Cisco Wireless Control System Configuration Guide, Release 5.0
Chapter 9: Configuring Controllers and Access Points
Downloads: This chapterpdf (PDF - 886.0KB) The complete bookPDF (PDF - 11.42MB) | Feedback

Configuring Controllers and Access Points

Table Of Contents

Configuring Controllers and Access Points

Adding Controllers

Setting Multiple Country Codes

Searching Controllers

Managing User Authentication Order

Viewing Audit Status (for Controllers)

Viewing Latest Network Audit Report

Pinging a Network Device from a Controller

Enabling Load-Based CAC for Controllers

Enabling High Density

Requirements

Optimizing the Controller to Support High Density

Configuring 802.3 Bridging

Configuring an RRM Threshold Controller (for 802.11a/n or 802.11b/g/n)

Configuring EDCA Parameters for Individual Controller

Configuring SNMPv3

Configuring Global Credentials for Access Points

Autonomous to LWAPP Migration Support

Adding Autonomous Access Points to WCS

Adding Autonomous Access Points by Device Information

Adding Autonomous Access Points by CSV File

Viewing Autonomous Access Points in WCS

Work Group Bridge (WGB) Mode

Autonomous Access Point to LWAPP Access Point Migration

Adding/Modifying a Migration Template

Configuring Access Points

Configuring Access Point Radios for Location Optimized Monitor Mode

Scheduling Radio Status

Viewing Scheduled Tasks

Viewing Audit Status (for Access Points)

Searching Access Points

Viewing or Editing Rogue Access Point Rules

Configuring Spectrum Experts

Adding a Spectrum Expert

Monitoring Spectrum Experts

Spectrum Experts > Summary

Interferers > Summary

Spectrum Experts Details

Configuring Wired Guest Access


Configuring Controllers and Access Points


This chapter describes how to configure controllers and access points in the Cisco WCS database. This chapter contains the following sections:

Adding Controllers

Setting Multiple Country Codes

Searching Controllers

Managing User Authentication Order

Viewing Audit Status (for Controllers)

Viewing Latest Network Audit Report

Enabling Load-Based CAC for Controllers

Enabling High Density

Configuring 802.3 Bridging

Configuring an RRM Threshold Controller (for 802.11a/n or 802.11b/g/n)

Configuring EDCA Parameters for Individual Controller

Configuring SNMPv3

Configuring Global Credentials for Access Points

Autonomous to LWAPP Migration Support

Configuring Access Points

Configuring Access Point Radios for Location Optimized Monitor Mode

Searching Access Points

Viewing or Editing Rogue Access Point Rules

Configuring Spectrum Experts

Configuring Wired Guest Access


Adding Controllers

You can add controllers one at a time or in batches. Follow these steps to add controllers.


Step 1 Choose Configure > Controllers.

Step 2 From the Select a command drop-down menu choose Add Controllers and click GO. The Add Controller window appears (see Figure 9-1).

Figure 9-1 Add Controller Window

Step 3 Choose one of the following:

If you want to add one controller or use commas to separate multiple controllers, leave the Add Format Type drop-down menu at Device Info.

If you want to add multiple controllers by importing a CSV file, choose File from the Add Format Type drop-down menu. The CSV file allows you to generate your own import file and add the devices you want.


Note If you are adding a controller into WCS across a GRE link using IPsec or a lower MTU link with multiple fragments, you may need to adjust the MaxVar Binds PerPDU. If it is set too high, the controller may fail to be added into WCS. To adjust the MaxVarBindsPerPDU setting, do the following: 1) Stop WCS. 2) Go to the location of the the Open SnmpParameters.properties file on the server that is running WCS. 3) Edit MaxVarBindsPerPDU to 50 or lower. 4) Restart WCS.


Step 4 If you chose Device Info, enter the IP address of the controller you want to add. If you want to add multiple controllers, use a comma between the string of IP addresses.


Note If a partial byte boundary is used and the IP address appears to be broadcast (without regard to the partial byte boundary), there is a limitation on adding the controllers into WCS. For example, 10.0.2.255/23 cannot be added but 10.0.2.254/23 can.


If you chose File, click Browse... to find the location of the CSV file you want to import.

Step 5 Click OK.


Setting Multiple Country Codes

To set multiple country support for a single controller(s) that is not part of a mobility group, follow the steps below.


Step 1 Choose Configure > Controllers.

Step 2 Choose the controller for which you are adding countries.

Step 3 Select 802.11 > General from the left sidebar menu. The Controller 802.11 window appears (see Figure 9-2).

Figure 9-2 Controller 802.11

Step 4 Click the check box to choose which country you want to add. Access points are designed for use in many countries with varying regulatory requirements. You can configure a country code to ensure that it complies with your country's regulations.


Note Access points may not operate properly if they are not designed for use in your country of operation. For example, an access point with part number AIR-AP1030-A-K9 (which is included in the Americas regulatory domain) cannot be used in Australia. Always be sure to purchase access points that match your country's regulatory domain. For a complete list of country codes supported per product, refer to http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps5861/product_data_sheet0900aecd80537b6a.html.


Step 5 Enter the time (in seconds) after which the authentication response will timeout.

Step 6 Click Save.


Searching Controllers

Use the controls in the left sidebar to create and save custom searches:

New Search drop-down menu: Opens the Search Controllers window. Use the Search Controllers window to configure, run, and save searches.

Saved Searches drop-down menu: Lists the saved custom searches. To open a saved search, choose it from the Saved Searches list.

Edit Link: Opens the Edit Saved Searches window. You can delete saved searches in the Edit Saved Searches window.

You can configure the following parameters in the Search Controllers window:

Search for controller by— Choose all controllers, IP address, or controller name.

Select a Network— Choose all networks or an individual network.

Save Search— Check the Save Search check box and enter a name in the Save Search text field to save the search in the Saved Searches drop-down list.

Search by Audit Status— Search by audit status of the following:

Not Available: Audit status is not available.

Identical: No configuration differences found during last audit.

Mismatch: Configuration differences were found between WCS and controller during last audit.

Items per page—Choose the number of found items to display on the search results window. The range is 10 to 100 items per window. The default is 20.

After you click GO, the controller search results appear:

Table 9-1 Search Results

Parameter
Options

IP Address

Local network IP address of the controller management interface. Clicking the title toggles from ascending to descending order. Clicking an IP address in the list displays a summary of the controller details.

WCS

User-defined WCS name.

Controller Name

Clicking the title toggles from ascending to descending order.

Type

Type of controller. For example, Cisco 2000 Series, Cisco 4100 Series, or Cisco 4400 Series.

Location

The geographical location (such as campus or building). Clicking the title toggles from ascending to descending order.

Mobility Group Name

Name of the controller or WPS group.

