Table Of Contents
Cisco IOS Commands for Access Points
and Bridgesaaa authentication login default local cache
aaa authorization exec default local cache
accounting (SSID configuration mode)
admission-control (QOS Class interface configuration mode)
admit-traffic (SSID configuration mode)
admit-traffic (QOS Class interface configuration mode)
anonymous-id (dot1x credentials configuration mode)
authentication (local server configuration mode)
authentication network-eap (SSID configuration mode)
authentication open (SSID configuration mode)
authentication shared (SSID configuration mode)
bridge-group block-unknown-source
bridge-group spanning-disabled
bridge-group subscriber-loop-control
channel-match (LBS configuration mode)
clear dot11 aaa authentication mac-authen filter-cache
clear ip igmp snooping membership
clear wlccp wds recovery statistics
cw-max (QOS Class interface configuration mode)
cw-min (QOS Class interface configuration mode)
debug wlccp ap rm enhanced-neighbor-list
description (dot1x credentials configuration mode)
dot11 aaa authentication attributes service-type login-only
dot11 aaa authentication mac-authen filter-cache
dot1x eap profile (configuration interface mode)
dot1x eap profile (SSID configuration mode)
exception crashinfo buffersize
fixed-slot (QOS Class interface configuration mode)
group (local server configuration mode)
guest-mode (SSID configuration mode)
information-element ssidl (SSID configuration mode)
infrastructure-ssid (SSID configuration mode)
interface dot11 (LBS configuration mode)
match (class-map configuration)
max-associations (SSID configuration mode)
mbssid (SSID configuration mode)
method (eap profile configuration mode)
method (LBS configuration mode)
multicast address (LBS configuration mode)
nas (local server configuration mode)
packet-type (LBS configuration mode)
password (dot1x credentials configuration mode)
pki-trustpoint (dot1x credentials configuration mode)
radius local-server pac-generate
server-address (LBS configuration mode)
show dot11 aaa authentication mac-authen filter-cache
show dot11 statistics client-traffic
show interfaces dot11radio aaa
show interfaces dot11radio statistics
show radius local-server statistics
show wlccp ap rm enhanced-neighbor-list
snmp-server enable traps envmon temperature
transmit-op (QOS Class interface configuration mode)
username (dot1x credentials configuration mode)
user (local server configuration mode)
vlan (SSID configuration mode)
wlccp wds aaa authentication mac-authen filter-cache
Cisco IOS Commands for Access Points
and Bridges
This chapter lists and describes Cisco IOS commands in Cisco IOS Release 12.3(8)JA that you use to configure and manage your access point, bridge, and wireless LAN. The commands are listed alphabetically.
aaa authentication login default local cache
To set a local login cache for authentication, authorization, and accounting (AAA) authentication, use the aaa authentication login default local cache command in global configuration mode. To disable the local login cache, use the no form of this command:
[no] aaa authentication login default local cache [word | radius | tacacs+]
Syntax Description
Command Default
There is no default for this command.
Command Modes
Global configuration
Command History
Examples
The following example creates a local cache for an AAA authentication list called tac_admin set as the default list used for all login authentications. This authentication checks the local cache first, and if the information is not available, the authentication server (group tac_admin) is contacted and the information is also stored in the local cache.
AP(config)# aaa authentication login default cache tac_admin group tac_adminRelated Commands
aaa authorization exec default local cache
To set a local cache for AAA exec authorization, use the aaa authorization exec default local cache command in global configuration mode. To disable the local cache, use the no form of this command:
[no] aaa authorization exec default local cache [word| radius | tacacs+]
Syntax Description
Command Default
There is no default for this command.
Command Modes
Global configuration
Command History
Examples
The following example creates a local exec mode cache for an AAA authorization list called tac_admin set as the default list used for all login authorizations. This authorization checks the local cache first, and if the information is not available, the authorization server (group tac_admin) is contacted and the information is also stored in the local cache.
AP(config)# aaa authorization exec default cache tac_admin group tac_adminRelated Commands
aaa cache profile
To set storage rules for the AAA cache, use the aaa cache profile command in global configuration mode. To disable the AAA cache profile, use the no form of this command:
[no] aaa cache profile name
[no] profile exact match [no-auth]
[no] regexp match expression [any | only] [no-auth]
[no] all [no-auth]Syntax Description
Command Default
There is no default for this command.
Command Modes
Global configuration
Command History
Examples
The following example sets a name of admin_cache for the AAA cache profile and only stores AAA server responses with the username administrator in the cache.
AP(config)# aaa cache admin_cacheAP(config-profile-map)# profile administratorRelated Commands
aaa pod server
To enable inbound user sessions to be disconnected when specific session attributes are presented, use the aaa pod server global configuration command. To disable this feature, use the no form of this command.Packet of Disconnect (POD) consists of a method of terminating a session that has already been connected. The POD is a RADIUS disconnect_request packet and is intended to be used in situations where the authenticating agent server wants to disconnect the user after the session has been accepted by the RADIUS access_accept packet.aaa pod server {
auth-type [all | any | session-key] |
clients IP-address |
ignore [server-key | session-key] |
port number |
server-key string}no aaa pod server
Syntax Description
Defaults
The POD server function is disabled.
Command Modes
Global configuration
Command History
12.1(3)T
This command was introduced.
12.3(8)JA
The clients and ignore keywords were added.
Usage Guidelines
For a session to be disconnected, the values in one or more of the key fields in the POD request must match the values for a session on one of the network access server ports. Which values must match depends on the auth-type attribute defined in the command. If no auth-type is specified, all four values must match. If no match is found, all connections remain intact and an error response is returned. The key fields are as follows:
•
User-Name
•
•
•
Related Commands
accounting (SSID configuration mode)
Use the accounting SSID configuration mode command to enable RADIUS accounting for the radio interface (for the specified SSID). Use the no form of the command to disable accounting.
[no] accounting list-name
Syntax Description
Defaults
This command has no defaults.
Command Modes
SSID configuration interface
Command History
Usage Guidelines
You create accounting lists using the aaa accounting command. These lists indirectly reference the server where the accounting information is stored.
Examples
This example shows how to enable RADIUS accounting and set the RADIUS server name:
AP(config-if-ssid)# accounting radius1This example shows how to disable RADIUS accounting:
AP(config-if-ssid)# no accountingRelated Commands
admission-control (QOS Class interface configuration mode)
Use the admission-control QOS Class interface configuration mode command to require call admission control (CAC) traffic for a radio interface. Use the no form of the command to remove the setting.
[no] admission-control
Note
Note
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no defaults.
Command Modes
QOS Class interface configuration mode
Command History
Examples
This example shows how to configure CAC admission control as a requirement for the radio interface:
AP(config)# interface dot11radio 0AP(config-if)# dot11 qos class voiceAP(config-if-qosclass)# admission-controlThis example shows how to remove the CAC admission control requirement on the radio interface:
AP(config-if-qosclass)# no admission-controlRelated Commands
admit-traffic (SSID configuration mode)
Use the admit-traffic SSID configuration mode command to enable or disable call admission control (CAC) traffic for an SSID. Use the no form of the command to disable all CAC traffic for the SSID.
