User Guide for the CiscoWorks Wireless LAN Solution Engine, 2.5
Configuring Devices
Downloads: This chapterpdf (PDF - 1.92MB) The complete bookPDF (PDF - 7.77MB) | Feedback

Configuring Devices

Table Of Contents

Configuring Devices

Using the Templates

What is a Configuration Template?

Template Choices

IOS Templates

Naming the Template

Using Basic Settings

Setting Up Network Interfaces

Defining Security Settings

Defining Services

Configuring the Event Log

Configuring Wireless Services

Configuring Custom Values

Non-IOS Templates

Naming the Template

Using Basic Settings

Setting Up Association

Configuring the Ethernet Port

Configuring the 11b Radio

Configuring the 11a Radio

Defining the Security Settings

Configuring Services

Configuring Events

Configuring Custom Values

Previewing the Template

Saving the Template

Creating a Template

Copying a Template

Editing a Template

Converting a Template

Deleting a Template

Importing a Template

Exporting a Template

Managing Configuration Archives

Viewing Archived Configurations

Scheduling an Archive Collection

Viewing Archive Status

Editing the Archive

Selecting Overwrite Settings

Deleting Archived Configurations

Comparing Configurations

Exporting a Configuration to a File

Exporting a Configuration to a Template

Managing Jobs

Managing Configuration Jobs

How Do WLSE Configuration Jobs Work?

Recommendations For Running Configuration Jobs

Configuration Job Choices

Creating a Configuration Job

Viewing Configuration Job Status

Managing Archive Jobs

How Do Configuration Archive Jobs Work?

Recommendations For Using Configuration Archives

Archive Job Choices

Creating an Archive Job

Viewing Archive Job Status

Automating Configurations

Assigning a Startup Configuration

Creating a Startup Configuration Template

Creating an IOS Startup Template

Creating a Non-IOS Startup Template

Assigning an Auto-Managed Configuration

Assigning Auto-Managed Configurations

Using Auto-Managed Options


Configuring Devices


The Configure tab allows you to view, create, copy, edit, and delete configuration templates and apply them to large numbers of devices at a time. It also allows you to schedule a configuration job and to check on the job's status.

Following are the subtabs under Configure:


Note Some of the subtabs may not be visible to some users.


Templates—See Using the Templates.

Archives—See Managing Configuration Archives.

Jobs—See Managing Jobs.

Auto Update—See Automating Configurations.

Using the Templates

This is window allows you to create, modify, and delete configuration templates.

The topics covered in this section are:

What is a Configuration Template?

Template Choices

Creating a Template

Copying a Template

Editing a Template

Converting a Template

Deleting a Template

Importing a Template

Exporting a Template

Related Topics

Managing Jobs

What is a Configuration Template?

You can think of a configuration template as a configuration update file for an access point. This file might contain the update for only one parameter or a complete access point configuration.

Templates for non-IOS access points are stored internally as files in the .ini format that is understood by the access points. IOS-based templates are stored as text files containing IOS commands.

You can use the Configure > Templates option to:

Create a configuration template (see Creating a Template).

Import templates directly from devices and export them to files (see Exporting a Template).

Convert non-IOS templates to IOS-based templates (see Converting a Template).

Template Choices

The template choices vary depending upon the type of template you are creating:

IOS Templates

Non-IOS Templates

IOS Templates

When you create or edit an IOS configuration template, the following choices appear in the left pane of the Templates window:

1. Template Name—See Naming the Template.

2. Template Categories


Note Any or all of the template categories can be completed in any order.


Basic Settings—See Using Basic Settings.

Network Interfaces—See Setting Up Network Interfaces.

Security—See Defining Security Settings.

Services—See Defining Services.

Event Log—See Configuring the Event Log.

Wireless Services—See Configuring Wireless Services.

Custom Values—See Configuring Custom Values.

3. Preview—See Previewing the Template.

4. Save—See Saving the Template.

Naming the Template

This option enables to you to name the template.

Procedure


Note Clicking Clear removes all the entries you have made.



Step 1 Select Template Name. The Template Name dialog box appears:

Field
Description

Name

Enter a name for the template.

See Naming Guidelines.

Description

Enter a description of the purpose of the template.

See Naming Guidelines.

Do not click the Enter key at the end of the description; it will generate an error.


Step 2 Select a template category. For additional information, see Template Categories.


Using Basic Settings

Use this option if you need to set up an access point quickly with a simple configuration. This will allow you to enter all the access point's essential settings for basic operation.

Procedure


Step 1 Select Basic Settings. The Basic Settings dialog box displays in the right pane:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-1 Basic Settings 

Field
Description

Configuration Server Protocol

Set this entry to match the network's method of IP address assignment.

Select one of the following options:

DHCP—Use this setting if your network uses Dynamic Host Configuration Protocol, in which IP addresses are "leased" for predetermined periods of time.

Static IP—Use this setting if your network does has an automatic system for IP address assignment.

Default Gateway

Enter the IP address of your default Internet gateway.

The entry 255.255.255.255 indicates no gateway.

SNMP Community

Enter the SNMP community name.

Select one of the following: Read-Only, Read-Write

Radio0-802.11b

SSID

Enter any alphanumeric, case-sensitive string, from 1 to 32 characters long.

The SSID is a unique identifier that clients use to associate with the radio.

Role in Radio Network

Select one of the following:

Access Point Root—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.

Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.

Broadcast SSID in Beacon

Select one of the following:

Yes—Use this setting to allow devices that do not specify an SSID to associate with the access point.

No—Use this setting require that the SSID used by the client devices must match exactly the access point's SSID.

Optimize Radio Network for

Select one of the following:

Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.

Range—Use this setting to maximize the access point's range; however, it might reduce throughput.

Aironet Extensions

Select one of the following:

Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Disable—Use this setting to disables load balancing, Message Integrity Check (MIC), and WEP key hashing.

Radio0-802.11a

SSID

Enter any alphanumeric, case-sensitive string, from 1 to 32 characters long.

The SSID is a unique identifier that clients use to associate with the radio.

Role in Radio Network

Select one of the following:

Access Point Root—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.

Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.

Broadcast SSID in Beacon:

Select one of the following:

Yes—Use this setting to allow devices that do not specify an SSID to associate with the access point.

No—Use this setting require that the SSID used by the client devices must match exactly the access point's SSID.

Optimize Radio Network for

Select one of the following:

Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.

Range—Use this setting to maximize the access point's range; however, it might reduce throughput.

Default—Use this setting to specify the that the access point use settings entered for the Network Interfaces Settings.

Aironet Extensions

Select one of the following:

Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Disable—Use this setting to disables load balancing, Message Integrity Check (MIC), and WEP key hashing.


Step 2 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Up Network Interfaces

Use this option to configure the device's network interface settings.

Procedure


Step 1 Select Network Interfaces. The menu expands and the Network Interfaces: FastEthernet Settings dialog box displays in the right pane.

Step 2 Select one of the following from the menu:

FastEthernet—See Configuring Fast Ethernet Settings.

Radio-802.11b—See Configuring Radio-802.11b Settings.

Radio-802.11a—See Configuring Radio-802.11a Settings


Configuring Fast Ethernet Settings

Use this option to define the Fast Ethernet port settings.

Procedure


Step 1 Select Network Interfaces > FastEthernet. The Network Interfaces: FastEthernet Settings dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-2 Fast Ethernet Settings 

Field
Description

Enable Ethernet

Select one of the following:

Enable—Use this setting to enable Ethernet.

Disable—Use this setting to disable Ethernet.

Requested Duplex

Select one of the following:

Auto—Use this setting to allow the duplex setting to be automatically negotiated between the access point and the hub, switch, or router to which the access point is connected.

Half—Use this setting to allow operation in half-duplex mode.

Full—Use this setting to allow operation in full-duplex mode.

Requested Speed

Select one of the following:

Auto—Use this setting to allow the transmission speed to be automatically negotiated between the access point and the hub, switch, or router to which the access point is connected.

100Mbps—Use this setting to allow a transmission speed of 100 Mbps.

10Mbps—Use this setting to allow a transmission speed of 10 Mbps.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Radio-802.11b Settings

Use this option to configure the device's 802.11b radio.

Procedure


Step 1 Select Network Interfaces > Radio-802.11b. The Network Interfaces: Radio-802.11b dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-3 Radio-802.11b Settings 

Field
Description

Enable Radio

Select one of the following:

Enable—Use this setting to allow the access point to send packets through its 802.11b radio interface and monitor when other devices use the 802.11b radio interface to send packets.

Disable—Use this setting to change the administrative state of the radio from up to down.

Role in Radio Network

(Fallback mode upon loss of Ethernet connection)

This setting is used to configure a fallback role for the access point. The access point automatically assumes the fallback role when its Ethernet port is disabled or disconnected from the wired LAN.

Select one of the following:

Access Point Root (Fallback to Radio Island)—Use this setting to enable wireless clients to continue to associate even when there is no connection to the wired LAN.

Access Point Root (Fallback to Radio Shutdown)—Use this setting to force the clients to associate to another access point, if one is available, when the radio shuts down because the wired connection is lost.

Access Point Root (Fallback to Repeater)—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.

Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.

Data Rates

Click one of the following to automatically set the data transmission rates:

Best Range—Use this setting to maximize the access point's range; however, it might reduce throughput.

Best Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.

Or

Select one of the following to manually set the data transmission rates:

Require—Use this setting to enable transmission at this rate for all packets, both unicast and multicast. At least one data rate must be set to Require. A client must support a required rate before it can associate.

Enable—Use this setting to enable transmission at this rate for unicast packets only.

Disable—Use this setting to not allow transmission at this rate.

Transmitter Power (mW)

Select the power level of the radio transmission.

Note Government regulations define the highest allowable power level for radio devices. This setting must conform to established standards for the country in which you use the device.

To reduce interference, limit the range of your access point, or conserve power, select a lower power setting.


Caution Do not use the 50mW or 10mW setting for Japanese channels.

For a list of maximum power levels allowed in each regulatory domain refer to one of the following:

URL: http://www.cisco.com/en/US/products/hw/wireless/ps430/products_command_reference_chapter09186a0080147d8b.html#87443

Cisco IOS Commands for Access in the Cisco Aironet 1200 Series Access Point Command Reference.

Limit Client Power (mW)

Use this setting to limit the power level on client devices that associate to the access point. When a client device associates to the access point, the access point sends the maximum power level setting to the client.

Default Radio Channel

From the list, select the radio channel you want for a default.

If you select Least Congested Frequency, the access point scans for the radio channel that is least busy and selects that channel for use. The device scans at power-up and when the radio settings are changed.

Least Congested Channel Search

If you want to limit the channels the access point scans when the Default Radio Channel is set for Least Congested Frequency, select one or more channels from the list.

World Mode Multi-Domain Operation

Select one of the following:

Enable—Use this setting to enable the access point to add channel carrier set information to its beacon.

Client devices with world-mode enabled receive the carrier set information and adjust their settings automatically.

Disable—Use this setting to not allow the access point to add channel carrier set information to its beacon.

Radio Preamble

Select one of the following:

Short—Use this setting to improves throughput performance; Cisco Aironet's Wireless LAN Adapter supports short preambles.

Long—Use this setting to ensure compatibility between the access point and all early models of Cisco Aironet Wireless LAN Adapters (PC4800 and PC4800A).

Receive Antenna

From the list, select one of the following:

Diversity—Use this setting if your access point has two fixed (non-removable) antennas; it tells the access point to use the antenna that receives the best signal.

Left—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's left connector. (When you look at the access point's back panel, the left antenna is on the left.)

Right—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's right connector. (When you look at the access point's back panel, the right antenna is on the right.)

Transmit Antenna

Aironet Extensions

Select one of the following:

Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Disable—Use this setting to disable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Ethernet Encapsulation Transform

Select one of the following:

RFC1042—Use this setting to ensure interoperability with non-Cisco Aironet wireless equipment.

802.1H—Use this setting to provide optimum performance for Cisco Aironet wireless products.

Reliable Multicast to WGB

Select one of the following:

Disable—Use this setting to not allow reliable multicast to workgroup bridges.

Enable—Use this setting to allow reliable multicast to workgroup bridges.

Public Secure Packet Forwarding

Note Use this setting only if no VLAN is configured. If a VLAN is configured, then enable and disable PSPF by selecting Services > VLAN.

Select one of the following:

Enable—Use this setting to enable use of the protected port for secure mode configuration. (No exchange of unicast, broadcast, or multicast traffic occurs between protected ports.)

Disable—Use this setting to disable the use of the port fro secure mode configuration.

Beacon Period

Enter the amount of time between beacons in kilomicroseconds. (One kilomicrosecond equals 1,024 microseconds.)

Data Beacon Rate (DTIM)

Enter the amount of time, always a multiple of the beacon period, to determine how often the beacon contains a delivery traffic indication message (DTIM).

The DTIM tells power-save client devices that a packet is waiting for them.

If the beacon period is set at 100, its default setting, and the data beacon rate is set at 2, its default setting, then the access point sends a beacon containing a DTIM every 200 kilomicrosecond.

Max. Data Retries

Enter the maximum number of attempts the access point makes to send a packet before giving up and dropping the packet.

RTS Max. Retries

Enter the maximum number of times the access point issues an RTS before stopping the attempt to send the packet through the radio.

Fragmentation Threshold

Enter a setting to determine the size at which packets are fragmented (sent as several pieces instead of as one block).

Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

RTS Threshold

Enter a setting to determine the packet size at which the access point issues a request to send (RTS) before sending the packet.

A low RTS Threshold setting can be useful in areas where many client devices are associating with the access point, or in areas where the clients are far apart and can detect only the access point and not each other.

Repeater Parent AP Timeout

Enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list.

Repeater Parent AP MAC1 though MAC 4

Enter the MAC address for the access point to which the repeater should associate.

You can enter MAC addresses for up to four parent access points. The repeater attempts to associate to MAC address 1 first; if that access point does not respond, the repeater tries the next access point in its parent list.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Radio-802.11a Settings

Use this option to configure the device's 802.11a radio.

Procedure


Step 1 Select Network Interfaces > Radio-802.11a. The Network Interfaces: Radio-802.11a dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-4 Radio-802.11a Settings 

Field
Description

Enable Radio

Select one of the following:

Enable—Use this setting to allow the access point to send packets through its 802.11a radio interface and monitor when other devices use the 802.11a radio interface to send packets.

Disable—Use this setting to change the administrative state of the radio from up to down.

Role in Radio Network

(Fallback mode upon loss of Ethernet connection)

This setting is used to configure a fallback role for the access point. The access point automatically assumes the fallback role when its Ethernet port is disabled or disconnected from the wired LAN.

Select one of the following:

Access Point Root (Fallback to Radio Island)—Use this setting to enable wireless clients to continue to associate even when there is no connection to the wired LAN.

Access Point Root (Fallback to Radio Shutdown)—Use this setting to force the clients to associate to another access point, if one is available, when the radio shuts down because the wired connection is lost.

Access Point Root (Fallback to Repeater)—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.

Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.

Data Rates

Click one of the following to automatically set the data transmission rates:

Best Range—Use this setting to maximize the access point's range; however, it might reduce throughput.

Best Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.

Default—Use this setting to compromise between range and throughput, providing good range and good throughput.

Or

Select one of the following to manually set the data transmission rates:

Require—Use this setting to enable transmission at this rate for all packets, both unicast and multicast. At least one data rate must be set to Require. A client must support a required rate before it can associate.

Enable—Use this setting to enable transmission at this rate for unicast packets only.

Disable—Use this setting to not allow transmission at this rate.

Transmitter Power (mW)

Select the power level of the radio transmission.

Note Government regulations define the highest allowable power level for radio devices. This setting must conform to established standards for the country in which you use the device.

To reduce interference, limit the range of your access point, or conserve power, select a lower power setting.

For a list of maximum power levels allowed in each regulatory domain refer to one of the following:

URL: http://www.cisco.com/en/US/products/hw/wireless/ps430/products_command_reference_chapter09186a0080147d8b.html#87443

Cisco IOS Commands for Access in the Cisco Aironet 1200 Series Access Point Command Reference.

Limit Client Power (mW)

Use this setting to limit the power level on client devices that associate to the access point. When a client device associates to the access point, the access point sends the maximum power level setting to the client.

Default Radio Channel

From the list, select the radio channel you want for a default.

If you select Least Congested Frequency, the access point scans for the radio channel that is least busy and selects that channel for use. The device scans at power-up and when the radio settings are changed.

Least Congested Channel Search

If you want to limit the channels the access point scans when the Default Radio Channel is set for Least Congested Frequency, select one or more channels from the list.

Receive Antenna

From the list, select one of the following:

Diversity—Use this setting if your access point has two fixed (non-removable) antennas; it tells the access point to use the antenna that receives the best signal.

Left—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's left connector. (When you look at the access point's back panel, the left antenna is on the left.)

Right—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's right connector. (When you look at the access point's back panel, the right antenna is on the right.)

Transmit Antenna

Aironet Extensions

Select one of the following:

Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Disable—Use this setting to disable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Ethernet Encapsulation Transform

Select one of the following:

RFC1042—Use this setting to ensure interoperability with non-Cisco Aironet wireless equipment.

802.1H—Use this setting to provide optimum performance for Cisco Aironet wireless products.

Reliable Multicast to WGB

Select one of the following:

Disable—Use this setting to not allow reliable multicast to workgroup bridges.

Enable—Use this setting to allow reliable multicast to workgroup bridges.

Public Secure Packet Forwarding

Note Use this setting only if no VLAN is configured. If a VLAN is configured, then enable and disable PSPF by selecting Services > VLAN.

Select one of the following:

Enable—Use this setting to enable use of the protected port for secure mode configuration. (No exchange of unicast, broadcast, or multicast traffic occurs between protected ports.)

Disable—Use this setting to disable the use of the port fro secure mode configuration.

Beacon Period

Enter the amount of time between beacons in kilomicroseconds. (One kilomicrosecond equals 1,024 microseconds.)

Data Beacon Rate (DTIM)

Enter the amount of time, always a multiple of the beacon period, to determine how often the beacon contains a delivery traffic indication message (DTIM).

The DTIM tells power-save client devices that a packet is waiting for them.

If the beacon period is set to 100, its default setting, and the data beacon rate is set to 2, its default setting, then the access point sends a beacon containing a DTIM every 200 kilomicrosecond.

Max. Data Retries

Enter the maximum number of attempts the access point makes to send a packet before giving up and dropping the packet.

RTS Max. Retries

Enter the maximum number of times the access point issues an RTS before stopping the attempt to send the packet through the radio.

Fragmentation Threshold

Enter a setting to determine the size at which packets are fragmented (sent as several pieces instead of as one block).

Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

RTS Threshold

Enter a setting to determine the packet size at which the access point issues a request to send (RTS) before sending the packet.

A low RTS Threshold setting can be useful in areas where many client devices are associating with the access point, or in areas where the clients are far apart and can detect only the access point and not each other.

Repeater Parent AP Timeout

Enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list.

Repeater Parent AP MAC1 though MAC 4

Enter the MAC address for the access point to which the repeater should associate.

You can enter MAC addresses for up to four parent access points. The repeater attempts to associate to MAC address 1 first; if that access point does not respond, the repeater tries the next access point in its parent list.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining Security Settings

Use this option to configure the device's security settings.

Procedure


Step 1 Select Security. The menu expands and the Security: Admin Access dialog box displays in the right pane.

Step 2 Select one of the following from the menu:

Admin Access—See Configuring Admin Access Settings.

SSID 802.11x—See Configuring SSID 802.11x Settings.

WEP 802.11x—See Configuring WEP 802.11x Settings.

Server Manager—See Configuring Server Manager Settings.

Advanced Security—See Configuring Advanced Security.

Local Radius Server—See Setting Up the Local RADIUS Server.


Configuring Admin Access Settings

Use this option to add users to the system, remove users from the system, and assign user capabilities.

Procedure


Step 1 Select Security > Admin Access. The Security: Admin Access dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-5 Admin Access Settings 

Field
Description

Administrator Authenticated by

Select one of the following:

Default Authentication (Global Password)—Use this setting to skip the username and enter only a password.

You will need to enter the password in the Default Authentication (Global Password field below).

Local User List Only (Individual Password)—Use this setting to designate the local user list for authentication.

You will need to have at least one Read-Write user in the Local User List on the access point or in the Local User List field below.

Authentication Server Only—Use this setting to designate the server for authentication.

Authentication Server if not found in Local List—Use this setting to designate the server for authentication if not in the local list.

You will need to have at least one Read-Write user in the Local User List on the access point or in the Local User List field below.

Default Authentication (Global Password)

Default Authentication Password

Enter the password to be used as the default.

Confirm Authentication Password

Reenter the password.

Local User List (Individual Passwords)

User List

Lists the existing users.

To delete a username from the list, select it, then click Delete.

Username

Enter the username.

Password

Enter the password

Confirm Password

Reenter the password

Capability Settings

Select one of the settings, then click Add.

Delete Users

User ID

Enter the user identification, then click >>.

Users to Delete

Lists the users to be deleted.

To remove users from the list, click <<.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring SSID 802.11x Settings

Use this option to configure SSID 802.11b and 802.11a settings.

Procedure


Step 1 Select Security > SSID Manager. The Security: SSID Manager dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-6 SSID 802.11x Settings 

Field
Description

SSID List

Lists the currently configured SSIDs.

To delete an SSID from the list, select it, then click Delete.

SSID

Enter any alphanumeric, case-sensitive string, from 1 to 32 characters long.

The SSID is a unique identifier that clients use to associate with the radio.

VLAN

Enter the identification number of the VLAN.

Authentication Methods Accepted

Open Authentication

Select one of the following from the list:

MAC Authentication—Use this setting to specify that client devices that associate to the access point with open authentication, use MAC authentication.

EAP—Use this setting to specify that client devices that associate to the access point with open authentication, use EAP authentication.

MAC Authentication and EAP—Use this setting to allow client devices that associate to the access point using 802.11 open authentication to first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.

MAC Authentication or EAP—Use this setting to allow client devices that associate to the access point using open authentication to first attempt MAC authentication. If MAC authentication succeeds, the client device joins the network; if the client is also using EAP authentication, it attempts to authenticate using EAP. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.

Shared Authentication

Select one of the following from the list:

MAC Authentication—Use this setting to specify that client devices that associate to the access point with shared authentication, use MAC authentication.

EAP—Use this setting to specify that client devices that associate to the access point with shared authentication, use EAP authentication.

MAC Authentication and EAP—Use this setting to specify that client devices that associate to the access point with shared authentication, use MAC and EAP authentication.

Network EAP

Select the following from the list:

MAC Authentication—Use this setting to specify that client devices that associate to the access point with network EAP authentication, use MAC authentication.

Server Priorities

EAP Authentication Severs

Select one of the following:

Use Defaults—Use this setting to use the defaults.

Use Server Group—Use this setting to specify a server group then enter the group name.

Customize—Use this setting to create a new server group.

New Group Name—Enter a name for the new group.

Priority—Enter the server IP address or hostname.

Auth Port—Enter the authentication port.

Acct Port—Enter the accounting port.

or

Select a name from the list.

MAC Authentication Servers

Authenticated Key Management

From the list, select one of the following:

Note For 802.11a you select either CCKM or WPA; for 802.11b, you can select both.

None—Use this setting to indicate you do not want to use authenticated key management.

Mandatory—Use this setting to indicate authenticated key management is mandatory.

Optional—Use this setting to indicate authenticated key management is optional.

CCKM

Select this option to use Cisco Centralized Key Management (CCKM).

Using CCKM, authenticated client devices can roam from one access point to another without any perceptible delay during reassociation. An access point on your network acts as a wireless domain services (WDM) and creates a cache of security credentials for CCKM-enabled client devices on the subnet. The WDM's cache of credentials reduces the time required for reassociation when a CCKM-enabled client device roams to a new access point.

Note To enable CCKM for an SSID, you must configure network-EAP authentication.

WPA

Select this option to use Wi-Fi Protected Access (WPA).

The WPA key management uses a combination of encryption methods to protect communication between client devices and the access point.

If authentication key management is WPA, the client and authentication server authenticate to each other using an EAP authentication method (e.g., EAP-TLS) and generate a Pairwise Master Key.

Note To enable WPA for an SSID, you must also enable Open authentication and/or Network EAP.

WPA Pre-shared Key

Enter a key for the access point to support client devices using WPA key management.

For versions earlier than 12.2(11)JA, Enter a WEP key. For 40-bit encryption, enter 10 hexadecimal digits; for 128-bit encryption, enter 26 hexadecimal digits.

Select either ASCII or Hexadecimal. If you use hexadecimal, you must enter 64 hexadecimal characters (unencrypted key) to complete the 256-bit key. If you use ASCII, you must enter a minimum of 8 letters, numbers, or symbols, and the access point expands the key for you. Up to 63 ASCII characters are allowed.

EAP Client Username

Enter the username used for EAP authentication when the repeater access point is associating with a parent access point.

Password

Enter the EAP client password.

Association Limit

Enter the maximum number of clients that may associate to a particular SSID. This limit prevents access points from getting overloaded and helps to provide an adequate level of service to associated clients.

Proxy Mobile IP

Select one of the following:

Enable—Use this setting to use this server for storing security association (SA) bindings for mobile agents. The access point uses this server to retrieve the SPI and key associated with the IP address of the client to which it is trying to roam. The SPI and key is then sent to the home agent to validate the client before allowing it to roam.

Disable—Use this setting if you do not want the server used for storing SA bindings for mobile agents.

Accounting

From the list, select one of the following:

Enable—Use this setting to indicate whether you want this server to record usage data of clients associating with the access point.

Disable—Use this setting to turn off accounting for your wireless network

Accounting Server Priorities

Select one of the following:

Use Defaults—Use this setting to select the defaults.

Use Server Group—Use this setting to specify a server group, then enter the name of the group.

Customize—Use this setting to create a new server group, then enter the name of the group.

Priority—Enter the server IP address or hostname.

Auth Port—Enter the authentication port.

Acct Port—Enter the accounting port.

or

Select a name from the list.


Step 3 Click Save.

Step 4 To delete an entry from the listbox, select it, then click Delete.

Step 5 Complete the following to set global SSID properties:

Table 4-7 Setting SSID 802.11x Global Properties 

Field
Description

Set Guest Mode SSID

Enter the your access point's guest-mode SSID. The access point includes the SSID in its beacon and allows associations from client devices that do not specify an SSID.

Set Infrastructure SSID

Enter the SSID that other access points and workgroup bridges use to associate to this access point. If you do not designate an SSID as the infrastructure SSID, infrastructure devices can associate to the access point using any SSID.

Force infrastructure device to associate only to this SSID

Select this option to force infrastructure devices to associate to the access point using the specified SSID.


Step 6 Complete the following to delete an SSID:

Table 4-8 Setting SSID 802.11x Global Properties 

Field
Description

SSID

Enter the SSID you want to delete, then click >>. The SSID is added to the SSID to Delete list.

