Release Notes for 1100 Series Access Points for Cisco IOS Release 12.2(4)JA1
January 8, 2003
These release notes describe features, enhancements, and caveats for Cisco IOS Release 12.2(4)JA1. They also provide important information about 1100 series access points. Cisco IOS Release 12.2(4)JA1 fixes defect CSCdz60229.
The Cisco Aironet Access Point is a wireless LAN transceiver that can act as the connection point between wireless and wired networks or as the center point of a standalone wireless network. In large installations, the roaming functionality provided by multiple access points enables wireless users to move freely throughout the facility while maintaining uninterrupted access to the network.
You can configure and monitor the 1100 series access point using the command-line interface (CLI), the browser-based management system, or Simple Network Management Protocol (SNMP).
You must have an 1100 series access point to install Cisco IOS Release 12.2(4)JA1.
Note: Only 1100 series access points run Cisco IOS software; 1200, 350, and 340 series access points do not support Cisco IOS. Do not attempt to load a Cisco IOS image on a 1200, 350, or 340 series access point.
Determining the Software Version
To determine the version of Cisco IOS running on your access point, use a Telnet session to log into the access point and enter the show version EXEC command. This example shows command output from an access point running Cisco IOS Release 12.2(4)JA1:
ap1100>show version
Cisco Internetwork Operating System Software
IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(4)JA1
Copyright (c) 1986-2002 by Cisco Systems, Inc.
You can also find the software version on the System Software Version page in the access point's web-browser interface.
Upgrading to a New Software Release
For instructions on installing access point software:
1. Follow this link to the Cisco Aironet Install and Upgrade page:
2. Click this link to browse to the Cisco IOS Software Center on Cisco.com:
Select the Cisco Aironet 1100 Series link to download Cisco IOS version 12.2(4)JA1.
This section lists new features in Cisco IOS Release 12.2(4)JA, which are also included in Cisco IOS Release 12.2(4)JA1. These features, which existed in previous releases of Cisco access point firmware, were added to Cisco IOS in October, 2002.
Support for 802.11 Wireless Standards
Cisco IOS Release 12.2(4)JA supports IEEE 802.11 standards for wireless networking. This support enables interoperability under 802.11 specifications for network architecture, wireless association, and radio management. Support for 802.11 standards allows you to set the access point mode of operation (root or repeater), service set identifier (SSID), authentication type, channel selection, transmission rates, power-save mode, and security based on wired equivalent privacy (WEP), and other configurable fields.
Inter-Access Point Roaming
Clients who roam from one access point to another are supported with pre-standard services for seamless hand-off as defined under IEEE 802.11f Inter-Access Point Protocol (IAPP). When a client roams from one access point to another, the second access point sends a message to the first to update its association table, establishing a learning path to the client for the switch. This feature provides backward compatibility with the Cisco Aironet Data Delivery Protocol for inter-access point hand-off as implemented on 340, 350, and 1200 series access points.
Note: Wireless LAN users are sometimes concerned when a client device stays associated to a distant access point instead of roaming to a closer access point. However, if a client's signal to a distant access point remains strong, the client does not roam to a closer access point. If client devices checked constantly for closer access points, the extra radio traffic would slow throughput on the wireless LAN.
Access points can support up to 16 SSIDs, enabling flexible service deployment. You can configure each SSID for several parameters, creating up to 16 unique sets of services. Configurable parameters include mode for guest clients (enabling a broadcast SSID), client authentication method, maximum number of client associations, VLAN identifier, proxy Mobile IP, and RADIUS accounting list identifier. You can also designate an SSID as an infrastructure SSID that is used only by repeater access points.
Each country regulates usage of the 2.4-GHz spectrum in its domain with respect to channel availability and allowable transmit power. The world mode feature automates client configuration of channel and transmit power settings by allowing world-mode-enabled access points to configure the settings on world-mode-enabled clients. For example, a user with a client device used primarily in Japan could rely on world mode to adjust its channel and power settings automatically when the user travels to Italy and joins a network there.
Configurable Radio Transmit Power
The transmit power of the access point radio can be configured from 1 mW up to 100 mW. You can manipulate the coverage area provided by the access point to meet your needs.
Note: The settings allowed in your regulatory domain might differ from the settings named here.
This feature provides testing and diagnosis capabilities for the wireless interface's connectivity status and throughput performance. You can examine radio configuration information such as the operating channel, transmit power, supported data rates, and regulatory settings; run a link test; determine signal strength and quality; diagnose the client association and authentication process; and examine data packets sent over the radio interface.
The access point bridges the network between the wired infrastructure and wireless devices, switching traffic between the radio and Ethernet interfaces. This feature provides transparent bridging and forwarding logic between these interfaces.
VLAN over Wireless
You use VLANs to partition your network into logical subnets that are independent of physical location. This allows you to differentiate services such as network access for network users. This feature defines 802.1q VLANs for wireless LANs, using a VLAN identifier in the Ethernet frame. Up to 16 VLANs, one per SSID, are supported in this release.
QoS over Wireless
This feature enables the access point to provide traffic prioritization services over the wireless interface for standards-based quality of service (QoS). This feature prioritizes traffic based on the 802.1p tag in the Ethernet header or the IP type of service/Differentiated Services Code Point (TOS/DSCP) bits in the IP header.
Proxy Mobile IP
This release supports the proxy Mobile IP protocol for seamless inter-subnet roaming. When you enable proxy Mobile IP on your access points, client devices that roam from one subnet to the next maintain their IP address and session. The access point acts as a mobile IP proxy for client devices that do not have Mobile IP software installed. The access point informs the foreign agent router that the client has roamed to another subnet, while the foreign agent directs the home agent to reroute packets to it.
This feature enables you to add redundant reliability to your wireless LAN by installing a standby access point as a backup for a primary device and configuring it for hot standby. When installed on the same Ethernet LAN and configured consistently as a primary device, the standby device associates to the primary device as a client and monitors the primary device with periodic link test request packets sent over both the Ethernet and wireless interfaces. The standby device assumes the role of access point by activating its Ethernet port and accepting radio client associations if the primary device fails to respond with a link test response packet.
The load-balancing feature optimizes aggregate bandwidth with intelligent user associations, resulting in a better load distribution. At initialization, the client polls all access points within range for the device load information, and selects the one with the lightest load. The access point interprets the request and provides loading information to the client.
This feature enables Web-based graphical user interface (GUI) management by providing support for HTML Web pages and Common Gateway Interface (CGI) scripts using common Web browsers. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x) to open the web-browser interface.
This release provides support for standard and Cisco Enterprise MIB I and MIB II. For a complete list of supported MIBs, refer to Appendix F, "Supported MIBs," in the Cisco Aironet 1100 Series Access Point Installation and Configuration Guide.
Access Control Lists
Access control lists allow filtering of traffic based on identifiable attributes within an Ethernet frame. You can filter data based on source or destination addresses, protocol used, protocol-specific options (Telnet, FTP, HTTP, and SNMP), and Media Access Control (MAC) address.
This Cisco Wireless Security Suite feature supports the 802.1X standard port-based authentication framework including EAP Cisco Wireless (LEAP), Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol Transport Layer Security (EAP-TLS), and EAP-Tunneled TLS (EAP-TTLS).
Key Hashing (Temporal Key Integrity Protocol)
With this pre-standard implementation of the key hashing technique, the base key and packet-unique initialization vector are hashed together to create a new, per-packet key. This procedure mitigates passive attacks that attempt to determine the base key by accumulating weak initialization vectors. Key hashing is a component of the Cisco Wireless Security Suite pre-standard Temporal Key Integrity Protocol (TKIP), which is part of the draft for IEEE 802.11i enhanced wireless security.
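The difference key hashing makes to the per-packet cipher key, as an added example that is not Cisco code: HMAC-SHA256 is an assumed stand-in for the mixing function (the pre-standard Cisco and 802.11i functions are different), and the base key and IVs are constructed sample values.

```python
import hashlib
import hmac

def wep_packet_key(base_key: bytes, iv: bytes) -> bytes:
    """Without key hashing: the per-packet cipher key is IV || base key."""
    return iv + base_key

def hashed_packet_key(base_key: bytes, iv: bytes, length: int = 16) -> bytes:
    """With key hashing: base key and IV go through a one-way mix.

    HMAC-SHA256 is a stand-in (assumption), not the Cisco pre-standard
    or the 802.11i mixing function.
    """
    return hmac.new(base_key, iv, hashlib.sha256).digest()[:length]

def constant_positions(keys) -> int:
    """Number of byte positions that hold the same value in every key."""
    return sum(1 for column in zip(*keys) if len(set(column)) == 1)

def exposes_base_key(keys, base_key: bytes) -> bool:
    """True if any per-packet key contains the base key verbatim."""
    return any(base_key in key for key in keys)

# Constructed sample values: a 104-bit base key and 256 distinct 3-byte IVs.
BASE_KEY = bytes.fromhex("0102030405060708090a0b0c0d")
IVS = [bytes([i, i, i]) for i in range(256)]

WEP_KEYS = [wep_packet_key(BASE_KEY, iv) for iv in IVS]
HASHED_KEYS = [hashed_packet_key(BASE_KEY, iv) for iv in IVS]

if __name__ == "__main__":
    # Every unhashed key carries the base key at the same fixed offsets.
    print("constant key bytes without hashing:", constant_positions(WEP_KEYS))
    # Hashed keys share no fixed bytes and never contain the base key.
    print("constant key bytes with hashing:   ", constant_positions(HASHED_KEYS))
    print("base key visible in hashed keys:   ",
          exposes_base_key(HASHED_KEYS, BASE_KEY))
```

Because the base key is only ever an input to the mix, what an eavesdropper learns about one per-packet key does not accumulate into knowledge of the base key the way it does when the base key itself sits in every cipher key.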
Message Integrity Check
This feature supports a pre-standard implementation of the MIC protocol. With this feature, the access point validates that packets received from the client have not been tampered with by calculating the packet checksum and comparing it to the checksum calculated and sent by the client. This feature prevents active attacks such as bit-flipping attacks. MIC is also a component of the Cisco Wireless Security Suite pre-standard TKIP.
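Why a keyed integrity check is needed on top of an encrypted checksum, as an added example that is not Cisco code: a SHA-256 counter-mode keystream stands in for the stream cipher and truncated HMAC-SHA256 stands in for the MIC (both assumptions), and all keys and payloads are constructed sample values.

```python
import hashlib
import hmac
import zlib

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode) in place of RC4."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def mic(mic_key: bytes, payload: bytes) -> bytes:
    """Keyed integrity tag; truncated HMAC-SHA256 is a stand-in for the MIC."""
    return hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]

def seal(key, iv, payload, mic_key=None) -> bytes:
    """Sender: encrypt payload || optional MIC || CRC-32 checksum."""
    body = payload + (mic(mic_key, payload) if mic_key else b"")
    body += crc(body)
    return xor(body, keystream(key, iv, len(body)))

def unseal(key, iv, frame, mic_key=None):
    """Receiver: return the payload, or None if an integrity check fails."""
    body = xor(frame, keystream(key, iv, len(frame)))
    data, checksum = body[:-4], body[-4:]
    if crc(data) != checksum:
        return None
    if mic_key is None:
        return data
    payload, tag = data[:-8], data[-8:]
    return payload if hmac.compare_digest(tag, mic(mic_key, payload)) else None

def modify_in_transit(frame: bytes, delta: bytes) -> bytes:
    """Keyless change used to test the receiver: XOR delta into the data
    and adjust the checksum. CRC-32 is linear over XOR, so the adjustment
    depends only on delta, not on the key or the plaintext."""
    padded = delta + bytes(len(frame) - 4 - len(delta))
    fixup = xor(crc(padded), crc(bytes(len(padded))))
    return xor(frame, padded + fixup)

# Constructed sample values (not from the release notes).
KEY, MIC_KEY, IV = b"constructed-key", b"constructed-mic-key", b"\x00\x00\x01"
PAYLOAD = b"qty=1"
DELTA = xor(b"qty=1", b"qty=9")
```

With only the checksum, `unseal` accepts the altered frame and returns `qty=9`; with the MIC key configured on both sides, the same alteration passes the checksum but fails the keyed tag and the frame is dropped.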
Broadcast Key Rotation
You use this Cisco Wireless Security Suite feature to set a timeout for the shared broadcast key, causing a new broadcast key to be generated. This feature mitigates passive attacks that attempt to determine the broadcast key from weak initialization vectors.
This section lists information you should keep in mind when installing 1100 series access points.
Installation in Environmental Air Space
The 1100 series access point provides adequate fire resistance and low smoke-producing characteristics suitable for operation in a building's environmental air space, such as above suspended ceilings, in accordance with Section 300-22(C) of the National Electrical Code (NEC) and Sections 2-128, 12-010(3) and 12-100 of the Canadian Electrical Code, Part 1, C22.1.
Caution: The power injector is not intended for use in extremely high or low temperatures or in environmental air spaces, such as above suspended ceilings.
Caution: The operational voltage range for 1100 series access points is 24 to 60 VDC, and the nominal voltage is 48 VDC. Voltage higher than 60 VDC can damage the equipment.
Caution: Cisco Aironet power injectors are designed for use with Cisco Aironet access points and bridges only. Do not use the power injector with any other Ethernet-ready device. Using the power injector with other Ethernet-ready devices can damage the equipment.
This section describes important information about the access point.
Radio MAC Address Appears in ACU
When a Cisco Aironet client device associates to an 1100 series access point, the access point MAC address that appears on the Status page in the Aironet Client Utility (ACU) is the MAC address for the access point radio. The MAC address for the access point Ethernet port is printed on the label on the back of the access point.
This section lists resolved and open caveats in Cisco IOS Release 12.2(4)JA1.
This caveat is resolved in Cisco IOS Release 12.2(4)JA1:
•Resolved: CSCdz60229—Access points are no longer vulnerable to a denial of service (DoS) when support for the Secure Shell (SSH) server is enabled. Malformed SSH packets directed at the access point no longer cause a reload of the device. Support for SSH is disabled by default.
These caveats are open in Cisco IOS Release 12.2(4)JA1:
•CSCdy48684—If a client device is associated to a repeater access point and you clear the client on the repeater's parent access point, the repeater's virtual interface toggles on the parent access point, and the repeater must reassociate to the parent access point. Workaround: Log into the repeater access point, where the client is directly associated, and enter the clear dot11 client H.H.H command in the CLI to clear the client.
•CSCdy69161—The web-browser interface does not include a setting for limiting the radio transmit power of client devices associated to the access point. To enable this feature, use the power client command in the CLI.
•CSCdy69605—When a Symbol 802.11 phone associates to an access point using an SSID that contains more than 9 characters, the Symbol frequently disassociates, reassociates, and disassociates again. Workaround: Configure an SSID containing fewer than 9 characters, and configure the Symbol phones to associate using that SSID.
•CSCdy72333—When VLANs are enabled, you cannot use the web-browser interface to enable PSPF for the radio sub-interfaces. Workaround: Using the access point CLI, enter these commands to enable PSPF for a VLAN:
ap1100# configure terminal
ap1100(config)# interface dot11radio0.<vlan id>
ap1100(config-subif)# bridge-group <vlan id> port-protected
•CSCdy73237—The access point radio driver can enter a loop in which the driver tries to start the radio, the radio firmware reports an invalid configuration, the radio does not start, and the driver tries to start the radio again. This loop can occur when you use this configuration: you configure the access point to use VLANs; at least one VLAN has encryption; an SSID is configured to use shared key authentication and that SSID is assigned to a VLAN that has no encryption keys defined. Workaround: Make sure that the VLAN you use for shared key authentication has encryption enabled and at least one encryption key defined before the SSID is assigned to that VLAN. If the loop has already occurred, assign an encryption key to the unencrypted VLAN.
•CSCdy73490—When you upgrade access point software from the web-browser interface, errors that cause the upgrade to fail appear only on the CLI, and the web-browser interface does not indicate that the upgrade failed. Workaround: If the system software version number on the web-browser System Software page has not changed after an upgrade, use the privileged EXEC show logging command on the CLI to check for errors that occurred during the upgrade.
•CSCdy74184—The SNMP command dot1qVlanCurrentTable does not retrieve all the VLANs configured on the access point when one of the VLAN identifiers uses continuous characters, such as 1234. Workaround: Use the SNMP get and get-next commands to view the dot1qVlanCurrentTable.
•CSCdy74230—If the access point boots up when it is connected to a switch port that is in shut mode, the access point does not start its bridge virtual interface (BVI) even after the switch port is changed to no shut mode. Workaround: Power off the access point, change the switch port to no shut mode, and power up the access point; or, issue a shut command and a no shut command to the switch port.
•CSCdy75398—If you use SNMP to change the authentication method for an existing SSID, you cannot change it again. Workaround: If you need to change the authentication method twice for an SSID, delete the SSID and re-create it.
•CSCdy79971—The contents of the Software Image Filename field are incomplete on the System Software: Software Upgrade: TFTP Upgrade page in the web-browser interface. Workaround: View the system image filename on a different page, such as the System Software: Software Upgrade: HTTP Upgrade page.
For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at http://www.cisco.com/cisco/web/support/index.html. Select Wireless LAN under Top Issues.
This section lists documents related to Cisco IOS Release 12.2(4)JA1 and to 1100 series access points.
These documents describe installation and configuration of 1100 series access points:
•Quick Start Guide: Cisco Aironet 1100 Series Access Points
•Cisco Aironet 1100 Series Access Point Installation and Configuration Guide
•Cisco Aironet 1100 Series Access Point Command Reference
•Installation Instructions for Cisco Aironet Power Injectors
Cisco IOS Software Documentation Set
Table 1 lists the contents of the Cisco IOS Release 12.2 software documentation set. These documents are available in electronic form, and you can order them in printed form.
You can find the most current Cisco IOS documentation on Cisco.com. Follow this link path to find the documentation for Cisco IOS Release 12.2:
Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 12.2
Copyright © 2003 Cisco Systems, Inc. All rights reserved.