Feedback
Table Of Contents
Basic Wireless Device Configuration
Starting a Wireless Configuration Session
Cisco IOS Command Line Interface
Configuring Wireless Security Settings
Configuring Wireless Quality of Service
Configuring the Access Point in Hot Standby Mode
Upgrading to Cisco Unified Software
Secure an IP Address on the Access Point
Confirm that the Mode Setting is Enabled
Troubleshooting an Upgrade or Reverting the AP to Autonomous Mode
Downgrading the Software on the Access Point
Recovering Software on the Access Point
Basic Wireless Device Configuration
This chapter describes how to configure the autonomous wireless device on the Cisco 880 Series Integrated Services Router (ISR).
Note
To upgrade the autonomous software to Cisco Unified software on the embedded wireless device, see the "Upgrading to Cisco Unified Software" section for instructions.
The wireless device is embedded and does not have an external console port for connections. To configure the wireless device, use a console cable to connect a personal computer to the host router's console port, and perform these procedures to establish connectivity and configure the wireless settings.
•
•
•
•
Starting a Wireless Configuration Session
Note
Enter the following commands in global configuration mode on the router's Cisco IOS CLI.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Tip
Closing the Session
To close the session between the wireless device and the router's console, follow these steps:
Wireless Device
1.
Router
1.
2.
Configuring Wireless Settings
Note
Configure the wireless device with the tool that matches the software on the device.
•
•
Note
After upgrading to Cisco Unified Wireless software, use the web-browser interface to configure the device at the following URL:
http://cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap2-gui.html
Cisco Express Setup
To configure the autonomous wireless device, use the web-browser tool:
Step 1
Step 2
Step 3
Step 4
http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap4-first.html#wp1103336Cisco IOS Command Line Interface
To configure the autonomous wireless device, use the Cisco IOS CLI tool to perform the following tasks:
•
•
Configuring the Radio
Configure the radio parameters on the wireless device to transmit signals in autonomous or Cisco Unified mode. For specific configuration procedures, see the "Configuring Radio Settings" section.
Configuring Wireless Security Settings
•
•
Configuring Authentication
Authentication types are tied to the Service Set Identifiers (SSIDs) that are configured for the access point. To serve different types of client devices with the same access point, configure multiple SSIDs.
Before a wireless client device can communicate on your network through the access point, the client device must authenticate to the access point by using open or shared-key authentication. For maximum security, client devices should also authenticate to your network using MAC address or Extensible Authentication Protocol (EAP) authentication. Both authentication types rely on an authentication server on your network.
To select an authentication type, see Authentication Types for Wireless Devices at http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityAuthenticationTypes.html.
To set up a maximum security environment, see RADIUS and TACACS+ Servers in a Wireless Environment at http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityRadiusTacacs_1.html.
Configuring Access Point as Local Authenticator
To provide local authentication service or backup authentication service for a WAN link failure or a server failure, you can configure an access point to act as a local authentication server. The access point can authenticate up to 50 wireless client devices using Lightweight Extensible Authentication Protocol (LEAP), Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), or MAC-based authentication. The access point performs up to five authentications per second.
You configure the local authenticator access point manually with client usernames and passwords because it does not synchronize its database with RADIUS servers. You can specify a VLAN and a list of SSIDs that a client is allowed to use.
For details about setting up the wireless device in this role, see Using the Access Point as a Local Authenticator at http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityLocalAuthent.html.
Configuring WEP and Cipher Suites
Wired Equivalent Privacy (WEP) encryption scrambles the data transmitted between wireless devices to keep the communication private. Wireless devices and their wireless client devices use the same WEP key to encrypt and decrypt data. WEP keys encrypt both unicast and multicast messages. Unicast messages are addressed to one device on the network. Multicast messages are addressed to multiple devices on the network.
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM).
Cipher suites that contain Temporal Key Integrity Protocol (TKIP) provide the greatest security for your wireless LAN. Cipher suites that contain only WEP are the least secure.
For encryption procedures, see Configuring WEP and Cipher Suites at http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityCipherSuitesWEP.html.