Reachability Status

Reachable or Unreachable. Clicking the title toggles from ascending to descending order.


Managing User Authentication Order

You can control the order in which authentication servers are used to authenticate a controller's management users.


Step 1 Choose Configure > Controllers.

Step 2 Click an IP address.

Step 3 From the left sidebar menu, choose Management > Authentication Priority.

Step 4 The local database is searched first. Choose either RADIUS or TACACS+ for the next search. If authentication using the local database fails, the controller uses the next type of server.

Step 5 Click Save.


Viewing Audit Status (for Controllers)

An Audit Status column on the Configure > Controllers window shows audit status for each of the controllers based on the last audit. You can also view the network audit report for the selected controllers. The report shows the time of the audit, the IP address of the selected controller, and the synchronization status.


Step 1 Choose Configure > Controllers.

Step 2 You can view the latest audit report in one of two ways:

Check the check boxes of the controllers for which you want audit reports. Choose Audit Now from the Select a command drop-down list and click GO. This method shows the report from the network audit task and not an on-demand audit per controller.

or

Click the Audit Status column value to go to the latest audit details page for the selected controller. This method has similar information as the Network Audit report in the Reports menu, but this report is interactive and per controller.


Note If you mouse over the Audit Status column value, the time of the last audit is displayed.


The Audit Report displays the device name, configuration name, time of audit, audit status for each configuration (mismatch or identical), attribute for each configuration (AP Group Name, IP address), value in WCS, and value in controller.

To run an on-demand audit report, select for which controller you want to run the report and choose Audit Now from the Select a command drop-down menu. If you run an on-demand audit report and configuration differences are detected, you are given the option to retain the existing controller or WCS values.

Step 3 If configuration differences are found as a result of the audit, you can either restore WCS values on the controller or refresh controller values to synchronize WCS with the controller. Choose Restore WCS Values or Refresh Controller Values.


Note If you choose to refresh the controller values, you receive a Refresh Config window with two options for "Configuration if present on WCS but not on device, do you wish to:"

Retain—The WCS refreshes the configuration from the controller but will not delete any devices or configurations that no longer exist in the controller configuration. For example, if the WCS database shows an AP1 but that access point is no longer present in the controller configuration, WCS will not delete AP1 from its database.

Delete—WCS deletes the configuration of the controller from its database and retrieves a new configuration from the controller. Delete is the recommended option so WCS matches the most recent configuration you are refreshing from WLCs.



Note When WCS does a Refresh Config, only the configuration objects for this controller in the WCS database are updated. Upon refresh, the WCS templates are not updated.



Viewing Latest Network Audit Report

The Network Audit Report shows the time of the audit, the IP address of the selected controller, and the synchronization status.


Note This method shows the report from the network audit task and not an on-demand audit per controller.


To view the latest network audit report for the selected controllers, follow these steps:


Step 1 Choose Configure > Controllers.

Step 2 Select the check box for the applicable controller.

Step 3 From the Select a command drop-down menu, choose View Latest Network Audit Report.

Step 4 Click GO.

The Audit Summary displays the time of the audit, the IP address of the selected controller, and the audit status. If any configuration differences exist, they are shown in the details.

You can use the General and Schedule tabs to revise the Audit Report parameters.


Note From the All Controllers page, click the Audit Status column value to view the latest audit details page for the selected controller. This method has similar information as the Network Audit report in the Reports menu, but this report is interactive and per controller.



Note To run an on-demand audit report, select which controller you want to run the report on and choose Audit Now from the Select a command drop-down menu. If you run an on-demand audit report and configuration differences are detected, you are given the option to retain the existing controller or WCS values.



Pinging a Network Device from a Controller

Follow these steps to ping network devices from a controller.


Step 1 Click Configure > Controllers to navigate to the All Controllers page.

Step 2 Click the desired IP address to display the IP Address > Controller Properties page.

Step 3 In the sidebar, choose System > Commands to display the IP Address > Controller Commands page.

Step 4 Choose Ping From Controller from the Administrative Commands drop-down menu and click GO.

Step 5 In the Enter an IP Address (x.x.x.x) to Ping window, enter the IP address of the network device that you want the controller to ping and click OK.

WCS displays the Ping Results window, which shows the packets that have been sent and received. Click Restart to ping the network device again or click Close to stop pinging the network device and exit the Ping Results window.


Enabling Load-Based CAC for Controllers

Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.

In load-based CAC, the access point periodically measures and updates the utilization of the RF channel, channel interference, and the additional calls that the access point can admit. The access point admits a new call only if the channel has enough unused bandwidth to support that call. By doing so, load-based CAC prevents over-subscription of the channel and maintains QoS under all conditions of WLAN loading and interference.

To enable load-based CAC for a controller template, refer to the "Configuring a Voice Parameter Template (for 802.11a/n or 802.11b/g/n)" section.

To enable load-based CAC for a controller using the WCS web interface, follow these steps.


Step 1 Click Configure > Controllers.

Step 2 Click the IP address link of the controller.

Step 3 Click Voice Parameters under 802.11a/n or 802.11b/g/n.

The 802.11a/n (or 802.11b/g/n) Voice Parameters page appears (see Figure 9-3).

Figure 9-3 802.11a/n Voice Parameters Page

Step 4 Click the check box to enable bandwidth CAC. For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.

Step 5 Determine if you want to enable load-based CAC for this radio band. Doing so incorporates a measurement scheme that considers the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference.

Step 6 Enter the percentage of maximum bandwidth allowed.

Step 7 Enter the percentage of reserved roaming bandwidth.

Step 8 Click the check box if you want to enable expedited bandwidth as an extension of CAC for emergency calls. You must have an expedited bandwidth IE that is Cisco Compatible Extensions (version 5) compliant so that a TSPEC request is given higher priority.

Step 9 Click the check box if you want to enable metric collection. Traffic stream metrics are a series of statistics about VoIP over your wireless LAN, and they inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g/n interfaces from all associated access points. If you are using VoIP or video, enable this feature.

Step 10 Click Save.


Enabling High Density

The high density deployments are enabled with Cisco Unified Wireless Network software release 4.1 in conjunction with the Cisco and Intel Business Class Suite Version 2 initiative.

The high density networking feature is designed for large, multi-cell high density wireless networks in which it can be challenging to populate a site with a large number of lightweight access points to manage the cumulative bandwidth load while diminishing the contention between access points and still maintaining quality of service. To optimize RF channel capacity and improve network performance, the high density (or pico cell) mode parameters are introduced.

