Cisco Wireless Control System Configuration Guide, Release 4.0
Using Templates
Downloads: This chapterpdf (PDF - 3.74MB) The complete bookPDF (PDF - 7.37MB) | Feedback

Using Templates

Table Of Contents

Using Templates

Adding Controller Templates

Configuring an NTP Server Template

Configuring QoS Templates

Configuring a Traffic Stream Metrics QoS Template

Configuring WLAN Templates

Configuring a File Encryption Template

Configuring a RADIUS Authentication Template

Configuring a RADIUS Accounting Template

Configuring a Local Net Users Template

Configuring Guest User Templates

Configuring a MAC Filter Template

Configuring an Access Point Authorization Template

Configuring an Access Control List (ACL) Template

Configuring an Access Point Authentication and MFP Template

Configuring a Web Authentication Template

Downloading a Customized Web Authentication Page

Configuring an 802.11a Policy Name Template

Configuring an 802.11b/g Radio Template

Configuring an 802.11b/g Voice Template

Configuring an 802.11a Voice Template

Configuring an 802.11b/g RRM Threshold Template

Configuring an 802.11b/g RRM Interval Template

Configuring a Known Rogue Access Point Template

Configuring a Trap Receiver Template

Configuring a Trap Control Template

Configuring a Telnet SSH Template

Configuring a Syslog Template

Configuring a Local Management User Template

Applying Controller Templates

Adding Access Point Templates

Configuring Access Point/Radio Templates


Using Templates


This chapter describes how to add and apply controller templates. Information on creating (adding) access point templates is also provided.

Templates allow you to set parameters that you can apply to multiple devices without having to re-enter the common information.


Note Template information can be overridden on individual devices.


It contains these sections:

Adding Controller Templates

Applying Controller Templates

Adding Access Point Templates

Adding Controller Templates

A summary of the templates that can be specified is highlighted below:

Configuring an NTP Server Template

Configuring QoS Templates

Configuring a Traffic Stream Metrics QoS Template

Configuring WLAN Templates

Configuring a File Encryption Template

Configuring a RADIUS Authentication Template

Configuring a RADIUS Accounting Template

Configuring a Local Net Users Template

Configuring Guest User Templates

Configuring a MAC Filter Template

Configuring an Access Point Authorization Template

Configuring an Access Control List (ACL) Template

Configuring an Access Point Authentication and MFP Template

Configuring a Web Authentication Template

Configuring an 802.11a Policy Name Template

Configuring an 802.11b/g Radio Template

Configuring an 802.11b/g Voice Template

Configuring an 802.11a Voice Template

Configuring an 802.11b/g RRM Threshold Template

Configuring an 802.11b/g RRM Interval Template

Configuring a Known Rogue Access Point Template

Configuring a Trap Receiver Template

Configuring a Trap Control Template

Configuring a Telnet SSH Template

Configuring a Syslog Template

Configuring a Local Management User Template

Configuring Access Point/Radio Templates

Follow these steps to add a new controller template.


Step 1 Choose Configure > Controller Templates.

Step 2 Choose Add Template from the Select a command drop-down menu and click GO.

Step 3 Enter the template name.

Step 4 Provide a description of the template.

Step 5 Click Save.


Configuring an NTP Server Template

Follow these steps to add a new network time protocol (NTP) server template to the controller configuration or make modifications to an existing NTP template. NTP is used to synchronize computer clocks on the internet.


Step 1 Choose Configure > Controller Templates.

Step 2 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To modify an existing template, click to select a template in the Template Name column. The NTP Server Template window appears (see Figure 9-1), and the number of controllers the template is applied to automatically populates.

Figure 9-1 NTP Servers Template

Step 3 Enter the NTP server IP address.

Step 4 Click Save.


Configuring QoS Templates

Follow these steps to make modifications to the quality of service profiles.


Step 1 Choose Configure > Controller Templates.

Step 2 On the left sidebar menu, choose System > QoS Profiles. The QoS Template window appears (see Figure 9-2), and the number of controllers the template is applied to automatically populates.

Figure 9-2 QoS Profile Template

Step 3 Set the following values in the Per-User Bandwidth Contracts portion of the screen. All have a default of 0 or Off.

Average Data Rate - The average data rate for non-UDP traffic.

Burst Data Rate - The peak data rate for non-UDP traffic.

Average Real-time Rate - The average data rate for UDP traffic.

Burst Real-time Rate - The peak data rate for UDP traffic.

Step 4 Set the following values for the Over-the-Air QoS portion of the screen.

Maximum QoS RF Usage per AP - The maximum air bandwidth available to clients. The default is 100%.

QoS Queue Depth - The depth of queue for a class of client. The packets with a greater value are dropped at the access point.

Step 5 Set the following values in the Wired QoS Protocol portion of the screen.

Wired QoS Protocol - Choose 802.1P to activate 802.1P priority tags or None to deactivate 802.1P priority flags.

802.1P Tag - Choose 802.1P priority tag for a wired connection from 0 to 7. This tag is used for traffic and LWAPP packets.

Step 6 Click Save.


Configuring a Traffic Stream Metrics QoS Template

Traffic stream metrics are a series of statistics about VoIP over your wireless LAN and informs you of the QoS of the wireless LAN. These statistics are different than the end-to-end statistics provided by VoIP systems. End-to-end statistics provide information on packet loss and latency covering all the links comprising the call path. However, traffic stream metrics are statistics for only the WLAN segment of the call. Because of this, system administrators can quickly determine whether audio problems are being caused by the WLAN or by other network elements participating in a call. By observing which access points have impaired QoS, system administrators can quickly determine the physical area where the problem is occurring. This is important when lack of radio coverage or excessive interference is the root problem.

Four QoS values (packet latency, packet jitter, packet loss, and roaming time), which can affect the audio quality of voice calls, are monitored. All the wireless LAN components participate in this process. Access points and clients measure the metrics, access points collect the measurements and then send them to the controller. The access points update the controller with traffic stream metric information every 90 seconds, and 10 minutes of data is stored at one time. Cisco Wireless Control System queries the controller for the metrics and displays them in the Traffic Stream Metrics QoS Status. These metrics are compared to threshold values to determine their status level and if any of the statistics are displaying a status level of fair (yellow) or degraded (red), the administrator should investigate the QoS of the wireless LAN.

For the access points to collect measurement values, traffic stream metrics must be enabled on the controller.


Step 1 Choose Configure > Controller Templates.

Step 2 On the left sidebar menu, choose System > Traffic Stream Metrics QoS. The Traffic Stream Metrics QoS Status Configuration window appears (see Figure 9-3).

Figure 9-3 Traffic Stream Metrics QoS Status Template

The Traffic Stream Metrics QoS Status Configuration window shows several QoS values. An administrator can monitor voice and video quality of the following:

Upstream delay

Upstream packet loss rate

Roaming time

Downstream packet loss rate

Downstream delay

Packet Loss Rate (PLR) affects the intelligibility of voice. Packet delay can affect both the intelligibility and conversational quality of the connection. Excessive roaming time produces undesired gaps in audio.

There are three levels of measurement:

Normal: Normal QoS (green)

Fair: Fair QoS (yellow)

Degraded: Degraded QoS (red)

System administrators should employ some judgement when setting the green, yellow, and red alarm levels. Some factors to consider are:

Environmental factors including interference and radio coverage which can affect PLR.