[no] admit-traffic
Note
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the admission control is disabled on all SSIDs.
Command Modes
SSID configuration mode
Command History
Examples
This example shows how to enable CAC traffic support for the test SSID:
AP(config)# dot11 ssid testAP(config-ssid)# admit-trafficThis example shows how to disable CAC traffic on the test SSID:
AP(config)# dot11 ssid testAP(config-ssid)# no admit-trafficRelated Commands
admit-traffic (QOS Class interface configuration mode)
Use the admit-traffic QOS Class interface configuration mode command to enable CAC traffic for a radio interface. Use the no form of the command to disable all CAC traffic for the access point.
admit-traffic {narrowband | signaling} {infinite | max-channel percent}
[roam-channel roam]no admit-traffic
Note
Syntax Description
Defaults
This command has no defaults.
Command Modes
QOS Class interface configuration mode
Command History
Examples
This example shows how to configure CAC voice traffic parameters for the radio interface:
AP(config)# interface dot11radio 0AP(config-if)# dot11 qos class voiceAP(config-if-qosclass)# narrowband max-channel 30 roam-channel 10 channel-min 10This example shows how to disable CAC traffic on the radio interface:
AP(config-if-qosclass)# no admin-trafficRelated Commands
anonymous-id (dot1x credentials configuration mode)
Use the anonymous-id dot1x credentials configuration mode command to configure an anonymous username for the dot1x credentials. Use the no form of the command to disable anonymous-id.
[no] anonymous-id name
Syntax Description
Defaults
This command has no defaults.
Command Modes
SSID configuration interface
Command History
Examples
This example shows how to configure a dot1x certificate anonymous username:
AP(config-dot1x-creden)# anonymous-id user1This example shows how to disable the anonymous username:
AP(config-dot1x-creden)# no anonymous-idRelated Commands
dot1x credentials
Configures the dot1x credentials on the access point.
show dot1x credentials
Displays the configured dot1x credentials on the access point.
antenna
Use the antenna configuration interface command to configure the radio receive or transmit antenna settings. Use the no form of this command to reset the receive antenna to defaults.
[no] antenna
{gain gain |
{receive | transmit {diversity | left | right}}}Syntax Description
Defaults
The default antenna configuration is diversity.
Command Modes
Configuration interface
Command History
Examples
This example shows how to specify the right receive antenna option:
AP(config-if)# antenna receive rightThis example shows how to set the receive antenna option to defaults:
AP(config-if)# no antenna receiveThis example shows how to enter an antenna gain setting:
AP(config-if)# antenna gain 1.5Related Commands
Configures the radio power level
show running-config
Displays the current access point operating configuration
authentication (local server configuration mode)
Use the authentication local server configuration command to specify the authentication types that are allowed on the local authenticator. By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication for up to 50 client devices. You use the no form of the authentication command to limit the local authenticator to one or more authentication types.
[no] authentication [eapfast] [leap] [mac]
Note
Syntax Description
Defaults
By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication. To limit the local authenticator to one or two authentication types, use the no form of the command to disable unwanted authentication types.
Command Modes
Local server configuration mode
Command History
Examples
This example shows how to limit the local authenticator to perform only LEAP authentications for client devices:
AP(config-radsrv)# no authentication eapfastAP(config-radsrv)# no authentication macRelated Commands
authentication client
Use the authentication client configuration interface command to configure a LEAP username and password that the access point uses when authenticating to the network as a repeater.
authentication client username username password password
Syntax Description
Defaults
This command has no defaults.
Command Modes
SSID configuration interface
Command History
Examples
This example shows how to configure the LEAP username and password that the repeater uses to authenticate to the network:
AP(config-if-ssid)# authentication client username ap-north password buckeyeRelated Commands
Specifies the SSID and enters the SSID configuration mode
show running-config
Displays the current access point operating configuration
authentication key-management
Use the authentication key-management SSID configuration mode command to configure the radio interface (for the specified SSID) to support authenticated key management. Cisco Centralized Key Management (CCKM) and Wi-Fi Protected Access (WPA) are the key management types supported on the access point.
authentication key-management { [wpa] [cckm] } [ optional ]
Note
Syntax Description
Defaults
This command has no defaults.
Command Modes
SSID configuration interface
Command History
12.2(11)JA
This command was introduced.
12.2(13)JA
This command was modified to allow you to enable both WPA and CCKM for an SSID.
Usage Guidelines
Use this command to enable authenticated key management for client devices.
•
•
•
•
Examples
This example shows how to enable both WPA and CCKM for an SSID:
AP(config-if-ssid)# authentication key-management wpa cckmRelated Commands
Specifies a cipher suite
Specifies the SSID and enters SSID configuration mode
Specifies a pre-shared key for an SSID
authentication network-eap (SSID configuration mode)
Use the authentication network-eap SSID configuration mode command to configure the radio interface (for the specified SSID) to support network-EAP authentication with optional MAC address authentication. Use the no form of the command to disable network-eap authentication for the SSID.
[no] authentication
network-eap list-name
[mac-address list-name]
Note
Syntax Description
list-name
Specifies the list name for EAP authentication
mac-address list-name
Specifies the list name for MAC authentication
Defaults
This command has no defaults.
Command Modes
SSID configuration interface
Command History
Usage Guidelines
Use this command to authenticate clients using the network EAP method, with optional MAC address screening. You define list names for MAC addresses and EAP using the aaa authentication login command. These lists define the authentication methods activated when a user logs in and indirectly identify the location where the authentication information is stored.
Note
Examples
This example shows how to set the authentication to open for devices on a specified address list:
AP(config-if-ssid)# authentication network-eap list1This example shows how to reset the authentication to default values:
AP(config-if-ssid)# no authentication network-eapRelated Commands
authentication open (SSID configuration mode)
Use the authentication open SSID configuration mode command to configure the radio interface (for the specified SSID) to support open authentication and optionally EAP authentication or MAC address authentication. Use the no form of the command to disable open authentication for the SSID.
[no] authentication open
[[optional] eap list-name]
[mac-address list-name [alternate] ]
Note
Syntax Description
Defaults
This command has no defaults.
Command Modes
SSID configuration interface
Command History
Usage Guidelines
Use this command to authenticate clients using the open method, with optional MAC address or EAP screenings. If you use the alternate keyword, the client must pass either MAC address or EAP authentication. Otherwise, the client must pass both authentications. Use the optional keyword to allow client devices using either open or EAP authentication to associate and become authenticated. You define list names for MAC addresses and EAP using the aaa authentication login command. These lists define the authentication methods activated when a user logs in and indirectly identify the location where the authentication information is stored.
Examples
This example shows how to enable open authentication with MAC address restrictions:
AP(config-if-ssid)# authentication open mac-address mac-list1This example shows how to disable open authentication for the SSID:
AP(config-if-ssid)# no authentication openRelated Commands
Specifies shared key authentication
Specifies network EAP authentication
Creates an SSID and enters SSID configuration mode
authentication shared (SSID configuration mode)
Use the authentication shared SSID configuration mode command to configure the radio interface (for the specified SSID) to support shared authentication with optional MAC address authentication and EAP authentication. Use the no form of the command to disable shared authentication for the SSID.