SSID to Delete

Lists the SSIDs to delete. To remove an SSID from this list, click <<.


Step 7 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring WEP 802.11x Settings

Use this option to select authentication types for the access point. The WEP keys allow you to encrypt radio signals sent by the device and decrypt radio signals received by the device.

Procedure


Step 1 Select Security > WEP 802.11x. The Security: WEP Key Manager dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-9 WEP 802.11x Settings 

Field
Description

Set Encryption Mode and Keys for VLAN

Enter the VLAN for which you want to set the encryption mode and keys.

If you enter None, properties are applied globally.

VLAN List

Lists the currently configured VLANs.

To remove a VLAN from the list, select it, then click Delete.

Encryption Modes

None

Select this option if the device communicates only with client devices that are not using WEP.

WEP Encryption

Select this option if you want to use WEP key encryption.

From the list, select one of the following:

Optional—Use this option to allow client devices to communicate with the access point either with or without WEP.

Mandatory—Use this option to require client devices to use WEP when communicating with the access point. Devices not using WEP are not allowed to communicate.

Check one of the following:

Cisco Compliant TKIP Features—Use this option to enable Temporal Key Integrity Protocol (TKIP).

When TKIP is enabled, all WEP-enabled client devices associated to the access point must support WEP key hashing, or they will not be able to communicate with the access point.

Enable MIC—Use this setting if you to enable Message Integrity Check (MIC). When you enable MIC, only MIC-capable client devices can communicate with the access point.

Enable Per Packet Keying—Use this option to enable MIC on both the access point and all associated client devices. A few bytes are added to each packet to make the packets tamper-proof.

Cipher

Select this option to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM).

Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN.

From the list, select the one of the cipher suites.

WEP—Wired equivalent privacy is the least secured cipher suite.

TKIP—Temporal key integrity protocol is the most secured cipher suite.

CKIP—Cisco Key Integrity Protocol is Cisco's WEP key permutation technique based on an early algorithm.

CMIC—Cisco Message Integrity Check) is Cisco's message integrity check mechanism designed to detect forgeries attracts.

WEP Keys

Encryption Keys 1 through 4

Transmit Key

Select to indicate this is the key you want to use to transmit packets. Only one key can be selected at a time.

Encryption Key

Enter the type of encryption key used:

For 40-bit WEP keys, enter as 10 hexadecimal digits (0-9, a-f, or A-F).

For 128-bit WEP keys, enter as 26 hexadecimal digits (0-9, a-f, or A-F).

Key Size

From the list, select one of the following:

40 bit

128 bit

Broadcast Key Rotation Interval

Select one of the following:

Disable Rotation—Use this setting to disable broadcast key rotation.

Enable Rotation with Interval—Use this setting for the access point to provide a dynamic broadcast WEP key and to change it at the selected interval.

WPA Group Key Update

Select the appropriate checkbox to determine how frequently the access point changes and distributes the group key to WPA-enabled client devices.

Enable Group Key Update on Membership Termination—Select this setting if clients do not roam frequently among access points.

The access point generates and distributes a new group key when any authenticated station disassociates from the access point. This option keeps the group key private to only currently active members. However, it may generate some overhead if clients in your network roam frequently.

Enable Group Key Update on Member's Capability Change—Use this setting, when in WPA migration mode, to improve the security of the key management capable clients when there are no legacy clients associated to the access point.

The access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates.


Step 3 Click Save. The VLAN is added to the list box.

Step 4 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Server Manager Settings

Use this option to enter the authentication settings. The RADIUS server on the your network uses EAP to provide authentication service for wireless client devices.

Procedure


Step 1 Select Security > Server Manager. The Security: Server Manager dialog box appears.

Step 2 Complete the following to add a server to the list:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-10 Backup Radius Server 

Field
Description

Backup Radius Server

Select one of the following:

Create—Use this setting to create a backup RADIUS server.

Delete—Use this setting to delete a backup RADIUS server.

Backup Radius Server

Enter the hostname or IP address of the RADIUS server you are either creating or deleting.

Shared Secret

Enter the server's shared secret.

Corporate Servers

Current Server List

Lists the servers that are currently configured.

To remove a server from the list, select it, then click Delete.

RADIUS

Select this option if you are configuring settings for RADIUS.

TACACS+

Select this option if you are configuring settings for TACACS+.

Server

Enter the hostname or IP address for the selected server.

Shared Secret

Enter the shared secret used by your server.

Authentication Port

Enter the port number your server uses for authentication. Enter the port number the server uses for authentication.

Accounting Port

Enter the port number your server uses for accounting.


Step 3 Click Save. The server appears on the list.

Step 4 To delete a server, select it from the list, then click Delete.

Step 5 Complete the following to set default server priorities:

Table 4-11 Default Server Priority Settings

Field
Description

EAP Authentication

Priority—Enter the server IP address or hostname.

Auth Port—Enter the authentication port used by the server.

Acct Port—Enter the accounting port used by the server.

MAC Authentication

Accounting

Admin Authentication (RADIUS)

Admin Authentication (TACACS+)

Proxy Mobile IP Authentication


Step 6 Complete the following to set global server properties:

Table 4-12 Global Server Properties 

Field
Description

Accounting Update Interval

Enter the interval at which the accounting updates should be performed.

The accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming.

TACACS+ Server Timeout

Enter the number of seconds the access point should wait before resending the request.

RADIUS Server Timeout

Enter the number of seconds the access point should wait before resending the request.

RADIUS Server Retransmit Retries

Enter the number of seconds the access point should wait before giving up contacting the server.

Dead Server List

When a server is found to be unresponsive after numerous retransmissions and time-outs, it is assumed to be dead and is put in a dead server list.

Select one of the following:

Disable—Use this setting to disable the feature.

Enable; Server remains on list for—Use this setting to enable the feature and to set the length of time for which the server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).

RADIUS Attributes

Remove Existing WISPr Location-ID

Select to remove the existing location identification configured on the access point, which is sent with authentication and account requests, and use the ISO and E.164 country codes, and E.164 area code instead.

ISO Country Code

Enter a unique two-letter code.

Information about the ISO 3166 country codes can be found at the following URL: http://www.iso.ch/iso/en/prods-services/iso3166ma/index.html

E.164 Country Code

Enter a three-digit code for special uses.

Information about the ISO 3166 country codes can be found at the following URL: http://www.iso.ch/iso/en/prods-services/iso3166ma/index.html.

E.164 Area Code

Enter a three-digit code based on the International Telecommunication Union (ITU) Telecommunication Standardization Sector (ITU-T) recommendations.

Information about ITU-T can be found at the following URL: http://www.itu.int/ITU-T/


Step 7 Complete the following to delete RADIUS servers:

Table 4-13 Deleting Servers and Server Groups 

Field
Description

Servers to Delete

Lists the servers to delete.

To delete a server from the list, select it, then click Delete.

Delete Server

Enter the server you want to delete, then select either RADIUS or TACACS+.

Authentication Port

Enter the port number your RADIUS/TACACS+ server uses for authentication.

From Group

Enter the name of the group from which you want to delete the server.

Delete Server also?

If you want to delete the server from the group and delete the server itself, select, then click >>. The group name is added to the list.

Click Add Server to Delete List and the server name is added to the Servers to Delete.


Step 8 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Advanced Security

Use this option to set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication.

When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication. If MAC authentication succeeds, the client device joins the network. If the client is also using EAP authentication, it attempts to authenticate using EAP. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.

Procedure


Step 1 Select Security > Advanced Security. The Security: Advanced Security dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-14 Advanced Security 

Field
Description

MAC Address Authentication

MAC Addresses Authenticated by

Select one of the following:

Local List Only—Use this setting if you want the authentication to be stored on the access point, and enter MAC addresses.

Authentication Server Only—Use this setting if you want the authentication to be stored on the server.

Authentication Server if not found in Local List—Use this setting if you want to try MAC authentication list first and then automatically try the Authentication server list.

Holdoff Time

Client Holdoff Time

Select one of the following:

Disable Holdoff—Use this setting to disable the client holdoff feature.

Enable Holdoff with Interval—Use this setting to specify the number of seconds a client device must wait before it can reattempt to authenticate following a failed authentication.

TKIP MIC Failure Holdoff Time (Radio0-802.11X)

Select one of the following:

Disable Holdoff—Use this setting to disable the TCIP MIC failure holdoff feature.

Enable Holdoff with Interval—Use this setting to enable the TKIP MIC failure hold time. The number of seconds you enter specifies the amount of time the access point blocks all TKIP clients on the interface.

Local MAC Address List

Local List

The local MAC address list is displayed in this listbox.

To delete an entry, select it, then click Delete.

New MAC Address

Enter the MAC address, then click Add.

Radio0-802.11b EAP Authentication

EAP Reauthentication Interval

Select one of the following:

Disable Reauthentication—Use this setting to disable reauthentication.

Enable Reauthentication with Interval—Use this setting to enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate.

Enable Reauthentication with Interval given by Authentication Server—Use this setting to use the reauthentication period specified by the authentication server.

EAP Client Timeout

Enter the number of seconds the access point should wait for a reply from a client attempting to authenticate before the authentication fails.

Radio1-802.11a EAP Authentication

EAP Reauthentication Interval

Select one of the following:

Disable Reauthentication—Use this setting to disable reauthentication.

Enable Reauthentication with Interval—Use this setting to enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate.

Enable Reauthentication with Interval given by Authentication Server—Use this setting to use the reauthentication period specified by the authentication server.

EAP Client Timeout

Enter the number of seconds the access point should wait for a reply from a client attempting to authenticate before the authentication fails.

Association Access List

Filter client association with MAC address access list

Select one of the following:

Enable— Use this setting to enable a MAC address filter for clients who are trying to associate with the access point.

Disable—Use this setting to prevent clients from associating based on their MAC addresses.

Filter

Enter the MAC address filter or select one from the list.


Step 3 Complete the following to delete local MAC addresses:

Table 4-15 Deleting Local MAC Addresses

Field
Description

MAC Address

Enter the address you want to delete, then click >>. The address is added to the MAC Addresses to Delete list.

MAC Addresses to Delete

Lists the MAC dress to delete.

To remove an address from the list, select it, then click <<.


Step 4 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Up the Local RADIUS Server

Use this option to configure local server settings.

Procedure


Step 1 Select Security > Local Radius Server. The Security: Local Radius Server - General Set-Up dialog box appears.

Using this option you can do the following:

Set up the network access server—See Setting Up Network Access Servers.

Set up user groups—Setting Up User Groups.

Set up individual users—Setting Up Individual Users.

Delete servers, groups, and users—Deleting Servers, Groups, and Users.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Setting Up Network Access Servers

Procedure


Step 1 Complete the following:

Table 4-16 Local Radius Server - Network Access Server 

Field
Description

Current Network Access Servers

Lists the network access servers.

To remove a server from the list, select it, then click Delete.

Network Access Server

Enter the IP address of the RADIUS server.

Shared Secret

Enter the shared secret text string used between the access point and the RADIUS server.


Step 2 Click Save. The server appears in the Current Network Access Severs list.

Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Up User Groups

Procedure


Step 1 Complete the following:

Table 4-17 Local Radius Server - User Groups 

Field
Description

Current User Group

Lists the user groups.

To remove a group from the list, select it, then click Delete.

Group Name

Enter a name for the a new group.

Session Timeout

Use this setting to specify the maximum number of seconds of service to be provided to the user before the session terminates.

Number of failed Authentications

Enter the number of times a user assigned to this group can provide an incorrect password; when the user fails this number of authentication attempts, the access point locks out the user. This setting helps prevent or delay password "dictionary" attacks.

Lockout

Select one of the following:

Infinite—Use this setting to manually unlock any locked-out users.

Interval—Use this setting to specify the length of time that the access point locks out a user before the user can reattempt authentication.

VLAN ID

Enter the identification number of the VLAN.

SSID

Enter the SSID (any alphanumeric, case-sensitive string, from 1 to 32 characters long), then click Add.

SSID List

Lists all the SSIDs.

To delete and SSID from the list, select it, then click Delete.


Step 2 Click Save. The Group name is added to the Current User Group List.

Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Up Individual Users

Procedure


Step 1 Complete the following:

Table 4-18 Local Radius Server - Individual Users 

Field
Description

Current User List

Lists the current usernames.

Username

Enter the username.

Password

Enter the password, then select Text or NT Hash.

Confirm Password

Reenter the password.

Group Name

From the list, select the group name or None if the user does not belong to any group.


Step 2 Click Save. The user name is added to the Current User List.

Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Deleting Servers, Groups, and Users

Procedure


Step 1 Complete the following:

Table 4-19 Deleting Servers, Groups, and Users 

Field
Description

Server

Enter the server you want to delete, then click Add. The server name is added to the Servers to Delete list.

Servers to Delete

Select the server to delete, then click Delete.

Group

Enter the group you want to delete, then click Add. The group name is added to the Groups to Delete list.

Groups to Delete

Select the group to delete, then click Delete.

User

Enter the user you want to delete, then click Add. The user name is added to the Servers to Delete list.

Users to Delete

Select the user to delete, then click Delete.


Step 2 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining Services

Use this option to configure various system features and support services on the device.

Procedure


Step 1 Select Services. The menu expands and the Security: Telnet/SSH dialog box displays in the right pane.

Step 2 Select one of the following from the menu:

Telnet/SSH—See Configuring Telnet/SSH.

Hot Standby—See Configuring Hot Standby.

CDP—See Configuring CDP.

DNS—See Configuring DNS.

MAC address filters—See Configuring MAC Address Filters.

IP filters—See Configuring IP Filters.

Ethertype filters—See Configuring Ethertype Filters.

HTTP—See Configuring HTTP.

Proxy Mobile IP—See Configuring Proxy Mobile IP.

QoS policies—See Configuring QoS Policies.

QoS radio 802.11x—See Configuring QoS Radio 802.11x.

SNMP—See Configuring SNMP.

NTP—See Configuring NTP.

VLAN—See Configuring VLAN.

ARP Cache—See Configuring ARP Cache.

Configuring Telnet/SSH

Use this option to configure the access point to work through Telnet or SSH.

Procedure


Step 1 Select Services > Telnet/SSH. The Services: Telnet/SSH dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-20 Telnet/SSH  

Field
Description

Telnet

Select one of the following:

Enabled—Use this setting to enable Telnet access to the management system.

Disabled—Use this setting to disable Telnet access to the management system.

Terminal Type

Select one of the following:

Teletype—Use this setting if your terminal emulator does not support ANSI.

ANSI—Use this setting to offer graphic features such as reverse video buttons and underlined links.

Columns

Enter a number to define the width of the terminal emulator display within the range of 64 characters to 132 characters.

Lines

Enter a number to define the height of the terminal emulator display within the range of 16 characters to 50 characters.

Secure Shell Configuration

Secure Shell

Select one of the following:

Enabled—Use this setting to enable secure shell.

Disabled—Use this setting to disable secure shell.

System Name

Enter a system name for your access point.

Domain Name

Enter a domain name for your access point.

RSA Key Size

Enter the additional bits used for authentication.

Note For SSH, you must enter a key size or it will remain disabled.

Authentication Timeout (optional)

Enter the timeout in seconds, not to exceed 120 seconds for the length of time for authentication to take place.

Authentication Retries (optional)

Enter the number of authentication retries.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Hot Standby

Use this option to configure an access point for hot standby mode. Hot standby mode designates an access point as a backup for another access point.

The standby access point is placed near the access point it monitors, and is configured exactly the same as the monitored access point.

The standby access point associates with the monitored access point as a client and queries the monitored access point regularly through both the Ethernet and the radio ports. If the monitored access point fails to respond, the standby access point comes online and takes the monitored access point's place in the network.

Procedure


Step 1 Select Services > Hot Standby. The Services: Hot Standby dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-21 Hot Standby 

Field
Description

Hot Standby Mode

Select one of the following:

Enabled—Use this setting to enable hot standby mode on the access point.

Disabled—Use this setting to disable hot standby mode on the access point.

MAC Address for the Monitored 802.11bRadio

Enter the MAC address of the access point to be monitored.

MAC Address for the Monitored 802.11a Radio

Polling Interval

Enter the number of seconds between queries that the access point sends to the monitored access point's radio and Ethernet ports.

Timeout for Each Polling

Enter the number of seconds the access point waits for a response from the monitored access point before it assumes that the monitored access point has malfunctioned.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring CDP

Use this option to enable, disable, or adjust the access point's CDP settings.

Procedure


Step 1 Select Services > CDP. The Services: CDP-Cisco Discovery Protocol dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-22 CDP Settings 

Field
Description

Cisco Discovery Protocol (CDP)

Select one of the following:

Enabled—Use this setting to enable CDP on the access point.

Disabled—Use this setting to disable CDP on the access point.

Packet Hold Time (optional)

Enter the number of seconds other CDP-enabled devices should consider the access point's CDP information valid.

Packets Sent Every (optional)

Enter the number of seconds between each CDP packet the access point sends.

This value should always be less than the packet hold time.

Individual Port Enable

Ethernet

Select one of the following:

Enabled—Use this option to enable CDP on the Ethernet port.

Disabled—Use this option to disable CDP on the Ethernet port.

Radio0-802.11b

Select one of the following:

Enabled—Use this option to enable CDP on the radio port.

Disabled—Use this option to disable CDP on the radio port.

Radio0-802.11a

Select one of the following:

Enabled—Use this option to enable CDP on the radio port.

Disabled—Use this option to disable CDP on the radio port.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring DNS

Use this option to configure the access point to work with your network's Domain Name System (DNS) server.

Procedure


Step 1 Select Services > DNS. The Services: DNS-Domain Name Service dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-23 DNS Settings 

Field
Description

Domain Name System (DNS)

Select one of the following:

Enabled—Use this setting if your network uses DNS.

Disabled—Use this setting if you network does not use DNS.

Domain Name (optional)

Enter the domain name.

Name Server IP Addresses

Enter the IP addresses of up to three domain name servers on your network.

Delete Name Severs

Server

Enter the server you want to delete, then click >>. The server name is added to the Servers to Delete list.

Servers to Delete

Select the server to delete, then click <<.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring MAC Address Filters

Use this option to configure MAC address filters.

MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify.

Procedure


Step 1 Select Services > MAC address filters. The Services: Filters - MAC Address Filters dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-24 MAC Address Filters 

Field
Description

Create and Apply

Select this option to create and apply MAC address filters.

Create Only

Select this option to create MAC address filters, but not apply them.

Apply Only

Select this option to apply the MAC address filters.

Filters List

Lists the currently configured filters.

To delete a filter from the list, select it, then click Delete Filter.

Filter Index

Enter a number from 700 to 799. The number you assign creates an access control list (ACL) for the filter.

Add MAC Address

Enter the MAC address.

Mask

Enter the subnet mask.

Action

From the list, select one of the following actions:

Forward—Use this setting to forward the MAC addresses.

Block—Use this setting to block the MAC addresses.

VLAN ID

Enter the VLAN identification number then click >>.

To remove a VLAN ID from the list, select it, then click <<.

Bridge-Group

Enter a valid bridge group number used by the interface for which you want to create or delete filters.

Apply Filter to

FastEthernet

Select one of the following:

Incoming—Use this option to apply the filter to the incoming packets.

Outgoing—Use this option to apply the filter to the outgoing packets.

Click AddFilter.

Radio0-802.11b

Radio0-802.11a

Default Action

Select one of the following:

Block All

Forward All

then click Update.

The filter's default action must be the opposite of the action for at least one of the addresses in the filter. For example, if you enter several addresses and you select Block as the action for all of them, you must choose Forward All as the filter's default action.

Filters Classes

Lists MAC addresses.

To remove the MAC address from the Filters Classes list, select it, then click Delete.

Delete Filters

Filters

To delete a filter, select it from the list, then click Delete.

Filter Index

Enter the filter index number.

VLAN ID

Enter the VLAN identification number, then click >> to add it to the list.

To delete a VLAN ID from the list, click <<.

Bridge-Group

Enter a valid bridge group number.

Remove Filter from

FastEthernet

Select one of the following:

Incoming—Use this option to remove the filter from the incoming packets.

Outgoing—Use this option to remove the filter from the outgoing packets.

Click AddFilter.

Radio0-802.11b

Radio0-802.11a


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring IP Filters

Use this option to create IP filters that prevent or allow the use of IP address(es), IP protocols, and TCP/UDP ports through the access point's Ethernet and radio ports.

If you use this template to apply IP filters to access points with versions 12.2(4)JA, 12.2(4)JA1, or 12.2(8)JA, the configuration commands generated through the template may not display correctly on the access point's UI.

To work around this problem, do the following:

1. Use this template to create the IP filters and select Create Only.

2. Click Preview.

3. Copy and paste the commands in the Preview window into a custom template (see Configuring Custom Values).

4. Note the following WLSE-generated commands:

permit/deny ip source-ip source-mask dest-ip dest-mask 
permit/deny tcp/udp any any eq port-number

5. Change the commands as follows:

For versions 12.2(4)JA or 12.2(4)JA1, enter the following custom values:

permit/deny ip source-ip source-mask any 
permit/deny tcp/udp any eq port-number any

For version12.2(8)JA, enter the following custom values:

permit/deny tcp/udp any eq port-number any

Procedure


Step 1 Select Services > IP Filters. The Services: Filters - IP Filters dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-25 IP Filters 

Field
Description

Create and Apply

Select this option to create and apply IP address filters.

Create Only

Select this option to create IP address filters, but not apply them.

Apply Only

Select this option to apply the IP address filters.

Filter Name List

List the currently configured filters.

To delete a filter from the list, select it, then click Delete Filter.

Filter Name

Enter a name for the filter.

Default Action

From the list, select one of the following:

Block All—Use this setting to block all IP addresses.

Forward All—Use this setting to forward all IP addresses.

then click Update.

IP Address

Destination Address

Enter the IP address that you want to filter.

Note This is not valid for versions 12.2(4) or 12.2(4)JA1.

Mask

Enter the mask for the destination IP address. Enter the mask with periods separating the three groups of four characters (255.255.255.240, for example).

If you enter 255.255.255.255 as the mask, the access point accepts any IP address.

If you enter 0.0.0.0, the access point looks for an exact match with the IP address you entered.

The mask you enter in this field behaves the same way that a mask behaves when you enter it in the CLI.

Source Address

Enter the IP address you want to filter.

Mask

Enter the mask for the source IP address. Enter the mask with periods separating the three groups of four characters (255.255.255.240, for example). The method for entering the mask depends on the release.

If you are using the 12.2(4)JA release, entering 0.0.0.0 as the mask causes the access point to accept any IP address.

If you enter 255.255.255.255, the access point looks for an exact match with the IP address you entered in the IP Address field.

If you are using the 12.2(8)JA or later release, entering 255.255.255.255 as the mask causes the access point to accept any IP address.

If you enter 0.0.0.0, the access point looks for an exact match with the IP address you entered in the IP Address field.

Action

From the list, select one of the following:

Forward —Use this setting to forward the IP address.

Block —Use this setting to block the IP address.

Click Add.

IP Protocol

IP Protocol

Do one of the following:

From the list, select a protocol.

Enter a custom protocol.

Action

From the list, select one of the following:

Forward —Use this setting to forward the IP protocol.

Block —Use this setting to block the IP protocol.

Click Add.

UDP/TCP Port

TCP Port

Do one of the following:

From the list, select a TCP port.

Enter a custom port.

Action

From the list, select one of the following:

Forward —Use this setting to forward the TCP port.

Block —Use this setting to block the IP TCP port.

Click Add.

UDP Port

Do one of the following:

From the list, select a TCP port.

Enter a custom port.

Action

From the list, select one of the following:

Forward —Use this setting to forward the UDP port.

Block —Use this setting to block the IP UDP port.

Click Add.

VLAN ID

Enter the VLAN identification number then click >>.

To remove a VLAN ID from the list, select it, then click <<.

Apply Filter to

FastEthernet

Select one of the following:

Incoming—Use this option to apply the filter to the incoming packets.

Outgoing—Use this option to apply the filter to the outgoing packets.

Click Apply.

Radio0-802.11b

Radio0-802.11a

Filters Classes

Lists the currently configured filters.

To delete a filter, select it, then click Delete.

Delete Filters

Filters

To delete a filter, select it from the list, then click Delete.

Filter Name

Enter the filter name.

VLAN ID

Enter the VLAN identification number, then click >> to add it to the list.

To remove a VLAN ID from the list, click <<.

Remove Filter from

FastEthernet

Select one of the following:

Incoming—Use this option to remove the filter from the incoming packets.

Outgoing—Use this option to remove the filter from the outgoing packets.

Click AddFilter.

Radio0-802.11b


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Ethertype Filters

Use this option to configure Ethertype filters to prevent or allow the use of specific L3 protocols through the access point's Ethernet and radio ports.

Procedure


Step 1 Select Services > Ethertype Filters. The Services: Filters - Ethertype Filters dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-26 Ethertype Filters 

Field
Description

Create and Apply

Select this option to create and apply Ethertype filters.

Create Only

Select this option to create Ethertype filters, but not apply them.

Apply Only

Select this option to apply the Ethertype filters.

Filters List

Lists the currently configured filters.

To remove a filter from the list, select it, then click Delete Filter.

Filter Index

Enter a number from 200 to 299. The number you assign creates an access control list (ACL) for the filter.

Add EtherType

Enter an Ethertype number.

Mask

Enter the mask for the Ethertype.

Action

From the list, select one of the following:

Forward —Use this setting to forward the traffic.

Block —Use this setting to block the traffic.

VLAN ID

Enter the VLAN identification number then click >>.

To remove a VLAN ID from the list, select it, then click <<.

Bridge-Group

Enter a valid bridge group number used by the interface for which you want to create or delete filters.

Apply Filter to

FastEthernet

Select one of the following:

Incoming—Use this option to apply the filter to the incoming packets.

Outgoing—Use this option to apply the filter to the outgoing packets.

Click Apply.

Radio0-802.11b

Radio0-802.11a

Default Action

From the list, select one of the following:

Block All—Use this setting to block all.

Forward All—Use this setting to forward all.

then click Update.

Filters Classes

Lists the currently configured filters.

To delete a filter, select it, then click Delete.

Delete Filters

Filters

To delete a filter, select it from the list, then click Delete.

Filter Index

Enter the filter index.

VLAN ID

Enter the VLAN identification number, then click Add to add it to the list.

To delete a VLAN ID from the list, click Delete.

Bridge-Group

Enter a valid bridge group number.

Remove Filter from

FastEthernet

Select one of the following:

Incoming—Use this option to remove the filter from the incoming packets.

Outgoing—Use this option to remove the filter from the outgoing packets.

Click AddFilter.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring HTTP

Use this option to configure HTTP settings for the access point.