End-user expectations and system administrator requirements for audio quality on mobile devices (lower audio quality can permit greater PLR).

Different codec types used by the phones have different tolerance for packet loss.

Not all calls will be mobile-to-mobile; therefore, some will have less stringent PLR requirements for the wireless LAN.


Configuring WLAN Templates

WLAN templates allow you to define various WLAN profiles for application to different controllers.

In WCS software release 4.0.96.0 and later releases, you can configure multiple WLANs with the same SSID. This feature enables you to assign different Layer 2 security policies within the same wireless LAN. To distinguish among WLANs with the same SSID, you need to create a unique profile name for each WLAN.

These restrictions apply when configuring multiple WLANs with the same SSID:

WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes. These are the available Layer 2 security policies:

None (open WLAN)

Static WEP or 802.1x

CKIP

WPA/WPA2

Broadcast SSID must be enabled on the WLANs that share an SSID so that the access points can generate probe responses for these WLANs.

Hybrid-REAP access points do not support multiple SSIDs.

The WLAN Override feature is not supported for use with multiple SSIDs.

Follow these steps to add a new WLAN template or make modifications to an existing WLAN template.


Step 1 Choose Configure > Controller Templates.

Step 2 Choose WLAN from the left sidebar menu. The WLAN Template window appears with a summary of all existing defined WLANs.

The following information headings are used to define the WLANs listed on the WLAN Template window (see Figure 9-4).

Template Name - The user-defined name of the template. Clicking the name displays parameters for this template.

Profile Name - This is unique name used to distinguish WLANs with the same SSID.


Note This heading is not seen in versions of 4.0.x software prior to 4.0.96.0.


SSID Column - Displays the name of the WLAN.

Security Policies - Determines whether 802.1X is enabled. None indicates no 802.1X.

AdminStatus - Indicates whether or not administrative privileges are enabled or disabled.

Controllers Applied To - Specifies the number of controllers this template is currently applied to.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. The WLAN > New Template screen appears (see Figure 9-4).

To make modifications to an existing template, select the appropriate template link listed in the Template Name column. The WLAN Template > Selected Template appears.


Note The screens that appear for creating a new template and the existing template are identical except that the existing template screen shows its existing configuration and its Profile and SSID values are fixed and cannot be modified.


Figure 9-4 WLAN Template

Step 4 Enter a unique Profile name for the WLAN.


Note This parameter is only found in versions 4.0.96.0 and greater.


Step 5 Enter an SSID name for the WLAN.

Step 6 Use the Radio Policy drop-down menu to set the WLAN policy to apply to All (802.11a/b/g), 802.11a only, 802.11g only, 802.11b/g only, or 802.11a/g only.

Step 7 Check the AdminStatus check box if you want the enable administrative privileges for the WLAN.

Step 8 Use the Interface drop-down menu to select from the available names of interfaces created by the Controller > Interfaces module.

Step 9 At the Session Timeout parameter, set the maximum time a client session can continue before requiring reauthorization.

Step 10 Use the QoS drop-down menu to choose Platinum (voice) Gold (video), Silver (best effort), or Bronze (background). Services such as VoIP should be set to gold while non-discriminating services such as text messaging can be set to bronze.

Step 11 Use the WMM Policy drop-down menu to choose Disabled, Allowed (so clients can communicate with the WLAN), or Required to make it mandatory for clients to have WMM enabled for communication.

Step 12 Click the 7920 AP CAC check box if you want to enable support on Cisco 7920 phones.

Step 13 If you want WLAN to support older versions of the software on 7920 phones, click to enable the 7920 Client CAC check box. The CAC limit is set on the access point for newer versions of software.

Step 14 Click the Broadcast SSID to activate SSID broadcasts for this WLAN.

Step 15 Check the Aironet IE check box if you want to enable support for Aironet information elements (IEs) for this WLAN. If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.

Step 16 When AAA Override is enabled, and a client has conflicting AAA and controller WLAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system moves clients from the default Cisco WLAN Solution to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system also uses QoS and ACL provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as identity networking.)

For instance, if the Corporate WLAN primarily uses a management interface assigned to VLAN 2, and if AAA Override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.

When AAA Override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is only performed by the AAA server if the controller WLAN do not contain any client-specific authentication parameters.

The AAA override values may come from a RADIUS server, for example.

Step 17 Click the check box if you want to enable external policy validation.

Step 18 Click the check box if you want to enable automatic client exclusion. If you enable client exclusion, you must also set the Timeout Value in seconds for disabled client machines. Client machines are excluded by MAC address and their status can be observed. A timeout setting of 0 indicates that administrative control is required to re-enable the client.


Note When session timeout is not set, it implies that an excluded client remains and won't timeout from the excluded state. It does not imply that the exclusion feature is disabled.


Step 19 When you click the check box to override DHCP server, another parameter appears where you can enter the IP address of your DHCP server. For some WLAN configurations, this is required. Three valid configurations are as follows:

DHCP Required and a valid DHCP server IP address - All WLAN clients obtain an IP address from the DHCP server.

DHCP is not required and a valid DHCP server IP address - All WLAN clients obtain an IP address from the DHCP server or use a static IP address.

DHCP not required and DHCP server IP address 0.0.0.0 - All WLAN clients are forced to use a static IP address. All DHCP requests are dropped.

An invalid combination is clicking to require DHCP address assignment and entering a DHCP server IP address.

Step 20 Click the check box if you want to enable Hybrid REAP local switching. For more information on Hybrid REAP, see the "Configuring Hybrid REAP" section on page 11-1. If you enable, the hybrid-REAP access point handles client authentication and switches client data packets locally.

H-REAP local switching is only applicable to the Cisco 1130/1240/1250 series access points.

Step 21 Click on this link to add a mobility anchor to the WLAN.

Mobility anchors are used to restrict a WLAN to a single subnet, irrespective of a client's entry point into the network. It can also be used to provide some geographic load balancing since WLANs can be used to represent a particular section of the building like engineering, marketing, and so on.

To add a mobility anchor through this page, follow these steps:

a. Click Mobility Anchors.

b. Check the controller that you want to add as a mobility anchor.

c. Click Save.


Note A Cisco 2000 Series Wireless LAN Controller cannot be designated as an anchor for a WLAN. However, a WLAN created on a Cisco 2000 Series Wireless LAN Controller can have a Cisco 4100 Series Wireless LAN Controller and Cisco 4400 Series Wireless LAN Controller as its anchor.


Step 22 Use the drop-down menus in the RADIUS servers section to choose authentication and accounting servers. This selects the default RADIUS server for the specified WLAN and overrides the RADIUS server that is configured for the network. If all three RADIUS servers are configured for a particular WLAN, server 1 has the highest priority and so on.

Step 23 Click if you want to enable IPv6. Layer 3 security must be set to None for this to be enabled.

Step 24 Use the Layer 2 security drop-down menu to choose between None, Static WEP, 802.1X, Cranite, Fortress, Static WEP-802.1x, CKIP, and WPA1 + WPA2 as described in the table below.

Parameter
Description

None

No Layer 2 security selected.

802.1X

WEP 802.1X data encryption type (Note 1):

40/64 bit key.

104/128 bit key.

128/152 bit key.

Static WEP

Static WEP encryption parameters:

Key sizes: 40/64, 104/128 and 128/152 bit key sizes.

Key Index: 1 to 4 (Note 2).

Encryption key required.

Select encryption key format in ASCII or HEX.

