-bit WEP), the second cipher becomes the group cipher.
• If you configure CKIP, you must also enable Aironet extensions. The command to enable Aironet extensions is dot11 extension ...
... key management type. This table lists the cipher suites that are compatible with WPA and CCKM.

Table 94 - Cipher Suites Compatible with WPA and CCKM
Authenticated Key Management Type   Compatible Cipher Suites
CCKM                                encryption mode ciphers wep128
                                    encryption mode ciphers wep40
                                    ...

3. Enable broadcast key rotation.
4. Enter the number of seconds between each rotation of the broadcast key.
5. (Optional) Enter a VLAN that you want to enable for broadcast key rotation.
6. (Optional) If you enable WPA authenticated key management, you can enable additional circumstances under which the access point changes and distributes the WPA group key.
Chapter 12 Configuring Authentication Types

This chapter describes how to configure authentication types on the access point.
Topics:
Understanding Authentication Types
Using WPA Key Management
Configuring Authentication Types
Configuring Additional WPA Settings
Configuring Authentication Hold-off, Timeout, and Interval
Creating and Applying EAP Method Profiles for the 802.1X Supplicant
Matching Access Point and Client Device Authentication Types

Understanding Authentication Types
The authentication types are tied to the SSIDs that you configure for the access ...

Open Authentication to the Access Point
Open authentication allows any device to authenticate and then attempt to communicate with the access point. By using open authentication, any wireless device can authenticate with the access point, but the device can communicate only if its WEP keys match the access point’s.

Figure 92 - Sequence for Shared Key Authentication (client device, access point or bridge, server on the wired LAN)
1. Authentication request
2. Unencrypted challenge text
3. Encrypted challenge text
4. Authentication success

EAP Authentication to the Network
This authentication type provides the highest level of security for your wireless network. ...
The client uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. By using information from its user database, the RADIUS server creates its own response and compares that to the response from the client. ...

If MAC-authenticated clients on your wireless LAN roam frequently, you can enable a MAC authentication cache on your access points. MAC authentication caching reduces overhead because the access point authenticates devices in its MAC-address cache without sending the request to your authentication server. See Configuring MAC Authentication Caching on page 366 for instructions on enabling this feature.

Using CCKM for Authenticated Clients
By using Cisco Centralized Key Management (CCKM), authenticated client devices can roam from one access point to another without any perceptible delay during reassociation. An access point on your network provides Wireless Domain Services (WDS) and creates a cache of security credentials for CCKM-enabled client devices on the subnet. ...

Using WPA Key Management
Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from, and is forward-compatible with, the IEEE 802.11i standard.
... Cisco Aironet client devices to support WPA and CCKM key management and CKIP and WPA-TKIP encryption protocols. To support the security combinations in this table, your Stratix 5100 Wireless Access Point/Workgroup Bridge must run the following software and firmware versions:
• ...

Table 95 - Firmware and Software Requirements
Columns: Key Management and Encryption Protocol; Third Party Host Supplicant Required; Supported Platform Operating Systems.
LEAP with CKIP: Windows 95/98, Me, NT, 2000, XP, Windows CE, Mac OS X, Linux, DOS. This security combination requires 12.2(11)JA or later.
...

The SSID can consist of up to 32 alphanumeric, case-sensitive characters. The first character cannot be any of the following:
• Exclamation point (!)
• Pound sign (#)
• Semicolon (;)
The following characters are invalid and cannot be used in an SSID:
• ...
Use the optional keyword to allow client devices using either open or EAP authentication to associate and become authenticated. This setting is used mainly by service providers that require special client accessibility. An access point configured for EAP authentication forces all client devices that associate to perform EAP authentication. ...

• To enable CCKM for an SSID, you must also enable Network-EAP authentication. When CCKM and Network EAP are enabled for an SSID, client devices using LEAP, EAP-FAST, PEAP/GTC, MSPEAP, and EAP-TLS can authenticate by using the SSID.
• ...

Use the no form of the SSID commands to disable the SSID or to disable SSID features. This example sets the authentication type for the SSID batman to Network-EAP with CCKM authenticated key management. Client devices using the batman SSID authenticate by using the adam server list. ...
Configuring Group Key Updates
In the last step in the WPA process, the access point distributes a group key to the authenticated client device. You can use these optional settings to configure the access point to change and distribute the group key based on client association and disassociation:
• ...
2. Enter the SSID defined in Step 2 to assign the SSID to the selected radio interface.
   ssid ssid-string
3. Return to privileged EXEC mode.
   end
4. Use the broadcast key rotation command to configure additional updates of the WPA group key.
...
Use the timeout option to configure a timeout value for MAC addresses in the cache. Enter a value from 30…65555 seconds. The default value is 1800 (30 minutes). When you enter a timeout value, MAC-authentication caching is enabled automatically. ...

Configuring Authentication Hold-off, Timeout, and Interval
Beginning in privileged EXEC mode, follow these steps to configure hold-off times, reauthentication periods, and authentication timeouts for client devices authenticating through your access point:
1. Enter global configuration mode.
   configure terminal
2. ...

If you configure both MAC address authentication and EAP authentication for an SSID, the server sends the Session-Timeout attribute for both MAC and EAP authentications for a client device. The access point uses the Session-Timeout attribute from the last authentication that the client performs. ...
Creating and Applying EAP Method Profiles for the 802.1X Supplicant
This section describes the optional configuration of an EAP method list for the 802.1X supplicant. Configuring EAP method profiles enables the supplicant not to acknowledge some EAP methods, even though they are available on the supplicant. ...

Applying an EAP Profile to the Fast Ethernet Interface
This operation normally applies to root access points. Beginning in privileged EXEC mode, follow these steps to apply an EAP profile to the Fast Ethernet interface:
1. ...

Matching Access Point and Client Device Authentication Types
To use the authentication types described in this section, the access point authentication settings must match the authentication settings on the client adapters that associate to the access point. See the Cisco Aironet Wireless LAN Client Adapters Installation and ...

This table lists the client and access point settings required for each authentication type.

Table 96 - Client and Access Point Settings Required for Each Authentication Type
Security Feature: Static WEP with open authentication
  Client Setting: Create a WEP key and enable Use Static WEP Keys and Open Authentication.
  Access Point Setting: Set up and enable WEP and enable Open Authentication for the SSID.
...
Security Feature: PEAP authentication
  Client Setting: If using ACU to configure the card, enable Host Based EAP and Use Dynamic WEP Keys in ACU and choose Enable network access ...
  Access Point Setting: Set up and enable WEP and enable EAP and Open authentication for the SSID.
Chapter 13 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

This chapter describes how to configure your access points for wireless domain services (WDS), fast, secure roaming of client devices, radio management, and wireless intrusion detection services (WIDS).
Topics:
Understanding WDS
...

Access points participating in radio management forward information about the radio environment (such as possible rogue access points and client associations and disassociations) to the WDS device. The WDS device aggregates the information and forwards it to a wireless LAN solution engine (WLSE) device on your network. ...

Role of Access Points by Using the WDS Device
The access points on your wireless LAN interact with the WDS device in these activities:
• Discover and track the current WDS device and relay WDS advertisements to the wireless LAN.
• ...

When you configure your wireless LAN for fast, secure roaming, however, LEAP-enabled client devices roam from one access point to another without involving the main RADIUS server. Using Cisco Centralized Key Management (CCKM), a device configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client so quickly that there is no perceptible delay in voice or other time-sensitive applications. ...

The Layer 3 mobility wireless LAN solution consists of these hardware and software components:
• The Stratix 5100 WAP and these Cisco devices (1040, 1100, 1130, 1200, 1240, and 1260 series access points) participate in WDS.
• Catalyst 6500 switch with Supervisor Module and WLSM configured as ...

This figure shows the components that interact to perform Layer 3 mobility.
Figure 99 - Required Components for Layer 3 Mobility (CiscoWorks Wireless LAN Solution Engine (WLSE), Catalyst 6500 switches, ...)

Understanding Wireless Intrusion Detection Services
When you implement Wireless Intrusion Detection Services (WIDS) on your wireless LAN, your access points, WLSE, and an optional (non-Cisco) WIDS engine work together to detect and prevent attacks on your wireless LAN infrastructure and associated client devices. ...

Configuring WDS
This section describes how to configure WDS on your network.
Topics:
Guidelines for WDS
Requirements for WDS
Configuration Overview
Configuring Access Points as Potential WDS Devices
Configuring Access Points to Use the WDS Device
Configuring WDS-Only Mode
...
Configuration Overview
You must complete three major steps to set up WDS and fast, secure roaming:
1. Configure access points, ISRs, or switches as potential WDS devices. This chapter provides instructions for configuring an access point as a WDS device. ...

Configuring Access Points as Potential WDS Devices
For the main WDS candidate, configure an access point that does not serve a large number of client devices. If client devices associate to the WDS access point when it starts up, the clients can wait several minutes to be authenticated. ...
2. Click WDS to go to the WDS/WNM Summary page.
3. On the WDS/WNM Summary page, click General Setup to go to the WDS/WNM General Setup page. The WDS/WNM General Setup page appears. ...

The WDS access point candidate with the highest number in the priority field becomes the acting WDS access point. For example, if one WDS candidate is assigned priority 255 and one candidate is assigned priority 100, the candidate with priority 255 becomes the acting WDS access point. (Note that this is the reverse of the spanning-tree convention, where the lowest priority wins.) ...

The WDS Server Groups page appears.
Figure 103 - WDS Server Groups Page

Configure a Group of Servers
Follow these instructions to create a group of servers to be used for 802.1x authentication for the infrastructure devices (access points) that use the WDS access point. ...
5. Configure the list of servers to be used for 802.1x authentication for client devices. You can specify a separate list for clients using a certain type of authentication, such as EAP, LEAP, PEAP, or MAC-based, or specify a list for client devices using any type of authentication. ...

CLI Configuration Example
This example shows the CLI commands that are equivalent to the steps listed in Configuring Access Points as Potential WDS Devices on page 384:
AP# configure terminal
AP(config)# aaa new-model
...
Configuring Access Points to Use the WDS Device
To participate in WDS, infrastructure access points must run the same IOS version as the WDS device. Follow these steps to configure an access point to authenticate through the WDS device and participate in WDS. ...
This password must match the password that you create for the access point on your authentication server.
7. Click Apply.
The access points that you configure to interact with the WDS automatically perform these steps:
• ...
• To set the WDS access point to operate in both AP and WDS modes, use the no wlccp wds mode wds-only command, save the configuration with the write command, and reload the access point. ...

Using Debug Messages
In privileged EXEC mode, use these debug commands to control the display of debug messages for devices interacting with the WDS device:
Table 98 - Debug Commands
Command   Description
...       Use this command to turn on display of debug messages related to client devices (mn), the ...

Configuring Access Points to Support Fast Secure Roaming
To support fast, secure roaming, the access points on your wireless LAN must be configured to participate in WDS and they must allow CCKM authenticated key management for at least one SSID. ...
5. Go to the SSID Manager page.
Figure 106 - SSID Manager Page
6. On the SSID that supports CCKM, choose these settings:
   a. If your access point contains multiple radio interfaces, select the interfaces that the SSID applies to.
   ...
   d. Check the CCKM check box.
7. Click Apply.

CLI Configuration Example
This example shows CLI commands that are equivalent to the steps listed in Configuring Access Points to Support Fast Secure Roaming on page 394:
AP# configure terminal
...
Management Frame Protection
Management Frame Protection provides security features for the management messages passed between access point and client stations. MFP consists of two functional components: Infrastructure MFP and Client MFP. Infrastructure MFP provides infrastructure support. ...

Protection of Broadcast Management Frames
To prevent attacks using broadcast frames, access points supporting CCXv5 don’t emit any broadcast class 3 management frames. An access point in workgroup bridge, repeater, or non-root bridge mode discards broadcast class 3 management frames if Client MFP is enabled. ...

This ssid configuration command enables Client MFP as optional on a particular SSID. The Dot11Radio interface is reset when the command is executed if the SSID is bound to the Dot11Radio interface. Client MFP is enabled for this particular SSID if the SSID is WPAv2 capable; otherwise Client MFP is disabled. ...

Beginning in privileged EXEC mode, follow these steps to configure the WDS:
1. Enter global configuration mode.
   configure terminal
2. Configure the WDS as an MFP distributor. When enabled, the WDS manages signature keys, used to create the MIC IEs, and securely transfers them between generators and detectors. ...

...
2. Click WDS.
3. Check Use this AP as Wireless Domain Services and Configure Wireless Network Manager.
4. In the Wireless Network Manager IP Address field, enter the IP address of the WLSE device on your network. ...

CLI Configuration Example
This example shows the CLI commands that are equivalent to the steps listed in Configuring Radio Management on page 400:
AP# configure terminal
AP(config)# wlccp wnm ip address 192.250.0.5
AP(config)# end
In this example, the WDS access point is enabled to interact with a WLSE device ...

Configuring the Access Point for Monitor Mode
When an access point is configured as a scanner, it can also capture frames in monitor mode. In monitor mode, the access point captures 802.11 frames and forwards them to the WIDS engine on your network. ...

Displaying Monitor Mode Statistics
Use this privileged EXEC command to display statistics on captured frames:
show wlccp ap rm monitor statistics
This example shows output from the command:
ap# show wlccp ap rm monitor statistics
Dot11Radio 0
====================
...

Configuring Monitor Mode Limits
You can configure threshold values that the access point uses in monitor mode. When a threshold value is exceeded, the access point logs the information or sends an alert. ...

Configuring WLSM Failover
To ensure near hot standby in cases of WLSM failure, the WLSM Version 2.13 Release supports resilient tunnel recovery and active and standby WLSMs.
Resilient Tunnel Recovery
In the case of a single chassis scenario (one WLSM per chassis), if the WLSM software fails, existing access point clients connected to the SUP continue to be ...
Chapter 14 Configuring RADIUS and TACACS+ Servers
This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+), which provide detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS and TACACS+ are facilitated through AAA and can be enabled only through CLI commands.
• Turnkey network security environments in which applications support the RADIUS protocol, such as an access environment that uses a smart card access control system. In one case, RADIUS has been used with Enigma’s security cards to validate users and to grant access to network resources.
RADIUS Operation
When a wireless user attempts to log in and authenticate to an access point whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in this figure.
Figure 109 - Sequence for EAP Authentication (figure labels: Wired LAN, Access point...)
Chapter 14 Configuring RADIUS and TACACS+ Servers There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device.
Configuring RADIUS and TACACS+ Servers Chapter 14 You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
1. Enter global configuration mode.
   configure terminal
2. Enable AAA.
   aaa new-model
3. Specify the IP address or host name of the remote RADIUS server host.
•...
The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.
   dot11 ssid ssid-string
5. Enable RADIUS accounting for this SSID. For list-name, specify the accounting method list. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfacct.htm#xtocid2 for more information on method lists.
Chapter 14 Configuring RADIUS and TACACS+ Servers You need to configure some settings also on the RADIUS server. These settings include the IP address of the access point and the key string to be shared by both the server and the access point. Configuring RADIUS Login Authentication To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces.
Configuring RADIUS and TACACS+ Servers Chapter 14 Use the line password for authentication. You must define a line password before you can use this authentication method. Use the password line configuration command. password • Local Use the local username database for authentication. You must enter username information in the database.
Chapter 14 Configuring RADIUS and TACACS+ Servers Defining AAA Server Groups You can configure the access point to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list.
Configuring RADIUS and TACACS+ Servers Chapter 14 • (Optional) For string, specify the authentication and encryption key used between the access point and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.
   AP(config)# aaa new-model
   AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
   AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
   AP(config)# aaa group server radius group1...
Configuring RADIUS and TACACS+ Servers Chapter 14 Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services: 1. Enter global configuration mode. configure terminal 2. Configure the access point for user RADIUS authorization for all network-related service requests.
When a session is terminated, the RADIUS server sends a disconnect message to the Network Access Server (NAS), which is an access point or WDS. For 802.11 sessions, the Calling-Station-ID [31] RADIUS attribute (the MAC address of the client) must be supplied in the POD (Packet of Disconnect) request.
string—The shared-secret text string that is shared between the network access server and the client workstation. This shared secret must be the same on both systems. Any data entered after this parameter is treated as the shared secret string.
   aaa pod server [port port-number] [auth-type {any | all | session-key}] [clients client1...] [ignore {server-key string...|...
6. Verify your entries.
   show running-config
7. (Optional) Save your entries in the configuration file.
   copy running-config startup-config
To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command.
Selecting the CSID Format
You can choose the format for MAC addresses in Called-Station-ID (CSID) and Calling-Station-ID attributes in RADIUS packets.
Configuring RADIUS and TACACS+ Servers Chapter 14 4. Specify the number of seconds an access point waits for a reply to a RADIUS request before resending the request. The default is 5 seconds; the range is 1…1000. radius-server timeout seconds 5.
Configuring the Access Point to Use Vendor-specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the access point and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use.
If you enter this command without keywords, both accounting and authentication vendor-specific attributes are used.
   radius-server vsa send [accounting | authentication]
3. Return to privileged EXEC mode.
4. Verify your settings.
   show running-config
5.
Chapter 14 Configuring RADIUS and TACACS+ Servers The access point and the RADIUS server use this text string to encrypt passwords and exchange responses. The key is a text string that must match the encryption key used on the RADIUS server.
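The shared secret described above never travels on the wire; it is mixed into three computations from RFC 2865 and RFC 2869 that both the access point and the server perform. The following is an added example, not code from the manual or from Cisco, that builds an Access-Request the way a NAS does (User-Password hidden with MD5 and the secret, Message-Authenticator as HMAC-MD5 over the packet), then verifies it on the server side and verifies the server's Response Authenticator back on the access point. The secret, user name, password and NAS address are made-up sample values; a mismatched secret on either side makes every check fail, which is why the key string must match exactly on both systems.

```python
"""Added example: how the RADIUS shared secret is used between NAS and server.
Implements only RFC 2865/2869 mechanisms; all values below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def tlv(attr_type, value):
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password: same chain, XOR with the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """What the access point (NAS) sends. request_auth must be random per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (tlv(USER_NAME, username)
             + tlv(USER_PASSWORD, hide_password(password, secret, request_auth))
             + tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    # RFC 2869 5.14: Message-Authenticator is HMAC-MD5(secret) over the whole
    # packet with the attribute's own 16 value bytes set to zero.
    attrs_zeroed = attrs + tlv(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs_zeroed)) + request_auth
    mac = hmac.new(secret, header + attrs_zeroed, hashlib.md5).digest()
    return header + attrs + tlv(MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def server_verify_request(pkt, secret):
    """Server side: accept the request only if Message-Authenticator verifies."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs = parse_attrs(pkt[20:length])
    received = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if received is None:
        return False
    zeroed = b"".join(tlv(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, pkt[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_response(code, request_pkt, secret, attrs=b""):
    """Server reply; RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request_pkt[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def nas_verify_response(resp, request_pkt, secret):
    """NAS side: recompute the Response Authenticator against the request it sent.
    Anyone without the secret cannot forge an Access-Accept that passes here."""
    header, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return resp[1] == request_pkt[1] and hmac.compare_digest(resp_auth, expected)
```

Two things to take from running it: the password hiding is only MD5-based obfuscation keyed by the secret, so a weak or reused secret lets a capture on the wired side be brute-forced, and without Message-Authenticator the request carries no integrity check at all. Use a long random secret per server and keep the AP-to-server path on a trusted VLAN.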
Configuring RADIUS and TACACS+ Servers Chapter 14 You can find a list of ISO and ITU country and area codes at the ISO and ITU websites. Cisco IOS software does not check the validity of the country and area codes that you configure on the access point. Beginning in privileged EXEC mode, follow these steps to specify WISPr RADIUS attributes on the access point: 1.
This example shows how to configure the WISPr location-name attribute (a global configuration command):
   ap(config)# snmp-server location ACMEWISP,Gate_14_Terminal_C_of_Newark_Airport
This example shows how to configure the ISO and ITU location codes on the access point:
   ap(config)# dot11 location isocc us cc 1 ac 408
This example shows how the access point adds the SSID used by the client device and formats the location-ID string:
   isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport...
Table 99 - Attributes Sent in Access-Request Packets (Continued)
Attribute ID / Description:
• NAS-Port-Type
• EAP-Message
• Message-Authenticator
(1) The access point sends the NAS-Identifier if attribute 32 (include-in-access-req) is configured.
Table 100 - Attributes Honored in Access-Accept Packets
Attribute ID / Description:
• Class...
Table 102 - Attributes Sent in Accounting-Request (update) Packets
Attribute ID / Description:
• User-Name
• NAS-IP-Address
• NAS-Port
• Service-Type
• Class
• Acct-Delay-Time
• Acct-Input-Octets
• Acct-Output-Octets
• Acct-Session-Id
• Acct-Session-Time
• Acct-Input-Packets
• Acct-Output-Packets
• NAS-Port-Type
• VSA (attribute 26) SSID
• VSA (attribute 26) NAS-Location
• VSA (attribute 26) VLAN-ID
Table 103 - Attributes Sent in Accounting-Request (stop) Packets (Continued)
Attribute ID / Description:
• VSA (attribute 26) NAS-Location
• VSA (attribute 26) Disc-Cause-Ext
• VSA (attribute 26) VLAN-ID
• VSA (attribute 26) Connect-Progress
• VSA (attribute 26) Cisco-NAS-Port
• VSA (attribute 26) Interface
Authentication
Provides complete control of authentication of administrators through a login and password dialog, challenge and response, and messaging support. The authentication facility can conduct a dialog with the administrator (for example, after a username and password are provided, it can challenge a user with several questions, such as home address, mother’s maiden name, service type, and social security number).
TACACS+ allows a conversation to be held between the daemon and the administrator until the daemon receives enough information to authenticate the administrator. The daemon prompts for a username and password combination, but can include other items, such as the user’s mother’s maiden name.
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate administrators accessing the access point through the CLI.
Identifying the TACACS+ Server Host and Setting the Authentication Key
You can configure the access point to use a single server or AAA server groups to group existing server hosts for authentication.
Configuring RADIUS and TACACS+ Servers Chapter 14 aaa group server tacacs+ group-name 5. (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2. server ip-address 6.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:
1. Enter global configuration mode.
   configure terminal
2. Enable AAA.
   aaa new-model
3. Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword...
• For list-name, specify the list created with the aaa authentication login command.
   login authentication {default | list-name}
9. Return to privileged EXEC mode.
10. Verify your entries.
   show running-config
11. (Optional) Save your entries in the configuration file.
   copy running-config startup-config
•...
Chapter 14 Configuring RADIUS and TACACS+ Servers Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services: 1. Enter global configuration mode. configure terminal 2. Configure the access point for administrator TACACS+ authorization for all network-related service requests.
Configuring RADIUS and TACACS+ Servers Chapter 14 3. Enable TACACS+ accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end. aaa accounting exec start-stop tacacs+ 4. Return to privileged EXEC mode. 5.
Chapter 14 Configuring RADIUS and TACACS+ Servers Notes: Rockwell Automation Publication 1783-UM006A-EN-P - May 2014...
Chapter 15 Configuring VLANs
This chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN in the following sections: Understanding VLANs, Configuring VLANs, VLAN Configuration Example.
Understanding VLANs
A VLAN is a switched network that is logically segmented by functions, project teams, or applications rather than on a physical or geographical basis.
You extend VLANs into a wireless LAN by adding IEEE 802.1Q tag awareness to the access point. Frames destined for different VLANs are transmitted by the wireless access point/workgroup bridge on different SSIDs with different WEP keys.
This figure shows the difference between traditional physical LAN segmentation and logical VLAN segmentation with wireless devices connected.
Figure 110 - LAN and VLAN Segmentation with Wireless Devices (figure labels: VLAN Segmentation, Traditional LAN Segmentation, VLAN 1, VLAN 2, VLAN 3, LAN 1, Catalyst...)
Chapter 15 Configuring VLANs Incorporating Wireless Devices into VLANs The basic wireless components of a VLAN consist of an access point and a client associated to it by using wireless technology. The access point is physically connected through a trunk port to the network VLAN switch where the VLAN is configured.
Configuring VLANs
When you configure VLANs on access points, the native VLAN must be VLAN1. In a single architecture, client traffic received by the access point is tunneled through an IP-GRE tunnel, which is established on the access point’s Ethernet interface native VLAN.
The following characters are invalid and cannot be used in an SSID:
• Plus sign (+)
• Right bracket (])
• Forward slash (/)
• Quotation mark (")
• Tab
• Trailing spaces
You use the ssid command’s authentication options to configure an authentication type for each SSID.
12. (Optional) Save your entries in the configuration file.
   copy running-config startup-config
This example shows how to:
a. Name an SSID.
b. Assign the SSID to a VLAN.
c. Enable the VLAN on the radio and Ethernet ports as the native VLAN.
   ap1200Router# configure terminal
   ap1200Router(config)# interface dot11radio0
   ap1200Router(config-if)# ssid batman...
Chapter 15 Configuring VLANs • VLAN names can contain up to 32 ASCII characters. However, a VLAN name cannot be a number between 1…4095. For example, vlan4095 is a valid VLAN name, but 4095 is not. The access point reserves the numbers 1…4095 for VLAN IDs.
Configuring VLANs Chapter 15 3. When the client authenticates successfully, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.
   This is configured as native Vlan for the following interface(s) :
   Dot11Radio0
   FastEthernet0
   Virtual-Dot11Radio0
   Protocols Configured:   Address:   Received:   Transmitted:
   Bridging   Bridge Group 1   201688
   Bridging   Bridge Group 1   201688
   Bridging   Bridge Group 1   201688
   Virtual LAN ID: 2 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces: Dot11Radio0.2...
In this scenario, a minimum of three VLAN connections are required, one for each level of access. Because the access point can handle up to 16 SSIDs, you can use the basic design shown in this table.
Table 104 - Access Level SSID and VLAN Assignment (columns: Level of Access, SSID...)
This table shows the commands needed to configure the three VLANs in this example.
Table 105 - Configuration Commands for VLAN Example (one column each for Configuring VLAN 1, Configuring VLAN 2, and Configuring VLAN 3; each column begins)
   ap1200Router# configure terminal
   ap1200Router(config)# interface...
   no bridge-group 2 unicast-flooding
   bridge-group 2 spanning-disabled
When you configure a bridge group on the FastEthernet interface, these commands are set automatically:
   no bridge-group 2 source-learning
   bridge-group 2 spanning-disabled
Configuring/Enabling VLAN with SSID by Using Stratix 5100 Device Manager
The default VLAN is the management VLAN, and all untagged frames are implicitly associated with this default VLAN ID. Configure one of your VLANs as the native VLAN. Complete these steps to configure the VLAN.
Configuring VLANs Chapter 15 6. Click the Define SSID link to go to the SSID Manager page. 7. Choose a unique SSID to be mapped with this VLAN. If no unique SSIDs are available, choose the <NONE> setting. 8. Click Apply to add the assigned VLAN. Set the Encryption for the VLAN Now that you have completed the configuration of the VLAN, you must set the encryption for the VLAN.
Chapter 16 Configuring QoS
This chapter describes how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size.
Chapter 16 Configuring QoS QoS for Wireless LANs Versus QoS on Wired LANs The QoS implementation for wireless LANs differs from QoS implementations on other Cisco devices. With QoS enabled, access points perform the following: • Don’t classify packets; they prioritize packets based on DSCP value, client type (such as a wireless phone), or the priority value in the 802.1q or 802.1p tag.
Configuring QoS Chapter 16 • The radio downstream flow is traffic transmitted out the access point radio to a wireless client device. This traffic is the main focus for QoS on a wireless LAN. • The radio upstream flow is traffic transmitted out the wireless client device to the access point.
Configure QoS by Using Stratix 5100 Device Manager
These steps describe how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size.
Configuring QoS Chapter 16 Follow these steps to configure QoS on your access point. 1. From the top menu, click Services. 2. From the Services menu, click QoS. 3. Select <NEW> Create/Edit Policy field or select an existing policy. 4. Type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters.
5. From the Apply Class of Service pull-down menu, select the class of service that you want the access point to apply to packets of the type that you selected from the IP Precedence menu.
6. The access point matches your IP Precedence selection with your class of service selection.
Configuring QoS Chapter 16 • Assured Forwarding - Class 4 Medium • Assured Forwarding - Class 4 High • Class Selector 1 • Class Selector 2 • Class Selector 3 • Class Selector 4 • Class Selector 5 • Class Selector 6 •...
Chapter 16 Configuring QoS 13. Use the Apply Policies to Interface/VLANs pull-down menus to apply policies to the access point Ethernet and radio ports. • If VLANs are configured on the access point, pull-down menus for each VLAN’s virtual ports appear in this section. •...
Configuring QoS Chapter 16 Using Wi-Fi Multimedia Mode When you enable QoS, the access point uses Wi-Fi Multimedia (WMM) mode by default. WMM provides these enhancements over basic QoS mode: • The access point adds each packet’s class of service to the packet’s 802.11 header to be passed to the receiving station.
Chapter 16 Configuring QoS Configuring QoS QoS is disabled by default (however, the radio interface always honors tagged 802.1P packets even when you have not configured a QoS policy). This section describes how to configure QoS on your access point. Configuration Guidelines Before configuring QoS on your access point, be aware of this information: •...
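The two statements above, that the radio honors the 802.1p priority in tagged frames and that QoS decisions are made per access category, come together at the point where the access point reads an 802.1Q tag (the tag awareness described in Chapter 15). The following is an added example, not code from the manual or from Cisco, that parses an 802.1Q-tagged Ethernet frame into its VLAN ID and priority (PCP), maps the priority to the WMM access category (the IEEE 802.1D user-priority mapping: 1 and 2 to AC_BK, 0 and 3 to AC_BE, 4 and 5 to AC_VI, 6 and 7 to AC_VO, matching "Video (CoS 4-5)" and "video access category (AC = 2)" later in this chapter), and drops frames tagged for a VLAN that is not configured on the access point. The frames are constructed sample data.

```python
"""Added example: parse 802.1Q tags and map 802.1p priority to a WMM access
category, as an 802.1Q-aware access point does before queuing a frame."""
import struct

TPID_8021Q = 0x8100
# IEEE 802.1D user priority -> WMM access category index (0=BE, 1=BK, 2=VI, 3=VO)
PRIORITY_TO_AC = {0: 0, 1: 1, 2: 1, 3: 0, 4: 2, 5: 2, 6: 3, 7: 3}
AC_NAMES = {0: "AC_BE", 1: "AC_BK", 2: "AC_VI", 3: "AC_VO"}


def build_frame(dst, src, vlan_id, pcp, ethertype, payload, dei=0):
    """Tagged frame: dst, src, TPID 0x8100, TCI (PCP:3 | DEI:1 | VID:12), inner type."""
    tci = (pcp << 13) | (dei << 12) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def build_untagged(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst/src/vlan/pcp/ethertype/payload. vlan is None for an untagged
    frame and for a priority-tagged frame (VID 0); VID 4095 is reserved."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan": None, "pcp": 0,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    if vid == 4095:
        raise ValueError("reserved VLAN ID 4095")
    return {"dst": dst, "src": src, "vlan": vid or None, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


def access_category(pcp):
    return PRIORITY_TO_AC[pcp & 7]


def classify(frame, native_vlan=1, allowed_vlans=()):
    """Decide the VLAN a frame belongs to and the radio queue it goes to.
    Untagged frames belong to the native VLAN. A frame tagged for a VLAN the
    access point does not carry is dropped (returns None) rather than being
    forwarded onto some other SSID."""
    fields = parse_frame(frame)
    vlan = fields["vlan"] if fields["vlan"] is not None else native_vlan
    if vlan != native_vlan and vlan not in allowed_vlans:
        return None
    return vlan, AC_NAMES[access_category(fields["pcp"])]
```

Because the radio honors the tag even without a QoS policy, a client or a rogue bridge that sets PCP 6 or 7 on bulk traffic gets voice-queue treatment; a QoS policy that re-marks on ingress, as this chapter describes, is the control for that.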
Configuring QoS Chapter 16 The QoS Policies page appears. Figure 112 - QoS Policies Page 4. With <NEW> selected in the Create/Edit Policy field, type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters.
Chapter 16 Configuring QoS Settings in the Apply Class of Service menu include: • Best Effort (0) • Background (1) • Spare (2) • Excellent (3) • Control Lead (4) • Video <100 ms Latency (5) • Voice <100 ms Latency (6) •...
Configuring QoS Chapter 16 The access point matches your IP DSCP selection with your class of service selection. 10. Click Add beside the Class of Service menu for IP DSCP. The classification appears in the Classifications field. 11. If you need to prioritize the packets from Spectralink phones (IP Protocol 119) on your wireless LAN, use the Apply Class of Service pull-down menu.
Chapter 16 Configuring QoS 18. When you finish adding classifications to the policy, click Apply under the Apply Class of Service pull-down menus. • To cancel the policy and reset all fields to defaults, click Cancel under the Apply Class of Service pull-down menus. •...
IGMP Snooping
When Internet Group Membership Protocol (IGMP) snooping is enabled on a switch and a client roams from one access point to another, the client’s multicast session is dropped. When the access point’s IGMP snooping helper is enabled, the access point sends a general query to the wireless LAN, prompting the client to send in an IGMP membership report.
This is used to rate-limit the upstream traffic originating from each of the non-root bridges to the root bridge in case of a P2MP setup. To do rate-limiting on downstream traffic, class-maps are applied at the root-side router/switch.
IMPORTANT Rate-limiting can be applied only to Ethernet ingress.
Adjusting Radio Access Categories
The access point uses the radio access categories to calculate backoff times for...
This figure shows the Radio Access Categories page. Dual-radio access points have a Radio Access Categories page for each radio.
Figure 114 - Radio Access Categories Page
IMPORTANT In this release, clients are blocked from using an access category when you select Enable for Admission Control.
For information on other keywords for the show spanning-tree privileged EXEC command, see publication Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges.
IMPORTANT The above rates work fine for Cisco phones. Third-party wireless phones can have a different nominal rate or minimum PHY rate.
5. To use the video access category (AC = 2) for signaling, check Admission Control under Video (CoS 4-5).
IMPORTANT The admission control settings you have configured do not take effect until you enable admission control on an SSID.
Enabling Admission Control
Follow these steps to enable admission control on an SSID:
1.
Chapter 17 Configuring Filters
This chapter covers these topics: Understanding Filters, Configuring Filters by Using CLI Commands, Configuring Filters by Using Stratix 5100 Device Manager.
Understanding Filters
Protocol filters (IP protocol, IP port, and Ethertype) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports. You can set up individual protocol filters or sets of filters.
Configuring Filters by Using CLI Commands
To configure filters by using CLI commands, you use access control lists (ACLs) and bridge groups. You can find explanations of these concepts and instructions for implementing them in these documents:
•...
6. Create an ACL. For this example, 101:
   AP(config)# ip access-list extended 101
   AP(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range Test
IMPORTANT This ACL permits Telnet (TCP port 23) traffic from 10.1.1.0/24 to 172.16.1.0/24 only while the time range Test is active. Everything else, including the return packets of those Telnet sessions if the ACL is applied in the reverse direction, is dropped by the implicit deny at the end of every ACL.
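Before applying an ACL like this one to a radio or Ethernet port it pays to check what it will actually match. The following is an added example, not code from the manual or from Cisco, that evaluates extended-ACL lines of the form shown above against sample packets: Cisco wildcard-mask matching (a 1 bit means "don't care"), the any and host shorthands, the eq port operator, a periodic time-range, and the implicit deny at the end of the list. The port-name table, the time-range definition and the packets are constructed; a real time-range can carry several entries and absolute times, which this small evaluator does not model.

```python
"""Added example: evaluate Cisco-style extended ACL entries against packets,
including time-range and the implicit deny. Sample data is constructed."""
import ipaddress
from datetime import datetime, time

NAMED_PORTS = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: bits set to 1 are ignored; 0.0.0.0 means exact host."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


class TimeRange:
    """A 'time-range' with one 'periodic' entry, e.g. weekdays 08:00 to 17:00."""

    def __init__(self, days, start, end):
        self.days = {d.lower() for d in days}
        self.start, self.end = time.fromisoformat(start), time.fromisoformat(end)

    def active(self, when):
        return (when.strftime("%a").lower() in self.days
                and self.start <= when.time() <= self.end)


def _addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>] [time-range <name>]'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    ace = {"action": action, "proto": proto, "src": src, "dst": dst,
           "dport": None, "time_range": None}
    while i < len(tok):
        if tok[i] == "eq":
            ace["dport"] = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "time-range":
            ace["time_range"] = tok[i + 1]
            i += 2
        else:
            raise ValueError("unsupported keyword: " + tok[i])
    return ace


def evaluate(acl, pkt, time_ranges, now):
    """First matching entry wins; an entry whose time-range is inactive is
    skipped as if absent; no match means the implicit 'deny'.
    pkt: {'proto', 'src', 'dst', 'dport'}; now: datetime or ISO string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
            continue
        name = ace["time_range"]
        if name is not None and not time_ranges[name].active(now):
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every ACL
```

Running the page's entry through it shows the two things to check before deploying: the reply packets of a permitted Telnet session (source port 23, destination 10.1.1.x) do not match the entry, so a stateless filter needs either a second entry or the ACL applied only in the client-to-server direction, and Telnet itself is cleartext, so a time-limited permit is a narrowing, not a substitute for SSH.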
Configuring Filters by Using Stratix 5100 Device Manager
This section describes how to configure and manage MAC address, IP, and Ethertype filters on the access point by using the web-browser interface, Stratix 5100 Device Manager. Protocol filters (IP protocol, IP port, and Ethertype) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports.
Configuring Filters Chapter 17 Configuring and Enabling MAC Address Filters MAC address filters allow or disallow the forwarding of unicast and multicast packets addressed to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify.
Configuring Filters Chapter 17 To edit a filter, select the filter number from the Create/Edit Filter Index menu. 4. In the Filter Index field, name the filter with a number from 700…799. The number you assign creates an access control list (ACL) for the filter. 5.
Chapter 17 Configuring Filters 7. From the Action pull-down menu, choose Forward or Block. 8. Click Add. The MAC address appears in the Filters Classes field. To remove the MAC address from the Filters Classes list, select it and click Delete Class.
Configuring Filters Chapter 17 13. From one of the MAC pull-down menus, select the filter number. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets. Click Apply. The filter is enabled on the selected ports.
Chapter 17 Configuring Filters For MAC addresses that you want to allow to associate, choose Forward from the Action menu. Select Block for addresses that you want to prevent from associating. Select Block All from the Default Action menu. 2. From the main menu, click Security. This figure shows the Security Summary page.
4. Click the Association Access List tab.
Figure 117 - Association Access List Page
5. Select your MAC address ACL from the pull-down menu.
6. Click Apply.
Chapter 17 Configuring Filters Configuring and Enabling IP Filters IP filters (IP address, IP protocol, and IP port) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports. IP address filters allow or disallow the forwarding of unicast and multicast packets addressed to specific IP addresses.
5. From the Default Action pull-down menu, select Forward all or Block all.
• The filter’s default action must be the opposite of the action for at least one of the addresses in the filter.
• For example, if you create a filter containing an IP address, an IP protocol, and an IP port and you choose Block as the action for all of them, you must choose Forward All as the filter’s default action.
Configuring Filters Chapter 17 3. From the Action pull-down menu, select Forward or Block and click Add. • The address appears in the Filters Classes field. • To remove the address from the Filters Classes list, select it and click Delete Class.
8. Repeat step 5 through step 7 to add protocols to the filter.
9. If you do not need to add IP port elements to the filter, skip to step 6 to save the filter on the access point.
Filter a TCP or UDP Port Number
Follow these steps to filter a TCP or UDP port number.
• To remove the port from the Filters Classes list, select it and click Delete Class.
5. Repeat step 1 through step 4 to add ports to the filter.
6. When the filter is complete, click Apply.
IMPORTANT The filter is saved on the access point, but it is not enabled until you apply it on the Apply Filters page.
Chapter 17 Configuring Filters Figure 118 - IP Filters Page Creating an IP Filter Follow these steps to create an IP filter: 1. If you are creating a new filter, make sure <NEW> (the default) is selected in the Create/Edit Filter Name menu. To edit an existing filter, select the filter name.
4. To filter an IP address, enter an address in the IP Address field.
IMPORTANT If you plan to block traffic to all IP addresses except those you specify as allowed, put the address of your computer in the list of allowed addresses to avoid losing connectivity to the access point.
Chapter 17 Configuring Filters 13. Click Add. The protocol appears in the Filters Classes field. To remove the protocol from the Filters Classes list, select it and click Delete Class. 14. When the filter is complete, click Apply. The filter is saved on the access point, but it is not enabled until you apply it on the Apply Filters page.
Configuring Filters Chapter 17 Figure 120 - Ethertype Filters Page Follow these steps to go to the Ethertype Filters page: 1. From the main menu, click Services. 2. In the Services page list, click Filters. 3. On the Apply Filters page, click the Ethertype Filters tab. Creating an Ethertype Filter Follow these steps to create an Ethertype filter: 1.
Chapter 17 Configuring Filters 5. Enter the mask for the Ethertype in the Mask field. If you enter 0, the mask requires an exact match of the Ethertype. 6. From the Action menu, select Forward or Block. 7. Click Add. The Ethertype appears in the Filters Classes field.
Chapter 18 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on your access point. If you are not going to use CDP, we recommend that you turn the feature off.
IMPORTANT For complete syntax and usage information for the commands used in this chapter, see these publications:
•...
Configuring CDP
This section contains CDP configuration information and procedures:
Default CDP Configuration
This table lists the default CDP settings.
Table 108 - Default CDP Configuration
Feature / Default Setting:
• CDP global state: Enabled
• CDP interface state: Enabled
• CDP holdtime (packet holdtime in seconds)
• CDP timer (packets sent every x seconds)
   AP# show cdp
   Global CDP information:
     Sending a holdtime value of 120 seconds
     Sending CDP packets every 50 seconds
For additional CDP commands, see Monitoring and Maintaining CDP on page 503.
Disabling and Enabling CDP
CDP is enabled by default.
Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:
1. Enter global configuration mode.
   configure terminal
2. Enter interface configuration mode, and enter the interface on which you are disabling CDP.
   interface interface-id
3.
Monitoring and Maintaining CDP
To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
Command | Description
clear cdp counters | Reset the traffic counters to zero.
clear cdp table | Delete the CDP table of information about neighbors.
show cdp | Display global information, such as frequency of transmissions and the holdtime for packets...
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 06-Jul-01 18:18 by jang
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF00000000000000024B293A00FF0000
VTP Management Domain: ''
Duplex: full
-------------------------
Device ID: idf2-1-lab-l3.cisco.com
Entry address(es):
IP address: 10.1.1.10
Platform: cisco WS-C3524-XL, Capabilities: Trans-...
IP address: 172.20.135.202
Protocol information for tstswitch2 :
IP address: 172.20.135.204
IP address: 172.20.135.202
AP# show cdp interface
GigabitEthernet0/1 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
GigabitEthernet0/2 is up, line protocol is down
Encapsulation ARPA
Sending CDP packets every 60 seconds...
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
AP# show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Interface Holdtme...
Chapter 19 Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your access point. For complete syntax and usage information for the commands used in this chapter, see these publications:
• Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges
•...
SNMP Versions
This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a full Internet standard, defined in RFC 1157.
• SNMPv2C has these features:
– SNMPv2—Version 2 of the Simple Network Management Protocol, a draft Internet standard, defined in RFCs 1902…1907.
SNMP Manager Functions
The SNMP manager uses information in the MIB to perform the operations described in this table.
Table 110 - SNMP Operations
Operation | Description
get-request | Retrieves a value from a specific variable.
get-next-request | Retrieves a value from a variable within a table.
get-bulk-request | Retrieves large blocks of data that would otherwise require the transmission of many small blocks of data, such as multiple rows in a table.
SNMP Community Strings
SNMP community strings authenticate access to MIB objects and function as embedded passwords. For the NMS to access the access point, the community string definitions on the NMS must match at least one of the three community string definitions on the access point.
Default SNMP Configuration
This table shows the default SNMP configuration.
Feature | Default Setting
SNMP agent | Disabled
SNMP community strings | No strings are configured by default. However, when you enable SNMP by using the web browser interface, the access point automatically creates the public community with read-only access to the IEEE802dot11 MIB.
• Read and write or read-only permission for the MIB objects accessible to the community
In the current Cisco IOS MIB agent implementation, the default community string is for the Internet MIB object sub-tree. Because IEEE802dot11 is under another branch of the MIB object tree, you must enable either a separate community string and view on the IEEE802dot11 MIB or a common view and community string on the ISO object in the MIB object tree.
• For source, enter the IP address of the SNMP managers that are permitted to use the community string to gain access to the agent.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.
Configuring SNMP-Server Hosts
To configure the recipient of an SNMP trap operation, use the following command in global configuration mode:
snmp-server host host [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
Configuring SNMP-Server Users
To configure a new user to an SNMP group, use the following command in global...
Some notification types cannot be controlled with the snmp-server enable global configuration command, such as udp-port. These notification types are always enabled. You can use the snmp-server host global configuration command to configure a specific host to receive the notification types listed in Table 111 on page 514.
5. Verify your entries.
show running-config
6. (Optional) Save your entries in the configuration file.
copy running-config startup-config
To remove the specified host from receiving traps, use the no snmp-server host global configuration command. To disable a specific server host trap type, use the notification-types...
Using the snmp-server view Command
In global configuration mode, use the snmp-server view command to access Standard IEEE 802.11 MIB objects through IEEE view and the dot11 read-write community string. This example shows how to enable IEEE view and dot11 read-write community string:
AP(config)# snmp-server view ieee ieee802dot11 included...
This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com by using the community string public.
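The following Python, an added illustration rather than code from this manual or from Cisco IOS, models how the access point decides which managers a community string admits: the source and source-wildcard rule described in the community string section (a 1 bit in the wildcard means "ignore this bit"), first-match evaluation, and the implicit deny at the end of the access list. Access list 4, the comaccess string and the manager addresses are constructed sample values.

```python
"""Added example, not from the Stratix 5100 manual or Cisco IOS: model the
access-list check that gates an SNMP community string.

Assumptions: standard IOS numbered-ACL semantics (first matching entry
wins, implicit deny at the end); a 1 bit in source-wildcard means
"ignore this bit". Access list 4, the comaccess string and all manager
addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    source: str                  # dotted-decimal source address
    wildcard: str = "0.0.0.0"    # dotted-decimal wildcard bits; 0.0.0.0 = exact match


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def entry_matches(entry: AclEntry, manager_ip: str) -> bool:
    """True when manager_ip matches entry.source under entry.wildcard.

    Bits set to 1 in the wildcard are ignored, so only the bits where the
    wildcard is 0 (the "care" bits) are compared.
    """
    care = ~_to_int(entry.wildcard) & 0xFFFFFFFF
    return ((_to_int(manager_ip) ^ _to_int(entry.source)) & care) == 0


def acl_permits(acl: List[AclEntry], manager_ip: str) -> bool:
    """First-match evaluation; an unmatched address hits the implicit deny."""
    for entry in acl:
        if entry_matches(entry, manager_ip):
            return entry.action == "permit"
    return False


# community string -> (access mode, access list or None when unrestricted)
CommunityTable = Dict[str, Tuple[str, Optional[List[AclEntry]]]]


def community_access(table: CommunityTable, community: str, manager_ip: str) -> Optional[str]:
    """Return "RO" or "RW" for a manager presenting `community`, else None.

    None covers both an unknown community string and a known string used
    from an address its access list does not permit; the agent treats both
    as an authentication failure.
    """
    if community not in table:
        return None
    access, acl = table[community]
    if acl is not None and not acl_permits(acl, manager_ip):
        return None
    return access


def render_ios_config(acl_number: int, acl: List[AclEntry], community: str, access: str) -> List[str]:
    """Render the equivalent IOS global-configuration lines, for documentation."""
    lines = [f"access-list {acl_number} {e.action} {e.source} {e.wildcard}" for e in acl]
    lines.append(f"snmp-server community {community} {access} {acl_number}")
    return lines


# Constructed sample: access list 4 admits only the 10.1.1.0/24 management
# subnet, except one host; comaccess is the only community string defined.
ACL_4 = [
    AclEntry("deny", "10.1.1.99"),                # one host that must not manage the AP
    AclEntry("permit", "10.1.1.0", "0.0.0.255"),  # the management subnet
]
COMMUNITIES: CommunityTable = {"comaccess": ("RO", ACL_4)}


if __name__ == "__main__":
    for line in render_ios_config(4, ACL_4, "comaccess", "RO"):
        print(line)
    for ip in ("10.1.1.20", "10.1.1.99", "10.1.2.20"):
        print(ip, "comaccess ->", community_access(COMMUNITIES, "comaccess", ip))
    print("10.1.1.20 public ->", community_access(COMMUNITIES, "public", "10.1.1.20"))
```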
Chapter 20 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode
This chapter describes how to configure your access point as a repeater, as a hot standby unit, or as a workgroup bridge.
Topic | Page
Understanding Repeater Access Points
Configuring a Repeater Access Point
Understanding Hot Standby
Configuring a Hot Standby Access Point by Using CLI
Understanding Workgroup Bridge Mode...
To set up repeaters, you must enable Aironet extensions on both the parent (root) access point and the repeater access points. Aironet extensions are enabled by default. This improves the access point's ability to understand the capabilities of Cisco Aironet client devices associated with the access point.
Configuring a Repeater Access Point
This section provides instructions for setting up an access point as a repeater.
Default Configuration
Access points are configured as root units by default. This table shows the default values for settings that control the access point's role in the wireless LAN.
Setting Up a Repeater
Beginning in Privileged Exec mode, follow these steps to configure an access point as a repeater:
1. Enter the global configuration mode.
configure terminal
2.
(Optional) You can also enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list. Enter a timeout value from 0 to 65535 seconds.
2. Enter interface configuration mode for the radio interface.
– The 2.4 GHz radio and the 2.4 GHz 802.11n radio is 0.
– The 5 GHz radio and the 5 GHz 802.11n radio is 1.
interface dot11radio { 0 | 1 }
3.
Setting Up a Repeater as a LEAP Client
You can set up a repeater access point to authenticate to your network like other wireless client devices. After you provide a network username and password for the repeater access point, it authenticates to your network by using LEAP, Cisco's wireless authentication method, and receives and uses dynamic WEP keys.
5. Configure the username and password that the repeater uses when it performs LEAP authentication. This username and password must match the username and password that you set up for the repeater on the authentication server.
6. Designate the SSID as the SSID that the repeater uses to associate to other access points.
infrastructure ssid
7. Enter a pre-shared key for the repeater. Enter the key by using either hexadecimal or ASCII characters. If you use hexadecimal, you must enter 64 hexadecimal characters to complete the 256-bit key.
The MAC address of the monitored access point can change if a BSSID on the monitored unit is added or deleted. If you use multiple BSSIDs on your wireless LAN, check the status of the standby unit when you add or delete BSSIDs on the monitored access point.
The table below lists the possible status values of the standby access point.
Message | Description
IAPP Standby is Disabled | The access point is not configured for standby mode.
IAPP - AP is in standby mode | The access point is in standby mode.
To quickly duplicate the monitored access point's settings on the standby access point, save the monitored access point configuration and load it on the standby access point. Beginning in Privileged Exec mode, follow these steps to enable hot standby mode on an access point:
1.
6. If the monitored access point is configured to require LEAP authentication, configure the username and password that the standby access point uses when it performs LEAP authentication. This username and password must match the username and password that you set up for the standby access point on the authentication server.
13. (Optional) Save your entries in the configuration file.
copy running-config startup-config
After you enable standby mode, configure the settings that you recorded from the monitored access point to match on the standby access point.
Verifying Standby Operation
Use this command to check the status of the standby access point:
show iapp standby-status...
Understanding Workgroup Bridge Mode
You can configure the Stratix 5100 access point as a workgroup bridge. In workgroup bridge mode, the unit associates to another access point as a client and provides a network connection for the devices connected to its Ethernet port.
This figure shows an access point in workgroup bridge mode.
Figure 123 - Access Point in Workgroup Bridge Mode [figure not reproduced: shows the Access Point (Root Unit) on the Wired LAN and a switch with 100Base-TX Ethernet ports]...
Treating Workgroup Bridges as Infrastructure Devices or Client Devices
The access point that a workgroup bridge associates to can treat the workgroup bridge as an infrastructure device or as a simple client device. By default, access points and bridges treat workgroup bridges as client devices.
Configuring a Workgroup Bridge for Roaming
If your workgroup bridge is mobile, you can configure it to scan for a better radio connection to a parent access point or bridge. Use this command to configure the workgroup bridge as a mobile station:
ap(config)# mobile station...
ap(config-if)#end
Use the no mobile station scan command to restore scanning to all the channels.
Ignoring the CCX Neighbor List
In addition, the workgroup bridge updates its known channel list by using CCX reports such as the AP Adjacent report or Enhanced Neighbor List report.
Workgroup Bridge VLAN Tagging
The Workgroup-Bridge (WGB) VLAN tagging feature enables segregation of VLAN traffic based on the VLAN numbers for the Unified WGB solution. When this feature is enabled, the WGB removes the 802.1q header while sending the packet from a VLAN client to the wireless LAN controller (WLC).
6. (Optional) If the parent access point is configured to require LEAP authentication, configure the username and password that the workgroup bridge uses when it performs LEAP authentication. This username and password must match the username and password that you set up for the workgroup bridge on the authentication server.
This example shows how to configure an access point as a workgroup bridge. In this example, the workgroup bridge uses the configured username and password to perform LEAP authentication, and the devices attached to its Ethernet port are assigned to VLAN 22:
AP# configure terminal
AP(config)# interface dot11radio 0...
Guidelines for Using Workgroup Bridges in a Lightweight Environment
Follow these guidelines for using workgroup bridges on your lightweight network:
• The workgroup bridge can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release JA or greater (on 32-MB access points).
• In a mesh network, a workgroup bridge can associate to any mesh access point, regardless of whether it acts as a root access point or a mesh access point.
Sample Workgroup Bridge Configuration
Here is a sample configuration of a workgroup bridge access point by using static WEP with a 40-bit WEP key:
ap#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Enabling VideoStream Support on Workgroup Bridges
VideoStream improves the reliability of an IP multicast stream by converting the multicast frame, over the air, to a unicast frame. Cisco IOS Releases 15.2(2)JA and later provide VideoStream support for wired devices connected to workgroup bridges.
Chapter 21 Configuring System Message Logging
This chapter describes how to configure system message logging on your access point.
Topic | Page
Understanding System Message Logging
Configuring System Message Logging
Displaying the Logging Configuration
Default System Message Logging Configuration
Disabling and Enabling Message Logging
Setting the Message Display Destination Device
Enabling and Disabling Timestamps on Log Messages
Enabling and Disabling Sequence Numbers in Log Messages...
You can set the severity level of the messages to control the type of messages displayed on the console and each of the destinations. You can timestamp log messages or set the syslog source address to enhance real-time debugging and management.
00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar...
Beginning in privileged EXEC mode, follow these steps to disable message logging:
1. Enter global configuration mode.
configure terminal
2. Disable message logging.
no logging on
3. Return to privileged EXEC mode.
4. Verify your entries.
show running-config
show logging
5.
Setting the Message Display Destination Device
If message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages:
1.
The logging buffered global configuration command copies logging messages to an internal buffer. The buffer is circular, so newer messages overwrite older messages after the buffer is full.
• To display the messages that are logged in the buffer, use the show logging privileged EXEC command.
• To disable timestamps for both debug and log messages, use the no service timestamps global configuration command.
• This example shows part of a logging display with the service timestamps log datetime global configuration command enabled:
*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from...
Defining the Message Severity Level
You can limit messages displayed to the selected device by specifying the severity level of the message, as described in Table 115 on page 555. Specifying a level causes messages at that level and numerically lower levels to be displayed at the destination.
• To disable logging to a terminal other than the console, use the no logging monitor global configuration command.
• To disable logging to syslog servers, use the no logging trap global configuration command.
This table describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
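As an added example (not code from this manual), the following Python parses IOS system messages in the %FACILITY-SEVERITY-MNEMONIC form shown earlier in this chapter and applies the severity rule above: a destination set to a given level keeps messages at that level and every numerically lower (more severe) level. The level table is the standard IOS one that Table 115 lists; the log lines are constructed samples, and the parser assumes timestamps without millisecond or timezone suffixes.

```python
"""Added example, not from the Stratix 5100 manual: parse Cisco IOS system
messages and apply the destination severity rule described above.

Assumptions: messages use the %FACILITY-SEVERITY-MNEMONIC: text form, with
an optional sequence number and an optional uptime or datetime timestamp
(no millisecond or timezone suffix); the sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOS level keyword -> (severity number, UNIX syslog definition); this is the
# standard IOS table that the manual's Table 115 reproduces.
LEVELS = {
    "emergencies": (0, "LOG_EMERG"),
    "alerts": (1, "LOG_ALERT"),
    "critical": (2, "LOG_CRIT"),
    "errors": (3, "LOG_ERR"),
    "warnings": (4, "LOG_WARNING"),
    "notifications": (5, "LOG_NOTICE"),
    "informational": (6, "LOG_INFO"),
    "debugging": (7, "LOG_DEBUG"),
}
KEYWORD_BY_NUMBER = {num: kw for kw, (num, _) in LEVELS.items()}

MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"                                     # optional sequence number
    r"(?:(?P<stamp>\*?[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}"  # datetime: *Mar 1 18:46:11
    r"|\d{2}:\d{2}:\d{2}):\s+)?"                                  # or uptime: 00:00:46
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


@dataclass
class IosMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    stamp: Optional[str] = None
    seq: Optional[int] = None

    @property
    def level_keyword(self) -> str:
        return KEYWORD_BY_NUMBER[self.severity]


def parse_line(line: str) -> Optional[IosMessage]:
    """Return the parsed message, or None for lines that are not system messages."""
    m = MSG_RE.match(line.strip())
    if m is None:
        return None
    return IosMessage(
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
        stamp=m["stamp"],
        seq=int(m["seq"]) if m["seq"] else None,
    )


def parse_log(text: str) -> List[IosMessage]:
    return [msg for msg in (parse_line(line) for line in text.splitlines()) if msg]


def for_destination(messages: List[IosMessage], level_keyword: str) -> List[IosMessage]:
    """Messages a destination set to `level_keyword` receives: that level and
    every numerically lower (more severe) level."""
    threshold = LEVELS[level_keyword][0]
    return [msg for msg in messages if msg.severity <= threshold]


def count_by_level(messages: List[IosMessage]) -> Dict[str, int]:
    return dict(Counter(msg.level_keyword for msg in messages))


# Constructed sample: uptime-stamped, datetime-stamped and sequence-numbered lines.
SAMPLE_LOG = """\
00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.20)
000012: *Mar 1 18:47:02: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.2.20
this line is not a system message
"""

if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for kw in ("errors", "notifications"):
        kept = for_destination(msgs, kw)
        print(f"logging trap {kw}: {len(kept)} of {len(msgs)} messages forwarded")
    print(count_by_level(msgs))
```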
Limiting Syslog Messages Sent to the History Table and to SNMP
If you have enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the access point history table.
When the history table is full (it contains the maximum number of message entries specified with the logging history size global configuration command), the oldest message entry is deleted from the table to allow the new message entry to be stored.
Configuring UNIX Syslog Servers
The next sections describe how to configure the 4.3 BSD UNIX server syslog daemon and define the UNIX system logging facility.
Logging Messages to a UNIX Syslog Daemon
Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server.
Configuring the UNIX System Logging Facility
When sending system log messages to an external device, you can cause the access point to identify its messages as originating from any of the UNIX syslog facilities. Beginning in privileged EXEC mode, follow these steps to configure UNIX system facility message logging:
1.
This table lists the 4.3 BSD UNIX system facilities supported by the Cisco IOS software. For more information about these facilities, consult the operator's manual for your UNIX operating system.
Table 116 - Logging Facility-Type Keywords
Facility Type Keyword | Description
auth...
Chapter Troubleshooting
This chapter provides troubleshooting procedures for basic problems with the wireless access point/workgroup bridge. For the most up-to-date and comprehensive troubleshooting information, see the Cisco TAC website at the following URL (select Top Issues and then select Wireless Technologies): http://www.cisco.com/tac
Topic | Page...
WEP Keys
The WEP key you use to transmit data must be set up exactly the same on the wireless device and any associated wireless devices. For example, if you set WEP Key 3 on your client adapter to 0987654321 and select it as the transmit key, you must set WEP Key 3 on the wireless device to exactly the same value.
Resetting to the Default Configuration
If you forget the password that lets you configure the wireless device, you need to completely reset the configuration.
IMPORTANT: The following steps reset all configuration settings to factory defaults, including passwords, WEP keys, the IP address, and the SSID. The default username is 'a blank field'...
The System Configuration screen appears.
7. Click Reset to Defaults or Reset to Defaults (Except IP).
8. If you want to retain a static IP address, choose Reset to Defaults (Except IP).
9. Click Restart. The system restarts.
10.
flashfs[0]: flashfs fsck took 0 seconds...done initializing Flash.
4. Use the dir flash: command to display the contents of Flash and find the config.txt configuration file.
ap: dir flash:
Directory of flash:/
3 .rwx 223 <date> env_vars
4 .rwx 2190 <date>...
ap# del flash:config.old
Delete filename [config.old]
Delete flash:config.old [confirm]
Reloading the Access Point Image
If the wireless device has a firmware failure, you must reload the image file by using the web browser interface or by pressing and holding the MODE button for around 30 seconds.
4. Click the System Software tab. The Summary Status page appears.
5. Click Software Upgrade. The HTTP Upgrade screen appears.
6. Browse to the image file on your PC.
7. Click Upload.
Using the TFTP Interface
The TFTP interface allows you to use a TFTP server on a network device to load the wireless device image file.
3. Enter your username and password, and press Enter.
4. Click the System Software tab.
5. Click Software Upgrade. The HTTP Upgrade screen appears.
6. Click the TFTP Upgrade tab.
7. Enter the IP address for the TFTP server in the TFTP Server field.
8.
Using CLI
Follow the steps below to reload the wireless device image by using CLI commands. When the wireless device begins to start, you interrupt the start-up process and use boot loader commands to load an image from a TFTP server to replace the image in the access point.
• Directory on the TFTP server that contains the image
• Name of the image
• Destination for the image (the wireless device Flash)
Your entry can look like this example:
ap: tar -xtract tftp://192.168.130.222/images/c350-k9w7-tar.122-13.JA1.tar flash:
When the display becomes full, CLI pauses and -- MORE -- appears.
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_last_flat.gif (318 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_nth.gif (1177 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_leftnav_dkgreen.gif (869 bytes)
-- MORE --
If you don't press the spacebar to continue, the process eventually times out and the wireless device stops inflating the image.
8.
Appendix A Protocol Filters
The tables in this appendix list some of the protocols that you can filter on the access point.
Topic | Page
Ethertype Protocols
IP Protocols
IP Port Protocols
Ethertype Protocols
In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.
Table 1 - Ethertype Protocols (Continued)
Protocol | Additional Identifier | ISO Designator
Telxon TXP 0x8729
Aironet DDP 0x872D
Enet Config Test — 0x9000
NetBEUI — 0xF0F0
IP Protocols
Table 2 - IP Protocols
Protocol | Additional Identifier | ISO Designator
dummy —...
Table 3 - IP Port Protocols (Continued)
Secure Shell (22)
Telnet —
Simple Mail Transport Protocol SMTP mail
time timserver
Resource Location Protocol
IEN 116 Name Server name
whois nicname
Domain Name Server domain —
BOOTP Server —...
Table 3 - IP Port Protocols (Continued)
NETBIOS Datagram Service netbios-dgm
NETBIOS Session Service netbios-ssn
Interim Mail Access Protocol v2 Interim Mail Access Protocol IMAP2
Simple Network Management Protocol SNMP
SNMP Traps snmp-trap
ISO CMIP Management Over IP CMIP Management Over IP cmip-man CMOT...
Table 3 - IP Port Protocols (Continued)
SUP server supfilesrv
swat for SAMBA swat
SUP debugging supfiledbg 1127
ingreslock — 1524
Prospero non-privileged prospero-np 1525
RADIUS — 1812
Concurrent Versions System 2401
Cisco IAPP — 2887
Radio Free Ethernet 5002
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Appendix Supported MIBs
This appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release. The Cisco IOS SNMP agent supports SNMPv1, SNMPv2, and SNMPv3.
Topic | Page
MIB List
Using FTP to Access the MIB Files
•...
Appendix C Error and Event Messages
Table 1 - Conventions for System Error Messages (Continued)
Message Component | Description | Example
Action Flags | Internal to the code for additional action to display. | 0—No action flag; MSG-TRACEBACK—includes traceback with message; MSG-PROCESS—includes process information with message; MSG-CLEAR—indicates condition had cleared; MSG-SECURITY—indicates as security message; MSG-NOSCAN—suppresses EEM pattern screening...
Association Management Messages
This table explains error messages that are related to association management.
Table 3 - Association Management Messages
Message: DOT11-3-BADSTATE: "%s %s ->%s."
Explanation: 802.11 association and management uses a table-
Recommended Action: The system can continue but can lose the association that...
System Log Messages
This table explains the system log messages.
Table 5 - System Log Messages
Message: %DOT11-4-LOADING_RADIO: Interface [chars],
Explanation: The radio has been stopped to load new firmware.
Recommended Action: No action is required.
Table 6 - Subsystem Messages (Continued)
Message: DOT11-6-CHAN_NOT_AVAIL: "DFS configured frequency %d Mhz unavailable for %d
Explanation: Radar has been detected on the current channel. Dynamic Frequency Selection (DFS) regulations require no transmission for 30 seconds on the channel.
Recommended Action: None.
Table 6 - Subsystem Messages (Continued)
Message: DOT11-2-PROCESS_INITIALIZATION_FAILED: "The background process for the radio
Explanation: The initialization process used by the indicated interface failed for some reason, possibly a transient error.
Recommended Action: Perform a reload of the access point. If this fails to rectify the problem, perform a power cycle.
Table 6 - Subsystem Messages (Continued)
Message: DOT11-2-NO_FIRMWARE: "Interface %s, no
Explanation: When trying to upgrade firmware, the file for the radio was not found in the flash file system. Or, the IOS on the
Recommended Action: The wrong image has been loaded into the unit.
Table 6 - Subsystem Messages (Continued)
Message: DOT11-7-CCKM_AUTH_FAILED: "Station %e CCKM authentication failed."
Explanation: The indicated station failed CCKM authentication.
Recommended Action: Verify that the topology of the access points configured to use the WDS access point is...
Table 6 - Subsystem Messages (Continued)
Message: SOAP_FIPS-2-SELF_TEST_RAD_FAILURE: "RADIO crypto FIPS self test failed at %s on interface %s %d."
Explanation: SOAP FIPS self test on radio crypto routine failed.
Recommended Action: Check radio image.
Explanation (next message): SOAP FIPS self test passed.
Message: DOT1X-SHIM-3-UNSUPPORTED_KM: "Unsupported key management: %X."
Explanation: An error occurred during the initialization of the shim layer. An unsupported key management type was found.
Recommended Action: None.
Explanation (next message): An unexpected error occurred when the shim layer tried to
Recommended Action: None.
Mini IOS Messages
Message: MTS-2-PROTECT_PORT_FAILURE: An attempt to protect port [number] failed
Explanation: Initialization failed on attempting to protect port.
Recommended Action: None.
Message: MTS-2-SET_PW_FAILURE: Error %d enabling secret password.
Explanation: Initialization failed when the user attempted to enable a secret password.
Recommended Action: None.
LWAPP Error Messages
Message: LWAPP-3-CDP: Failure sending CDP Update to Controller. Reason "s"
Explanation: Could not send access point CDP update to controller.
Recommended Action: No action is required.
Explanation (next message): This log message indicates an LWAPP client error event.
Recommended Action: No action is required.
SNMP Error Messages
Message: SNMP-3-AUTHFAILIPV6: Authentication failure for SNMP request from
Explanation: An SNMP request was sent by this host that was not properly authenticated.
Recommended Action: Make sure that the community/user name used in the SNMP req has been configured on the router.
Glossary
The following terms and abbreviations are used throughout this manual. For definitions of terms not listed here, refer to the Allen-Bradley Industrial Automation Glossary, publication AG-7.1.
802.11 The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4 GHz band.
CCKM Cisco Centralized Key Management. By using CCKM, authenticated client devices can roam from one access point to another without any perceptible delay during reassociation. An access point on your network provides wireless domain services (WDS) and creates a cache of security credentials for CCKM-enabled client devices on the subnet.
ETSI The European Telecommunication Standardization Institute (ETSI) has developed standards that have been adopted by many European countries as well as many others. Under the ETSI regulations, the power output and EIRP regulations are much different than in the United States.
file server A repository for files so that a local area network can share files, mail, and programs.
receiver sensitivity A measurement of the weakest signal a receiver can receive and still correctly translate it into data.
RF Radio frequency. A generic term for radio-based technology.
roaming A feature of some Access Points that lets you move through a facility while maintaining an unbroken connection to the LAN.
Glossary WLSE Wireless LAN Solutions Engine. The WLSE is a specialized appliance for managing Cisco Aironet wireless LAN infrastructures. It centrally identifies and configures access points in customer-defined groups and reports on throughput and client associations. WLSE's centralized management capabilities are further enhanced with an integrated template-based configuration tool for added configuration ease and improved productivity.
Rockwell Automation Support

Rockwell Automation provides technical information on the Web to assist you in using its products. At http://www.rockwellautomation.com/support you can find technical and application notes, sample code, and links to software service packs. You can also visit our Support Center at https://rockwellautomation.custhelp.com/ for software updates, support chats and forums, technical information, FAQs, and to sign up for product notification updates.