With this feature you can manually configure the transmit power, receiver sensitivity thresholds, and clear channel assessment sensitivity threshold of Intel client devices and Cisco Aironet lightweight access points in order to create optimal high-density deployments. When a client that supports high density associates to an access point with high-density enabled, they exchange specific 802.11 information element s (IEs) that instruct the client to adhere to the access point's advertised received sensitivity threshold, CCA sensitivity threshold, and transmit power levels. These three parameters reduce the effective cell size by adjusting the received signal strength before an access point and client consider the channel accessible for the transfer of packets. When all access points and clients raise the signal standard in this way throughout a high density area, access points can be deployed closer together, minimizing interference with each other and managing environmental and distant rogue signals.


Note High density is off by default. There are deployment risks involved if you change from the predetermined values. Do not attempt to configure pico cell functionality within your wireless LAN without the advice of Cisco technical support. Non-standard installation is not supported.


Along with these configuration changes, you can further optimize the pico cell deployment as follows:

Requirements

High density has the following restrictions:

Only Cisco lightweight access points (except the AP1030 and 1500 series mesh access points) and the Intel PRO/Wireless 3945ABG and Intel Wireless WiFi Link 4965AGN clients are supported.

Only 802.11a/n networks with high density deployments are supported.


Note Cisco recommends the use of high density only in new WLAN deployments in which all clients and lightweight access points support the high-density feature.


Optimizing the Controller to Support High Density

To optimize a controller to support high density, you need to enable pico cell mode v2. A method to mitigate the inter-cell contention problem in high-density networks is to adjust the access point and client receiver sensitivity, CCA sensitivity, and transmit power parameters in a relatively cooperative manner. By adjusting these variables, the effective cell size can be reduced, not by lowering the transmit power but by increasing the necessary received power before an access point and client consider the channel sufficiently clear for packet transfer. These similar values can be set in the Controller Templates portion of the GUI. Refer to Adding Controller Templates. Follow these steps to configure high density.


Note If you enable pico cell, the default values for auto RF adjust according to the values suggested for Intel 3945ABG clients. The transmit power is set to 10 dBm, CCA sensitivity threshold to -65 dBm, and receiver sensitivity threshold to -65 dBm.



Step 1 Choose Configure > Controllers.

Step 2 From the left sidebar menu, choose 802.11a/n > Parameters or 802.11b/g/n > Parameters. The window as shown in Figure 9-4 appears. Ensure that the 802.11a/n (or 802.11b/g/n) Network Status check box is not enabled.

Figure 9-4 Pico Cell Parameter

Step 3 In the General portion of this window, you see a Pico Cell Mode parameter. Click Enable.


Note Pico cell mode cannot be enabled while Aggressive Load Balancing is enabled on the controller.


Step 4 Click Save.

Step 5 Choose 802.11a/n > Pico Cell or 802.11b/g/n > Pico Cell from the left sidebar menu. The Pico Cell Parameters screen appears (see Figure 9-5).

Figure 9-5 Pico Cell Parameters Window


Note If the Pico Cell Mode parameter is set to Disabled or V1, the Pico Cell V2 parameters are grayed out.


Step 6 From the Pico Cell Mode drop-down menu, choose V2. By choosing V2, the high-density parameters for the access point and clients share the same values and make communication symmetrical. This selection also allows you to enter values for Rx sensitivity, CCA sensitivity, and transmit power, although the defaulted minimum and maximum values represent the Cisco recommended values for most networks.


Note Choose V1 only if you are using a legacy Airespace branded product acquired prior to their acquisition by Cisco. Cisco recommends that you choose V2 if you want to enable pico cell mode.


Step 7 Set the Rx sensitivity threshold based on the desired receiver sensitivity for 802.11a/n radios. The Current column shows what is currently set on the access point and clients, and the Min and Max columns show the range to which the access points and clients should adapt. The valid ranges for Current, Min, and Max columns are -127 to 127 dBm. The defaults are -65 dBm (current), -127 dBm (Min), and 127 dBm (Max). Receiver signal strength values outside of this range are blocked.

Step 8 Set the CCA sensitivity threshold based on when the access point or client considers the channel clear enough for activity. The Current column shows what is currently set on the access point and clients, and the Min and Max columns show the range to which the access points and clients should adapt. The valid ranges for Current, Min, and Max columns are -127 to 127 dBm. The defaults are -65 dBm (current), -127 dBm (Min), and 127 dBm (Max). CCA values outside of this range are blocked.

Step 9 Specify the transmit power of the radio that will be used by the client. The valid ranges for Current, Min, and Max columns are -127 to 127 dBm. The defaults are 10 dBm (current), 0 dBm (Min), and 17 dBm (Max).

Step 10 Click Save to save these values. Click Audit to see a comparison of how WCS configuration matches up with controller configurations. Before choosing Reset to Defaults, you must turn off the 802.11a/n network.

Step 11 Return to 802.11a/n > Parameters and check the 802.11a /n Network Status check box to turn the network back on.


Configuring 802.3 Bridging

The controller supports 802.3 frames and applications that use them, such as those typically used for cash registers and cash register servers. However, to make these applications work with the controller, the 802.3 frames must be bridged on the controller.

Support for raw 802.3 frames allows the controller to bridge non-IP frames for applications not running over IP. Only this raw 802.3 frame format is currently supported.

You can configure 802.3 bridging using WCS release 4.1 or later. Follow these steps.


Step 1 Click Configure > Controllers.

Step 2 Click System > General to access s the General page.

Step 3 From the 802.3 Bridging drop-down menu, choose Enable to enable 802.3 bridging on your controller or Disable to disable this feature. The default value is Disable.

Step 4 Click Save to commit your changes.


Configuring an RRM Threshold Controller (for 802.11a/n or 802.11b/g/n)

Follow these steps to configure an 802.11a/n or 802.11b/g/n RRM threshold controller.


Step 1 Choose Configure > Controller.

Step 2 Click the IP address of the appropriate controller to open the Controller Properties page.

Step 3 From the left sidebar menu, choose 802.11a/n > RRM Thresholds or 802.11b/g/n > RRM Thresholds.

Step 4 Make any necessary changes to Coverage Thresholds, Load Thresholds, Other Thresholds, and Noise/Interference/Rogue Monitoring Channels.


Note When the Coverage Thresholds Min SNR Level (dB) parameter is adjusted, the value of the Signal Strength (dB) automatically reflects this change. The Signal Strength (dB) parameter provides information regarding what the target range of coverage thresholds is when adjusting the SNR value.


Step 5 Click Save.


Configuring EDCA Parameters for Individual Controller

The EDCA parameters (EDCA profile and Streaming MAC Enable settings) for 802.11a/n and 802.11b/g/n can be configured either by individual controller or through a controller template to improve voice QoS support. Refer to the "Configuring EDCA Parameters through a Controller Template" section for steps to configure a controller template.

