Cisco IOS Software Configuration Guide for Cisco Aironet 1300 Series Outdoor Access Point/Bridge 12.3(7)JA
Administering the Access Point/Bridge

Table Of Contents

Administering the Access Point/Bridge

Preventing Unauthorized Access to Your Access Point/Bridge

Protecting Access to Privileged EXEC Commands

Default Password and Privilege Level Configuration

Setting or Changing a Static Enable Password

Protecting Enable and Enable Secret Passwords with Encryption

Configuring Username and Password Pairs

Configuring Multiple Privilege Levels

Setting the Privilege Level for a Command

Logging Into and Exiting a Privilege Level

Controlling Access Point/Bridge Access with RADIUS

Default RADIUS Configuration

Configuring RADIUS Login Authentication

Defining AAA Server Groups

Configuring RADIUS Authorization for User Privileged Access and Network Services

Displaying the RADIUS Configuration

Controlling Access Point/Bridge Access with TACACS+

Default TACACS+ Configuration

Configuring TACACS+ Login Authentication

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

Displaying the TACACS+ Configuration

Configuring Ethernet Speed and Duplex Settings

Configuring the Access Point/Bridge for Local Authentication and Authorization

Configuring the Authentication Cache and Profile

Configuring the Access Point/Bridge to Provide DHCP Service

Setting up the DHCP Server

Monitoring and Maintaining the DHCP Server Access Point

Show Commands

Clear Commands

Debug Command

Configuring the Access Point for Secure Shell

Understanding SSH

Configuring SSH

Configuring Client ARP Caching

Understanding Client ARP Caching

Optional ARP Caching

Configuring ARP Caching

Managing the System Time and Date

Understanding the System Clock

Understanding Network Time Protocol

Configuring NTP

Default NTP Configuration

Configuring NTP Authentication

Configuring NTP Associations

Configuring NTP Broadcast Service

Configuring NTP Access Restrictions

Configuring the Source IP Address for NTP Packets

Displaying the NTP Configuration

Configuring Time and Date Manually

Setting the System Clock

Displaying the Time and Date Configuration

Configuring the Time Zone

Configuring Summer Time (Daylight Saving Time)

Configuring a System Name and Prompt

Default System Name and Prompt Configuration

Configuring a System Name

Understanding DNS

Default DNS Configuration

Setting Up DNS

Displaying the DNS Configuration

Creating a Banner

Default Banner Configuration

Configuring a Message-of-the-Day Login Banner

Configuring a Login Banner


Administering the Access Point/Bridge


This chapter describes how to administer your access point/bridge. This chapter contains these sections:

Preventing Unauthorized Access to Your Access Point/Bridge

Protecting Access to Privileged EXEC Commands

Controlling Access Point/Bridge Access with RADIUS

Controlling Access Point/Bridge Access with TACACS+

Configuring Ethernet Speed and Duplex Settings

Configuring the Access Point/Bridge for Local Authentication and Authorization

Configuring the Authentication Cache and Profile

Configuring Client ARP Caching

Managing the System Time and Date

Configuring a System Name and Prompt

Creating a Banner

Preventing Unauthorized Access to Your Access Point/Bridge

You can prevent unauthorized users from reconfiguring your access point/bridge and viewing configuration information. Typically, you want network administrators to have access to the access point/bridge while you restrict access to users who connect through a terminal or workstation from within the local network.

To prevent unauthorized access to your access point/bridge, you should configure one of these security features:

Username and password pairs, which are locally stored on the access point/bridge. These pairs authenticate each user before that user can access the access point/bridge. You can also assign a specific privilege level (read only or read/write) to each username and password pair. For more information, see the "Configuring Username and Password Pairs" section.


Note The default username is Cisco, and the default password is Cisco.
Usernames and passwords are case-sensitive.


Username and password pairs stored centrally in a database on a security server. For more information, see the "Controlling Access Point/Bridge Access with RADIUS" section.

Protecting Access to Privileged EXEC Commands

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can issue after they have logged into a network device.


Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.


This section describes how to control access to the configuration file and privileged EXEC commands. It contains this configuration information:

Default Password and Privilege Level Configuration

Setting or Changing a Static Enable Password

Protecting Enable and Enable Secret Passwords with Encryption

Configuring Username and Password Pairs

Configuring Multiple Privilege Levels

Default Password and Privilege Level Configuration

Table 5-1 shows the default password and privilege level configuration.

Table 5-1 Default Password and Privilege Levels

| Feature | Default Setting |
|---|---|
| Username and password | Default username is Cisco and the default password is Cisco. |
| Enable password and privilege level | Default password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted in the configuration file. |
| Enable secret password and privilege level | The default enable password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file. |
| Line password | Default password is Cisco. The password is encrypted in the configuration file. |


Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode.


Note The no enable password global configuration command removes the enable password, but you should use extreme care when using this command. If you remove the enable password, you are locked out of the EXEC mode.


Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

enable password password

Define a new password or change an existing password for access to privileged EXEC mode.

The default password is Cisco.

For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password; for example, to create the password abc?123, do this:

1. Enter abc.

2. Enter Ctrl-V.

3. Enter ?123.

When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-V; you can simply enter abc?123 at the password prompt.

Step 3 

end

Return to privileged EXEC mode.

Step 4 

show running-config

Verify your entries.

Step 5 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

The enable password is not encrypted and can be read in the access point/bridge configuration file.

This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):

bridge(config)# enable password l1u2c3k4y5

Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.

We recommend that you use the enable secret command because it uses an improved encryption algorithm.

If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

enable password [level level] {password | encryption-type encrypted-password}

or

enable secret [level level] {password | encryption-type encrypted-password}

Define a new password or change an existing password for access to privileged EXEC mode.

or

Define a secret password, which is saved using a nonreversible encryption method.

(Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).

For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.

(Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy from another access point/bridge configuration.

Note If you specify an encryption type and then enter a clear text password, you cannot re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.

Step 3 

service password-encryption

(Optional) Encrypt the password when the password is defined or when the configuration is written.

Encryption prevents the password from being readable in the configuration file.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

If both the enable and enable secret passwords are defined, users must enter the enable secret password.

Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels. For more information, see the "Configuring Multiple Privilege Levels" section.

If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.

To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.

This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:

ap(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Configuring Username and Password Pairs

You can configure username and password pairs, which are locally stored on the access point/bridge. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the access point/bridge. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.

Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

username name [privilege level] {password encryption-type password}

Enter the username, privilege level, and password for each user.

For name, specify the user ID as one word. Spaces and quotation marks are not allowed.

(Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.

For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow.

For password, specify the password the user must enter to gain access to the access point/bridge. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

Step 3 

login local

Enable local password checking at login time. Authentication is based on the username specified in Step 2.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show running-config

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable username authentication for a specific user, use the no username name global configuration command.

To disable password checking and allow connections without a password, use the no login line configuration command.


Note You must have at least one username configured and you must have login local set to open a Telnet session to the access point/bridge. If you enter no username for the only username, you can be locked out of the access point/bridge.
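
The password-storage rules from the enable password, enable secret, and username sections above can be checked offline against a saved configuration. The following Python audit is an added example, not part of the Cisco guide or Cisco software; the sample configuration is constructed, and the names netops, ExamplePass1, ExamplePass2, and TYPE7-PLACEHOLDER are made up for illustration.

```python
import re

# enable {password | secret} [level N] [encryption-type] value
ENABLE_RE = re.compile(
    r"^enable (password|secret)(?: level (\d+))?(?: ([057]))? (\S.*)$")
# username name [privilege N] password [encryption-type] value
USER_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? password(?: ([07]))? (\S.*)$")

# Constructed sample configuration. The enable values are the ones used in this
# guide's examples; ExamplePass1, ExamplePass2, netops and TYPE7-PLACEHOLDER
# are made up for illustration.
SAMPLE_CONFIG = """\
hostname ap
enable password l1u2c3k4y5
enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
enable password level 2 ExamplePass2
enable password level 14 SecretPswd14
username Cisco password 7 TYPE7-PLACEHOLDER
username netops privilege 15 password 0 ExamplePass1
line vty 0 4
 login local
"""


def classify(kind, enc_type):
    """Say how a credential is stored in the configuration file."""
    if kind == "secret" or enc_type == "5":
        return "hashed"      # nonreversible, per the guide
    if enc_type == "7":
        return "type7"       # hidden from casual view, but reversible
    return "cleartext"       # type 0 or no type: readable as written


def audit(config):
    """Return sorted (line_number, issue) pairs. Line 0 marks a finding about
    the configuration as a whole. Password values are never echoed."""
    findings = []
    kinds_at_level = {}      # privilege level -> {"password", "secret"}
    password_line = {}       # privilege level -> line of its enable password
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        m = ENABLE_RE.match(line)
        if m:
            kind, level, enc_type, _value = m.groups()
            level = int(level) if level else 15   # default level is 15
            kinds_at_level.setdefault(level, set()).add(kind)
            if kind == "password":
                password_line[level] = number
            stored = classify(kind, enc_type)
            if stored != "hashed":
                findings.append((number, "enable-" + stored))
            continue
        m = USER_RE.match(line)
        if m:
            name, _privilege, enc_type, _value = m.groups()
            findings.append((number, "username-" + classify("password", enc_type)))
            if name == "Cisco":
                findings.append((number, "default-username"))
    for level, kinds in kinds_at_level.items():
        # enable secret takes precedence, so the enable password at the same
        # level is unused yet still exposed in the file.
        if kinds == {"password", "secret"}:
            findings.append((password_line[level], "shadowed-by-enable-secret"))
    if "secret" not in kinds_at_level.get(15, set()):
        findings.append((0, "no-level-15-enable-secret"))
    return sorted(findings)


if __name__ == "__main__":
    for number, issue in audit(SAMPLE_CONFIG):
        print(f"line {number}: {issue}")
```

The audit reports line numbers and issue names only, so its output can be shared without exposing the credentials it flags.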


Configuring Multiple Privilege Levels

By default, Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.

This section includes this configuration information:

Setting the Privilege Level for a Command

Logging Into and Exiting a Privilege Level

Setting the Privilege Level for a Command

Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

privilege mode level level command

Set the privilege level for a command.

For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode.

For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.

For command, specify the command to which you want to restrict access.

Step 3 

enable password level level password

Specify the enable password for the privilege level.

For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.

For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show running-config

or

show privilege

Verify your entries.

The first command displays the password and access level configuration. The second command displays the privilege level configuration.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.

To return to the default privilege for a given command, use the no privilege mode level level command global configuration command.

This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:

ap(config)# privilege exec level 14 configure
ap(config)# enable password level 14 SecretPswd14

Logging Into and Exiting a Privilege Level

Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:

 
Command
Purpose

Step 1 

enable level

Log in to a specified privilege level.

For level, the range is 0 to 15.

Step 2 

disable level

Exit to a specified privilege level.

For level, the range is 0 to 15.

Controlling Access Point/Bridge Access with RADIUS

This section describes how to control administrator access to the access point/bridge using Remote Authentication Dial-In User Service (RADIUS). For complete instructions on configuring the access point/bridge to support RADIUS, see "Configuring RADIUS and TACACS+ Servers."

RADIUS provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.


Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.


These sections describe RADIUS configuration:

Default RADIUS Configuration

Configuring RADIUS Login Authentication (required)

Defining AAA Server Groups (optional)

Configuring RADIUS Authorization for User Privileged Access and Network Services (optional)

Displaying the RADIUS Configuration

Default RADIUS Configuration

RADIUS and AAA are disabled by default.

To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the access point/bridge through the CLI.

Configuring RADIUS Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.

A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.

Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

aaa new-model

Enable AAA.

Step 3 

aaa authentication login {default | list-name} method1 [method2...]

Create a login authentication method list.

To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.

For list-name, specify a character string to name the list you are creating.

For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Select one of these methods:

local—Use the local username database for authentication. You must enter username information in the database. Use the username password global configuration command.

radius—Use RADIUS authentication. You must configure the RADIUS server before you can use this authentication method. For more information, see the "Identifying the RADIUS Server Host" section.

Step 4 

line [console | tty | vty] line-number [ending-line-number]

Enter line configuration mode, and configure the lines to which you want to apply the authentication list.

Step 5 

login authentication {default | list-name}

Apply the authentication list to a line or set of lines.

If you specify default, use the default list created with the aaa authentication login command.

For list-name, specify the list created with the aaa authentication login command.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

show running-config

Verify your entries.

Step 8 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Defining AAA Server Groups

You can configure the access point/bridge to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.

Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same RADIUS server for the same service (such as accounting), the second configured host entry acts as a fail-over backup to the first one.

You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.

Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

aaa new-model

Enable AAA.

Step 3 

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]

Specify the IP address or host name of the remote RADIUS server host.

(Optional) For auth-port port-number, specify the UDP destination port for authentication requests.

(Optional) For acct-port port-number, specify the UDP destination port for accounting requests.

(Optional) For timeout seconds, specify the time interval that the access point/bridge waits for the RADIUS server to reply before retransmitting. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.

(Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.

(Optional) For key string, specify the authentication and encryption key used between the access point/bridge and the RADIUS daemon running on the RADIUS server.

Note The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

To configure the access point/bridge to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The access point/bridge software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.

Step 4 

aaa group server radius group-name

Define the AAA server-group with a group name.

This command puts the access point/bridge in a server group configuration mode.

Step 5 

server ip-address

Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group.

Each server in the group must be previously defined in Step 2.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

show running-config

Verify your entries.

Step 8 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Step 9 

 

Enable RADIUS login authentication. See the "Configuring RADIUS Login Authentication" section.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.

In this example, the access point/bridge is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.

ap(config)# aaa new-model
ap(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
ap(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
ap(config)# aaa group server radius group1
ap(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
ap(config-sg-radius)# exit
ap(config)# aaa group server radius group2
ap(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
ap(config-sg-radius)# exit
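
The rule that each server in a group must already be defined, with the IP address and UDP ports together forming the entry's identifier, can be checked mechanically. The following Python check is an added example, not part of the Cisco guide; it runs over the example commands above with the prompts removed, and it assumes the IOS default ports 1645 and 1646 when a port keyword is omitted. For those commands it reports that group2 references 172.20.0.1 on ports 2000/2001, which no radius-server host line defines, and that each group holds a single entry.

```python
# IOS uses these UDP ports when auth-port / acct-port are omitted (assumption
# stated in the lead-in; the guide itself does not list them here).
DEFAULT_AUTH_PORT, DEFAULT_ACCT_PORT = 1645, 1646

# The example commands from this section, with the CLI prompts removed.
PAGE_EXAMPLE = """\
aaa new-model
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
aaa group server radius group1
 server 172.20.0.1 auth-port 1000 acct-port 1001
 exit
aaa group server radius group2
 server 172.20.0.1 auth-port 2000 acct-port 2001
 exit
"""


def host_entry(tokens):
    """Build the (address, auth-port, acct-port) identifier of a host entry."""
    auth, acct = DEFAULT_AUTH_PORT, DEFAULT_ACCT_PORT
    for keyword, value in zip(tokens[1:], tokens[2:]):
        if keyword == "key":          # the key is last and may contain anything
            break
        if keyword == "auth-port":
            auth = int(value)
        elif keyword == "acct-port":
            acct = int(value)
    return tokens[0], auth, acct


def check_server_groups(config):
    """Return (groups, problems) for the RADIUS commands in `config`."""
    hosts, groups, problems = [], {}, []
    current = None                    # server group being configured, if any
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:2] == ["radius-server", "host"] and len(tokens) > 2:
            hosts.append(host_entry(tokens[2:]))
            current = None
        elif tokens[:4] == ["aaa", "group", "server", "radius"] and len(tokens) == 5:
            current = tokens[4]
            groups.setdefault(current, [])
        elif tokens[:1] == ["server"] and current is not None and len(tokens) > 1:
            entry = host_entry(tokens[1:])
            groups[current].append(entry)
            if entry not in hosts:    # must be defined before it is grouped
                problems.append(("undefined-server", current, entry))
        elif tokens:
            current = None            # exit, or any other command
    for name, entries in groups.items():
        if len(entries) < 2:          # nothing to fail over to
            problems.append(("no-failover-entry", name, None))
    return groups, problems


if __name__ == "__main__":
    for problem in check_server_groups(PAGE_EXAMPLE)[1]:
        print(problem)
```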

Configuring RADIUS Authorization for User Privileged Access and Network Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the access point/bridge uses information retrieved from the user's profile, which is in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it.

You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user's network access to privileged EXEC mode.

The aaa authorization exec radius local command sets these authorization parameters:

Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS.

Use the local database if authentication was not performed by using RADIUS.


Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.


Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

aaa authorization network radius

Configure the access point/bridge for user RADIUS authorization for all network-related service requests.

Step 3 

aaa authorization exec radius

Configure the access point/bridge for user RADIUS authorization to determine if the user has privileged EXEC access.

The exec keyword might return user profile information (such as autocommand information).

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show running-config

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.

Displaying the RADIUS Configuration

To display the RADIUS configuration, use the show running-config privileged EXEC command.

Controlling Access Point/Bridge Access with TACACS+

This section describes how to control administrator access to the access point/bridge using Terminal Access Controller Access Control System Plus (TACACS+). For complete instructions on configuring the access point/bridge to support TACACS+, see "Configuring RADIUS and TACACS+ Servers."

TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.


Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.


These sections describe TACACS+ configuration:

Default TACACS+ Configuration

Configuring TACACS+ Login Authentication

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

Displaying the TACACS+ Configuration

Default TACACS+ Configuration

TACACS+ and AAA are disabled by default.

To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate administrators accessing the access point/bridge through the CLI.

Configuring TACACS+ Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.

A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.

Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

aaa new-model

Enable AAA.

Step 3 

aaa authentication login {default | list-name} method1 [method2...]

Create a login authentication method list.

To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.

For list-name, specify a character string to name the list you are creating.

For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Select one of these methods:

local—Use the local username database for authentication. You must enter username information into the database. Use the username password global configuration command.

tacacs+—Use TACACS+ authentication. You must configure the TACACS+ server before you can use this authentication method.

Step 4 

line [console | tty | vty] line-number [ending-line-number]

Enter line configuration mode, and configure the lines to which you want to apply the authentication list.

Step 5 

login authentication {default | list-name}

Apply the authentication list to a line or set of lines.

If you specify default, use the default list created with the aaa authentication login command.

For list-name, specify the list created with the aaa authentication login command.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

show running-config

Verify your entries.

Step 8 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
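To check which method list each line ends up with after the procedure above, the following added example (Python, not part of the Cisco guide) parses a running-config and resolves the default-versus-named list rule. The sample config and the list names ADMINS and ADMIN are constructed; tac_admin is the server group name used in this guide's authentication cache sample.

```python
import re

# Constructed sample running-config (not from the guide): a named list on
# vty 0-4, the console left on the default list, and a mistyped list on vty 5-15.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login ADMINS group tac_admin local
!
line con 0
line vty 0 4
 login authentication ADMINS
line vty 5 15
 login authentication ADMIN
!
end
"""

def effective_login_lists(config):
    """Map each line range to (list name, methods); methods is None if the list is undefined."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", cmd)
        if m:
            lists[m.group(1)] = m.group(2).split()
            current = None
        elif re.match(r"line (con|console|aux|tty|vty) \d+", cmd):
            current = cmd[len("line "):]
            lines[current] = "default"       # default list applies unless overridden
        elif current and cmd.startswith("login authentication "):
            lines[current] = cmd.split()[2]  # named list overrides the default
        elif cmd in ("!", "end"):
            current = None
    return {ln: (name, lists.get(name)) for ln, name in lines.items()}

def undefined_references(config):
    """Line ranges whose applied list has no matching aaa authentication login command."""
    return sorted(ln for ln, (_, methods) in effective_login_lists(config).items()
                  if methods is None)
```

Run it over the output of show running-config in Step 7; any line range returned by undefined_references should be reviewed before the configuration is saved.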

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the access point/bridge uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it.

You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters that restrict a user's network access to privileged EXEC mode.

The aaa authorization exec tacacs+ local command sets these authorization parameters:

Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.

Use the local database if authentication was not performed by using TACACS+.


Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.


Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

aaa authorization network tacacs+

Configure the access point/bridge for user TACACS+ authorization for all network-related service requests.

Step 3 

aaa authorization exec tacacs+

Configure the access point/bridge for user TACACS+ authorization to determine if the user has privileged EXEC access.

The exec keyword might return user profile information (such as autocommand information).

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show running-config

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.

Displaying the TACACS+ Configuration

To display TACACS+ server statistics, use the show tacacs privileged EXEC command.

Configuring Ethernet Speed and Duplex Settings

The access point/bridge power injector contains an embedded 10/100baseT switch, which is not configurable. The ports on the switch are set for auto-speed, auto-duplex, and auto-MDIX. Port 0 on the switch is used for the coaxial link to the bridge; port 1 on the switch is used for the RJ-45 jack on the power injector. The other switch ports are unused.

The speed and duplex settings on the bridge FastEthernet0 interface only apply to the link between the bridge port and port 0 in the power injector switch. They are entirely independent of the speed/duplex used on the RJ-45 port on the power injector. Therefore, for best performance, the bridge FastEthernet must always be set to auto speed and auto duplex. This setting results in 100 Mbps, full duplex used on the link between the bridge and power injector.

The Fast Ethernet Settings page contains the following caution:


Caution Do not modify the 'Requested Duplex' or 'Requested Speed' while using inline power. Changing these settings while using inline power may cause the device to reboot. See documentation for details.

The following guidelines for setting Ethernet speed and duplex should always be observed:

The internal FastEthernet0 interface should always be set for speed auto and duplex auto regardless of the settings of the device to which the external LAN port on the power injector is connected (the connecting port).

The connecting port should always be set for one of the following:

100 Mbps, auto duplex (recommended)

100 Mbps, half duplex

10 Mbps, auto duplex

10 Mbps, half duplex


Note Setting the port to 10 Mbps will most likely degrade throughput.


The connecting port should never be set to full duplex.

Failure to follow these guidelines will result in lost data due to late collisions, CRC errors, etc.

Configuring the Access Point/Bridge for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the access point/bridge to implement AAA in local mode. The access point/bridge then handles authentication and authorization. No accounting is available in this configuration.

Beginning in privileged EXEC mode, follow these steps to configure the access point/bridge for local AAA:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

aaa new-model

Enable AAA.

Step 3 

aaa authentication login default local

Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all interfaces.

Step 4 

aaa authorization exec local

Configure user AAA authorization to determine if the user is allowed to run an EXEC shell by checking the local database.

Step 5 

aaa authorization network local

Configure user AAA authorization for all network-related service requests.

Step 6 

username name [privilege level] {password encryption-type password}

Enter the local database, and establish a username-based authentication system.

Repeat this command for each user.

For name, specify the user ID as one word. Spaces and quotation marks are not allowed.

(Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 0 gives user EXEC mode access.

For encryption-type, enter 0 to specify that an unencrypted password follows. Enter 7 to specify that a hidden password follows.

For password, specify the password the user must enter to gain access to the access point/bridge. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

Step 7 

end

Return to privileged EXEC mode.

Step 8 

show running-config

Verify your entries.

Step 9 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.

Configuring the Authentication Cache and Profile

The authentication cache and profile feature allows the access point/bridge to cache the authentication/authorization responses for a user so that subsequent authentication/authorization requests do not need to be sent to the AAA server.


Note On the access point/bridge, this feature is only supported for Admin authentication.


The following commands that support this feature are included in Release 12.3(7):

cache expiry
cache authorization profile
cache authentication profile
aaa cache profile


Note See the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges, 12.3(7)JA for information about these commands.


The following is an example configuration from an access point configured for Admin authentication using TACACS+ with the auth cache enabled. While this example is based on a TACACS server, the access point could be configured for Admin authentication using RADIUS:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
username Cisco password 7 123A0C041104
username admin privilege 15 password 7 01030717481C091D25
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.134.229 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
 server 192.168.134.229 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
 server 192.168.134.229 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
 server 192.168.134.229 auth-port 1645 acct-port 1646
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
 server 192.168.133.231
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local cache tac_admin group tac_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local cache tac_admin group tac_admin
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
!
aaa session-id common
!
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.133.207 255.255.255.0
 no ip route-cache
!
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
tacacs-server host 192.168.133.231 key 7 105E080A16001D1908
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.134.229 auth-port 1645 acct-port 1646 key 7 111918160405041E00
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 transport preferred all
 transport input all
 transport output all
!
end

Configuring the Access Point/Bridge to Provide DHCP Service

These sections describe how to configure the access point/bridge to act as a DHCP server:

Setting up the DHCP Server

Monitoring and Maintaining the DHCP Server Access Point

Setting up the DHCP Server

By default, access points are configured to receive IP settings from a DHCP server on your network. You can also configure an access point to act as a DHCP server to assign IP settings to devices on both your wired and wireless LANs.

When configured as an access point, the access point/bridge becomes a mini-DHCP server by default when it is configured with factory default settings and it cannot receive IP settings from a DHCP server. As a mini-DHCP server, the access point/bridge provides up to 20 IP addresses between 10.0.0.11 and 10.0.0.30 to a PC connected to its Ethernet port and to wireless client devices configured to use either no SSID or tsunami as the SSID, and with all security settings disabled. The mini-DHCP server feature is disabled automatically when you assign a static IP address to the access point/bridge.


Note When you configure the access point/bridge as a DHCP server, it assigns IP addresses to devices on its subnet. The devices communicate with other devices on the subnet but not beyond it. If data needs to be passed beyond the subnet, you must assign a default router. The IP address of the default router should be on the same subnet as the access point configured as the DHCP server.


For detailed information on DHCP-related commands and options, refer to the Configuring DHCP chapter in the Cisco IOS IP Configuration Guide, Release 12.3. Click this URL to browse to the "Configuring DHCP" chapter:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfdhcp.htm

Beginning in privileged EXEC mode, follow these steps to configure an access point to provide DHCP service:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip dhcp excluded-address low_address [ high_address ]

Exclude the access point/bridge's IP address from the range of addresses the wireless device assigns. Enter the IP address in four groups of characters, such as 10.91.6.158.

The access point/bridge assumes that all IP addresses in a DHCP address pool subnet are available for assigning to DHCP clients. You must specify the IP addresses that the DHCP server should not assign to clients.

(Optional) To enter a range of excluded addresses, enter the address at the low end of the range followed by the address at the high end of the range.

Step 3 

ip dhcp pool pool_name

Create a name for the pool of IP addresses that the wireless device assigns in response to DHCP requests, and enter DHCP configuration mode.

Step 4 

network subnet_number [ mask | prefix-length ]

Assign the subnet number for the address pool. The access point/bridge assigns IP addresses within this subnet.

(Optional) Assign a subnet mask for the address pool, or specify the number of bits that comprise the address prefix. The prefix is an alternative way of assigning the network mask. The prefix length must be preceded by a forward slash (/).

Step 5 

lease { days [ hours ] [ minutes ] | infinite }

Configure the duration of the lease for IP addresses assigned by the wireless device.

days—configure the lease duration in number of days

(optional) hours—configure the lease duration in number of hours

(optional) minutes—configure the lease duration in number of minutes

infinite—set the lease duration to infinite

Step 6 

default-router address [address2 ... address8]

Specify the IP address of the default router for DHCP clients on the subnet. One IP address is required; however, you can specify up to eight addresses in one command line.

Step 7 

end

Return to privileged EXEC mode.