Cranite

Configure the WLAN to use the FIPS140-2 compliant Cranite WirelessWall Software Suite, which uses AES encryption and VPN tunnels to encrypt and verify all data frames carried by the Cisco Wireless LAN Solution.

Fortress

FIPS 40-2 compliant Layer 2 security feature.

Static WEP-802.1X

Use this setting to enable both Static WEP and 802.1x policies. If this option is selected, static WEP and 802.1x parameters are displayed at the bottom of the page.

Static WEP encryption parameters:

Key sizes: 40/64, 104/128 and 128/152 bit key sizes.

Key Index: 1 to 4 (Note 2).

Enter encryption key.

Select encryption key format in ASCII or HEX.

WEP 802.1X data encryption type (Note 1):

40/64 bit key.

104/128 bit key.

128/152 bit key.

WPA1+WPA2

Use this setting to enable WPA1, WPA2 or both. See the WPA1 and WPA2 parameters displayed on the screen when WPA1+WPA2 is selected. WPA1 enables Wi-Fi Protected Access with TKIP-MIC Data Encryption. When WPA1+WPA2 is selected, you can use Cisco's Centralized Key Management (CCKM) authentication key management, which allows fast handoff when a client roams from one access point to another.

When WPA1+WPA2 is selected as the Layer 2 security policy, and Pre-Shared Key is enabled, than neither CCKM or 802.1X can be enabled. Although, both CCKM and 802.1X can be enabled at the same time.

CKIP

Cisco Key Integrity Protocol (CKIP). A Cisco access point advertises support for CKIP in beacon and probe response packets. CKIP can be configured only when Aironet IE is enabled on the WAN.

When selected, these CKIP parameters are displayed.

Key length: Specify key length.

Key (ASCII or HEX): Specify encryption key.

MMH Mode: Enable or disable (check box).

KP: Enable or disable (check box).


Step 25 Check the MAC Filtering check box if you want to filter clients by MAC address.

Step 26 If the MFP Signature Generation check box is checked, it enables signature generation for the 802.11 management frames transmitted by an access point associated with this WLAN. Signature generation makes sure that changes to the transmitted management frames by an intruder are detected and reported.

Step 27 Use the Layer 3 security drop-down menu to choose between None, VPN Pass Through, and L2TP.


Note L2TP options are displayed only if a crypto card is installed in the controller.


Step 28 Check the Web Authentication check box if you want it enabled. Web authentication cannot be used in combination with L2TP or VPN passthrough.

Step 29 Click Save. The newly created WLAN template appears on the WLAN template summary page.


Configuring a File Encryption Template

This page allows you to add a new file encryption template or make modifications to an existing file encryption template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose Security > File Encryption.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The File Encryption Template appears (see Figure 9-5).

Figure 9-5 File Encryption Template

Step 4 Check if you want to enable file encryption.

Step 5 Enter an encryption key text string of exactly 16 ASCII characters.

Step 6 Retype the encryption key.

Step 7 Click Save.


Configuring a RADIUS Authentication Template

This page allows you to add a template for RADIUS authentication server information or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 On the left sidebar menu, choose Security > RADIUS Authentication Servers.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select the template in the Template Name column. The RADIUS Authentication Server Template window appears (see Figure 9-6), and the number of controllers the template is applied to automatically populates.

The IP address of the RADIUS server and the port number for the interface protocol is also displayed.

Figure 9-6 RADIUS Authentication Server Template

Step 4 Use the drop-down menu to choose either ASCII or hex shared secret format.

Step 5 Enter the RADIUS shared secret used by your specified server.

Step 6 Click if you want to enable key wrap. If this option is enabled, the authentication request is sent to RADIUS servers that have key encryption key (KEK) and message authenticator code keys (MACK) configured. Also, when enabled, the parameters below appear:

Shared Secret Format: Determine whether ASCII or hexadecimal.

KEK Shared Secret: Enter KEK shared secret.

MACK Shared Secret: Enter MACK shared secret.

Each time the controller is notified with the shared secret, the existing shared secret is overwritten with the new shared secret.


Note Each time the controller is notified with the shared secret, the existing shared secret is overwritten with the new shared secret.


Step 7 Click if you want to enable administration privileges.

Step 8 Click if you want to enable support for RFC 3576. RFC 3576 is an extension to the Remote Authentication Dial In User Service (RADIUS) protocol. It allows dynamic changes to a user session and includes support for disconnecting users and changing authorizations applicable to a user session. With these authorizations, support is provided for Disconnect and Change-of-Authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.

Step 9 Click if you want to enable network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.

Step 10 Click if you want to enable management authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the management user.

Step 11 Specify the time in seconds after which the RADIUS authentication request times out and a retransmission is attempted by the controller. You can specify a value between 2 and 30 seconds.

Step 12 Click Save.


Configuring a RADIUS Accounting Template

This page allows you to add a new template for RADIUS accounting server information or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose Security > RADIUS Acct Servers.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The RADIUS Accounting Template appears (see Figure 9-7), and the number of controllers the template is applied to automatically populates. The IP address of the RADIUS server and the port number for the interface protocols are also displayed.

Figure 9-7 RADIUS Accounting Server Templates

Step 4 Use the Shared Secret Format drop-down menu to choose either ASCII or hexadecimal.

Step 5 Enter the RADIUS shared secret used by your specified server.

Step 6 Retype the shared secret.

Step 7 Click if you want to establish administrative privileges for the server.

Step 8 Click if you want to enable the network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.

Step 9 Specify the time in seconds after which the RADIUS authentication request will timeout and a retransmission by the controller will occur. You can specify a value between 2 and 30 seconds.

Step 10 Click Save.


Configuring a Local Net Users Template

This page allows you to add a new local authentication template or make modifications to an existing template. You must create a local net user and define a password when logging in as a web authentication client.


Step 1 Choose Configure > Controller Templates.

Step 2 On the left sidebar menu, choose Security > Local Net Users.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a user in the User Name column. The Local Net Users Template appears (see Figure 9-8).

Figure 9-8 Local Net Users Template

Step 4 If you keep Import from File enabled, you need to enter a file path or click the Browse button to navigate to the file path. Then continue to Step 8. If you disable the import, continue to Step 5.


Note You can only import a .csv file. Any other file formats are not supported. See Figure Figure 9-9 for CSV file format examples.


The first row in the file is the header. The data in the header is not read by the Cisco WCS. The header can either be blank or filled. The Cisco WCS reads data from the second row onwards. It is mandatory to fill the Username and Password fields in all the rows.

Figure 9-9 CSV File Format

Step 5 Enter a username and password.

Step 6 Use the drop-down menu to choose the SSID which this local user is applied to or choose the any SSID option.

Step 7 Enter a user-defined description of this interface. Skip to Step 9.

Step 8 If you want to override the existing template parameter, click to enable this parameter.

Step 9 Click Save.


Configuring Guest User Templates

This page allows you to create a new template for guest user information or make modifications to an existing template. The purpose of a guest user account is to provide a user account for a limited amount of time. A Lobby Ambassador is able to configure a specific time frame for the guest user account to be active. After the specified time period, the guest user account automatically expires. Refer to the"Creating Guest User Accounts" section on page 7-3 for further information on guest access.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose Security > Guest Users.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a user in the User Name column. The Guest User Template window appears (see Figure 9-10).

Figure 9-10 Guest User Template

Step 4 Enter a guest name. Maximum size is 24 characters.