Procedure


Step 1 Select Services > HTTP. The Services: HTTP-Web Server dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-27 HTTP 

Field
Description

Allow Web-based Configuration Management

Select one of the following:

Enabled—Use this setting to allow web-based browsing to the management system.

Disabled—Use this setting to disallow web-based browsing to the management system.

HTTP Port

Enter the port through which the access point provides web access.

Default Help Root URL

Enter the URL where the device can locate help files.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Proxy Mobile IP

Use this option to allow access points to help client devices from other networks remain connected to their home networks. The visiting client devices do not need special software, the access point provides proxy mobile IP services for the client.

Procedure


Step 1 Select Services > Proxy Mobile IP. The Services: Proxy Mobile IP dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-28 Proxy Mobile IP 

Field
Description

Proxy Mobile IP

Select one of the following:

Enabled—Use this setting to enable the proxy mobile IP feature on the access point.

Disabled—Use this setting to disable the proxy mobile IP features.

Select either Radio 802-11b or Radio 802.11a

GRE encapsulation in the Registration Request

Select one of the following:

Enabled—Use this setting to enable the access point to request the encapsulation type in all mobile node registration requests.

Disabled—Use this setting to disable this feature.

Reverse Tunnel in the Registration Request

Select one of the following:

Enabled—Use this setting to enable the access point to request reverse tunnel encapsulation in all mobile mode registration requests.

Disabled—Use this setting to disable this feature.

Authoritative Access Points (Hostname or IP Address)

Enter the hostname or IP address of up to three authoritative access points (AAPs) on the wireless network. At least one AAP is required for the proxy mobile IP feature to work.

Current SA Bindings List

Lists the clients that are able to establish contact with a foreign agent in another network segment or network other than the client's home network.

New/Edit SA Binding

IP Address Range

Enter the range IP addresses within which client devices must reside in order to be valid.

Security Parameter Index

Enter an index for the IP address range.

The index is a 32-bit number (8 hexadecimal digits) assigned to the initiator of the security association request by the receiving IPSec endpoint. On receiving a packet, the destination address, protocol, and SPI are used to determine the security association. The security association allows the node to authenticate or decrypt the packet according to the security policy configured for that security association.

Key

1. Enter a key (ASCII or Hexadecimal) used to access a foreign agent.

2. Select ASCII or Hexadecimal to indicate the type of key entered.


Step 3 Click Add. The entry is added to the Current SA Bindings list.

Step 4 To Delete and entry, select it from the Current SA Bindings list, then click Delete.

Step 5 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring QoS Policies

Use this option to configure quality of service policies.

If you know the applications used by wireless client devices, the applications' sensitivity to delay, and the amount of traffic associated with the applications, you can configure QoS to improve performance.

Procedure


Step 1 Select Services > QoS Policies. The Services: QoS Policies dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-29 QoS Policies 

Field
Description

Create and Apply

Select this option to create and apply QoS policies.

Create Only

Select this option to create QoS policies., but not apply them.

Apply Only

Select this option to apply the QoS policies.

QoS Element for Wireless Phones

Select one of the following:

Enable—Use this setting to specify that wireless phone clients' traffic has a higher priority than the rest of the clients.

Disable—Use this setting to disable this feature.

IGMP Snooping Helper

Select one of the following:

Enable—Use this setting to enable Internet Group Membership Protocol (IGMP) snooping. When this feature is enabled, the access point sends a general IGMP query to the network infrastructure on behalf of the client every time the client associates or reassociates to the access point. By doing so, the multicast stream is maintained for the client as it roams.

Disable—Use this setting to disable this feature.

AVVID Priority Mapping - Map Ethernet Packets with CoS 5 to CoS 6

Select one of the following:

Yes—Use this setting if your network is based on the Cisco AVVID specification. This setting will prioritize voice packets coming with priority 5 (video).

No—Use this setting if your network is not based on the Cisco AVVID specification.

Policy List

Lists the names of the existing policies.

To remove a name from the list, select it, then click Delete Policy.

Policy Name

Enter a name for the policy.

Classifications

Lists the classifications assigned to that policy.

To delete a classification, select it, then click Delete.

Match Classifications

Precedence

If the packets that you need to prioritize contain IP precedence information select an IP precedence classification from the list.

Apply Class of Service

From the list, select the class of service that the access point will apply to packets of the type that you selected from the Precedence list, then click Add.

IP DSCP

If the packets that you need to prioritize contain IP DSCP information, select an IP DSCP classification from the list or create a new one.

Apply Class of Service

From the list, select the class of service that the access point will apply to packets of the type that you selected from the IP DSCP list, then click Add.

IP Protocol 119

If you need to prioritize the packets from Spectralink on your wireless LAN, select the class of service the access point will apply to the phone packets, then click Add.

Apply Class of Service

Filter

If you need to assign a priority to filtered packets, from the list, select the filter to include in the policy or create a new one.

Apply Class of Service

From the list, select the class of service that the access point will apply to packets that match the filter that you selected or entered, then click Add.

Default Classification for Packets on the VLAN

If you want to set a default classification for all packets on a VLAN, select the class of service that the access point will apply to packets on a VLAN, then click Add.

VLAN ID

Enter the VLAN identification number, then click >> to add it to the list.

VLAN ID List

To delete a VLAN ID from the list, click <<.

Apply Policy to

FastEthernet

Select one of the following:

Incoming—Use this option to apply the filter to the incoming packets.

Outgoing—Use this option to apply the filter to the outgoing packets.

Click ApplyPolicy.

Radio0-802.11b

Radio0-802.11a

Remove Policy from Interface/VLANs

Policy List

To delete a policy, select it from the list, then click Delete.

Policy Name

Enter the name of the policy.

VLAN ID

Enter the VLAN identification number, then click >> to add it to the list.

VLAN ID List

To delete a VLAN ID from the list, click <<.

Remove Policy from

FastEthernet

Select one of the following:

Incoming—Use this option to remove the filter from the incoming packets.

Outgoing—Use this option to remove the filter from the outgoing packets.

Click AddPolicy.

Radio0-802.11B

Radio0-802.11A

Remove Policy Map and Class Map

Policy List

Lists the policies. Select the policy to remove, then click Delete.

Policy Name

Enter the policy name, then click Add Policy. The name appears in the Policy List.

Class Name

Enter the class name. Click >> to add it to the Class Name List

Class Name List

Click << to remove the class name from the list.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring QoS Radio 802.11x

Use this option to define traffic class QoS policies. The access point uses the radio traffic class definitions to calculate backoff times for each packet.

Procedure


Step 1 Select Services > QoS Radio 802.11x. The Services: QoS Policies - Traffic Class Definition dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-30 QoS Radio 802.11x Traffic Class Definition 

Field
Description

802.11e 4 Level Qos

Select for version 12.2(13)JA and above.

802.1D 8 Level Qos

Select for versions below 12.2(13)JA.

Background

Min Contention Window—Enter the minimum contention window value. The access point computes Contention Window values.

Max Contention Window—Enter the maximum contention window value. The access point computes Contention Window values.

Fixed Slot Time—Enter a value for a fixed slot time.

Best Effort

Video

Voice

802.1D 8 Level QoS

Select if you are setting 8 QOS levels.

Best Effort

Min Contention Window—Enter the minimum contention window value. The value listed is to the power of 2. The access point computes Contention Window values.

Max Contention Window—Enter the maximum contention window value. The value listed is to the power of 2. The access point computes Contention Window values.

Fixed Slot Time—Enter a value for a fixed slot time.

Background

Spare

Excellent Effort

Controlled Load

Video <100ms Latency

Voice <100ms Latency

Network Control


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring SNMP

Use this option to configure settings for notifications to be sent to an SNMP server.

Procedure


Step 1 Select Services > SNMP. The Services: SNMP- Simple Network Management Protocol dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-31 SNMP 

Field
Description

Simple Network Management Protocol (SNMP)

Select one of the following:

Enabled—Use this setting to allow event notifications to be sent to an SNMP server.

Disabled—Use this setting to disallow event notifications to be sent to an SNMP server.

System Name (optional)

Enter the name of the access point.

The name in this field is reported to your SNMP's management station as the name of the device when you use SNMP to communicate with the access point.

System Location (optional)

Enter a description of the access point's physical location, such as the building or room in which it is installed.

System Contact (optional)

Enter the name the system administrator responsible for the access point.

SNMP Request Communities

Current Community Strings

Lists the current community strings.

To delete an entry, select it, then click Delete.

To edit an entry, select it.

Edit Community Strings

SNMP Community—The SNMP Community value for the selected community string displays. SNMP community strings authenticate access to MIB objects and function as embedded passwords.

Object Identifier (Optional)—The Object Identifier value for the selected community string displays. Enter a new object identifier for the community string. The object identifier limits the scope of the SNMP MIB object that the user can access through the community string.

For for example, if you enter iso as the Object Identifier value for the public string, then only users using the public string can access the OID that is represented by the SNMP variable name iso, including all the variables that come under this variable starting at this point. (This is the MIB family view to which the community has access.)

Select one of the following one of the following: Read-Only or Read-Write.

SNMP Trap Destination

1. Enter the IP address or the host name of the server running the SNMP Management software.

2. Select one of the following:

Enable All Trap Notifications—Use this setting to enable all traps.

Enable Specific Traps—Use this setting to select one or more of trap types.

3. Click Save.

Delete Communities and SNMP Trap Destinations

Community

Enter the community to delete, then click >>.

Communities to Delete

Lists the communities to be deleted.

To delete a community, select it, then click <<.

SNMP Trap

Enter the IP address or the host name of the server to delete.

Communities

Enter the community associated with the SNMP trap, then click >>.

Destinations to Delete

Lists the SNMP trap destinations to be deleted.

To delete a destination, select it, then click <<.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring NTP

This option allows you to configure the date and time on using NTP (Network Time Protocol) servers.

Procedure


Step 1 Select Services > NTP. The Services: NTP - Network Time Protocol dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-32 NTP 

Field
Description

NTP Server

Network Time Protocol (NTP)

Select one of the following:

Enabled—Use this setting to use of NTP.

Disabled—Use this setting to disallow the use NTP.

Time Server IP Address (optional)

Enter the server's IP address.

Time Settings

GMT Offset

From the list, select one of the options.

Use Daylight Savings Time

Select one of the following:

Yes—Use this setting to use daylight savings time.

No—Use this setting if you are not going to use daylight savings time.

Manually Set Date

Use this setting to manually set the date.

Manually Set Time

Use this setting to manually set the time.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring VLAN

Using this option, you can configure VLANs on the access point.

Procedure


Step 1 Select Services > VLAN. The Services: VLAN dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-33 VLAN 

Field
Description

Global VLAN Properties

Set Native VLAN

From the list, select a VLAN for the default.

Assigned VLANs

Current VLAN List

Lists the current VLANs.

To delete a VLAN from the list, select it, then click Delete.

Create VLAN

VLAN ID

Enter a VLAN ID.

Bridge-Group

Enter the bridge group number.

If the VLAN ID you entered is less than 255, and you do not enter a value in this field, then the same number for the bridge group is automatically assigned.

If the VLAN ID you entered is 255 or greater you will need to know what bridge group numbers are unused on the access point and enter one of them.

When a VLAN is created directly on the access point, the access point dynamically assigns a bridge group to the VLAN. So, if you create a VLAN ID of 123, then the bridge group is 123.

If the VLAN is larger than 255, the access point starts at 255 and decrements the count until it gets to an unused bridge group number. So, if you create a VLAN ID of 500, the access point assigns a bridge group of 255 if that number is unused. If it is used, it will then try 254, and so on until it finds an unused number for the bridge group.

Enable Public Secure Packet Forwarding

Select to enable public secure packet forwarding (PSPF).

With PSPF enabled, client devices cannot communicate with other client devices on the wireless network. This feature is useful for public wireless networks like those installed in airports or on college campuses.

Radio0-802.11B

Radio1-802.11A

Select the radio.

SSID

Enter an SSID, then click Add.

Delete VLANs

VLANs to Delete

Lists the VLANs to delete.

To delete VLAN from the list, select it, then click Delete.

VLAN ID

Enter the identification number of the VLAN you want to add to the VLANs to Delete list.

Radio0-802.11B

Radio1-802.11A

Select the radio to delete.

SSID

Enter the SSID, then click Add. The VLAN appears in the VLANs to Delete list.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring ARP Cache

Address resolution protocol (ARP) is used to find the MAC address that corresponds to a particular IP address. Using this option, the access point remembers the IP addresses of its clients and will not send ARP requests to them.

This feature helps improve performance because it reduces traffic load over the wireless link. If all client IP address are not known, the access point drops the ARP request, and caching is prevented.

Procedure


Step 1 Select Services > ARP Cache. The Services: ARP Caching dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-34 ARP Cache 

Field
Description

Client ARP Caching

Select one of the following:

Enable—Use this setting to allow ARP caching.

Disable—Use this setting to disable the feature.

Forward ARP Requests To Radio Interfaces When Not All Client IP Addresses Are Known

Select when all client IP address are not known, so that the access point forwards the ARP request to all its clients, and caching is prevented


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring the Event Log

This option enables to you to customize the display of access point events.

Procedure


Step 1 Select Event Log. The menu expands and the Event Log: Configuration Options dialog box displays in the right pane.

Step 2 Select one of the following from the menu:

Configuration Options—See Setting Configuration Options.

Notification Options—See Setting Notification Options.


Setting Configuration Options

Procedure


Step 1 Select Event Log > Configuration Options. The Event Log: Configuration Options dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-35 Configuration Options 

Field
Description

Disposition of Events (by Severity Level)

Emergency

Check one or more of the following for each of the events:

Display on Event Log

Notify via SNMP/Syslog Trap

Record for SNMP/Syslog History Table

Display on Telnet/SSH Monitor

Alert

Critical

Error

Warning

Notification

Information

Debugging

Time Stamp Format for Future Events

Select one of the following:

System Uptime—Use this setting to use the system uptime in the timestamp.

Global Standard Time—Use this setting to use the global standard time in the timestamp.

Local Time—Use this setting to use the local time in the timestamp.

Event Log Size

Enter the maximum size of the event log.

History Table Size

Enter the maximum number of messages in the history table.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Notification Options

Procedure


Step 1 Select Event Log > Notification Options. The Event Log: Notification Options dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-36 Notification Options 

Field
Description

Events Generate Syslog Messages

Select one of the following:

Enable—Use this setting to allow events to generate syslog messages.

Disable—Use this setting to disable the feature.

Syslog Server Hostname or IP Address

Enter the hostname or IP address of the syslog server.

Syslog Facility

From the list, select the syslog facility.

Delete Syslog Server

Server Hostname or IP Address to remove

Enter the Syslog server hostname or IP address to be deleted.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Wireless Services

This option provides context control to the nodes by maintaining a cache of all client contexts within a given subnet.

Procedure


Step 1 Select Wireless Services. The menu expands and the Wireless Services: AP dialog box displays in the right pane.

Step 2 Select one of the following from the menu:

AP Configuration—See Configuring the AP.

WDS—See Configuring WDS.


Configuring the AP

Use this option to configure the access point to interact with wireless services.

Procedure


Step 1 Select Wireless Services > AP Configuration. The Wireless Services: AP dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-37 AP Configuration 

Field
Description

Wireless Services

Select one of the following:

Enabled—Use this setting to enable services.

Disabled—Use this setting to disable services.

Username

Enter a username.

Password

Enter a password.

Confirm Password

Reenter the password.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring WDS

Use this option to configure wireless domain services and to set its priority.

Procedure


Step 1 Select Wireless Services > WDS. The Wireless Services: WDS - Wireless Domain Services - Settings dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-38 WDS Settings 

Field
Description

Global Properties

Use this AP as Wireless Domain Services

Select to enable the access point to provide Wireless Domain Services.

Wireless Domain Services Priority

Enter a number between 1 and 255 to indicate the priority.

The priority is structured so that a WDS will not replace an active WDS with the same priority value, even it has a higher node ID.

WNM IP Address

Enter the access point's IP address.

Server Groups

Server Group List

Lists the configured servers.

To delete a server, select it, then click Delete.

Server Group Name

Enter the name of the server group.

Priority—Enter the server IP address or hostname.

Auth Port—Enter the authentication port.

Acct Port—Enter the accounting port.

or

Select a name from the list.

Use Group for

Select one of the following:

Infrastructure Authentication—Use this setting to initiate infrastructure authentication by sending a path initialization request message to its WDS, which acts as the IN authenticator.

Client Authentication—Use this setting to provide client authentication services.

Select the type of client authentication.

SSID

Enter the SSID or leave blank to apply to all SSIDs, then click >> to add to the SSID List.

The click Save.

Delete Server Group

Server Group Name

Enter the server group to delete.

Use Group For

Select one of the following:

Infrastructure Authentication—Use this setting to initiate infrastructure authentication by sending a path initialization request message to its WDS, which acts as the IN authenticator.

Client Authentication—Use this setting to provide client authentication services.

Select the type of client authentication.

Then click >> to add to the Server Group List to Delete.


Step 3 Click Save. The server is added to the Authentication Server List.

Step 4 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Custom Values

This option enables to you to enter custom values that might not be available in the Template Menu. It also allows you to quickly enter a value, if you know the exact value you want to change, instead of going through the menu.


Note This option should be used only by advanced users.


Templates with custom values are not validated.

Procedure


Step 1 Select Configure > Templates > Custom Values. The Custom IOS Values dialog box appears.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.



Note If the custom value you enter is the same as an existing one in the Template Menu, the custom value will override the value in the menu.


Step 2 Enter the IOS commands.

Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Non-IOS Templates

When you create or edit a non-IOS configuration template, the following choices appear in the left pane of the Templates window:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


When you create or edit a configuration template, the following choices appear in the left pane of the Templates window:

1. Template Name—See Naming the Template.

2. Template Categories


Note Any or all of the template categories can be completed in any order.


Basic Settings—See Using Basic Settings.

Association—See Setting Up Association.

Ethernet—See Configuring the Ethernet Port.

11b Radio—See Configuring the 11b Radio.

11a Radio—See Configuring the 11a Radio.

Security—See Defining the Security Settings.

Services—See Configuring Services.

Events—See Configuring Events.

Custom Values—See Configuring Custom Values.

3. Preview—See Previewing the Template.

4. Save—See Saving the Template.

Naming the Template

This option enables to you to name the template.

Procedure


Note Clicking Clear removes all the entries you have made.



Step 1 Select Template Name. The Template Name dialog box appears:

Field
Description

Name

Enter a name for the template.

See Naming Guidelines.

Description

Enter a description of the purpose of the template.

See Naming Guidelines.

Do not click the Enter key at the end of the description; it will generate an error.


Step 2 Select a template category. For additional information, see Template Categories.


Using Basic Settings

Use this option if you need to set up an access point quickly with a simple configuration. This will allow you to enter all the access point's essential settings for basic operation.

Procedure


Step 1 Select Basic Settings. The Basic Settings dialog box displays in the right pane:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-39 Basic Settings 

Field
Description

Reboot Device

From the list, select Yes if you want to allow device reboots.

SysName

Enter a system name.

The system name appears in the titles of the management system pages and in the access point's Association Table page.

This is not an essential setting, but it helps identify the access point on your network.

SysLocation

Enter the system's location.

This is not an essential setting, but it helps identify the access point on your network.

SysContact

Enter a contact name.

This is not an essential setting but it helps identify the person responsible for the access point on your network.

Configuration Server Protocol

Set this entry to match the network's method of IP address assignment.

From the list, select one of the following options:

None-Static IP—Use this if your network does not have an automatic system for IP address assignment.

BOOTP—Use this if your network uses Bootstrap Protocol, in which IP addresses are hard-coded based on MAC addresses.

DHCP—Use this if your network uses Dynamic Host Configuration Protocol, in which IP addresses are "leased" for predetermined periods of time.

Default Subnet Mask

Enter an IP subnet mask to identify the subnetwork so the IP address can be recognized on the LAN.

If DHCP or BOOTP is not enabled, this field is the subnet mask.

If DHCP or BOOTP is enabled, this field provides the subnet mask only if no server responds to the access point's DHCP or BOOTP request.

Default Gateway

Enter the IP address of your default Internet gateway.

The entry 255.255.255.255 indicates no gateway.

Radio Service Set ID (SSID)

Enter any alphanumeric, case-sensitive string, from 1 to 32 characters long.

The SSID is a unique identifier that client devices use to associate with the access point. The SSID helps client devices distinguish between multiple wireless networks in the same vicinity and provides access to VLANs by wireless client devices.

Several access points on a network or subnetwork can share an SSID.

Role in Network

From the list, select one of the following:

Access Point—Use this setting if the access point is connected to the wired LAN.

Repeater—Use this setting for access points not connected to the wired LAN.

Survey Client—Use this setting when performing a site survey for a repeater access point. When you select this setting, clients are not allowed to associate and the bridge's STP function is disabled.

Root Bridge—Use this setting to set a bridge as the root bridge. (One bridge in each group of bridges must be set as the root bridge.) The root bridge cannot associate with another root bridge.

Non-Root Bridge w/ Client—Use this setting for non-root bridges that accept associations from client devices and for bridges acting as repeaters. A non-root bridge will only associate to another bridge (root or non-root).

Non-Root Bridge w/o Client—Use this setting for non-root bridges that should not accept associations from client devices. A non-root bridge (without clients) can connect to a wired LAN and only associates to another bridge (root or non-root).

Ensure Compatibility with 1MB/sec Clients

From the list, select one of the following:

Enable— Use this setting to operate at a maximum speed of one megabit per second.

Disable—Use this setting if you do not want devices to operate at a maximum speed of one megabit per second.

Ensure Compatibility with 2MB/sec Clients

From the list, select one of the following:

Enable— Use this setting to operate at a maximum speed of two megabits per second.

Disable—Use this setting if you do not want devices to operate at a maximum speed of two megabits per second.

Ensure Compatibility with non-Aironet 802.11

From the list, select one of the following:

Enable—Use this setting to automatically configure the device to be compatible with other Cisco devices on your wireless LAN.

Disable—Use this setting to not automatically configure the device to be compatible with other Cisco devices on your wireless LAN.


Step 2 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Up Association

Use this option to set up spanning tree protocol (STP) on bridges and to set up filtering to control the flow of data through the access point.

Procedure


Step 1 Select Association. The menu expands and the Association dialog box displays in the right pane.

Step 2 Select one of the following from the Association menu:

Spanning Tree—See Defining Spanning Tree Protocol.

Address Filters—See Defining Address Filters.

Ethertype Filters—See Defining Ethertype Filters.

IP Protocol Filters—See Defining IP Protocol Filters.

IP Port Filters—See Defining IP Port Filters.

Policy Groups—See Configuring Policy Groups.

VLANs—See Configuring VLANs.

Quality of Service—See Configuring Quality of Service.

Service Sets—See Configuring Service Sets.

Primary Service Set—See Configuring Primary Service Set.

Advanced—See Defining Advanced Associations.

Port Assignments—See Configuring Port Assignments.

DSCP to CoS—See Configuring DSCP to CoS.


Defining Spanning Tree Protocol

This option is used for only bridges.

Procedure


Step 1 Select Association > Spanning Tree. The Association: Spanning Tree Protocol dialog box appears.

Step 2 Click See detail for information on which bridges this configuration is valid.

Step 3 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-40 Spanning Tree Protocol Settings 

Field
Description

Spanning Tree Protocol (STP)

From the list, select one of the following:

Enable—Use this setting to enable STP on the bridge.

Disable—If you do not want STP enabled the bridge.

Always Unblock Ethernet when STP is disabled

From the list, select one of the following:

Yes—Use this setting to maintain a bridge link when STP is disabled.

No—Use this setting to not maintain a bridge link when STP is disabled.

Click See detail to see for which versions this setting is valid.

Root Configuration

Priority (0-65535)

Enter a number to influence which bridge is designated the root bridge in the spanning tree.

When bridges have the same priority setting, STP uses the MAC addresses as a tiebreaker.

The bridge with the lowest priority setting is likely to be designated the root bridge in the tree.

Max Age (6-40 Seconds)

Enter the number of seconds to define how long the bridge waits before deciding the network has changed and the spanning tree needs to be rebuilt.

For example, with Max Age set to 20, the bridge attempts to rebuild the spanning tree if it does not receive a hello BDPU from the root bridge in the spanning tree within 20 seconds.

Hello Time (1-10 Seconds)

Enter the number of seconds to define how often the root bridge in the spanning tree sends out a hello BPDU telling the other bridges that the network topology has not changed and that the spanning tree should remain the same.

Forward Delay (4-30 Seconds)

Enter the number of seconds to define how long the bridge's ports should stay in the listening and learning transition states if there is a change in the spanning tree.

Port Configuration

Path Cost (1-65535)

Enter a number to indicates the relative efficiency of a port's network link.

A port with a high path cost is less likely to become a bridge's root port.

Priority (0-255)

Enter a number to influence whether STP designates a port as a bridge's root port.

A port with a low priority setting is more likely to become a bridge's root port.

Enable

From the list, select one of the following for each port configured:

Enable—Use this setting to indicate whether the port participates in STP. (This determines whether the port blocks or forwards traffic.)

Disable—Use this setting to indicate that the port does not participate in STP.


Step 4 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining Address Filters

Using this option, you can:

Create a MAC address filter

Remove a MAC address filter

Procedure


Step 1 Select Association > Address Filters. The Association: Address Filters dialog box appears.

Step 2 To add or delete a new MAC address filter complete the following fields:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-41 Address Filters Settings 

Field
Description

New Destination MAC Address

Enter a destination MAC address by entering the address in one of the following ways:

With colons separating the character pairs (00:40:96:12:34:56, for example).

Without any intervening characters (004096123456, for example).

Allowed

Click to pass traffic to the MAC address.

Disallowed

Click to discard traffic to the MAC address.

Delete MAC Address

Enter the MAC address to delete

Lookup MAC address on Authentication Server if not in an Existing Filter List?

Click one of the following:

Yes—Use this setting to allow looking up a MAC address on the authentication server.

No—Use this setting to disallow looking up a MAC address.

Is MAC Authentication alone sufficient for a client to be fully authenticated?

From the list, select one of the following:

Yes—Use this setting to specify that client devices that associate to the access point using 802.11 open authentication, first attempt MAC authentication.

No—Use this setting to specify that MAC authentication alone is not sufficient.

Click See detail to see for which versions this setting is valid.


Step 3 To add a MAC address to the enter the MAC address, then click >> to add it to the Current MAC Address Filters list.

Step 4 To delete a MAC address, enter the MAC address to delete in the Delete MAC address field, then click >>.

Step 5 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining Ethertype Filters

Procedure


Step 1 Select Association > Ethertype Filters. The Association: Ethertype Filters dialog box appears.

Step 2 Using this option:

Create new filters—See Creating New Ethertype Filters.