[no] authentication shared
[mac-address list-name]
[eap list-name]
Note
Syntax Description
mac-address list-name
Specifies the list name for MAC authentication
eap list-name
Specifies the list name for EAP authentication
Defaults
This command has no defaults.
Command Modes
SSID configuration interface
Command History
Usage Guidelines
Use this command to authenticate clients using the shared method, with optional MAC address or EAP screenings. You define list names for MAC addresses and EAP using the aaa authentication login command. These lists define the authentication methods activated when a user logs in and indirectly identify the location where the authentication information is stored.
Examples
This example shows how to set the authentication to shared for devices on a MAC address list:
AP(config-if-ssid)# authentication shared mac-address mac-list1This example shows how to reset the authentication to default values:
AP(config-if-ssid)# no authentication sharedRelated Commands
beacon
Use the beacon configuration interface command to specify how often the beacon contains a Delivery Traffic Indicator Message (DTIM). Use the no form of this command to reset the beacon interval to defaults.
[no] beacon {period Kms | dtim-period count}
Syntax Description
Defaults
The default period is 100.
The default dtim-period is 2.
Command Modes
Configuration interface
Command History
Usage Guidelines
Clients normally wake up each time a beacon is sent to check for pending packets. Longer beacon periods let the client sleep longer and preserve power. Shorter beacon periods reduce the delay in receiving packets.
Controlling the DTIM period has a similar power-saving result. Increasing the DTIM period count lets clients sleep longer, but delays the delivery of multicast packets. Because multicast packets are buffered, large DTIM period counts can cause a buffer overflow.
Examples
This example shows how to specify a beacon period of 15 Kms (15.36 milliseconds):
AP(config-if)# beacon period 15This example shows how to set the beacon parameter to defaults:
AP(config-if)# no beaconRelated Commands
boot buffersize
To modify the buffer size used to load configuration files, use the boot buffersize global configuration command. Use the no form of the command to return to the default setting.
[ no ] boot buffersize bytes
Syntax Description
Defaults
The default buffer size for loading configuration files is 32 KB.
Command Modes
Global configuration
Command History
Usage Guidelines
Increase the boot buffer size if your configuration file size exceeds 512 KB.
Examples
This example shows how to set the buffer size to 512 KB:
AP(config)# boot buffersize 524288boot ios-break
Use the boot ios-break global configuration command to enable an access point or bridge to be reset using a send break Telnet command.
After you enter the boot ios-break command, you can connect to the access point console port and press Ctrl-] to bring up the Telnet prompt. At the Telnet prompt, enter send break. The access point reboots and reloads the image.
[ no ] boot ios-break
Syntax Description
This command has no arguments or keywords.
Defaults
This command is disabled by default.
Command Modes
Global configuration
Command History
Examples
This example shows how to enable an access point or bridge to be reset using a send break Telnet command:
AP(config)# boot ios-breakboot mode-button
Use the boot mode-button global configuration command to enable or disable the operation of the mode button on access points with a console port. This command can be used to prevent password recovery and to prevent unauthorized users from gaining access to the access point CLI.
Use the no form of the command to disable the access point mode button.
[ no ] boot mode-button
Caution
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
Global configuration
Command History
12.3(7)JA
This command was introduced.
Note
Examples
This example shows how to disable the Mode button on an access point with a console port:
AP(config)# no boot mode-buttonThis example shows how to reenable the Mode button on an access point with a console port:
AP(config)# boot mode-button
Note
Related Commands
show boot
Displays the current boot configuration.
Displays the current status of the mode-button.
boot upgrade
Use the boot upgrade global interface command to configure access points and bridges to automatically load a configuration and use DHCP options to upgrade system software.
When your access point renews its IP address with a DHCP request, it uses the details configured on the DHCP server to download a specified configuration file from a TFTP server. If a boot system command is part of the configuration file and the unit's current software version is different, the access point or bridge image is automatically upgraded to the version in the configuration. The access point or bridge reloads and executes the new image.
[ no ] boot upgrade
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
Global configuration
Command History
Examples
This example shows how to prevent an access point or bridge from automatically loading a configuration and upgrading system software:
AP(config)# no boot upgradebridge aging-time
Use the bridge aging-time global configuration command to configure the length of time that a dynamic entry can remain in the bridge table from the time the entry is created or last updated.
bridge group aging-time seconds
Note
Syntax Description
Defaults
The default aging time is 300 seconds.
Command Modes
Global configuration
Command History
Examples
This example shows how to configure the aging time for bridge group 1:
bridge(config)# bridge 1 aging-time 500Related Commands
bridge forward-time
Use the bridge forward-time global configuration command to configure the forward delay interval on the bridge.
bridge group aging-time seconds
Note
Syntax Description
Defaults
The default forward time is 30 seconds.
Command Modes
Global configuration
Command History
Examples
This example shows how to configure the forward time for bridge group 2:
bridge(config)# bridge 2 forward-time 60Related Commands
bridge hello-time
Use the bridge hello-time global configuration command to configure the interval between hello bridge protocol data units (BPDUs).
bridge group hello-time seconds
Note
Syntax Description
Defaults
The default hello time is 2 seconds.
Command Modes
Global configuration
Command History
Examples
This example shows how to configure the hello time for bridge group 1:
bridge(config)# bridge 1 hello-time 15Related Commands
bridge max-age
Use the bridge max-age global configuration command to configure the interval that the bridge waits to hear BPDUs from the spanning tree root. If the bridge does not hear BPDUs from the spanning tree root within this specified interval, it assumes that the network has changed and recomputes the spanning-tree topology.
bridge group max-age seconds
Note
Syntax Description
group
Specifies the bridge group
seconds
Specifies the max-age interval in seconds (enter a value between 10 and 200 seconds)
Defaults
The default max-age is 15 seconds.
Command Modes
Global configuration
Command History
Examples
This example shows how to configure the max age for bridge group 1:
bridge(config)# bridge 1 max-age 20Related Commands
bridge priority
Use the bridge priority global configuration command to configure the spanning tree priority for the bridge. STP uses the bridge priority to select the spanning tree root. The lower the priority, the more likely it is that the bridge will become the spanning tree root.
The radio and Ethernet interfaces and the native VLAN on the bridge are assigned to bridge group 1 by default. When you enable STP and assign a priority on bridge group 1, STP is enabled on the radio and Ethernet interfaces and on the primary VLAN, and those interfaces adopt the priority assigned to bridge group 1. You can create bridge groups for sub-interfaces and assign different STP settings to those bridge groups.
bridge group priority priority
Note
Syntax Description
group
Specifies the bridge group to be configured
priority
Specifies the STP priority for the bridge
Defaults
The default bridge priority is 32768.
Command Modes
Global configuration
Command History
Examples
This example shows how to configure the priority for the bridge:
bridge(config-if)# bridge 1 priority 900Related Commands
bridge protocol ieee
Use the bridge number protocol ieee global configuration command to enable Spanning Tree Protocol (STP) on the bridge. STP is enabled for all interfaces assigned to the bridge group that you specify in the command.