To configure 802.11a/n or 802.11b/g/n EDCA parameters for an individual controller, do the following:


Step 1 Choose Configure > Controllers.

Step 2 Click the IP Address of the applicable controller.

Step 3 From the left sidebar menu, select 802.11a/n > EDCA Parameters or 802.11b/g/n > EDCA Parameters.

Step 4 Choose the EDCA Profile from the drop-down menu.


Note Profiles include Wi-Fi Multimedia (WMM), Spectralink Voice Priority (SVP), Voice Optimized, and Voice & Video Optimized. WMM is the default EDCA profile.



Note You must shut down radio interface before configuring EDCA Parameters.


Step 5 Click the Enable Streaming MAC check box to enable this feature.


Note Only enable Streaming MAC if all clients on the network are WMM compliant.



Configuring SNMPv3

When you are configuring a controller, you can add SNMPv3 settings or change the setting (and any other settings) established from the previously added controller. Follow these steps to set the SNMPv3 settings.


Step 1 Choose Configure > Controllers.

Step 2 Click the IP Address of the applicable controller or choose Add Controller from the Select a command drop-down menu.

Step 3 On the SNMP Parameters portion of the window, choose v3 from the Version drop-down menu.

Step 4 You can change the retries and timeout values that were established for this controller if desired.

Step 5 In the Privacy Type drop-down menu, choose None, CBC-DES, or CFB-AES-128. AES refers to the Advanced Encryption Standard algorithm established by the National Institute of Standards and Technology (NIST). It is more secure than older DES algorithms. CFB (Cipher Feedback) refers to the method AES uses to encrypt the packets, and 128 refers to the key length (128 bits).

Step 6 Any passwords used to derive encryption keys for algorithms using 128 but must contain a minimum of 12 characters. Enter a privacy password that fits this criteria.

Step 7 Click OK.


Configuring Global Credentials for Access Points

Cisco autonomous access points are shipped from the factory with "Cisco" as the default enable password. This password allows users to log into the non-privileged mode and execute show and debug commands, posing a security threat. The default enable password must be changed to prevent unauthorized access and to enable users to execute configuration commands from the access point's console port.

In WCS and controller software releases prior to 5.0, you can set the access point enable password only for access points that are currently connected to the controller. In WCS and controller software release 5.0, you can set a global username, password, and enable password that all access points inherit as they join a controller. This includes all access points that are currently joined to the controller and any that join in the future. When you are adding an access point, you can also choose to accept this global username and password or override it on a per-access point basis and assign a unique username, password, and enable password. Refer to the "Configuring Access Point Templates" section to see where the global password is displayed and how it can be overridden on a per-access point basis.

Also in controller software release 5.0, after an access point joins the controller, the access point enables console port security, and you are prompted for your username and password whenever you log into the access point's console port. When you log in, you are in non-privileged mode, and you must enter the enable password in order to use the privileged mode.


Note These controller software release 5.0 features are supported on all access points that have been converted to lightweight mode, except the 1100 series. VxWorks access points are not supported.


The global credentials that you configure on the controller are retained across controller and access point reboots. They are overwritten only if the access point joins a new controller that is configured with a global username and password. If the new controller is not configured with global credentials, the access point retains the global username and password configured for the first controller.


Note You need to keep careful track of the credentials used by the access points. Otherwise, you might not be able to log into an access point's console port. If necessary, you can clear the access point configuration to return the access point username and password to the default setting.


Follow these steps to establish a global username and password.


Step 1 Choose Configure > Controllers or Configure > Access Points.

Step 2 Choose an IP address of a controller with software release 5.0 or later or choose an access point associated with software release 5.0 or later.

Step 3 Choose System > AP Username Password from the left sidebar menu. The AP Username Password window appears (see Figure 9-6).

Figure 9-6 AP Username Password Window

Step 4 In the AP Username field, enter the username that is to be inherited by all access points that join the controller.

Step 5 In the AP Password field, enter the password that is to be inherited by all access points that join the controller. Re-enter in the Confirm AP Password field.

Step 6 For Cisco autonomous access points, you must also enter and confirm an enable password. In the AP Enable Password field, enter the enable password that is to be inherited by all access points that join the controller. Re-enter in the Confirm Enable Password field.

Step 7 Click Save.


Autonomous to LWAPP Migration Support

The autonomous to LWAPP migration support feature provides a common application (WCS) from which you can perform basic monitoring of autonomous access points along with current LWAPP access points. The following autonomous access points are supported:

Cisco Aironet 1100 Access Point

Cisco Aironet 1130 Access Point

Cisco Aironet 1200 Access Point

Cisco Aironet 1240 Access Point

Cisco Aironet 1240 Access Point

Cisco Aironet 1310 Bridge

Cisco Aironet 1410 Bridge

You may also choose to convert autonomous access points to LWAPP.

From WCS, the following functions are available when managing autonomous access points:

Adding Autonomous Access Points to WCS

Configuring autonomous access points

Viewing Autonomous Access Points in WCS

Monitoring associated alarms

Performing an autonomous access point background task

Checks the status of autonomous access points managed by WCS.

Generates a critical alarm when an unreachable autonomous access point is detected.

See Background Task for more information

Running reports on autonomous access points

See Reports > Inventory Reports and Reports > Client Reports > Client Count for more information

Supporting autonomous access points in Work Group Bridge (WGB) mode

Migrating autonomous access points to LWAPP access points

Adding Autonomous Access Points to WCS

From WCS, the following methods are available for adding autonomous access points:

Add autonomous access points by Device information (IP addresses and credentials).

Add autonomous access points by CSV file.

Adding Autonomous Access Points by Device Information

Autonomous access points can be added to WCS by device information using comma-separated IP addresses and credentials.

To add autonomous access points using device information, follow these steps:


Step 1 Choose Configure > Access Points.

Step 2 From the Select a command drop-down menu, choose Add Autonomous APs.

Step 3 Click GO.

Step 4 Select Device Info from the Add Format Type drop-down list.

Step 5 Enter comma-separated IP addresses of autonomous access points.

Step 6 Enter the SNMP parameters including version number, number of retries, and timeout in seconds.

Step 7 Enter Telnet credentials for migration (optional).


Note The Telnet credentials are required to convert the access points from autonomous to unified.



Note If the autonomous access point already exists, WCS updates the credentials (SNMP and Telnet) to the existing device.


Step 8 Click OK.


Adding Autonomous Access Points by CSV File

Autonomous access points can be added to WCS using a CSV file exported from WLSE.

To add autonomous access points using a CSV file, follow these steps:


Step 1 Choose Configure > Access Points.

Step 2 From the Select a Command drop-down menu, choose Add Autonomous APs.

Step 3 Click GO.

Step 4 Select File from the Add Format Type drop-down list.