Create Special Cases—See Creating Special Cases.


Creating New Ethertype Filters

Procedure


Step 1 To create and enable protocol filters for the access point's Ethernet port, enter the following:


Note For a list of protocols, refer to Appendix B, Protocol Filter Lists in the Cisco Aironet Access Point Software Configuration Guide. The guide can be found on Cisco.com by selecting Products and Services > Wireless LAN Products > Cisco Aironet 350 Series > Configuration Guides Books.


Table 4-42 Creating New Ethertype Filters Settings 

Field
Description

New Ethertype Filter

Set ID

Enter an identification number for the filter set.

Set Name

Enter a descriptive filter set name.

See Naming Guidelines.

Default Disposition

From the list, select one of the following:

Forward—Use this setting to forward protocol traffic.

Block—Use this setting to block protocol traffic.

Default Time to Live (msec)

Unicast

Enter the number of milliseconds unicast packets should stay in the access point's buffer before they are discarded.

Multicast

Enter the number of milliseconds multicast packets should stay in the access point's buffer before they are discarded.


Step 2 Click >>. The new name is added to the Ethertype Filters list.

Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Creating Special Cases

Procedure


Step 1 Select the default filter for which you want to define a special case.

Step 2 Enter the following:

Table 4-43 Ethertype Filter Special Cases Settings 

Field
Description

New Special Cases

Ethertype

Enter the Ethertype filter name.

Disposition

From the list, select one of the following:

Default—Use the disposition you set for the Ethertype filter.

Forward—Use this setting to forward protocol traffic.

Block—Use this setting to block protocol traffic.

Priority

From the list, select one of the following:

Default—This setting is the same as best effort, which applies to normal LAN traffic.

Background—Use this setting for bulk transfers and other activities that are allowed on the network but should not impact network use by other users and applications.

Excellent Effort—Use this setting for a network's most important users.

Controlled Load—Use this setting for important business applications that are subject to some form of admission control.

Interactive Video—Use this setting for traffic with less than 100 ms delay.

Interactive Voice—Use this setting for traffic with less than 10 ms delay.

Network Control—Use this setting for traffic that must get through to maintain and support the network infrastructure.

Time to Live (msec)

Unicast

Enter the number of milliseconds unicast packets should stay in the access point's buffer before they are discarded.

Multicast

Enter the number of milliseconds multicast packets should stay in the access point's buffer before they are discarded.

Alert

From the list, select one of the following:

Yes—Use this setting to send an alert to the event log when a user transmits or receives the protocol through the access point.

No—Use this setting to not send an alert to the event log.


Step 3 Click >>. The new name is added to the list box.

Step 4 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining IP Protocol Filters

Procedure


Step 1 Select Association > IP Protocol Filters. The Association: IP Protocol Filters dialog box appears.

Step 2 With this option you can:

Create new filters—See Creating New IP Protocol Filters.

Create Special Cases—See Creating Special Cases.


Creating New IP Protocol Filters

Procedure


Step 1 To create and enable IP protocol filters, enter the following:


Note For a list of protocols, refer to Appendix B, Protocol Filter Lists in the Cisco Aironet Access Point Software Configuration Guide. The guide can be found on Cisco.com by selecting Products and Services > Wireless LAN Products > Cisco Aironet 350 Series > Configuration Guides Books.


Table 4-44 IP Protocol Filter Settings 

Field
Description

New Protocol Filter

Set ID

Enter an identification number for the filter set.

Set Name

Enter a descriptive filter set name.

See Naming Guidelines.

Default Disposition

From the list, select one of the following:

Forward—Use this setting to forward protocol traffic.

Block—Use this setting to block protocol traffic.

Default Time to Live (msec)

Unicast

Enter the number of milliseconds unicast packets should stay in the access point's buffer before they are discarded.

Multicast

Enter the number of milliseconds multicast packets should stay in the access point's buffer before they are discarded.


Step 2 Click >>. The new name is added to the Current Protocol Filters list.

Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Creating Special Cases

Procedure


Step 1 Select the default filter for which you want to define a special case.

Step 2 Enter the following:

Table 4-45 IP Protocol Filters Special Cases Settings 

Field
Description

New Special Cases

Protocol

Enter the IP protocol name.

Disposition

From the list, select one of the following:

Default—Use the disposition you set for the protocol filter.

Forward—Use this setting to forward traffic.

Block—Use this setting to block traffic.

Priority

From the list, select one of the following:

Default—This setting is the same as best effort, which applies to normal LAN traffic.

Background—Use this setting for bulk transfers and other activities that are allowed on the network but should not impact network use by other users and applications.

Excellent Effort—Use this setting for a network's most important users.

Controlled Load—Use this setting for important business applications that are subject to some form of admission control.

Interactive Video—Use this setting for traffic with less than 100 ms delay.

Interactive Voice—Use this setting for traffic with less than 10 ms delay.

Network Control—Use this setting for traffic that must get through to maintain and support the network infrastructure.

Time to Live (msec)

Unicast

Enter the number of milliseconds unicast packets should stay in the access point's buffer before they are discarded.

Multicast

Enter the number of milliseconds multicast packets should stay in the access point's buffer before they are discarded.

Alert

From the list, select one of the following:

Yes—Use this setting to send an alert to the event log when a user transmits or receives the protocol through the access point.

No—Use this setting to not send an alert to the event log.


Step 3 Click >>. The new name is added to the list box.

Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining IP Port Filters

Procedure


Step 1 Select Association > IP Port Filters. The Association: IP Port Filters dialog box appears.

Step 2 With this option you can:

Create new filters—See Creating New Port Filters.

Create Special Cases—See Creating Special Cases.


Creating New Port Filters


Note For a list of protocols, refer to Appendix B, Protocol Filter Lists in the Cisco Aironet Access Point Software Configuration Guide. The guide can be found on Cisco.com by selecting Products and Services > Wireless LAN Products > Cisco Aironet 350 Series > Configuration Guides Books.


Procedure


Step 1 To create and enable port filters, enter the following:

Table 4-46 IP Port Filter Settings

Field
Description

New Port Filter

Set ID

Enter an identification number for the filter set.

Set Name

Enter a descriptive filter set name.

See Naming Guidelines.

Default Disposition

From the list, select one of the following:

Forward—Use this setting to forward traffic.

Block—Use this setting to block traffic.

Default Time to Live (msec)

Unicast

Enter the number of milliseconds unicast packets should stay in the access point's buffer before they are discarded.

Multicast

Enter the number of milliseconds multicast packets should stay in the access point's buffer before they are discarded.


Step 2 Click >>. The new name is added to the Current Port Filters list.

Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Creating Special Cases

Procedure


Step 1 Select the default filter for which you want to define a special case.

Step 2 Enter the following:

Table 4-47 IP Port Filters Special Cases Settings 

Field
Description

New Special Cases

Port

Enter the IP Port filter name.

Disposition

From the list, select one of the following:

Default—Use the disposition you set for the port filter.

Forward—Use this setting to forward protocol traffic.

Block—Use this setting to block protocol traffic.

Priority

From the list, select one of the following:

Default—This setting is the same as best effort, which applies to normal LAN traffic.

Background—Use this setting for bulk transfers and other activities that are allowed on the network but should not impact network use by other users and applications.

Excellent Effort—Use this setting for a network's most important users.

Controlled Load—Use this setting for important business applications that are subject to some form of admission control.

Interactive Video—Use this setting for traffic with less than 100 ms delay.

Interactive Voice—Use this setting for traffic with less than 10 ms delay.

Network Control—Use this setting for traffic that must get through to maintain and support the network infrastructure.

Time to Live (msec)

Unicast

Enter the number of milliseconds unicast packets should stay in the buffer before they are discarded.

Multicast

Enter the number of milliseconds multicast packets should stay in the buffer before they are discarded.

Alert

From the list, select one of the following:

Yes—Use this setting to send an alert to the event log when a user transmits or receives the protocol through the access point.

No—Use this setting to not send an alert to the event log.


Step 3 Click >>. The new name is added to the Special Cases list.

Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Policy Groups

Policy groups are used to configure access parameters to a logical group of stations in a consistent manner from a single place. For example, protocol filters can be applied to frames for a selected group of stations.

Procedure


Step 1 Select Association > Policy Group. The Association: Policy Group dialog box appears.

Click See detail to see for which versions this setting is valid.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Step 2 Using this option you can:

Add a policy group—See Adding a New Policy Group.

Delete an exiting Policy Group From a Device—See Deleting an Existing Policy Group from a Device.


Adding a New Policy Group

Procedure


Step 1 To add a new policy group, enter the following:

Table 4-48 New Policy Group Settings 

Field
Description

Group ID

Enter an identification number for the policy group.

Group Name

Enter a name for the policy group, then click >>.

Policy Groups to Add.

Lists the policy groups to be added.

To remove a group from the list, click <<.

Ethertype

Receive

Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.

Transmit

Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.

IP Protocol

Receive

Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.

Transmit

Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.

IP Port

Receive

Enter the ID of a defined IP port filter, or select one of the filters you created using Association > IP Port Filters.

Transmit

Enter the ID of a defined IP port filter, or select one of the filters you created using Association > IP Port Filters.


Step 2 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Deleting an Existing Policy Group from a Device

Procedure


Step 1 Enter the group identification number in the Group ID text box, then click >> to add it to the Policy Groups to Delete list.

To remove a group from the list, click <<.

Step 2 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring VLANs

Access points and bridges in a VLAN network, which are running specific software versions, can provide a wireless VLAN trunk link between two wired segments of the network.

Using this option, you can configure VLANs on the access point.

Procedure


Step 1 Select Association > VLANs. The Association: VLAN dialog box appears.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Step 2 Click See detail to see for which versions this option is valid.

Step 3 Enter the following information:

Table 4-49 VLAN Configuration 

Field
Description

VLAN (802.1Q) Tagging

From the list, select one of the following:

Enabled—Use this setting to allow IEEE 802.1Q protocol tagging on VLAN packets.

The IEEE 802.1Q protocol is used to interconnect multiple switches and routers, and for defining VLAN topologies.

Disabled—Use this setting to not allow tagging.

Native VLAN ID

Enter identification number of the access point's native VLAN.

Note This setting must agree with the native VLAN ID setting on the switch.

Single VLAN ID which allows unencrypted packets

Enter an identification number to allow unencrypted packets. An entry with a value of 0 (zero requires the use of encryption.)

Optionally allow Encrypted Packets on unencrypted VLAN

From the list, select one of the following:

Yes—Use this setting to allow point-to-point encryption.

No—Use this setting to not allow point-to-point encryption.


Step 4 Using this option you can:

Add a new VLAN—See Adding a New VLAN.

Delete an exiting VLAN from a Device—See Deleting an Existing VLAN.


Adding a New VLAN

Procedure


Step 1 To add a new VLAN, enter the following:

Table 4-50 New VLAN Settings 

Field
Description

VLAN ID

Enter the identification number of the VLAN.

Note This setting must match the setting on the switch.

VLAN Name

Enter the a unique name for the VLAN configured on the access point.

VLAN Enable

From the list, select one of the following:

Enabled—Use this setting to enable the VLAN.

Disabled—Use this setting to disable the VLAN.

Default Priority

From the list, select one of the following:

Background—Use this setting for bulk transfers and other activities that are allowed on the network but should not impact network use by other users and applications.

Default—Use this setting for normal LAN traffic.

Excellent Effort—Use this setting for the network's most important users.

Controlled Load—Use this setting for important business applications that are subject to some form of admission control.

Interactive Video—Use this setting for traffic with less than 100 ms delay.

Interactive Voice—Use this setting for traffic with less than 10ms delay.

Network Control—Use this setting for traffic that must get through to maintain and support the network infrastructure.

Default Policy Group

Enter the default policy group number, or select one you created using Association > Policy Groups.

Enhanced MIC verify WEP

From the list, select one of the following:

None—Use this setting if you do not want Message Integrity Check (MIC) enabled.

MMH—Use this setting if you want MIC enabled to protect WEP keys.

Note When you enable MIC, only MIC-capable client devices can communicate with the access point.

Temp Key Integrity Protocol

From the list, select one of the following:

None—Use this setting if you do not want to enable the temporal key integrity protocol (TKIP), or WEP key hashing.

Cisco—Use this setting to enable TKIP.

Note When TKIP is enabled, all WEP-enabled client devices associated to the access point must support WEP key hashing, or they will not be able to communicate with the access point.

WEP Key Rotation Interval

Use this setting to enable or disable broadcast key rotation.

To enable it, enter the rotation interval in seconds.

If you enter 900, for example, the access point sends a new broadcast WEP key to all associated client devices every 15 minutes.

Note When you enable broadcast key rotation, only wireless client devices using LEAP or EAP-TLS authentication can use the access point. Client devices using static WEP (with open, shared key, or EAP-MD5) cannot use the access point when you enable broadcast key rotation.

To disable it, enter 0 (zero).

Alert?

From the list, select one of the following:

Yes—Use this setting if you are not adding an encrypted VLAN.

No—Use this setting if you are adding an encrypted VLAN.

WEP Keys 1 through 4

Enter the encryption keys used: 40 bit or 128 bit hexadecimal digits.

Size

For each WEP key, select one of the following: Not set, 40 bit, or 128 bit.


Step 2 Click >> to add the VLAN to the VLANs to Add list.

Step 3 To make sure the VLAN ID you want to create does not already exist, click Update.

Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Deleting an Existing VLAN

Procedure


Step 1 Enter the VLAN identification number in the VLAN ID text box, then click >> to add it to the VLANs to Delete list.

Step 2 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Quality of Service

This option is used to configure the access point's Quality of Service feature.

Procedure


Step 1 Select Association > Quality of Service. The Association: Quality of Service dialog box appears.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Step 2 Click See detail to see for which versions this option is valid.

Step 3 Enter the following information:

Table 4-51 Quality of Service Settings 

Field
Description

Generate QBBS Element

From the list, select one of the following:

Yes—Use this setting to enable support for basic 802.11 Quality of Service.

No—Use this setting to disable support for basic 802.11 Quality of Service.

User Symbol Extensions

From the list, select one of the following:

Yes—Use this setting enables support for Symbol Voice over IP (VoIP phones).

No—Use this setting to disable support for Symbol VoIP phones.

Send IGMP General Query

From the list, select one of the following:

Yes—Use this setting to allow the access point to send an IGMP General Query to all associated stations when they complete all required high-level authentication.

No—Use this setting to not allow the access point to send an IGMP General Query.

Background

From the CWmin and CWmax lists, select the minimum and maximum contention window values for each traffic category.

(spare)

Best Effort (default)

Excellent Effort

Controlled Load

Interactive Video

Interactive Voice

Network Control


Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Service Sets

This option allows you to define service sets.

Procedure


Step 1 Select Association > Service Sets. The Association: Service Sets dialog box appears.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Step 2 Click See detail to see for which versions this option is valid.

Step 3 Enter the following information:

Table 4-52 Service Set Settings 

Field
Description

Device

SSID for use by Infrastructure Stations (such as Repeaters)

Enter the SSID to be used by repeaters and workgroup bridges to associate to the access point.

This SSID should be mapped to the native VLAN ID in order to facilitate communications between infrastructure devices and a non-root access point or bridge.

Disallow Infrastructure Stations on any other SSID

From the list, select one of the following:

Yes—This setting prevents repeaters or workgroup bridges from associating to SSIDs other than the infrastructure SSID.

No—This setting does not prevent repeaters or workgroup bridges from associating to SSIDs other than the infrastructure SSID.


Step 4 Using this option you can:

Add a new Service Set—See Adding a New Service Set.

Delete an exiting Service Set from a device—See Deleting an Existing Service Set.


Adding a New Service Set

Procedure


Step 1 To add a new Service set, enter the following:

Table 4-53 New Service Set Settings 

Field
Description

Service Set ID (1-24)

Enter an identification for the SSID.

Service Set Name

Enter the SSID, then click >>.

Service Sets To Add

Lists the added service sets.

To remove a service set from the list, click <<.

Maximum Number of Associations

Enter a number to limit the maximum number of wireless clients per SSID.

Proxy Mobile IP Enabled

From the list, select one of the following:

Yes—This setting allows proxy mobile IP use by all stations associated to this access point.

No—This setting does not allow proxy mobile IP use.

Default VLAN ID

Enter the identification number for a defined VLAN, or select one of the VLAN IDs you created using Association >VLANs.

Default Policy Group

Enter the identification number of a defined policy group, or select one of the policy groups you created using Association > Policy Groups.

Accept Authentication Type

Open

From the list, select one of the following:

Yes—Allows any device, regardless of its WEP keys, to authenticate and attempt to associate. This is the recommended setting.

No—Does not allow any device, regardless of its WEP keys, to authenticate and attempt to associate.

Shared

From the list, select one of the following:

Yes—Tells the access point to send a plain-text, shared key query to any device attempting to associate with the access point. This query can leave the access point open to a known-text attack from intruders. This is not as secure as the Open setting.

No—Does not allow the access point to send a plain-text, shared key query to any device attempting to associate with the access point.

Network-EAP

From the list, select one of the following:

Yes—Allows EAP-enabled client devices to authenticate through the access point.

No—Does not allow EAP-enabled client devices to authenticate through the access point.

Require EAP

Open

From the list, select one of the following:

Yes—Use this option if you use open and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use open and EAP authentication.

Shared

From the list, select one of the following:

Yes—Use this option if you use shared and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use shared and EAP authentication.

Default Unicast Address Filter

Open

From the list, select one of the following:

Allowed—The access point forwards all traffic except packets sent to the MAC addresses set as disallowed with the Address Filters.

Disallowed—The access point discards all traffic except packets sent to the MAC addresses set as allowed with the Address Filters or on your authentication server.

Select Disallowed for each authentication type that also uses MAC-based authentication.

Shared

Network-EAP


Step 2 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Deleting an Existing Service Set

Procedure


Step 1 Enter the Service Set number in the Service Set ID text box, then click >> to add it to the Service Sets to Delete list.

Step 2 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Primary Service Set

This option allows you to set a default VLAN for the primary SSID on an access point.

Procedure


Step 1 Select Association > Primary Service Set. The Association: Primary Service Set dialog box appears.

Step 2 Complete the following:

Table 4-54 Primary Service Set 

Field
Description

Service Set Name

Enter the SSID.

Maximum Number of Associations

Enter a number to limit the maximum number of wireless clients per SSID.

Proxy Mobile IP Enabled

From the list, select one of the following:

Yes—This setting allows proxy mobile IP use by all stations associated to this access point.

No—This setting does not allow proxy mobile IP use.

Default VLAN ID

Enter the identification number for a defined VLAN, or select one of the VLAN IDs you created using Association >VLANs.

Default Policy Group

Enter the identification number of a defined policy group, or select one of the policy groups you created using Association > Policy Groups.

Accept Authentication Type

Open

From the list, select one of the following:

Yes—Allows any device, regardless of its WEP keys, to authenticate and attempt to associate. This is the recommended setting.

No—Does not allow any device, regardless of its WEP keys, to authenticate and attempt to associate.

Shared

From the list, select one of the following:

Yes—Tells the access point to send a plain-text, shared key query to any device attempting to associate with the access point. This query can leave the access point open to a known-text attack from intruders. This is not as secure as the Open setting.

No—Does not allow the access point to send a plain-text, shared key query to any device attempting to associate with the access point.

Network-EAP

From the list, select one of the following:

Yes—Allows EAP-enabled client devices to authenticate through the access point.

No—Does not allow EAP-enabled client devices to authenticate through the access point.

Require EAP

Open

From the list, select one of the following:

Yes—Use this option if you use open and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use open and EAP authentication.

Shared

From the list, select one of the following:

Yes—Use this option if you use shared and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use shared and EAP authentication.

Default Unicast Address Filter

Open

From the list, select one of the following:

Allowed—The access point forwards all traffic except packets sent to the MAC addresses set as disallowed with the Address Filters.

Disallowed—The access point discards all traffic except packets sent to the MAC addresses set as allowed with the Address Filters or on your authentication server.

Select Disallowed for each authentication type that also uses MAC-based authentication.

Shared

Network-EAP


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining Advanced Associations

Use this option to control the total number of devices an access point can list in the Association Table and the amount of time the access point continues to track each device class when a device is inactive.

Procedure


Step 1 Select Association > Advanced. The Association: Advanced dialog box appears.

Step 2 To define advanced associations, enter the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-55 Advanced Association Settings 

Field
Description

Alert Severity Level

From the list select one of the following:

systemFatal—Indicates an event that prevents operation of the port or device.

protocolFatal—Indicates an event that prevents operation of the port or device

portFatal—Indicates an event that prevents operation of the port or device

systemAlert—Indicates that you need to take action to correct the condition.

protocolAlert—Indicates that you need to take action to correct the condition.

portAlert—Indicates that you need to take action to correct the condition.

externalAlert—Indicates that you need to take action to correct the condition.

 

systemWarning—Indicates that an error or failure may have occurred.

protocolWarning—Indicates that an error or failure may have occurred.

portWarning—Indicates that an error or failure may have occurred.

externalWarning—Indicates that an error or failure may have occurred.

systemInfo—Notification that some sort of event has occurred.

protocolInfo—Notification that some sort of event has ocurred.

portInfo—Notification that some sort of event has ocurred.

externalInfo—Notification that some sort of event has ocurred.

Max Bytes Stored Per Alert Packet

Enter the maximum number of bytes the access point stores for each Station Alert packet when packet tracing is enabled.

If you use 0, the access point does not store bytes for Station Alert packets; it only logs the event.

Max Fwd Table Entries

Note Changing this setting may cause the access point to reboot.

From the list, select one of the settings to designate the maximum number of devices that can appear in the Association Table.

Rogue AP alert timeout (minutes)

Enter the amount of time in minutes the access point transmits an alert message. (When an access point detects a rogue access point, it sends an alert message to the system log.) When the timeout is reached, the access point stops sending the alert message.

Click See detail to see for which versions this option is valid.

Enable RFC 1493 802.1D Stats In MIB

From the list, select one of the following:

Enable—Use this setting to enable the storage of detailed RFC 1493 802.1D statistics in access point memory.

Disable—Use this setting to disable the storage of detailed RFC 1493 802.1D statistics in access point memory. When you disable extended statistics you conserve memory, and the access point can include more devices in the Association Table.

Click See detail to see for which versions this option is valid.

Enable Extended Stats in MIB

From the list, select one of the following:

Enable—Use this setting to enable the storage of detailed statistics in the device's memory.

Disable—Use this setting to disable the storage of detailed statistics in the device's memory.

When you disable extended statistics you conserve memory, and the device can include more devices in the Association Table.

Map Multicast Entries to Broadcast Entry

From the list, select one of the following:

Enable—Use this setting to make the access point more virus-resistant by mapping all multicast MAC addresses into the Broadcast address.

Disable—Use this setting to disable this feature.

Click See detail to see for which versions this setting is valid.

Enable PSPF

From the list, select one of the following:

Enable—Use this setting to enable Publicly Secure Packet Forwarding, which ensures that client devices cannot communicate with other client devices on the wireless network. This feature is useful for public wireless networks like those installed in airports or on college campuses.

Disable—Use this setting to disable Publicly Secure Packet Forwarding.

Click See detail to see for which versions this option is valid.

Unknown Class Timeout

Enter the number of seconds the access point continues to track an inactive device depending on its class.

A setting of zero tells the access point to track a device indefinitely no matter how long it is inactive.

A setting of 300 equals 5 minutes; 1800 equals 30 minutes; 28800 equals 8 hours.

Multicast Addresses Timeout

Infrastructure Hosts Timeout

Client Stations Timeout

Repeaters Timeout

Access Points Timeout

Across Bridge Hosts Timeout

Non-Root Bridges Timeout

Root Bridges Timeout


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Port Assignments

When you assign specific ports, your network topology remains constant even when devices reboot.

Procedure


Step 1 Select Association > Port Assignments. The Association: Port Assignments dialog box appears.

Step 2 To define port assignments, enter the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-56 Port Assignments Settings 

Field
Description

ifIndex

Lists the port's designator in the Standard MIB-II (RFC1213)-MIB.my interface index.

dot1dBasePort

Lists the port's designator in the Bridge MIB (RFC1493); BRIDGE-MIB.my interface index.

AID

Lists the port's 802.11 radio drivers association identifier.

Station

Enter the MAC address of the device to which you want to assign the port.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring DSCP to CoS

This option is use to statically map Differentiated Services Code-Point (DSCP) values to corresponding Class of Service (CoS) values.

Procedure


Step 1 Select Association > DSCP to CoS. The Association: DSCP to CoS Conversion dialog box appears.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Step 2 Click See detail to see for which versions this option is valid.

Step 3 For each DSCP, enter the CoS conversion. Select one of the following:

No Change

Background

Spare

Best Effort

Excellent Effort

Controlled Load

Interactive Video

Interactive Voice

Network Control

Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring the Ethernet Port

Use this option to configure the device's Ethernet port.

Procedure


Step 1 Select Ethernet. The menu expands and the Ethernet dialog box displays in the right pane.

Step 2 Select one of the following from the Ethernet menu:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Identification—See Identifying the Ethernet Port.

Filters—See Setting Up Ethernet Filters.

Hardware—See Setting Up Hardware.

Advanced—See Defining the Ethernet Advanced Settings.


Identifying the Ethernet Port

Use this option to define basic identity information for the Ethernet port.

Procedure


Step 1 Select Ethernet > Identification. The Ethernet: Identification dialog box displays in the right pane.

Step 2 Enter the following information to identify the port:

Table 4-57 Ethernet Port Settings 

Field
Description

Primary Port

From the list, select one of the following:

Ethernet—Sets the Ethernet port for all access points other than AP1200's as the primary port.

Ethernet AP 1200—Sets the Ethernet port for AP1200 access points as the primary port.

Radio 11b—Sets the 11b radio port as the primary port.

Radio 11a—Sets the 11a radio port as the primary port.

Adopt Primary Port Identity

Note Changing this setting may cause the access point to reboot.

From the list, select one of the following:

yes—This adopts the primary port settings (MAC and IP addresses for the Ethernet port).

no—This uses different MAC and IP addresses for the Ethernet port.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Up Ethernet Filters

Use this option to define filters for the Ethernet port, the IP Protocol, and the IP Port.

Procedure


Step 1 Select Ethernet > Filters. The Ethernet: Filters dialog box displays in the right pane.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-58 Ethernet Filters Settings 

Field
Description

Ethertype

Receive

Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.

Transmit

Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.

IP Protocol

Receive

Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.

Transmit

Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.

IP Port

Receive

Enter the ID of a defined IP port filter, or select one of the filters you created using Association > IP Port Filters.

Transmit

Enter the ID of a defined IP port filter, or select one of the filters you created using Association > IP Port Filters.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Up Hardware

This option allows you to select the hardware settings used by the access point's Ethernet port.