The radio and Ethernet interfaces and the native VLAN on the bridge are assigned to bridge group 1 by default. When you enable STP and assign a priority on bridge group 1, STP is enabled on the radio and Ethernet interfaces and on the primary VLAN, and those interfaces adopt the priority assigned to bridge group 1. You can create bridge groups for sub-interfaces and assign different STP settings to those bridge groups.
bridge number protocol ieee [ suspend ]
Note
Syntax Description
number
Specifies the bridge group for which STP is enabled
suspend
Suspends STP on the bridge until you re-enable it.
Defaults
STP is disabled by default.
Command Modes
Global configuration
Command History
Examples
This example shows how to enable STP for bridge group 1:
bridge(config)# bridge 1 protocol ieeeRelated Commands
bridge-group block-unknown-source
Use the bridge-group block-unknown-source configuration interface command to block traffic from unknown MAC addresses on a specific interface. Use the no form of the command to disable unknown source blocking on a specific interface.
For STP to function properly, block-unknown-source must be disabled for interfaces participating in STP.
bridge-group group block-unknown-source
Syntax Description
Defaults
When you enable STP on an interface, block unknown source is disabled by default.
Command Modes
Configuration interface
Command History
Examples
This example shows how to disable block unknown source for bridge group 2:
bridge(config-if)# no bridge-group 2 block-unknown-sourceRelated Commands
bridge-group path-cost
Use the bridge-group path-cost configuration interface command to configure the path cost for the bridge Ethernet and radio interfaces. Spanning Tree Protocol (STP) uses the path cost to calculate the shortest distance from the bridge to the spanning tree root.
bridge-group group path-cost cost
Note
Syntax Description
Defaults
The default path cost for the Ethernet interface is 19, and the default path cost for the radio interface is 33.
Command Modes
Configuration interface
Command History
Examples
This example shows how to configure the path cost for bridge group 2:
bridge(config-if)# bridge-group 2 path-cost 25Related Commands
bridge-group port-protected
Use the bridge-group port-protected configuration interface command to enable protected port for public secure mode configuration. In Cisco IOS software, there is no exchange of unicast, broadcast, or multicast traffic between protected ports.
bridge-group bridge-group
port-protectedSyntax Description
Defaults
This command has no defaults.
Command Modes
Configuration interface
Command History
Examples
This example shows how to enable protected port for bridge group 71:
AP(config-if)# bridge-group 71 port-protectedRelated Commands
bridge-group priority
Use the bridge-group priority configuration interface command to configure the spanning tree priority for the bridge Ethernet and radio interfaces. Spanning Tree Protocol (STP) uses the interface priority to select the root interface on the bridge.
The radio and Ethernet interfaces and the native VLAN on the bridge are assigned to bridge group 1 by default. When you enable STP and assign a priority on bridge group 1, STP is enabled on the radio and Ethernet interfaces and on the primary VLAN, and those interfaces adopt the priority assigned to bridge group 1. You can create bridge groups for sub-interfaces and assign different STP settings to those bridge groups.
bridge-group group priority priority
Syntax Description
group
Specifies the bridge group to be configured
priority
Specifies the STP priority for the bridge group
Defaults
The default priority for both the Ethernet and radio interfaces is 128.
Command Modes
Configuration interface
Command History
Examples
This example shows how to configure the priority for an interface on bridge group 2:
bridge(config-if)# bridge-group 2 priority 150Related Commands
bridge-group spanning-disabled
Use the bridge-group spanning-disabled configuration interface command to disable Spanning Tree Protocol (STP) on a specific interface. Use the no form of the command to enable STP on a specific interface.
For STP to function properly, spanning-disabled must be disabled for interfaces participating in STP.
bridge-group group spanning-disabled
Syntax Description
Defaults
STP is disabled by default.
Command Modes
Configuration interface
Command History
Examples
This example shows how to disable STP for bridge group 2:
bridge(config-if)# bridge-group 2 spanning-disabledRelated Commands
bridge-group subscriber-loop-control
Use the bridge-group subscriber-loop-control configuration interface command to enable loop control on virtual circuits associated with a bridge group. Use the no form of the command to disable loop control on virtual circuits associated with a bridge group.
For Spanning Tree Protocol (STP) to function properly, subscriber-loop-control must be disabled for interfaces participating in STP.
bridge-group group subscriber-loop-control
Syntax Description
Defaults
When you enable STP for an interface, subscriber loop control is disabled by default.
Command Modes
Configuration interface
Command History
Examples
This example shows how to disable subscriber loop control for bridge group 2:
bridge(config-if)# no bridge-group 2 subscriber-loop-controlRelated Commands
bridge-group unicast-flooding
Use the bridge-group unicast-flooding configuration interface command to enable unicast flooding for a specific interface. Use the no form of the command to disable unicast flooding for a specific interface.
bridge-group group unicast-flooding
Syntax Description
Defaults
Unicast flooding is disabled by default.
Command Modes
Configuration interface
Command History
Examples
This example shows how to configure unicast flooding for bridge group 2:
bridge(config-if)# bridge-group 2 unicast-floodingRelated Commands
broadcast-key
Use the broadcast-key configuration interface command to configure the time interval between rotations of the broadcast encryption key used for clients. Use the no form of the command to disable broadcast key rotation.
[no] broadcast-key
[vlan vlan-id]
[change secs]
[ membership-termination ]
[ capability-change ]
Note
Note
Syntax Description
Defaults
This command has no defaults.
Command Modes
Configuration interface
Command History
Examples
This example shows how to configure vlan10 to support broadcast key encryption with a 5-minute key rotation interval:
AP(config-if)# broadcast-key vlan 10 change 300This example shows how to disable broadcast key rotation:
AP(config-if)# no broadcast-keycache authentication profile
Use the cache authentication profile server configuration command to configure the cache authentication profile. Use the no form of the command to disable the cache authentication profile.
[no] cache authentication profile name
Note
Syntax Description
Defaults
This command has no defaults.
Command Modes
Server group configuration.
Command History
Examples
This example shows how to configure a RADIUS cache authentication profile:
AP(config)# aaa group server radius rad_adminAP(config-sg-radius)# server 10.19.21.105AP(config-sg-radius)# cache expiry 5AP(config-sg-radius)# cache authentication profile admin_cacheThis example shows how to to configure a TACACS+ cache authentication profile:
AP(config)# aaa group server tacacs+ tac_adminAP(config-sg-tacacs+)# server 10.19.21.125AP(config-sg-tacacs+)# cache expiry 5AP(config-sg-tacacs+)# cache authentication profile admin_cacheRelated Commands
cache authorization profile
Use the cache authorization profile server configuration command to configure the cache authorization profile. Use the no form of the command to disable the cache authorization profile.
[no] cache authorization profile name
Note
Syntax Description
Defaults
This command has no defaults.
Command Modes
Server group configuration.
Command History
Examples
This example shows how to configure a RADIUS cache authorization profile:
AP(config)# aaa group server radius rad_adminAP(config-sg-radius)# server 10.19.21.105AP(config-sg-radius)# cache expiry 5AP(config-sg-radius)# cache authorization profile admin_cacheThis example shows how to to configure a TACACS+ cache authorization profile:
AP(config)# aaa group server tacacs+ tac_adminAP(config-sg-tacacs+)# server 10.19.21.125AP(config-sg-tacacs+)# cache expiry 5AP(config-sg-tacacs+)# cache authorization profile admin_cacheRelated Commands
cache expiry
Use the cache expiry server group configuration command to configure the expiration time of the server group cache. Use the no form of the command to disable the cache expiration.