Step 5 Enter or browse to the applicable CSV file.


Note The CSV file has the same format as Adding Controllers but includes additional (optional) columns such as telnet_username, telnet_password, and enable_password.


Step 6 Click OK.


To remove an autonomous access point from WCS:


Step 1 Select the check box(es) of the appropriate access point(s).

Step 2 Select Remove APs from the Select a Command drop-down list.


Viewing Autonomous Access Points in WCS

Once added, the autonomous access points can be viewed on the Monitor > Access Points page.

Click the autonomous access point to view more detailed information such as:

Operational status of the access points

Key attributes including radio information, channel, power, and number of clients on the radio

CDP neighbored information

The autonomous access points can also be viewed in Monitor > Maps.

They can be added to a floor area by choosing Monitor Maps > <floor area> and selecting Add Access Points from the Select a Command drop-down list.

Work Group Bridge (WGB) Mode

Wireless Group Bridge (WGB) mode is a special mode where an autonomous access point functions as a wireless client and connects to an LWAPP access point. The WGB and its wired clients are listed as client in WCS.

Choose Monitor > WGBs to view a list of all WCS clients that are in WGBs. Click a User to view detailed information regarding a specific WGB and its wired clients.


Note The WCS provides WGB client information for the autonomous access point whether or not it is managed by the WCS. If the WGB access point is also managed by the WCS, WCS provides basic monitoring functions for the access point similar to other autonomous access points.


Autonomous Access Point to LWAPP Access Point Migration

To make a transition from an Autonomous solution to a Unified architecture, autonomous access points must be converted to LWAPP access points. The migration utility is available from the Configure > Migration Templates page where existing templates are listed.

From the Select a command drop-down list, the following functions can be performed:

Add Template—Allows you to provide necessary information for migration.

Delete Templates—Allows you to delete a current template.

View Migration Report—Allows you to view information such as AP address, migration status, timestamp, and a link to detailed logs.

View Current Status—Allows you to view the progress of the current migration (updated every three seconds).


Note When migrating an already-managed autonomous access point to LWAPP, its location and antenna information is migrated as well. You do not need to re-input the information. WCS automatically removes the autonomous access point after migration.


Adding/Modifying a Migration Template

To add a new template, select Add Template from the Select a command drop-down list.

To modify an existing template, click the template name from the summary list.

Enter or modify the following migration parameters:

General

Template Name—User-defined name of this migration template.

Description—Brief description to help you identify the migration template.

Upgrade Options

DHCP Support—Ensures that after the conversion every access point gets an IP from the DHCP server.

Retain AP HostName—Allows you to retain the same hostname for this access point.

Migrate over WAN Link—Increases the default timeouts for the CLI commands executed on the access point.

DNS Address

Domain Name

Controller Details


Note Ensures that the access point authorization information (SSC) can be configured on this controller and the converted access points can join.


Controller IP—Enter the IP address of the WLAN controller you are wanting to add to the newly migrated access point.

User Name—Enter a valid username for login of the WLAN controller.

Password—Enter a valid password for this username used during WLAN controller login.

TFTP Details

When you installed and set up WCS, it provided its own TFTP and FTP server.

TFTP Server IP—Enter the IP address of the WCS server.

File Path—Enter the TFTP directory which was defined during WCS setup.

File Name—Enter the LWAPP conversion file defined in the TFTP directory during WCS setup (for example, c1240-rcvk9w8-tar.123.11JX1.tar).

Once a template is added in WCS, the following additional buttons appear:

Select APs—Selecting this option provides a list of autonomous access points in WCS from which to choose the access points for conversion.

Select File—To provide CSV information for access points intended for conversion.

Configuring Access Points

Choose Configure > Access Points to see a summary of all access points in the Cisco WCS database. The summary information includes the following:

Ethernet MAC

IP Address

Radio

Map Location

AP Type

Controller

Operation Status

Alarm Status

Audit Status


Note If you hover over the Audit Status value, the time of the last audit is displayed.



Step 1 Click the link under AP Name to see detailed information about that access point name. The following window appears (see Figure 9-7).

Figure 9-7 Detailed Access Point Information

.


Note There is no need to add access points to the Cisco WCS database. The operating system software automatically detects and adds an access point to the Cisco WCS database as it associates with existing controllers in the Cisco WCS database.


Some of the parameters on the window are supplied.

The General portion displays the Ethernet MAC, the Base Radio MAC, and IP Address.

The Versions portion of the window displays the software and boot version.

The Inventory Information portion displays the model, IOS version, and serial number and type of the access point, provides which certificate type is required, and determines whether H-REAP mode is supported or not.

The Radio Interfaces portion provides the current status of the 802.11a/n and 802.11b/g/n radios such as admin status, channel number, power level, antenna mode, antenna diversity, and antenna type.

Follow the steps below to set the configurable parameters.

Step 2 Enter the name assigned to the access point.

Step 3 Use the drop-down menu to choose a country code to establish multiple country support. Access points are designed for use in many countries with varying regulatory requirements. You can configure a country code to ensure that the access point complies with your country's regulations. Consider the following when setting the country code:

You can configure up to 20 countries per controller.

Because only one auto-RF engine and one list of available channels exist, configuring multiple countries limits the channels available to auto-RF in the common channels. A common channel is one that is legal in each and every configured country.

When you configure access points for multiple countries, the auto-RF channels are limited to the highest power level available in every configured country. A particular access point may be set to exceed these limitations (or you may manually set the levels in excess of these limitations), but auto-RF does not automatically choose a non-common channel or raise the power level beyond that available in all countries.


Note Access points may not operate properly if they are not designed for use in your country of operation. For example, an (-A) access point with part number AIR-AP1030-A-K9 (which is included in the Americas regulatory domain) cannot be used in Europe (-E). Always be sure to purchase access points that match your country's regulatory domain. For a complete list of country codes supported per product, refer to http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html.


Step 4 If you want to enable the access point for administrative purposes, check the Enabled check box.

Step 5 If you click Enabled at the AP Static IP check box, a static IP address is always assigned to the access point rather than getting an IP address dynamically upon reboot.

Step 6 Choose the role of the access point from the AP Mode drop-down menu. No reboot is required after the mode is changed except when monitor mode is selected. You are notified of the reboot when you click Save. The available modes are as follows:

Local — This is the normal operation of the access point and the default AP Mode choice. With this mode, data clients are serviced while configured channels are scanned for noise and rogues. The access point goes off-channel for 50 ms and listens for rogues. It cycles through each channel for the period specified under the Auto RF configuration.

Monitor — This is radio receive only mode and allows the access point to scan all configured channels every 12 seconds. Only deauthentication packets are sent in the air with an access point configured this way. A monitor mode access point detects rogues, but it cannot connect to a suspicious rogue as a client to prepare for the sending of RLDP packets.