Procedure


Step 1 Select Ethernet > Hardware. The Ethernet: Hardware dialog box displays in the right pane.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Step 2 Click See detail to see for which versions this option is valid.

Step 3 Complete the following:

Table 4-59 Ethernet Hardware Settings 

Field
Description

Loss of Backbone Connectivity # of Secs (1-1000)

Enter the number of seconds the system must detect loss of backbone connectivity (i.e. loss of Ethernet link and no active trunk available on any of the radios) before taking the specified by Loss of Backbone Connectivity Action.

Loss of Backbone Connectivity Action

From the list, select one of the following:

No action

Switch to repeater mode

Shut the radio off

Restrict to SSID

Loss of Backbone Connectivity SSID

Enter an SSID index required if the Loss of Backbone Connectivity Action is set to Restrict to SSID, or select the SSID from the list.


Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining the Ethernet Advanced Settings

Use this option to define the settings and operational status of the Ethernet port.

Procedure


Step 1 Select Ethernet > Advanced. The Ethernet: Advanced dialog box displays in the right pane.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-60 Ethernet Advanced Settings 

Field
Description

Status

From the list, select one of the following:

up—Enables the Ethernet port for normal operation.

down—Disables the device's Ethernet port.

Packet Forwarding

From the list, select one of the following:

enabled—Allows normal operation.

disabled—Prevents data from moving between the Ethernet and the radio, which is useful in troubleshooting.

Default Multicast Address Filter

From the list, select one of the following:

allowed—The access point forwards all traffic except packets sent to the MAC addresses set as disallowed under Association > Address Filters.

disallowed—The access point discards all traffic except packets sent to the MAC addresses set as allowed under Association > Address Filters.

Maximum Multicast Packets/Second

Use this setting to control the number of multicast packets that can pass through the Ethernet port each second.

If you enter 0, the access point passes an unlimited number of multicast packets.

If you enter a number other than 0, the device passes only that number of multicast packets per second.

Default Unicast Address Filter

From the list, select one of the following:

allowed—The access point forwards all traffic except packets sent to MAC addresses that have been set as disallowed under Association > Address Filters.

disallowed—The access point discards all traffic except packets sent to the MAC addresses that have been set as allowed under Association > Address Filters.

Always Unblock Ethernet when STP is disabled

From the list, select one of the following:

From the list, select one of the following:

Yes—Use this setting to maintain a bridge link when STP is disabled

No—Use this setting to not maintain a bridge link when STP is disabled.

Click See detail to see for which versions this option is valid.

Optimize Ethernet for

From the list, select one of the following:

Performance—Allows faster packet forwarding.

Statistics Collection—Allows better statistics collection.

Click See detail to see for which versions this option is valid.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring the 11b Radio

Use this option to configure the device's 11b radio.

Procedure


Step 1 Select 11b Radio. The menu expands and the Radio dialog box displays in the right pane.

Step 2 Select one of the following from the Radio menu:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Identification—See Identifying the 11b Radio Port.

Filters—See Setting Up 11b Radio Filters.

Hardware—See Defining the 11b Radio Hardware Settings.

Advanced—See Defining the 11b Radio Advanced Settings.

Searched Channels—See Defining the 11b Radio Searched Channels Settings.


Identifying the 11b Radio Port

Use this option to define basic identity information for the port.


Note Changing this setting may cause the access point to reboot.


Procedure


Step 1 Select 11b Radio > Identification. The 11b Radio: Identification dialog box displays in the right pane.

Step 2 Enter the following information to identify the port:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-61 11b Radio Identification Settings 

Field
Description

Primary Port

From the list, select one of the following:

Note If the primary port was set using Ethernet > Identification, the selected value is displayed.

Ethernet—Sets the Ethernet port for all access points other than AP1200's as the primary port.

Ethernet AP 1200—Sets the Ethernet port for AP1200 access points as the primary port.

Radio 11b—Sets the 11b radio port as the primary port.

Radio 11a—Sets the 11a radio port as the primary port.

Adopt Primary Port Identity

Note Changing this setting may cause the access point to reboot.

From the list, select one of the following:

yes—This adopts the primary port settings (MAC and IP addresses) for the Ethernet port.

no—This uses different MAC and IP addresses for the Ethernet port.

LEAP User Name

Use this field if the radio is set up as a repeater and authenticates to the network using LEAP. When the radio authenticates using LEAP, the access point sends this user name to the authentication server.

Click See detail to see for which versions this option is valid.

LEAP Password

Enter the LEAP password.

Click See detail to see for which versions this option is valid.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Up 11b Radio Filters

Procedure


Step 1 Select 11b Radio > Filters. The 11b Radio Filters dialog box displays in the right pane.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-62 11b Radio Filters Settings 

Field
Description

Ethertype

Receive

Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.

Transmit

Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.

IP Protocol

Receive

Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.

Transmit

Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.

IP Port

Receive

Enter the ID of a defined IP port protocol filter, or select one of the filters you created using Association > IP Port Filters.

Transmit

Enter the ID of a defined IP port protocol filter, or select one of the filters you created using Association > IP Port Filters.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining the 11b Radio Hardware Settings

Procedure


Step 1 Select 11b Radio > Hardware. The 11b Radio: Hardware dialog box displays in the right pane.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-63 11b Radio Hardware Settings 

Field
Description

Service Set ID (SSID)

Enter a unique identifier client devices use to associate with the access point. It can be any alphanumeric, case-sensitive string, from 1 to 32 characters long.

Several access points on a network or sub-network can share an SSID.

Allow "Broadcast" SSID to Associate

From the list, select one of the following:

yes—Allows devices that do not specify an SSID (devices that are "broadcasting" in search of an access point) to associate with to associate with the access point.

no—Does not allow devices that do not specify an SSID (devices that are "broadcasting" in search of an access point) to associate with to associate with the access point.

With no selected, the SSID used by the client device must match exactly the access point's SSID.

Enable "World Mode" multi-domain operation?

From the list, select one of the following:

yes—Allows the access point to add channel carrier set information to its beacon.

Client devices with world-mode enabled receive the carrier set information and adjust their settings automatically.

no—Does not allow the access point to add channel carrier set information to its beacon.

Data Rates (Mb/sec)

1.0

From the list, select one of the following for each of the four rates in megabits per second:

basic—Allows transmission at this rate for all packets, both unicast and multicast. At least one data rate must be set to basic.

yes—Allows transmission at this rate for unicast packets only.

no—Does not allow transmission at this rate.

2.0

5.5

11.0

Transmit Power

From the list, select one of the following milliwatt settings: 1, 5, 20, 30, 50, 100.

To reduce interference or to conserve power, select a lower power setting.

Click See detail to see for which versions this option is valid.

Fragmentation Threshold (256-2338)

Enter a setting to determine the size at which packets are fragmented (sent as several pieces instead of as one block).

Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

RTS Threshold (0-2339)

Enter a setting to determine the packet size at which the access point issues a request to send (RTS) before sending the packet.

A low RTS Threshold setting can be useful in areas where many client devices are associating with the access point, or in areas where the clients are far apart and can detect only the access point and not each other.

Maximum RTS Retries (1-128)

Enter the maximum number of times the access point issues an RTS before stopping the attempt to send the packet through the radio.

Max. Data Retries (1-128)

Enter the maximum number of attempts the access point makes to send a packet before giving up and dropping the packet.

Beacon Period (Kusec)

Enter the amount of time between beacons in kilomicroseconds. (One kilomicrosecond equals 1,024 microseconds.)

Data Beacon Rate (DTIM)

Enter the amount of time, always a multiple of the beacon period, to determine how often the beacon contains a delivery traffic indication message (DTIM).

The DTIM tells power-save client devices that a packet is waiting for them.

If the beacon period is set at 100, its default setting, and the data beacon rate is set at 2, its default setting, then the access point sends a beacon containing a DTIM every 200 kilomicrosecond.

Default Radio Channel

From the list, select the radio channel you want for a default. Each channel covers 22 MHz.

The factory setting for Cisco wireless LAN systems is Radio Channel 6 transmitting at 2437 MHz.

Search for less-congested Radio Channel?

From the list, select one of the following:

yes—Allows the access point to scan for the radio channel that is least busy and selects that channel for use.

no—Will not allow the access point to scan for a radio channel that is least busy.

Receive Antenna

From the list, select one of the following:

Right—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's right connector. (When you look at the access point's back panel, the right antenna is on the right.)

Use this setting for both receive and transmit.

Left—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's left connector. (When you look at the access point's back panel, the left antenna is on the left.)

Use this setting for both receive and transmit.

Diversity—Use this setting if your access point has two fixed (non-removable) antennas; it tells the access point to use the antenna that receives the best signal.

Use this setting for both receive and transmit.

Transmit Antenna


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining the 11b Radio Advanced Settings

Use this option to define the settings and operational status of the Ethernet port.

Procedure


Step 1 Select 11b Radio > Advanced. The 11b Radio: Advanced dialog box displays in the right pane.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-64 11b Radio Advance Settings 

Field
Description

Status

From the list, select one of the following:

up— Enables the Radio port for normal operation.

down—Disables the device's Radio port.

Packet Forwarding

From the list, select one of the following:

enabled—Allows normal operation.

disabled—Prevents data from moving between the Ethernet and the radio, which is useful in troubleshooting.

Default Multicast Address Filter

From the list, select one of the following:

Allowed—The access point forwards all traffic except packets sent to the MAC addresses set as disallowed under Association > Address Filters.

Disallowed—The access point discards all traffic except packets sent to the MAC addresses set as allowed under Association > Address Filters.

Maximum Multicast Packets/Second

Use this setting to control the number of multicast packets that can pass through the Ethernet port each second.

If you enter 0, the access point passes an unlimited number of multicast packets.

If you enter a number other than 0, the device passes only that number of multicast packets per second.

Maximum Number of Associations

Enter the maximum number of wireless networking devices that are allowed to associate to the access point.

If you enter 0 it means that the maximum possible number of associations is allowed.

Click See detail to see for which versions this option is valid.

Use Aironet Extensions

From the list, select one of the following:

yes—Enable load balancing, Message Integrity Check (MIC), and WEP key hashing.

no—Does no enable the features listed above.

Classify Workgroup Bridges as network infrastructure

From the list, select one of the following:

yes—Use this setting to limit the number of workgroup bridges that can associate to the access point to 20 or less.

no—Use this setting to allow more than 20 workgroup bridges to associate to the access point.

Click See detail to see for which versions this option is valid.

User Symbol Extensions

From the list, select one of the following:

yes—Use this setting to enable the following features: load balancing, message integrity check (MIC), temporal key integrity protocol (TKIP).

no—Use this setting to disable use of Cisco Aironet 802.11 extensions.

Click See detail to see for which versions this option is valid.

Ethernet encapsulation transform

From the list, select one of the following:

802.1H—Provides optimum performance for Cisco Aironet wireless products.

RFC1042—Ensures interoperability with non-Cisco Aironet wireless equipment.

Enhanced MIC verification for WEP

From the list, select one of the following:

None—Does not enable MIC.

NMH—Enables MIC (Message Integrity Check), a security feature that protects your WEP keys by preventing attacks on encrypted packets called bit-flip attacks.

Click See detail to see for which versions this setting is valid.

Temporal Key Integrity Protocol

From the list, select the following:

None—Does not enable WEP key hashing.

Cisco—Enables WEP key hashing that defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key.

Click See detail to see for which versions this option is valid.

Broadcast WEP Key rotation interval (sec)

Enter a rotation interval in seconds.

If you enter 900, for example, the access point sends a new broadcast WEP key to all associated client devices every 15 minutes.

If you enter 0, you disable broadcast WEP key rotation.

Click See detail to see for which versions this option is valid.

Default Unicast Address Filter

Open

From the list, select one of the following:

Allowed—The access point forwards all traffic except packets sent to the MAC addresses set as disallowed with the Address Filters.

Disallowed—The access point discards all traffic except packets sent to the MAC addresses set as allowed with the Address Filters or on your authentication server.

Select Disallowed for each authentication type that also uses MAC-based authentication.

Shared

Network-EAP

Specified Access Point 1

If this access point is a repeater, enter the MAC address of one or more root-unit access points with which you want this access point to associate.

With MAC addresses in these fields, the repeater access point always tries to associate with the specified access points instead of with other less-efficient access points.

Specified Access Point 2

Specified Access Point 3

Specified Access Point 4

Radio Modulation

From the list, select one of the following:

Standard—This setting is the modulation type specified in IEEE 802.11, the wireless standard published by the Institute of Electrical and Electronics Engineers (IEEE) Standards Association.

MOK—This modulation was used before the IEEE finished the high-speed 802.11 standard and may still be in use in older wireless networks.

Radio Preamble

From the list, select one of the following:

Long—Ensures compatibility between the access point and all early models of Cisco Aironet Wireless LAN Adapters (PC4800 and PC4800A).

Short—Cisco Aironet's Wireless LAN Adapter supports short preambles; it improves throughput performance.

Bridge Spacing (km)

Enter a value from 0 to 40 kilometers to specify the distance from a root bridge to non-root bridges with which it communicates. Note that you do not need to adjust this setting on non-root bridges.

The Bridge Spacing setting adjusts the bridge's timeout values to account for the time required for radio signals to travel from bridge to bridge. If more than one non-root bridge communicates with the root bridge, enter the distance from the root bridge to the non-root bridge that is farthest away.

Click See detail to see for which versions this option is valid.

Non-Root Mobility

This setting applies mainly to repeater access points that you intend to use in a roaming environment.

From the list, select one of the following:

Stationary—Use this setting to specify that the radio firmware not aggressively scan for a better root association, which makes the association more stable but does not allow the access point to roam.

Mobile—Use this setting to specify that the radio firmware aggressively scan for a better root association, which allows the access point to roam throughout the wireless network.

Click See detail to see for which versions this setting is valid.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining the 11b Radio Searched Channels Settings

Use this option to limit the channels that the access point scans when Search for less-congested radio channel is enabled.

The access point uses this setting to scan for the radio channel that is least busy and selects that channel for use.


Note Not all channels are available for all geographic domains.


Procedure


Step 1 Select 11b Radio > Searched Channels. The 11b Radio: Searched Channels dialog box displays in the right pane.

Step 2 Click See details to see for which versions this option is valid.

Step 3 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-65 11b Radio Searched Channels Settings 

Field
Description

Channel Number

Lists the available channels by number.

Frequency (mHz)

Lists the channel frequency.

For a list of channel frequency, refer to one of the following:

URL: http://www.cisco.com/en/US/products/hw/wireless/ps430/products_command_reference_chapter09186a0080147d8b.html#2450296

Cisco IOS Commands for Access in the Cisco Aironet 1200 Series Access Point Command Reference.

Search?

From the list, select one of the following:

Yes—Use this option to include the channel in the scan for less-congested channels.

No—Use this option to exclude the channel in the scan for less-congested channels


Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring the 11a Radio

Use this option to configure the device's 11a radio.

Procedure


Step 1 Select 11a Radio. The menu expands and the 11a Radio dialog box displays in the right pane.

Step 2 Click See details to see for which versions this option is valid.

Step 3 Select one of the following from the Radio menu:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Identification—See Identifying the 11a Radio Port.

Filters—See Setting Up 11a Radio Filters.

Hardware—See Defining the 11a Radio Hardware Settings.

Advanced—See Defining the 11a Radio Advanced Settings.

Searched Channels—See Defining the 11a Radio Searched Channels Settings.

Data Encryption—See Defining the 11a Radio Data Encryption Settings.

Module Service Sets—See Defining the 11a Radio Module Service Sets.

Primary Service Set—See Defining the 11a Radio Primary Service Set.

Module QoS—See Configuring 11a Radio QoS.


Identifying the 11a Radio Port

Use this option to define basic identity information for the Ethernet port.


Note Changing this setting may cause the access point to reboot.


Procedure


Step 1 Select 11a Radio > Identification. The 11a Radio: Identification dialog box displays in the right pane.

Step 2 Click See detail to see for which versions this option is valid.

Step 3 Enter the following information to identify the port:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-66 11a Radio Identification Settings 

Field
Description

Primary Port

From the list, select one of the following:

Note If the primary port was set using Ethernet > Identification, the selected value is displayed.

Ethernet—Sets the Ethernet port for all access points other than AP1200's as the primary port.

Ethernet AP 1200—Sets the Ethernet port for AP1200 access points as the primary port.

Radio 11b—Sets the 11b radio port as the primary port.

Radio 11a—Sets the 11a radio port as the primary port.

Adopt Primary Port Identity

Note This setting may cause the device to reboot.

From the list, select one of the following:

yes—This adopts the primary port settings (MAC and IP addresses) for the Ethernet port.

no—This uses different MAC and IP addresses for the Ethernet port.

Click See detail to see for which versions this setting is valid.

LEAP User Name

Use this field if the radio is set up as a repeater and authenticates to the network using LEAP. When the radio authenticates using LEAP, the access point sends this user name to the authentication server.

Click See detail to see for which versions this option is valid.

LEAP Password

Enter the LEAP password.

Click See detail to see for which versions this option is valid.


Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Up 11a Radio Filters

Procedure


Step 1 Select 11a Radio > Filters. The 11a Radio Filters dialog box displays in the right pane.

Step 2 Click See detail to see for which versions this option is valid.

Step 3 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-67 11a Radio Filters Settings 

Field
Description

Ethertype

Receive

Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.

Transmit

Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.

IP Protocol

Receive

Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.

Transmit

Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.

IP Port

Receive

Enter the ID of a defined IP port protocol filter, or select one of the filters you created using Association > IP Port Filters.

Transmit

Enter the ID of a defined IP port protocol filter, or select one of the filters you created using Association > IP Port Filters.


Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining the 11a Radio Hardware Settings

Procedure


Step 1 Select 11a Radio > Hardware. The 11a Radio: Hardware dialog box displays in the right pane.

Step 2 Click See detail to see for which versions this option is valid.

Step 3 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-68 11a Radio Hardware Settings 

Field
Description

Service Set ID (SSID)

Enter a unique identifier client devices use to associate with the access point. It can be any alphanumeric, case-sensitive string, from 1 to 32 characters long.

Several access points on a network or sub-network can share an SSID.

Allow "Broadcast" SSID to Associate

From the list, select one of the following:

yes—Allows devices that do not specify an SSID (devices that are "broadcasting" in search of an access point) to associate with to associate with the access point.

no—Does not allow devices that do not specify an SSID (devices that are "broadcasting" in search of an access point) to associate with to associate with the access point.

With no selected, the SSID used by the client device must match exactly the access point's SSID.

Data Rates (Mb/sec)

6.0

From the list, select one of the following for each of the four rates in megabits per second:

basic—Allows transmission at this rate for all packets, both unicast and multicast. At least one data rate must be set to basic.

yes—Allows transmission at this rate for unicast packets only.

no—Does not allow transmission at this rate.

9.0

12.0

18.0

24.0

36.0

48.0

54.0

Transmit Power

From the list, select one of the following milliwatt settings: 5, 10, 20, 40.

To reduce interference or to conserve power, select a lower power setting.

Click See details to see for which versions this setting is valid.

Fragmentation Threshold (256-2338)

Enter a setting to determine the size at which packets are fragmented (sent as several pieces instead of as one block).

Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

RTS Threshold (0-2339)

Enter a setting to determine the packet size at which the access point issues a request to send (RTS) before sending the packet.

A low RTS Threshold setting can be useful in areas where many client devices are associating with the access point, or in areas where the clients are far apart and can detect only the access point and not each other.

Maximum RTS Retries (1-128)

Enter the maximum number of times the access point issues an RTS before stopping the attempt to send the packet through the radio.

Max. Data Retires (1-128)

Enter the maximum number of attempts the access point makes to send a packet before giving up and dropping the packet.

Beacon Period (Kusec)

Enter the amount of time between beacons in kilomicroseconds. (One kilomicrosecond equals 1,024 microseconds.)

Data Beacon Rate (DTIM)

Enter the amount of time, always a multiple of the beacon period, to determine how often the beacon contains a delivery traffic indication message (DTIM).

The DTIM tells power-save client devices that a packet is waiting for them.

If the beacon period is set at 100, its default setting, and the data beacon rate is set at 2, its default setting, then the access point sends a beacon containing a DTIM every 200 Kmsecs. (One Kmsec equals 1,024 microseconds.)

Default Radio Channel

From the list, select the radio channel you want for a default.

Search for less-congested Radio Channel?

From the list, select one of the following:

yes—Allows the access point to scan for the radio channel that is least busy and selects that channel for use.

no—Will not allow the access point to scan for a radio channel that is least busy.

Receive Antenna

From the list, select one of the following:

Right—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's right connector. (When you look at the access point's back panel, the right antenna is on the right.)

Use this setting for both receive and transmit.

Left—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's left connector. (When you look at the access point's back panel, the left antenna is on the left.)

Use this setting for both receive and transmit.

Diversity—Use this setting if your access point has two fixed (non-removable) antennas; it tells the access point to use the antenna that receives the best signal.

Use this setting for both receive and transmit.

Transmit Antenna


Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining the 11a Radio Advanced Settings

Use this option to define the settings and operational status of the Ethernet port.

Procedure


Step 1 Select 11a Radio > Advanced. The 11a Radio: Advanced dialog box displays in the right pane.

Click See detail to see for which versions this setting is valid.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-69 11a Radio Advanced Settings 

Field
Description

Status

From the list, select one of the following:

up—Enables the Radio port for normal operation.

down—Disables the device's Radio port.

Packet Forwarding

From the list, select one of the following:

enabled—Allows normal operation.

disabled—Prevents data from moving between the Ethernet and the radio, which is useful in troubleshooting.

Default Multicast Address Filter

From the list, select one of the following:

Allowed—The access point forwards all traffic except packets sent to the MAC addresses set as disallowed under Association > Address Filters.

Disallowed—The access point discards all traffic except packets sent to the MAC addresses set as allowed under Association > Address Filters.

Maximum Multicast Packets/Second

Use this setting to control the number of multicast packets that can pass through the Ethernet port each second.

If you enter 0, the access point passes an unlimited number of multicast packets.

If you enter a number other than 0, the device passes only that number of multicast packets per second.

Radio Cell Role

From the list, enter one of the following:

Client/Non-Root—use this setting for diagnostics or site surveys, such as when you need to test and access point by having it communicate with another access point or bridge without accepting associations from client devices.

Repeater/Non-Root—Use this setting for access points that are not connected to a wired LAN and which transfer data between another access point or repeater.

Access Point/Root—Use this setting if the access point is connected to a wired LAN.

Maximum Number of Associations

Enter the maximum number of wireless networking devices that are allowed to associate to the access point.

If you enter 0 it means that the maximum possible number of associations is allowed.

Click See details to see for which versions this setting is valid.

Use Aironet Extensions

From the list, select one of the following:

yes—Enable load balancing, Message Integrity Check (MIC), and WEP key hashing.

no—Does no enable the features listed above.

Classify Workgroup Bridges as network infrastructure

From the list, select one of the following:

yes—Use this setting to limit the number of workgroup bridges that can associate to the access point to 20 or less.

no—Use this setting to allow more than 20 workgroup bridges to associate to the access point.

Ethernet encapsulation transform

From the list, select one of the following:

802.1H—Provides optimum performance for Cisco Aironet wireless products.

RFC1042—Ensures interoperability with non-Cisco Aironet wireless equipment.

Enhanced MIC verification for WEP

From the list, select one of the following:

None—Does not enable MIC.

NMH—Enables MIC (Message Integrity Check), a security feature that protects your WEP keys by preventing attacks on encrypted packets called bit-flip attacks.

Temporal Key Integrity Protocol

From the list, select the following:

None—Does not enable WEP key hashing.

Cisco—Enables WEP key hashing that defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key.

Broadcast WEP Key rotation interval (sec)

Enter a rotation interval in seconds.

If you enter 900, for example, the access point sends a new broadcast WEP key to all associated client devices every 15 minutes.

If you enter 0, you disable broadcast WEP key rotation.

Accept Authentication Type

Open

From the list, select one of the following:

Yes—Allows any device, regardless of its WEP keys, to authenticate and attempt to associate. This is the recommended setting.

No—Does not allow any device, regardless of its WEP keys, to authenticate and attempt to associate.

Shared

From the list, select one of the following:

Yes—Tells the access point to send a plain-text, shared key query to any device attempting to associate with the access point. This query can leave the access point open to a known-text attack from intruders. This is not as secure as the Open setting.

No—Does not allow the access point to send a plain-text, shared key query to any device attempting to associate with the access point.

Network-EAP

From the list, select one of the following:

Yes—Allows EAP-enabled client devices to authenticate through the access point.

No—Does not allow EAP-enabled client devices to authenticate through the access point.

Require EAP

Open

From the list, select one of the following:

Yes—Use this option if you use open and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use open and EAP authentication.

Shared

From the list, select one of the following:

Yes—Use this option if you use shared and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use shared and EAP authentication.

Default Unicast Address Filter

Open

From the list, select one of the following:

Allowed—The access point forwards all traffic except packets sent to the MAC addresses set as disallowed with the Address Filters.

Disallowed—The access point discards all traffic except packets sent to the MAC addresses set as allowed with the Address Filters or on your authentication server.

Select Disallowed for each authentication type that also uses MAC-based authentication.

Shared

Network-EAP

Specified Access Point 1

If this access point is a repeater, enter the MAC address of one or more root-unit access points with which you want this access point to associate.

With MAC addresses in these fields, the repeater access point always tries to associate with the specified access points instead of with other less-efficient access points.

Specified Access Point 2

Specified Access Point 3

Specified Access Point 4

Non-Root Mobility

This setting applies mainly to repeater access points that you intend to use in a roaming environment.

From the list, select one of the following:

Stationary—Use this setting to specify that the radio firmware not aggressively scan for a better root association, which makes the association more stable but does not allow the access point to roam.

Mobile—Use this setting to specify that the radio firmware aggressively scan for a better root association, which allows the access point to roam throughout the wireless network.

Click See detail to see for which versions this setting is valid.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining the 11a Radio Searched Channels Settings

Use this option to limit the channels that the access point scans when Search for less-congested radio channel is enabled.

The access point uses this setting to scan for the radio channel that is least busy and selects that channel for use.


Note Not all channels are available for all geographic domains.


Procedure


Step 1 Select 11a Radio > Searched Channels. The 11a Radio: Searched Channels dialog box displays in the right pane.

Click See detail to see for which versions this setting is valid.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-70 11a Radio Searched Channels Settings 

Field
Description

Channel Number

Lists the available channels by number.

Frequency (mHz)

Lists the channel frequency.

For a list of channel frequency, refer to one of the following:

URL: http://www.cisco.com/en/US/products/hw/wireless/ps430/products_command_reference_chapter09186a0080147d8b.html#2450296

Cisco IOS Commands for Access in the Cisco Aironet 1200 Series Access Point Command Reference.

Search?

From the list, select one of the following:

Yes—Use this option to include the channel in the scan for less-congested channels.