[no] cache expiry hours [enforce | failover]
Note
Syntax Description
Defaults
The default cache expiration time is 24 hours.
Command Modes
Server group configuration
Command History
Examples
This example shows how to configure a RADIUS cache expiration time of 5 hours:
AP(config)# aaa group server radius rad_adminAP(config-sg-radius)# server 10.19.21.105AP(config-sg-radius)# cache expiry 5This example shows how to to configure a TACACS+ cache expiration time of 5 hours:
AP(config)# aaa group server tacacs+ tac_adminAP(config-sg-tacacs+)# server 10.19.21.125AP(config-sg-tacacs+)# cache expiry 5Related Commands
cca
Use the cca configuration interface command to configure the clear channel assessment (CCA) noise floor level for the bridge radio. The value you enter is used as an absolute value of dBm.
cca number
Note
Syntax Description
number
Specifies the radio noise floor in dBm. Enter a number from -60 to 0. Zero configures the radio to use a received validate frame as the CCA indication.
Defaults
The default CCA level is -62 dBm.
Command Modes
Configuration interface
Command History
Examples
This example shows how to configure the CCA level for the bridge radio:
bridge(config-if)# cca 50channel
Use the channel configuration interface command to set the radio channel frequency. Use the no form of this command to reset the channel frequency to defaults.
[no] channel {number | frequency | least-congested}
Note
Syntax Description
number
Specifies a channel number. For a list of channels for the 2.4-GHz radio, see Table 2-1. For a list of channels for the 5-GHz radio, see Table 2-2.
Note
frequency
Specifies the center frequency for the radio channel. For a list of center frequencies for the 2.4-GHz access point radio, see Table 2-1. For a list of center frequencies for the 5-GHz access point radio, see Table 2-2. For a list of center frequencies for the 5-GHz bridge radio, see Table 2-3.
Note
least-congested
Enables or disables the scanning for a least busy radio channel to communicate with the client adapter
Table 2-3 Channels and Center Frequencies for the 1400 Series Bridge 5-GHz Radio
(MHz)149
5745
153
5765
157
5785
161
5805
Defaults
The default channel setting is least-congested.
Command Modes
Configuration interface
Command History
Examples
This example shows how to set the access point radio to channel 10 with a center frequency of 2457.
AP(config-if)# channel 2457This example shows how to set the access point to scan for the least-congested radio channel.
AP(config-if)# channel least-congestedThis example shows how to set the frequency to the default setting:
AP(config-if)# no channelRelated Commands
show controllers dot11radio
Displays the radio controller information and status
channel-match (LBS configuration mode)
Use the channel-match location based services (LBS) configuration mode command to specify that the LBS packet sent by an LBS tag must match the radio channel on which the access point receives the packet. If the channel used by the tag and the channel used by the access point do not match, the access point drops the packet.
[no] channel-match
Syntax Description
This command has no arguments or keywords.
Defaults
The channel match option is enabled by default.
Command History
Examples
This example shows how to enable the channel match option for an LBS profile:
ap(dot11-lbs)# channel-matchRelated Commands
class-map
Use the class-map global configuration command to create a class map to be used for matching packets to the class whose name you specify and to enter class-map configuration mode. Use the no form of this command to delete an existing class map and return to global configuration mode.
[no] class-map name
Syntax Description
Defaults
This command has no defaults, and there is not a default class map.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify the name of the class for which you want to create or modify class-map match criteria and to enter class-map configuration mode. In this mode, you can enter one match command to configure the match criterion for this class.
The class-map command and its subcommands are used to define packet classification, marking, and aggregate policing as part of a globally named service policy applied on a per-interface basis.
After you are in quality of service (QoS) class-map configuration mode, these configuration commands are available:
•
•
•
•
•
Only one match criterion per class map is supported. For example, when defining a class map, only one match command can be issued.
Because only one match command per class map is supported, the match-all and match-any keywords function the same.
Only one access control list (ACL) can be configured in a class map. The ACL can have multiple access control entries (ACEs).
Examples
This example shows how to configure the class map called class1. class1 has one match criterion, which is an access list called 103.
AP(config)# access-list 103 permit any any dscp 10AP(config)# class-map class1AP(config-cmap)# match access-group 103AP(config-cmap)# exitThis example shows how to delete the class map class1:
AP(config)# no class-map class1You can verify your settings by entering the show class-map privileged EXEC command.
Related Commands
clear dot11 aaa authentication mac-authen filter-cache
Use the clear dot11 aaa authentication mac-authen filter-cache privileged EXEC command to clear entries from the MAC authentication cache.
clear dot11 aaa authentication mac-authen filter-cache [address]
Syntax Description
Defaults
This command has no defaults.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear a specific MAC address from the MAC authentication cache:
ap# clear dot11 aaa authentication mac-authen filter-cache 7643.798a.87b2Related Commands
Enable MAC authentication caching on the access point.
Display MAC addresses in the MAC authentication cache.
clear dot11 cckm-statistics
Use the clear dot11 cckm-statistics privileged EXEC command to reset CCKM statistics.
clear dot11 cckm-statistics
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear CCKM statistics:
AP# clear dot11 cckm-statisticsRelated Commands
clear dot11 client
Use the clear dot11 client privileged EXEC command to deauthenticate a radio client with a specified MAC address. The client must be directly associated with the access point, not a repeater.
clear dot11 client {mac-address}
Syntax Description
Defaults
This command has no defaults.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to deauthenticate a specific radio client:
AP# clear dot11 client 0040.9645.2196You can verify that the client was deauthenticated by entering the following privileged EXEC command:
AP# show dot11 associations 0040.9645.2196Related Commands
Displays the radio association table or optionally displays association statistics or association information about repeaters or clients
clear dot11 hold-list
Use the clear dot11 hold-list privileged EXEC command to reset the MAC, LEAP, and EAP authentications hold list.
clear dot11 hold-list
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the hold-off list of MAC authentications:
AP# clear dot11 hold-listclear dot11 statistics
Use the clear dot11 statistics privileged EXEC command to reset statistic information for a specific radio interface or for a particular client with a specified MAC address.
clear dot11 statistics
{interface | mac-address}Syntax Description
interface
Specifies a radio interface number
mac-address
Specifies a client MAC address (in xxxx.xxxx.xxxx format)
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear radio statistics for radio interface 0:
AP# clear dot11 statistics dot11radio 0This example shows how to clear radio statistics for the client radio with a MAC address of 0040.9631.81cf:
AP# clear dot11 statistics 0040.9631.81cfYou can verify that the radio interface statistics are reset by entering the following privileged EXEC command:
AP# show dot11 associations statisticsRelated Commands
Displays client traffic statistics
Displays radio interface information
Displays radio interface statistics
clear eap sessions
Use the clear eap sessions privileged EXEC command to clear the EAP session information on the access point.
clear eap sessions
[credentials profile name]
[interface name [number]]
[method name]
[transport name]Syntax Description
Defaults
Clears all session information on the access point.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear all the EAP session information on the access point:
AP# clear eap sessionsThis command shows how to clear all EAP session information for the fast Ethernet interface:
AP# clear eap sessions interface fastethernet 0This command shows how to clear all EAP session information for the EAP-FAST method:
AP# clear eap sessions method eap-fastRelated Commands
clear iapp rogue-ap-list
Use the clear iapp rogue-ap-list privileged EXEC command to clear the list of IAPP rogue access points.
clear iapp rogue-ap-list
Note
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the IAPP rogue access point list:
AP# clear iapp rogue-ap-listYou can verify that the rogue AP list was deleted by entering the show iapp rogue-ap-list privileged EXEC command.