Step 5 Click the Generate Password check box if you want a password automatically generated. The Password and Confirm Password parameters are automatically populated. If automatic generation is not enabled, you must supply a password twice.

Step 6 From the SSID drop-down list, choose which SSID this guest user applies to. Only those WLANs for which web security is enabled are listed. The SSID must be a WLAN that has Layer 3 web authentication policy configured.

Step 7 Enter a description of the guest user account.

Step 8 From the Lifetime drop-down lists, choose the number of days, hours, or minutes for this user account to remain active. The maximum allotted time is 30 days. A value of zero implies infinity and is considered a permanent account.

Step 9 Click Save.


Configuring a MAC Filter Template

This page allows you to add a new MAC filter template or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose Security > MAC Filtering.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a MAC address in the MAC Address column. The MAC Filter Templates window appears (see Figure 9-11).

Figure 9-11 MAC Filter Templates

Step 4 If you keep Import From File enabled, you need to enter a file path or click the Browse button to navigate to the file path. Skip to Step 9. If you disable Import from File, continue to Step 5.

The client MAC address appears.

Step 5 Choose the SSID which this MAC filter is applied to or choose the any SSID option.

Step 6 Use the drop-down menu to choose from the available interface names.

Step 7 Enter a user-defined description of this interface. Skip to Step 9.

Step 8 If you want to override the existing template parameter, click to enable this parameter.

Step 9 Click Save.


Configuring an Access Point Authorization Template

Follow these steps to add an access point authorization template or make changes to an existing template. These templates are devised for Cisco 11xx/12xx series access points converted from IOS to LWAPP or for 1030 access points connecting in bridge mode.


Step 1 Choose Configure > Controller Templates.

Step 2 From the Security selections in the left sidebar menu, choose AP authorization.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click a MAC address in the AP Base Radio MAC column. The AP Authorization Template appears (see Figure 9-12), and the number of controllers the template is applied to automatically populates.

Figure 9-12 AP Authorization Templates

Step 4 Select the Import from File check box if you want to import a file containing access point MAC addresses.


Note You can only import a .csv file. Any other file formats are not supported.


Step 5 Enter the file path from where you want to import the file.

Step 6 Click Save.


Configuring an Access Control List (ACL) Template

An access control list (ACL) is a security method used to limit the access of an interface. With ACL, you establish a set of rules to apply to a particular interface, and then ACL is applied to all packets that go to that interface. Follow these steps to add an ACL template or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 Choose Security > Access Control Lists in the left sidebar menu.

Step 3 If you want to create a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name in the ACL Name column. The Access Control List Template appears (see Figure 9-13).

Figure 9-13 Access Control List Template

Step 4 Enter an access control list name and click Save to add the new ACL name to the Cisco WCS database.

Step 5 Click the desired list item under ACL Name on the Access Control List window.

Step 6 From the Select a command drop-down menu, choose Add New Rule and click Go (or click an item under Seq #). You can now add a new rule or edit an existing rule in an access control list template. A rule has seven parameters with an action for each rule. When a packet matches all the parameters of a rule, the action for this rule is exercised.

Step 7 In the Sequence parameter, you can define up to 64 rules for each ACL. The rules for each ACL are listed in contiguous sequence from 1 to 64. That is, if Rules 1 through 4 are already defined when you add Rule 29, this rule will become Rule 5.


Note If you add or change a sequence number, the operating system adjusts the other rule sequence numbers to retain the contiguous sequence. For instance, if you have sequence numbers 1 through 7 defined and change number 7 to 5, the operating system automatically reassigns sequence 5 to 6 and sequence 6 to 7.


Step 8 From the Source drop-down menu, choose any or IP address. If you choose IP address, two new fields appear where you are required to enter the IP address and Netmask.

Step 9 For the Destination drop-down menu, choose any or IP address. If you choose IP address, two new fields appear where you are required to enter the IP address and Netmask.

Step 10 Specify which protocol to use for this ACL. The choices in the drop-down menu are as follows:

Any

Transmission control protocol (TCP)

User datagram protocol (UDP)

Internet control message protocol (ICMP)

IP encapsulating security payload (ESP)

Authentication header (AH)

Generic routing encapsulation (GRE)

Internet protocol (IP)

Ethernet over Internet protocol (Eth Over IP)

Open shortest path first (OSPF)

Any other IANA protocol (http://www.iana.org/)


Note If you select TCP or UDP, you are additionally required to enter a source port and destination port.


Step 11 In the DSCP drop-down menu, choose differentiated services code point, any, or a specific IP address.

Step 12 In the Direction drop-down menu, choose any, inbound, or outbound.

Step 13 In the Action drop-down menu, choose permit or deny.

Step 14 Click Save.


Configuring an Access Point Authentication and MFP Template

Management frame protection (MFP) provides for the authentication of 802.11 management frames by the wireless network infrastructure. Management frames can be protected in order to detect adversaries who are invoking denial of service attacks, flooding the network with associations and probes, interjecting as rogue access points, and affecting the network performance by attacking the QoS and radio measurement frames.

When enabled, the access point protects the management frames it transmits by adding a message integrity check information element (MIC IE) to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving access point configured to detect MFP frames to report the discrepancy. An access point must be a member of a WDS to transmit MFP frames.

When MFP detection is enabled, the access point validates every management frame that it receives from other access points in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the discrepancy to the network management system.

Follow these steps to add a new template for the access point authentication and management frame protection (MFP) or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, select Security > AP Authentication and MFP.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a MAC address in the AP Base Radio MAC column. The AP Authentication Policy Template appears (see Figure 9-14), and the number of controllers the template is applied to automatically populates.

Figure 9-14 AP Authentication Policy Template

Step 4 From the Protection Type drop-down menu, choose one of the following authentication policies:

None: No access point authentication policy.

AP Authentication: Apply authentication policy.

MFP: Apply management frame protection.

Step 5 Check to enable AP neighbor authentication. With this feature enabled, the access points sending RRM neighbor packets with different RF network names are reported as rogues.

Step 6 Alarm trigger threshold appears only when AP authentication is selected as a protection type. Set the number of hits to be ignored from an alien access point before raising an alarm.

The valid range is from 1 to 255. The default value is 255.

Step 7 Click Save.


Configuring a Web Authentication Template

With web authentication, guests are automatically redirected to a web authentication page when they launch their browsers. Guests gain access to the WLAN through this web portal. Wireless LAN administrators using this authentication mechanism should have the option of providing unencrypted or encrypted guest access. Guest users can then log into the wireless network using a valid username and password, which is encrypted with SSL. Web authentication accounts may be created locally or managed by a RADIUS server. The Cisco Wireless LAN controllers can be configured to support a web authentication client. You can use this template to replace the Web authentication page provided on the controller.

Follow these steps to add a web authentication template or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose Security > Web Auth Configuration.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Web Authentication Configuration Template window appears (see Figure 9-15), and the number of controllers the template is applied to automatically populates.

Figure 9-15 Web Authentication Configuration Template

Step 4 Choose the appropriate web authentication type from the drop-down menu. The choices are default internal, customized web authentication, or external.

If you choose default internal, you can still alter the page title, message, and redirect URL, as well as whether the logo displays. Continue to Step 5.

If you choose customized web authentication, click Save and apply this template to the controller. You are prompted to download the web authentication bundle.


Note Before you can choose customized web authentication, you must first download the bundle by going to Config > Controller and choose Download Customized Web Authentication from the Select a command drop-down menu and click GO.