Note You can expand the monitor mode for tags to include location calculation by enabling the location optimized monitor mode (LOMM) feature. When LOMM is enabled, you can specify which four channels within the 2.4GHz band (802.11b/g radio) of an access point to use to monitor tags. This allows you to focus channel scans on only those channels for which tags are traditionally found (such as channels 1, 6, and 11) in your network. To enable LOMM, you must also make additional edits on the 802.11b/g radio of the access point. Refer to the "Configuring Access Point Radios for Location Optimized Monitor Mode" section for configuration details.


Rogue Detector — In this mode, the access point radio is turned off, and the access point listens to wired traffic only. The controller sends all the rogue access point and client MAC address lists to the rogue detector, and the rogue detector forwards this information to the WLC. The MAC address list is compared to what the WLC access points expected. If the MAC addresses match, you can determine which rogue access points are connected on the wired network.

Sniffer Mode — Operating in sniffer mode, the access point captures and forwards all the packets on a particular channel to a remote machine that runs Airopeek. These packets contain information such as timestamp, signal strength, packet size, and so on. This feature can only be enabled if you run Airopeek, which is a third-party network analyzer software that supports the decoding of data packets. For more information on Airopeek, see http://www.wildpackets.com/products.

HREAP —Choose HREAP from the AP Mode drop-down menu to enable hybrid REAP for up to six access points. The HREAP access points can switch client data traffic locally and perform client authentication locally when their connection to the controller is lost.

Step 7 In the Primary, Secondary, and Tertiary Controller fields, you can define the order in which controllers are accessed.

Step 8 The AP Group Name drop-down shows all access point group names that have been defined using WLANs > AP Group VLANs, and you can specify whether this access point is tied to any group.

Step 9 Enter a description of the physical location where the access point was placed.

Step 10 In the Stats Collection Period parameter, enter the time in which the access point sends .11 statistics to the controller. The valid range is 0 to 65535 seconds. A value of 0 means statistics should not be sent.

Step 11 Choose Enabled for Mirror Mode if you want to duplicate (to another port) all of the traffic originating from or terminating at a single client device or access point. Mirror mode is useful in diagnosing specific network problems but should only be enabled on an unused port since any connections to this port become unresponsive.

Step 12 You can globally configure MFP on a controller. When you do, management frame protection and validation are enabled by default for each joined access point, and access point authentication is automatically disabled. After MFP is globally enabled on a controller, you can disable and re-enable it for individual WLANs and access points.

If you click to enable MFP Frame Validation, three main functions are performed:

Management frame protection — When management frame protection is enabled, the access point protects the management frames it transmits by adding a message integrity check information element (MIC IE) to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, and the receiving access points which were configured to detect MFP frames report the discrepancy.

Management frame validation — When management frame validation is enabled, the access point validates every management frame it receives from other access points in the network. When the originator is configured to transmit MFP frames, the access point ensures that the MIC IE is present and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE, it reports the discrepancy to the network management system. In order to report this discrepancy, the access point must have been configured to transmit MFP frames. Likewise, for the timestamps to operate properly, all controllers must be Network Transfer Protocol (NTP) synchronized.

Event reporting — The access point notifies the controller when it detects an anomaly, and the controller aggregates the received anomaly events and reports the results through SNMP traps to alert the network manager.

Step 13 Click the Cisco Discovery Protocol check box if you want to enable it. CDP is a device discovery protocol that runs on all Cisco-manufactured equipment, such as routers, bridges, and communication servers. Each device sends periodic messages to a multicast address and listens to the messages that others send in order to learn about neighboring devices. When the device boots, it sends a CDP packet specifying whether the device is inline power enabled so that the requested power can be supplied.


Note Changing access point parameters temporarily disables an access point and might result in loss of connectivity to some clients.


Step 14 On the System > AP Username Password window, you can set global credentials for all access points to inherit as they join a controller. These established credentials are displayed in the lower right of the AP Parameters tab window. If you want to override the global credentials for this particular access point, click the Override Global Username Password check box. You can then enter a unique username, password, and enable password that you want to assign to this access point.

Step 15 Select the role of the mesh access point from the AP Role drop-down menu. The default setting is MAP.


Note An access point in a mesh network functions as either a root access point (RAP) or mesh access point (MAP).


Step 16 Enter the name of the bridge group to which the access point belongs. The name can have up to 10 characters.


Note Bridge groups are used to logically group the mesh access points to avoid two networks on the same channel from communicating with each other.



Note For mesh access points to communicate, they must have the same bridge group name.



Note For configurations with multiple RAPs, make sure that all RAPs have the same bridge group name to allow failover from one RAP to another.



Note For configurations where separate sectors are required, make sure that each RAP and its associated MAPs have separate bridge group names.


The Type parameter appears whether the mesh access point is an indoor or outdoor access point, and the Backhaul Interface parameter displays the access point radio that is being used as the backhaul for the access point.

Step 17 Select the data rate for the backhaul interface from the drop-down menu. Data rates available are dictated by the backhaul interface. The default rate is 18 Mbps.


Note This data rate is shared between the mesh access points and is fixed for the whole mesh network.



Note Do NOT change the data rate for a deployed mesh networking solution.


Step 18 Choose the Enable option from the Ethernet Bridging drop-down menu to enable Ethernet bridging for the mesh access point.

Step 19 Click Save to save the configuration.

Step 20 If you need to perform a hardware reset on this access point, click Reset AP Now.

Step 21 If you need to clear the access point configuration and reset all values to the factory default, click Clear Config.


Configuring Access Point Radios for Location Optimized Monitor Mode

To optimize monitoring and location calculation of tags, you can enable LOMM on up to four channels within the 2.4 GHz band (802.11b/g radio) of an access point. This allows you to focus channel scans only on those channels on which tags are usually programmed to operate (such as channels 1, 6, and 11).

After enabling Monitor Mode at the access point level, you must then enable LOMM and assign monitoring channels on the 802.11b/g radio of the access point.


Note For details on enabling Monitor Mode on an access point, refer to Step 6 in the "Configuring Access Points" section.


Follow the steps below to set enable LOMM and assign monitoring channels on the access point radio.


Step 1 After enabling Monitor Mode at the access point level, choose Configure > Access Points.

Step 2 At the All Access Points Summary window, choose the 802.11 b/g Radio link for the appropriate access point.

Step 3 At the Radio parameters window, disable Admin Status by unchecking the check box. This disables the radio.

Step 4 Check the Location Optimized Channel Assignment checkbox. Drop-down menus for each of the four configurable channels display.

Step 5 Select the four channels on which you want the access point to monitor tags.