Related Commands
clear iapp statistics
Use the clear iapp statistics privileged EXEC command to clear all the IAPP statistics.
clear iapp statistics
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the IAPP statistics:
AP# clear iapp statisticsYou can verify that the IAPP statistics were cleared by entering the following privileged EXEC command:
AP# show iapp statisticsRelated Commands
clear ip igmp snooping membership
Use the clear ip igmp snooping membership privileged EXEC command to reset IGMP host membership information on the access point.
clear ip igmp snooping membership
[vlan vlan id ]Syntax Description
Defaults
This command has no defaults.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to reset the IGMP membership information on the access point:
AP# clear ip igmp snooping membershipThis example shows how to reset the IGMP membership information by vlan:
AP# clear ip igmp snooping membership vlan 1Related CommandsT
show ip igmp snooping groups
Displays IGMP snooping group information.
ip igmp snooping vlan
Enables IGMP snooping for a Catalyst VLAN.
clear wlccp wds
Use the clear wlccp wds privileged EXEC command to clear WDS statistics and to remove devices from the WDS database.
clear wlccp wds {[ap [mac-address]] | [mn [mac-address]] | statistics |
aaa authentication mac-authen filter-cache [mac-address]}Syntax Description
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to remove an access point from the WDS database:
AP# clear wlccp wds ap 1572.342d.97f4Related Commands
Displays information on devices participating in Cisco Centralized Key Management (CCKM)
Enables MAC authentication caching on the access point
clear wlccp wds recovery statistics
Use the clear wlccp wds recovery statistics privileged EXEC command to clear WDS recovery statistics.
clear wlccp wds recovery statistics
Syntax Description
This command has no arguments of keywords.
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the WDS recovery statistics:
AP# clear wlccp wds recovery statisticsRelated Commands
Displays information on devices participating in Cisco Centralized Key Management (CCKM)
concatenation
Use the concatenation configuration interface command to enable packet concatenation on the bridge radio. Using concatenation, the bridge combines multiple packets into one packet to reduce packet overhead and overall latency, and to increase transmission efficiency.
concatenation [ bytes ]
Note
Syntax Description
bytes
(Optional) Specifies a maximum size for concatenated packets in bytes. Enter a value from 1600 to 4000.
Defaults
Concatenation is enabled by default, and the default maximum concatenated packet size is 3500.
Command Modes
Configuration interface
Command History
Examples
This example shows how to configure concatenation on the bridge radio:
bridge(config-if)# concatenation 4000countermeasure tkip hold-time
Use the countermeasure tkip hold-time configuration interface command to configure a TKIP MIC failure holdtime. If the access point detects two MIC failures within 60 seconds, it blocks all the TKIP clients on that interface for the holdtime period.
countermeasure tkip hold-time seconds
Syntax Description
seconds
Specifies the length of the TKIP holdtime in seconds (if the holdtime is 0, TKIP MIC failure hold is disabled)
Defaults
TKIP holdtime is enabled by default, and the default holdtime is 60 seconds.
Command Modes
Configuration interface
Command History
Examples
This example shows how to configure the TKIP holdtime on the access point radio:
ap(config-if)# countermeasure tkip hold-time 120cw-max (QOS Class interface configuration mode)
Use the cw-max QOS Class interface configuration mode command to configure the CAC 802.11 maximum contention window size for a radio interface. Use the no form of the command to remove the setting.
[no] cw-max 0-10
Syntax Description
Defaults
When QoS is enabled, the default cw-max settings for access points match the values in Table 2-4, and the default cw-max settings for bridges match the values in Table 2-5.
Table 2-4 Default QoS cw-max Definitions for Access Points
Background
10
Best Effort
10
Video <100ms Latency
5
Voice <100ms Latency
4
Table 2-5 Default QoS cw-max Definitions for Bridges
Background
10
Best Effort
10
Video <100ms Latency
4
Voice <100ms Latency
3
Command Modes
QOS Class interface configuration mode
Command History
Examples
This example shows how to configure the CAC 802.11 maximum contention window size for the radio interface:
AP(config)# interface dot11radio 0AP(config-if)# dot11 qos class voiceAP(config-if-qosclass)# cw-max 2This example shows how to remove the CAC 802.11 maximum contention window for the radio interface:
AP(config-if-qosclass)# no cw-maxRelated Commands
cw-min (QOS Class interface configuration mode)
Use the cw-min QOS Class interface configuration mode command to configure the CAC 802.11 minimum contention window size for a radio interface. Use the no form of the command to remove the setting.
[no] cw-min 0-10
Syntax Description
Defaults
When QoS is enabled, the default cw-min settings for access points match the values in Table 2-6, and the default cw-min settings for bridges match the values in Table 2-7.
Table 2-6 Default QoS cw-min Definitions for Access Points
Background
5
Best Effort
5
Video <100ms Latency
4
Voice <100ms Latency
2
Table 2-7 Default QoS cw-min Definitions for Bridges
Background
4
Best Effort
4
Video <100ms Latency
3
Voice <100ms Latency
2
Command Modes
QOS Class interface configuration mode
Command History
Examples
This example shows how to configure the CAC 802.11 minimum contention window size for the radio interface:
AP(config)# interface dot11radio 0AP(config-if)# dot11 qos class voiceAP(config-if-qosclass)# cw-min 2This example shows how to remove the CAC 802.11 minimum contention window for the radio interface:
AP(config-if-qosclass)# no cw-minRelated Commands
debug dot11
Use the debug dot11 privileged EXEC command to begin debugging of radio functions. Use the no form of this command to stop the debug operation.
[no] debug dot11
{events | packets | forwarding | mgmt | network-map | syslog | virtual-interface}Syntax Description
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to begin debugging of all radio-related events:
AP# debug dot11 eventsThis example shows how to begin debugging of radio packets:
AP# debug dot11 packetsThis example shows how to begin debugging of the radio system log:
AP# debug dot11 syslogThis example shows how to stop debugging of all radio related events:
AP# no debug dot11 eventsRelated Commands
show debugging
Displays all debug settings and the debug packet headers
Displays configuration and status information for the radio interface
debug dot11 aaa
Use the debug dot11 aaa privileged EXEC command to activate debugging of dot11 authentication, authorization, and accounting (AAA) operations. Use the no form of this command to stop the debug operation.
[no] debug dot11 aaa
{accounting | authenticator | dispatcher | manager }Syntax Description
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
12.2(4)JA
This command was introduced.
12.2(15)JA
This command was modified to include the accounting, authenticator, dispatcher, and manager debugging options.