No—Use this option to exclude the channel in the scan for less-congested channels


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining the 11a Radio Data Encryption Settings

Use this option to limit the channels that the access point scans when Search for less-congested radio channel is enabled.

The access point uses this setting to scan for the radio channel that is least busy and selects that channel for use.

Procedure


Step 1 Select 11a Radio > Data Encryption. The 11a Radio: Data Encryption dialog box displays in the right pane.

Step 2 Click See detail to see for which versions this setting is valid.

Step 3 Complete the following:

Table 4-71 11a Radio Data Encryption Settings 

Field
Description

Data Encryption by Stations

From the list, select the encryption type:

No Encryption—Requires clients to communicate with the Access Point without any data encryption. This setting is not recommended.

Optional—Allows clients to communicate with the Access Point either with or without data encryption. Typically, this option is used when you have client devices that cannot make a WEP connection, such as non-Cisco clients in a 128-bit WEP environment.

Full Encryption—Requires clients to use data encryption when communicating with the Access Point. Clients not using data encryption are allowed to communicate. This option is recommended if you want to maximize the security of your Wireless LAN.

Authentication Type

Open

From the list, select one of the following:

Yes—Allows any device, regardless of its WEP keys, to authenticate and attempt to associate. This is the recommended setting.

No—Does not allow any device, regardless of its WEP keys, to authenticate and attempt to associate.

Shared

From the list, select one of the following:

Yes—This setting enables the access point to send a plain-text, shared key query to any device attempting to associate with the access point. This query can leave the access point open to a known-text attack from intruders. This is not as secure as the Open setting.

No—This setting does not allow the access point to send a plain-text, shared key query to any device attempting to associate with the access point.

Network EAP

From the list, select one of the following:

From the list, select one of the following:

Yes—Allows EAP-enabled client devices to authenticate through the access point.

No—Does not allow EAP-enabled client devices to authenticate through the access point.

Require EAP

Open

From the list, select one of the following:

Yes—Use this option if you use open and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use open and EAP authentication.

Shared

From the list, select one of the following:

Yes—Use this option if you use shared and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use shared and EAP authentication.

Encryption Keys 1 through 4

Transmit Key

Click to indicate this is the key you want to use to transmit packets. Only one key can be selected at a time.

Encryption Key

Enter the type of encryption key used:

For 40-bit WEP keys, enter as 10 hexadecimal digits (0-9, a-f, or A-F).

For 128-bit WEP keys, enter as 26 hexadecimal digits (0-9, a-f, or A-F).

Key Size

From the list, select one of the following:

40 bit

128 bit

Not set


Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining the 11a Radio Module Service Sets

Use this option to limit the channels that the access point scans when Search for less-congested radio channel is enabled.

The access point uses this setting to scan for the radio channel that is least busy and to select that channel for use.

Procedure


Step 1 Select 11a Radio > Module Service Sets. The 11a Radio: Module Service Sets dialog box displays in the right pane.

Step 2 Click See detail to see which versions this option is valid for.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Step 3 Using this option you can:

Add a new Service Set—See Adding a New Service Set.

Delete an exiting Service Set from a device—See Deleting an Existing Service Sets.


Adding a New Service Set

Procedure


Step 1 To add a new module service set, enter the following:

Table 4-72 New Module Service Sets 

Field
Description

Device

SSID for use by Infrastructure Stations (such as Repeaters)

Enter an identification number for the client radio SSID.

Disallow Infrastructure Stations on any other SSID

From the list, select one of the following:

Yes—Use this option to disallow infrastructure stations on any other SSID.

No—Use this option to allow infrastructure stations on any other SSID.

Add New Service Set

Service Set ID (1-32)

Enter an identification for the SSID.

Service Set Name

Enter the SSID.

Maximum Number of Associations

Enter a number to limit the maximum number of wireless clients per SSID.

Proxy Mobile IP Enabled

From the list, select one of the following:

Yes—This setting allows proxy mobile IP use by all stations associated to this access point.

No—This setting does not allow proxy mobile IP use.

Default VLAN ID

Enter the identification number for a defined VLAN, or select one of the VLAN IDs you created using Association >VLANs.

Default Policy Group

Enter the identification number of a defined policy group, or select one of the policy groups you created using Association > Policy Groups.

Accept Authentication Type

Open

From the list, select one of the following:

Yes—Allows any device, regardless of its WEP keys, to authenticate and attempt to associate. This is the recommended setting.

No—Does not allow any device, regardless of its WEP keys, to authenticate and attempt to associate.

Shared

From the list, select one of the following:

Yes—Tells the access point to send a plain-text, shared key query to any device attempting to associate with the access point. This query can leave the access point open to a known-text attack from intruders. This is not as secure as the Open setting.

No—Does not allow the access point to send a plain-text, shared key query to any device attempting to associate with the access point.

Network-EAP

From the list, select one of the following:

Yes—Allows EAP-enabled client devices to authenticate through the access point.

No—Does not allow EAP-enabled client devices to authenticate through the access point.

Require EAP

Open

From the list, select one of the following:

Yes—Use this option if you use open and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use open and EAP authentication.

Shared

From the list, select one of the following:

Yes—Use this option if you use shared and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use shared and EAP authentication.

Default Unicast Address Filter

Open

From the list, select one of the following:

Allowed—The access point forwards all traffic except packets sent to the MAC addresses set as disallowed with the Address Filters.

Disallowed—The access point discards all traffic except packets sent to the MAC addresses set as allowed with the Address Filters or on your authentication server.

Select Disallowed for each authentication type that also uses MAC-based authentication.

Shared

Network-EAP


Step 2 Click Add to add the Service Set to the Service Sets to Add list.

Step 3 To delete a group from the list, select the name, then click Delete.

Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Deleting an Existing Service Sets

Procedure


Step 1 Enter the Service Set number in the Service Set ID text box, then click Add to add it to the Service Sets to Delete list.

Step 2 To delete an identification number from the list, select it, then click Delete.

Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining the 11a Radio Primary Service Set

Use this option to set a default VLAN for the primary SSID on an access point.

Procedure


Step 1 Select 11a Radio > Primary Service Set. The 11a Radio: Primary Service Set dialog box displays in the right pane.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Step 2 Enter the following information:

Table 4-73 Primary Service Set 

Field
Description

Service Set Name

Enter the name.

Maximum Number of Associations

Enter a number to limit the maximum number of wireless clients per SSID.

Proxy Mobile IP Enabled

From the list, select one of the following:

Yes—This setting allows proxy mobile IP use by all stations associated to this access point.

No—This setting does not allow proxy mobile IP use.

Default VLAN ID

Enter the identification number for a defined VLAN, or select one of the VLAN IDs you created using Association >VLANs.

Default Policy Group

Enter the identification number of a defined policy group, or select one of the policy groups you created using Association > Policy Groups.

Accept Authentication Type

Open

From the list, select one of the following:

Yes—Allows any device, regardless of its WEP keys, to authenticate and attempt to associate. This is the recommended setting.

No—Does not allow any device, regardless of its WEP keys, to authenticate and attempt to associate.

Shared

From the list, select one of the following:

Yes—Tells the access point to send a plain-text, shared key query to any device attempting to associate with the access point. This query can leave the access point open to a known-text attack from intruders. This is not as secure as the Open setting.

No—Does not allow the access point to send a plain-text, shared key query to any device attempting to associate with the access point.

Network-EAP

From the list, select one of the following:

Yes—Allows EAP-enabled client devices to authenticate through the access point.

No—Does not allow EAP-enabled client devices to authenticate through the access point.

Require EAP

Open

From the list, select one of the following:

Yes—Use this option if you use open and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use open and EAP authentication.

Shared

From the list, select one of the following:

Yes—Use this option if you use shared and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use shared and EAP authentication.

Default Unicast Address Filter

Open

From the list, select one of the following:

Allowed—The access point forwards all traffic except packets sent to the MAC addresses set as disallowed with the Address Filters.

Disallowed—The access point discards all traffic except packets sent to the MAC addresses set as allowed with the Address Filters or on your authentication server.

Select Disallowed for each authentication type that also uses MAC-based authentication.

Shared

Network-EAP


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring 11a Radio QoS

Use this option to define traffic class QoS policies.

Procedure


Step 1 Select 11a Radio > Module QoS. The 11a Radio: Quality of Service dialog box appears.

Click See detail to see which versions this option is valid for.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-74 11a Radio QoS 

Field
Description

Generate QBBS Element

From the list, select one of the following:

Yes—Use this setting to enable support for basic 802.11 Quality of Service.

No—Use this setting to disable support for basic 802.11 Quality of Service.

User Symbol Extensions

From the list, select one of the following:

Yes—Use this setting enables support for Symbol Voice over IP (VoIP phones).

No—Use this setting to disable support for Symbol VoIP phones.

Send IGMP General Query

From the list, select one of the following:

Yes—Use this setting to allow the access point to send an IGMP General Query to all associated stations when they complete all required high-level authentication.

No—Use this setting to not allow the access point to send an IGMP General Query.

Background

Min Contention Window—Enter the minimum contention window value. The value listed is to the power of 2. The access point computes Contention Window values.

Max Contention Window—Enter the maximum contention window value. The value listed is to the power of 2. The access point computes Contention Window values.

Fixed Slot Time—Enter a value for a fixed slot time.

(spare)

Best Effort (default)

Excellent Effort

Controlled Load

Interactive Video

Interactive Voice

Network Control


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Defining the Security Settings

Use this option to configure the device's security settings.

Procedure


Step 1 Select Security. The menu expands and the Security dialog box displays in the right pane.

Step 2 Select one of the following from the Security menu:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Local Admin Access—See Setting Local Admin Access.

Local AP/Client Security—See Setting Local AP/Client Security.

Authentication Server Security—See Setting Authentication Server Security.


Setting Local Admin Access

Use this option to enable or disable local admin access.

Procedure


Step 1 Select Security > Local Admin Access. The Security: Local Admin Access dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-75 Local Admin Access Settings 

Field
Description

Local Admin Authentication

From the list, select one of the following:

Enable—Use this setting to enable local admin authentication.

Disable—Use this setting to disable local admin authentication.

Allow read-only browsing without login

From the list, select one of the following:

Yes—Use this setting to allow read-only browsing.

No—Use this setting to disallow read-only browsing.


Step 3 Using this option you can:

Add Users—See Adding Users.

Delete Users—See Deleting Users.


Adding Users

Procedure


Step 1 To add a new user, enter the following:

Field
Description

Add Users

Click See user details for information about existing user IDs. See Understanding the User Details Window for information about the table.

User Identifier

Enter an identification number for the user. Use the table in the User Details window to help assign a number. If you use an existing identifier number, you will modify the current setting.

Tip If you want to set the same user name on all access points and do not know which user ID's may already be in use, enter a very high value (2000).

User name

Enter the name for the user.

User password

Enter a password for the user.

Confirm User Password

Reenter the password.

Capabilities

Select the capabilities you want to allow the user.


Step 2 Click >> to add the users to the Users to Add list.

Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Deleting Users

Procedure


Step 1 Click See detail to see which versions this option is valid for.

Click See user details Click See user details for information about existing user IDs. See Understanding the User Details Window for information about the table.

Step 2 Enter the user's identification number in the User Identifier text box, then click >> to add it to the Users to Delete list.

Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Understanding the User Details Window

When you click see user details, a window appears with the following table:

Field
Description

Device Name

The device name.

IP Address

The IP address of the device.

User Identifier

The currently assigned user identifier.

Username

The user name.

Timestamp

The time and date in which the information was collected from the access point.


Setting Local AP/Client Security

Use this option to set up the local access point and client security.

Procedure


Step 1 Select Security > Local AP/Client Security. The Security: Local AP/Client Security dialog box appears:

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-76 Local AP /Client Security Settings 

Field
Description

Data Encryption by Stations

From the list, select the encryption type:

No Encryption—Requires clients to communicate with the Access Point without any data encryption. This setting is not recommended.

Optional—Allows clients to communicate with the Access Point either with or without data encryption. Typically, this option is used when you have client devices that cannot make a WEP connection, such as non-Cisco clients in a 128-bit WEP environment.

Full Encryption—Requires clients to use data encryption when communicating with the Access Point. Clients not using data encryption are allowed to communicate. This option is recommended if you want to maximize the security of your Wireless LAN.

Authentication Type

Open

From the list, select one of the following:

Yes—Allows any device, regardless of its WEP keys, to authenticate and attempt to associate. This is the recommended setting.

No—Does not allow any device, regardless of its WEP keys, to authenticate and attempt to associate.

Shared Key

From the list, select one of the following:

Yes—Tells the access point to send a plain-text, shared key query to any device attempting to associate with the access point. This query can leave the access point open to a known-text attack from intruders. This is not as secure as the Open setting.

No—Does not allow the access point to send a plain-text, shared key query to any device attempting to associate with the access point.

Network-EAP

From the list, select one of the following:

Yes—Allows EAP-enabled client devices to authenticate through the access point.

No—Does not allow EAP-enabled client devices to authenticate through the access point.

Require EAP

Open

From the list, select one of the following:

Yes—Use this option if you use open and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use open and EAP authentication.

Shared

From the list, select one of the following:

Yes—Use this option if you use shared and EAP authentication to block client devices that are not using EAP from authenticating through the access point.

No—Use this option if you do not use shared and EAP authentication.

Encryption Keys 1 through 4

Transmit Key

Click to indicate this is the key you want to use to transmit packets. Only one key can be selected at a time.

Encryption Key

Enter the type of encryption key used:

For 40-bit WEP keys, enter as 10 hexadecimal digits (0-9, a-f, or A-F).

For 128-bit WEP keys, enter as 26 hexadecimal digits (0-9, a-f, or A-F).

Key Size

From the list, select one of the following:

Not set

40 bit

128 bit


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Authentication Server Security

Use this option to set up authentication server security.


Note Changing this setting may cause the access point to reboot.


Procedure


Step 1 Select Security > Authentication Server. The Security: Authentication Server dialog box appears:

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-77 Authentication Server Settings 

Field
Description

802.1X Protocol Version (For EAP Authentication)

Note This setting may cause the device to reboot.

From the list, select one of the following:

Draft 7—No radio firmware versions compliant with Draft 7 have LEAP capability, so you should not need to select this setting.

Draft 8—Select this option if LEAP-enabled client devices that associate with this access point use radio firmware versions 4.13, 4.16, or 4.23, or if workgroup bridges associating with this access point use firmware version 8.58 or earlier.

Draft 10—Select this option if client devices that associate with this access point or bridge use Microsoft Windows XP EAP authentication, if LEAP-enabled client devices that associate with this bridge use radio firmware version 4.25 or later, or if workgroup bridges associating with this access point use firmware version 8.65 or later.

Click See detail for information on which version this setting is valid

Primary Server Reattempt Period (Min)

Enter the amount of time a before another attempt is made if the server is not responding.

Click See detail for information on which version this setting is valid.

Server Name/IP

Enter the name or IP address of the server.

Server Type

Enter the type of server.

Click See detail for information on which version this setting is valid

Port

Enter the port number your server uses for authentication.

Shared Secret

Enter the shared secret used by your server. It must match the shared secret on the RADIUS server.

Retran Int (sec)

Enter the number of seconds the access point should wait before retransmitting.

Click See detail for information on which version this setting is valid.

Max Retran

Enter the number of times the access point should attempt to contact the server before giving up.

Click See detail for information on which version this setting is valid.

Time Out (sec's)

Enter the number of seconds the access point should wait before authentication fails.

If the server does not respond within this time, the access point tries to contact the next defined authentication server.

EAP Auth.

From the list, select one of the following:

Yes—Use this server for EAP authentication.

In this type of authentication, the access point relays authentication messages between the server and the authenticating client device.

No—Do not use this server for EAP authentication.

Click See detail for information on which version this setting is valid.

MAC Auth.

From the list, select one of the following:

Yes—Use this server for MAC-based authentication.

This allows only client devices with specified MAC addresses to associate and pass data through the access point. Client devices with MAC addresses not in a list of allowed MAC addresses are not allowed to associate with the access point.

No—Do not use this server for MAC-based authentication.

Click See detail for information on which version this setting is valid.

User Auth.

From the list, select one of the following:

Yes—Use this setting to allow user authentication.

No—Use this setting to disallow user authentication.

Click See detail for information on which version this setting is valid.

MIP Auth.

From the list, select one of the following:

Yes—Use this setting to authenticate proxy Mobile IP configured clients.

No—Use this setting to disallow authentication of proxy Mobile IP configured clients.

Click See detail for information on which version this setting is valid.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Services

Use this option to configure various system features and support services on the device.

Procedure


Step 1 Select Services. The menu expands and the Services dialog box displays in the right pane.

Step 2 Select one of the following from the Services menu:

Start-Up—See Configuring Start-Up Settings.

Console/Telnet—See Configuring Console/Telnet Settings.

Hot Standby—See Configuring Hot Standby Settings.

Routing—See Configuring Routing Settings.

CDP—See Configuring CDP Settings.

DNS—See Configuring DNS Settings.

FTP—See Configuring FTP Settings.

HTTP—See Configuring HTTP Settings.

SNMP—See Configuring SNMP Settings.

SNTP—See Configuring SNTP Settings.

Accounting—See Configuring Accounting Settings.

ProxyMobile IP Setup—See Setting Up Proxy Mobile IP.

ProxyMobile SA Bind—See Configuring Proxy Mobile SA Bindings.


Configuring Start-Up Settings

Use this option to configure the access point for your network's BOOTP or DHCP servers for automatic assignment of IP addresses.

Procedure


Step 1 Select Services > Start-Up. The Services: Start-Up dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-78 Start-Up Settings 

Field
Description

Configuration Server Protocol

From the list, select one of the following:

None—Use this setting if your network does not have an automatic system for IP address assignment.

BOOTP—Use this setting if IP addresses are hard-coded based on MAC addresses.

DHCP—Use this setting if IP addresses are "leased" for predetermined periods of time.

Use prior Config Server settings if no server responds?

From the list, select one of the following:

yes—Use this setting to have the access point save the boot server's most recent response.

no—Use this setting to not use the most recent response.

Read ".ini" file from file server?

From the list, select one of the following:

always—Use this setting for the access point to always load configuration settings from an .ini file on the server.

never—Use this setting for the access point to never load configuration settings from an.ini file on the server.

if specified by server—Use this setting for the access point to load configuration settings from an.ini file on the server if the server's DHCP or BOOTP response specifies that an.ini file is available.

BOOTP Server Timeout (sec's)

Enter the length of time the access point waits to receive a response from a single BOOTP server.

DHCP Multiple-Offer Timeout (sec's)

Enter the length of time the access point waits to receive a response when there are multiple DHCP servers.

DHCP Requested Lease Duration (min's)

Enter the length of time the access point requests for an IP address lease from your DHCP server.

DHCP Minimum Lease Duration (min's)

Enter the shortest amount of time the access point accepts for an IP address lease. The access point ignores leases shorter than this period.

DHCP Client Identifier Type

From the list, select one of the client identifier types.

Click See detail to see for which versions this setting is valid.

DHCP Client Identifier Value

Use this setting to include a unique identifier in the access point's DHCP request packet.

If you select Other-Non Hardware from the DHCP Client Identifier Type list, you can enter up to 255 alphanumeric characters.

If you select any other option from the DHCP Client Identifier Type list, you can enter up to 12 hexadecimal characters (numbers 0 through 9, and the letters A through F).

Click See detail to see for which versions this setting is valid.

DHCP Class Identifier

Enter the access point's group name.

The DHCP server uses the group name to determine the response to send to the access point.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Console/Telnet Settings

Use this option to configure the access point to work with a terminal emulator or through Telnet.

Procedure


Step 1 Select Services > Console/Telnet. The Services: Console/Telnet dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-79 Console/Telnet Settings 

Field
Description

Baud Rate

Enter a rate from 110 to 115,200, expressed in bits per second.

The rate you enter is dependent on the capability of the computer you use to open the access point management system.

Parity

From the list, select one of the following:

None—Use this setting to use no parity bit.

Even—Use this setting to make the total number of bits even.

Odd—Use this setting to make the total number of bits odd.

Data Bits

From the list, select one of the data bit settings.

Stop Bits

From the list, select one of the stop bit settings.

Flow Control

From the list, select one of the following:

None—Use this setting to indicate no flow control is used.

SW Xonn/Xoff—Use this setting to indicate the method information is sent between pieces of equipment to prevent loss of data when too much information arrives at the same time on one device.

Terminal Type

From the list, select one of the following:

teletype—Use this setting if your terminal emulator does not support ANSI.

ANSI—Use this setting to offer graphic features such as reverse video buttons and underlined links.

Columns (64-132)

Enter a number to define the width of the terminal emulator display within the range of 64 characters to 132 characters.

Lines (16-50)

Enter a number to define the height of the terminal emulator display within the range of 16 characters to 50 characters.

Telnet

From the list, select one of the following:

Enable—Use this setting to enable Telnet access to the management system.

Disable—Use this setting to prevent Telnet access to the management system.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Hot Standby Settings

Use this option to configure a standby access point as a client device associated to a monitored access point.

Procedure


Step 1 Select Services > Hot Standby. The Services: Hot Standby dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-80 Hot Standby Settings 

Field
Description

Hot Standby Mode

From the list, select one of the following:

Enable—Use this setting to allow hot standby mode.

Disable—Use this setting to disable hot standby mode.

Service Set ID (SSID)

Enter the monitored access point's SSID.

MAC Address for the Monitored AP

Enter the monitored access point's MAC address.

Polling Frequency (1-30)

Enter the number of seconds between each query the standby access point sends to the monitored access point.

Timeout for Each Polling (1-600)

Enter the number of seconds the standby access point should wait for a response from the monitored access point before it assumes that the monitored access point has malfunctioned.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Routing Settings

Use this option to configure the access point to communicate with the IP network routing system.

Procedure


Step 1 Select Services > Routing. The Services: Routing dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-81 Routing Settings 

Field
Description

Default Gateway

Enter the IP address of your network's default gateway in this entry field.

The entry 255.255.255.255 indicates no gateway.

New Network Route

Destination Network

Enter the IP address of the destination network.

Gateway

Enter the IP address of the gateway used to reach the destination network.

Subnet Mask

Enter the subnet mask associated with the destination network.


Step 3 Click >> to add an additional network route for the access point.

Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring CDP Settings

Use this option to enable, disable, or adjust the access point's CDP settings.

Procedure


Step 1 Select Services > CDP. The Services: CDP dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-82 CDP Settings 

Field
Description

Cisco Discovery Protocol (CDP)

From the list, select one of the following:

Enable—Use this setting to enable CDP.

Disable—Use this setting to disable CDP.

Packet Hold Time

Enter the number of seconds other CDP-enabled devices should consider the access point's CDP information valid.

Packet Sent Every

Enter the number of seconds between each CDP packet the access point sends.

This value should always be less than the packet hold time.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring DNS Settings

Use this option to configure the access point to work with your network's Domain Name System (DNS) server.

Procedure


Step 1 Select Services > DNS. The Services: DNS dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-83 DNS Settings 

Field
Description

Domain Name System (DNS)

From the list, select one of the following:

Enable—Use this option if your network DNS.

Disable—Use this option if you network does not use DNS.

Default Domain

Enter the name of your network's IP domain. Your entry might look like this: mycompany.com

Domain Name Servers

Enter the IP addresses of up to three domain name servers on your network.

Domain Suffix

Enter the portion of the full domain name that you would like omitted from access point displays.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring FTP Settings

Use this option to configure File Transfer Protocol settings for the access point. All non-browser file transfers are governed by these settings.

Procedure


Step 1 Select Services > FTP. The Services: FTP dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-84 FTP Settings 

Field
Description

File Transfer Protocol (FTP)

From the list select one of the protocols.

Default File Server

Enter the IP address or DNS name of the file server where the access point should look for FTP files.

FTP Directory

Enter the file server directory that contains the firmware image files.

FTP User Name

Enter the username assigned to your FTP server.

You do not need to enter a name in this field if you selected TFTP.

FTP User Password

Enter the password associated with the file server's username.

You do not need to enter a password in this field if you selected TFTP.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring HTTP Settings

Use this option to configure HTTP settings for the access point.

Procedure


Step 1 Select Services > HTTP The Services: HTTP dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-85 HTTP Settings 

Field
Description

Allow Non-Console Browsing

From the list, select one of the following:

Enable—Use this setting to allow browsing to the management system.

Disable—Use this setting to make the management system accessible only through the console and Telnet interfaces.

HTTP Port

Enter the port through which the access point provides web access.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring SNMP Settings

Use this option to configure settings for notifications to be sent to an SNMP server.

Procedure


Step 1 Select Services > SNMP. The Services: SNMP dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-86 SNMP Settings 

Field
Description

Simple Network Management Protocol (SNMP)

From the list, select one of the following:

Enable—Use this setting to allow event notifications to be sent to an SNMP server.

Disable—Use this setting to not allow event notifications to be sent to an SNMP server.

SNMP Trap Destination

Enter the IP address or the host name of the server running the SNMP Management software.

SNMP Trap Community

Enter the SNMP community name.

SysName

Enter the system name.

SysLocation

Enter the system location.

SysContact

Enter the system contact.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring SNTP Settings

Use this option to configure time server settings.

Procedure


Step 1 Select Services > SNTP. The Services: SNTP dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-87 SNTP Settings 

Field
Description

Simple Network Time Protocol (SNTP)

From the list, select one of the following:

Enable—Use this setting if your network uses Simple Network Time Protocol.

Disable—Use this setting if your network does not use Simple Network Time Protocol.

Default Time Server

Enter enter the server's IP address.

GMT Offset (hr)

From the list, select the time zone in which the access point operates.

Use Daylight Savings Time

From the list, select one of the following:

Enable—Use this setting to have the access point automatically adjust to Daylight Savings Time.

Disable—Use this setting to not have the access point automatically adjust to Daylight Savings Time.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Accounting Settings

Use this option to configure settings that enable you to send network accounting information about wireless client devices to a RADIUS server on your network.

Procedure


Step 1 Select Services > Accounting. The Services: Accounting dialog box appears.

Click See detail to see for which versions this setting is valid.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-88 Accounting Settings 

Field
Description

Enable accounting

From the list, select one of the following:

enable—Use this setting to turn on accounting for your wireless network.

disable—Use this setting to turn off accounting for your wireless network

Enable delaying to report STOP

From the list, select one of the following:

enable—Use this setting to delay sending a stop report to the server when a client device disassociates from the access point.

The delay reduces accounting activity for client devices that disassociate from the access point and then quickly reassociate.

disable—Use this setting to not delay sending a stop report to the server when a client device disassociates from the access point.

Minimum delay time to report STOP (sec)

Enter the number of seconds the access point waits before sending a stop report to the server when a client device disassociates from the access point.