If you choose external, you need to enter the URL you want to redirect to after a successful authentication. For example, if the value entered for this field is http://www.company.com, the user would be directed to the company home page.

Step 5 Click to enable Logo Display if you want your company logo displayed.

Step 6 Enter the title you want displayed on the Web authentication page.

Step 7 Enter the message you want displayed on the Web authentication page.

Step 8 Provide the URL where the user is redirected after a successful authentication. For example, if the value entered for this field is http://www.company.com, the user would be directed to the company home page.

Step 9 Click Save.


Downloading a Customized Web Authentication Page

You can download a customized Web authentication page to the controller. A customized web page is created to establish a username and password for user web access.

When downloading customized web authentication, these strict guidelines must be followed:

A username must be provided.

A password must be provided.

A redirect URL must be retained as a hidden input item after extracting from the original URL.

The action URL must be extracted and set from the original URL.

Scripts to decode the return status code must be included.

All paths used in the main page should be of relative type.

Before downloading, the following steps are required:


Step 1 Download the sample login.html bundle file from the server. The.html file is shown in Figure 9-16. The login page is presented to web users the first time they access the WLAN if web authentication is turned on.

Figure 9-16 Login.html

Step 2 Edit the login.html file and save it as a .tar or .zip file.


Note You can change the text of the Submit button to Accept terms and conditions and Submit.


Step 3 Make sure you have a Trivial File Transfer Protocol (TFTP) server available for the download. Keep these guidelines in mind when setting up a TFTP server:

If you are downloading through the service port, the TFTP server must be on the same subnet as the service port because the service port is not routable. However, if you want to put the TFTP server on a different network while the management port is down, add a static route if the subnet where the service port resides has a gateway (config route add IP address of TFTP server).

If you are downloading through the distribution system network port, the TFTP server can be on the same or a different subnet because the distribution system port is routable.

A third-party TFTP server cannot run on the same computer as the Cisco WCS because WCS's built-in TFTP server and third-party TFTP server use the same communication port.

Step 4 Download the .tar or .zip file to the controller(s).


Note The controller allows you to download up to 1 MB of a tar file containing the pages and image files required for the Web authentication display. The 1 MB limit includes the total size of uncompressed files in the bundle.


You can now continue with the download.

Step 5 Copy the file to the default directory on your TFTP server.

Step 6 Choose Configure > Controllers.

Step 7 Choose a controller by clicking the URL for the corresponding IP address. If you select more than one IP address, the customized Web authentication page is downloaded to multiple controllers.

Step 8 From the left sidebar menu, choose System > Commands.

Step 9 From the Upload/Download Commands drop-down menu, choose Download Customized Web Auth and click GO.

Step 10 The IP address of the controller to receive the bundle and the current status are displayed (see Figure 9-17).

Figure 9-17 Download Customized Web Auth Bundle to Controller

Step 11 Choose local machine from the File is Located On parameter. If you know the filename and path relative to the server's root directory, you can also select TFTP server.


Note For a local machine download, either .zip or .tar file options exists, but the WCS does the conversion of .zip to .tar automatically. If you chose a TFTP server download, only .tar files would be specified.


Step 12 Enter the maximum number of times the controller should attempt to download the file in the Maximum Retries parameter.

Step 13 Enter the maximum amount of time in seconds before the controller times out while attempting to download the file in the Timeout parameter.

Step 14 The files are uploaded to the c:\tftp directory. Specify the local file name in that directory or use the Browse button to navigate to it.

Step 15 Click OK.

If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is Located On parameter, and the Server File Name will be populated for you and retried. The local machine option initiates a two-step operation. First, the local file is copied from the administrator's workstation to WCS's own built-in TFTP server. Then the controller retrieves that file. For later operations, the file is already in the WCS server's TFTP directory, and the download web page now automatically populates the filename.

Step 16 Click the "Click here to download a sample tar file" to get an option to open or save the login.tar file.

Step 17 After completing the download, you are directed to the new page and able to authenticate.


Configuring an 802.11a Policy Name Template

Follow these steps to add a new 802.11a policy name template or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose 802.11a > Parameters.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu. To make modifications to an existing template, click to select a policy name in the Policy Name column. The 802.11a Parameters Template window appears (see Figure 9-18), and the number of controllers the template is applied to automatically populates.

Figure 9-18 802.11a Parameters Template

Step 4 Click the check box if you want to enable 802.11a network status.

Step 5 Enter the amount of time between beacons in kilomicroseconds. The valid range is from 100 to 600 milliseconds.

Step 6 Enter the number of beacon intervals that may elapse between transmission of beacon frames containing a traffic indicator message (TIM) element whose delivery count field is 0. This value is transmitted in the DTIM period field of beacon frames. When client devices receive a beacon that contains a DTIM, they normally wake up to check for pending packets. Longer intervals between DTIMS let clients sleep longer and preserve power. Conversely, shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.

Step 7 At the Fragmentation Threshold parameter, determine the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

Step 8 Enter the percentage for 802.11e maximum bandwidth.

Step 9 Click the Pico Cell Mode check box if you want it enabled. This feature enables automatic operating system parameter reconfiguration, allowing the operating system to function efficiently in pico cell deployments. When the operator is deploying a pico cell network, the operating system must also have more memory allocated (512 to 2048 MB) using the config database size 2048 CLI command.

Step 10 Click the Fast Roaming Mode check box if you want to enable it.

Step 11 At the Dynamic Assignment drop-down menu, choose one of three modes:

Automatic - The transmit power is periodically updated for all access points that permit this operation.

On Demand - Transmit power is updated when the Assign Now button is selected.

Disabled - No dynamic transmit power assignments occur, and values are set to their global default.

Step 12 Use the Tx Level drop-down menu to determine the access point's transmit power level. The available options are as follows:

1 - Maximum power allowed per country code setting

2 - 50% power

3 - 25% power

4 - 6.25 to 12.5% power

5 - 0.195 to 6.25% power


Note The power levels and available channels are defined by the country code setting and are regulated on a country by country basis.


Step 13 The Assignment Mode drop-down menu has three dynamic channel modes:

Automatic - The channel assignment is periodically updated for all access points that permit this operation. This is also the default mode.

On Demand - Channel assignments are updated when desired.

OFF - No dynamic channel assignments occur, and values are set to their global default.

Step 14 At the Avoid Foreign AP Interference check box, click if you want to enable it. Enable this parameter to have RRM consider interference from foreign Cisco access points (those non-Cisco access points outside RF/mobility domain) when assigning channels. This foreign 802.11 interference. Disable this parameter to have RRM ignore this interference.

In certain circumstances with significant interference energy (dB) and load (utilization) from foreign access points, RRM may adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the foreign access points. This increases capacity and reduces variability for the Cisco Wireless LAN Solution.

Step 15 Click the Avoid Cisco AP Load check box if you want it enabled. Enable this bandwidth-sensing parameter to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points. Disable this parameter to have RRM ignore this value.

In certain circumstances and with denser deployments, there may not be enough channels to properly create perfect channel re-use. In these circumstances, RRM can assign better re-use patterns to those access points that carry more traffic load.

Step 16 Click the Avoid non 802.11 Noise check box if you want to enable it. Enable this noise-monitoring parameter to have access points avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Disable this parameter to have RRM ignore this interference.