Examples
This example shows how to begin debugging of dot11 AAA accounting packets:
AP# debug dot11 aaa accountingRelated Commands
show debugging
Displays all debug settings
Optionally displays all radio clients
debug dot11 cac
Use the debug dot11 cac privileged EXEC command to begin debugging of admission control radio functions. Use the no form of this command to stop the debug operation.
[no] debug dot11 cac
{events | unit}
Note
Syntax Description
events
Activates debugging of radio admission control events.
unit
Activates verbose debugging of radio admission control events.
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to begin debugging of all admission control radio-related events:
AP# debug dot11 cac eventsThis example shows how to begin verbose debugging of all admission control radio-related events:
AP# debug dot11 cac unitThis example shows how to stop debugging of all admission control radio-related events:
AP# debug dot11 cac eventsThis example shows how to stop verbose debugging of all admission control radio-related events:
AP# no debug dot11 cac unitRelated Commands
debug dot11 dot11radio
Use the debug dot11 dot11radio privileged EXEC command to turn on radio debug options. These options include run RF monitor mode and trace frames received or transmitted on the radio interface. Use the no form of this command to stop the debug operation.
[no] debug dot11 dot11radio interface-number {accept-radio-firmware |
monitor {ack | address | beacon | crc | lines | plcp | print | probe | store} |
print { hex | if | iv | lines | mic | plcp | printf | raw | shortadr } |
radio_debug flag-value | stop-on-failure |
trace {off | print | store}}Syntax Description
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to enable packet printing with MAC addresses in short form:
AP# debug dot11 dot11radio 0 print shortadrThis example shows how to begin monitoring of all packets with CRC errors:
AP# debug dot11 dot11radio 0 monitor crcThis example shows how to stop monitoring of packets with CRC errors:
AP# no debug dot11 dot11radio 0 monitor crcRelated Commands
show debugging
Displays all debug settings and the debug packet headers
Displays configuration and status information for the radio interface
Displays radio interface statistics
debug dot11 ids
Use the debug dot11 ids eap privileged EXEC command to enable debugging for wireless IDS monitoring. Use the no form of the command to disable IDS debugging.
[no] debug dot11 ids {eap | cipher-errors}
Note
Syntax Description
eap
Activates debugging of IDS authentication events
cipher-errors
Activates debugging of cipher errors detected by IDS
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to activate wireless IDS debugging for authentication events:
AP# debug dot11 ids eapRelated Commands
debug dot11 ids mfp
Use the debug dot11 ids mfp privileged EXEC command to debug Management Frame Protection (MFP) operations on the access point.
[no] debug dot11 ids mfp
ap {all |detector | events |generator | io}
wds {all | detectors | events | generators | statistics}|
wlccpSyntax Description
Defaults
There are no defaults for this command.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to debug the MFP detectors on the access point:
ap(config)# debug dot11 ids mfp ap detectorsRelated Commands
Configures MFP parameters on the access point.
Displays MFP parameters on the access point.
debug eap
To display information about Extensible Authentication Protocol (EAP), use the debug eap command in privileged EXEC mode. To disable debugging output, use the no form of this command.
[no] debug eap {all | authenticator | errors | events | fast | gtc | leap | md5 | mschapv2 |
packets | peer | sm | tls}Syntax Description
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to activate debugging for EAP-FAST authentication events:
AP# debug eap fast allThis example shows how to deactivate EAP-FAST authentication debugging:
AP# no debug eap fast allRelated Commands
debug iapp
Use the debug iapp privileged EXEC command to begin debugging of IAPP operations. Use the no form of this command to stop the debug operation.
[no] debug iapp
{packets | event | error}Syntax Description
packets
Displays IAPP packets sent and received by the access point. Link test packets are not displayed
event
Displays significant IAPP events
error
Displays IAPP software and protocol errors
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to begin debugging of IAPP packets:
AP# debug iapp packetThis example shows how to begin debugging of IAPP events:
AP# debug iapp eventsThis example shows how to begin debugging of IAPP errors:
AP# debug iapp errorsRelated Commands
debug radius local-server
Use the debug radius local-server privileged EXEC mode command to control the display of debug messages for the local authenticator.
debug radius local-server {client | eapfast | error | packets }
Syntax Description
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to begin debugging for local authenticator errors:
AP# debug radius local-server errorRelated Commands
Enables the access point as a local authenticator
show debugging
Displays all debug settings and the debug packet headers
debug wlccp ap
Use the debug wlccp ap privileged EXEC command to enable debugging for devices that interact with the access point that provides wireless domain services (WDS).
debug wlccp ap {mn | rm [statistics | context | packet] | state | wds-discovery}
Note
Syntax Description
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to begin debugging for LEAP-enabled client devices participating in Cisco Centralized Key Management (CCKM):
AP# debug wlccp ap mnRelated Commands
show debugging
Displays all debug settings and the debug packet headers
Displays WLCCP information
debug wlccp ap rm enhanced-neighbor-list
Use the debug wlccp ap rm enhanced-neighbor-list privileged EXEC command to enable internal debugging information and error messages of the Enhanced Neighbor List feature. Use the no form of the command to disable the debugging and error messages.
[no] debug wlccp ap rm enhanced-neighbor-list
Note
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to activate debugging and error messages of the Enhanced Neighbor List feature on the access point:
AP# debug wlccp ap rm enhanced-neighbor-listRelated Commands
debug wlccp packet
Use the debug wlccp packet privileged EXEC command to activate display of packets to and from the access point that provides wireless domain services (WDS).
debug wlccp packet
Note
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to activate display of packets to and from the WDS access point:
AP# debug wlccp packetRelated Commands
show debugging
Displays all debug settings and the debug packet headers
Displays WLCCP information
debug wlccp rmlib
Use the debug wlccp rmlib privileged EXEC command to activate display of radio management library functions on the access point that provides wireless domain services (WDS).
debug wlccp rmlib
Note
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to activate display of radio management library functions on the access point that provides WDS:
AP# debug wlccp rmlibRelated Commands
show debugging
Displays all debug settings and the debug packet headers
Displays WLCCP information
debug wlccp wds
Use the debug wlccp wds privileged EXEC command to activate display of wireless domain services (WDS) debug messages.
debug wlccp wds
aggregator [packet]
authenticator {all | dispatcher | mac-authen | process | rxdata | state-machine | txdata}
nm [packet | loopback]
state
statistics
Note
Syntax Description
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
12.2(11)JA
This command was first introduced.
12.2(13)JA
This command was modified to include the aggregator and nm options.
Examples
This example shows how to begin debugging for LEAP-enabled client devices participating in Cisco Centralized Key Management (CCKM):
AP# debug wlccp ap mnRelated Commands
show debugging
Displays all debug settings and the debug packet headers
Displays WLCCP information
description (dot1x credentials configuration mode)
Use the description dot1x credentials configuration mode command to specify a text description for the dot1x credential. Use the no form of the command to disable anonymous-id.
[no] description name
Syntax Description
Defaults
This command has no defaults.