Server Name/IP

Enter the name or IP address of the server to which the access point sends accounting data.

Server Type

Select RADIUS from the list.

(Additional types may be added in future software releases.)

Port

Enter the communication port setting used by the access point and the server.

The default setting, 1813, is the correct setting for Cisco Aironet access points and Cisco secure ACS.

Shared Secret

Enter the shared secret used by your server. It must match the shared secret on the RADIUS server.

Retran (sec)

Enter the amount of time to wait before retransmitting.

Max Retran

Enter the maximum number of times to attempt retransmissions.

Click See detail for information on which version this setting is valid.

Enable Update

From the list, select one of the following:

enable—Use this setting to allow accounting update messages for wireless clients.

With updates enabled, the access point sends an accounting start message when a wireless client associates to the access point, sends updates at regular intervals while the wireless client is associated to the access point, and sends an accounting stop message when the client disassociates from the access point.

disable—Use this setting to not allow accounting update messages.

With updates disabled, the access point sends only accounting start and accounting stop messages to the server.

Update Delay (sec)

Enter the update interval in seconds.

If you use 360, the access point sends an accounting update message for each associated client device every 6 minutes.

EAP Auth.

From the list, select one of the following:

Yes—Use this server for EAP authentication.

In this type of authentication, the access point relays authentication messages between the server and the authenticating client device.

No—Do not use this server for EAP authentication.

Non-EAP Auth.

From the list, select one of the following:

Yes—Use this server for non-EAP authentication.

No—Do not use this server for non-EAP authentication.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Setting Up Proxy Mobile IP

Use this option to enable the access points to work in conjunction with Mobile IP configured on your network routers.

Procedure


Step 1 Select Services > ProxyMobileIP Setup. The Services: Proxy Mobile IP Setup dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-89 Proxy Mobile IP Setup 

Field
Description

Enable Proxy Mobile IP

From the list, select one of the following:

Yes—Use this setting to enable proxy mobile IP.

No—Use this setting to disable proxy mobile IP.

Authoritative IP 1 through 3

Enter the IP address of the authoritative access point.

Proxy Mobile IP must be enabled on the wireless SSID. Since multiple SSIDs may exist on the access point and not all SSIDs may have to accommodate mobile clients, you must enable proxy Mobile IP per SSID. The authoritative access point is used to communicate with new access points to update subnet map records and send the new access points a new and complete subnet mapping table.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Proxy Mobile SA Bindings

Use this option to identify the clients that are able to establish contact with a foreign agent in another network segment or network other than the client's home network.

Procedure


Step 1 Select Services > ProxyMobile SA Bind. The Services: Proxy Mobile SA Bindings dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-90 Proxy Mobile SA Bindings 

Field
Description

IP Address Range - Start

Enter the beginning IP address of the range in which client devices must reside in order to be valid.

IP Address Range - End

Enter the ending IP address of the range in which the client devices must reside in order be valid.

Group SPI

Enter the security parameter index of the IP address range entered in the IP Address Range - Start and End fields.

The SPI is a 32-bit number (8 hexadecimal digits) assigned to the initiator of the security association request by the receiving IPSec endpoint. On receiving a packet, the destination address, protocol, and SPI are used to determine the security association.

The security association allows the node to authenticate or decrypt the packet according to the security policy configured for that security association.

Group Key

Enter an authentication key that the group specified in the security association uses to access a foreign agent.

The group key is a 128-bit key entered as 32 hexadecimal digits (0-9, a-f, or A-F).

To add to the current SA Bindings, click >>.

Current SA Bindings

Lists previously configured security association bindings.

To remove a binding from the list, select it, then click <<.

Delete Existing SA Binding from Device

SA Binding ID

Enter the identification number of the SA binding to delete, then click >>.

SA Bindings To Delete

Lists the SA bindings to be deleted.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Events

This option enables to you to customize the display of access point events (alerts, warnings, and normal activity).

Procedure


Step 1 Select Events. The menu expands and the Events dialog box displays in the right pane.

Step 2 Select one of the following from the Events menu:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Event Handling—See Configuring Event Handling.

Event Notifications—See Configuring Event Notification.


Configuring Event Handling

The event settings control how events are handled by the access point: counted, displayed in the log, recorded, or announced in a notification. The settings are color coded: red for fatal errors, magenta for alerts, blue for warnings, and green for information.

Procedure


Step 1 Select Events > Event Handling. The Events: Event Handling dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-91 Event Handling Settings 

Field
Description

System Fatal

From the list, select one of the following:

Count—Use this option to tally the total events occurring in this category without any form of notification or display.

Display Console—Use this option to provide a read-only display of the event but not record it.

Record—Use this option to make a record of the event in the log and provide a read-only display of the event.

Notify—Use this option to makes a record of the event in the log, display the event, and tell the access point to notify someone of the occurrence.

Protocol Fatal

Network Port Fatal

System Alert

Protocol Alert

Network Port Alert

External Alert

System Warning

Protocol Warning

Network Port Warning

External Warning

System Information

Protocol Information

Network Port Information

External Information

Handle Alerts as Severity Level

From the list, select one of the following:

systemFatal—Indicates an event that prevents operation of the device as a whole.

protocolFatal—Indicates an event that prevents operation of a specific communications protocol in use, such as HTTP or IP.

portFatal—Indicates an event that prevents operation of the Ethernet or radio network interface.

systemAlert—Indicates that you need to take action to correct a condition on the device as a whole.

protocolAlert—Indicates that you need to take action to correct a condition on a specific communications protocol in use, such as HTTP or IP.

portAlert—Indicates that you need to take action to correct the condition on the Ethernet or radio network interface.

externalAlert—Indicates that you need to take action to correct the condition on a device on the network.

 

systemWarning—Indicates that an error or failure may have occurred on the device as a whole.

protocolWarning—Indicates that an error or failure may have occurred on a specific communications protocol in use, such as HTTP or IP.

portWarning—Indicates that an error or failure may have occurred on an Ethernet or radio network interface.

externalWarning—Indicates that an error or failure may have occurred on a device.

systemInfo—Notification that some sort of event has occurred on a device.

protocolInfo—Notification that some sort of event has ocurred on a communications protocol in use, such as HTTP or IP.

portInfo—Notification that some sort of event has ocurred on an Ethernet or radio network interface.

externalInfo—Notification that some sort of event has ocurred on a device.

Maximum Number of Bytes Stored per Alert Packet

(0- 2312)

Enter the maximum number of bytes the access point stores for each Station Alert packet when packet tracing is enabled.

If you use 0, the access point does not store bytes for Station Alert packets; it only logs the event.

Maximum Memory Reserved for Detailed Event Trace Buffer (bytes) (0-8388608)

Enter the number of bytes reserved for the Detailed Event Trace Buffer.

The Detailed Event Trace Buffer is a tool for tracing the contents of packets between specified stations on your network.

Note Changing this setting may cause the access point to reboot.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Event Notification

Use this option to enable and configure notification of fatal, alert, warning, and information events to destinations external to the access point, such as an SNMP server or a Syslog system.

Procedure


Step 1 Select Events > Event Notification. The Events: Event Notification dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 4-92 Events > Event Notification Settings 

Field
Description

Should Notify-Disposition Events generate SNMP Traps?

From the list, select one of the of the following:

Yes—Use this option to send event notifications to an SNMP server.

No—Use this option if you do not want to send notifications to an SNMP server.

SNMP Trap Destination

Enter the IP address or the host name of the server running the SNMP Management software.

SNMP Trap Community

Enter the SNMP community name.

Should Notify-Disposition Events generate Syslog Messages?

From the list, select one of the of the following:

Yes—Use this option to send event notifications to a Syslog server.

No—Use this option if you do not want to send notifications to a Syslog server.

Syslog Destination Address

Enter the IP address or the host name of the server running Syslog.

Syslog Facility Number

Enter the Syslog Facility number for the notifications.


Step 3 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Configuring Custom Values

This option enables to you to enter custom values that might not be available in the Template Menu. It also allows you to quickly enter a value, if you know the exact value you want to change, instead of going through the menu.


Note This option should be used only by advanced users who have a good understanding of the MIB variables they are setting.


Templates with custom key values are not validated.

Procedure


Step 1 Select Configure > Templates > Custom Values. The Custom Values dialog box appears.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Step 2 Complete the following:


Note You must enter the exact syntax for the setting to work properly.


Field
Description

Key

Enter a valid MIB key.

Value

Enter a valid MIB value.


Step 3 Click >> to add the custom value to the list.


Note If the custom value you enter is the same as an existing one in the Template Menu, the custom value will override the value in the menu.


Step 4 Select one of the following in the left pane:

Preview to see your changes before you apply them. See Previewing the Template.

Save to save the template. See Saving the Template.

Another template category to configure more options. See Template Categories.


Previewing the Template

Procedure


Step 1 Click Preview. A Command Preview window displays the configuration choices you have made to the template.

Step 2 Click Save. See Saving the Template.


Saving the Template

Procedure


Step 1 Click Save in the left pane to complete creating a template. The Save dialog box appears in the right pane.

Step 2 Click Save to create the template.

Step 3 Do one of the following:

Click Yes if you want to save the template then schedule a configuration job.

The window refreshes to the Job Creation window and a job is automatically created for you using the template name and a random number. See Selecting Devices.

Click No if you want to save the template only.

Click Cancel to cancel the operation and then display the previous screen.


Creating a Template

Use this option to create a configuration template.


Note Your login determines whether you can use this option.


Procedure


Step 1 Select Configure > Templates. The Templates dialog box appears.

Step 2 Select IOS or non-IOS depending upon the type of template you want to create.

Step 3 Enter a unique name. See Naming Guidelines for details.

Step 4 Click Create New. The window refreshes with the Template Creation menu in the left pane and the Template Name dialog box in the right pane.

Step 5 Select the choices in the left pane to create a configuration template. For a description, see Template Choices.


Copying a Template

Use this option to copy a configuration template that you can use as a base for another template.


Note Your login determines whether you can use this option.


Procedure


Step 1 Select Configure > Templates. The Templates dialog box appears.

Step 2 Select the template you want to copy from the Existing Templates box, then click Create Copy. A dialog box appears asking you to enter a name for the copy.

Step 3 Enter a unique name. See Naming Guidelines for details.

Step 4 Click OK. The Templates window refreshes and the new name appears in the Existing Templates list.

Step 5 Click Edit. See Editing a Template.


Editing a Template

Use this option to edit a configuration template.


Note Your login determines whether you can use this option.


Procedure


Step 1 Select Configure > Templates. The Templates dialog box appears.

Step 2 Select the template you want to edit from the Existing Templates box, then click Edit. The window refreshes with Template Creation menu in the left pane and the Template Name dialog box in the right pane.

Step 3 Select the choices in the Template Menu to create a configuration template. For a description, see Template Choices.


Converting a Template

Use this option to convert a non-IOS configuration template to an IOS template. You cannot convert an IOS template to a non-IOS template.


Note Your login determines whether you can use this option.


Procedure


Step 1 Select Configure > Templates. The Templates dialog box appears.

Step 2 Select the non-IOS template you want to convert from the Existing Templates box, then click Convert.

A dialog box appears with the following fields:

Field
Description

Name

Enter a name for the converted template.

Description

Enter a description for the template.

Converted Configuration

Displays the non-IOS configurations that have been converted to IOS.

Commands Not Converted

Displays the non-IOS configurations that were not converted to IOS.

These commands are not converted for one of two reasons:

There is no equivalent command for IOS.

The command conversion is not supported by the conversion tool.


Step 3 To save the template, click Save.

The Templates window displays and the new name appears in the Existing Templates list.


Deleting a Template

Use this option to delete a configuration template.


Note Your login determines whether you can use this option.


Procedure


Step 1 Select Configure > Templates. The Templates dialog box appears.

Step 2 Select the template you want to delete from the Existing Templates box, then click Delete. A window appears asking if you want to delete the template.


Note You cannot delete a template if it used in a scheduled job.


Step 3 Click OK to delete it.


Importing a Template

Use this option to import a configuration to the WLSE, either from a file or from a device. You can import files from devices that are not managed by the WLSE.

When you import a configuration from an IOS access point, the imported configuration options are displayed in the Custom Values template screen.

When you import a configuration from a non-IOS access point, the configuration options are displayed in their corresponding template screens. However, if the imported configuration options do not have corresponding template screens, they are displayed in the Custom Values template screen.


Note Your login determines whether you can use this option.


Procedure


Step 1 Select Configure > Templates. The Templates dialog box appears.

Step 2 Select IOS or Non-IOS.

Step 3 Click Import. The Import Template window appears and varies depending upon which type you selected.

For IOS, go to step 4.

For Non-IOS go to step 6.

Step 4 Complete the following:

Field
Description

Template Name

If you are importing from a file, enter a new name for the template or leave the entry blank to use the imported template name.

If you are importing from a device, you must enter a template name.

Description

Enter a description for the template.

Do not click the Enter key at the end of the description; it will generate an error.

From file

Enter the template filename or browse to find the file, then click Import.

From device (IP Address)

Enter a device name or IP address, then click Import.

Non-IP-Identity

Select this option if you do not want to download identity parameters, such as IP address, from the access point.

Some parameters are ignored using this type of import. The downloaded configuration parameters are not a full representation of the access point's configuration but an optimal representation.

Full

Select this option to import a full configuration from the access point.

This type of import includes the access point's identity parameters, such as sysname, IP address, etc.

When using this option, it is recommended you delete all the custom key values from the imported template before applying the template to any device.

Device Credentials

Select Telnet or SSH.

User Name

If the device is not managed by the WLSE, or if the device is managed but the credentials have not been set, enter the username on the access point.

User Password

If the device is not managed by the WLSE, enter the user password on the access point.


Step 5 Go to step 7.

Step 6 Complete the following:

Field
Description

Template Name

If you are importing from a file, enter a new name for the template or leave the entry blank to use the imported template name.

If you are importing from a device, you must enter a template name.

Description

Enter a description for the template.

Do not click the Enter key at the end of the description; it will generate an error.

From file

Enter the template filename or browse to find the file, then click Import.

From device (IP Address)

Enter a device name or IP address, then click Import.

Non-IP-Identity

Select this option if you do not want to download identity parameters, such as IP address, from the access point.

Some parameters are ignored using this type of import. The downloaded configuration parameters are not a full representation of the access point's configuration but an optimal representation.

Full

Select this option to import a full configuration from the access point.

This type of import includes the access point's identity parameters, such as sysname, IP address, etc.

When using this option, it is recommended you delete all the custom key values from the imported template before applying the template to any device.

Device Credentials

User Name

If the device is not managed by the WLSE, or if the device is managed but the credentials have not been set, enter the username on the access point.

User Password

If the device is not managed by the WLSE, enter the user password on the access point.


Step 7 To import another template, click Back and go to Step 3.

Step 8 When you are finished, click Done.

Step 9 View the template you imported by selecting Configure > Templates and selecting it in the Existing Templates list.


Exporting a Template

Use this option to export a configuration template to your local drive.


Note Your login determines whether you can use this option.


Procedure


Step 1 Select Configure > Templates. The Templates dialog box appears.

Step 2 Select a template name from Existing Templates, then click Export. The Export Template window appears.

Step 3 From the list, select the template you want to export, then click Export. You will be prompted for a location to export the.ini file.

Step 4 Click Done.


Managing Configuration Archives

As WLAN networks become larger, configuration management becomes more difficult. Each group of devices may have distinct configuration parameters that are difficult to track and maintain manually. The configuration archive feature allows you to easily restore or troubleshoot a failing device by applying the previously stored configuration. It also enables you to archive the last 4 distinct configurations for a device, which you can restore if needed.


Note Your login determines whether you can use this option.


The topics covered in this section are:

Viewing, editing, deleting, comparing, and exporting configuration archives—See Viewing Archived Configurations.

Scheduling a configuration archive job—Scheduling an Archive Collection.

Viewing the status of a configuration archive job—Viewing Archive Status.

Viewing Archived Configurations

Use this option to view, edit, delete, compare, and export an archived configuration. You can also allow or disallow a configuration archive to be overwritten.

Before You Begin

Before you can view any archived configurations, you must have run an archive job. See Scheduling an Archive Collection for information on creating and running an archive job.

Procedure


Step 1 Select Configure > Archives.

Step 2 Search for a device or select the device for which you want to view a configuration archive from the device selector in the left pane.

For information on how to search or use the device selector, see Exporting URL-Based Report Data.

Step 3 Click the device group or device name and the following table appears:

Field
Description

Device Name

The name of the device.

Archive Name

The name of the archived configuration.

Click the Archive Name to view the configuration. A window appears displaying the configuration file for the selected archive.

Date

The date the configuration was archived.

Type

The type of configuration archive: IOS or non-IOS.

Overwrite

Indicates if the configuration has been marked as Overwrite. Yes indicates that the configuration is available to be overwritten; No indicates it will not be overwritten.

Edit

Click the icon to edit the information. The Archive Details Window appears.

See Editing the Archive.


Step 4 By selecting the archives in this table you can do any of the following:

Allow or disallow overwriting—See Selecting Overwrite Settings.

Delete an archived configuration—See Deleting Archived Configurations.

Compare configurations—See Comparing Configurations.

Export a configuration to a file—See Exporting a Configuration to a File

Export a configuration to a template—See Exporting a Configuration to a Template


Scheduling an Archive Collection


Note Archive collection for non-IOS access points is supported only for device versions 11.23T and higher (AP350/BR350) and 11.56 and higher (AP1200).


Procedure


Step 1 Select Configure > Archives.

Step 2 Click Schedule Archive Collection. The window for creating an archive job appears. See Archive Job Choices.

Step 3 After scheduling a job, click View Archives to return to the Configure > Archives window.


Viewing Archive Status

Procedure


Step 1 Select Configure > Archives.

Step 2 Click View Archive Status. The window for creating and archive job appears. See Viewing Archive Job Status.

Step 3 After viewing the archive status, click View Archives to return to the Configure > Archives window.


Editing the Archive

Procedure


Step 1 To edit the archive, complete the following:


Note None of the fields under Details are editable; they are informational only.


Field
Description

Archive Name

Enter a name for the archived configuration.

Overwrite

Select one of the following:

Yes—Use this setting to indicate that the configuration archive is available to be overwritten.

No—Use this setting to indicate that it will not be overwritten.

Description

Enter a description for the archived configuration.

Details

Save Time

The date and time the configuration archive was saved.

Type

The type of configuration archive: IOS or non-IOS.

Device Name

The name of the device.


Step 2 Click Save Changes.


Selecting Overwrite Settings

Use this option to allow an archive to be overwritten or to disallow overwriting it.

Procedure


Step 1 Select a configuration archive configuration.

Step 2 Click one of the following:

Overwrite—to allow the configuration archive to be overwritten.

Do Not Overwrite—to make sure the configuration archive is not overwritten.


Deleting Archived Configurations

Use this option to delete an archived configuration from the database. You cannot retrieve a deleted configuration archive.

Procedure


Step 1 Select a configuration from the table.

Step 2 Click Delete.


Comparing Configurations

Use this option to compare archived configurations.


Tip You can compare archived configurations for devices that are in different groups by creating a new group, then putting the devices you want to compare into that group.


Procedure


Step 1 Select any two archived configurations you want to compare from the table.

Step 2 Click Compare. A window opens with the selected configurations.

Differences between the configurations are shown in red; information that is one configuration but not the other are shown in orange.


Exporting a Configuration to a File

Use this option to export an archived configuration to a file.

Procedure


Step 1 Select a configuration you want to from the table.

Step 2 Click Export to File. You will be prompted for a location to export the configuration.


Exporting a Configuration to a Template

Use this option to export an archived configuration to a template.

Procedure


Step 1 Select a configuration you want to from the table.

Step 2 Click Export to Template. The configuration is exported to a template.

Step 3 To view the exported template, select Configure > Templates and it is listed in the Existing Templates window.


Managing Jobs

There are two types of jobs you can manage in this window:

Configuration Jobs—See Managing Configuration Jobs.

Archive Jobs—Managing Archive Jobs.

Managing Configuration Jobs

This is window allows you to view a list of configuration jobs. It also allows you to create, edit, undo, and perform other operations on configuration jobs.

The topics covered in this section are:

How Do WLSE Configuration Jobs Work?

Recommendations For Running Configuration Jobs

Creating a Configuration Job

Viewing Configuration Job Status

Filtering a Configuration Job

Editing a Configuration Job

Running a Configuration Job Again

Deleting a Configuration Job

Copying a Configuration Job

Viewing Job Run Details

Related Topics

Using the Templates.

Configuration FAQs and Troubleshooting

How Do WLSE Configuration Jobs Work?

Both IOS and non-IOS access points use jobs created by the Configure > Jobs option to make configuration updates. The process by which the configurations are updated, however, differs for IOS and non-IOS access points.

IOS-Based Access Points

When the WLSE configures IOS-based access points, it pushes raw IOS CLI commands to the access points over a telnet or SSH connection.

To update the configuration, therefore, the WLSE requires only the telnet or SSH user name and password access point credentials.

Non-IOS-Based Access Points

To configure non-IOS-based access points:

1. The WLSE places the configuration template in the local /tftpboot directory.

2. The WLSE starts the configuration job using either the SNMP set or HTTP post operation.

When using SNMP, the SNMP set operation includes the WLSE IP address as the TFTP server and the template filename to download from the /tftpboot directory of the WLSE.

When using HTTP, because of limitations on the access point, you cannot specify the WLSE as the TFTP server when you start the configuration job. Instead, you must configure each separate access point to use the WLSE as a TFTP server first, before you can use HTTP to start the job.

3. The devices use TFTP to download the configuration updates from the WLSE.

4. When the job completes, the WLSE removes the template from the /tftpboot directory to prevent an unauthorized client from connecting to the WLSE and downloading the configuration template.

To make configuration updates for non-IOS-based access points, the WLSE requires these access point credentials:

When using SNMP: SNMP-write access.

When using HTTP:

The HTTP username and password

WLSE configured as a TFTP server on each access point

Related Topics

Recommendations For Running Configuration Jobs

Creating a Configuration Job

Recommendations For Running Configuration Jobs

There are two interrelated questions you should consider when you use the WLSE configuration feature:

How many devices should be included in the job?

How much time should be allotted for the job?

How Many Devices?

Because the WLSE configuration feature is multi-threaded with up to 20 allotted threads, it can configure as many as twenty access points simultaneously. For example, a configuration job with 100 devices will begin by configuring twenty devices, one thread per device. When a device configuration completes, its thread will start on a new device immediately, even if the other configuration tasks are in progress.

How Much Time?

When calculating the amount of time it takes to configure an access point, the factors to consider are:

How long does it take to download the template via TFTP or push IOS CLI commands to the access point?

TFTP download and IOS CLI command pushes are highly dependent on network performance. The WLSE has an internal configuration parameter that specifies a timeout value for configuration jobs. If the WLSE is unable to complete the job within the timeout period, it will declare the job as a failure. A timeout value that is set too low may cause the WLSE to prematurely abort configuration jobs or improperly report a device configuration failure. So if you have high latency issues or a congested network, increase the configuration timeout setting.

How long does it take for the access point to reboot if required by the configuration change?

The amount of time to reboot and load new firmware is usually constant. However, if the access point uses DHCP to get an IP address or retrieve a configuration file when it comes up after a reboot, this time is also affected by network performance. This may cause issues with the configuration job timeout, so you may need to increase the timeout.

Here are some other factors that might influence configuration times:

Configuration jobs sometimes fail due to configuration parameter dependencies on the access points. Consult the access point documentation to understand if there are any configuration dependencies if you have issues with configuration jobs failing.

Large templates take longer to apply and are more prone to issues with parameter dependencies. If you are applying a large template and seeing configuration failures, it may be useful to break the template into multiple templates and run multiple configuration jobs.

For example, configuration tasks can be greatly simplified by using the WLSE device grouping feature. Suppose a WLSE administrator has created a group for the access points in Site A, sub-groups for Channels 1, 6, and 11, and moved the appropriate access points into the channel groups. Now, the administrator can create three separate templates to set the Channel IDs to Channels 1, 6, and 11. Then to set the access points to the correct channel, three configuration jobs can be created to map the correct template to the corresponding channel group.

Calculating the Estimated Change Window

Configuration jobs should be kept to a reasonable size. Typically, a job with 100 devices is a reasonably sized job, but that can vary. A configuration job should be able to complete within a change window. To calculate this window, use a formula similar to the one recommended for firmware:

T = (n / 10) * t + s 

where:

T is the total time for the change window

n is the number of devices in the configuration job

t is the estimated time to configure a single device

s is the safety factor.

In this formula, T is often a constant defined by IT policies. For example, many campuses allow for a change window of no more than two hours. If you determine that it will take more than T to configure the access points, plan the upgrades in phases, each of which can be completed well within the change window. It is always a good idea to plan configuration changes conservatively. One conservative way to use this formula is to use the configuration timeout setting as your value for t.

Configuration Job Choices

When you create or edit a configuration job, the following choices appear in the left pane of the Jobs window:


Note All these steps, except Schedule Job, must be completed but do not have to be done in order.


1. Job Name—See Naming the Configuration Job.

2. Select Template—See From the menu in the left pane, go to the next step, Select Devices. For additional information, see Selecting Devices..

3. Select Devices—See Selecting Devices.

4. Schedule Job—See Scheduling a Configuration Job.

5. Options—See Setting Configuration Job Options.

6. Save—See Saving the Configuration Job.


Caution Clicking on another Configure subtab before you have saved your entries in this window will cause the window to reset and you will lose all the information you entered.

Naming the Configuration Job

Procedure


Step 1 Click Job Name. The Job Name dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Job windows up until that point.


Table 4-93 Job Name 

Field
Description

Job Name

Enter a name for the job.

See Naming Guidelines.

Description

Enter a description of the job.

See Naming Guidelines.


Step 3 From the menu in the left pane, go to the next step, Select Template. For additional information, see Selecting a Template.


Selecting a Template

Procedure


Step 1 Click Select Template. The Select Template window appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Job windows up until that point.


Table 4-94 Select Template 

Field
Description

Configuration Template

From the list, select the template which you want to apply to the devices.

Name

Displays the name of the selected template.

Device Types

Displays the device types that are valid for the selected template.

Device Versions

Displays the device versions for the device types listed in the Device Type field.

Each device type's valid versions are displayed in sequence and grouped using parentheses.

Description

Displays the template description.

Version Check Enabled

Indicates whether the version check is enabled.


Step 3 From the menu in the left pane, go to the next step, Select Devices. For additional information, see Selecting Devices.


Selecting Devices

Procedure


Step 1 Click Select Devices. The Select window appears.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Job windows up until that point.


Step 2 From the device selector, click the folder from which you want to build a device list.

Clicking the folder displays the folder's contents in the Available Devices list box.

Repeat this step as many times as necessary to select devices from the folder in which they reside.