Note You can configure fewer than four channels for monitoring. To eliminate a monitoring channel, select None from the channel drop-down menu.


Step 6 Click Save. Channel selection is saved.

Step 7 At the Radio parameters window, re-enable the radio by checking the Admin Status check box.

Step 8 Click Save. The access point is now configured as a LOMM access point.

The AP Mode displays as Monitor/LOMM on the Monitor > Access Points window.


Scheduling Radio Status

To schedule a radio status change (enable or disable), follow these steps:


Step 1 Choose Configure > Access Points.

Step 2 Choose the check box for the applicable access point(s).

Step 3 From the Select a command drop-down menu, choose Schedule Radio status.

Step 4 Click GO.

Step 5 Choose Enable or Disable from the Admin Status drop-down menu.

Step 6 Use the Hours and Minutes drop-down menus to determine the scheduled time.

Step 7 Click the calendar icon to select the scheduled date for the status change.

Step 8 If the scheduled task is recurring, choose Daily or Weekly, as applicable. If the scheduled task is a one-time event, choose No Recurrence.

Step 9 Choose Submit to confirm the scheduled task.


Viewing Scheduled Tasks

To view currently scheduled radio status tasks, follow these steps:


Step 1 Choose Configure > Access Points.

Step 2 Choose the check box for the applicable access point(s).

Step 3 From the Select a command drop-down menu, choose View Scheduled Task(s).

Step 4 Click GO.

The Scheduled Task(s) information includes:

Scheduled Task(s)—Choose the task to view its access points and access point radios.

Scheduled Radio adminStatus—Indicates the status change (Enable or Disable).

Schedule Time—Indicates the time the schedule task occurs.

Execution status—Indicates whether or not the task is scheduled.

Recurrence—Indicates Daily or Weekly if the scheduled task is recurring.

Next Execution—Indicates the time and date of the next task occurrence.

Last Execution—Indicates the time and date of the last task occurrence.

Unschedule—Click Unschedule to cancel the scheduled task. Click OK to confirm the cancellation.


Viewing Audit Status (for Access Points)

An Audit Status column on the Configure > Access Points window shows an audit status for each of the access points. You can also view the audit report for the selected access points. The report shows the time of the audit, the IP address of the selected access point, and the synchronization status.


Step 1 Choose Configure > Access Points.

Step 2 Click the Audit Status column value to go to the latest audit details page for the selected access point. This report is interactive and per access point.


Note If you hover over the Audit Status column value, the time of the last audit is displayed.



To run an access point on-demand audit report, select the desired access point for which you want to run the report and choose Audit Now from the Select a command drop-down menu. In versions prior to 4.1, the audit only spanned the parameters present on the AP Details and AP Interface Details page. In release 4.1, this audit report covers complete access point level auditing. The audit results are stored in the database so that you can view the latest audit reports without having to run another audit.


Note The audit can only be run on an access point that is associated to a controller.


Searching Access Points

Use the controls in the left sidebar to create and save custom searches:

New Search drop-down menu: Opens the Search Access Points window. Use the Search Access Points window to configure, run, and save searches.

Saved Searches drop-down menu: Lists the saved custom searches. To open a saved search, choose it from the Saved Searches list.

Edit Link: Opens the Edit Saved Searches window. You can delete saved searches in the Edit Saved Searches window.

You can configure the following parameters in the Search Access Points window:

Search By

Radio Type

Search in

Save Search

Items per page

After you click GO, the access point search results appear:

Table 9-2 Access Point Search Results 

Parameter
Options

AP Name

Name assigned to the access point. Click the access point name item to display details.

WCS

WCS name where access point was detected.

Ethernet MAC

MAC address of the access point.

IP Address

IP address of the access point.

Radio

Protocol of the access point is either 802.11a/n or 802.11b/g/n.

Map Location

Campus, building, and floor location.

Controller

IP address of the controller.

Admin Status

Administration site of the access point (Enabled or Disabled).

AP Type

Access point radio frequency type.

Operational Status

Displays the operational status of the Cisco radios (Up or Down).

Alarm Status

Alarms are color coded as follows:

Clear = No Alarm

Red = Critical Alarm

Orange = Major Alarm

Yellow = Minor Alarm


Viewing or Editing Rogue Access Point Rules

You can view or edit current rogue access point rules on a single WLC. Follow these steps to access the rogue access point rules. Refer to the "Configuring a Rogue AP Rules Template" section for more information.


Step 1 Choose Configure > Controllers.

Step 2 Click an IP address under the IP Address column.

Step 3 From the left sidebar menu, choose Security > Rogue AP Rules. The Rogue AP Rules displays the rogue access point rules, the rule types (malicious or friendly), and the rule sequence.

Step 4 Choose a Rogue AP Rule to view or edit its details.


Configuring Spectrum Experts

A Spectrum Expert client acts as a remote interference sensor and sends dynamic interference data to WCS. This feature allows the WCS to collect, monitor, and archive detailed interferer data from Spectrum Experts in the network.

To configure spectrum experts, choose Configure > Spectrum Experts. This page provides a list of all Spectrum Experts including:

Hostname—The hostname or IP address of the Spectrum Expert laptop.

MAC Address— The MAC address of the spectrum sensor card in the laptop.

Reachability Status— Specifies whether the Spectrum Expert is successfully running and sending information to WCS. The status appears as reachable or unreachable.

Adding a Spectrum Expert

To add a Spectrum Expert, follow these steps:


Step 1 Choose Configure > Spectrum Experts.

Step 2 Click Add a Spectrum Expert.


Note This link only appears when no spectrum experts are added. You can also access the Add a Spectrum Expert page by choosing Add a Spectrum Expert from the Select a command drop-down menu.


Step 3 Enter the Spectrum Expert's Hostname or IP address. If you use hostname, your spectrum expert must be registered with DNS in order to be added to WCS.


Note To be correctly added as a spectrum expert, the spectrum expert client must be running and configured to communicate to WCS.



Monitoring Spectrum Experts

You also have the option to monitor spectrum experts. Follow these steps to monitor spectrum experts:


Step 1 Choose Monitor > Spectrum Experts.

Step 2 From the left sidebar menu, you can access the Spectrum Experts > Summary page and the Interferers > Summary page.


Spectrum Experts > Summary

The Spectrum Experts Summary page provides a table of the Spectrum Experts added to the system. The table provides the following Spectrum Expert information:

Hostname—Displays the host name or IP address.

Active Interferers—Indicates the current number of interferes being detected by the Spectrum Experts.

Alarms APs—The number of access points seen by the Spectrum Experts that are potentially affected by detected interferers.

Alarms—The number of active interference traps sent by the Spectrum Expert. Click to access the Alarm page that is filtered to the active alarms for this Spectrum Expert.