Configuring Wireless VLANs
If you use VLANs on your wireless LAN and assign SSIDs to VLANs, you can create multiple SSIDs by using any of the four security settings defined in the "Security Types" section. A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), that are connected by a single bridging domain. The bridging domain is supported on various pieces of network equipment such as LAN switches that operate bridging protocols between them with a separate group of protocols for each VLAN.
For more information about wireless VLAN architecture, see Configuring Wireless VLANs at http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/wireless_vlans.html.
Note
Assigning SSIDs
You can configure up to 16 SSIDs on a wireless device in the role of an access point, and you can configure a unique set of parameters for each SSID. For example, you might use one SSID to allow guests limited access to the network and another SSID to allow authorized users access to secure data.
For more about creating multiple SSIDs, see Service Set Identifiers at http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/ServiceSetID.html.
Note
Security Types
Table 4-1 describes the four security types that you can assign to an SSID.
Table 4-1 Types of SSID Security
No security
This is the least secure option. You should use this option only for SSIDs in a public space and you should assign it to a VLAN that restricts access to your network.
—
Static WEP key
This option is more secure than no security. However, static WEP keys are vulnerable to attack. If you configure this setting, you should consider limiting association to the wireless device based on the MAC address. For more information, see Cipher Suites and WEP at
http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityCipherSuitesWEP.html.
OrIf your network does not have a RADIUS server, consider using an access point as a local authentication server.
For instructions, see Using the Access Point as a Local Authenticator at http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityLocalAuthent.html.Mandatory WEP. Client devices cannot associate using this SSID without a WEP key that matches the wireless device key.
EAP1 authentication
This option enables 802.1X authentication (such as LEAP2 , PEAP3 , EAP-TLS4 , EAP-FAST5 , EAP-TTLS6 , EAP-GTC7 , EAP-SIM8 , and other 802.1X/EAP-based products)
This setting uses mandatory encryption, WEP, open authentication plus EAP, network EAP authentication, no key management, and RADIUS server authentication port 1645.
You are required to enter the IP address and shared secret key for an authentication server on your network (server authentication port 1645). Because 802.1X authentication provides dynamic encryption keys, you do not need to enter a WEP key.
Mandatory 802.1X authentication. Client devices that associate using this SSID must perform 802.1X authentication.
If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you do not configure open authentication with EAP, the following warning message appears:
SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.WPA9
This option permits wireless access to users who are authenticated against a database. Access is through the services of an authentication server. Users' IP traffic is then encrypted with stronger algorithms than those used in WEP.
This setting uses encryption ciphers, TKIP10 , open authentication plus EAP, network EAP authentication, key management WPA mandatory, and RADIUS server authentication port 1645.
As with EAP authentication, you must enter the IP address and shared secret key for an authentication server on your network (server authentication port 1645).
Mandatory WPA authentication. Client devices that associate using this SSID must be WPA capable.
If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you do not configure open authentication with EAP, the following warning message appears:
SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.
1 EAP = Extensible Authentication Protocol.
2 LEAP = Lightweight Extensible Authentication Protocol.
3 PEAP = Protected Extensible Authentication Protocol.
4 EAP-TLS = Extensible Authentication Protocol—Transport Layer Security.
5 EAP-FAST = Extensible Authentication Protocol—Flexible Authentication via Secure Tunneling.
6 EAP-TTLS = Extensible Authentication Protocol—Tunneled Transport Layer Security.
7 EAP-GTC = Extensible Authentication Protocol—Generic Token Card.
8 EAP-SIM = Extensible Authentication Protocol—Subscriber Identity Module.
9 WPA = Wi-Fi Protected Access.
10 TKIP = Temporal Key Integrity Protocol.
Configuring Wireless Quality of Service
Configuring quality of service (QoS) can provide preferential treatment to certain traffic at the expense of other traffic. Without QoS, the device offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput. To configure QoS for your wireless device, see Quality of Service in a Wireless Environment at http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/QualityOfService.html.