In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, RRM may adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources. This increases capacity and reduces variability for the Cisco Wireless LAN Solution.

Step 17 The Signal Strength Contribution check box is always enabled (not configurable). constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel re-use. The net effect is an increase in Cisco Wireless LAN Solution capacity and a reduction in co-channel and adjacent channel interference.

Step 18 Data rates are negotiated between the client and the controller. If the data rate is set to Mandatory, the client must support it in order to use the network. If a data rate is set as Supported by the controller, any associated client that also supports that same rate may communicate with the access point using that rate. However, it is not required that a client be able to use all the rates marked supported in order to associate. For each rate, a pull-down selection of Mandatory or Supported is available. Each data rate can also be set to Disabled to match client settings.

Step 19 At the Channel List drop-down menu in the Noise/Interference/Rogue Monitoring Channels section, choose between all channels, country channels, or DCA channels based on the level of monitoring you want.

Step 20 The CCX location measurement interval can only be changed when measurement mode is enabled to broadcast radio measurement requests. When enabled, this enhances the location accuracy of clients.

Step 21 Click if you want to enable channel assignment and then choose Custom or Global channel assignment. Global channel assignment is used if your access point's channel is set globally by the controller. Choose custom if your access point's channel is set locally and then select a channel from the drop-down list.


Note The assignment method should be left at the global setting. This allows the controller to dynamically change the channel number as determined by the Radio Resource Management (RRM).


Step 22 Click both the Admin Status and the Enabled check box to enable radio administrative status.

Step 23 Click if you want to enable antenna mode for 802.11a radios and use the drop-down to choose sector A, sector B, or Omni (both A and B).

Step 24 Click if you want to enable antenna diversity for 802.11b/g radios. Then use the drop-down to choose from the following orientation for the external antennas:

Enabled - Choose to enable diversity on both the left and right connectors of the access point.

Left - Choose if your access point has removable antennas and a high-gain antenna is installed on the access point's left connector.

Right - Choose if your access point has removable antennas and a high-gain antenna is installed on the access point's right connector.

Similarly, the orientation for internal antennas has the following options:

Enabled - Choose to enable diversity on both Side A and Side B.

Side A - Choose to enable diversity on Side A (front antenna) only.

Side B - Choose to enable diversity on Side B (rear antenna) only.

Step 25 Click the Antenna Type check box if you want to choose between internal or external antennas (for 802.11b/g radios only).

Step 26 Use the Antenna Name drop-down menu to choose an antenna name. Not all antenna models are supported by radios of different access point types.

Step 27 Click if you want to enable power assignment. When enabled, it allows you to set the transmit power either globally by the controller or locally using the custom option. If you choose custom, use the drop-down menu to choose one of the following options:

1 - Maximum power allowed per country code setting

2 - 50% power

3 - 25% power

4 - 6.25 to 12.5% power

5 - 0.195 to 6.25% power

The assignment method should be left at the global setting. This allows the controller to dynamically change the transmit power level based on the Radio Resource Management (RRM).


Note The power levels and available channels are defined by the county code setting and are regulated on a country by country basis.


Step 28 Click if you want to enable WLAN override for an 802.11b/g radio. When you enable WLAN override, the operating system displays a table showing all current Cisco wireless LAN solutions. In the table, choose WLANS to enable WLAN operation and deselect WLANs to disallow WLAN operation for this 802.11b/g radio.

Step 29 Save the template.

Step 30 Choose the Select APs tab. Use the drop-down menu to apply the parameters by controller, floor area, outdoor area, or all. Click Apply.


Configuring an 802.11b/g Radio Template

This page allows you to add 802.11b/g parameters for a selected template or make modifications to an existing template.


Note Making modifications to RF parameters does not change grouping configurations.



Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose 802.11b/g > Parameters.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a policy name in the Policy Name column. The 802.11b/g Parameters Template window appears (see Figure 9-19), and the number of controllers the template is applied to automatically populates.

Figure 9-19 802.11b/g Parameters Template

Step 4 Click if you want to enable the 802.11b/g network.

Step 5 Enter the rate at which the SSID is broadcast by the access point. The valid range is from 100 to 600 milliseconds.

Step 6 Enter the number of beacon intervals that may elapse between transmission of beacon frames containing a TIM element whose DTIM Count field is 0. When client devices receive a beacon that contains a DTIM, they normally wake up to check for pending packets. Longer intervals between DTIMs let clients sleep longer and preserve power. Conversely, shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often. This value is transmitted in the DTIM period field of beacon frames.

Step 7 At the Fragmentation Threshold parameter, determine the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference. The default value is 2346.

Step 8 Enter a percentage for 802.11e max bandwidth. The default is 100.

Step 9 Click the check box if you want to enable short preamble. A short preamble improves throughput performance.

Step 10 Click the check box if you want to enable pico cell mode. With this enabled, a set of commands for the configuration of access point parameters is activated so that pico cell deployments function properly.

Step 11 Click the check box if you want to enable fast roaming.

Step 12 Use the Dynamic Assignment drop-down menu to choose one of three transmit power modes:

Automatic - The transmit power is periodically updated for all access points that permit this operation. This is the default.

On demand - Transmit power is updated when the Assign Now button is chosen.

Fixed - No dynamic transmit power assignments occur, and values are set to their global default.

Step 13 Choose a transmit power level for the access point. The options available in the drop-down menu include the following:

1 - Maximum power allowed per country code setting

2 - 50% power

3 - 25% power

4 - 6.25 to 12.5% power

5 - 0.195 to 6.25% power


Note The power levels and available channels are defined by the country code setting and are regulated on a country by country basis.


Step 14 Click the Dynamic Tx Power Control check box if you want to enable DTPC support. If this option is enabled, the transmit power level of the radio is advertised in the beacons and probe responses.

Step 15 Use the Assignment Mode drop-down menu to choose one of three dynamic channel assignments:

Automatic - The channel assignment is periodically updated for all access points that permit this operation. This is the default.

On Demand - Channel assignments are updated when desired.

Off - No dynamic channel assignments occur, and values are set to their global default.

Step 16 At the Avoid Foreign AP Interference parameter, click the check box to enable or leave unchecked to disable. If you enable this foreign 802.11 interference-monitoring parameter, Radio Resource Management (RRM) will consider interference from foreign access points (non-Cisco access points outside the RF/mobility domain) when assigning channels to Cisco access points. Disable this parameter to have Radio Resource Management ignore this interference.

In certain circumstances with significant interference energy (dB) and load (utilization) from foreign access points, RRM may adjust the channel assignment. This adjustment would help avoid channels (and sometimes adjacent channels) in Cisco access points that are close to the foreign access points. This in turn increases capacity and reduces variability for the Cisco wireless LAN solution.

Step 17 At the Avoid Cisco AP Load parameter, click the check box to enable or leave unchecked to disable. If you enable this RRM bandwidth-sensing parameter, controllers will assess the traffic bandwidth used by each access point before assigning channels. Disable this parameter to have RRM ignore this value.

In certain circumstance and with denser deployments, there may not be enough channels to properly create perfect channel re-use. In these circumstances, RRM can assign better re-use patterns to those access points that carry more traffic load.

Step 18 At the Avoid Non-802.11 Noise parameter, click the check box to enable or leave unchecked to disable. If you enable this RRM noise-monitoring parameter, access points will avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Disable this parameter to have RRM ignore this interference.