Command Modes
Dot1x credentials configuration interface
Command History
Examples
This example shows how to specify text description for the dot1x credential:
AP(config-dot1x-creden)# description This is a test credentialRelated Commands
dot1x credentials
Configures the dot1x credentials on the access point.
show dot1x credentials
Displays the configured dot1x credentials on the access point.
dfs band
Use the dfs band configuration interface command to prevent the access point from automatically selecting specific groups of 5-GHz channels during dynamic frequency selection (DFS). Use the no form of the command to unblock groups of channels.
[no] dfs band [1] [2] [3] [4] block
Note
Syntax Description
Defaults
By default, no channels are blocked from DFS auto-selection.
Command Modes
Configuration interface
Command History
Examples
This example shows how to prevent the access point from selecting frequencies 5.150 to 5.350 GHz during DFS:
ap(config-if)# dfs band 1 2 blockThis example shows how to unblock frequencies 5.150 to 5.350 for DFS:
ap(config-if)# no dfs band 1 2 blockThis example shows how to unblock all frequencies for DFS:
ap(config-if)# no dfs band blockUsage Guidelines
Some regulatory domains limit the 5-GHz channels that can be used in specific locations; for example, indoors or outdoors. Use the dfs band command to comply with the regulations in your regulatory domain.
Related Commands
distance
Use the distance configuration interface command to specify the distance from a root bridge to the non-root bridge or bridges with which it communicates. The distance setting adjusts the bridge's timeout values to account for the time required for radio signals to travel from bridge to bridge. You do not need to adjust this setting on non-root bridges.
distance kilometers
Note
Note
Syntax Description
Defaults
In installation mode, the default distance setting is 99 km. In all other modes, such as root and non-root, the default distance setting is 0 km.
Command Modes
Configuration interface
Command History
Examples
This example shows how to configure the distance setting for the root bridge radio:
bridge(config-if)# distance 40dot11 aaa authentication attributes service-type login-only
Use the dot11 aaa authentication attributes service-type login-only global configuration command to set the service-type attribute in reauthentication requests to login-only. By default, the access point sends reauthentication requests to the server with the service-type attribute set to authenticate-only. However, some Microsoft IAS servers do not support the authenticate-only service-type attribute. Changing the service-type attribute to login-only ensures that Microsoft IAS servers recognize reauthentication requests from the access point.
dot11 aaa authentication attributes service-type login-only
Syntax Description
This command has no arguments or keywords.
Defaults
The default service-type attribute in reauthentication requests is set to authenticate-only. This command sets the service-type attribute in reauthentication requests to login-only.
Command Modes
Global configuration
Command History
Related Commands
Selects the format for MAC addresses in Called-Station-ID (CSID) and Calling-Station-ID attributes
dot11 aaa authentication mac-authen filter-cache
Use the dot11 aaa authentication mac-authen filter-cache global configuration command to enable MAC authentication caching on the access point. MAC authentication caching reduces overhead because the access point authenticates devices in its MAC-address cache without sending the request to your authentication server. When a client device completes MAC authentication to your authentication server, the access point adds the client's MAC address to the cache.
dot11 aaa authentication mac-authen filter-cache [timeout seconds]
Syntax Description
Defaults
MAC authentication caching is disabled by default. When you enable it, the default timeout value is 1800 (30 minutes).
Command Modes
Global configuration
Command History
Examples
This example shows how to configure MAC authentication caching with a one-hour timeout:
ap(config)# dot11 aaa authentication mac-authen filter-cache timeout 3600Related Commands
Clear MAC addresses from the MAC authentication cache.
Display MAC addresses in the MAC authentication cache.
dot11 aaa csid
Use the dot11 aaa csid global configuration command to select the format for MAC addresses in Called-Station-ID (CSID) and Calling-Station-ID attributes in RADIUS packets.
dot11 aaa csid { default | ietf | unformatted }
Syntax Description
Defaults
The default CSID format looks like this example:
0007.85b3.5f4aCommand Modes
Global configuration
Command History
Usage Guidelines
You can also use the wlccp wds aaa csid command to select the CSID format.
Related Commands
Begin debugging of dot11 authentication, authorization, and accounting (AAA) operations
dot11 association mac-list
To specify a MAC address access list used for dot11 association use the dot11 association mac-list command.
dot11 association mac-list number
Syntax Description
Defaults
No MAC address access list is assigned.
Examples
This example shows the creation of a MAC address access list used to filter one client with a MAC address of 0000.1234.5678.AP(config)# access-list 700 deny 0000.1234.5678 0000.0000.0000 AP(config)# dot11 association mac-list 700Related Commands
dot11 activity-timeout
Use the dot11 activity-timeout global configuration command to configure the number of seconds that the access point tracks an inactive device (the number depends on its device class). The access point applies the unknown device class to all non-Cisco Aironet devices.
dot11 activity-timeout { [ client-station | repeater | bridge | workgroup-bridge | unknown ] [ default <1 - 100000> ] [ maximum <1 - 100000> ] }
Syntax Description
Defaults
Table 2-8 lists the default activity timeouts for each device class. All values are in seconds.
Table 2-8 Default Activity Timeouts
unknown
60
client-station
1800
repeater
28800
bridge
28800
workgroup-bridge
28800
Command Modes
Global configuration
Command History
Examples
This example shows how to configure default and maximum activity timeouts for all device classes:
AP(config)# dot11 activity-timeout default 5000 maximum 24000Usage Guidelines
To set an activity timeout for all device types, set a default or maximum timeout without specifying a device class (for example, enter dot11 activity-timeout default 5000). The access point applies the timeout to all device types that are not already configured with a timeout.
Related Commands
dot11 adjacent-ap age-timeout
Use the dot11 adjacent-ap age-timeout global configuration command to specify the number of hours an inactive entry remains in the list of adjacent access points.
dot11 adjacent-ap age-timeout hours
Note
Syntax Description
Defaults
The default age-timeout is 24 hours.
Command Modes
Global configuration
Command History
Examples
This example shows how to configure the timeout setting for inactive entries in the adjacent access point list:
AP# dot11 adjacent-ap age-timeout 12Related Commands
dot11 arp-cache
Use the dot11 arp-cache global configuration command to enable client ARP caching on the access point. ARP caching on the access point reduces the traffic on your wireless LAN and increases client battery life by stopping ARP requests for client devices at the access point. Instead of forwarding ARP requests to client devices, the access point responds to requests on behalf of associated client devices and drops ARP requests that are not directed to clients associated to the access point. When ARP caching is optional, the access point responds on behalf of clients with IP addresses known to the access point but forwards through its radio port any ARP requests addressed to unknown clients. When the access point knows all the IP addresses for associated clients, it drops any ARP requests not directed to its clients. In its beacon, the access point includes an information element to alert client devices that they can safely ignore broadcast messages to increase battery life.
[no] dot11 arp-cache [optional]
Syntax Description
Defaults
ARP caching is disabled by default.
Command Modes
Global configuration
Command History
Examples
This example shows how to enable ARP caching:
AP(config)# dot11 arp-cachedot11 carrier busy
Use the dot11 carrier busy privileged exec command to display levels of radio activity on each channel.
dot11 interface-number carrier busy
Syntax Description
interface-number
Specifies the radio interface number (The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.)
Defaults
This command has no defaults.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
During the carrier busy test, the acce