Configuring the Access Point in Hot Standby Mode
In hot standby mode, an access point is designated as a backup for another access point. The standby access point is placed near the access point that it monitors and is configured exactly like the monitored access point. The standby access point associates with the monitored access point as a client and sends Internet Access Point Protocol (IAPP) queries to the monitored access point through the Ethernet and radio ports. If the monitored access point fails to respond, the standby access point comes online and takes the monitored access point's place in the network.
Except for the IP address, the standby access point's settings should be identical to the settings on the monitored access point. If the monitored access point goes offline and the standby access point takes its place in the network, matching settings ensure that client devices can switch easily to the standby access point. For more information, see Hot Standby Access Points at http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/RolesHotStandby.html.
Upgrading to Cisco Unified Software
To run the access point in Cisco Unified mode, upgrade the software by performing the following procedures:
•
•
Software Prerequisites
•
•
Preparing for the Upgrade
To prepare for the upgrade, peform the following tasks:
•
•
Secure an IP Address on the Access Point
Secure an IP address on the access point so it that can communicate with the WLC and download the Unified image upon bootup. The host router provides the access point DHCP server functionality through the DHCP pool. The access point communicates with the WLC and setup option 43 for the controller IP address in the DHCP pool configuration. The following is a sample configuration:
ip dhcp pool embedded-ap-poolnetwork 60.0.0.0 255.255.255.0dns-server 171.70.168.183default-router 60.0.0.1option 43 hex f104.0a0a.0a0f (single WLC IP address(10.10.10.15) in hex format)int vlan1ip address 60.0.0.1 255.255.255.0For more information about the WLC discovery process, see Cisco Wireless LAN Configuration Guide at http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/ccfig40.html.
Confirm that the Mode Setting is Enabled
To confirm that the mode setting is enabled, follow these steps:
Step 1
Step 2
Step 3
Step 4
# show bootBOOT path-list: flash:ap802-k9w7-mx.124/ap802-k9w7-mx.124Config file: flash:/config.txtPrivate Config file: flash:/private-configEnable Break: noManual Boot: yesHELPER path-list: noNVRAM/Config filebuffer size: 32768Mode Button: onRadio Core TFTP:ap#Performing the Upgrade
To upgrade the autonomous software to Cisco Unified software, follow these steps:
Step 1
Router# configure terminalRouter(config)# service-module wlan-ap 0 bootimage unifiedRouter(config)# end
Note
To identify the access point's boot image path, use the show boot command in privileged EXEC mode on the access point console:
autonomous-AP# show boot BOOT path-list: flash:/ap802-rcvk9w8-mx/ap802-rcvk9w8-mx
Step 2
Troubleshooting an Upgrade or Reverting the AP to Autonomous Mode
Q.
A.
–
–
–
Q.
My access point is stuck in the recovery image and does not upgrade to the Unified software. Why?A.
Upgrading AP bootloader
For AP802, the bootloader is available as part of the host router image. To upgrade the bootloader, perform the following steps:
Step 1
Router# show platform versionPlatform Revisions/Versions :.WLAN AP Boot loader (bundled):AP802 Boot Loader (AP802-BOOT-M) Version 12.4(25e)JA1, RELEASE SOFTWARE (fc1)Technical Support: http://www.cisco.com/techsupportCompiled Wed 30-May-12 03:46 by prod_rel_teamStep 2
For information on how to open a session between a router and an access point, see the "Starting a Wireless Configuration Session" section.
Step 3
At the WLAN AP bootloader, use the version command.
ap: versionAP802 Boot Loader (AP802-BOOT-M) Version 12.4(25e)JA1, RELEASE SOFTWARE (fc1)Technical Support: http://www.cisco.com/techsupportCompiled Wed 30-May-12 03:46 by prod_rel_teamAt the WLAN AP IOS, use the show version command.
ap# show version.BOOTLDR: AP802 Boot Loader (AP802-BOOT-M) Version 12.4(25e)JA1, RELEASE SOFTWARE (fc1)<snip>Configuration register is 0xFStep 4
Router# service-module wlan-ap 0 upgrade bootloaderRouter# service-module wlan-ap 0 resetDowngrading the Software on the Access Point
To reset the access point boot to the last autonomous image, use the service-module wlan-ap0 bootimage autonomous command in privileged EXEC mode on the host router running on the first core. To reload the access point with the autonomous software image, use the service-module wlan-ap 0 reload command.