Step 19 The Signal Strength Contribution parameter should always be enabled. RRM constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel reuse. The net effect is an increase in Cisco wireless LAN solution capacity and a reduction in co-channel and adjacent channel interference.

Step 20 Data rates are negotiated between the client and the controller. If the data rate is set to Mandatory, the client must support it in order to use the network. If a data rate is set as Supported by the controller, any associated client that also supports that same rate may communicate with the access point using that rate. However, it is not required that a client use all the rates marked Supported in order to associate. For each rate, use the drop-down list to select Mandatory, Supported, or Disabled.

Step 21 At the Channel List drop-down menu in the Noise/Interference/Rogue Monitoring Channels section, choose between all channels, country channels, or DCA channels based on the level of monitoring you want.

Step 22 Click the Mode check box if you want to enable CCX location measurement.

Step 23 Enter the interval (in seconds) that you want to wait between radio measurement requests.

Step 24 Click Save.


Configuring an 802.11b/g Voice Template

Follow these steps to add a template for 802.11b/g voice parameters, such as call admission control and traffic stream metrics, or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose 802.11b/g > Voice Parameters.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The 802.11b/g Voice Parameters window appears (see Figure 9-20), and the number of controllers the template is applied to automatically populates.

Figure 9-20 802.11b/g Voice Parameters Template

Step 4 For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity. Click the check box to enable CAC.

Step 5 Enter the percentage of maximum bandwidth allowed.

Step 6 Enter the percentage of reserved roaming bandwidth.

Step 7 Click the check box if you want to enable metric collection. Traffic stream metrics are a series of statistics about VoIP over your wireless LAN and informs you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.

Step 8 Click Save.


Configuring an 802.11a Voice Template

Follow these steps to add a template for 802.11b/g voice parameters, such as call admission control and traffic stream metrics, or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose 802.11a > Voice Parameters.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name in the Template Name column. The 802.11a Voice Parameters window appears (see Figure 9-21), and the number of controllers the template is applied to automatically populates.

Figure 9-21 802.11a Voice Parameter Template

Step 4 For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity. Click the check box to enable CAC.

Step 5 Enter the percentage of maximum bandwidth allowed.

Step 6 Enter the percentage of reserved roaming bandwidth.

Step 7 Click the check box if you want to enable metric collection. Traffic stream metrics are a series of statistics about VoIP over your wireless LAN and informs you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.

Step 8 Click Save.


Configuring an 802.11b/g RRM Threshold Template


Follow these steps to add a new 802.11b/g RRM threshold template or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose 802.11b/g > RRM Thresholds.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name in the Template Name column. The 802.11b/g RRM Thresholds Template appears (see Figure 9-22), and the number of controllers the template is applied to automatically populates.

Figure 9-22 802.11b/g RRM Thresholds Template

Step 4 Enter the minimum percentage of failed clients that are currently associated with the controller.

Step 5 Enter the minimum number of failed clients that are currently associated with the controller.

Step 6 At the Min SNR Level parameter, enter the minimum signal-to-noise ratio of the client RF session.

Step 7 Enter the maximum number of clients currently associated with the controller.

Step 8 At the RF Utilization parameter, enter the percentage of threshold for either 802.11a or 802.11b/g.

Step 9 Enter an interference threshold.

Step 10 Enter a noise threshold between -127 and 0 dBm. When outside of this threshold, the controller sends an alarm to WCS.

Step 11 At the Channel List drop-down menu in the Noise/Interference/Rogue Monitoring Channels section, choose between all channels, country channels, or DCA channels based on the level of monitoring you want.

Step 12 Click Save.


Configuring an 802.11b/g RRM Interval Template

Follow these steps to add an 802.11b/g RRM interval template or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose 802.11b/g > RRM Intervals.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template name from the Template Name column. The 802.11b/g RRM Threshold Template appears (see Figure 9-23), and the number of controllers the template is applied to automatically populates.

Figure 9-23 802.11b/g RRM Intervals Template

Step 4 Enter at which interval you want strength measurements taken for each access point. The default is 300 seconds.

Step 5 Enter at which interval you want noise and interference measurements taken for each access point. The default is 300 seconds.

Step 6 Enter at which interval you want load measurements taken for each access point. The default is 300 seconds.

Step 7 Enter at which interval you want coverage measurements taken for each access point. The default is 300 seconds.

Step 8 Click Save.


Configuring a Known Rogue Access Point Template

If you have an established list of known rogue devices, you can configure a template to pass these rogue details to multiple controllers. Follow these steps to add a known rogue template or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose Known Rogues.

Step 3 If you want to add a new template, choose Add Known Rogue from the Select a command drop-down menu and click GO. To make modifications to an existing template, click a specific MAC address in the MAC Address column. The Known Rogues Template window appears (see Figure 9-24).

Figure 9-24 Known Rogues Template

Step 4 The Import from File check box is enabled. This enables you to import a .csv file which contains the MAC addresses of access points into the Cisco WCS. If you click to disable the check box, you are required to enter the MAC address of the access point manually (enter this and skip to Step 6). If you are importing a .csv file, continue to Step 5.

Step 5 Enter the file path where the .csv file exists or use the Browse button to navigate there. Skip to Step 9.

Step 6 Use the Status drop-down menu to specify whether the rogue is known or acknowledged.

Step 7 Enter a comment that may be useful to you later.

Step 8 Click the Suppress Alarms check box if you do not want an alarm sent to WCS.

Step 9 Click Save.


Configuring a Trap Receiver Template

Follow these steps to add a new trap receiver template or make modifications to an existing template. If you have monitoring devices on your network that receive SNMP traps, you may want to add a trap receiver template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose Management > Trap Receivers.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click a specific template in the Template Name column. The Trap Receiver Template window appears (see Figure 9-25), and the number of controllers the template is applied to automatically populates.

Figure 9-25 Trap Receiver Template

Step 4 Enter the IP address of the server.

Step 5 Click to enable the admin status if you want SNMP traps to be sent to the receiver.

Step 6 Click Save.


Configuring a Trap Control Template

Follow these steps to add a trap control template or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose Management > Trap Control.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Trap Controls Template window appears (see Figure 9-26), and the number of controllers the template is applied to automatically populates.

Figure 9-26 Trap Controls Template

Step 4 Check the appropriate check box to enable any of the following miscellaneous traps:

SNMP Authentication - The SNMPv2 entity has received a protocol message that is not properly authenticated. When a user who is configured in SNMP V3 mode tries to access the controller with an incorrect password, the authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.

Link (Port) Up/Down - Link changes states from up or down.

Multiple Users - Two users log in with the same login ID.

Spanning Tree - Spanning Tree traps. Refer to the STP specification for descriptions of individual parameters.

Rogue AP - Whenever a rogue access point is detected or when a rogue access point was detected earlier and no longer exists, this trap is sent with its MAC address.

Controller Config Save - Notification sent when the configuration is modified.

Step 5 Check the appropriate check box to enable any of the following client-related traps:

802.11 Disassociation - The disassociate notification is sent when the client sends a disassociation frame.

802.11 Deauthentication - The deauthenticate notification is sent when the client sends a deauthentication frame.

802.11 Failed Authentication - The authenticate failure notification is sent when the client sends an authentication frame with a status code other than successful.

802.11 Failed Association - The associate failure notification is sent when the client sends an association frame with a status code other than successful.

Excluded - The associate failure notification is sent when a client is excluded.