Step 3 From the Available Devices list, select folders or individual devices, then click >>. The devices appear in the Selected Devices list box.


Note If you select a folder, the template will be applied to all of the devices in that folder. If a device is subsequently added to the folder, the template is applied to that device.


Step 4 To remove devices, select them from the Selected Devices list, then click <<.

Step 5 From the menu in the left pane, go to the next step, Select Template. For additional information, see Scheduling a Configuration Job.


Scheduling a Configuration Job

Procedure


Step 1 Click Schedule Job. The Schedule Job dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Job windows up until that point.


Table 4-95 Schedule Job

Field
Description

Run Now

Click to run the job.

Note This option ignores any dates you have entered in Start Date and Start Time.

Start Date

From the lists, select the month, day, and year you want your job to run.

Start Time

From the list, select the hour and minutes of the day you want your job to run.

Repeat

Enable

Check to run the job repeatedly.

Every

Indicate how often you want the job to repeat by entering a numerical value, then selecting an interval of time: Hours, Days, Months, or Years.


Step 3 From the menu in the left pane, go to the next step, Options. For additional information, see Saving the Configuration Job.


Setting Configuration Job Options

Procedure


Step 1 Click Options in the left pane to complete creating a job. The Options dialog box appears in the right pane.

Step 2 Complete the following:

Field
Description

On completion, email to

Enter a comma-separated list of email addresses to be notified when the job completes.

Email only if job fails

Select this checkbox if you want recipients to be notified only if the job fails.

Apply Configuration using

Select either Telnet or SSH.

Write NVRAM on Success

Check if you want the this template, after the job has succeeded, to be used by the access point in the event of a reload.



Tip If email notification is not working, you may need to configure the mailroute by selecting Administration > Appliance > Configure Mailroute.


Step 3 From the menu in the left pane, go to the next step, Save. For additional information, see Saving the Configuration Job.


Saving the Configuration Job

Procedure


Step 1 Click Save in the left pane to complete creating a job. The Save dialog box appears in the right pane with the job details.

Step 2 Click Save. A window displays comments to indicate whether the job has passed the validation tests.

If the job encounters validations problems, a window displays the found errors or warnings.

Warnings—They are issued when there are version mismatches and are not critical. You can still force the template on the devices despite the warnings. Warnings are caused by one of the following reasons:

The selected device is running a software version that is not currently supported by the WLSE. You can work around this by importing the latest supported device version from Cisco.com. See Updating Supported Firmware Versions.

The selected device version does not match the device versions supported by the selected template.

Errors—They are issued based on device type mismatches and are critical. You cannot force a configuration template on a device with job errors; you must correct the problem.


Creating a Configuration Job

Using this option, you can create a configuration job or an archive job.


Note Your login determines whether you can use this option.


Procedure


Step 1 Select Configure > Jobs.

Step 2 Click Config Job. The Jobs Window appears.

Step 3 Select the numbered choices in the left pane to create a job. For a description, see Configuration Job Choices.


Viewing Configuration Job Status

This is window allows you to view job status. It also allows you to filter a job, edit a job, view details about the job and undo a job.

Device data is polled is every 15 minutes by default, and the duration that job data is retained is 30 days. To change either default, see Updating Supported Firmware Versions.

The topics covered in this section are:

Creating a Configuration Job

Viewing the Configuration Job

Filtering a Configuration Job

Editing a Configuration Job

Running a Configuration Job Again

Deleting a Configuration Job

Copying a Configuration Job

Viewing Job Run Details


Note Your login determines whether you can use this option.


Related Topics

Using the Templates

Viewing the Configuration Job

Procedure


Step 1 Select the status of the job you want to view from the Job State list.

Step 2 Select the type of job you want to view from the Job Type list.

Step 3 Click Apply. The window refreshes and the jobs are displayed.

The tables vary depending on the type of Job State and Job Type you selected: Scheduled and Unscheduled, Running, or All.

Scheduled and Unscheduled

Field
Description

Job Name

The job name.

Recurring

Whether the job recurs.

Next Schedule

For scheduled jobs, this indicates the next time the job will run. For completed jobs, this is last time the job ran.

Last Run Status

The status of the last run.

Note Jobs that cause an access point to reboot are listed as Unverified.


Running


Tip You can stop a running job by clicking Stop Job.


Field
Description

Job Name

The job name.

Recurring

Whether the job recurs.

Job Start Time

The time the job started.

Percent Complete

The percent of the job that has completed running.

Next Schedule

The next time the job is scheduled to run.


All

Field
Description

Job Name

The job name.

Recurring

Whether the job recurs.

Job State

The state of the job.

Note A job in a DidNotStart state must be rescheduled.

Next Schedule

For scheduled jobs, this indicates the next time the job will run. For completed jobs, this is last time the job ran.

Last Run Status

The status of the job the last time it ran.

Note Jobs that cause an access point to reboot are listed as Unverified.


Step 4 To sort table data, click on the column heading by which you want to sort the data:

A triangle indicates ascending order.

An upside-down triangle indicates descending order.

No triangle indicates that the data is not sorted.

Step 5 Do any of the following:


Note If the option is not available for the job type, the buttons are grayed.


Filter the job—See Filtering a Configuration Job.

Edit the job—See Editing a Configuration Job.

Run the job again—See Running a Configuration Job Again.

Delete the job—See Deleting a Configuration Job.

Copy a job—See Copying a Configuration Job.

View the run details—See Viewing Job Run Details.

Refresh the screen—Click Refresh.


Filtering a Configuration Job

Use this option to filter jobs from the displayed list. Filtering this way allows you to display a limited set of jobs, making it easier to search for a particular job if you know the name.

Procedure


Step 1 Click Filter Job. The Filter Job dialog box appears.

Step 2 Enter the name, or part of the a name, on which to filter. Use % as a wildcard to filter jobs. For example, entering %name% will filter all the jobs that contain "name."

Step 3 Click Apply filter. The Job window refreshes and the matching jobs are displayed on the Jobs list.


Note The filter is applied only until the page is refreshed.



Editing a Configuration Job

Use this option to edit jobs from the displayed list of jobs.

Procedure


Step 1 Select the job from the list which you would like to edit.

Step 2 Click Edit Job. The Job Name dialog box appears.

Step 3 Select the choices in the Template Menu to create a configuration template. For a description, see Configuration Job Choices.


Running a Configuration Job Again

Use this option to run jobs again from the displayed list of jobs.


Note This option works only for Run Now jobs.


Procedure


Step 1 Select the job from the list which you would like to edit.

Step 2 Click Run Again. A confirmation box appears verifying the job was run.


Deleting a Configuration Job

Use this option to delete jobs from the displayed list of jobs. Jobs that are scheduled, unscheduled, completed and did not start can be deleted. Jobs that are running cannot be deleted; they can be stopped.

Procedure


Step 1 Select the job from the list which you would like to delete.

Step 2 Click Delete Job.


Copying a Configuration Job

Use this option to copy unscheduled jobs from the displayed list of jobs, which can be run later on demand.

Procedure


Step 1 Select the job from the list which you would like to copy.

Step 2 Click Copy Job. A dialog box appears.

Step 3 Enter a name for the job, then click OK. The screen refreshes and the job is listed.


Viewing Job Run Details

Use this option to view details about a job, or to undo a job from the displayed list of jobs.

Procedure


Step 1 From the table displayed in Configure > Jobs window, select a job for which you would like to see details, then click Job Run Detail.

Step 2 The details window appears with the Job Runs table:

Field
Description

Select Run

Used to select a job for which you want to see more details.

Job Start Time

The time the job started.

Job End Time

The time the job ended.

Job Status

The status of the job.

Percent Complete

The percent of the job that completed.


Step 3 Do any of the following:

To view details for a particular job run or to undo a job, select the job, then click Show Run Details. The Job Run details table displays the information. See Viewing the Job Run Details Table.

To view the job run log, click Job Run Log. A window displays all the details for the selected job number.

To refresh the table, click Refresh.


Viewing the Job Run Details Table

The Job Runs Details table displays the following information:

Field
Description

Device Name

The name of the device.

Start Time

The time the job started.

End Time

The time the job ended.

Status

The status of the job.


To sort table data, click on the column heading by which you want to sort the data:

A triangle indicates ascending order.

An upside-down triangle indicates descending order.

No triangle indicates that the data is not sorted.

To select all the jobs in the table, click Select All.

To deselect all the jobs in the table, click DeSelect All.


Note If you have multiple screens, you must Select All or DeSelect All one screen at a time.


To undo the selected configuration job, click Undo.

The Undo feature is not supported for the following:

Custom Values

Security options: Local Admin Authentication under the Local Admin Access; Encryption Key Values under Local AP/Client Security; Shared Secret under Server-Based Security; and Shared Secret under Accounting.

FTP username and password

Previously undone jobs

Routing table configurations (for versions prior to 11.23T only)

Adding a user in place of an existing user on the access point. The Undo feature works for new users.

Managing Archive Jobs

This is window allows you to view a list of archive jobs. It also allows you to create, edit, and perform other operations on archive jobs.

The topics covered in this section are:

How Do Configuration Archive Jobs Work?

Recommendations For Using Configuration Archives

Creating an Archive Job

Viewing Archive Job Status

Filtering an Archive Job

Editing an Archive Job

Running an Archive Job Again

Deleting an Archive Job

Copying a Configuration Job

Viewing Job Run Details.

How Do Configuration Archive Jobs Work?

The Configure > Archive feature allows you to set up a job that will archive an access point configuration. When a configuration archive job runs, the WLSE uses TFTP to download the configuration from the access point. If the configuration is identical to the previous archived configuration, the new configuration is not saved. If the new configuration is different from the previous archive, a new archived configuration is saved as a file on the WLSE.

The feature can archive a maximum four different configurations. By default, archived configurations can be overwritten after the maximum number of configurations has been reached. You can, however, mark an archived configuration as protected, so that it cannot be overwritten. If the maximum numbers of configurations are archived and all of the files are protected against overwrites, the WLSE will not create a new configuration archive.

Using this option, you can also:

View existing archived configurations.

Compare any two archived configurations within a WLSE device group.

Export archived configurations to a file or to a WLSE configuration template.

Related Topics

Recommendations For Using Configuration Archives

Scheduling an Archive Collection

Recommendations For Using Configuration Archives

There are several issues to consider when using the Configuration Archive feature:

Q. When should archive jobs be run?

A. Configurations are downloaded from access points to the WLSE using TFTP, which means that configuration archival is potentially sensitive to network congestion and oversubscription. Therefore, due to the potential sensitivity to network conditions and because configuration archival is a low-priority background task that can be affected by higher priority processes, archive jobs should be run during off-hours.

Q. How many devices should I include in an archive job?

A. The number of devices assigned to a configuration archive job will vary depending on network congestion and WLSE performance factors. Some WLSE users have successfully archived hundreds of configurations in a single job, while others have had difficulty with less than one hundred.

Arriving at a good number for an archive job may be a trial-and-error process. For example, you could start with twenty-five devices. If that is successful, try fifty. Keep adding more devices until configurations are no longer archived satisfactorily.

Q. How often should I archive configurations?

A. The recommended frequency of configuration archival varies with deployment and operational requirements and WLSE performance capabilities. Typically, device configurations do not change much after a network becomes stable. Therefore, after archiving the initial baseline configurations, you might need to run configuration archive jobs as monthly recurring jobs or only after known changes have been made to network configurations.

Q. What should be protected from overwrites?

A. After archiving baseline configurations for the network devices, you should protect these official configurations. For additional protection, export the archive to a file and to a configuration template. A configuration template can be used if a roll-back is required.

Q. How do I work with the limitations of non-IOS-based access points?

A. Due to limitations imposed by the device operating system, not all configured attributes on a non-IOS-based access point are archived. Security related parameters, for example, such as user names and passwords, WEP keys, and AAA servers are not archived. Other non-security related parameters also are not archived. If you create configuration templates for any unratified configuration parameters, you can apply these templates to the appropriate devices when necessary.

Q. How can I take advantage of the WLSE grouping feature?

A. The WLSE grouping feature is especially useful when configuring configuration archive jobs. Each configuration archive job should operate on a logical grouping of devices. For example, it might make sense to archive configurations per campus or per building. See Recommendations For Running Configuration Jobs, for details on organizing the managed WLAN with the WLSE grouping feature.

Q. How can I use the compare feature effectively?

A. The configuration archive compare feature allows you to compare any archived file with any other archived file within a device group. The comparison feature is really most relevant for examining the difference between two configuration archives from access points of the same type or access points that are deployed identically to other access points.

Q. What should I do when some configuration archives fail?

A. Because WLSE configuration archive jobs download configurations using TFTP, some devices might fail during the archive job. The job run log files typically contain information about why the configuration archival for a device might have failed. Typically, rerunning an archive job for any devices that have failed is all that is necessary.

If the entire configuration archive job fails, verify that the WLSE is configured with the correct device credentials. If the WLSE has the correct credentials, there are probably network issues to resolve.

Related Topics

Managing Archive Jobs

Archive Job Choices

When you create or edit an archive job, the following choices appear in the left pane of the Jobs window:


Note Archive collection for non-IOS access points is supported only for device versions 11.23T and higher (AP350/BR350) and 11.56 and higher (AP1200).


1. Job Name—See Naming the Archive Job.

2. Select Devices—See Selecting Devices.

3. Schedule Job—See Scheduling an Archive Job.

4. Finish—See Finishing the Archive Job.


Note All these steps, except Schedule Job, must be completed but do not have to be


Related Topics

Recommendations For Using Configuration Archives

Naming the Archive Job

Procedure


Step 1 Click Job Name. The Job Name dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Job windows up until that point.


Table 4-96 Job Name 

Field
Description

Job Name

Enter a name for the job.

See Naming Guidelines.

Description

Enter a description of the job.

See Naming Guidelines.


Step 3 From the menu in the left pane, go to the next step, Select Devices. For additional information, see Selecting Devices.


Selecting Devices

Procedure


Step 1 Click Select Devices. The Select window appears.


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Job windows up until that point.


Step 2 From the device selector, click the folder from which you want to build a device list.

Clicking the folder displays the folder's contents in the Available Devices list box.

Repeat this step as many times as necessary to select devices from the folder in which they reside.

Step 3 From the Available Devices list, select folders or individual devices, then click >>. The devices appear in the Selected Devices list box.


Note If you select a folder, the template will be applied to all of the devices in that folder. If a device is subsequently added to the folder, the template is applied to that device.


Step 4 To remove devices, select them from the Selected Devices list, then click <<.

Step 5 From the menu in the left pane, go to the next step, Schedule Job. For additional information, see Scheduling a Configuration Job.


Scheduling an Archive Job

Procedure


Step 1 Click Schedule Job. The Schedule Job dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Job windows up until that point.


Table 4-97 Schedule Job

Field
Description

Run Now

Click to run the job.

Note This option ignores any dates you have entered in Start Date and Start Time.

Start Date

From the lists, select the month, day, and year you want your job to run.

Start Time

From the list, select the hour and minutes of the day you want your job to run.

Repeat

Enable

Check to run the job repeatedly.

Every

Indicate how often you want the job to repeat by entering a numerical value, then selecting an interval of time: Hours, Days, Months, or Years.


Step 3 From the menu in the left pane, go to the next step, Finish. For additional information, see Finishing the Archive Job.


Finishing the Archive Job


Note Archive jobs use SNMP, and will only work properly for non-IOS devices with software releases 11.23T and higher.


Procedure


Step 1 Click Finish in the left pane to complete creating a job. The Finish dialog box appears in the right pane.

Step 2 Complete the following:

Field
Description

On completion, email to

Enter a comma-separated list of email addresses to be notified when the job completes.

Email only if job fails

Select this checkbox if you want recipients to be notified only if the job fails.

Configuration Type

Select the type of configuration.

Note This setting applies to IOS devices only; for non-IOS devices, select either one.



Tip If email notification is not working, you may need to configure the mailroute by selecting Administration > Appliance > Configure Mailroute.


Step 3 Click Save. A confirmation window appears with the job summary.


Creating an Archive Job

Using this option, you can create an archive job.


Note Your login determines whether you can use this option.


Procedure


Step 1 Select Configure > Jobs.

Step 2 Click Archive Job. The Jobs Window appears.

Step 3 Select the numbered choices in the left pane to create a job. For a description, see Archive Job Choices.


Related Topics

Recommendations For Using Configuration Archives

Viewing Archive Job Status

This is window allows you to view job status. It also allows you to filter a job, edit a job, and view details about the job.

The topics covered in this section are:

Viewing the Archive Job

Filtering an Archive Job

Editing an Archive Job

Running an Archive Job Again

Deleting an Archive Job

Copying an Archive Job

Viewing Job Run Details


Note Your login determines whether you can use this option.


Viewing the Archive Job

Procedure


Step 1 Select the status of the job you want to view from the Job State list.

Step 2 Select Archive Regular from the Job Type list.

Step 3 Click Apply. The window refreshes and the jobs are displayed.

The tables vary depending on the type of Job State and Job Type you selected: Scheduled and Unscheduled, Running, or All.

Scheduled and Unscheduled

Field
Description

Job Name

The job name.

Recurring

Whether the job recurs.

Next Schedule

For scheduled jobs, this indicates the next time the job will run. For completed jobs, this is last time the job ran.

Last Run Status

The status of the last run.


Running


Tip You can stop a running job by clicking Stop Job.


Field
Description

Job Name

The job name.

Recurring

Whether the job recurs.

Job Start Time

The time the job started.

Percent Complete

The percent of the job that has completed running.

Next Schedule

The next time the job is scheduled to run.


All

Field
Description

Job Name

The job name.

Recurring

Whether the job recurs.

Job State

The state of the job.

Note A job in a DidNotStart state must be rescheduled.

Next Schedule

For scheduled jobs, this indicates the next time the job will run. For completed jobs, this is last time the job ran.

Last Run Status

The status of the job the last time it ran.

Note Jobs that cause an access point to reboot are listed as Unverified.


Step 4 To sort table data, click on the column heading by which you want to sort the data:

A triangle indicates ascending order.

An upside-down triangle indicates descending order.

No triangle indicates that the data is not sorted.

Step 5 You can do the following:


Note If the option is not available for the job type, the buttons are grayed.


Filter the job—See Filtering an Archive Job.

Edit the job—See Editing a Configuration Job.

Delete the job—See Deleting a Configuration Job.

Run the job again—SeeRunning an Archive Job Again.

Copy a job—See Copying an Archive Job.

View the run details—See Viewing Job Run Details.

Refresh the screen—Click Refresh.


Filtering an Archive Job

Use this option to filter jobs from the displayed list. Filtering this way allows you to display a limited set of jobs, making it easier to search for a particular job if you know the name.

Procedure


Step 1 Click Filter Job. The Filter Job dialog box appears.

Step 2 Enter the name, or part of the a name, on which to filter. Use % as a wildcard to filter jobs. For example, entering %name% will filter all the jobs that contain "name."

Step 3 Click Apply filter. The Job window refreshes and the matching jobs are displayed on the Jobs list.


Note The filter is only applied until the page is refreshed.



Editing an Archive Job

Use this option to edit jobs from the displayed list of jobs.

Procedure


Step 1 Select the job from the list which you would like to edit.

Step 2 Click Edit Job. The Job Name dialog box appears.

Step 3 Select the choices in the Archive Job Menu to edit the job. For a description, see Archive Job Choices.


Running an Archive Job Again

Use this option to run jobs again from the displayed list of jobs.


Note This option works only for Run Now jobs.


Procedure


Step 1 Select the job from the list which you would like to edit.

Step 2 Click Run Again. A confirmation box appears verifying the job was run.


Deleting an Archive Job

Use this option to delete jobs from the displayed list of jobs. Jobs that are scheduled, unscheduled, completed and did not start can be deleted. Jobs that are running cannot be deleted; they can be stopped.

Procedure


Step 1 Select the job from the list which you would like to delete.

Step 2 Click Delete Job.


Copying an Archive Job

Use this option to copy unscheduled jobs from the displayed list of jobs, which can be run later on demand.

Procedure


Step 1 Select the job from the list which you would like to copy.

Step 2 Click Copy Job. A dialog box appears.

Step 3 Enter a name for the job, then click OK. The screen refreshes and the job is listed.


Viewing Job Run Details

Use this option to view details about a job.

Procedure


Step 1 From the table displayed in Configure > Jobs window, select a job for which you would like to see details, then click Job Run Detail.

Step 2 The details window appears with the Job Runs table:

Field
Description

Select Run

Used to select a job for which you want to see more details.

Job Start Time

The time the job started.

Job End Time

The time the job ended.

Job Status

The status of the job.

Percent Complete

The percent of the job that completed.


Step 3 Do any of the following:

To view details for a particular job run or to undo a job, select the job, then click Show Run Details. The Job Run details table displays the information. See Viewing the Job Run Details Table.

To view the job run log, click Job Run Log. A window displays all the details for the selected job number.

To refresh the table, click Refresh.


Viewing the Job Run Details Table

The Job Runs Details table displays the following information:

Field
Description

Device Name

The name of the device.

Start Time

The time the job started.

End Time

The time the job ended.

Status

The status of the job.


To sort table data, click on the column heading by which you want to sort the data:

A triangle indicates ascending order.

An upside-down triangle indicates descending order.

No triangle indicates that the data is not sorted.

Automating Configurations

This window allows you to automatically upload configuration templates to access points and bridges. Use this feature to:

Apply startup templates through the DHCP server to newly installed devices with manufacturer-default configurations.

Apply a common template to devices after they are discovered, auto managed, and the WLSE has their inventory information.

The topics covered in this section are:

Assigning a Startup Configuration

Assigning an Auto-Managed Configuration

Assigning a Startup Configuration

The startup configuration is used for newly-installed devices that have a manufacturer-default configuration. After the devices are powered on and receive an IP address from a DHCP server, the startup configuration will be automatically uploaded to the devices.


Tip After the access point is powered on and the startup configuration is applied, you may want to prevent the startup configuration from being uploaded to devices again if for some reason the access points reboot.

For non-IOS access points: Prevent the initial configuration from being uploaded to devices after a reboot by setting the bootconfigReadINI variable to never by auto-managed configuration or regular configuration.

For IOS access points (Version 12.2(3)JA or later): Prevent the initial configuration from being uploaded to devices after a reboot by using the IOS config command no boot upgrade.


Before You Begin

1. Create a template for the startup configuration. See Creating a Startup Configuration Template.

2. If you are configuring

A DHCP server, go to step 4.

A router as a DHCP server, go to step 3.

3. To configure a router as a DHCP server, enter the following commands:

ip dhcp pool (name) 
network (network address) (subnet mask) 
bootfile (startup file) 
next-server (WLSE IP address) 
default-router (default router) 
domain-name (domain name) 
dns-server (DNS IP address) 

In this example, use the next-server command instead of option 66 or option 150.

4. To configure a DHCP server, do the following:

a. Return the WLSE's address. This is done by entering the <IP address of the WLSE> in the Boot Server Host Name field (option number 066) on the DHCP server.

b. Return the name of the initial template file in the DHCP reply message. This is done by entering <startup file name> in the BootfileName field (option number 067) on the DHCP server.

For example, if you had a WLSE with the IP address 10.10.11.12) and an associated startup template with Bootfile Name "newap1200.ini", you would do the following:

a. On the DHCP server, select Scope > Scope Options.

b. Set Scope option 066 (TFTP boot server name or IP address) with 10.10.11.12 (the WLSE's IP address).

c. Set Scope option 067 (Bootfile Name) with newap1200.ini (the new Bootfile Name associated with the startup template file.)

Related Topics

Creating a Startup Configuration Template

Assigning an Auto-Managed Configuration

Procedure


Step 1 Select Configure > Auto Update > Startup Configuration. The Startup Configuration Template dialog box appears.

Step 2 Complete the following:

Field
Description

Startup Templates

Lists the startup templates that have been created.

Bootfile Name

Enter the configuration file name that appears on the DHCP server.

Note For non-IOS access points, this name must have an.ini extension. There are no restrictions for IOS access points.

Description

Enter a description for the configuration.

Configuration Template

From the list select the startup template to assign to the configuration file.

Click Details to see the device types and device versions for which the template is valid.


Step 3 To save the template, click Save.

Step 4 To delete the template, click Delete.


Creating a Startup Configuration Template

The startup configuration is used to bootstrap a device to allow the WLSE to discover it.


Caution The startup configuration template is placed in tftpboot directory and anyone who knows the file name can access it. This template should contain only minimal feature settings.

To create a startup template select Configure > Templates. (To configure the access point manually without using a startup configuration, see Setting Up Devices.)

You can create a startup configuration for:

IOS devices—See Creating an IOS Startup Template.

Non-IOS devices—See Creating a Non-IOS Startup Template.

Creating an IOS Startup Template

Use the following table to guide you in creating a startup configuration template for IOS devices:

Tasks
Template Choice
Notes

Enable Cisco Discovery Protocol (CDP)

Select Services > CDP.

CDP is required for the WLSE to discover devices on the network.

Enable Telnet

Select Services > Telnet/.

Select Enable for Telnet.

Enable SSH

Select Services > Telnet/SSH.

Do the following:

1. Select Enabled for Secure Shell.

2. Enter the system name.

3. Enter the domain name.

Note For any version lower than 12.2(11)JA, you will have to manage the access points, then create and upload a template that enables SSH on those access points.

Enable SNMP

Select Services > SNMP.

SNMP is required for the WLSE to discover and manage the device.

Select Enabled for Simple Network Management Protocol (SNMP).

Create a Read community string

Select Services > SNMP.

Do the following:

1. Enter a community string in the SNMP Community field.

2. Enter iso in the Object Identifier field.

3. Select Read-Only.

Note The read community string must be specified under Administration > Device Credentials.

Create a Write community string

Select Services > SNMP.

Do the following:

1. Enter a community string in the SNMP Community field.

2. Select Write-Only.

Note The write community string must be specified under Administration > Device Credentials.


Creating a Non-IOS Startup Template

Use the following table to guide you in creating a non-IOS startup configuration template:

Tasks
Template Choice
Notes

Enable Cisco Discovery Protocol (CDP)

Select Services > CDP.

CDP is required for the WLSE to discover devices on the network.

Enable SNMP.

(Optional Set the location.)

(Optional Set the system name and system contact.)

Select Services > SNMP.

SNMP is required for the WLSE to discover and manage the device.

Setting the location enables proper grouping of devices into the system-defined Location group. For more information, see Managing Groups.

Set the community string by creating a user with all privileges.

Select Security > Local Admin Access.

To create an user with SNMP read/write privileges, enter a username and password and select the Write, SNMP, Firmware, and Administrator capabilities.

The username of the user with Write and SNMP privileges is used as the SNMP read/write community string.

This community string should also have been configured on the WLSE using Administration > Discover > Device Credentials > SNMP Communities.

The Firmware privilege is required for configuring devices from the WLSE.