Reachability Status—Indicates "Reachable" in green if the Spectrum Expert is running and sending data to WCS. Otherwise, indicates "unreachable" in red.

Location—When the Spectrum Expert is a wireless client, a link for location is available. It shows the location of the Spectrum Expert with a red box that shows the effective range.

Interferers > Summary

The Interferers Summary page displays a list of all the interferers detected over a 30-day interval. The table provides the following interferers' information:

Interferer ID—An identifier that is unique across different spectrum experts.

Category—Indicates the category of the interferer. Categories include: Bluetooth, cordless phones, microwave ovens, 802.11 FH, generic: fixed-frequency, jammers, generic: frequency-hopped, generic:continuous, and analog video.

Type—Active indicates that the interferer is currently being detected by a spectrum expert. Inactive indicates that the interferer is no longer detected by a spectrum expert or the spectrum expert saw that the interferer is no longer reachable by WCS.

Discover Time—Indicates when the interferer was discovered.

Affected Channels—Identifies affected channels.

Number of APs Affected—The number of access points managed by WCS that the spectrum expert detects or the interferers that the spectrum expert detected on the channels of the access point. Only active interferers are shown. If all of the following conditions are met, the access point is labelled as affected:

If the access point is managed by WCS.

If the spectrum expects detects the access point.

If the spectrum expert detects an interferer on the serving channel of the access point.

Power—Indicated in dBm.

Duty Cycle—Indicated in percentage. 100% is the worst value.

Severity—Indicates the severity ranking of the interferer. 100 is the worst case whereas 0 is no interference.

Spectrum Experts Details

The Spectrum Expert Details page provides all interference details from a single Spectrum Expert. This page updates every 20 seconds and gives a real-time look at the remote spectrum expert. This page includes the following items:

Total Interferer Count—Given from the specific spectrum expert.

Active Interferers Count Chart—Displays a pie chart that groups interferers by category.

Active Interferer Count Per Channel—Displays the number of interferers grouped by category on different channels.

AP List—Provides a list of access points detected by the spectrum expert. These access points are on channels that have active interferers detected.

Affected Clients List—Provides a list of clients that are currently authenticated to an access point in the access point list.

Configuring Wired Guest Access

Wired Guest Access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or specific ports in a conference room.

Like wireless guest user accounts, wired guest access ports are added to the network using the Lobby Ambassador feature. Refer to the "Creating Guest User Accounts" section.

Wired Guest Access can be configured in a standalone configuration or in a dual controller configuration employing an anchor and foreign controller. This latter configuration is used to further isolate wired guest access traffic but is not required for deployment of wired guest access.

Wired Guest Access ports initially terminate on a Layer 2 access switch or switch port which is configured with VLAN interfaces for wired guest access traffic.

The wired guest traffic is then trunked from the access switch to a wireless LAN controller. This controller is configured with an interface that is mapped to a wired guest access VLAN on the access switch.

If two controllers are being used, the controller (foreign) that receives the wired guest traffic from the switch then forwards the wired guest traffic to an anchor controller that is also configured for wired guest access. After successful hand off of the wired guest traffic to the anchor controller, a bidirectional Ethernet over IP (EoIP) tunnel is established between the foreign and anchor controllers to handle this traffic.


Note Although wired guest access is managed by anchor and foreign anchors when two controllers are deployed, mobility is not supported for wired guest access clients. In this case, DHCP and web authentication for the client are handled by the anchor controller.



Note You can specify how much bandwidth a wired guest user is allocated in the network by configuring and assigning a role and bandwidth contract. For details on configuring these features, refer to the "Creating Guest User Accounts" section.


Follow these steps to configure and enable wired guest user access on the network.


Step 1 To configure a dynamic interface for wired guest user access, click Configure > Controllers and after choosing a particular IP address, choose System > Interfaces. The Interfaces summary window appears.

Step 2 Choose Add Interface from the Select a command drop-down menu and click GO.

Step 3 Enter a name and VLAN ID for the new interface.

Step 4 Check the Guest LAN check box.

Step 5 Enter the IP address, netmask, and gateway address for the interface.

Step 6 Enter an IP address address for the primary and secondary DHCP server.

Step 7 Click Save. You are now ready to create a wired LAN for guest access.

Step 8 To configure a wired LAN for guest user access, click WLANs > WLAN from the left sidebar menu.

Step 9 Choose Add WLAN from the Select a command drop-down menu and click GO.

Step 10 If you have a template established that you want to apply to this controller, choose the guest LAN template name from the drop-down menu. Otherwise, click the click here link to create a new template.

Step 11 At the > New Template general panel, enter a name in the Profile Name field that identifies the guest LAN. Do not use any spaces in the name entered.

Step 12 Check the Enabled check box for the WLAN Status parameter.

Step 13 From the Ingress Interface drop-down menu, choose the VLAN that you created in Step 3. This VLAN provides a path between the wired guest client and the controller by way of the Layer 2 access switch.

Step 14 From the Egress Interface drop-down menu, choose the name of the interface. This provides a path out of the controller for wired guest client traffic.


Note If you have only one controller in the configuration, choose management from the Egress Interface drop-down menu.


Step 15 Click Security > Layer 3 to modify the default security policy (web authentication) or to assign specific web authentication (login, logout, login failure) pages and the server source.

a. To change the security policy to passthrough, check the Web Policy check box and the Passthrough option. This option allows users to access the network without entering a username or password.

An Email Input check box appears. Check this check box if you want users to be prompted for their e-mail address when attempting to connect to the network.

b. To specify custom web authentication windows, uncheck the Global WebAuth Configuration Enabled check box.

1. When the Web Auth Type drop-down menu appears, choose one of the following options to define the web login page for the wireless guest users:

Internal—Displays the default web login page for the controller. This is the default value.

Customized—Displays custom web login, login failure, and logout pages. When the customized option is selected, three separate drop-down menus for login, login failure, and logout page selection appear. You do not need to define a customized page for all three of the options. Choose None from the appropriate drop-down menu if you do not want to display a customized page for that option.

These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar files. For specifics on downloading custom pages, refer to the "Downloading Customized Web Authentication" section.

External—Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL field.

You can select specific RADIUS or LDAP servers to provide external authentication on the Security > AAA panel. To do so, continue with Step 16.


Note The RADIUS and LDAP external servers must be already configured to have selectable options on the Security > AAA panel. You can configure these servers on the RADIUS Authentication Servers page, TACACS+ Authentication Servers page, and LDAP Servers page.


Step 16 If you selected External as the Web Authentication Type in Step 15, click Security > AAA and select up to three RADIUS and LDAP servers using the drop-down menus.

Step 17 Click Save.

Step 18 Repeat this process if a second (anchor) controller is being used in the network.