Router# configure terminalRouter(config)# service-module wlan-ap 0 bootimage autonomousRouter(config)# endRouter# writeRouter# service-module wlan-ap 0 reloadRecovering Software on the Access Point
To recover the image on the access point, use the service-module wlan-ap0 reset bootloader command in privileged EXEC mode. This command returns the access point to the bootloader for manual image recovery.
Caution
Images Supported
For information on images supported on the Cisco 880 Series ISRs, see the "Images Supported" section.
Related Documentation
See the following documentation for additional autonomous and unified configuration procedures:
•
•
Table 4-2 Autonomous Mode Documentation
Wireless Overview
Describes the roles of the wireless device on the network.
Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges Versions 12.4(25d)JA and 12.3(8)JEE
http://www.cisco.com/en/US/docs/wireless/access_point/12.4.25d.JA/Command/reference/cr12425d-preface.html
Describes the Cisco IOS Release 12.4(25d)JA and Cisco IOS Release 12.3(8)JEE commands for configuring Cisco Aironet access points and bridges.
Configuring the Radio
Describes how to configure the wireless radio.
Authentication Types for Wireless Devices
Describes the authentication types that are configured on the access point.
RADIUS and TACACS+ Servers in a Wireless Environment
http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityRadiusTacacs_1.html
Describes how to enable and configure the RADIUS1 and TACACS+2 and provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS and TACACS+ are facilitated through AAA3 and can be enabled only through AAA commands.
Using the Access Point as a Local Authenticator
http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityLocalAuthent.html
Describes how to use a wireless device in the role of an access point as a local authenticator, serving as a standalone authenticator for a small wireless LAN or providing backup authentication service. As a local authenticator, the access point performs LEAP, EAP-FAST, and MAC-based authentication for up to 50 client devices.
Cipher Suites and WEP
http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityCipherSuitesWEP.html
Describes how to configure the cipher suites required when using WPA4 and CCKM5 ; WEP6 ; and WEP features including AES7 , MIC8 , TKIP9 , and broadcast key rotation.
Hot Standby Access Points
http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/RolesHotStandby.html
Describes how to configure your wireless device as a hot standby unit.
Configuring Wireless VLANs
http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/wireless_vlans.html
Describes how to configure an access point to operate with the VLANs set up on a wired LAN.
Service Set Identifiers
http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/ServiceSetID.html
In the role of an access point, a wireless device can support up to 16 SSIDs10 . This document describes how to configure and manage SSIDs on the wireless device.
Quality of Service
http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/QualityOfService.html
Describes how to configure QoS11 on your Cisco wireless interface. With this feature, you can provide preferential treatment to certain traffic at the expense of other traffic. Without QoS, the device offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Regulatory Domains and Channels
Lists the radio channels supported by Cisco access products in the regulatory domains of the world.
System Message Logging
http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SysMsgLogging.html
Describes how to configure system message logging on your wireless device.
1 RADIUS = Remote Authentication Dial-In User Service.
2 TACACS+ = Terminal Access Controller Access Control System Plus.
3 AAA = Authentication, Authorization, and Accounting.
4 WPA = Wireless Protected Access.
5 CCKM = Cisco Centralized Key Management.
6 WEP = Wired Equivalent Privacy.
7 AES = Advanced Encryption Standard.
8 MIC = Message Integrity Check.
9 TKIP = Temporal Key Integrity Protocol.
10 SSID = service set identifiers.
11 QoS = quality of service.
Table 4-3 Unified Mode Documentation
Why Migrate to the Cisco Unified Wireless Network?
Wireless LAN Controller (WLC) FAQ
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
Single-Radio AP802
Cisco Wireles LAN Controller Configuration Guide, Release 7.0.116.0
Dual-Radio AP802
Cisco Unified Wireless Network Software Release 7.2.110.0
(7.2 Maintenance Release 1)
