Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges, 12.3(8)JA
Cisco IOS Commands for Access Points and Bridges

Table Of Contents

Cisco IOS Commands for Access Points and Bridges

aaa authentication login default local cache

aaa authorization exec default local cache

aaa cache profile

aaa pod server

accounting (SSID configuration mode)

admission-control (QOS Class interface configuration mode)

admit-traffic (SSID configuration mode)

admit-traffic (QOS Class interface configuration mode)

anonymous-id (dot1x credentials configuration mode)

antenna

authentication (local server configuration mode)

authentication client

authentication key-management

authentication network-eap (SSID configuration mode)

authentication open (SSID configuration mode)

authentication shared (SSID configuration mode)

beacon

boot buffersize

boot ios-break

boot mode-button

boot upgrade

bridge aging-time

bridge forward-time

bridge hello-time

bridge max-age

bridge priority

bridge protocol ieee

bridge-group block-unknown-source

bridge-group path-cost

bridge-group port-protected

bridge-group priority

bridge-group spanning-disabled

bridge-group subscriber-loop-control

bridge-group unicast-flooding

broadcast-key

cache authentication profile

cache authorization profile

cache expiry

cca

channel

channel-match (LBS configuration mode)

class-map

clear dot11 aaa authentication mac-authen filter-cache

clear dot11 cckm-statistics

clear dot11 client

clear dot11 hold-list

clear dot11 statistics

clear eap sessions

clear iapp rogue-ap-list

clear iapp statistics

clear ip igmp snooping membership

clear wlccp wds

clear wlccp wds recovery statistics

concatenation

countermeasure tkip hold-time

cw-max (QOS Class interface configuration mode)

cw-min (QOS Class interface configuration mode)

debug dot11

debug dot11 aaa

debug dot11 cac

debug dot11 dot11radio

debug dot11 ids

debug dot11 ids mfp

debug eap

debug iapp

debug radius local-server

debug wlccp ap

debug wlccp ap rm enhanced-neighbor-list

debug wlccp packet

debug wlccp rmlib

debug wlccp wds

description (dot1x credentials configuration mode)

dfs band

distance

dot11 aaa authentication attributes service-type login-only

dot11 aaa authentication mac-authen filter-cache

dot11 aaa csid

dot11 association mac-list

dot11 activity-timeout

dot11 adjacent-ap age-timeout

dot11 arp-cache

dot11 carrier busy

dot11 extension aironet

dot11 extension power native

dot11 holdoff-time

dot11 ids eap attempts

dot11 ids mfp

dot11 igmp snooping-helper

dot11 lbs

dot11 linktest

dot11 location isocc

dot11 mbssid

dot11 meter

dot11 network-map

dot11 phone

dot11 priority-map avvid

dot11 qos class

dot11 ssid

dot11 update-group-key

dot11 vlan-name

dot11 wpa handshake timeout

dot1x credentials

dot1x eap profile (configuration interface mode)

dot1x eap profile (SSID configuration mode)

dot1x timeout supp-response

dot1x reauth-period

duplex

eap profile

eapfast authority

eapfast pac expiry

eapfast server-key

encryption key

encryption mode ciphers

encryption mode wep

exception crashinfo buffersize

exception crashinfo file

fixed-slot (QOS Class interface configuration mode)

fragment-threshold

group (local server configuration mode)

guest-mode (SSID configuration mode)

iapp standby mac-address

iapp standby poll-frequency

iapp standby primary-shutdown

iapp standby timeout

information-element ssidl (SSID configuration mode)

infrastructure-client

infrastructure-ssid (SSID configuration mode)

interface dot11 (LBS configuration mode)

interface dot11radio

ip igmp snooping vlan

ip redirection

l2-filter bridge-group-acl

l2-filter-block-arp

led display

led flash

logging buffered

logging snmp-trap

match (class-map configuration)

max-associations (SSID configuration mode)

mbssid

mbssid (SSID configuration mode)

method (eap profile configuration mode)

method (LBS configuration mode)

mobile station

mobility network-id

multicast address (LBS configuration mode)

nas (local server configuration mode)

packet max-retries

packet retries

packet speed

packet timeout

packet-type (LBS configuration mode)

parent

parent timeout

password (dot1x credentials configuration mode)

payload-encapsulation

pki-trustpoint (dot1x credentials configuration mode)

power client

power inline negotiation

power local

preamble-short

probe-response gratuitous

radius local-server pac-generate

radius-server local

rts

server-address (LBS configuration mode)

short-slot-time

show boot mode-button

show controllers dot11radio

show dot11 aaa authentication mac-authen filter-cache

show dot11 adjacent-ap

show dot11 associations

show dot11 bssid

show dot11 cac

show dot11 carrier busy

show dot11 directed-roam

show dot11 ids eap

show dot11 ids mfp

show dot11 network-map

show dot11 statistics client-traffic

show dot11 traffic-streams

show dot11 vlan-name

show dot1x

show dot1x credentials

show eap registrations

show eap sessions

show environment

show iapp rogue-ap-list

show iapp standby-parms

show iapp statistics

show interfaces dot11radio

show interfaces dot11radio aaa

show interfaces dot11radio statistics

show ip igmp snooping groups

show led flash

show power-injector

show radius local-server statistics

show running-config ssid

show spanning-tree

show wlccp

show wlccp ap mn

show wlccp ap rm enhanced-neighbor-list

snmp-server enable traps envmon temperature

snmp-server group

snmp-server location

snmp-server user

snmp-server view

speed (Ethernet interface)

speed (radio interface)

speed ofdm

ssid

station-role

station-role install

transmit-op (QOS Class interface configuration mode)

traffic-class

traffic-stream

username (dot1x credentials configuration mode)

user (local server configuration mode)

vlan (SSID configuration mode)

wlccp ap eap profile

wlccp ap username

wlccp authentication-server

wlccp wds aaa authentication mac-authen filter-cache

wlccp wds priority

wlccp wnm ip address

workgroup-bridge client-vlan

world-mode

wpa-psk

write memory

write terminal


Cisco IOS Commands for Access Points and Bridges


This chapter lists and describes Cisco IOS commands in Cisco IOS Release 12.3(8)JA that you use to configure and manage your access point, bridge, and wireless LAN. The commands are listed alphabetically.

aaa authentication login default local cache

To set a local login cache for authentication, authorization, and accounting (AAA) authentication, use the aaa authentication login default local cache command in global configuration mode. To disable the local login cache, use the no form of this command:

[no] aaa authentication login default local cache [word | radius | tacacs+]

Syntax Description

word

Character string used to name the local login cache used for AAA authentication login.

radius

(Optional) Specifies the RADIUS host used for the AAA authentication login.

tacacs+

(Optional) Specifies the TACACS+ host used for the AAA authentication login.


Command Default

There is no default for this command.

Command Modes

Global configuration

Command History

Release
Modification

12.3(7)JA

This command was introduced.


Examples

The following example creates a local cache for an AAA authentication list called tac_admin set as the default list used for all login authentications. This authentication checks the local cache first, and if the information is not available, the authentication server (group tac_admin) is contacted and the information is also stored in the local cache.

AP(config)# aaa authentication login default cache tac_admin group tac_admin
 
   

Related Commands

Command
Description

aaa authorization exec default local cache

Sets the local cache for AAA exec authorization

aaa cache profile

Sets the AAA cache profile name

aaa group server

Sets the AAA group server name

cache authorization profile

Sets the cache authorization profile name

cache expiry

Sets the expiration time for the local cache

server

Sets the IP address for the server


aaa authorization exec default local cache

To set a local cache for AAA exec authorization, use the aaa authorization exec default local cache command in global configuration mode. To disable the local cache, use the no form of this command:

[no] aaa authorization exec default local cache [word | radius | tacacs+]

Syntax Description

word

Character string used to name the local cache for exec AAA authorization.

radius

(Optional) Specifies the RADIUS server used for the exec AAA authorization.

tacacs+

(Optional) Specifies the TACACS+ server used for the exec AAA authorization.


Command Default

There is no default for this command.

Command Modes

Global configuration

Command History

Release
Modification

12.3(7)JA

This command was introduced.


Examples

The following example creates a local exec mode cache for an AAA authorization list called tac_admin set as the default list used for all login authorizations. This authorization checks the local cache first, and if the information is not available, the authorization server (group tac_admin) is contacted and the information is also stored in the local cache.

AP(config)# aaa authorization exec default cache tac_admin group tac_admin
 
   

Related Commands

Command
Description

aaa authentication login default local cache

Sets local cache for AAA authentication login

aaa cache profile

Sets the AAA cache profile name

aaa group server

Sets the AAA group server name

cache authentication profile

Sets the cache authentication profile name

cache expiry

Sets the expiration time for the local cache

server

Sets the IP address for the server


aaa cache profile

To set storage rules for the AAA cache, use the aaa cache profile command in global configuration mode. To disable the AAA cache profile, use the no form of this command:

[no] aaa cache profile name
[no] profile exact match [no-auth]
[no] regexp match expression [any | only] [no-auth]
[no] all [no-auth]

Syntax Description

name

Character string used to name the AAA cache profile.

profile exact match

Specifies a username that must exactly match the AAA server response before the information is saved in the cache.

no-auth

Specifies that password authentication is not performed.

regexp match expression

Specifies a regular expression that must match the AAA server response before the information is included in the cache.

Note This option is not recommended because it can require extensive processing time.

any

Specifies that any AAA server response that matches regexp match expression is saved in the cache.

only

Specifies that only 1 AAA server response that matches regexp match expression is saved in the cache.

all

Specifies that all AAA server responses are saved in the cache.


Command Default

There is no default for this command.

Command Modes

Global configuration

Command History

Release
Modification

12.3(7)JA

This command was introduced.


Examples

The following example sets a name of admin_cache for the AAA cache profile and only stores AAA server responses with the username administrator in the cache.

AP(config)# aaa cache profile admin_cache
AP(config-profile-map)# profile administrator

Related Commands

Command
Description

aaa authentication login default local cache

Sets local cache for AAA authentication login

aaa group server

Sets the AAA group server name

cache authentication profile

Sets the cache authentication profile name

cache authorization profile

Sets the cache authorization profile name

cache expiry

Sets the expiration time for the local cache

server

Sets the IP address for the server


aaa pod server

To enable inbound user sessions to be disconnected when specific session attributes are presented, use the aaa pod server global configuration command. To disable this feature, use the no form of this command.

Packet of Disconnect (POD) is a method of terminating a session that has already been connected. The POD is a RADIUS disconnect_request packet, intended for situations where the authenticating agent server wants to disconnect the user after the session has been accepted by the RADIUS access_accept packet.

aaa pod server {
auth-type [all | any | session-key] |
clients IP-address |
ignore [server-key | session-key] |
port number |
server-key string}

no aaa pod server

Syntax Description

auth-type

(Optional) Specifies the type of authorization required for disconnecting sessions. For 802.11 sessions, the Calling-Station-ID [31] RADIUS attribute must be supplied in the POD request. This is the MAC address of the client. No other attributes are used; therefore all and any have the same effect.

Note session-key is not supported for 802.11 sessions.

any

(Optional) Specifies that a session that matches all attributes sent in the POD packet is disconnected. The POD packet can contain one or more of four key attributes (user-name, framed-IP-address, session-ID, and session-key).

all

(Optional) Only a session that matches all four key attributes is disconnected. All is the default.

clients address

(Optional) Specifies the IP addresses for up to four RADIUS servers that may be nominated as clients. If this configuration is present and a POD request originates from a device that is not on the list, it is rejected.

ignore

(Optional) When set to server-key, the shared secret is not validated when a POD request is received.

port number

(Optional) Specifies the User Datagram Protocol (UDP) port on which the access point listens for packet of disconnect (POD) requests. If no port is specified, the default 1700 port is used.

session-key

(Optional) Specifies that the session that has a matching session-key attribute is disconnected. All other attributes are ignored.

Note This option is not supported for 802.11 sessions.

server-key string

Configures the secret text string that is shared between the network access server and the client workstation. This secret string must be the same on both systems.

Defaults

The POD server function is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)T

This command was introduced.

12.3(8)JA

The clients and ignore keywords were added.


Usage Guidelines

For a session to be disconnected, the values in one or more of the key fields in the POD request must match the values for a session on one of the network access server ports. Which values must match depends on the auth-type attribute defined in the command. If no auth-type is specified, all four values must match. If no match is found, all connections remain intact and an error response is returned. The key fields are as follows:

User-Name

Framed-IP-Address

Session-Id

Server-Key

Related Commands

Command
Description

aaa authentication

Enables authentication.

aaa accounting

Enables accounting records.

aaa accounting delay-start

Delays generation of the start accounting record until the user IP address is established.

debug aaa pod

Displays debug messages related to POD packets.

radius-server host

Identifies a RADIUS host.


accounting (SSID configuration mode)

Use the accounting SSID configuration mode command to enable RADIUS accounting for the radio interface (for the specified SSID). Use the no form of the command to disable accounting.

[no] accounting list-name

Syntax Description

list-name

Specifies the name of an accounting list.


Defaults

This command has no defaults.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

You create accounting lists using the aaa accounting command. These lists indirectly reference the server where the accounting information is stored.

Examples

This example shows how to enable RADIUS accounting and set the RADIUS server name:

AP(config-if-ssid)# accounting radius1
 
   

This example shows how to disable RADIUS accounting:

AP(config-if-ssid)# no accounting

Related Commands

Command
Description

ssid

Specifies the SSID and enters the SSID configuration mode


admission-control (QOS Class interface configuration mode)

Use the admission-control QOS Class interface configuration mode command to require call admission control (CAC) traffic for a radio interface. Use the no form of the command to remove the setting.

[no] admission-control


Note This command is not supported on c1200 and c1100 platforms.



Note This command is not supported when operating in repeater mode.


Syntax Description

This command has no arguments or keywords.

Defaults

This command has no defaults.

Command Modes

QOS Class interface configuration mode

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to configure CAC admission control as a requirement for the radio interface:

AP(config)# interface dot11radio 0
AP(config-if)# dot11 qos class voice
AP(config-if-qosclass)# admission-control
 
   

This example shows how to remove the CAC admission control requirement on the radio interface:

AP(config-if-qosclass)# no admission-control 

Related Commands

Command
Description

admit-traffic (QOS Class interface configuration mode)

Specifies that CAC traffic is enabled for the radio interface.

cw-max (QOS Class interface configuration mode)

Specifies the CAC maximum contention window size for the radio interface.

cw-min (QOS Class interface configuration mode)

Specifies the CAC minimum contention window size for the radio interface.

fixed-slot (QOS Class interface configuration mode)

Specifies the CAC fixed fallback slot time for the radio interface.

transmit-op (QOS Class interface configuration mode)

Specifies the CAC transmit opportunity time for the radio interface.


admit-traffic (SSID configuration mode)

Use the admit-traffic SSID configuration mode command to enable or disable call admission control (CAC) traffic for an SSID. Use the no form of the command to disable all CAC traffic for the SSID.

[no] admit-traffic


Note This command is not supported when operating in repeater mode.


Syntax Description

This command has no arguments or keywords.

Defaults

By default, the admission control is disabled on all SSIDs.

Command Modes

SSID configuration mode

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to enable CAC traffic support for the test SSID:

AP(config)# dot11 ssid test
AP(config-ssid)# admit-traffic
 
   

This example shows how to disable CAC traffic on the test SSID:

AP(config)# dot11 ssid test
AP(config-ssid)# no admit-traffic 
 
   

Related Commands

Command
Description

admit-traffic (QOS Class interface configuration mode)

Configures CAC admission control on the access point.

show dot11 cac

Displays admission control information on the access point.

traffic-stream

Configures CAC traffic data rates and priorities on the access point.

debug cac

Provides debug information for CAC admission control on the access point.


admit-traffic (QOS Class interface configuration mode)

Use the admit-traffic QOS Class interface configuration mode command to enable CAC traffic for a radio interface. Use the no form of the command to disable all CAC traffic for the access point.

admit-traffic {narrowband | signaling} {infinite | max-channel percent} [roam-channel roam]

no admit-traffic


Note This command is not supported when operating in repeater mode.


Syntax Description

narrowband

Specifies that narrowband codecs are allowed on the radio interface.

signaling

Specifies that signaling only is allowed on the radio interface.

infinite

Specifies unlimited channel utilization is allowed for the CAC traffic on the radio interface.

max-channel percent

Specifies the maximum percentage (1 to 100) of channel utilization allowed for CAC traffic on the radio interface.

roam-channel roam

Specifies the maximum percentage (1 to 100) of channel utilization that is reserved for roaming CAC traffic on the radio interface.


Defaults

This command has no defaults.

Command Modes

QOS Class interface configuration mode

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to configure CAC voice traffic parameters for the radio interface:

AP(config)# interface dot11radio 0
AP(config-if)# dot11 qos class voice
AP(config-if-qosclass)# admit-traffic narrowband max-channel 30 roam-channel 10
 
   

This example shows how to disable CAC traffic on the radio interface:

AP(config-if-qosclass)# no admit-traffic

Related Commands

Command
Description

admit-traffic (SSID interface configuration mode)

Enables CAC admission control for an SSID on the access point.

show dot11 cac

Displays admission control information for the access point.

traffic-stream

Configures CAC traffic data rates and priorities for a radio interface on the access point.

debug cac

Provides CAC admission control debugging information for the access point.


anonymous-id (dot1x credentials configuration mode)

Use the anonymous-id dot1x credentials configuration mode command to configure an anonymous username for the dot1x credentials. Use the no form of the command to disable anonymous-id.

[no] anonymous-id name

Syntax Description

name

Specifies the anonymous username for the dot1x credentials.


Defaults

This command has no defaults.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to configure a dot1x certificate anonymous username:

AP(config-dot1x-creden)# anonymous-id user1
 
   

This example shows how to disable the anonymous username:

AP(config-dot1x-creden)# no anonymous-id

Related Commands

Command
Description

dot1x credentials

Configures the dot1x credentials on the access point.

show dot1x credentials

Displays the configured dot1x credentials on the access point.


antenna

Use the antenna configuration interface command to configure the radio receive or transmit antenna settings. Use the no form of this command to reset the receive antenna to defaults.

[no] antenna {gain gain | {receive | transmit {diversity | left | right}}}

Syntax Description

gain gain

Specifies the resultant gain of the antenna attached to the device. Enter a value from -128 to 128 dB. If necessary, you can use a decimal in the value, such as 1.5.

Note This setting does not affect the behavior of the wireless device; it only informs the WLSE on your network of the device's antenna gain.

receive

Specifies the antenna that the access point uses to receive radio signals

transmit

Specifies the antenna that the access point uses to transmit radio signals

diversity

Specifies the antenna with the best signal

left

Specifies the left antenna

right

Specifies the right antenna


Defaults

The default antenna configuration is diversity.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to specify the right receive antenna option:

AP(config-if)# antenna receive right
 
   

This example shows how to set the receive antenna option to defaults:

AP(config-if)# no antenna receive
 
   

This example shows how to enter an antenna gain setting:

AP(config-if)# antenna gain 1.5
 
   

Related Commands

Command
Description

power local

Configures the radio power level

show running-config

Displays the current access point operating configuration


authentication (local server configuration mode)

Use the authentication local server configuration command to specify the authentication types that are allowed on the local authenticator. By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication for up to 50 client devices. You use the no form of the authentication command to limit the local authenticator to one or more authentication types.

[no] authentication [eapfast] [leap] [mac]


Note This command is not supported on bridges.


Syntax Description

eapfast

Specifies that the local authenticator performs EAP-FAST authentication for client devices.

leap

Specifies that the local authenticator performs LEAP authentication for client devices.

mac

Specifies that the local authenticator performs MAC-address authentication for client devices.


Defaults

By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication. To limit the local authenticator to one or two authentication types, use the no form of the command to disable unwanted authentication types.

Command Modes

Local server configuration mode

Command History

Release
Modification

12.3(2)JA

This command was introduced.


Examples

This example shows how to limit the local authenticator to perform only LEAP authentications for client devices:

AP(config-radsrv)# no authentication eapfast
AP(config-radsrv)# no authentication mac
 
   

Related Commands

Command
Description

group (local server configuration mode)

Creates a user group on the local authenticator and enters user group configuration mode

nas (local server configuration mode)

Adds an access point to the list of NAS access points on the local authenticator

radius-server local

Enables the access point as a local authenticator and enters local server configuration mode

show running-config

Displays the current access point operating configuration


authentication client

Use the authentication client configuration interface command to configure a LEAP username and password that the access point uses when authenticating to the network as a repeater.

authentication client username username password password

Syntax Description

username

Specifies the repeater's LEAP username

password

Specifies the repeater's LEAP password


Defaults

This command has no defaults.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to configure the LEAP username and password that the repeater uses to authenticate to the network:

AP(config-if-ssid)# authentication client username ap-north password buckeye
 
   

Related Commands

Command
Description

ssid

Specifies the SSID and enters the SSID configuration mode

show running-config

Displays the current access point operating configuration


authentication key-management

Use the authentication key-management SSID configuration mode command to configure the radio interface (for the specified SSID) to support authenticated key management. Cisco Centralized Key Management (CCKM) and Wi-Fi Protected Access (WPA) are the key management types supported on the access point.

authentication key-management { [wpa] [cckm] } [ optional ]


Note This command is not supported on bridges.


Syntax Description

wpa

Specifies WPA authenticated key management for the SSID

cckm

Specifies CCKM authenticated key management for the SSID

optional

Specifies that client devices that do not support authenticated key management can use the SSID


Defaults

This command has no defaults.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.2(11)JA

This command was introduced.

12.2(13)JA

This command was modified to allow you to enable both WPA and CCKM for an SSID.


Usage Guidelines

Use this command to enable authenticated key management for client devices.

To enable authenticated key management, you must enable a cipher suite using the encryption mode ciphers command.

To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must use the wpa-psk command to configure a pre-shared key for the SSID.

When you enable both WPA and CCKM for an SSID, you must enter wpa first and cckm second in the command. Only 802.11b and 802.11g radios support WPA and CCKM simultaneously.

To enable both WPA and CCKM, you must set the encryption mode to a cipher suite that includes TKIP.

Examples

This example shows how to enable both WPA and CCKM for an SSID:

AP(config-if-ssid)# authentication key-management wpa cckm
 
   

Related Commands

Command
Description

encryption mode ciphers

Specifies a cipher suite

ssid

Specifies the SSID and enters SSID configuration mode

wpa-psk

Specifies a pre-shared key for an SSID


authentication network-eap (SSID configuration mode)

Use the authentication network-eap SSID configuration mode command to configure the radio interface (for the specified SSID) to support network-EAP authentication with optional MAC address authentication. Use the no form of the command to disable network-eap authentication for the SSID.

[no] authentication network-eap list-name [mac-address list-name]


Note The mac-address option is not supported on bridges.


Syntax Description

list-name

Specifies the list name for EAP authentication

mac-address list-name

Specifies the list name for MAC authentication


Defaults

This command has no defaults.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

Use this command to authenticate clients using the network EAP method, with optional MAC address screening. You define list names for MAC addresses and EAP using the aaa authentication login command. These lists define the authentication methods activated when a user logs in and indirectly identify the location where the authentication information is stored.


Note Using the CLI, you can configure up to 2,048 MAC addresses for filtering. Using the web-browser interface, however, you can configure only up to 43 MAC addresses for filtering.


Examples

This example shows how to set the authentication to network-EAP for devices on a specified list:

AP(config-if-ssid)# authentication network-eap list1
 
   

This example shows how to reset the authentication to default values:

AP(config-if-ssid)# no authentication network-eap

Related Commands

Command
Description

authentication open (SSID configuration mode)

Specifies open authentication

authentication shared (SSID configuration mode)

Specifies shared-key authentication

ssid

Specifies the SSID and enters the SSID configuration mode

show running-config

Displays the current access point operating configuration


authentication open (SSID configuration mode)

Use the authentication open SSID configuration mode command to configure the radio interface (for the specified SSID) to support open authentication and optionally EAP authentication or MAC address authentication. Use the no form of the command to disable open authentication for the SSID.

[no] authentication open
[[optional] eap list-name]
[mac-address list-name [alternate] ]


Note The mac-address and alternate options are not supported on bridges.


Syntax Description

eap list-name

Specifies the list name for EAP authentication

optional

Specifies that client devices using either open or EAP authentication can associate and become authenticated. This setting is used mainly by service providers that require special client accessibility.

mac-address list-name

Specifies the list name for MAC authentication

alternate

Specifies the use of either EAP authentication or MAC address authentication


Defaults

This command has no defaults.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

Use this command to authenticate clients using the open method, with optional MAC address or EAP screenings. If you use the alternate keyword, the client must pass either MAC address or EAP authentication. Otherwise, the client must pass both authentications. Use the optional keyword to allow client devices using either open or EAP authentication to associate and become authenticated. You define list names for MAC addresses and EAP using the aaa authentication login command. These lists define the authentication methods activated when a user logs in and indirectly identify the location where the authentication information is stored.

Examples

This example shows how to enable open authentication with MAC address restrictions:

AP(config-if-ssid)# authentication open mac-address mac-list1
 
   

This example shows how to disable open authentication for the SSID:

AP(config-if-ssid)# no authentication open
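
The keyword combinations from the usage guidelines above, worked through as an added Python example (not from the Cisco documentation): it parses `authentication open` lines in the syntax order printed on this page and reports which screenings a client must pass. The sample configuration, the SSID names and the list name `eap_methods` are constructed, and treating `optional` as making EAP non-mandatory is an assumption drawn from the keyword description.

```python
import re

# Grammar as printed on this page:
#   [no] authentication open [[optional] eap list-name] [mac-address list-name [alternate]]
AUTH_OPEN = re.compile(
    r"^(?P<no>no\s+)?authentication\s+open"
    r"(?:\s+(?P<optional>optional\s+)?eap\s+(?P<eap>\S+))?"
    r"(?:\s+mac-address\s+(?P<mac>\S+)(?P<alternate>\s+alternate)?)?$"
)
SSID_LINE = re.compile(r"^(?:dot11\s+)?ssid\s+(\S+)$")

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
dot11 ssid guest
   authentication open
dot11 ssid corp
   authentication open eap eap_methods
dot11 ssid legacy
   authentication open mac-address mac-list1
dot11 ssid mixed
   authentication open eap eap_methods mac-address mac-list1 alternate
dot11 ssid strict
   authentication open eap eap_methods mac-address mac-list1
dot11 ssid hotspot
   authentication open optional eap eap_methods
"""


def parse_auth_open(line):
    """Parse one 'authentication open' line; return a policy dict or None."""
    text = line.split("#", 1)[-1].strip()  # drop an 'AP(config-if-ssid)#' prompt
    m = AUTH_OPEN.match(text)
    if m is None:
        return None
    return {
        "enabled": m.group("no") is None,
        "eap_list": m.group("eap"),
        "eap_optional": m.group("optional") is not None,
        "mac_list": m.group("mac"),
        "alternate": m.group("alternate") is not None,
    }


def screening(policy):
    """Name the mandatory screenings: both by default, either with 'alternate'."""
    if not policy["enabled"]:
        return "disabled"
    checks = []
    if policy["mac_list"]:
        checks.append("mac")
    # Assumption: with 'optional', EAP is offered but not required.
    if policy["eap_list"] and not policy["eap_optional"]:
        checks.append("eap")
    if not checks:
        return "eap-optional" if policy["eap_list"] else "none"
    return ("-or-" if policy["alternate"] else "-and-").join(checks)


def admits(policy, mac_ok, eap_ok):
    """Decide admission from the outcome of the MAC and EAP screenings."""
    if not policy["enabled"]:
        return False
    results = []
    if policy["mac_list"]:
        results.append(mac_ok)
    if policy["eap_list"] and not policy["eap_optional"]:
        results.append(eap_ok)
    if not results:
        return True  # open authentication with no mandatory screening
    return any(results) if policy["alternate"] else all(results)


def audit_ssids(config_text):
    """Map each SSID to the screening its 'authentication open' line applies."""
    report, ssid = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SSID_LINE.match(line)
        if m:
            ssid = m.group(1)
            continue
        policy = parse_auth_open(line)
        if ssid and policy:
            report[ssid] = screening(policy)
    return report


if __name__ == "__main__":
    for name, result in audit_ssids(SAMPLE_CONFIG).items():
        print(f"{name:8} {result}")
```

SSIDs reported as `none` or `eap-optional` admit clients without any mandatory screening and are the ones to review first.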

Related Commands

Command
Description

authentication shared (SSID configuration mode)

Specifies shared key authentication

authentication network-eap (SSID configuration mode)

Specifies network EAP authentication

dot11 ssid

Creates an SSID and enters SSID configuration mode


authentication shared (SSID configuration mode)

Use the authentication shared SSID configuration mode command to configure the radio interface (for the specified SSID) to support shared authentication with optional MAC address authentication and EAP authentication. Use the no form of the command to disable shared authentication for the SSID.

[no] authentication shared [mac-address list-name] [eap list-name]


Note The mac-address option is not supported on bridges.


Syntax Description

mac-address list-name

Specifies the list name for MAC authentication

eap list-name

Specifies the list name for EAP authentication


Defaults

This command has no defaults.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

Use this command to authenticate clients using the shared method, with optional MAC address or EAP screenings. You define list names for MAC addresses and EAP using the aaa authentication login command. These lists define the authentication methods activated when a user logs in and indirectly identify the location where the authentication information is stored.

Examples

This example shows how to set the authentication to shared for devices on a MAC address list:

AP(config-if-ssid)# authentication shared mac-address mac-list1
 
   

This example shows how to reset the authentication to default values:

AP(config-if-ssid)# no authentication shared

Related Commands

Command
Description

authentication open (SSID configuration mode)

Specifies open authentication

authentication network-eap (SSID configuration mode)

Specifies network EAP authentication

ssid

Specifies the SSID and enters the SSID configuration mode

show running-config

Displays the current access point operating configuration


beacon

Use the beacon configuration interface command to specify how often the beacon contains a Delivery Traffic Indicator Message (DTIM). Use the no form of this command to reset the beacon interval to defaults.

[no] beacon {period Kms | dtim-period count}

Syntax Description

period Kms

Specifies the beacon time in kilomicroseconds (Kms). Kms is a unit of measurement in software terms: K = 1024, m = 10^-6, and s = seconds, so 1 Kms = 0.001024 seconds, 1.024 milliseconds, or 1024 microseconds.

dtim-period count

Specifies the number of DTIM beacon periods to wait before delivering multicast packets.

Note The dtim-period option is not supported on bridges.


Defaults

The default period is 100.

The default dtim-period is 2.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

Clients normally wake up each time a beacon is sent to check for pending packets. Longer beacon periods let the client sleep longer and preserve power. Shorter beacon periods reduce the delay in receiving packets.

Controlling the DTIM period has a similar power-saving result. Increasing the DTIM period count lets clients sleep longer, but delays the delivery of multicast packets. Because multicast packets are buffered, large DTIM period counts can cause a buffer overflow.

Examples

This example shows how to specify a beacon period of 15 Kms (15.36 milliseconds):

AP(config-if)# beacon period 15
 
   

This example shows how to set the beacon parameter to defaults:

AP(config-if)# no beacon

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration


boot buffersize

To modify the buffer size used to load configuration files, use the boot buffersize global configuration command. Use the no form of the command to return to the default setting.

[ no ] boot buffersize bytes

Syntax Description

bytes

Specifies the size of the buffer to be used. Enter a value from 4 KB to 512 KB.


Defaults

The default buffer size for loading configuration files is 32 KB.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)JA

This command was introduced.


Usage Guidelines

Increase the boot buffer size if your configuration file size exceeds 512 KB.

Examples

This example shows how to set the buffer size to 512 KB:

AP(config)# boot buffersize 524288
 
   

boot ios-break

Use the boot ios-break global configuration command to enable an access point or bridge to be reset using a send break Telnet command.

After you enter the boot ios-break command, you can connect to the access point console port and press Ctrl-] to bring up the Telnet prompt. At the Telnet prompt, enter send break. The access point reboots and reloads the image.

[ no ] boot ios-break

Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)JA

This command was introduced.


Examples

This example shows how to enable an access point or bridge to be reset using a send break Telnet command:

AP(config)# boot ios-break
 
   

boot mode-button

Use the boot mode-button global configuration command to enable or disable the operation of the mode button on access points with a console port. This command can be used to prevent password recovery and to prevent unauthorized users from gaining access to the access point CLI.

Use the no form of the command to disable the access point mode button.

[ no ] boot mode-button


Caution This command can be used to disable password recovery. If you lose the privileged EXEC password for the access point after entering this command, you need to contact Cisco Technical Assistance Center (TAC) to regain access to the access point CLI.

Syntax Description

This command has no arguments or keywords.

Defaults

This command is enabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.3(7)JA

This command was introduced.

Note This command requires the 12.3(2)JA or later access point boot loader.


Examples

This example shows how to disable the Mode button on an access point with a console port:

AP(config)# no boot mode-button
 
   

This example shows how to reenable the Mode button on an access point with a console port:

AP(config)# boot mode-button
 
   

Note You must know the privileged EXEC password for your access point to access the CLI.


Related Commands

Command
Description

show boot

Displays the current boot configuration.

show boot mode-button

Displays the current status of the mode-button.


boot upgrade

Use the boot upgrade global configuration command to configure access points and bridges to automatically load a configuration and use DHCP options to upgrade system software.

When your access point renews its IP address with a DHCP request, it uses the details configured on the DHCP server to download a specified configuration file from a TFTP server. If a boot system command is part of the configuration file and the unit's current software version is different, the access point or bridge image is automatically upgraded to the version in the configuration. The access point or bridge reloads and executes the new image.

[ no ] boot upgrade

Syntax Description

This command has no arguments or keywords.

Defaults

This command is enabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)JA

This command was introduced.


Examples

This example shows how to prevent an access point or bridge from automatically loading a configuration and upgrading system software:

AP(config)# no boot upgrade
 
   

bridge aging-time

Use the bridge aging-time global configuration command to configure the length of time that a dynamic entry can remain in the bridge table from the time the entry is created or last updated.

bridge group aging-time seconds


Note This command is supported only on bridges.


Syntax Description

group

Specifies the bridge group

seconds

Specifies the aging time in seconds


Defaults

The default aging time is 300 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure the aging time for bridge group 1:

bridge(config)# bridge 1 aging-time 500

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge forward-time

Specifies a forward delay interval on the bridge

bridge hello-time

Specifies the interval between the hello BPDUs

bridge max-age

Specifies the interval that the bridge waits to hear BPDUs from the spanning tree root

bridge priority

Specifies the bridge STP priority


bridge forward-time

Use the bridge forward-time global configuration command to configure the forward delay interval on the bridge.

bridge group forward-time seconds


Note This command is supported only on bridges.


Syntax Description

group

Specifies the bridge group

seconds

Specifies the forward time in seconds


Defaults

The default forward time is 30 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure the forward time for bridge group 2:

bridge(config)# bridge 2 forward-time 60

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge aging-time

Specifies the length of time that a dynamic entry can remain in the bridge table from the time the entry is created or last updated

bridge hello-time

Specifies the interval between the hello BPDUs

bridge max-age

Specifies the interval that the bridge waits to hear BPDUs from the spanning tree root

bridge priority

Specifies the bridge STP priority


bridge hello-time

Use the bridge hello-time global configuration command to configure the interval between hello bridge protocol data units (BPDUs).

bridge group hello-time seconds


Note This command is supported only on bridges.


Syntax Description

group

Specifies the bridge group

seconds

Specifies the hello interval in seconds


Defaults

The default hello time is 2 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure the hello time for bridge group 1:

bridge(config)# bridge 1 hello-time 15

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge aging-time

Specifies the length of time that a dynamic entry can remain in the bridge table from the time the entry is created or last updated

bridge forward-time

Specifies a forward delay interval on the bridge

bridge max-age

Specifies the interval that the bridge waits to hear BPDUs from the spanning tree root

bridge priority

Specifies the bridge STP priority


bridge max-age

Use the bridge max-age global configuration command to configure the interval that the bridge waits to hear BPDUs from the spanning tree root. If the bridge does not hear BPDUs from the spanning tree root within this specified interval, it assumes that the network has changed and recomputes the spanning-tree topology.

bridge group max-age seconds


Note This command is supported only on bridges.


Syntax Description

group

Specifies the bridge group

seconds

Specifies the max-age interval in seconds (enter a value between 10 and 200 seconds)


Defaults

The default max-age is 15 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure the max age for bridge group 1:

bridge(config)# bridge 1 max-age 20

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge aging-time

Specifies the length of time that a dynamic entry can remain in the bridge table from the time the entry is created or last updated

bridge forward-time

Specifies a forward delay interval on the bridge

bridge hello-time

Specifies the interval between the hello BPDUs

bridge priority

Specifies the bridge STP priority


bridge priority

Use the bridge priority global configuration command to configure the spanning tree priority for the bridge. STP uses the bridge priority to select the spanning tree root. The lower the priority, the more likely it is that the bridge will become the spanning tree root.

The radio and Ethernet interfaces and the native VLAN on the bridge are assigned to bridge group 1 by default. When you enable STP and assign a priority on bridge group 1, STP is enabled on the radio and Ethernet interfaces and on the primary VLAN, and those interfaces adopt the priority assigned to bridge group 1. You can create bridge groups for sub-interfaces and assign different STP settings to those bridge groups.

bridge group priority priority


Note This command is supported only on bridges.


Syntax Description

group

Specifies the bridge group to be configured

priority

Specifies the STP priority for the bridge


Defaults

The default bridge priority is 32768.

Command Modes

Global configuration

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure the priority for the bridge:

bridge(config)# bridge 1 priority 900

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge aging-time

Specifies the length of time that a dynamic entry can remain in the bridge table from the time the entry is created or last updated

bridge forward-time

Specifies a forward delay interval on the bridge

bridge hello-time

Specifies the interval between the hello BPDUs

bridge max-age

Specifies the interval that the bridge waits to hear BPDUs from the spanning tree root


bridge protocol ieee

Use the bridge number protocol ieee global configuration command to enable Spanning Tree Protocol (STP) on the bridge. STP is enabled for all interfaces assigned to the bridge group that you specify in the command.

The radio and Ethernet interfaces and the native VLAN on the bridge are assigned to bridge group 1 by default. When you enable STP and assign a priority on bridge group 1, STP is enabled on the radio and Ethernet interfaces and on the primary VLAN, and those interfaces adopt the priority assigned to bridge group 1. You can create bridge groups for sub-interfaces and assign different STP settings to those bridge groups.

bridge number protocol ieee [ suspend ]


Note This command is supported only on bridges.


Syntax Description

number

Specifies the bridge group for which STP is enabled

suspend

Suspends STP on the bridge until you re-enable it.


Defaults

STP is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to enable STP for bridge group 1:

bridge(config)# bridge 1 protocol ieee

Related Commands

Command
Description

bridge aging-time

Specifies the length of time that a dynamic entry can remain in the bridge table from the time the entry is created or last updated

bridge forward-time

Specifies a forward delay interval on the bridge

bridge hello-time

Specifies the interval between the hello BPDUs

bridge max-age

Specifies the interval that the bridge waits to hear BPDUs from the spanning tree root


bridge-group block-unknown-source

Use the bridge-group block-unknown-source configuration interface command to block traffic from unknown MAC addresses on a specific interface. Use the no form of the command to disable unknown source blocking on a specific interface.

For STP to function properly, block-unknown-source must be disabled for interfaces participating in STP.

bridge-group group block-unknown-source

Syntax Description

group

Specifies the bridge group to be configured


Defaults

When you enable STP on an interface, block unknown source is disabled by default.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to disable block unknown source for bridge group 2:

bridge(config-if)# no bridge-group 2 block-unknown-source
 
   

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge-group path-cost

Specifies the path cost for the bridge Ethernet and radio interfaces

bridge-group port-protected

Enables protected port for public secure mode configuration

bridge-group priority

Specifies the spanning tree priority for the bridge Ethernet and radio interfaces

bridge-group spanning-disabled

Disables STP on a specific interface

bridge-group subscriber-loop-control

Enables loop control on virtual circuits associated with a bridge group

bridge-group unicast-flooding

Enables unicast flooding for a specific interface


bridge-group path-cost

Use the bridge-group path-cost configuration interface command to configure the path cost for the bridge Ethernet and radio interfaces. Spanning Tree Protocol (STP) uses the path cost to calculate the shortest distance from the bridge to the spanning tree root.

bridge-group group path-cost cost


Note This command is supported only on bridges.


Syntax Description

group

Specifies the bridge group to be configured

cost

Specifies the path cost for the bridge group


Defaults

The default path cost for the Ethernet interface is 19, and the default path cost for the radio interface is 33.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure the path cost for bridge group 2:

bridge(config-if)# bridge-group 2 path-cost 25
 
   

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge-group block-unknown-source

Blocks traffic from unknown MAC addresses on a specific interface

bridge-group port-protected

Enables protected port for public secure mode configuration

bridge-group priority

Specifies the spanning tree priority for the bridge Ethernet and radio interfaces

bridge-group spanning-disabled

Disables STP on a specific interface

bridge-group subscriber-loop-control

Enables loop control on virtual circuits associated with a bridge group

bridge-group unicast-flooding

Enables unicast flooding for a specific interface


bridge-group port-protected

Use the bridge-group port-protected configuration interface command to enable protected port for public secure mode configuration. In Cisco IOS software, there is no exchange of unicast, broadcast, or multicast traffic between protected ports.

bridge-group bridge-group port-protected

Syntax Description

bridge-group

Specifies the bridge group for port protection


Defaults

This command has no defaults.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to enable protected port for bridge group 71:

AP(config-if)# bridge-group 71 port-protected
 
   

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge-group block-unknown-source

Blocks traffic from unknown MAC addresses on a specific interface

bridge-group path-cost

Specifies the path cost for the bridge Ethernet and radio interfaces

bridge-group priority

Specifies the spanning tree priority for the bridge Ethernet and radio interfaces

bridge-group spanning-disabled

Disables STP on a specific interface

bridge-group subscriber-loop-control

Enables loop control on virtual circuits associated with a bridge group

bridge-group unicast-flooding

Enables unicast flooding for a specific interface


bridge-group priority

Use the bridge-group priority configuration interface command to configure the spanning tree priority for the bridge Ethernet and radio interfaces. Spanning Tree Protocol (STP) uses the interface priority to select the root interface on the bridge.

The radio and Ethernet interfaces and the native VLAN on the bridge are assigned to bridge group 1 by default. When you enable STP and assign a priority on bridge group 1, STP is enabled on the radio and Ethernet interfaces and on the primary VLAN, and those interfaces adopt the priority assigned to bridge group 1. You can create bridge groups for sub-interfaces and assign different STP settings to those bridge groups.

bridge-group group priority priority

Syntax Description

group

Specifies the bridge group to be configured

priority

Specifies the STP priority for the bridge group


Defaults

The default priority for both the Ethernet and radio interfaces is 128.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure the priority for an interface on bridge group 2:

bridge(config-if)# bridge-group 2 priority 150
 
   

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge-group block-unknown-source

Blocks traffic from unknown MAC addresses on a specific interface

bridge-group path-cost

Specifies the path cost for the bridge Ethernet and radio interfaces

bridge-group port-protected

Enables protected port for public secure mode configuration

bridge-group spanning-disabled

Disables STP on a specific interface

bridge-group subscriber-loop-control

Enables loop control on virtual circuits associated with a bridge group

bridge-group unicast-flooding

Enables unicast flooding for a specific interface


bridge-group spanning-disabled

Use the bridge-group spanning-disabled configuration interface command to disable Spanning Tree Protocol (STP) on a specific interface. Use the no form of the command to enable STP on a specific interface.

For STP to function properly, spanning-disabled must be disabled for interfaces participating in STP.

bridge-group group spanning-disabled

Syntax Description

group

Specifies the bridge group to be configured


Defaults

STP is disabled by default.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to disable STP for bridge group 2:

bridge(config-if)# bridge-group 2 spanning-disabled
 
   

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge-group block-unknown-source

Blocks traffic from unknown MAC addresses on a specific interface

bridge-group path-cost

Specifies the path cost for the bridge Ethernet and radio interfaces

bridge-group port-protected

Enables protected port for public secure mode configuration

bridge-group priority

Specifies the spanning tree priority for the bridge Ethernet and radio interfaces

bridge-group subscriber-loop-control

Enables loop control on virtual circuits associated with a bridge group

bridge-group unicast-flooding

Enables unicast flooding for a specific interface


bridge-group subscriber-loop-control

Use the bridge-group subscriber-loop-control configuration interface command to enable loop control on virtual circuits associated with a bridge group. Use the no form of the command to disable loop control on virtual circuits associated with a bridge group.

For Spanning Tree Protocol (STP) to function properly, subscriber-loop-control must be disabled for interfaces participating in STP.

bridge-group group subscriber-loop-control

Syntax Description

group

Specifies the bridge group to be configured


Defaults

When you enable STP for an interface, subscriber loop control is disabled by default.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to disable subscriber loop control for bridge group 2:

bridge(config-if)# no bridge-group 2 subscriber-loop-control
 
   

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge-group block-unknown-source

Blocks traffic from unknown MAC addresses on a specific interface

bridge-group path-cost

Specifies the path cost for the bridge Ethernet and radio interfaces

bridge-group port-protected

Enables protected port for public secure mode configuration

bridge-group priority

Specifies the spanning tree priority for the bridge Ethernet and radio interfaces

bridge-group spanning-disabled

Disables STP on a specific interface

bridge-group unicast-flooding

Enables unicast flooding for a specific interface


bridge-group unicast-flooding

Use the bridge-group unicast-flooding configuration interface command to enable unicast flooding for a specific interface. Use the no form of the command to disable unicast flooding for a specific interface.

bridge-group group unicast-flooding

Syntax Description

group

Specifies the bridge group to be configured


Defaults

Unicast flooding is disabled by default.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure unicast flooding for bridge group 2:

bridge(config-if)# bridge-group 2 unicast-flooding
 
   

Related Commands

Command
Description

bridge protocol ieee

Enables STP on the bridge

bridge-group block-unknown-source

Blocks traffic from unknown MAC addresses on a specific interface

bridge-group path-cost

Specifies the path cost for the bridge Ethernet and radio interfaces

bridge-group port-protected

Enables protected port for public secure mode configuration

bridge-group priority

Specifies the spanning tree priority for the bridge Ethernet and radio interfaces

bridge-group spanning-disabled

Disables STP on a specific interface

bridge-group subscriber-loop-control

Enables loop control on virtual circuits associated with a bridge group


broadcast-key

Use the broadcast-key configuration interface command to configure the time interval between rotations of the broadcast encryption key used for clients. Use the no form of the command to disable broadcast key rotation.

[no] broadcast-key [vlan vlan-id] [change secs] [membership-termination] [capability-change]


Note Client devices using static WEP cannot use the access point when you enable broadcast key rotation. When you enable broadcast key rotation, only wireless client devices using 802.1x authentication (such as LEAP, EAP-TLS, or PEAP) can use the access point.



Note This command is not supported on bridges.


Syntax Description

vlan vlan-id

(Optional) Specifies the virtual LAN identification value

change secs

(Optional) Specifies the amount of time (in seconds) between the rotation of the broadcast encryption key

membership-termination

(Optional) If WPA authenticated key management is enabled, this option specifies that the access point generates and distributes a new group key when any authenticated client device disassociates from the access point. If clients roam frequently among access points, enabling this feature might generate significant overhead.

capability-change

(Optional) If WPA authenticated key management is enabled, this option specifies that the access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates. In WPA migration mode, this feature significantly improves the security of key-management capable clients when there are no static-WEP clients associated to the access point.


Defaults

This command has no defaults.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to configure vlan10 to support broadcast key encryption with a 5-minute key rotation interval:

AP(config-if)# broadcast-key vlan 10 change 300
 
   

This example shows how to disable broadcast key rotation:

AP(config-if)# no broadcast-key
 
   

cache authentication profile

Use the cache authentication profile server configuration command to configure the cache authentication profile. Use the no form of the command to disable the cache authentication profile.

[no] cache authentication profile name


Note This command is not supported on bridges.


Syntax Description

name

Specifies the name of the cache authentication profile.


Defaults

This command has no defaults.

Command Modes

Server group configuration.

Command History

Release
Modification

12.3(7)JA

This command was introduced.


Examples

This example shows how to configure a RADIUS cache authentication profile:

AP(config)# aaa group server radius rad_admin
AP(config-sg-radius)# server 10.19.21.105
AP(config-sg-radius)# cache expiry 5
AP(config-sg-radius)# cache authentication profile admin_cache
 
   

This example shows how to configure a TACACS+ cache authentication profile:

AP(config)# aaa group server tacacs+ tac_admin
AP(config-sg-tacacs+)# server 10.19.21.125
AP(config-sg-tacacs+)# cache expiry 5
AP(config-sg-tacacs+)# cache authentication profile admin_cache
 
   

Related Commands

Command
Description

aaa authentication login default local cache

Sets local cache for AAA authentication login.

aaa authorization exec default local cache

Sets local cache for the AAA authorization exec mode.

aaa cache profile

Sets the AAA cache profile name.

cache authorization profile

Sets the cache authorization profile name.

cache expiry

Sets the expiration time for the server group cache.


cache authorization profile

Use the cache authorization profile server configuration command to configure the cache authorization profile. Use the no form of the command to disable the cache authorization profile.

[no] cache authorization profile name


Note This command is not supported on bridges.


Syntax Description

name

Specifies the name of the cache authorization profile.


Defaults

This command has no defaults.

Command Modes

Server group configuration.

Command History

Release
Modification

12.3(7)JA

This command was introduced.


Examples

This example shows how to configure a RADIUS cache authorization profile:

AP(config)# aaa group server radius rad_admin
AP(config-sg-radius)# server 10.19.21.105
AP(config-sg-radius)# cache expiry 5
AP(config-sg-radius)# cache authorization profile admin_cache
 
   

This example shows how to configure a TACACS+ cache authorization profile:

AP(config)# aaa group server tacacs+ tac_admin
AP(config-sg-tacacs+)# server 10.19.21.125
AP(config-sg-tacacs+)# cache expiry 5
AP(config-sg-tacacs+)# cache authorization profile admin_cache
 
   

Related Commands

Command
Description

aaa authentication login default local cache

Sets local cache for AAA authentication login.

aaa authorization exec default local cache

Sets local cache for the AAA authorization exec mode.

aaa cache profile

Sets the AAA cache profile name.

cache authentication profile

Sets the cache authentication profile name.

cache expiry

Sets the expiration time for the server group cache.


cache expiry

Use the cache expiry server group configuration command to configure the expiration time of the server group cache. Use the no form of the command to disable the cache expiration.

[no] cache expiry hours [enforce | failover]


Note This command is not supported on bridges.


Syntax Description

hours

Specifies the amount of time (in hours) before the cache expires. Enter a number from 0 to 2147483647. Zero specifies the cache never expires.

enforce

(Optional) Specifies not to use an expired entry.

failover

(Optional) Specifies that an expired entry is used if all other methods fail.


Defaults

The default cache expiration time is 24 hours.

Command Modes

Server group configuration

Command History

Release
Modification

12.3(7)JA

This command was introduced.


Examples

This example shows how to configure a RADIUS cache expiration time of 5 hours:

AP(config)# aaa group server radius rad_admin
AP(config-sg-radius)# server 10.19.21.105
AP(config-sg-radius)# cache expiry 5
 
   

This example shows how to configure a TACACS+ cache expiration time of 5 hours:

AP(config)# aaa group server tacacs+ tac_admin
AP(config-sg-tacacs+)# server 10.19.21.125
AP(config-sg-tacacs+)# cache expiry 5
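
The following is an added example, not part of the Cisco documentation: a Python audit of saved configuration text that reports server groups whose cache expiry settings keep cached AAA entries usable longer than intended (0 hours, the failover keyword, or an unstated default). The sample configuration is constructed, the rad_guest and rad_ops groups, the finding labels and the max_hours threshold are assumptions, and the parser assumes each group appears as an aaa group server line followed by indented subcommands.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_HOURS = 24  # default cache expiration stated in the Defaults section

GROUP_RE = re.compile(r"^aaa group server (radius|tacacs\+) (\S+)\s*$")
EXPIRY_RE = re.compile(r"^\s+cache expiry (\d+)(?:\s+(enforce|failover))?\s*$")
PROFILE_RE = re.compile(
    r"^\s+cache (?:authentication|authorization) profile (\S+)\s*$")

# Constructed sample configuration (not taken from a real device).
# rad_admin and tac_admin reuse names from the examples above;
# rad_guest and rad_ops are hypothetical groups added for illustration.
SAMPLE_CONFIG = """\
aaa group server radius rad_admin
 server 10.19.21.105
 cache expiry 5
 cache authorization profile admin_cache
!
aaa group server tacacs+ tac_admin
 server 10.19.21.125
 cache expiry 0
 cache authorization profile admin_cache
!
aaa group server radius rad_guest
 server 10.19.21.105
 cache expiry 48 failover
 cache authentication profile admin_cache
!
aaa group server radius rad_ops
 server 10.19.21.105
 cache authorization profile admin_cache
!
"""


@dataclass
class ServerGroup:
    name: str
    protocol: str
    hours: Optional[int] = None   # None means no cache expiry line was found
    mode: Optional[str] = None    # "enforce", "failover" or None
    profiles: List[str] = field(default_factory=list)


def parse_groups(config: str) -> List[ServerGroup]:
    """Collect the cache settings of every AAA server group in the text."""
    groups: List[ServerGroup] = []
    current: Optional[ServerGroup] = None
    for line in config.splitlines():
        header = GROUP_RE.match(line)
        if header:
            current = ServerGroup(name=header.group(2),
                                  protocol=header.group(1))
            groups.append(current)
            continue
        if not line[:1].isspace():
            current = None  # any unindented line ends the group block
            continue
        if current is None:
            continue
        expiry = EXPIRY_RE.match(line)
        if expiry:
            current.hours = int(expiry.group(1))
            current.mode = expiry.group(2)
            continue
        profile = PROFILE_RE.match(line)
        if profile:
            current.profiles.append(profile.group(1))
    return groups


def audit(config: str, max_hours: int = DEFAULT_HOURS) -> List[Tuple[str, str]]:
    """Return (group, finding) pairs; max_hours is a local policy threshold."""
    findings: List[Tuple[str, str]] = []
    for group in parse_groups(config):
        if group.hours is None and not group.profiles:
            continue  # the group does not use the cache at all
        hours = DEFAULT_HOURS if group.hours is None else group.hours
        if group.hours is None:
            # A cache profile is set, so the 24-hour default applies silently.
            findings.append((group.name, "default-expiry"))
        if hours == 0:
            # Zero means cached entries never expire.
            findings.append((group.name, "never-expires"))
        elif hours > max_hours:
            findings.append((group.name, "long-expiry"))
        if group.mode == "failover":
            # Expired entries are still used if all other methods fail.
            findings.append((group.name, "expired-entry-failover"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```
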
 
   

Related Commands

Command
Description

aaa authentication login default local cache

Sets local cache for AAA authentication login.

aaa authorization exec default local cache

Sets local cache for the AAA authorization exec mode.

aaa cache profile

Sets the AAA cache profile name.

cache authentication profile

Sets the cache authentication profile name.

cache authorization profile

Sets the cache authorization profile name.


cca

Use the cca configuration interface command to configure the clear channel assessment (CCA) noise floor level for the bridge radio. The value you enter is used as an absolute value of dBm.

cca number


Note This command is supported only on bridges.


Syntax Description

number

Specifies the radio noise floor in dBm. Enter a number from -60 to 0. Zero configures the radio to use a received validate frame as the CCA indication.


Defaults

The default CCA level is -62 dBm.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure the CCA level for the bridge radio:

bridge(config-if)# cca 50
 
   

channel

Use the channel configuration interface command to set the radio channel frequency. Use the no form of this command to reset the channel frequency to defaults.

[no] channel {number | frequency | least-congested}


Note This command is disabled on 5-GHz radios that support Dynamic Frequency Selection (DFS). All 5-GHz radios configured at the factory for use in the European Union and Singapore support DFS. Radios configured for use in other regulatory domains do not support DFS.


Syntax Description

number

Specifies a channel number. For a list of channels for the 2.4-GHz radio, see Table 2-1. For a list of channels for the 5-GHz radio, see Table 2-2.

Note The valid numbers depend on the channels allowed in your regulatory region and are set during manufacturing. For additional information, refer to the hardware installation guide for your access point or bridge.

frequency

Specifies the center frequency for the radio channel. For a list of center frequencies for the 2.4-GHz access point radio, see Table 2-1. For a list of center frequencies for the 5-GHz access point radio, see Table 2-2. For a list of center frequencies for the 5-GHz bridge radio, see Table 2-3.

Note The valid frequencies depend on the channels allowed in your regulatory region and are set during manufacturing. For additional information, refer to the hardware installation guide for your access point or bridge.

least-congested

Enables or disables scanning for the least busy radio channel on which to communicate with the client adapter.


Table 2-1 Channels and Center Frequencies for 2.4-GHz Radios (both 802.11b and 802.11g)

Channel Identifier   Frequency (MHz)   Channel Identifier   Frequency (MHz)
1                    2412              8                    2447
2                    2417              9                    2452
3                    2422              10                   2457
4                    2427              11                   2462
5                    2432              12                   2467
6                    2437              13                   2472
7                    2442              14                   2484


Table 2-2 Channels and Center Frequencies for Access Point 5-GHz Radios

Channel Identifier   Frequency (MHz)   Channel Identifier   Frequency (MHz)   Channel Identifier   Frequency (MHz)
34                   5170              100                  5500              149                  5745
36                   5180              104                  5520              153                  5765
38                   5190              108                  5540              157                  5785
40                   5200              112                  5560              161                  5805
42                   5210              116                  5580              165                  5825
44                   5220              120                  5600              -                    -
46                   5230              124                  5620              -                    -
48                   5240              128                  5640              -                    -
52                   5260              132                  5660              -                    -
56                   5280              136                  5680              -                    -
60                   5300              140                  5700              -                    -
64                   5320              -                    -                 -                    -


Table 2-3 Channels and Center Frequencies for the 1400 Series Bridge 5-GHz Radio

Channel Identifier   Frequency (MHz)
149                  5745
153                  5765
157                  5785
161                  5805

Defaults

The default channel setting is least-congested.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.

12.2(8)JA

Parameters were added to support the 5-GHz access point radio.

12.2(11)JA

Parameters were added to support the 5-GHz bridge radio.


Examples

This example shows how to set the access point radio to channel 10 with a center frequency of 2457.

AP(config-if)# channel 2457
 
   

This example shows how to set the access point to scan for the least-congested radio channel.

AP(config-if)# channel least-congested
 
   

This example shows how to set the frequency to the default setting:

AP(config-if)# no channel

Related Commands

Command
Description

show controllers dot11radio

Displays the radio controller information and status


channel-match (LBS configuration mode)

Use the channel-match location based services (LBS) configuration mode command to specify that the LBS packet sent by an LBS tag must match the radio channel on which the access point receives the packet. If the channel used by the tag and the channel used by the access point do not match, the access point drops the packet.

[no] channel-match

Syntax Description

This command has no arguments or keywords.

Defaults

The channel match option is enabled by default.

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Examples

This example shows how to enable the channel match option for an LBS profile:

ap(dot11-lbs)# channel-match
 
   

Related Commands

Command
Description

dot11 lbs

Creates an LBS profile and enters LBS configuration mode

interface dot11 (LBS configuration mode)

Enables an LBS profile on a radio interface

method (LBS configuration mode)

Specifies the location method used in an LBS profile

multicast address (LBS configuration mode)

Specifies the multicast address that LBS tag devices use when they send LBS packets

packet-type (LBS configuration mode)

Specifies the LBS packet type accepted in an LBS profile

server-address (LBS configuration mode)

Specifies the IP address of the location server on your network


class-map

Use the class-map global configuration command to create a class map to be used for matching packets to the class whose name you specify and to enter class-map configuration mode. Use the no form of this command to delete an existing class map and return to global configuration mode.

[no] class-map name

Syntax Description

name

Specifies the name of the class map


Defaults

This command has no defaults, and there is not a default class map.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

Use this command to specify the name of the class for which you want to create or modify class-map match criteria and to enter class-map configuration mode. In this mode, you can enter one match command to configure the match criterion for this class.

The class-map command and its subcommands are used to define packet classification, marking, and aggregate policing as part of a globally named service policy applied on a per-interface basis.

After you are in quality of service (QoS) class-map configuration mode, these configuration commands are available:

description: describes the class map (up to 200 characters). The show class-map privileged EXEC command displays the description and the name of the class-map.

exit: exits from QoS class-map configuration mode.

match: configures classification criteria. For more information, see the match (class-map configuration) command.

no: removes a match statement from a class map.

rename: renames the current class map. If you rename a class map with a name already in use, the message A class-map with this name already exists is displayed.

Only one match criterion per class map is supported. For example, when defining a class map, only one match command can be issued.

Because only one match command per class map is supported, the match-all and match-any keywords function the same.

Only one access control list (ACL) can be configured in a class map. The ACL can have multiple access control entries (ACEs).

Examples

This example shows how to configure the class map called class1. class1 has one match criterion, which is an access list called 103.

AP(config)# access-list 103 permit any any dscp 10
AP(config)# class-map class1
AP(config-cmap)# match access-group 103
AP(config-cmap)# exit
 
   

This example shows how to delete the class map class1:

AP(config)# no class-map class1
 
   

You can verify your settings by entering the show class-map privileged EXEC command.

Related Commands

Command
Description

match (class-map configuration)

Defines the match criteria ACLs, IP precedence, or IP Differentiated Services Code Point (DSCP) values to classify traffic

policy-map

Creates or modifies a policy map that can be attached to multiple interfaces to specify a service policy

show class-map

Displays QoS class maps


clear dot11 aaa authentication mac-authen filter-cache

Use the clear dot11 aaa authentication mac-authen filter-cache privileged EXEC command to clear entries from the MAC authentication cache.

clear dot11 aaa authentication mac-authen filter-cache [address]

Syntax Description

address

Specifies a specific MAC address to clear from the cache.


Defaults

This command has no defaults.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(15)JA

This command was introduced.


Examples

This example shows how to clear a specific MAC address from the MAC authentication cache:

ap# clear dot11 aaa authentication mac-authen filter-cache 7643.798a.87b2
 
   

Related Commands

Command
Description

dot11 activity-timeout

Enable MAC authentication caching on the access point.

show dot11 aaa authentication mac-authen filter-cache

Display MAC addresses in the MAC authentication cache.


clear dot11 cckm-statistics

Use the clear dot11 cckm-statistics privileged EXEC command to reset CCKM statistics.

clear dot11 cckm-statistics

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default setting.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(15)JA

This command was introduced.


Examples

This example shows how to clear CCKM statistics:

AP# clear dot11 cckm-statistics
 
   

Related Commands

Command
Description

show dot11 associations

Displays association information for 802.11 devices


clear dot11 client

Use the clear dot11 client privileged EXEC command to deauthenticate a radio client with a specified MAC address. The client must be directly associated with the access point, not a repeater.

clear dot11 client {mac-address}

Syntax Description

mac-address

Specifies a radio client MAC address (in xxxx.xxxx.xxxx format)


Defaults

This command has no defaults.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to deauthenticate a specific radio client:

AP# clear dot11 client 0040.9645.2196
 
   

You can verify that the client was deauthenticated by entering the following privileged EXEC command:

AP# show dot11 associations 0040.9645.2196 

Related Commands

Command
Description

show dot11 associations

Displays the radio association table or optionally displays association statistics or association information about repeaters or clients


clear dot11 hold-list

Use the clear dot11 hold-list privileged EXEC command to reset the MAC, LEAP, and EAP authentications hold list.

clear dot11 hold-list

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default setting.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to clear the hold-off list of MAC authentications:

AP# clear dot11 hold-list
 
   
 
   

clear dot11 statistics

Use the clear dot11 statistics privileged EXEC command to reset statistic information for a specific radio interface or for a particular client with a specified MAC address.

clear dot11 statistics {interface | mac-address}

Syntax Description

interface

Specifies a radio interface number

mac-address

Specifies a client MAC address (in xxxx.xxxx.xxxx format)


Defaults

This command has no default setting.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to clear radio statistics for radio interface 0:

AP# clear dot11 statistics dot11radio 0
 
   

This example shows how to clear radio statistics for the client radio with a MAC address of 0040.9631.81cf:

AP# clear dot11 statistics 0040.9631.81cf

You can verify that the radio interface statistics are reset by entering the following privileged EXEC command:

AP# show dot11 associations statistics 

Related Commands

Command
Description

show dot11 statistics client-traffic

Displays client traffic statistics

show interfaces dot11radio

Displays radio interface information

show interfaces dot11radio statistics

Displays radio interface statistics


clear eap sessions

Use the clear eap sessions privileged EXEC command to clear the EAP session information on the access point.

clear eap sessions [credentials profile name] [interface name [number]] [method name] [transport name]

Syntax Description

credentials profile name

Clears EAP session information for the credentials profile specified by profile name.

interface interface number

Clears EAP session information for the interface specified by name and number.

method name

Clears EAP session information for the EAP method specified by name.

transport name

Clears EAP session information for the EAP transport specified by name.


Defaults

Clears all session information on the access point.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to clear all the EAP session information on the access point:

AP# clear eap sessions
 
   

This example shows how to clear all EAP session information for the fast Ethernet interface:

AP# clear eap sessions interface fastethernet 0
 
   

This example shows how to clear all EAP session information for the EAP-FAST method:

AP# clear eap sessions method eap-fast

Related Commands

Command
Description

show eap sessions

Displays all the EAP session information on the access point.


clear iapp rogue-ap-list

Use the clear iapp rogue-ap-list privileged EXEC command to clear the list of IAPP rogue access points.

clear iapp rogue-ap-list


Note This command is not supported on bridges.


Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default setting.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to clear the IAPP rogue access point list:

AP# clear iapp rogue-ap-list
 
   

You can verify that the rogue AP list was deleted by entering the show iapp rogue-ap-list privileged EXEC command.

Related Commands

Command
Description

show iapp rogue-ap-list

Displays the IAPP rogue access point list


clear iapp statistics

Use the clear iapp statistics privileged EXEC command to clear all the IAPP statistics.

clear iapp statistics

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default setting.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to clear the IAPP statistics:

AP# clear iapp statistics
 
   

You can verify that the IAPP statistics were cleared by entering the following privileged EXEC command:

AP# show iapp statistics 

Related Commands

Command
Description

show iapp statistics

Displays the IAPP transmit and receive statistics


clear ip igmp snooping membership

Use the clear ip igmp snooping membership privileged EXEC command to reset IGMP host membership information on the access point.

clear ip igmp snooping membership [vlan vlan id]

Syntax Description

vlan vlan id

Resets IGMP host membership information by VLAN.


Defaults

This command has no defaults.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to reset the IGMP membership information on the access point:

AP# clear ip igmp snooping membership
 
   

This example shows how to reset the IGMP membership information by VLAN:

AP# clear ip igmp snooping membership vlan 1
 
   

Related Commands

Command
Description

show ip igmp snooping groups

Displays IGMP snooping group information.

ip igmp snooping vlan

Enables IGMP snooping for a Catalyst VLAN.


clear wlccp wds

Use the clear wlccp wds privileged EXEC command to clear WDS statistics and to remove devices from the WDS database.

clear wlccp wds {[ap [mac-address]] | [mn [mac-address]] | statistics | aaa authentication mac-authen filter-cache [mac-address]}

Syntax Description

ap [mac-address]

Removes access points from the WDS database. If you specify a MAC address (in the hhhh.hhhh.hhhh format), the command removes the specified device from the WDS database. If you do not specify a MAC address, the command removes all access points from the WDS database.

mn [mac-address]

Removes client devices (mobile nodes) from the WDS database. If you specify a MAC address (in the hhhh.hhhh.hhhh format), the command removes that device from the WDS database. If you do not specify a MAC address, the command removes all clients from the WDS database.

statistics

Resets all WDS statistics.

aaa authentication mac-authen filter-cache [mac-address]

Removes MAC addresses from the access point's MAC authentication filter cache. If you specify a MAC address (in the hhhh.hhhh.hhhh format), the command removes that device from the filter cache. If you do not specify a MAC address, the command removes all addresses from the cache.


Defaults

This command has no default setting.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(15)JA

This command was introduced.


Examples

This example shows how to remove an access point from the WDS database:

AP# clear wlccp wds ap 1572.342d.97f4
 
   

Related Commands

Command
Description

show wlccp

Displays information on devices participating in Cisco Centralized Key Management (CCKM)

wlccp wds aaa authentication mac-authen filter-cache

Enables MAC authentication caching on the access point


clear wlccp wds recovery statistics

Use the clear wlccp wds recovery statistics privileged EXEC command to clear WDS recovery statistics.

clear wlccp wds recovery statistics

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default setting.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to clear the WDS recovery statistics:

AP# clear wlccp wds recovery statistics
 
   

Related Commands

Command
Description

show wlccp

Displays information on devices participating in Cisco Centralized Key Management (CCKM)


concatenation

Use the concatenation configuration interface command to enable packet concatenation on the bridge radio. Using concatenation, the bridge combines multiple packets into one packet to reduce packet overhead and overall latency, and to increase transmission efficiency.

concatenation [ bytes ]


Note This command is supported only on bridges. To avoid possible connectivity problems, ensure that all devices on the wireless LAN support wireless concatenation prior to implementing this feature.


Syntax Description

bytes

(Optional) Specifies a maximum size for concatenated packets in bytes. Enter a value from 1600 to 4000.


Defaults

Concatenation is enabled by default, and the default maximum concatenated packet size is 3500.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure concatenation on the bridge radio:

bridge(config-if)# concatenation 4000
 
   

countermeasure tkip hold-time

Use the countermeasure tkip hold-time configuration interface command to configure a TKIP MIC failure holdtime. If the access point detects two MIC failures within 60 seconds, it blocks all the TKIP clients on that interface for the holdtime period.

countermeasure tkip hold-time seconds

Syntax Description

seconds

Specifies the length of the TKIP holdtime in seconds (if the holdtime is 0, TKIP MIC failure hold is disabled)


Defaults

TKIP holdtime is enabled by default, and the default holdtime is 60 seconds.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure the TKIP holdtime on the access point radio:

ap(config-if)# countermeasure tkip hold-time 120
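
The following is an added example, not part of the Cisco documentation: a Python model of the rule described above (two MIC failures within 60 seconds block all TKIP clients on that interface for the holdtime), used to work out from recorded MIC-failure times when and for how long each radio was held. The event tuples and interface names are constructed; treating "within 60 seconds" as an inclusive bound and ignoring failures that arrive during a hold are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

DETECT_WINDOW = 60  # seconds: the two-failure detection window stated above

# Constructed sample: (time in seconds, interface) for each MIC failure.
SAMPLE_EVENTS = [
    (10, "Dot11Radio0"), (45, "Dot11Radio0"), (50, "Dot11Radio0"),
    (200, "Dot11Radio0"), (300, "Dot11Radio0"), (330, "Dot11Radio0"),
    (20, "Dot11Radio1"), (400, "Dot11Radio1"),
]

Window = Tuple[int, int]


def hold_windows(events: Iterable[Tuple[int, str]],
                 hold_time: int = 60) -> Dict[str, List[Window]]:
    """Return {interface: [(start, end), ...]} of TKIP hold periods.

    hold_time is the configured countermeasure tkip hold-time in seconds;
    0 disables the hold, so no interface is ever blocked.
    """
    if hold_time == 0:
        return {}
    per_interface: Dict[str, List[int]] = defaultdict(list)
    for timestamp, interface in events:
        per_interface[interface].append(timestamp)

    result: Dict[str, List[Window]] = {}
    for interface, stamps in per_interface.items():
        windows: List[Window] = []
        previous = None       # last failure not yet paired with another
        blocked_until = None  # end of the current hold, if any
        for timestamp in sorted(stamps):
            if blocked_until is not None and timestamp < blocked_until:
                continue  # assumption: failures during a hold are ignored
            if previous is not None and timestamp - previous <= DETECT_WINDOW:
                # Second failure inside the window: the hold starts now.
                windows.append((timestamp, timestamp + hold_time))
                blocked_until = timestamp + hold_time
                previous = None
            else:
                previous = timestamp
        if windows:
            result[interface] = windows
    return result


def blocked_seconds(windows: List[Window]) -> int:
    """Total time the TKIP clients on one interface were held."""
    return sum(end - start for start, end in windows)


if __name__ == "__main__":
    for hold in (60, 120, 0):
        print(hold, hold_windows(SAMPLE_EVENTS, hold_time=hold))
```
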
 
   

cw-max (QOS Class interface configuration mode)

Use the cw-max QOS Class interface configuration mode command to configure the CAC 802.11 maximum contention window size for a radio interface. Use the no form of the command to remove the setting.

[no] cw-max 0-10

Syntax Description

0-10

Specifies the size of the maximum contention window.


Defaults

When QoS is enabled, the default cw-max settings for access points match the values in Table 2-4, and the default cw-max settings for bridges match the values in Table 2-5.

Table 2-4 Default QoS cw-max Definitions for Access Points

Class of Service        Max Contention Window
Background              10
Best Effort             10
Video <100ms Latency    5
Voice <100ms Latency    4


Table 2-5 Default QoS cw-max Definitions for Bridges

Class of Service        Max Contention Window
Background              10
Best Effort             10
Video <100ms Latency    4
Voice <100ms Latency    3


Command Modes

QOS Class interface configuration mode

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to configure the CAC 802.11 maximum contention window size for the radio interface:

AP(config)# interface dot11radio 0
AP(config-if)# dot11 qos class voice
AP(config-if-qosclass)# cw-max 2
 
   

This example shows how to remove the CAC 802.11 maximum contention window for the radio interface:

AP(config-if-qosclass)# no cw-max
 
   

Related Commands

Command
Description

admission-control (QOS Class interface configuration mode)

Specifies that CAC admission control is required for the radio interface.

admit-traffic (QOS Class interface configuration mode)

Specifies that CAC traffic is enabled for the radio interface.

cw-min (QOS Class interface configuration mode)

Specifies the CAC minimum contention window size for the radio interface.

fixed-slot (QOS Class interface configuration mode)

Specifies the CAC fixed fallback slot time for the radio interface.

transmit-op (QOS Class interface configuration mode)

Specifies the CAC transmit opportunity time for the radio interface.


cw-min (QOS Class interface configuration mode)

Use the cw-min QOS Class interface configuration mode command to configure the CAC 802.11 minimum contention window size for a radio interface. Use the no form of the command to remove the setting.

[no] cw-min 0-10

Syntax Description

0-10

Specifies the size of the minimum contention window.


Defaults

When QoS is enabled, the default cw-min settings for access points match the values in Table 2-6, and the default cw-min settings for bridges match the values in Table 2-7.

Table 2-6 Default QoS cw-min Definitions for Access Points

Class of Service        Min Contention Window
Background              5
Best Effort             5
Video <100ms Latency    4
Voice <100ms Latency    2


Table 2-7 Default QoS cw-min Definitions for Bridges

Class of Service        Min Contention Window
Background              4
Best Effort             4
Video <100ms Latency    3
Voice <100ms Latency    2


Command Modes

QOS Class interface configuration mode

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to configure the CAC 802.11 minimum contention window size for the radio interface:

AP(config)# interface dot11radio 0
AP(config-if)# dot11 qos class voice
AP(config-if-qosclass)# cw-min 2
 
   

This example shows how to remove the CAC 802.11 minimum contention window for the radio interface:

AP(config-if-qosclass)# no cw-min
 
   

Related Commands

Command
Description

admission-control (QOS Class interface configuration mode)

Specifies that CAC admission control is required for the radio interface.

admit-traffic (QOS Class interface configuration mode)

Specifies that CAC traffic is enabled for the radio interface.

cw-max (QOS Class interface configuration mode)

Specifies the CAC maximum contention window size for the radio interface.

fixed-slot (QOS Class interface configuration mode)

Specifies the CAC fixed fallback slot time for the radio interface.

transmit-op (QOS Class interface configuration mode)

Specifies the CAC transmit opportunity time for the radio interface.


debug dot11

Use the debug dot11 privileged EXEC command to begin debugging of radio functions. Use the no form of this command to stop the debug operation.

[no] debug dot11 {events | packets | forwarding | mgmt | network-map | syslog | virtual-interface}

Syntax Description

events

Activates debugging of all radio related events

packets

Activates debugging of radio packets received and transmitted

forwarding

Activates debugging of radio forwarded packets

mgmt

Activates debugging of radio access point management activity

network-map

Activates debugging of radio association management network map

syslog

Activates debugging of radio system log

virtual-interface

Activates debugging of radio virtual interfaces


Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to begin debugging of all radio-related events:

AP# debug dot11 events
 
   

This example shows how to begin debugging of radio packets:

AP# debug dot11 packets
 
   

This example shows how to begin debugging of the radio system log:

AP# debug dot11 syslog
 
   

This example shows how to stop debugging of all radio related events:

AP# no debug dot11 events

Related Commands

Command
Description

show debugging

Displays all debug settings and the debug packet headers

show interfaces dot11radio

Displays configuration and status information for the radio interface


debug dot11 aaa

Use the debug dot11 aaa privileged EXEC command to activate debugging of dot11 authentication, authorization, and accounting (AAA) operations. Use the no form of this command to stop the debug operation.

[no] debug dot11 aaa {accounting | authenticator | dispatcher | manager}

Syntax Description

accounting

Activates debugging of 802.11 AAA accounting packets

authenticator {all | dispatcher | mac-authen | process | rxdata | state-machine | txdata}

Activates debugging of MAC and EAP authentication packets. Use these options to activate authenticator debugging:

all—activates debugging for all authenticator packets

dispatcher—activates debugging for authentication request handler packets

mac-authen—activates debugging for MAC authentication packets

process—activates debugging for authenticator process packets

rxdata—activates debugging for EAPOL packets from client devices

state-machine—activates debugging for authenticator state-machine packets

txdata—activates debugging for EAPOL packets sent to client devices

dispatcher

Activates debugging of 802.11 AAA dispatcher (interface between Association & Manager) packets

manager {all | dispatcher | keys | rxdata | state-machine | supplicant | txdata}

Activates debugging information for the AAA manager. Use these options to activate AAA manager debugging:

all—activates all AAA manager debugging

dispatcher—activates debug information for AAA manager-authenticator dispatch traffic

keys—activates debug information for AAA manager key processing

rxdata—activates debugging for AAA manager packets received from client devices

state-machine—activates debugging for AAA manager state-machine packets

supplicant—activates debugging for LEAP supplicant packets

txdata—activates debugging for AAA manager packets sent to client devices


Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.

12.2(15)JA

This command was modified to include the accounting, authenticator, dispatcher, and manager debugging options.


Examples

This example shows how to begin debugging of dot11 AAA accounting packets:

AP# debug dot11 aaa accounting
 
   

Related Commands

Command
Description

show debugging

Displays all debug settings

show interfaces dot11radio aaa

Optionally displays all radio clients


debug dot11 cac

Use the debug dot11 cac privileged EXEC command to begin debugging of admission control radio functions. Use the no form of this command to stop the debug operation.

[no] debug dot11 cac {events | unit}


Note This command is not supported on repeaters.


Syntax Description

events

Activates debugging of radio admission control events.

unit

Activates verbose debugging of radio admission control events.


Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to begin debugging of all admission control radio-related events:

AP# debug dot11 cac events
 
   

This example shows how to begin verbose debugging of all admission control radio-related events:

AP# debug dot11 cac unit
 
   

This example shows how to stop debugging of all admission control radio-related events:

AP# no debug dot11 cac events
 
   

This example shows how to stop verbose debugging of all admission control radio-related events:

AP# no debug dot11 cac unit

Related Commands

Command
Description

admit-traffic (SSID configuration mode)

Enables CAC admission control for an SSID on the access point.

admit-traffic (QOS Class interface configuration mode)

Configures CAC admission control on the access point.

show debugging

Displays all debug settings and the debug packet headers

show dot11 ids eap

Displays all CAC radio events on the access point.

traffic-stream

Configures CAC traffic data rates and priorities for a radio interface on the access point.


debug dot11 dot11radio

Use the debug dot11 dot11radio privileged EXEC command to turn on radio debug options. These options include running RF monitor mode and tracing frames received or transmitted on the radio interface. Use the no form of this command to stop the debug operation.

[no] debug dot11 dot11radio interface-number {accept-radio-firmware | monitor {ack | address | beacon | crc | lines | plcp | print | probe | store} | print {hex | if | iv | lines | mic | plcp | printf | raw | shortadr} | radio_debug flag-value | stop-on-failure | trace {off | print | store}}

Syntax Description

interface-number

Specifies a radio interface number (the 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1).

accept-radio-firmware

Configures the access point to disable checking the radio firmware version

monitor

Enables RF monitor mode. Use these options to turn on monitor modes:

ack—Displays ACK packets. ACK packets acknowledge receipt of a signal, information, or packet.

address—Displays packets to or from the specified IP address

beacon—Displays beacon packets

crc—Displays packets with CRC errors

lines—Specifies a print line count

plcp—Displays plcp packets

print—Enables RF monitor printing mode

probe—Displays probe packets

store—Enables RF monitor storage mode

print

Enables packet printing. Use these options to turn on packet printing:

hex—Prints entire packets without formatting

if—Prints the in and out interfaces for packets

iv—Prints the packet WEP IV

lines—Prints the line count for the trace

mic—Prints the Cisco MIC

plcp—Displays the PLCP

printf—Prints using printf instead of buginf

raw—Prints without formatting data

shortadr—Prints MAC addresses in short form

stop-on-failure

Configures the access point to not restart when the radio driver fails

trace

Enables trace mode. Use these options to turn on trace modes:

off—Turns off traces

print—Enables trace printing

store—Enables trace storage


Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to enable packet printing with MAC addresses in short form:

AP# debug dot11 dot11radio 0 print shortadr
 
   

This example shows how to begin monitoring of all packets with CRC errors:

AP# debug dot11 dot11radio 0 monitor crc
 
   

This example shows how to stop monitoring of packets with CRC errors:

AP# no debug dot11 dot11radio 0 monitor crc

Related Commands

Command
Description

show debugging

Displays all debug settings and the debug packet headers

show interfaces dot11radio

Displays configuration and status information for the radio interface

show interfaces dot11radio statistics

Displays radio interface statistics


debug dot11 ids

Use the debug dot11 ids eap privileged EXEC command to enable debugging for wireless IDS monitoring. Use the no form of the command to disable IDS debugging.

[no] debug dot11 ids {eap | cipher-errors}


Note This command is not supported on 1400 series bridges.


Syntax Description

eap

Activates debugging of IDS authentication events

cipher-errors

Activates debugging of cipher errors detected by IDS


Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Examples

This example shows how to activate wireless IDS debugging for authentication events:

AP# debug dot11 ids eap
 
   

Related Commands

Command
Description

dot11 ids eap attempts

Configures limits on authentication attempts and EAPOL flooding on scanner access points in monitor mode

show debugging

Displays all debug settings and the debug packet headers

show dot11 ids eap

Displays wireless IDS statistics


debug dot11 ids mfp

Use the debug dot11 ids mfp privileged EXEC command to debug Management Frame Protection (MFP) operations on the access point.

[no] debug dot11 ids mfp
ap {all | detector | events | generator | io}
wds {all | detectors | events | generators | statistics} |
wlccp

Syntax Description

ap

Debugs MFP events on the access point.

all

Debugs all MFP events.

detectors

Debugs MFP detector key management events.

events

Debugs high level MFP events.

generators

Debugs MFP generator key management events.

io

Debugs MFP IO (generate or detect frame) events.

reporting

Debugs MFP reporting events.

statistics

Debugs MFP WDS statistics received from the detectors.

wds

Debugs MFP WDS events.

wlccp

Debugs MFP WLCCP messages.


Defaults

There are no defaults for this command.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to debug the MFP detectors on the access point:

ap# debug dot11 ids mfp ap detectors
 
   

Related Commands

Command
Description

dot11 ids mfp

Configures MFP parameters on the access point.

show dot11 ids mfp

Displays MFP parameters on the access point.


debug eap

To display information about Extensible Authentication Protocol (EAP), use the debug eap command in privileged EXEC mode. To disable debugging output, use the no form of this command.

[no] debug eap {all | authenticator | errors | events | fast | gtc | leap | md5 | mschapv2 |
packets | peer | sm | tls}

Syntax Description

all

Turns on debugging for all EAP information.

authenticator

Turns on debugging for EAP authenticator.

errors

Displays information about EAP packet errors.

events

Displays information about EAP events.

fast

Turns on debugging for EAP-FAST authentications.

gtc

Turns on debugging for EAP-GTC authentications.

leap

Turns on debugging for EAP-LEAP authentications.

md5

Turns on debugging for EAP-MD5 authentications.

mschapv2

Turns on debugging for EAP-MSCHAPV2 authentications.

packets

Displays EAP packet-related information.

peer

Turns on debugging for peer EAP authentications.

sm

Displays EAP state machine transitions.

tls

Turns on debugging for EAP-TLS authentications.


Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to activate debugging for EAP-FAST authentication events:

AP# debug eap fast all
 
   

This example shows how to deactivate EAP-FAST authentication debugging:

AP# no debug eap fast all
 
   

Related Commands

Command
Description

show debugging

Displays all debug settings and the debug packet headers


debug iapp

Use the debug iapp privileged EXEC command to begin debugging of IAPP operations. Use the no form of this command to stop the debug operation.

[no] debug iapp {packets | event | error}

Syntax Description

packets

Displays IAPP packets sent and received by the access point. Link test packets are not displayed

event

Displays significant IAPP events

error

Displays IAPP software and protocol errors


Defaults

This command has no default setting.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to begin debugging of IAPP packets:

AP# debug iapp packets
 
   

This example shows how to begin debugging of IAPP events:

AP# debug iapp event
 
   

This example shows how to begin debugging of IAPP errors:

AP# debug iapp error

Related Commands

Command
Description

show debugging

Displays all debug settings


debug radius local-server

Use the debug radius local-server privileged EXEC mode command to control the display of debug messages for the local authenticator.

debug radius local-server {client | eapfast | error | packets }

Syntax Description

Command
Description

client

Activates display of error messages related to failed client authentications to the local authenticator

eapfast {encryption | events | pac | pkts}

Activates display of messages related to EAP-FAST on the local authenticator.

encryption—displays encryption and decryption of packets sent and received

events—displays EAP-FAST events on the local authenticator

pac—displays PAC generations and verifications

pkts—displays packets received and transmitted from EAP-FAST clients

error

Activates display of error messages related to the local authenticator

packets

Activates display of the content of RADIUS packets sent from and received by the local authenticator


Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)JA

This command was first introduced.


Examples

This example shows how to begin debugging for local authenticator errors:

AP# debug radius local-server error
 
   

Related Commands

Command
Description

radius-server local

Enables the access point as a local authenticator

show debugging

Displays all debug settings and the debug packet headers


debug wlccp ap

Use the debug wlccp ap privileged EXEC command to enable debugging for devices that interact with the access point that provides wireless domain services (WDS).

debug wlccp ap {mn | rm [statistics | context | packet] | state | wds-discovery}


Note This command is not supported on bridges.


Syntax Description

Command
Description

mn

(Optional) Activates display of debug messages related to client devices

rm [statistics | context | packet]

(Optional) Activates display of debug messages related to radio management

statistics—shows statistics related to radio management

context—shows the radio management contexts

packet—shows output related to packet flow

state

(Optional) Activates display of debug messages related to access point authentication to the WDS access point

wds-discovery

(Optional) Activates display of debug messages related to the WDS discovery process


Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)JA

This command was first introduced.


Examples

This example shows how to begin debugging for LEAP-enabled client devices participating in Cisco Centralized Key Management (CCKM):

AP# debug wlccp ap mn
 
   

Related Commands

Command
Description

show debugging

Displays all debug settings and the debug packet headers

show wlccp

Displays WLCCP information


debug wlccp ap rm enhanced-neighbor-list

Use the debug wlccp ap rm enhanced-neighbor-list privileged EXEC command to enable internal debugging information and error messages of the Enhanced Neighbor List feature. Use the no form of the command to disable the debugging and error messages.

[no] debug wlccp ap rm enhanced-neighbor-list


Note This command is not supported on bridges.


Syntax Description

This command has no arguments or keywords.

Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)JA

This command was first introduced.


Examples

This example shows how to activate debugging and error messages of the Enhanced Neighbor List feature on the access point:

AP# debug wlccp ap rm enhanced-neighbor-list
 
   

Related Commands

Command
Description

show debugging

Displays all debug settings and the debug packet headers

show wlccp

Displays WLCCP information

show wlccp ap rm enhanced-neighbor-list

Displays Enhanced Neighbor List feature related information.


debug wlccp packet

Use the debug wlccp packet privileged EXEC command to activate display of packets to and from the access point that provides wireless domain services (WDS).

debug wlccp packet


Note This command is not supported on bridges.


Syntax Description

This command has no arguments or keywords.

Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)JA

This command was first introduced.


Examples

This example shows how to activate display of packets to and from the WDS access point:

AP# debug wlccp packet
 
   

Related Commands

Command
Description

show debugging

Displays all debug settings and the debug packet headers

show wlccp

Displays WLCCP information


debug wlccp rmlib

Use the debug wlccp rmlib privileged EXEC command to activate display of radio management library functions on the access point that provides wireless domain services (WDS).

debug wlccp rmlib


Note This command is not supported on bridges.


Syntax Description

This command has no arguments or keywords.

Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)JA

This command was first introduced.


Examples

This example shows how to activate display of radio management library functions on the access point that provides WDS:

AP# debug wlccp rmlib
 
   

Related Commands

Command
Description

show debugging

Displays all debug settings and the debug packet headers

show wlccp

Displays WLCCP information


debug wlccp wds

Use the debug wlccp wds privileged EXEC command to activate display of wireless domain services (WDS) debug messages.

debug wlccp wds
aggregator [packet]
authenticator {all | dispatcher | mac-authen | process | rxdata | state-machine | txdata}
nm [packet | loopback]
state
statistics


Note This command is not supported on bridges.


Syntax Description

Command
Description

aggregator [packet]

(Optional) Activates display of debug messages related to radio management. Use the packet option to display packets from and to the radio management aggregator.

authenticator {all | dispatcher | mac-authen | process | rxdata | state-machine | txdata}

(Optional) Use this command and its options to turn on display of WDS debug messages related to authentication.

all—Enables all authenticator debugging

dispatcher—Enables debugging related to handling authentication requests

mac-authen—Enables debugging related to MAC address authentication

process—Enables debugging related to authenticator processes

rxdata—Enables display of EAPOL packets from clients

state-machine—Enables authenticator state-machine debugging

txdata—Enables display of EAPOL packets to clients

nm [packet | loopback]

(Optional) Activates display of debug messages from the wireless network manager (WNM). The packet option displays Cisco IOS packets from and to the network manager, and the loopback option re-routes packets sent to the WNM to the WDS access point console instead.

state

(Optional) Activates display of state transitions for access points interacting with the WDS access point.

statistics

(Optional) Activates display of WDS statistics.


Defaults

Debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)JA

This command was first introduced.

12.2(13)JA

This command was modified to include the aggregator and nm options.


Examples

This example shows how to begin debugging for LEAP-enabled client devices participating in Cisco Centralized Key Management (CCKM):

AP# debug wlccp ap mn
 
   

Related Commands

Command
Description

show debugging

Displays all debug settings and the debug packet headers

show wlccp

Displays WLCCP information


description (dot1x credentials configuration mode)

Use the description dot1x credentials configuration mode command to specify a text description for the dot1x credential. Use the no form of the command to disable anonymous-id.

[no] description name

Syntax Description

name

Specifies the text description for the dot1x credential.


Defaults

This command has no defaults.

Command Modes

Dot1x credentials configuration interface

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to specify text description for the dot1x credential:

AP(config-dot1x-creden)# description This is a test credential
 
   

Related Commands

Command
Description

dot1x credentials

Configures the dot1x credentials on the access point.

show dot1x credentials

Displays the configured dot1x credentials on the access point.


dfs band

Use the dfs band configuration interface command to prevent the access point from automatically selecting specific groups of 5-GHz channels during dynamic frequency selection (DFS). Use the no form of the command to unblock groups of channels.

[no] dfs band [1] [2] [3] [4] block


Note This command is supported only on 5-GHz radios configured at the factory for use in the European Union and Singapore.


Syntax Description

[1] [2] [3] [4]

Specifies a group of channels to be blocked from auto-selection during DFS.

1—Specifies frequencies 5.150 to 5.250 GHz. This group of frequencies is also known as the UNII-1 band.

2—Specifies frequencies 5.250 to 5.350 GHz. This group of frequencies is also known as the UNII-2 band.

3—Specifies frequencies 5.470 to 5.725 GHz.

4—Specifies frequencies 5.725 to 5.825 GHz. This group of frequencies is also known as the UNII-3 band.


Defaults

By default, no channels are blocked from DFS auto-selection.

Command Modes

Configuration interface

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Examples

This example shows how to prevent the access point from selecting frequencies 5.150 to 5.350 GHz during DFS:

ap(config-if)# dfs band 1 2 block
 
   

This example shows how to unblock frequencies 5.150 to 5.350 GHz for DFS:

ap(config-if)# no dfs band 1 2 block
 
   

This example shows how to unblock all frequencies for DFS:

ap(config-if)# no dfs band block
 
   

Usage Guidelines

Some regulatory domains limit the 5-GHz channels that can be used in specific locations; for example, indoors or outdoors. Use the dfs band command to comply with the regulations in your regulatory domain.

Related Commands

Command
Description

channel

Specifies the radio frequency on which a radio interface operates


distance

Use the distance configuration interface command to specify the distance from a root bridge to the non-root bridge or bridges with which it communicates. The distance setting adjusts the bridge's timeout values to account for the time required for radio signals to travel from bridge to bridge. You do not need to adjust this setting on non-root bridges.

distance kilometers


Note This command is supported only on bridges.



Note If more than one non-root bridge communicates with the root bridge, enter the distance from the root bridge to the non-root bridge that is farthest away.


Syntax Description

kilometers

Specifies the bridge distance setting (enter a value from 0 to 99 km)


Defaults

In installation mode, the default distance setting is 99 km. In all other modes, such as root and non-root, the default distance setting is 0 km.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure the distance setting for the root bridge radio:

bridge(config-if)# distance 40
 
   

dot11 aaa authentication attributes service-type login-only

Use the dot11 aaa authentication attributes service-type login-only global configuration command to set the service-type attribute in reauthentication requests to login-only. By default, the access point sends reauthentication requests to the server with the service-type attribute set to authenticate-only. However, some Microsoft IAS servers do not support the authenticate-only service-type attribute. Changing the service-type attribute to login-only ensures that Microsoft IAS servers recognize reauthentication requests from the access point.

dot11 aaa authentication attributes service-type login-only

Syntax Description

This command has no arguments or keywords.

Defaults

The default service-type attribute in reauthentication requests is set to authenticate-only. This command sets the service-type attribute in reauthentication requests to login-only.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)JA

This command was introduced.


 
   

Related Commands

Command
Description

dot11 aaa csid

Selects the format for MAC addresses in Called-Station-ID (CSID) and Calling-Station-ID attributes


dot11 aaa authentication mac-authen filter-cache

Use the dot11 aaa authentication mac-authen filter-cache global configuration command to enable MAC authentication caching on the access point. MAC authentication caching reduces overhead because the access point authenticates devices in its MAC-address cache without sending the request to your authentication server. When a client device completes MAC authentication to your authentication server, the access point adds the client's MAC address to the cache.

dot11 aaa authentication mac-authen filter-cache [timeout seconds]

Syntax Description

timeout seconds

Specifies a timeout value for MAC authentications in the cache.


Defaults

MAC authentication caching is disabled by default. When you enable it, the default timeout value is 1800 seconds (30 minutes).

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)JA

This command was introduced.


Examples

This example shows how to configure MAC authentication caching with a one-hour timeout:

ap(config)# dot11 aaa authentication mac-authen filter-cache timeout 3600
 
   

Related Commands

Command
Description

clear dot11 aaa authentication mac-authen filter-cache

Clears MAC addresses from the MAC authentication cache.

show dot11 aaa authentication mac-authen filter-cache

Displays MAC addresses in the MAC authentication cache.


dot11 aaa csid

Use the dot11 aaa csid global configuration command to select the format for MAC addresses in Called-Station-ID (CSID) and Calling-Station-ID attributes in RADIUS packets.

dot11 aaa csid { default | ietf | unformatted }

Syntax Description

default

Specifies the default format for MAC addresses in CSID attributes. The default format looks like this example:

0007.85b3.5f4a

ietf

Specifies the Internet Engineering Task Force (IETF) format for MAC addresses in CSID attributes. The IETF format looks like this example:

00-07-85-b3-5f-4a

unformatted

Specifies no formatting for MAC addresses in CSID attributes. An unformatted MAC address looks like this example:

000785b35f4a

Defaults

The default CSID format looks like this example:

0007.85b3.5f4a

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)JA

This command was introduced.


Usage Guidelines

You can also use the wlccp wds aaa csid command to select the CSID format.
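Because the three CSID layouts above describe the same address, RADIUS logs collected from access points that use different settings have to be normalized before a client can be matched across them. The following is an added example, not part of the Cisco reference: it recognizes the three layouts shown on this page, converts between them, and flags clients reported in more than one layout. The record fields, access point names, and case-insensitive matching are assumptions made for the example.

```python
import re
from collections import defaultdict

# The three layouts selectable with "dot11 aaa csid", keyed by keyword.
# The sample values in the comments are the ones shown on this page.
CSID_PATTERNS = {
    "default": re.compile(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}", re.I),   # 0007.85b3.5f4a
    "ietf": re.compile(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}", re.I),       # 00-07-85-b3-5f-4a
    "unformatted": re.compile(r"[0-9a-f]{12}", re.I),                # 000785b35f4a
}


def detect_csid_format(value):
    """Return 'default', 'ietf' or 'unformatted' for a CSID MAC string."""
    value = value.strip()
    for name, pattern in CSID_PATTERNS.items():
        if pattern.fullmatch(value):
            return name
    raise ValueError(f"not a recognised CSID MAC layout: {value!r}")


def is_valid_csid(value):
    """True when the string matches one of the three layouts exactly."""
    try:
        detect_csid_format(value)
        return True
    except ValueError:
        return False


def canonical_mac(value):
    """Reduce any of the three layouts to 12 lowercase hex digits."""
    detect_csid_format(value)  # rejects mixed or truncated layouts
    return re.sub(r"[.-]", "", value.strip()).lower()


def format_csid(value, style):
    """Re-emit a MAC address in the layout named by a csid keyword."""
    mac = canonical_mac(value)
    if style == "default":
        return ".".join(mac[i:i + 4] for i in range(0, 12, 4))
    if style == "ietf":
        return "-".join(mac[i:i + 2] for i in range(0, 12, 2))
    if style == "unformatted":
        return mac
    raise ValueError(f"unknown csid style: {style!r}")


def correlate(records):
    """Group records by client and note which APs and layouts reported it."""
    clients = defaultdict(lambda: {"aps": set(), "formats": set()})
    for rec in records:
        raw = rec["calling_station_id"]
        entry = clients[canonical_mac(raw)]
        entry["aps"].add(rec["nas"])
        entry["formats"].add(detect_csid_format(raw))
    return dict(clients)


def mixed_format_clients(records):
    """Clients seen in more than one layout, a sign of inconsistent csid settings."""
    return sorted(mac for mac, e in correlate(records).items() if len(e["formats"]) > 1)


# Constructed sample records (hypothetical field names and AP names).
SAMPLE_RECORDS = [
    {"nas": "ap-1", "calling_station_id": "0007.85b3.5f4a"},
    {"nas": "ap-2", "calling_station_id": "00-07-85-B3-5F-4A"},
    {"nas": "ap-3", "calling_station_id": "000785b35f4a"},
    {"nas": "ap-1", "calling_station_id": "0000.1234.5678"},
]

if __name__ == "__main__":
    for mac in mixed_format_clients(SAMPLE_RECORDS):
        print(mac, sorted(correlate(SAMPLE_RECORDS)[mac]["formats"]))
```

A server-side MAC allow list keyed on one layout will not match requests that arrive in another, so normalizing before comparison avoids silent mismatches.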

Related Commands

Command
Description

debug dot11 aaa

Begins debugging of dot11 authentication, authorization, and accounting (AAA) operations


dot11 association mac-list

To specify a MAC address access list used for dot11 association, use the dot11 association mac-list command.

dot11 association mac-list number

Syntax Description

number

Specifies a number (700 to 799) for a 48-bit MAC address access list.


Defaults

No MAC address access list is assigned.

Examples

This example shows the creation of a MAC address access list used to filter one client with a MAC address of 0000.1234.5678.

AP(config)# access-list 700 deny 0000.1234.5678 0000.0000.0000
AP(config)# dot11 association mac-list 700

Related Commands

Command
Description

show access-list

Displays the configured access-lists.


dot11 activity-timeout

Use the dot11 activity-timeout global configuration command to configure the number of seconds that the access point tracks an inactive device (the number depends on its device class). The access point applies the unknown device class to all non-Cisco Aironet devices.

dot11 activity-timeout { [ client-station | repeater | bridge | workgroup-bridge | unknown ] [ default <1 - 100000> ] [ maximum <1 - 100000> ] }

Syntax Description

client-station, repeater, bridge, workgroup-bridge

Specify Cisco Aironet device classes

unknown

Specifies unknown (non-Cisco Aironet) device class

default <1 - 100000>

Specifies the activity timeout value that the access point uses when a device associates and proposes a zero-refresh rate or does not propose a refresh rate

maximum <1 - 100000>

Specifies the maximum activity timeout allowed for a device regardless of the refresh rate proposed by a device when it associates


Defaults

Table 2-8 lists the default activity timeouts for each device class. All values are in seconds.

Table 2-8 Default Activity Timeouts

Device Class      Default Timeout
----------------  ---------------
unknown           60
client-station    1800
repeater          28800
bridge            28800
workgroup-bridge  28800


Command Modes

Global configuration

Command History

Release
Modification

12.2(13)JA

This command was introduced.


Examples

This example shows how to configure default and maximum activity timeouts for all device classes:

AP(config)# dot11 activity-timeout default 5000 maximum 24000
 
   

Usage Guidelines

To set an activity timeout for all device types, set a default or maximum timeout without specifying a device class (for example, enter dot11 activity-timeout default 5000). The access point applies the timeout to all device types that are not already configured with a timeout.

Related Commands

Command
Description

dot11 adjacent-ap age-timeout

Specifies the number of hours an inactive entry remains in the list of adjacent access points

show dot11 associations

Displays the radio association table, radio association statistics, or association information about wireless devices

show dot11 network-map

Displays the radio network map


dot11 adjacent-ap age-timeout

Use the dot11 adjacent-ap age-timeout global configuration command to specify the number of hours an inactive entry remains in the list of adjacent access points.

dot11 adjacent-ap age-timeout hours


Note This command is not supported on bridges.


Syntax Description

hours

Specifies the number of hours an inactive entry remains in the list of adjacent access points


Defaults

The default age-timeout is 24 hours.

Command Modes

Global configuration

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to configure the timeout setting for inactive entries in the adjacent access point list:

AP(config)# dot11 adjacent-ap age-timeout 12
 
   

Related Commands

Command
Description

show dot11 adjacent-ap

Displays the list of adjacent access points


dot11 arp-cache

Use the dot11 arp-cache global configuration command to enable client ARP caching on the access point. ARP caching on the access point reduces the traffic on your wireless LAN and increases client battery life by stopping ARP requests for client devices at the access point. Instead of forwarding ARP requests to client devices, the access point responds to requests on behalf of associated client devices and drops ARP requests that are not directed to clients associated to the access point. When ARP caching is optional, the access point responds on behalf of clients with IP addresses known to the access point but forwards through its radio port any ARP requests addressed to unknown clients. When the access point knows all the IP addresses for associated clients, it drops any ARP requests not directed to its clients. In its beacon, the access point includes an information element to alert client devices that they can safely ignore broadcast messages to increase battery life.

[no] dot11 arp-cache [optional]

Syntax Description

optional

Configures the access point to respond to ARP requests addressed to clients for which the access point knows the IP address but forward through its radio port ARP requests addressed to client devices that the access point does not recognize. When the access point learns all the IP addresses for associated clients, it drops any ARP requests not directed to its clients.


Defaults

ARP caching is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)JA

This command was introduced.


Examples

This example shows how to enable ARP caching:

AP(config)# dot11 arp-cache
 
   

dot11 carrier busy

Use the dot11 carrier busy privileged EXEC command to display levels of radio activity on each channel.

dot11 interface-number carrier busy

Syntax Description

interface-number

Specifies the radio interface number (The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.)


Defaults

This command has no defaults.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Usage Guidelines

During the carrier busy test, the access point or bridge drops all associations with wireless networking devices for about 4 seconds while it conducts the carrier test and then displays the test results.

You can re-display the carrier busy results using the show dot11 carrier busy command.

Examples

This example shows how to run the carrier busy test for radio interface 0:

AP# dot11 d0 carrier busy
 
   

This example shows the carrier busy test results:

Frequency  Carrier Busy %
---------  --------------
5180          0
5200          2
5220         27
5240          5
5260          1
5280          0
5300          3
5320          2
 
   

Related Commands

Command
Description

show dot11 carrier busy

Displays the carrier busy test results


dot11 extension aironet

Use the dot11 extension aironet configuration interface command to enable or disable Cisco Aironet extensions to the IEEE 802.11b standard. Use the no form of this command to disable the Cisco Aironet extensions.

[no] dot11 extension aironet


Note You cannot disable Cisco Aironet extensions on bridges.


Syntax Description

This command has no arguments or keywords.

Defaults

Cisco Aironet extensions are enabled by default.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

The Cisco Aironet extensions help clients choose the best access point. You must enable these extensions to use advanced features such as Cisco MIC and key hashing. Disable these extensions for non-Cisco clients that misinterpret the extensions.

Examples

This example shows how to enable Cisco Aironet extensions for the radio interface:

AP(config-if)# dot11 extension aironet
 
   

This example shows how to disable Cisco Aironet extensions for the radio interface:

AP(config-if)# no dot11 extension aironet

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration


dot11 extension power native

Use the dot11 extension power native configuration interface command to configure the native MIB power table to be used to respond to SNMP queries on the access point power levels. This command works with the cd11IfPhyNativePowerUseStandard MIB object of the Cisco DOT11-IF-MIB. Use the no form of this command to use the standard MIB power table.

[no] dot11 extension power native

Syntax Description

This command has no arguments or keywords.

Defaults

The standard MIB power table is enabled by default.

Command Modes

Configuration interface

Command History

Release
Modification

12.3(7)JA

This command was introduced.


Examples

This example shows how to enable the native MIB power table for the radio interface:

AP(config-if)# dot11 extension power native
 
   

This example shows how to return to the standard MIB power table for the radio interface:

AP(config-if)# no dot11 extension power native

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration


dot11 holdoff-time

Use the dot11 holdoff-time global configuration command to specify the hold-off time for EAP and MAC address authentication. The holdoff time is invoked when a client fails three login attempts or fails to respond to three authentication requests from the access point. Use the no form of the command to reset the parameter to defaults.

[no] dot11 holdoff-time seconds

Syntax Description

seconds

Specifies the hold-off time (1 to 65555 seconds)


Defaults

The default holdoff time is 0 (disabled).

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to specify a 2-minute hold-off time:

AP(config)# dot11 holdoff-time 120
 
   

This example shows how to reset the hold-off time to defaults:

AP(config)# no dot11 holdoff-time

Related Commands

Command
Description

show running-config

Displays information on the current running access point configuration


dot11 ids eap attempts

Use the dot11 ids eap attempts global configuration command to configure the number of authentication attempts and the number of seconds of EAPOL flooding that trigger a fault on a scanner access point in monitor mode.

Setting an authentication failure limit protects your network against a denial-of-service attack called EAPOL flooding. The 802.1X authentication that takes place between a client and the access point triggers a series of messages between the access point, the authenticator, and an authentication server using EAPOL messaging. The authentication server can quickly become overwhelmed if there are too many authentication attempts. If not regulated, a single client can trigger enough authentication requests to impact your network.

A scanner access point in monitor mode tracks the rate at which 802.1X clients attempt to authenticate through the access point. If your network is attacked through excessive authentication attempts, the access point generates an alert when the authentication threshold has been exceeded.

[no] dot11 ids eap attempts number period seconds

Syntax Description

number

Specifies the number of authentication attempts that triggers a fault on a scanner access point in monitor mode

seconds

Specifies the number of seconds of EAPOL flooding that triggers a fault on a scanner access point in monitor mode


Defaults

This command has no defaults.

Command Modes

Global configuration

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Examples

This example shows how to configure a limit on authentication attempts and on the duration of EAPOL flooding on a scanner access point in monitor mode:

ap(config)# dot11 ids eap attempts 10 period 10
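
The following is an added example, not Cisco code and not the access point's implementation: a Python model of the threshold check described above, run over constructed events. It assumes a fault is raised when one client reaches `number` authentication attempts inside any `seconds`-long window; the function names and sample MAC addresses are hypothetical.

```python
from collections import defaultdict, deque


def parse_ids_command(line):
    """Return (attempts, period) from 'dot11 ids eap attempts N period S'."""
    tokens = line.split()
    if (len(tokens) != 7 or tokens[:4] != ["dot11", "ids", "eap", "attempts"]
            or tokens[5] != "period"):
        raise ValueError(f"not a dot11 ids eap attempts command: {line!r}")
    attempts, period = int(tokens[4]), int(tokens[6])
    if attempts < 1 or period < 1:
        raise ValueError("attempts and period must be positive")
    return attempts, period


def detect_eapol_flood(events, attempts, period):
    """Return {client_mac: time at which the threshold was first reached}.

    events is an iterable of (timestamp_seconds, client_mac) tuples, one per
    802.1X authentication attempt. Assumed model: a client is faulted once
    it has made `attempts` attempts within the last `period` seconds.
    """
    recent = defaultdict(deque)   # per-client timestamps inside the window
    faults = {}
    for ts, mac in sorted(events):
        window = recent[mac]
        window.append(ts)
        # Discard attempts that have aged out of the sliding window.
        while ts - window[0] >= period:
            window.popleft()
        if len(window) >= attempts and mac not in faults:
            faults[mac] = ts
    return faults


def build_sample_events():
    """Constructed sample data (not a real capture); MACs are documentation values."""
    # Two attempts per second: reaches 10 attempts in under 10 seconds.
    flood = [(5.0 + 0.5 * i, "0000.5e00.5301") for i in range(12)]
    # One attempt every 30 seconds: ordinary reauthentication.
    normal = [(t, "0000.5e00.5302") for t in (0.0, 30.0, 60.0)]
    # Two bursts of 9 attempts separated by a pause: stays under the limit.
    bursty = [(float(i), "0000.5e00.5303") for i in range(9)]
    bursty += [(20.0 + i, "0000.5e00.5303") for i in range(9)]
    return flood + normal + bursty


if __name__ == "__main__":
    limit, seconds = parse_ids_command("dot11 ids eap attempts 10 period 10")
    for mac, when in detect_eapol_flood(build_sample_events(), limit, seconds).items():
        print(f"EAPOL flood threshold reached by {mac} at t={when}s")
```

The bursty client shows why the window matters: 18 attempts in total never trip a 10-in-10-seconds limit, so the threshold should be tuned against the reauthentication behavior of legitimate clients.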
 
   

Related Commands

Command
Description

debug dot11 ids

Enables wireless IDS debugging

show dot11 ids eap

Displays IDS statistics


dot11 ids mfp

Use the dot11 ids mfp global configuration command to configure Management Frame Protection (MFP) parameters on the access point.


Note To configure an MFP distributor, the access point must be configured as a WDS.


[no] dot11 ids mfp {detector | distributor | generator}

Syntax Description

detector

Enables the MFP detector on the access point.

distributor

Configures the MFP distributor on the access point.

generator

Configures an MFP generator.


Defaults

This command has no defaults.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to configure the MFP detector, enable the MFP distributor, and configure the MFP generator on the access point:

ap(config)# dot11 ids mfp detector
ap(config)# dot11 ids mfp distributor
ap(config)# dot11 ids mfp generator
 
   

Related Commands

Command
Description

show dot11 ids mfp

Displays MFP parameters configured on the access point.

debug dot11 ids mfp

Debugs MFP operations on the access point.


dot11 igmp snooping-helper

Use the dot11 igmp snooping-helper global configuration command to begin sending IGMP Query requests when a new client associates with the access point. Use the no form of this command to disable the IGMP Query requests.

[no] dot11 igmp snooping-helper

Syntax Description

This command has no arguments or keywords.

Defaults

IGMP Query requests are disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to enable IGMP Query requests:

AP(config)# dot11 igmp snooping-helper
 
   

This example shows how to stop or disable the IGMP Query requests:

AP(config)# no dot11 igmp snooping-helper

dot11 lbs

Use the dot11 lbs global configuration command to create a location based services (LBS) profile and to enter LBS configuration mode.

[no] dot11 lbs profile-name

Syntax Description

profile-name

Specifies the name of the LBS profile


Defaults

This command has no defaults.

Command Modes

Global configuration

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Examples

This example shows how to create an LBS profile and enter LBS configuration mode:

ap(config)# dot11 lbs southside
 
   

Related Commands

Command
Description

channel-match (LBS configuration mode)

Specifies that the LBS packet sent by an LBS tag must match the radio channel on which the access point receives the packet

interface dot11 (LBS configuration mode)

Enables an LBS profile on a radio interface

method (LBS configuration mode)

Specifies the location method used in an LBS profile

multicast address (LBS configuration mode)

Specifies the multicast address that LBS tag devices use when they send LBS packets

packet-type (LBS configuration mode)

Specifies the LBS packet type accepted in an LBS profile

server-address (LBS configuration mode)

Specifies the IP address of the location server on your network


dot11 linktest

Use the dot11 linktest privileged EXEC command to test a radio link between the access point and a client device.

dot11 interface-number linktest [target mac-address] [count packet-number] [interval sec] [packet-size size] [rate value]

Syntax Description

interface-number

Specifies the radio interface number (The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.)

target mac-address

(Optional) Specifies the MAC address (in xxxx.xxxx.xxxx format) of the client device

count packet-number

(Optional) Specifies the number of packets (1 to 9999) to send to the client device

interval sec

(Optional) Specifies the time interval between tests (from 1 to 10000 seconds)

packet-size size

(Optional) Specifies the size of each packet (from 1 to 1400 bytes)

rate value

(Optional) Specifies a specific link test data rate.

Rates for the 802.11b, 2.4-GHz radio are 1, 2, 5, or 11 Mbps.

Rates for the 802.11g, 2.4-GHz radio are 1, 2, 5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps.

Rates for the 5-GHz radio are 6, 9, 12, 18, 24, 36, 48, or 54 Mbps.


Defaults

The default target for a root access point is the first client. The default target for a repeater is its parent access point.

The default count specifies that the test runs once.

The default interval is 5 seconds.

The default packet-size is 512 bytes.

The default rate is the automatic rate-shifting algorithm.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.

12.2(8)JA

Parameters were added to support the 5-GHz access point radio.

12.2(11)JA

Parameters were added to support the 5.8-GHz bridge radio.

12.2(13)JA

Parameters were added to support the 802.11g, 2.4-GHz access point radio.


Usage Guidelines

The link test verifies the radio link between the access point and a client device by sending the client a series of special packets, which the client returns to the access point.


Note Some client devices, such as non-Cisco wireless clients, wired clients that are connected to a workgroup bridge, or non-Cisco clients connected to a repeater access point, might not respond to link test packets.


The client adds information to the packets that quantifies how well it received the request. Results are displayed as a table of packet statistics, quality, and signal-level information.

If you specify an interval, the test repeats continuously, with the specified number of seconds between runs. To abort the test, type the escape sequence (Ctrl key and ^ key). Without an interval, the test runs once.

Examples

This example shows how to initiate a radio link test to send 10 packets to client MAC address 0040963181CF on radio interface 0:

AP# dot11 dot11radio 0 linktest target 0040.9631.81CF count 10
 
   

This example shows how to initiate a radio link test to send 100 packets of 500 bytes to client MAC address 0040963181CF on radio interface 0:

AP# dot11 dot11radio 0 linktest target 0040.9631.81CF packet-size 500 count 100

Related Commands

Command
Description

show interfaces dot11radio statistics

Displays the radio statistics

show dot11 associations

Displays the radio association table

show dot11 network-map

Displays the radio network map


dot11 location isocc

Use the dot11 location isocc global configuration command to configure location identifiers that the access point sends with all RADIUS authentication and accounting requests.

dot11 location isocc ISO-country-code cc country-code ac area-code

Syntax Description

isocc ISO-country-code

Specifies the ISO country code that the access point includes in RADIUS authentication and accounting requests

cc country-code

Specifies the International Telecommunication Union (ITU) country code that the access point includes in RADIUS authentication and accounting requests

ac area-code

Specifies the ITU area code that the access point includes in RADIUS authentication and accounting requests


Defaults

This command has no defaults.

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)JA

This command was introduced.


Usage Guidelines

You can find a list of ISO and ITU country and area codes at the ISO and ITU websites. Cisco IOS software does not check the validity of the country and area codes that you enter with this command.

Examples

This example shows how to configure the ISO and ITU location codes on the access point:

ap(config)# dot11 location isocc us cc 1 ac 408
 
   

This example shows how the access point adds the SSID used by the client device and how it formats the location-ID string:

isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport
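
Because Cisco IOS does not validate these codes, a pre-deployment check can catch typos before they reach RADIUS accounting records. The following is an added example, not Cisco code: it checks the command arguments and builds and parses the location-ID string shown above. The format rules (two-letter ISO 3166-1 alpha-2 code, one-to-three-digit E.164 country code, numeric area code) and all function names are assumptions of this example.

```python
import re

FIELD_ORDER = ("isocc", "cc", "ac", "network")


def parse_location_command(line):
    """Extract the three codes from a 'dot11 location isocc ...' command."""
    match = re.fullmatch(r"dot11 location isocc (\S+) cc (\S+) ac (\S+)",
                         line.strip())
    if not match:
        raise ValueError(f"not a dot11 location isocc command: {line!r}")
    return dict(zip(("isocc", "cc", "ac"), match.groups()))


def check_codes(codes):
    """Return a list of problems; an empty list means the codes look sane."""
    problems = []
    if not re.fullmatch(r"[A-Za-z]{2}", codes["isocc"]):
        problems.append("isocc is not a two-letter ISO country code")
    if not re.fullmatch(r"[1-9][0-9]{0,2}", codes["cc"]):
        problems.append("cc is not a 1-3 digit ITU country code")
    if not re.fullmatch(r"[0-9]+", codes["ac"]):
        problems.append("ac is not a numeric area code")
    return problems


def location_id(codes, ssid):
    """Build the location-ID string in the layout shown in the example above."""
    return f"isocc={codes['isocc']},cc={codes['cc']},ac={codes['ac']},network={ssid}"


def parse_location_id(value):
    """Split a location-ID string into its four fields.

    Only the first three commas are separators, so an SSID that itself
    contains a comma stays intact in the network field.
    """
    parts = value.split(",", 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}")
    fields = {}
    for key, part in zip(FIELD_ORDER, parts):
        name, sep, val = part.partition("=")
        if name != key or not sep:
            raise ValueError(f"expected field {key!r}, got {part!r}")
        fields[key] = val
    return fields


if __name__ == "__main__":
    codes = parse_location_command("dot11 location isocc us cc 1 ac 408")
    print(check_codes(codes) or "codes OK")
    print(location_id(codes, "ACMEWISP_NewarkAirport"))
    # Constructed bad input: three-letter country, padded cc, letter 'o' in ac.
    print(check_codes({"isocc": "usa", "cc": "0044", "ac": "4o8"}))
```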
 
   

Related Commands

Command
Description

snmp-server location

Specifies the SNMP system location and the WISPr location-name attribute


dot11 mbssid

Use the dot11 mbssid global configuration command to enable multiple basic SSIDs on all access point radio interfaces.

[no] dot11 mbssid


Note This command is supported only on access points that contain at least one radio interface that supports multiple basic SSIDs. To determine whether a radio supports multiple basic SSIDs, enter the show controllers radio_interface command. Multiple basic SSIDs are supported if the results include this line:
Number of supported simultaneous BSSID on radio_interface: 8


Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Examples

This example shows how to enable multiple basic SSIDs on all interfaces that support multiple basic SSIDs:

ap(config)# dot11 mbssid
 
   

Related Commands

Command
Description

mbssid (SSID configuration mode)

Specifies that a BSSID is included in beacons and specifies a DTIM period for the BSSID

show dot11 bssid

Displays configured BSSIDs


dot11 meter

Use the dot11 meter privileged EXEC command to measure the performance of packet forwarding. To display the results, use the show dot11 statistics metered-traffic command.

dot11 interface-number meter

Syntax Description

interface-number

Specifies the radio interface number. The 2.4-GHz radio is radio 0. The 5-GHz radio is radio 1.


Defaults

This command has no defaults.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to activate the meter tool for radio interface 0:

AP# dot11 dot11radio 0 meter

Related Commands

Command
Description

show dot11 statistics metered-traffic

Displays packet forwarding performance


dot11 network-map

Use the dot11 network-map global configuration command to enable the radio network map feature. When enabled, the access point broadcasts an IAPP GenInfo Request every collection interval. This request solicits information from all Cisco access points in the same Layer 2 domain. Upon receiving a GenInfo Request, the access point sends a unicast IAPP GenInfo Response back to the requester. The access point uses these IAPP GenInfo Responses to build a network map.

dot11 network-map [collect-interval]

Syntax Description

collect-interval

Specifies the time interval between IAPP GenInfo Requests (1 to 60 seconds)


Defaults

The default collect interval is 5 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to generate a radio network map with a collection interval of 30 seconds:

ap(config)# dot11 network-map 30
 
   

You can verify the network map by using the show dot11 network-map EXEC command.

Related Commands

Command
Description

show dot11 network-map

Displays the radio network map


dot11 phone

Use the dot11 phone global configuration command to enable or disable IEEE 802.11 compliance phone support. Use the no form of this command to disable IEEE 802.11 phone support.

[no] dot11 phone dot11e


Note This command is not supported on bridges.


Syntax Description

dot11e

Specifies the use of the standard QBSS Load Information Element (IE).


Defaults

This command has no defaults.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.

12.3(7)JA

Parameter added for the standard (IEEE 802.11e draft 13) QBSS Load IE.


Usage Guidelines

Enabling IEEE 802.11 compliance phone support adds information to the access point beacons and probe responses. This information helps some 802.11 phones make intelligent choices about the access point to which they should associate. Some phones do not associate with an access point without this additional information.

The dot11e parameter enables the future upgrade of the 7920 Wireless Phone firmware to support the standard QBSS Load IE. The new 7920 Wireless Phone firmware will be announced at a later date.


Note This release continues to support your existing 7920 Wireless Phone firmware. Please do not attempt to use the standard (IEEE 802.11e draft 13) QBSS Load IE with the 7920 Wireless Phone until new phone firmware is available for you to upgrade your phones.


Examples

This example shows how to enable IEEE 802.11 phone support with the legacy QBSS Load element:

AP(config)# dot11 phone 
 
   

This example shows how to enable IEEE 802.11 phone support with the standard (IEEE 802.11e draft 13) QBSS Load element:

AP(config)# dot11 phone dot11e

This example shows how to stop or disable the IEEE 802.11 phone support:

AP(config)# no dot11 phone

dot11 priority-map avvid

Use the dot11 priority-map avvid global configuration command to enable or disable Cisco AVVID (Architecture for Voice, Video and Integrated Data) priority mapping. AVVID priority mapping maps Ethernet packets tagged as class of service 5 to class of service 6. This feature enables the access point to apply the correct priority to voice packets for compatibility with Cisco AVVID networks. Use the no form of this command to disable AVVID priority mapping.

[no] dot11 priority-map avvid


Note This command is not supported on bridges.


Syntax Description

This command has no arguments or keywords.

Defaults

AVVID priority mapping is enabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)JA

This command was introduced.


Examples

This example shows how to stop or disable AVVID priority mapping:

AP(config)# no dot11 priority-map avvid

This example shows how to enable AVVID priority mapping:

AP(config)# dot11 priority-map avvid
 
   

Related Commands

Command
Description

class-map

Creates a class map to be used for matching packets to the class whose name you specify

show class-map

Displays quality of service (QoS) class maps


dot11 qos class

Use the dot11 qos class interface configuration mode command to configure QOS class parameters for the radio interface. Use the no form of the command to disable the QOS parameters.

[no] dot11 qos class {background | best-effort | video | voice} { [both] [cell] [local] }


Note This command is not supported when operating in repeater mode.


Syntax Description

background

Specifies the QOS traffic is a background process.

best-effort

Specifies the QOS traffic is a best-effort process.

video

Specifies the QOS traffic is video data.

voice

Specifies the QOS traffic is voice data.

both

Specifies the QOS parameters for local and radio use.

cell

Specifies the QOS parameters apply to the radio cells.

local

Specifies the QOS parameters are for local use only.


Defaults

This command has no defaults.

Command Modes

Interface configuration mode

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to specify video traffic support on radio cells:

AP(config)# interface dot11radio 1
AP(config-if)# dot11 qos class video cell
AP(config-if-qosclass)#
 
   

This example shows how to disable video traffic support on radio cells:

AP(config-if)# no dot11 qos class video 
 
   

Related Commands

Command
Description

admit-traffic (QOS Class interface configuration mode)

Configures CAC admission control on the access point.

show dot11 cac

Displays admission control information on the access point.

traffic-stream

Configures CAC traffic data rates and priorities on the access point.

debug cac

Provides debug information for CAC admission control on the access point.


dot11 ssid

Use the dot11 ssid global configuration command to create a global SSID. The SSID is inactive until you use the ssid configuration interface command to assign the SSID to a specific radio interface.

dot11 ssid ssid

In Cisco IOS Release 12.3(4)JA, you can configure SSIDs globally or for a specific radio interface. However, when you create an SSID using the ssid configuration interface command, the access point stores the SSID in global configuration mode.

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no defaults.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)JA

This command was introduced.


Examples

This example shows how to:

Create an SSID in global configuration mode

Configure the SSID for RADIUS accounting

Set the maximum number of client devices that can associate using this SSID to 15

Assign the SSID to a VLAN

Assign the SSID to a radio interface

AP# configure terminal
AP(config)# dot11 ssid batman
AP(config-ssid)# accounting accounting-method-list
AP(config-ssid)# max-associations 15
AP(config-ssid)# vlan 3762
AP(config-ssid)# exit
AP(config)# interface dot11radio 0
AP(config-if)# ssid batman
 
   

Related Commands

Command
Description

show running-config ssid

Displays configuration details for SSIDs created in global configuration mode

ssid

Creates an SSID in configuration interface mode or assigns a globally configured SSID to a specific radio interface


dot11 update-group-key

Use the dot11 update-group-key privileged EXEC command to trigger an update of the WPA group key. When you enter the command, the access point distributes a new WPA group key to authenticated client devices.

dot11 interface-number update-group-key [vlan vlan-id]

Syntax Description

interface-number

Specifies the radio interface number (the 2.4-GHz radio is radio 0; the 5-GHz radio is radio 1)

vlan-id

Specifies the VLAN on which the access point sends out the group key update


Defaults

This command has no defaults.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to trigger a group key update on VLAN 2:

AP# dot11 d0 update-group-key vlan 2
 
   

Related Commands

Command
Description

authentication key-management

Configures the radio interface (for a specified SSID) to support authenticated key management


dot11 vlan-name

Use the dot11 vlan-name global configuration command to assign a name to a VLAN in addition to its numerical ID.

dot11 vlan-name name vlan vlan-id

Syntax Description

name

Specifies a name to assign to a VLAN ID. The name can contain up to 32 ASCII characters.

vlan-id

Specifies the VLAN ID to which the name is assigned.


Defaults

This command has no default setting.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)JA

This command was introduced.


Usage Guidelines

Keep these guidelines in mind when using VLAN names:

The mapping of a VLAN name to a VLAN ID is local to each access point, so across your network, you can assign the same VLAN name to a different VLAN ID.


Note If clients on your wireless LAN require seamless roaming, Cisco recommends that you assign the same VLAN name to the same VLAN ID across all access points, or that you use only VLAN IDs without names.


Every VLAN configured on your access point must have an ID, but VLAN names are optional.

VLAN names can contain up to 32 ASCII characters. However, a VLAN name cannot be a number between 1 and 4095. For example, vlan4095 is a valid VLAN name, but 4095 is not. The access point reserves the numbers 1 through 4095 for VLAN IDs.

Examples

This example shows how to assign a name to a VLAN:

AP(config)# dot11 vlan-name chicago vlan 121
 
   

You can view VLAN name and ID pairs by using the show dot11 vlan-name EXEC command.
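
The naming rules and the roaming note above can be checked across a fleet before configurations are pushed. The following is an added example, not Cisco code: it parses `dot11 vlan-name` lines from per-AP configuration text, flags names that break the stated rules, and reports names mapped to different VLAN IDs on different access points. The AP hostnames, sample configurations, and function names are constructed for this example.

```python
import re

VLAN_NAME_RE = re.compile(
    r"^[ \t]*dot11 vlan-name (\S+) vlan (\d+)[ \t]*$", re.MULTILINE)

# Constructed sample configurations keyed by hypothetical AP hostname.
SAMPLE_CONFIGS = {
    "ap-north": """
dot11 vlan-name chicago vlan 121
dot11 vlan-name guest vlan 30
""",
    "ap-south": """
dot11 vlan-name chicago vlan 122
dot11 vlan-name 4095 vlan 40
dot11 vlan-name vlan4095 vlan 41
""",
}


def name_problem(name):
    """Return why a VLAN name breaks the documented rules, or None if valid."""
    if not name.isascii():
        return "name contains non-ASCII characters"
    if len(name) > 32:
        return "name is longer than 32 characters"
    if name.isdigit() and 1 <= int(name) <= 4095:
        return "name is a number in the reserved range 1-4095"
    return None


def parse_vlan_names(config_text):
    """Return [(name, vlan_id), ...] for every dot11 vlan-name line."""
    return [(m.group(1), int(m.group(2)))
            for m in VLAN_NAME_RE.finditer(config_text)]


def audit_vlan_names(configs):
    """Return (findings, conflicts) for a {hostname: config_text} mapping.

    findings  -- [(hostname, name, problem)] for names that break the rules
    conflicts -- {name: {vlan_id: [hostnames]}} where one name maps to more
                 than one VLAN ID across access points (a roaming hazard)
    """
    findings = []
    seen = {}
    for host in sorted(configs):
        for name, vlan_id in parse_vlan_names(configs[host]):
            problem = name_problem(name)
            if problem:
                findings.append((host, name, problem))
            seen.setdefault(name, {}).setdefault(vlan_id, []).append(host)
    conflicts = {name: ids for name, ids in seen.items() if len(ids) > 1}
    return findings, conflicts


if __name__ == "__main__":
    findings, conflicts = audit_vlan_names(SAMPLE_CONFIGS)
    for host, name, problem in findings:
        print(f"{host}: '{name}': {problem}")
    for name, ids in conflicts.items():
        print(f"'{name}' maps to different VLAN IDs: {ids}")
```

A name-to-ID conflict is a segmentation risk as well as a roaming one: a client assigned a VLAN by name lands on whichever VLAN ID that access point maps the name to.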

Related Commands

Command
Description

show dot11 traffic-streams

Displays VLAN name and ID pairs.


dot11 wpa handshake timeout

Use the dot11 wpa handshake timeout configuration command to adjust the duration before timing out WPA key packet transmission. This timer value may need to be increased with WPA clients in PSP mode.

dot11 wpa handshake timeout time

Syntax Description

time

Specifies the new timeout time. Valid range is from 100ms to 2000ms.


Defaults

The default timeout is 100ms.

Command Modes

Global configuration

Usage Guidelines

The WPA handshake timeout timer starts when the access point's state machine submits the key packet for transmission. If the client is in power save mode (PSP) at this time, the timer may expire before the client can come out of PSP mode and the packet can actually be transmitted. For PSP clients, a timeout value of 1000ms may work more reliably.

dot1x credentials

Use the dot1x credentials global configuration command to configure a dot1x credentials profile. The no form of the command disables the profile.

[no] dot1x credentials profile-name


Note This command is not supported on c1200 and c1100 platforms.


Syntax Description

profile-name

Specifies the name of the dot1x credentials profile.


Defaults

This command has no default setting.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Usage Guidelines

Use the dot1x credentials command to configure a dot1x credentials profile. Issuing dot1x credentials profile-name puts you in dot1x credentials configuration mode where you can specify profile parameters using these subcommands:

Command
Description

anonymous-id <name>

Specifies an anonymous user identification name.

description <line>

Provides a description for the dot1x credentials profile.

exit

Exits dot1x credentials configuration mode.

no

Negates a command or sets its defaults.

password [0] [7] <password>

Specifies the authentication password.

0—Specifies an unencrypted password follows.

7—Specifies a hidden password follows.

password—The password.

pki-trustpoint <name>

Specifies the default pki trustpoint name.

username <name>

Specifies the authentication username.


Examples

This example shows how to configure a dot1x credentials profile and specify the profile description, authentication password, and username:

AP(config)# dot1x credentials test
AP(config-dot1x-creden)# description This is a test credential profile
AP(config-dot1x-creden)# password 7 R127A61290H23
AP(config-dot1x-creden)# username John110
AP(config-dot1x-creden)# exit
 
   

dot1x eap profile (configuration interface mode)

Use the dot1x eap profile interface configuration mode command to enable a preconfigured EAP profile for the fast Ethernet interface. Use the no form of this command to disable the EAP profile.

[no] dot1x eap profile profile-name

Syntax Description

profile-name

Specifies the name of the EAP profile.


Defaults

This command has no default setting.

Command Modes

Configuration interface

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Usage Guidelines

You must first configure an EAP profile before you can enable the profile on the fast Ethernet interface. To configure an EAP profile, use the eap profile configuration command. To enable a preconfigured EAP profile on the fast Ethernet interface, use the dot1x eap profile configuration interface command.

Examples

This example shows how to enable the preconfigured EAP test profile on the fast Ethernet interface:

AP(config)# interface fastethernet 0
AP(config-if)# dot1x eap profile test
 
   

This example shows how to disable the EAP test profile on the fast Ethernet interface:

AP(config)# interface fastethernet 0
AP(config-if)# no dot1x eap profile test

Related Commands

Command
Description

eap profile

Configures an EAP profile.

method (eap profile configuration mode)

Specifies the method types for an EAP profile.

show eap registrations

Displays EAP registrations for the access point.

show eap sessions

Displays EAP statistics for the access point.


dot1x eap profile (SSID configuration mode)

Use the dot1x eap profile SSID configuration mode command to enable a preconfigured EAP profile for the SSID. Use the no form of this command to disable the EAP profile.

[no] dot1x eap profile profile-name

Syntax Description

profile-name

Specifies the name of the EAP profile.


Defaults

This command has no default setting.

Command Modes

Configuration interface

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Usage Guidelines

You must configure an EAP profile before you can enable the profile for the SSID interface. To configure an EAP profile, use the eap profile configuration command. To enable a preconfigured EAP profile for the SSID interface, use the dot1x eap profile configuration interface command.

Examples

This example shows how to enable the preconfigured EAP profile test on the SSID configuration interface:

AP(config)# dot11 ssid EAP_test
AP(config-ssid)# dot1x eap profile test
 
   

This example shows how to disable the EAP test profile on the SSID interface:

AP(config)# dot11 ssid EAP_test
AP(config-ssid)# no dot1x eap profile test

Related Commands

Command
Description

eap profile

Configures an EAP profile.

method (eap profile configuration mode)

Specifies the method types for an EAP profile.

show eap registrations

Displays EAP registrations for the access point.

show eap sessions

Displays EAP statistics for the access point.


dot1x timeout supp-response

Use the dot1x timeout supp-response global configuration command to configure the time that an access point waits for the wireless client to reply to an EAP dot1x message. The no form of the command disables the timeout.

[no] dot1x timeout supp-response time [local]

Syntax Description

time

Specifies the timeout value (1 to 120 seconds).

local

Specifies that the access point must use the local configured timeout value and ignore the override timeout value from the RADIUS server.


Defaults

The default is 30 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to configure an access point to control the EAP dot1x wireless client response timeout and configure a value of 100 seconds:

AP(config)# dot1x timeout supp-response 100 local
 
   

Related Commands

Command
Description

none

 

dot1x reauth-period

Use the dot1x reauth-period configuration interface command to configure the dot1x client-reauthentication period. The no form of the command disables reauthentication.

[no] dot1x reauth-period {1-65555 | server}

Syntax Description

1-65555

Specifies a number of seconds (1 to 65555)

server

Specifies the reauthentication period configured on the authentication server. If you use this option, configure your authentication server with RADIUS attribute 27, Session-Timeout. This attribute sets the maximum number of seconds of service to be provided to a client device before termination of the session. The server sends this attribute to the access point when a client performs EAP authentication.


Defaults

The default is disabled.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to configure a 2-minute dot1x client-reauthentication period:

AP(config-if)# dot1x reauth-period 120

Related Commands

Command
Description

show interfaces dot11radio aaa

Displays radio AAA timeout values


duplex

To configure the duplex operation on a wireless device's Ethernet port, use the duplex interface configuration command. Use the no form of this command to return the system to auto-duplex mode.

[no] duplex {auto | full | half}


Note Cisco recommends that you use auto, the default setting, for both duplex and speed settings on the Ethernet port.


Syntax Description

auto

Specifies auto-duplex operation. Cisco recommends that you use this setting.

full

Specifies full-duplex operation.

half

Specifies half-duplex operation.


Defaults

The default duplex setting is auto.

Command Modes

Interface configuration mode

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

Cisco recommends that you use auto, the default setting, for both the speed and duplex settings on the Ethernet port.

When the access point or bridge receives inline power from a switch, any change in the speed or duplex settings that resets the Ethernet link reboots the unit. If the switch port to which the wireless device is connected is not set to auto, you can change the wireless device port to half or full to correct a duplex mismatch and the Ethernet link is not reset. However, if you change from half or full back to auto, the link is reset and, if the wireless device receives inline power from a switch, the wireless device reboots.


Note The speed and duplex settings on the wireless device Ethernet port must match the Ethernet settings on the port to which the wireless device is connected. If you change the settings on the port to which the wireless device is connected, change the settings on the wireless device Ethernet port to match.


Examples

This example shows how to configure the Ethernet port for auto duplex:

AP(config-if)# duplex auto
 
   

Related Commands

Command
Description

speed (Ethernet interface)

Configures the speed setting on the Ethernet port


eap profile

Use the eap profile global configuration command to configure an EAP profile. Use the no form of this command to disable the EAP profile.

[no] eap profile profile-name


Note This command is not supported on c1200 and c1100 platforms.


Syntax Description

profile-name

Specifies the name of the EAP profile.


Defaults

This command has no default setting.

Command Modes

Configuration interface

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Usage Guidelines

Use the eap profile command to configure an eap profile. Issuing the eap profile command puts you in dot1x eap profile mode.

You can specify eap profile parameters using these subcommands:

description—Specifies a text description for the EAP profile.

method—Specifies EAP method types for the EAP profile.

Examples

This example shows how to create and provide a description for the EAP profile test:

AP(config)#eap profile test
AP(config-eap-profile)#description This is a test EAP profile
 
   

This example shows how to disable the EAP test profile:

AP(config)# no eap profile test

Related Commands

Command
Description

method (eap profile configuration mode)

Configures EAP types for the EAP profile.

show eap registrations

Displays EAP registrations for the access point.

show eap sessions

Displays EAP statistics for the access point.

dot1x eap profile

Configures a dot1x EAP profile for an interface.


eapfast authority

Use the eapfast authority command to configure an EAP-FAST authority ID (AID) for a local authenticator access point. The EAP-FAST AID identifies the server that authenticates the EAP-FAST client. The local authenticator sends its AID to an authenticating client, and the client checks its database for a matching AID. If the client does not recognize the AID, it requests a new Protected Access Credential (PAC).

[no] eapfast authority {id identifier | info string}

Syntax Description

id identifier

Specifies an authority identifier for the local authenticator access point. Enter up to 32 hexadecimal digits for the AID.

info string

Specifies an AID information string. The information string is not used during EAP-FAST authentication, but it provides additional information about the local authenticator. Enter up to 32 ASCII characters.


Defaults

The default AID is LOCAL RADIUS SER.

Command Modes

Configuration mode for local authenticators

Command History

Release
Modification

12.3(2)JA

This command was introduced.


Examples

This example shows how to configure an AID for the local authenticator access point:

AP(config-radsrv)#eapfast authority id ap1200
 
   

This example shows how to configure an information string for the AID:

AP(config-radsrv)#eapfast authority info AP1200 A+G North
 
   

Related Commands

Command
Description

radius local-server pac-generate

Generates a PAC file for an EAP-FAST client


eapfast pac expiry

Use the eapfast pac expiry global configuration command to set the Protected Access Credential (PAC) expiration time and grace period for a group of EAP-FAST clients associated to a local authenticator access point.

[no] eapfast pac expiry days [grace days]

Syntax Description

days

Specifies the number of days that the PAC is valid for a group of EAP-FAST clients. Enter a number of days from 1 to 4095.

grace days

Specifies the grace period after the PAC expires. The PAC remains valid until the end of the grace period. Enter a number of days from 1 to 4095.


Defaults

The default is infinite days for both the expiration time and the grace period.

Command Modes

Client group configuration mode for local authenticators

Command History

Release
Modification

12.3(2)JA

This command was introduced.


Examples

In this example, PACs for the user group clerks expire in 10 days with a grace period of two days:

AP(config)#radius-server local
AP(config-radsrv)#group clerks
AP(config-radsrv-group)#eapfast pac expiry 10 grace 2
 
   

Related Commands

Command
Description

radius local-server pac-generate

Generates a PAC file for an EAP-FAST client


eapfast server-key

Use the eapfast server-key command to configure EAP-FAST server keys. The local authenticator uses server keys to encrypt Protected Access Credential (PAC) files that it generates and to decrypt PACs when it is authenticating clients. The server maintains two keys, a primary key and a secondary key, and uses the primary key to encrypt PACs. Periodically, the local authenticator switches keys, making the primary key the secondary and using the secondary key as the primary. If you do not configure server keys, the local authenticator generates keys automatically.

When the local authenticator receives a client PAC, it attempts to decrypt the PAC with the primary key. If decryption fails with the primary key, the authenticator attempts to decrypt the PAC with the secondary key. If decryption fails with the secondary key, the authenticator rejects the PAC as invalid.

[no] eapfast server-key {primary {auto-generate | [0 | 7] key} | secondary [0 | 7] key}

Syntax Description

primary {auto-generate | [0 | 7] key}

Specifies a primary EAP-FAST server key. Use the auto-generate option to configure the local authenticator to generate a primary server key automatically. To configure a specific key, enter the key preceded by 0 or 7. Keys can contain up to 32 hexadecimal digits. Enter 0 before the key to enter an unencrypted key. Enter 7 before the key to enter an encrypted key.

secondary [0 | 7] key

Specifies a secondary EAP-FAST server key. Enter the key preceded by 0 or 7. Keys can contain up to 32 hexadecimal digits. Enter 0 before the key to enter an unencrypted key. Enter 7 before the key to enter an encrypted key.


Defaults

By default, the local authenticator generates server keys automatically.

Command Modes

Configuration mode for local authenticators

Command History

Release
Modification

12.3(2)JA

This command was introduced.


Examples

This example shows how to configure a primary server key for the local authenticator access point:

AP(config-radsrv)#eapfast server-key primary 0 2468
 
   

This example shows how to configure a secondary server key:

AP(config-radsrv)#eapfast server-key secondary 0 9753

Related Commands

Command
Description

radius local-server pac-generate

Generates a PAC file for an EAP-FAST client


encryption key

Use the encryption key configuration interface command to define a WEP key used for data encryption on the wireless LAN or on a specific virtual LAN (VLAN). Use the no form of the command to remove a specific encryption key.


Note You need to configure static WEP keys only if your access point supports client devices that use static WEP. If all the client devices that associate to the access point use key management (WPA, CCKM, or 802.1x authentication) you do not need to configure static WEP keys.



Note Encryption VLAN is not supported on bridges.


[no] encryption [vlan vlan-id] key 1-4 size {40bit | 128bit} encryption-key [transmit-key]

Syntax Description

vlan vlan-id

Specifies the VLAN number (1 to 4095)

key 1-4

Specifies the number of the key (1 to 4) that is being configured. (A total of four encryption keys can be configured for each VLAN.)

Note If you configure static WEP with MIC or CMIC, the access point and associated client devices must use the same WEP key as the transmit key, and the key must be in the same key slot on the access point and the clients. See Table 2-9 for a list of WEP key restrictions based on your security configuration.

size 40bit

Specifies a 40-bit encryption key

size 128bit

Specifies a 128-bit encryption key

encryption-key

Specifies the value of the encryption key:

A 40-bit encryption key requires 10 (hexadecimal) digits.

A 128-bit encryption key requires 26 (hexadecimal) digits.

transmit-key

Specifies the key for encrypting transmit data from the access point. Key slot 1 is the default key slot.


Defaults

This command has no defaults.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

Using security features such as authenticated key management can limit WEP key configurations. Table 2-9 lists WEP key restrictions based on your security configuration.

Table 2-9 WEP Key Restrictions

| Security Configuration | WEP Key Restriction |
|---|---|
| CCKM or WPA authenticated key management | Cannot configure a WEP key in key slot 1 |
| LEAP or EAP authentication | Cannot configure a WEP key in key slot 4 |
| Cipher suite with 40-bit WEP | Cannot configure a 128-bit key |
| Cipher suite with 128-bit WEP | Cannot configure a 40-bit key |
| Cipher suite with TKIP | Cannot configure any WEP keys |
| Cipher suite with TKIP and 40-bit WEP or 128-bit WEP | Cannot configure a WEP key in key slot 1 and 4 |
| Static WEP with MIC or CMIC | Access point and client devices must use the same WEP key as the transmit key, and the key must be in the same key slot on both access point and clients |
| Broadcast key rotation | Keys in slots 2 and 3 are overwritten by rotating broadcast keys |


Examples

This example shows how to configure a 40-bit encryption key with a value of 11aa33bb55 as WEP key 1 used on VLAN number 1:

AP(config-if)# encryption vlan 1 key 1 size 40bit 11aa33bb55 transmit-key
 
   

This example shows how to remove WEP key 1 on VLAN 1:

AP(config-if)# no encryption vlan 1 key 1

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration


encryption mode ciphers

Use the encryption mode ciphers configuration interface command to enable a cipher suite. Cipher suites are sets of encryption algorithms that, like WEP, protect radio communication on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM).

Because cipher suites provide the protection of WEP while also allowing use of authenticated key management, Cisco recommends that you enable WEP by using the encryption mode ciphers command in the CLI or by using the cipher drop-down menu in the web-browser interface. Cipher suites that contain TKIP provide the best security for your wireless LAN, and cipher suites that contain only WEP are the least secure.


Note You can also use the encryption mode wep command to set up static WEP. However, you should use encryption mode wep only if none of the clients that associate to the access point are capable of key management.



Note Encryption VLAN is not supported on bridges.


encryption [vlan vlan] mode ciphers {[aes-ccm | ckip | cmic | ckip-cmic | tkip]} {[wep128 | wep40]}

Syntax Description

vlan vlan

(Optional) Specifies the VLAN number

aes-ccm

Specifies that AES-CCMP is included in the cipher suite.

ckip (see footnote 1)

Specifies that ckip is included in the cipher suite.

cmic (see footnote 2)

Specifies that cmic is included in the cipher suite.

ckip-cmic (see footnote 3)

Specifies that both ckip and cmic are included in the cipher suite.

tkip

Specifies that TKIP is included in the cipher suite.

Note If you enable a cipher suite with two elements (such as TKIP and 128-bit WEP), the second cipher becomes the group cipher.

wep128

Specifies that 128-bit WEP is included in the cipher suite.

wep40

Specifies that 40-bit WEP is included in the cipher suite.

1 You must enable Aironet extensions to use this option in the cipher suite.

2 You must enable Aironet extensions to use this option in the cipher suite.

3 You must enable Aironet extensions to use this option in the cipher suite.


Defaults

This command has no defaults.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.

12.2(15)JA

This command was modified to include support for AES-CCMP.


Usage Guidelines

If you configure your access point to use WPA or CCKM authenticated key management, you must select a cipher suite compatible with the authenticated key management type. Table 2-10 lists the cipher suites that are compatible with WPA and CCKM.

Table 2-10 Cipher Suites Compatible with WPA and CCKM

| Authenticated Key Management Types | Compatible Cipher Suites |
|---|---|
| CCKM | encryption mode ciphers wep128 |
| | encryption mode ciphers wep40 |
| | encryption mode ciphers ckip |
| | encryption mode ciphers cmic |
| | encryption mode ciphers ckip-cmic |
| | encryption mode ciphers tkip |
| | encryption mode ciphers tkip wep128 |
| | encryption mode ciphers tkip wep40 |
| WPA | encryption mode ciphers tkip |
| | encryption mode ciphers tkip wep128 |
| | encryption mode ciphers tkip wep40 |



Note You must enable Aironet extensions to include CKIP, CMIC, or CKIP-CMIC in a cipher suite. Use the dot11 extension aironet command to enable Aironet extensions.


Refer to the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points for a complete description of WPA and CCKM and instructions for configuring authenticated key management.

Examples

This example sets up a cipher suite for VLAN 22 that enables CKIP, CMIC, and 128-bit WEP.

ap(config-if)# encryption vlan 22 mode ciphers ckip-cmic wep128
 
   

Related Commands

Command
Description

encryption mode wep

Configures the access point for WEP encryption

authentication open (SSID configuration mode)

Configures the client authentication type for an SSID, including WPA and CCKM authenticated key management
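
The following is an added example, not part of Cisco's reference: a Python check that reads encryption lines in the syntax documented for encryption key, encryption mode ciphers and encryption mode wep, and reports violations of the Table 2-9 key restrictions, suites missing from Table 2-10, and the WEP-only or optional-encryption settings this reference ranks as weakest. The sample configuration, the finding codes and the key_mgmt parameter are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: radio-interface lines written in the syntax
# documented in this reference (not taken from a real device).
SAMPLE_CONFIG = """\
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
 encryption vlan 1 key 2 size 128bit 0123456789abcdef0123456789 transmit-key
 encryption vlan 22 mode ciphers tkip wep128
 encryption vlan 22 key 1 size 40bit 11aa33bb55
 encryption vlan 30 mode ciphers wep40
 encryption vlan 30 key 2 size 40bit 11aa33bb5
 encryption vlan 40 mode wep optional
"""

KEY_RE = re.compile(
    r"^encryption(?: vlan (\d+))? key (\d+) size (40bit|128bit) (\S+)", re.I)
CIPHER_RE = re.compile(r"^encryption(?: vlan (\d+))? mode ciphers (.+)$", re.I)
WEP_RE = re.compile(
    r"^encryption(?: vlan (\d+))? mode wep (mandatory|optional)", re.I)

HEX_DIGITS = {"40bit": 10, "128bit": 26}   # required key length per key size
WEP_CIPHERS = {"wep40", "wep128"}

# Table 2-10 exactly as printed in this reference.
TABLE_2_10 = {
    "wpa": {("tkip",), ("tkip", "wep128"), ("tkip", "wep40")},
    "cckm": {("wep128",), ("wep40",), ("ckip",), ("cmic",), ("ckip-cmic",),
             ("tkip",), ("tkip", "wep128"), ("tkip", "wep40")},
}


def parse(config):
    """Group encryption settings by VLAN ("none" when no vlan keyword is used)."""
    vlans = defaultdict(lambda: {"suite": None, "wep_mode": None, "keys": []})
    for raw in config.splitlines():
        line = " ".join(raw.split())      # normalise indentation and spacing
        if m := KEY_RE.match(line):
            vlans[m[1] or "none"]["keys"].append((int(m[2]), m[3].lower(), m[4]))
        elif m := CIPHER_RE.match(line):
            vlans[m[1] or "none"]["suite"] = tuple(m[2].lower().split())
        elif m := WEP_RE.match(line):
            vlans[m[1] or "none"]["wep_mode"] = m[2].lower()
    return vlans


def audit(config, key_mgmt=None):
    """Return a sorted list of (vlan, finding_code) tuples.

    key_mgmt maps a VLAN string to "wpa" or "cckm". It is supplied by the
    caller (an assumption of this example) because the SSID-level
    key-management setting is outside the lines parsed here.
    """
    key_mgmt = key_mgmt or {}
    findings = set()
    for vlan, cfg in parse(config).items():
        suite = cfg["suite"] or ()
        km = key_mgmt.get(vlan)
        has_tkip = "tkip" in suite
        has_wep = bool(WEP_CIPHERS & set(suite))
        for slot, size, value in cfg["keys"]:
            if not 1 <= slot <= 4:
                findings.add((vlan, "KEY_SLOT_RANGE"))
            if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_DIGITS[size], value):
                findings.add((vlan, "KEY_LENGTH"))
            # Table 2-9 restrictions
            if km and slot == 1:
                findings.add((vlan, "KEYMGMT_SLOT_1"))
            if has_tkip and not has_wep:
                findings.add((vlan, "TKIP_FORBIDS_WEP_KEYS"))
            if has_tkip and has_wep and slot in (1, 4):
                findings.add((vlan, "TKIP_WEP_SLOT_1_OR_4"))
            if ("wep40" in suite and size == "128bit") or \
               ("wep128" in suite and size == "40bit"):
                findings.add((vlan, "KEY_SIZE_MISMATCH"))
        # Table 2-10: suite must be listed for the key-management type in use
        if km and cfg["suite"] is not None and suite not in TABLE_2_10.get(km, set()):
            findings.add((vlan, "SUITE_NOT_IN_TABLE_2_10"))
        # Settings the reference itself ranks as weakest
        if suite and set(suite) <= WEP_CIPHERS:
            findings.add((vlan, "WEP_ONLY_SUITE"))
        if cfg["wep_mode"] == "optional":
            findings.add((vlan, "UNENCRYPTED_CLIENTS_ALLOWED"))
    return sorted(findings)


if __name__ == "__main__":
    for vlan, code in audit(SAMPLE_CONFIG, {"1": "wpa", "30": "wpa"}):
        print(f"vlan {vlan}: {code}")
```
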


encryption mode wep

Use the encryption mode wep configuration interface command to enable a specific encryption type that is used to communicate on the wireless LAN or on a specific VLAN. When encryption is enabled, all client devices on the wireless LAN or on a VLAN must support the specified encryption methods to communicate with the access point. Use the no form of the command to disable the encryption features on a specific VLAN.


Note Because cipher suites provide the protection of WEP while also allowing use of authenticated key management, Cisco recommends that you enable WEP by using the encryption mode ciphers command. Cipher suites that contain TKIP provide the best security for your wireless LAN, and cipher suites that contain only WEP are the least secure.


[no] encryption [vlan vlan-id] mode wep {mandatory | optional} {key-hash | mic [key-hash]}

Syntax Description

vlan vlan-id

(Optional) Specifies the VLAN number

mandatory

Specifies that encryption is mandatory for the client to communicate with the access point

optional

Specifies that client devices can communicate with the access point with or without using encryption

key-hash

(Optional) Specifies that encryption key hashing is required for client devices to communicate with the access point

mic

(Optional) Specifies that encryption with message integrity check (MIC) is required for client devices to communicate with the access point


Defaults

This command has no defaults.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to specify that encryption key hashing must be used on VLAN number 1:

AP(config-if)# encryption vlan 1 mode wep mandatory key-hash
 
   

This example shows how to disable mandatory encryption on VLAN 1:

AP(config-if)# no encryption vlan 1 mode wep mandatory

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration


exception crashinfo buffersize

To change the size of the buffer used for crashinfo files, use the exception crashinfo buffersize command in global configuration mode. To revert to the default buffersize, use the no form of this command.

exception crashinfo buffersize kilobytes

no exception crashinfo buffersize kilobytes

Syntax Description

kilobytes

Sets the size of the crashinfo buffer to the specified value within the range of 32 to 100 kilobytes. The default is 32 KB.


Defaults

Crashinfo buffer is 32 KB.

Command Modes

Global config

Command History

Release
Modification

12.2(15)JA

This command was introduced.


Usage Guidelines

The crashinfo file saves information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The access point writes the crash information to the console at the time of the failure, and the file is created the next time you boot the Cisco IOS image after the failure (instead of while the system is failing).

Examples

This example sets the crashinfo buffer to 100 KB:

ap(config)# exception crashinfo buffersize 100
 
   

Related Commands

Command
Description

exception crashinfo file

Enables the creation of a diagnostic file at the time of unexpected system shutdowns.


exception crashinfo file

To enable the creation of a diagnostic file at the time of unexpected system shutdowns, use the exception crashinfo file command in global configuration mode. To disable the creation of crashinfo files, use the no form of this command.

exception crashinfo file device:filename

no exception crashinfo file device:filename

Syntax Description

device:filename

Specifies the flash device and file name to be used for storing the diagnostic information. The colon is required.


Defaults

Creation of crashinfo files is disabled by default.

Command Modes

Global config

Command History

Release
Modification

12.2(15)JA

This command was introduced.


Usage Guidelines

The crashinfo file saves information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The access point writes the crash information to the console at the time of the failure, and the file is created the next time you boot the Cisco IOS image after the failure (instead of while the system is failing). The filename will be filename_yyyymmdd-hhmmss, where y is year, m is month, d is date, h is hour, and s is seconds.

Examples

In this example, the access point creates a crashinfo file called crashdata in the default flash memory device if a system crash occurs:

ap(config)# exception crashinfo file flash:crashdata
 
   

Related Commands

Command
Description

exception crashinfo buffersize

Changes the size of the crashinfo buffer.


fixed-slot (QOS Class interface configuration mode)

Use the fixed-slot QOS Class interface configuration mode command to configure the CAC 802.11 fixed backoff slot time for a radio interface. Use the no form of the command to remove the setting.

fixed-slot 0-16

no fixed-slot


Note This command is not supported when operating in repeater mode.


Syntax Description

0-16

Specifies the fixed backoff slot time (0 to 16 msec).


Defaults

When QoS is enabled, the default fixed-slot settings for access points match the values in Table 2-11, and the default fixed-slot settings for bridges match the values in Table 2-12.

Table 2-11 Default QoS Fixed Slot Definitions for Access Points

| Class of Service | Fixed Slot Time |
|---|---|
| Background | 7 |
| Best Effort | 3 |
| Video <100ms Latency | 2 |
| Voice <100ms Latency | 2 |


Table 2-12 Default QoS Fixed Slot Definitions for Bridges

| Class of Service | Fixed Slot Time |
|---|---|
| Background | 7 |
| Best Effort | 3 |
| Video <100ms Latency | 2 |
| Voice <100ms Latency | 2 |


Command Modes

QOS Class interface configuration mode

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to configure the CAC 802.11 fixed backoff slot time for the radio interface:

AP(config)# interface dot11radio 0
AP(config-if)# dot11 qos class voice
AP(config-if-qosclass)# fixed-slot 6
 
   

This example shows how to remove the CAC 802.11 fixed backoff slot time for the radio interface:

AP(config-if-qosclass)# no fixed-slot
 
   

Related Commands

Command
Description

admission-control (QOS Class interface configuration mode)

Specifies that CAC admission control is required for the radio interface.

admit-traffic (QOS Class interface configuration mode)

Specifies that CAC traffic is enabled for the radio interface.

cw-max (QOS Class interface configuration mode)

Specifies the CAC maximum contention window size for the radio interface.

transmit-op (QOS Class interface configuration mode)

Specifies the CAC transmit opportunity time for the radio interface.


fragment-threshold

Use the fragment-threshold configuration interface command to set the size at which packets are fragmented. Use the no form of the command to reset the parameter to defaults.

[no] fragment-threshold 256-2346

Syntax Description

256-2346

Specifies the packet fragment threshold size (256 to 2346 bytes)


Defaults

The default threshold is 2346 bytes

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to set the packet fragment threshold size to 1800 bytes:

AP(config-if)# fragment-threshold 1800
 
   

This example shows how to reset the packet fragment threshold size to defaults:

AP(config-if)# no fragment-threshold

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration


group (local server configuration mode)

Use the group local server configuration mode command to enter user group configuration mode and configure a user group to which you can assign shared settings. In user group configuration mode you can specify settings for the user group such as VLAN and SSID.

group group


Note This command is not supported on bridges.


Syntax Description

group

Specifies the name of the user group


Defaults

This command has no defaults.

Command Modes

Local server configuration mode

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to create a user group on the local authenticator:

AP(config-radsrv)# group hoosiers
 
   

Related Commands

Command
Description

nas (local server configuration mode)

Adds an access point to the list of NAS access points on the local authenticator

radius-server local

Enables the access point as a local authenticator and enters local server configuration mode

show running-config

Displays the current access point operating configuration

user (local server configuration mode)

Adds a user to the list of users allowed to authenticate to the local authenticator


guest-mode (SSID configuration mode)

Use the guest-mode SSID configuration mode command to configure the radio interface (for the specified SSID) to support guest mode. Use the no form of the command to disable the guest mode.

[no] guest-mode

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no defaults.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

The access point can have one guest-mode SSID or none at all. The guest-mode SSID is used in beacon frames and response frames to probe requests that specify the empty or wildcard SSID. If no guest-mode SSID exists, the beacon contains no SSID and probe requests with the wildcard SSID are ignored. Disabling the guest mode makes the network slightly more secure. Enabling the guest mode helps clients that passively scan (do not transmit) associate with the access point. It also allows clients configured without an SSID to associate.

Examples

This example shows how to set the wireless LAN for the specified SSID into guest mode:

AP(config-if-ssid)# guest-mode
 
   

This example shows how to reset the guest-mode parameter to default values:

AP(config-if-ssid)# no guest-mode

Related Commands

Command
Description

ssid

Specifies the SSID and enters the SSID configuration mode

show running-config

Displays the current access point operating configuration


iapp standby mac-address

Use the iapp standby mac-address global configuration command to configure an access point to be in standby mode and specify the monitored access point's MAC address. Use the no form of this command to disable the access point standby mode.

[no] iapp standby mac-address mac-address


Note This command is not supported on bridges.


Syntax Description

mac-address

Specifies the MAC address (in xxxx.xxxx.xxxx format) of the active access point


Defaults

This command has no default setting.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to place the access point in standby mode and indicate the MAC address of the active access point:

AP(config)# iapp standby mac-address 0040.9631.81cf
 
   

This example shows how to stop or disable the standby mode:

AP(config)# no iapp standby mac-address 0040.9631.81cf

Related Commands

You can verify your settings by entering the show class-map privileged EXEC command.

Command
Description

iapp standby poll-frequency

Configures the polling interval in standby mode

iapp standby primary-shutdown

Shuts down the radio interface on the monitored access point when the standby access point takes over

iapp standby timeout

Configures the polling timeout value in standby mode


iapp standby poll-frequency

Use the iapp standby poll-frequency global configuration command to configure the standby mode polling interval. Use the no form of this command to clear the access point standby mode poll frequency.

[no] iapp standby poll-frequency sec [mac-address]


Note This command is not supported on bridges.


Syntax Description

sec

Specifies the standby mode poll frequency in seconds

mac-address

Specifies the MAC address of an access point


Defaults

When you enable hot standby, the default poll frequency is 2 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to specify the standby mode poll frequency of 5 minutes:

AP(config)# iapp standby poll-frequency 300
 
   

This example shows how to stop or disable the standby mode:

AP(config)# no iapp standby mac-address 0040.9631.81cf

Related Commands

You can verify your settings by entering the show class-map privileged EXEC command.

Command
Description

iapp standby mac-address

Places the access point into standby mode and identifies the MAC address of the active access point

iapp standby primary-shutdown

Shuts down the radio interface on the monitored access point when the standby access point takes over

iapp standby timeout

Specifies the access point standby mode polling timeout value


iapp standby primary-shutdown

Use the iapp standby primary-shutdown global configuration command to disable the radio interfaces on the monitored access point when the standby access point becomes active. The standby access point sends a Dumb Device Protocol (DDP) message to disable the radios of the monitored access point when it detects a failure (for example, if the standby unit cannot associate to the monitored access point, or if the standby unit detects a link test failure on any of the monitored interfaces).

[no] iapp standby primary-shutdown


Note This command is not supported on bridges.



Note When the monitored access point receives the message to disable its radios, it puts the radio interfaces into the admin down state. You must re-enable the radios to bring the radio interfaces back up.


Syntax Description

This command has no arguments or keywords.

Defaults

This feature is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)JA

This command was introduced.


Examples

This example shows how to enable the primary shutdown feature on a standby access point:

AP(config)# iapp standby primary-shutdown
 
   

Related Commands

You can verify your settings by entering the show class-map privileged EXEC command.

Command
Description

iapp standby mac-address

Places the access point into standby mode and identifies the MAC address of the active access point

iapp standby poll-frequency

Specifies the polling interval in standby mode

iapp standby timeout

Specifies the access point standby mode polling timeout value


iapp standby timeout

Use the iapp standby timeout global configuration command to configure the standby mode polling timeout value. Use the no form of this command to clear the standby mode polling timeout value.

[no] iapp standby timeout sec

Syntax Description

sec

Specifies the standby mode polling timeout in seconds


Defaults

When you enable hot standby, the default standby timeout is 20 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to specify the standby mode polling timeout of 1 minute:

AP(config)# iapp standby timeout 60
 
   

This example shows how to clear the standby mode timeout value:

AP(config)# no iapp standby timeout

Related Commands

You can verify your settings by entering the show class-map privileged EXEC command.

Command
Description

iapp standby mac-address

Places the access point into standby mode and identifies the MAC address of the active access point

iapp standby poll-frequency

Specifies the standby mode polling interval

iapp standby primary-shutdown

Shuts down the radio interface on the monitored access point when the standby access point takes over


information-element ssidl (SSID configuration mode)

Use the information-element ssidl SSID configuration command to designate an SSID for inclusion in an SSIDL information element (IE) that the access point includes in beacons. When you designate an SSID to be included in an SSIDL IE, client devices detect that the SSID is available, and they also detect the security settings required to associate using that SSID.

[no] information-element ssidl {[advertisement] [wps]}


Note When multiple basic SSIDs are enabled on the access point, the SSIDL IE does not contain a list of SSIDs; it contains only extended capabilities.


Syntax Description

advertisement

Includes the SSID name and capabilities in the access point SSIDL IE.

wps

Sets the WPS capability flag in the SSIDL IE.


Defaults

By default, the access point does not include SSIDL IEs in beacons.

Command Modes

SSID configuration mode

Command History

Release
Modification

12.3(2)JA

This command was introduced.


Examples

This example shows how to designate an SSID for inclusion in the WPS IE:

AP(config-if-ssid)# information-element ssidl advertisement wps

Related Commands

Command
Description

ssid

Assigns an SSID to a specific interface.


infrastructure-client

Use the infrastructure-client configuration interface command to configure a virtual interface for a workgroup bridge client. Use the no form of the command to disable the workgroup bridge client virtual interface.

[no] infrastructure-client


Note Enter this command on an access point or bridge. This command is not supported on devices configured as workgroup bridges.


Syntax Description

This command has no arguments or keywords.

Defaults

The default is infrastructure client disabled.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

Enable the infrastructure client feature to increase the reliability of multicast messages to workgroup bridges. When enabled, the access point sends directed packets containing the multicasts, which are retried if necessary, to the associated workgroup bridge. Enable only when necessary because it can greatly increase the load on the radio cell.

Examples

This example shows how to configure a virtual interface for a workgroup bridge client.

AP(config-if)# infrastructure-client
 
   

This example shows how to disable the workgroup bridge client virtual interface:

AP(config-if)# no infrastructure-client

Related Commands

Command
Description

show running-config

Displays information on the current running access point configuration


infrastructure-ssid (SSID configuration mode)

Use the infrastructure-ssid command in SSID configuration mode to reserve this SSID for infrastructure associations, such as those from one access point or bridge to another. Use the no form of the command to revert to a normal non-infrastructure SSID.

[no] infrastructure-ssid [optional]

Syntax Description

optional

Specifies that both infrastructure and mobile client devices are allowed to associate using the SSID


Defaults

This command has no defaults.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

This command controls the SSID that access points and bridges use when associating with one another. A root access point only allows a repeater access point to associate using the infrastructure SSID, and a root bridge only allows a non-root bridge to associate using the infrastructure SSID. Repeater access points and non-root bridges use this SSID to associate with root devices. Configure authentication types and VLANs for an SSID to control the security of access points and bridges.

Examples

This example shows how to reserve the specified SSID for infrastructure associations on the wireless LAN:

AP(config-if-ssid)# infrastructure-ssid
 
   

This example shows how to restore the SSID to non-infrastructure associations:

AP(config-if-ssid)# no infrastructure-ssid

Related Commands

Command
Description

ssid

Specifies the SSID and enters the SSID configuration mode


interface dot11 (LBS configuration mode)

Use the interface dot11 location based services (LBS) configuration mode command to specify the radio interface on which an LBS profile is enabled. An LBS profile remains inactive until you enter this command.

[no] interface dot11 {0 | 1}

Syntax Description

{0 | 1}

Specifies the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.


Defaults

LBS profiles are disabled by default.

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Examples

This example shows how to specify the radio interface for an LBS profile:

ap(dot11-lbs)# interface dot11 0
 
   

Related Commands

Command
Description

channel-match (LBS configuration mode)

Specifies that the LBS packet sent by an LBS tag must match the radio channel on which the access point receives the packet

dot11 lbs

Creates an LBS profile and enters LBS configuration mode

method (LBS configuration mode)

Specifies the location method used in an LBS profile

multicast address (LBS configuration mode)

Specifies the multicast address that LBS tag devices use when they send LBS packets

packet-type (LBS configuration mode)

Specifies the LBS packet type accepted in an LBS profile

server-address (LBS configuration mode)

Specifies the IP address of the location server on your network


interface dot11radio

Use the interface dot11radio global configuration command to place the access point into the radio configuration mode.

interface dot11radio interface-number

Syntax Description

interface-number

Specifies the radio interface number (The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.)


Defaults

The default radio interface number is 0.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to place the access point into the radio configuration mode:

AP(config)# interface dot11radio 0

Related Commands

Command
Description

show interfaces dot11radio

Displays the radio interface configuration and statistics


ip igmp snooping vlan

Use the ip igmp snooping vlan global configuration command to enable IGMP snooping on a Catalyst VLAN.

[no] ip igmp snooping vlan vlan-id


Note If there is no multicast router for processing IGMP query and response from the host, it is mandatory that no ip igmp snooping be configured on the access point. When IGMP snooping is enabled, all multicast group traffic must send IGMP query and response. If an IGMP query or response is not detected, all multicast traffic for that group is dropped.


Syntax Description

vlan-id

Specifies the Catalyst VLAN number.


Defaults

This command is enabled by default on the 1130AG, 1240AG, and 1300 series access points.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to enable IGMP snooping on a Catalyst VLAN:

AP(config)# ip igmp snooping vlan 1
 
   

This example shows how to disable IGMP snooping on a Catalyst VLAN:

AP(config)# no ip igmp snooping vlan 1
 
   

Related Commands

Command
Description

show ip igmp snooping groups

Displays IGMP snooping group information.


ip redirection

Use the ip redirection SSID configuration mode command to enable IP redirection for an SSID. When you configure IP redirection for an SSID, the access point redirects packets sent from client devices associated to that SSID to a specific IP address. IP redirection is used mainly on wireless LANs serving handheld devices that use a central software application and are statically configured to communicate with a specific IP address.

You can redirect all packets from client devices associated using an SSID or redirect only packets directed to specific TCP or UDP ports (as defined in an access control list). When you configure the access point to redirect only packets addressed to specific ports, the access point redirects those packets from clients using the SSID and drops all other packets from clients using the SSID.


Note When you perform a ping test from the access point to a client device that is associated using an IP-redirect SSID, the response packets from the client are redirected to the specified IP address and are not received by the access point.


[no] ip redirection {host ip-address [access-group {access-list-number | access-list-name} in]}

Syntax Description

ip-address

Specifies the IP address to which packets are redirected. If you do not specify an access control list (ACL) which defines TCP or UDP ports for redirection, the access point redirects all packets that it receives from client devices.

access-list-number

Specifies the number of the ACL used for packet redirection.

access-list-name

Specifies the name of the ACL used for packet redirection.

in

Specifies that the ACL is applied to the access point's incoming interface.


Defaults

IP redirection is disabled by default.

Command Modes

SSID configuration mode

Command History

Release
Modification

12.3(2)JA

This command was introduced.


Examples

This example shows how to configure IP redirection for an SSID without applying an ACL. The access point redirects all packets that it receives from client devices associated to the SSID zorro:

AP# configure terminal
AP(config)# interface dot11radio 0
AP(config-if)# ssid zorro
AP(config-if-ssid)# ip redirection host 10.91.104.91
AP(config-if-ssid-redirect)# end
 
   
This example shows how to configure IP redirection only for packets sent to the specific TCP and UDP ports specified in an ACL. When the access point receives packets from client devices associated using the SSID robin, it redirects packets sent to the specified ports and discards all other packets:

AP# configure terminal
AP(config)# interface dot11radio 0
AP(config-if)# ssid robin
AP(config-if-ssid)# ip redirection host 10.91.104.91 access-group redirect-acl in
AP(config-if-ssid)# end
 
   

Related Commands

Command
Description

ssid

Configure an SSID for the access point radio


l2-filter bridge-group-acl

Use the l2-filter bridge-group-acl configuration interface command to apply a Layer 2 ACL filter to the bridge group incoming and outgoing packets between the access point and the host (upper layer). Use the no form of the command to disable the Layer 2 ACL filter.

[no] l2-filter bridge-group-acl

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no defaults.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to apply a Layer 2 ACL filter to the bridge group packets:

AP(config-if)# l2-filter bridge-group-acl 
 
   
This example shows how to disable the Layer 2 ACL filter:

AP(config-if)# no l2-filter bridge-group-acl
 
   

Related Commands

Command
Description

bridge-group port-protected

Enables protected port for public secure mode configuration

show bridge

Displays information on the bridge group or classes of entries in the bridge forwarding database

show bridge group

Displays information about configured bridge groups


l2-filter-block-arp

Use the l2-filter block-arp command on a radio interface to block all ARP requests whose target L3 address is the access point IP address.

The Address Resolution Protocol (ARP) is used to dynamically map physical hardware addresses to an IP address. Network devices and workstations maintain internal tables in which these mappings are stored for some period of time.

l2-filter block-arp

Syntax Description

This command has no arguments or keywords.

Defaults

This feature is disabled by default.

Command Modes

Configuration interface

Command History

Release
Modification

12.3(7) JA2

This command was introduced.


Examples

This example shows how to apply the l2-filter block-arp command to a radio interface:

AP(config)# interface dot11radio 0
AP(config-if)# l2-filter block-arp

led display

Use the led display global configuration command to reduce the brightness of, or to turn off, the Status LED on the Cisco Aironet 1130AG access point. Use the no form of the command to return the Status LED to full intensity operation.

[no] led display {off | dim}

Syntax Description

off

Turns off the Status LED.

dim

Reduces the brightness of the Status LED.


Defaults

This command has no defaults.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to reduce the brightness of the 1130AG Status LED:

AP(config)# led display dim

This example shows how to turn off the 1130AG Status LED:

AP(config)# led display off
 
   

This example shows how to turn on the 1130AG Status LED:

AP(config)# no led display off
 
   

This example shows how to return the 1130AG Status LED to full brightness operation.

AP(config)# no led display dim 
 
   

Related Commands

Command
Description

show running-config

Displays the contents of the currently running configuration file.


led flash

Use the led flash privileged EXEC command to start or stop the blinking of the LED indicators on the access point for a specified number of seconds. Without arguments, this command blinks the LEDs continuously.

led flash [seconds | disable]

Syntax Description

seconds

Specifies the number of seconds (1 to 3600) that the LEDs blink

disable

Stops the blinking of the LEDs


Defaults

The default is continuous blinking of the LEDs.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to blink the access point LEDs for 30 seconds:

AP# led flash 30
 
   
This example shows how to stop the blinking of the access point LEDs:
 
   
AP# led flash disable

Related Commands

Command
Description

show led flash

Displays the blinking status of the LEDs


logging buffered

Use the logging buffered global configuration command to begin logging of messages to an internal buffer. Use the no form of this command to stop logging messages.

[no] logging buffered [size] [severity]

Syntax Description

size

Specifies the size of the internal buffer (4096 to 2147483647 bytes)

severity

Specifies the message severity to log (1-7)

Severity 1: alerts

Severity 2: critical

Severity 3: errors

Severity 4: warnings

Severity 5: notifications

Severity 6: informational

Severity 7: debugging


Defaults

This command has no defaults.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to begin logging severity 3 messages to an internal 5000-byte buffer:

AP(config)# logging buffered 5000 3
 
   

This example shows how to stop the message logging:

AP(config)# no logging buffered

Related Commands

Command
Description

show logging

Displays recent logging event headers or complete events

clear logging

Clears logging status count and the trace buffer


logging snmp-trap

Use the logging snmp-trap global configuration command to specify the severity level of syslog messages for which the access point sends SNMP traps.

[no] logging snmp-trap severity

Syntax Description

severity

Specifies the severity levels for which the access point sends SNMP traps. You can enter a range of severity levels (0 through 7) or a single severity level.

To specify a single severity level, enter emergencies (level 0), alerts (level 1), critical (level 2), errors (level 3), warnings (level 4), notifications (level 5), informational (level 6), or debugging (level 7).


Defaults

This command has no defaults.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)JA

This command was introduced.


Usage Guidelines

For the logging snmp-trap command to operate correctly, you must also configure these global configuration commands on the access point:

AP(config)# logging history severity 
AP(config)# snmp-server enable traps 
AP(config)# snmp-server host address syslog
 
   

Examples

This example shows how to configure the access point to send SNMP traps for all severity levels:

AP(config)# logging snmp-trap 0 7
 
   

This example shows how to configure the access point to send SNMP traps only for warning messages:

AP(config)# logging snmp-trap warnings
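
The dependency described under Usage Guidelines can be checked offline against a saved configuration. The following Python sketch is an added example, not Cisco code: the function names and both sample configurations are constructed, and accepting extra tokens (such as a community string) between the host address and syslog is an assumption.

```python
import re

# Severity names and numbers as listed in the Syntax Description above.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6,
            "debugging": 7}

# Global commands that logging snmp-trap depends on (Usage Guidelines).
# Each entry: (label used in the report, regex matched against one line).
PREREQUISITES = [
    ("logging history <severity>", re.compile(r"^logging history \S+")),
    ("snmp-server enable traps", re.compile(r"^snmp-server enable traps\b")),
    # Assumption: other tokens may sit between the address and "syslog".
    ("snmp-server host <address> syslog",
     re.compile(r"^snmp-server host \S+ .*\bsyslog\b")),
]


def trap_levels(args):
    """Return the severity levels selected by the arguments of
    'logging snmp-trap': a 'low high' range or a single level."""
    nums = []
    for tok in args.split():
        if tok in SEVERITY:
            nums.append(SEVERITY[tok])
        elif tok.isdigit() and 0 <= int(tok) <= 7:
            nums.append(int(tok))
        else:
            raise ValueError("unknown severity: " + tok)
    if len(nums) == 1:
        return nums
    if len(nums) == 2:
        return list(range(min(nums), max(nums) + 1))
    raise ValueError("expected one level or a two-value range")


def audit_syslog_traps(config_text):
    """Return (levels, missing): the severities trapped and the prerequisite
    commands that are absent. Both are empty when logging snmp-trap is unset."""
    # Global configuration commands are the non-indented lines.
    top = [ln.rstrip() for ln in config_text.splitlines()
           if ln.strip() and not ln[0].isspace()]
    levels = set()
    for ln in top:
        m = re.match(r"^logging snmp-trap\s+(.+)$", ln)
        if m:
            levels.update(trap_levels(m.group(1)))
    if not levels:
        return [], []
    missing = [name for name, rx in PREREQUISITES
               if not any(rx.search(ln) for ln in top)]
    return sorted(levels), missing


# Constructed sample configurations (not taken from a real device).
COMPLETE = """\
logging history warnings
logging snmp-trap warnings
snmp-server enable traps
snmp-server host 192.0.2.10 syslog
"""
INCOMPLETE = """\
logging snmp-trap 0 7
snmp-server enable traps
"""

if __name__ == "__main__":
    for label, cfg in (("complete", COMPLETE), ("incomplete", INCOMPLETE)):
        print(label, audit_syslog_traps(cfg))
```
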
 
   

Related Commands

Command
Description

logging buffered

Controls logging of messages to an internal buffer

show logging

Displays recent logging event headers or complete events

clear logging

Clears logging status count and the trace buffer


match (class-map configuration)

Use the match class-map configuration command to define the match criteria to classify traffic. Use the no form of this command to remove the match criteria.

[no] match {access-group acl-index-or-name |
ip [dscp dscp-list | precedence precedence-list] |
vlan vlan-id}

Syntax Description

access-group acl-index-or-name

Specifies the number or name of an IP standard or extended access control list (ACL) or MAC ACL. For an IP standard ACL, the ACL index ranges are 1 to 99 and 1300 to 1999. For an IP extended ACL, the ACL index ranges are 100 to 199 and 2000 to 2699.

ip dscp dscp-list

Specifies a list of up to eight IP Differentiated Services Code Point (DSCP) values to match against incoming packets. Separate each value with a space. The range is 0 to 63.

ip precedence precedence-list

Specifies a list of up to eight IP-precedence values to match against incoming packets. Separate each value with a space. The range is 0 to 7.

vlan vlan-id

Specifies the virtual LAN identification number. Valid IDs are from 1 to 4095; do not enter leading zeros.



Note Though visible in the command-line help strings, the any, class-map, destination-address, input-interface, mpls, not, protocol, and source-address keywords are not supported.


Defaults

This command has no defaults.

Command Modes

Class-map configuration

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

Use the class-map global configuration command to enter the class-map configuration mode. The match command in the class-map configuration mode is used to specify which fields in the incoming packets are examined to classify the packets. Only the IP access group or the MAC access group matching to the Ether Type/Len are supported.

You can use the match ip dscp dscp-list command only in a policy map that is attached to an egress interface.

Only one match command per class map is supported.

For the match ip dscp dscp-list or the match ip precedence ip-precedence-list command, you can enter a mnemonic name for a commonly used value. For example, you can enter the match ip dscp af11 command, which is the same as entering the match ip dscp 10 command. You can enter the match ip precedence critical command, which is the same as entering the match ip precedence 5 command. For a list of supported mnemonics, enter the match ip dscp ? or the match ip precedence ? command to see the command-line help strings.

Examples

This example shows how to create a class map called class2, which matches all the incoming traffic with DSCP values of 10, 11, and 12:

AP(config)# class-map class2
AP(config-cmap)# match ip dscp 10 11 12
AP(config-cmap)# exit
 
   

This example shows how to create a class map called class3, which matches all the incoming traffic with IP-precedence values of 5, 6, and 7:

AP(config)# class-map class3
AP(config-cmap)# match ip precedence 5 6 7 
AP(config-cmap)# exit
 
   

This example shows how to delete the IP-precedence match criteria and to classify traffic by VLAN:

AP(config)# class-map class2
AP(config-cmap)# match ip precedence 5 6 7 
AP(config-cmap)# no match ip precedence
AP(config-cmap)# match vlan 2
AP(config-cmap)# exit
 
   

You can verify your settings by entering the show class-map privileged EXEC command.
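
The limits stated in the Syntax Description, Note, and Usage Guidelines above (one match per class map, the ACL index ranges, list sizes and value ranges, unsupported keywords) can be checked before a configuration is pushed. This Python validator is an added example, not Cisco code: the function names and the sample transcript are constructed, and non-numeric DSCP or precedence tokens are assumed to be valid mnemonics.

```python
import re

# Keywords the Note lists as visible in help but not supported.
UNSUPPORTED = {"any", "class-map", "destination-address", "input-interface",
               "mpls", "not", "protocol", "source-address"}
IP_ACL_RANGES = [(1, 99), (1300, 1999), (100, 199), (2000, 2699)]
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")   # e.g. "AP(config-cmap)# "


def check_match(args):
    """Return a list of problems for the arguments of one match command."""
    if not args:
        return ["match has no criteria"]
    kind = args[0]
    if kind in UNSUPPORTED:
        return ["keyword '%s' is shown in help but not supported" % kind]
    if kind == "access-group":
        if len(args) != 2:
            return ["access-group takes one ACL number or name"]
        if args[1].isdigit():
            n = int(args[1])
            if not any(lo <= n <= hi for lo, hi in IP_ACL_RANGES):
                # MAC ACL ranges are not listed on this page, so this is
                # reported for review rather than treated as certain.
                return ["ACL number %d is outside the listed IP ACL ranges" % n]
        return []
    if kind == "ip" and len(args) >= 2 and args[1] in ("dscp", "precedence"):
        top = 63 if args[1] == "dscp" else 7
        values, problems = args[2:], []
        if not 1 <= len(values) <= 8:
            problems.append("%s list must hold 1 to 8 values" % args[1])
        for v in values:
            # Assumption: non-numeric tokens are mnemonics (af11, critical)
            # and are accepted unchecked.
            if v.isdigit() and int(v) > top:
                problems.append("%s value %s exceeds %d" % (args[1], v, top))
        return problems
    if kind == "vlan":
        ok = (len(args) == 2 and args[1].isdigit()
              and not args[1].startswith("0") and 1 <= int(args[1]) <= 4095)
        return [] if ok else ["vlan ID must be 1 to 4095 without leading zeros"]
    return ["unrecognized match criteria: " + " ".join(args)]


def audit_class_maps(text):
    """Return {class-map name: [problems]} for config text or a CLI transcript.
    A 'no match ...' line removes the matching criteria entered earlier."""
    active, current = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "class-map":
            current = words[-1]
            active.setdefault(current, [])
        elif current and words[0] == "match":
            active[current].append(words[1:])
        elif current and words[:2] == ["no", "match"]:
            gone = words[2:]
            active[current] = [m for m in active[current]
                               if m[:len(gone)] != gone]
        else:
            current = None          # any other command leaves the class map
    report = {}
    for name, matches in active.items():
        problems = [p for m in matches for p in check_match(m)]
        if len(matches) > 1:
            problems.append("%d match commands in effect; only one per "
                            "class map is supported" % len(matches))
        report[name] = problems
    return report


# Constructed transcript in the style of the examples above.
SAMPLE = """\
AP(config)# class-map voice
AP(config-cmap)# match ip dscp 46
AP(config-cmap)# exit
AP(config)# class-map mixed
AP(config-cmap)# match ip precedence 5 6 7
AP(config-cmap)# match vlan 2
AP(config-cmap)# exit
AP(config)# class-map swapped
AP(config-cmap)# match ip precedence 5 6 7
AP(config-cmap)# no match ip precedence
AP(config-cmap)# match vlan 2
AP(config-cmap)# exit
AP(config)# class-map bad
AP(config-cmap)# match ip dscp 10 64
"""

if __name__ == "__main__":
    for name, problems in audit_class_maps(SAMPLE).items():
        print(name, problems or "ok")
```
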

Related Commands

Command
Description

class-map

Creates a class map to be used for matching packets to the class whose name you specify

show class-map

Displays quality of service (QoS) class maps


max-associations (SSID configuration mode)

Use the max-associations SSID configuration mode command to configure the maximum number of associations supported by the radio interface (for the specified SSID). Use the no form of the command to reset the parameter to the default value.

[no] max-associations value

Syntax Description

value

Specifies the maximum number (1 to 255) of associations supported


Defaults

The default maximum is 255.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to set the maximum number of associations to 5 on the wireless LAN for the specified SSID:

AP(config-if-ssid)# max-associations 5
 
   

This example shows how to reset the maximum number of associations to the default value:

AP(config-if-ssid)# no max-associations

Related Commands

Command
Description

ssid

Specifies the SSID and enters the SSID configuration mode


mbssid

Use the mbssid configuration interface command to enable multiple basic SSIDs on an access point radio interface.

[no] mbssid


Note This command is supported only on radio interfaces that support multiple BSSIDs. To determine whether a radio supports multiple BSSIDs, enter the show controllers radio_interface command. Multiple BSSIDs are supported if the results include this line:
Number of supported simultaneous BSSID on radio_interface: 8


Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled by default.

Command Modes

Configuration interface

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Examples

This example shows how to enable multiple BSSIDs on a radio interface:

ap(config-if)# mbssid
 
   

To enable multiple BSSIDs on all radio interfaces, use the dot11 mbssid global configuration command.

Related Commands

Command
Description

dot11 mbssid

Enables multiple BSSIDs on all radio interfaces that support multiple BSSIDs

mbssid (SSID configuration mode)

Specifies that a BSSID is included in beacons and specifies a DTIM period for the BSSID

show dot11 bssid

Displays configured BSSIDs


mbssid (SSID configuration mode)

Use the mbssid SSID configuration mode command to include the SSID name in the beacon and broadcast probe response and to configure the DTIM period for the SSID.

[no] mbssid [guest-mode] [dtim-period period]


Note This command is supported only on radio interfaces that support multiple basic SSIDs. To determine whether a radio supports multiple basic SSIDs, enter the show controllers radio_interface command. Multiple basic SSIDs are supported if the results include this line:
Number of supported simultaneous BSSID on radio_interface: 8


Syntax Description

guest-mode

Specifies that the SSID is included in beacons.

dtim-period period

Specifies the rate at which the device sends a beacon that contains a Delivery Traffic Indicator Message (DTIM). Enter a beacon rate between 1 and 100.


Defaults

Guest mode is disabled by default. The default period is 2, which means that every other beacon contains a DTIM.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Usage Guidelines

The guest mode and DTIM period configured in this command are applied only when MBSSIDs are enabled on the radio interface.

When client devices receive a beacon that contains a DTIM, they normally wake up to check for pending packets. Longer intervals between DTIMs let clients sleep longer and preserve power. Conversely, shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.


Note Increasing the DTIM period count delays the delivery of multicast packets. Because multicast packets are buffered, large DTIM period counts can cause a buffer overflow.


If you configure a DTIM period for a BSSID and you also use the beacon command to configure a DTIM period for the radio interface, the BSSID DTIM period takes precedence.

Examples

This example shows how to include a BSSID in the beacon:

AP(config-if-ssid)# mbssid guest-mode
 
   

This example shows how to configure a DTIM period for a BSSID:

AP(config-if-ssid)# mbssid dtim-period 5
 
   

This example shows how to include a BSSID in the beacon and to configure a DTIM period:

AP(config-if-ssid)# mbssid guest-mode dtim-period 5
 
   

Related Commands

Command
Description

dot11 mbssid

Enables BSSIDs on all radio interfaces that support multiple BSSIDs

mbssid

Enables BSSIDs on a specific radio interface

show dot11 bssid

Displays configured BSSIDs


method (eap profile configuration mode)

Use the method EAP profile configuration mode command to enable method types used in an EAP profile. Use the no form of the command to disable the EAP method.

[no] method [fast] [gtc] [leap] [md5] [mschapv2] [tls]

Syntax Description

fast

Specifies the EAP-FAST method of authentication.

gtc

Specifies the EAP-GTC method of authentication.

leap

Specifies the EAP-LEAP method of authentication.

md5

Specifies the EAP-MD5 method of authentication.

mschapv2

Specifies the EAP-MSCHAPV2 method of authentication.

tls

Specifies the EAP-TLS method of authentication.



Note EAP-GTC, EAP-MD5, and EAP-MSCHAPV2 should not be used as the primary authentication method.


Defaults

There is no default for this command.

Command Modes

EAP profile configuration mode

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to specify the EAP-FAST method for the EAP test profile:

AP(config)# eap profile test
AP(config-eap-profile)# method fast
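
The Note above can be turned into a configuration check. The following Python sketch is an added example, not Cisco code: it assumes that a profile enabling only EAP-GTC, EAP-MD5, or EAP-MSCHAPV2 is using one of them as its primary method, that sub-commands are indented as in a saved configuration, and the function names and sample text are constructed.

```python
import re

# Methods the Note says should not be the primary authentication method.
NOT_PRIMARY = {"gtc", "md5", "mschapv2"}
# All method keywords from the Syntax Description.
KNOWN = {"fast", "gtc", "leap", "md5", "mschapv2", "tls"}


def eap_profile_methods(config_text):
    """Return {profile name: set of enabled methods} from configuration text."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^eap profile (\S+)$", line)
        if m:
            current = m.group(1)
            profiles.setdefault(current, set())
            continue
        if current is None:
            continue
        words = line.split()
        if words[:1] == ["method"]:
            profiles[current].update(w for w in words[1:] if w in KNOWN)
        elif words[:2] == ["no", "method"]:
            profiles[current].difference_update(words[2:])
        elif raw and not raw[0].isspace():
            current = None      # a new top-level line ends the profile block
    return profiles


def weak_only_profiles(config_text):
    """Names of profiles whose only enabled methods are GTC, MD5 or MSCHAPV2."""
    return sorted(name
                  for name, methods in eap_profile_methods(config_text).items()
                  if methods and methods <= NOT_PRIMARY)


# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
eap profile test
 method fast
!
eap profile legacy
 method md5
 method mschapv2
!
eap profile mixed
 method tls
 method gtc
!
eap profile cleaned
 method fast
 method md5
 no method fast
"""

if __name__ == "__main__":
    print(weak_only_profiles(SAMPLE))
```
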
 
   

Related Commands

Command
Description

eap profile

Configures an EAP profile and enters into EAP profile configuration mode.

dot1x eap profile

Configures an EAP profile for an interface.

show eap registrations

Displays the EAP registrations.

show eap sessions

Displays the EAP sessions.


method (LBS configuration mode)

Use the method location based services (LBS) configuration mode command to specify the location method used in an LBS profile.

method method

Syntax Description

method

Specifies the location method used by the access point. In this release, rssi (in which the access point measures the location packet's received signal strength indication) is the only option and is also the default.


Defaults

The default location method is RSSI.

Command Modes

LBS configuration mode

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Examples

This example shows how to specify the location method used in the LBS profile:

ap(dot11-lbs)# method rssi
 
   

Related Commands

Command
Description

channel-match (LBS configuration mode)

Specifies that the LBS packet sent by an LBS tag must match the radio channel on which the access point receives the packet

dot11 lbs

Creates an LBS profile and enters LBS configuration mode

interface dot11 (LBS configuration mode)

Enables an LBS profile on a radio interface

multicast address (LBS configuration mode)

Specifies the multicast address that LBS tag devices use when they send LBS packets

packet-type (LBS configuration mode)

Specifies the LBS packet type accepted in an LBS profile

server-address (LBS configuration mode)

Specifies the IP address of the location server on your network


mobile station

Use the mobile station configuration interface command to configure a bridge or a workgroup bridge as a mobile device. When you enable this setting on a device in non-root or workgroup bridge mode, the device scans for a new parent association when it encounters a poor Received Signal Strength Indicator (RSSI), excessive radio interference, or a high frame-loss percentage. Using these criteria, a bridge configured as a mobile station searches for a new parent association and roams to a new parent before it loses its current association. When the mobile station setting is disabled (the default setting) the bridge does not search for a new association until it loses its current association.

[no] mobile station


Note This command is supported only on 1100 and 1200 series access points in workgroup bridge mode and on 1300 series access point/bridges in non-root or workgroup bridge mode.


Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled by default.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(15)JA

This command was introduced.

12.3(2)JA

Support added for 1100 series access points in workgroup bridge mode.

12.3(4)JA

Support added for 1200 series access points in workgroup bridge mode.


Usage Guidelines

This command can prevent data loss on a mobile workgroup bridge or bridge by ensuring that the bridge roams to a new parent device before it loses its current association.

Examples

This example shows how to specify that a bridge is a mobile station:

BR(config-if)# mobile station
 
   

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration


mobility network-id

Use the mobility network-id SSID configuration mode command to associate an SSID to a Layer 3 mobility network ID. Use the no form of the command to disassociate the SSID from the mobility network ID.

[no] mobility network-id network-id

Syntax Description

network-id

Specifies the Layer 3 mobility network identification number for the SSID


Defaults

This command has no defaults.

Command Modes

SSID configuration interface

Command History

Release
Modification

12.2(15)JA

This command was introduced.


Examples

This example shows how to associate an SSID with a Layer 3 mobility network ID:

AP(config-if-ssid)# mobility network-id 7
 
   

This example shows how to disassociate the SSID from the mobility network ID:

AP(config-if-ssid)# no mobility network-id
 
   

Related Commands

Command
Description

ssid

Specifies the SSID and enters the SSID configuration mode

wlccp authentication-server

Enables Layer 3 mobility on the access point


multicast address (LBS configuration mode)

Use the multicast address location based services (LBS) configuration mode command to specify the multicast address that LBS tag devices use when they send LBS packets.

multicast address mac-address

Syntax Description

mac-address

Specifies the multicast address that LBS tag devices use when they send LBS packets.


Defaults

The default multicast address is 01:40:96:00:00:10.

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Examples

This example shows how to specify the multicast address used in the LBS profile:

ap(dot11-lbs)# multicast address 01.40.96.00.00.10
 
   

Related Commands

Command
Description

channel-match (LBS configuration mode)

Specifies that the LBS packet sent by an LBS tag must match the radio channel on which the access point receives the packet

dot11 lbs

Creates an LBS profile and enters LBS configuration mode

interface dot11 (LBS configuration mode)

Enables an LBS profile on a radio interface

method (LBS configuration mode)

Specifies the location method used in an LBS profile

packet-type (LBS configuration mode)

Specifies the LBS packet type accepted in an LBS profile

server-address (LBS configuration mode)

Specifies the IP address of the location server on your network


nas (local server configuration mode)

Use the nas local server configuration mode command to add an access point to the list of devices that use the local authenticator.

nas ip-address key shared-key

Syntax Description

ip-address

Specifies the IP address of the NAS access point

shared-key

Specifies the shared key used to authenticate communication between the local authenticator and other access points. You must enter this shared key on the access points that use the local authenticator.


Defaults

This command has no defaults.

Command Modes

Local server configuration mode

Command History

Release
Modification

12.2(11)JA

This command was introduced.


Examples

This example shows how to add an access point to the list of NAS access points on the local authenticator:

AP(config-radsrv)# nas 10.91.6.158 key 110337
 
   

Related Commands

Command
Description

group (local server configuration mode)

Creates a user group on the local authenticator and enters user group configuration mode

radius-server local

Enables the access point as a local authenticator and enters local server configuration mode

user (local server configuration mode)

Adds a user to the list of users allowed to authenticate to the local server


packet max-retries

Use the packet max-retries configuration interface command to specify the maximum number of attempts per non-best-effort data packet before discarding the packet. Use the no form of the command to reset the parameter to defaults.

[no] packet max-retries number 1 number 2 fail-threshold number 3 number 4 priority value drop-packet

Syntax Description

max-retries number 1 number 2

Specifies the maximum number (0 to 128) of non-best-effort data packet retries before discarding the packet. number 1 retries is used if the number 3 fail-threshold has not been exceeded, and number 2 retries is used if the number 3 fail-threshold has been exceeded. The number 1 default is 3 and the number 2 default is 0.

fail-threshold number 3 number 4

Specifies the thresholds for the maximum number of consecutive dropped packets (0 to 1000). The number 3 fail-threshold is used to switch max-retries from number 1 to number 2 as described above. If the number 4 fail-threshold has been exceeded, the client will be disassociated. The number 3 default is 100 and the number 4 default is 500.

priority value

Specifies the QOS user priority (1 to 7). value does not have a default value.

drop-packet

Specifies that priority packets should not be retried and that the packets should be dropped when the maximum number of retries has been reached.


Defaults

The number 1 default is 3, the number 2 default is 0, the number 3 default is 100, and the number 4 default is 500. value does not have a default. The drop-packet default is no; that is, non-best-effort data packets will not be discarded.

Command Modes

Configuration interface

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to specify the packet max-retries.

AP(config)# interface dot11radio 1
AP(config-if)# packet max-retries 15 15 fail-threshold 10 10 priority 7 drop-packet
 
   

This example shows how to reset the packet retries to defaults.

AP(config-if)# no packet max-retries 15 15 fail-threshold 10 10 priority 7 drop-packet

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration.


packet retries

Use the packet retries configuration interface command to specify the maximum number of attempts to send a packet. Use the no form of the command to reset the parameter to defaults.

[no] packet retries 1-128

Syntax Description

1-128

Specifies the maximum number of retries (1 to 128)


Defaults

The default number of retries is 64.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to specify 15 as the maximum number of retries.

AP(config-if)# packet retries 15 
 
   

This example shows how to reset the packet retries to defaults.

AP(config-if)# no packet retries

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration


packet speed

Use the packet speed configuration interface command to specify downlink data rates and priorities for packets which have been declared discard-eligible in the packet max-retries command. Use the no form of the command to disable specified speeds and priorities and to restore the default data rates.

[no] packet speed [rate1....rateN | default] priority 0-7

Syntax Description

rate1....rateN

Specifies one or multiple data rates that can be used for packets. Possible data rates are listed below:

802.11b data rates (Mbps)

1.0, 2.0, 5.5, 11.0

802.11g data rates (Mbps)

1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0

802.11a data rates (Mbps)

6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0

default

Specifies that the default rates are used for packets.

priority 0-7

Specifies the priority (0 to 7)


Defaults

802.11b default data rates (Mbps): 5.5, 11.0

802.11a default data rates (Mbps): 6.0, 12.0, 24.0

802.11g default data rates (Mbps): 5.5, 6.0, 11.0, 12.0, 24.0

Priority default is 6 (voice). Currently, only priority 6 is allowed pending future releases.

Command Modes

Configuration interface

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to specify default packet speeds for priority 7.

AP(config-if)# packet speed default priority 7
 
   

This example shows how to remove packet speeds of 1.0, 2.0, 5.5, 6.0, and 9.0 Mbps data rates at priority 7.

AP(config-if)# no packet speed 1.0 2.0 5.5 6.0 9.0 priority 7
 
   

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration


packet timeout

Use the packet timeout configuration interface command to specify the packet timeout period for a priority. Queued packets whose age has exceeded the timeout threshold will be discarded if they have been declared discard-eligible in the packet max-retries command. Use the no form of the command to reset the parameter to defaults.

[no] packet timeout 1-128 priority 0-7

Syntax Description

1-128

Specifies the packet timeout (1 to 128 milliseconds).

0-7

Specifies the packet priority (0 to 7).


Defaults

The timeout default is 35 milliseconds.

Command Modes

Configuration interface

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to specify a packet timeout of 12 msec at a priority of 7:

AP(config-if)# packet timeout 12 priority 7
 
   

This example shows how to remove the packet timeout of 12 at a priority of 7:

AP(config-if)# no packet timeout 12 priority 7

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration


packet-type (LBS configuration mode)

Use the packet-type location based services (LBS) configuration mode command to specify the LBS packet type that is accepted in an LBS profile.

packet-type {extended | short}

Syntax Description

extended

Specifies that the access point accepts extended packets from LBS tag devices. An extended packet contains two bytes of LBS information in the frame body. If the packet does not contain those two bytes in the frame body, the access point drops the packet.

short

Specifies that the access point accepts short location packets from LBS tag devices. In short packets, the LBS information is missing from the tag packet's frame body and the packet indicates the tag's transmit channel.


Defaults

The default packet type is extended.

Command History

Release
Modification

12.3(4)JA

This command was introduced.


Examples

This example shows how to specify the packet type used in the LBS profile:

ap(dot11-lbs)# packet-type short
 
   

Related Commands

Command
Description

channel-match (LBS configuration mode)

Specifies that the LBS packet sent by an LBS tag must match the radio channel on which the access point receives the packet

dot11 lbs

Creates an LBS profile and enters LBS configuration mode

interface dot11 (LBS configuration mode)

Enables an LBS profile on a radio interface

method (LBS configuration mode)

Specifies the location method used in an LBS profile

multicast address (LBS configuration mode)

Specifies the multicast address that LBS tag devices use when they send LBS packets

server-address (LBS configuration mode)

Specifies the IP address of the location server on your network


parent

Use the parent configuration interface command to add a parent to a list of valid parent access points. Use the no form of the command to remove a parent from the list.

[no] parent 1-4 mac-address

Syntax Description

1-4

Specifies the parent root access point number (1 to 4)

mac-address

Specifies the MAC address (in xxxx.xxxx.xxxx format) of a parent access point


Defaults

Repeater access point operation is disabled by default.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

The parent command adds a parent to the list of valid parent access points. Use this command multiple times to define up to four valid parents. A repeater access point operates best when configured to associate with specific root access points that are connected to the wired LAN.

Examples

This example shows how to set up repeater operation with the parent 1 access point:

AP(config-if)# parent 1 0040.9631.81cf
 
   

This example shows how to set up repeater operation with the parent 2 access point:

AP(config-if)# parent 2 0040.9631.81da
 
   

This example shows how to remove a parent from the parent list:

AP(config-if)# no parent 2

Related Commands

Command
Description

parent timeout

Sets the parent association timeout


parent timeout

Use the parent timeout configuration interface command to define the amount of time that a repeater tries to associate with a parent access point. Use the no form of the command to disable the timeout.

[no] parent timeout sec

Syntax Description

sec

Specifies the amount of time the access point attempts to associate with the specified parent access point (0 to 65535 seconds)


Defaults

Parent timeout is disabled by default.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Usage Guidelines

The parent timeout defines how long the access point attempts to associate with a parent in the parent list. After the timeout, another acceptable parent is used. You set up the parent list using the parent command. With the timeout disabled, the parent must come from the parent list.

Examples

This example shows how to set up repeater operation with the parent 1 access point with a timeout of 60 seconds:

AP(config-if)# parent timeout 60
 
   

This example shows how to disable repeater operation:

AP(config-if)# no parent

Related Commands

Command
Description

parent

Specify valid parent access points
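An added example (not part of the Cisco reference) that audits the parent list described above from a saved configuration: it validates the parent number and MAC format and reports whether each radio is pinned to its list, meaning parents are defined and no parent timeout allows a move to another parent. The sample configuration, interface names and the audit_parents function are constructed for the example; the first two MAC addresses are the ones used in the examples above.

```python
import re

# Constructed sample configuration; interface names are illustrative.
SAMPLE_CONFIG = """\
interface Dot11Radio0
 parent 1 0040.9631.81cf
 parent 2 0040.9631.81da
 parent timeout 60
!
interface Dot11Radio1
 parent 1 0040.9631.81cf
 parent 2 0040:9631:81da
 parent 5 0040.9631.81da
!
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)


def audit_parents(config_text):
    """Map each interface to its parent list, timeout and any problems found."""
    report, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = report.setdefault(
                line.split(None, 1)[1], {"parents": {}, "timeout": None, "problems": []})
            continue
        if not line.startswith(" "):
            current = None  # left the interface block
            continue
        words = line.split()
        if current is None or not words or words[0] != "parent":
            continue
        if len(words) == 3 and words[1] == "timeout" and words[2].isdigit():
            current["timeout"] = int(words[2])
        elif len(words) == 3 and words[1].isdigit():
            slot, mac = int(words[1]), words[2]
            if not 1 <= slot <= 4:
                current["problems"].append(f"parent number {slot} outside 1-4")
            elif not MAC_RE.match(mac):
                current["problems"].append(f"parent {slot} MAC not in xxxx.xxxx.xxxx format")
            else:
                current["parents"][slot] = mac.lower()
        else:
            current["problems"].append(f"unparsed line: {line.strip()}")
    for data in report.values():
        # Per the usage guidelines, a timeout lets the repeater use a parent outside the list.
        data["pinned"] = bool(data["parents"]) and data["timeout"] is None
    return report
```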


password (dot1x credentials configuration mode)

Use the password dot1x credentials configuration mode command to specify the dot1x credential user password. Use the no form of the command to disable the password.

[no] password [number] password

Syntax Description

number

Specifies the type of password that follows. 0 indicates the password is unencrypted. 7 indicates the password is hidden.

password

Specifies the user password for the dot1x credential.


Defaults

This command has no defaults.

Command Modes

Dot1x credentials configuration interface

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to specify an unencrypted user password for the dot1x credential:

AP(config-dot1x-creden)# password 0 1234A45b8
 
   

This example shows how to specify a hidden user password for the dot1x credential:

AP(config-dot1x-creden)# password 7 1234A45b8
 
   

This example shows how to disable the credential user password:

AP(config-dot1x-creden)# no password
 
   

Related Commands

Command
Description

dot1x credentials

Configures dot1x credentials on the access point.

show dot1x credentials

Displays the configured dot1x credentials on the access point.
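An added example, not from the Cisco reference: a Python check that scans a saved configuration for dot1x credentials passwords and reports each one's type and line number without echoing the secret. Type 7 is a reversible obfuscation rather than encryption, so the check reports hidden passwords as well as type 0 ones. The sample configuration, profile names and the audit_dot1x_passwords function are constructed for the example, and treating a password line with no type number as type 0 is an assumption.

```python
import re

# Constructed sample configuration; profile names and secrets are made up.
SAMPLE_CONFIG = """\
dot1x credentials UPLINK
 password 0 Example-Cleartext
 pki-trustpoint pki101
!
dot1x credentials BRIDGE
 password 7 CONSTRUCTED7STRING
!
dot1x credentials LEGACY
 password Example-Untyped
!
dot1x credentials CERT-ONLY
 pki-trustpoint pki101
!
"""

PROFILE_RE = re.compile(r"^dot1x credentials (\S+)\s*$")
PASSWORD_RE = re.compile(r"^\s+password(?: (\d+))? (\S+)\s*$")


def audit_dot1x_passwords(config_text):
    """Return (line_number, profile, password_type, finding) per password line.

    The secret is never included, so the result is safe to log or ticket.
    """
    findings, profile = [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)
            continue
        if not line.startswith(" "):
            profile = None  # left the credentials block
            continue
        m = PASSWORD_RE.match(line)
        if profile and m:
            # Assumption: a password line with no type number is stored like type 0.
            ptype = int(m.group(1)) if m.group(1) else 0
            finding = {0: "cleartext", 7: "hidden"}.get(ptype, "unknown-type")
            findings.append((lineno, profile, ptype, finding))
    return findings
```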


payload-encapsulation

Use the payload-encapsulation configuration interface command to specify the Ethernet encapsulation type used to format Ethernet data packets that are not formatted using IEEE 802.3 headers. Data packets that are not IEEE 802.3 packets must be reformatted using IEEE 802.1H or RFC1042. Use the no form of the command to reset the parameter to defaults.

[no] payload-encapsulation {snap | dot1h}

Syntax Description

snap

(Optional) Specifies the RFC1042 encapsulation

dot1h

(Optional) Specifies the IEEE 802.1H encapsulation


Defaults

The default payload encapsulation is snap.

Command Modes

Configuration interface

Command History

Release
Modification

12.2(4)JA

This command was introduced.


Examples

This example shows how to specify the use of IEEE 802.1H encapsulation:

AP(config-if)# payload-encapsulation dot1h
 
   

This example shows how to reset the parameter to defaults:

AP(config-if)# no payload-encapsulation

Related Commands

Command
Description

show running-config

Displays the current access point operating configuration


pki-trustpoint (dot1x credentials configuration mode)

Use the pki-trustpoint dot1x credentials configuration mode command to configure the PKI-Trustpoint for the dot1x credential. Use the no form of the command to disable the PKI-Trustpoint.

[no] pki-trustpoint name

Syntax Description

name

Specifies the default PKI-Trustpoint for the dot1x credential.


Defaults

This command has no defaults.

Command Modes

Dot1x credentials configuration interface

Command History

Release
Modification

12.3(8)JA

This command was introduced.


Examples

This example shows how to specify the default PKI-Trustpoint for the dot1x credential:

AP(config-dot1x-creden)# pki-trustpoint pki101
 
   

This example shows how to disable the default PKI-Trustpoint:

AP(config-dot1x-creden)# no pki-trustpoint
 
   

Related Commands

Command
Description

dot1x credentials

Configures dot1x credentials on the access point.

show dot1x credentials

Displays the configured dot1x credentials on the access point.


power client

Use the power client configuration interface command to configure the maximum power level clients should use for IEEE 802.11b radio transmissions to the access point. The power setting is transmitted to the client device during association with the access point. Use the no form of the command to not specify a power level.

2.4-GHz Radio (802.11b)

[no] power client {1 | 5 | 20 | 30 | 50 | 100 | local | maximum }


Note: Power settings are in mW.


2.4-GHz Radio (802.11g)

[no] power client {1 | 5 | 10 | 20 | 30 | 50 | 100 | local | maximum}


Note: Power settings are in mW.


[no] power client{-1 | 2 | 5 | 8 | 11 | </