Step 6 Check the appropriate check box to enable any of the following access point traps:

AP Register - Notification sent when an access point associates or disassociates with the controller.

AP Interface Up/Down - Notification sent when access point interface (802.11a or 802.11b/) status goes up or down.

Step 7 Check the appropriate check box to enable any of the following auto RF profile traps:

Load Profile - Notification sent when Load Profile state changes between PASS and FAIL.

Noise Profile - Notification sent when Noise Profile state changes between PASS and FAIL.

Interference Profile - Notification sent when Interference Profile state changes between PASS and FAIL.

Coverage Profile - Notification sent when Coverage Profile state changes between PASS and FAIL.

Step 8 Check the appropriate check box to enable any of the following auto RF update traps:

Channel Update - Notification sent when access point's dynamic channel algorithm is updated.

Tx Power Update - Notification sent when access point's dynamic transmit power algorithm is updated.

Antenna Update - Notification sent when access point's dynamic antenna algorithm is updated.

Step 9 Check the appropriate check box to enable any of the following AAA traps:

User Auth Failure - This trap is to inform you that a client RADIUS authentication failure has occurred.

RADIUS Server No Response - This trap is to indicate that no RADIUS server(s) are responding to authentication requests sent by the RADIUS client.

Step 10 Check the appropriate check box to enable the following 802.11 security trap:

WEP Decrypt Error - Notification sent when the controller detects a WEP decrypting error.

Step 11 Check the appropriate check box to enable the following WPS trap:

Rogue Auto Containment - Notification sent when a rogue access point is auto-contained.

Step 12 Click Save.


Configuring a Telnet SSH Template

Follow these steps to add a Telnet SSH configuration template or make changes to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose Management > Telnet SSH.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Telnet SSH Configuration Template window appears (see Figure 9-27), and the number of controllers the template is applied to automatically populates.

Figure 9-27 Telnet SSH Configuration Template

Step 4 Enter the number of minutes a Telnet session is allowed to remain inactive before being logged off. A zero means there is no timeout. The valid range is 0 to 160, and the default is 5.

Step 5 At the Maximum Sessions parameter, enter the number of simultaneous Telnet sessions allowed. The valid range is 0 to 5, and the default is 5. New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the service port.

Step 6 Use the Allow New Telnet Session drop-down menu to determine if you want new Telnet sessions allowed on the DS port. New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the service port. The default is no.

Step 7 Use the Allow New SSH Session drop-down menu to determine if you want Secure Shell Telnet sessions allowed. The default is yes.

Step 8 Click Save.


Configuring a Syslog Template

Follow these steps to add a syslog configuration template or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose Management > Syslog.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Syslog Configuration Template window appears (see Figure 9-28), and the number of controllers the template is applied to automatically populates.

Figure 9-28 Syslog Configuration Template

Step 4 Enter a template name. The number of controllers to which this template is applied is displayed.

Step 5 Click to enable syslog.

Step 6 Click Save.


Configuring a Local Management User Template

Follow these steps to add a local management user template or make modifications to an existing template.


Step 1 Choose Configure > Controller Templates.

Step 2 From the left sidebar menu, choose Management > Local Management Users.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a username in the User Name column. The Local Management Users Template appears (see Figure 9-29).

Figure 9-29 Local Management Users Template

Step 4 Enter a template username.

Step 5 Enter a password for this local management user template.

Step 6 Re-enter the password.

Step 7 Use the Access Level drop-down menu to choose either Read Only or Read Write.

Step 8 Click Save.


Applying Controller Templates

You can apply a controller template to a controller.


Step 1 Go to Configure > Controller Templates.

Step 2 Using the left sidebar menu, choose the category of templates to apply.

Step 3 Click the URL from the Template Name column that you want to apply to the controller.

Step 4 Click the Apply to Controllers button.


Adding Access Point Templates

This page allows you to add a new access point template.


Step 1 Choose Configure > Access Point Templates.

Step 2 Choose Add Template from the Select a command drop-down menu and click GO.

Step 3 Enter the template name.

Step 4 Provide a description of the template.

Step 5 Click Save.


Configuring Access Point/Radio Templates

This page allows you to configure a template of access point information that you can apply to one or more access points.


Step 1 Choose Configure > Access Point Templates.

Step 2 From the Template Name column, click on the template name you want to configure.

Step 3 Choose the AP Parameters tab. The AP/Radio Templates window appears (see Figure 9-30).

Figure 9-30 AP/Radio Templates

Step 4 Click the Location check box and enter the access point location.

Step 5 Click both the Admin Status and Enabled check box to enable access point administrative status.

Step 6 Click the AP Mode check box and use the drop-down menu to set the operational mode of the access point as follows:

Local - Default

Monitor - Monitor mode only

REAP - Cisco 1030 remote edge lightweight access point (REAP) used for Cisco 1030 IEEE 802.11a/b/g remote edge lightweight access points.

Rogue Detected - Monitors the rogue access points but does not transmit or contain rogue access points.

Sniffer - The access point "sniffs" the air on a given channel. It captures and forwards all the packets from the client on that channel to a remote machine that runs airopeek (a packet analyzer for IEEE 802.11 wireless LANs). It includes information on timestamp, signal strength, packet size, and so on. If you choose Sniffer as an operation mode, you are required to enter a channel and server IP address on the AP/Radio Templates 802.11b/g or 802.11a parameters tab.

Step 7 You must click both the Mirror Mode and Enabled check box to enable access point mirroring mode.

Step 8 Click to enable Stats Collection Interval and then enter the collection period (in seconds) for access point statistics.

Step 9 Choose the bridging option if you want the access point to act as a bridging access point. This feature applies only to Mesh access points.

Step 10 Use the Data Rate drop-down menu to choose a data rate of 6, 9, 12, 18, 24, 36, 48, or 54 Mbps.

Step 11 Use the Ethernet Bridging drop-down menu to choose to enabled or disabled.

Step 12 Click the Controllers check box, and then you will be required to enter the Primary, Secondary, and Tertiary Controller names.

Step 13 Click the Group VLAN Name check box and then use the drop-down menu to select an established Group VLAN name.

Step 14 Enable local switching by checking the H-REAP Configuration check box. When you enable local switching, any remote access point that advertises this WLAN is able to locally switch data packets (instead of tunneling to the controller).

Step 15 Check the VLAN Support check box to enable it and enter the number of the native VLAN on the remote network (such as 100) in the Native VLAN ID field. This value cannot be zero.


Note By default, a VLAN is not enabled on the hybrid-REAP access point. Once hybrid REAP is enabled, the access point inherits the VLAN name (interface name) and the VLAN ID associated to the WLAN. This configuration is saved in the access point and received after the successful join response. By default, the native VLAN is 1. One native VLAN must be configured per hybrid-REAP access point in a VLAN-enabled domain. Otherwise, the access point cannot send and receive packets to and from the controller. When the client is assigned a VLAN from the RADIUS server, that VLAN is associated to the locally switched WLAN.


Step 16 The SSID-VLAN Mappings section lists all the SSIDs of the controllers which are currently enabled for HREAP local switching. You can edit the number of VLANs from which the clients will get an IP address by clicking the check box and adjusting the value.

Step 17 Save the template.

Step 18 Choose the Select APs tab. Use the drop-down menu to apply the parameters by controller, floor area, outdoor area, or all. Click Apply.


Note When you apply the template to the access point, WCS checks to see if the access point supports REAP mode and displays the application status accordingly.