Table Of Contents
Release Notes for Cisco Aironet
1100 and 1200 Series Access Points
for Cisco IOS Release 12.2(11)JA3Finding the IOS Software Version
Upgrading to a New Software Release
Converting to Cisco IOS Software
IEEE 802.1X Local Authentication Service
Installation in Environmental Air Space
Operating 5-GHz Radio Requires Power Injector, Power Module, or Catalyst 3550-24 PWR Switch
Access Point Requires 1200 Series Universal Power Supply and Power Injector
Radio MAC Address Appears in ACU
Radio MAC Address Appears in Access Point Event Log
Mask Field on IP Filters Page Behaves the Same As in CLI
Repeater Access Points Cannot Be Configured As WDS Access Points
Cannot Perform Link Tests on Non-Cisco Aironet Client Devices
Firmware Upgrade Sometimes Fails Using Microsoft Internet Explorer 5.01 SP2
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco Aironet
1100 and 1200 Series Access Points
for Cisco IOS Release 12.2(11)JA3
April 15, 2004
Cisco IOS Release 12.2(11)JA3 resolves caveats for 1100 and 1200 series access points but does not introduce new features. These release notes describe caveats for Cisco IOS Release 12.2(11)JA3 and features and enhancements introduced in Cisco IOS Release 12.2(11)JA.
Contents
These release notes contain the following sections:
•
Obtaining Technical Assistance
•
Introduction
The Cisco Aironet Access Point is a wireless LAN transceiver that acts as the connection point between wireless and wired networks or as the center point of a standalone wireless network. In large installations, the roaming functionality provided by multiple access points enables wireless users to move freely throughout the facility while maintaining uninterrupted access to the network.
You can configure and monitor 1100 and 1200 series access points using the command-line interface (CLI), the browser-based management system, or Simple Network Management Protocol (SNMP).
System Requirements
You can install Cisco IOS Release 12.2(11)JA3 on 1100 series access points and on 1200 series access points that have been configured at the factory to run Cisco IOS software (model AP1230).
To install this release on a 1200 series access point that does not run IOS software, use the conversion utility to convert to IOS software without losing your current configuration. To convert to IOS software without saving your configuration, load the conversion image. The access point reboots with IOS software and factory default settings. Your 1200 series access point must run one of these VxWorks versions before you can convert to IOS software: 12.03T, 12.02T1, 12.01T1, 12.00T, 11.56, or 11.54T. If your access point runs version 12.04, you must downgrade to a supported VxWorks version before you can upgrade to IOS software.
Note
Finding the IOS Software Version
To find the version of IOS software running on your access point, use a Telnet session to log into the access point and enter the show version EXEC command. This example shows command output from an access point running Cisco IOS Release 12.2(8)JA:
ap1200>show versionCisco Internetwork Operating System SoftwareIOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(8)JACopyright (c) 1986-2003 by Cisco Systems, Inc.On access points running IOS software, you can also find the software version on the System Software Version page in the access point's web-browser interface.
If your access point does not run IOS software, the software version appears at the top left of most pages in the web-browser interface.
Upgrading to a New Software Release
For instructions on installing access point software:
1.
http://www.cisco.com/univercd/cc/td/doc/product/wireless/index.htm
2.
Aironet 1200 Series Wireless LAN Products > Cisco Aironet 1200 Series Access Points > Aironet 1200 Series Access Points, Cisco IOS Rel. 12.2(13)JA > Cisco IOS Software Configuration Guide for Cisco Aironet Access Points > Managing Firmware and Configurations > Working with Software Images3.
http://www.cisco.com/public/sw-center/sw-ios.shtml
Log into Cisco.com to use the Cisco IOS Upgrade Planner.
Converting to Cisco IOS Software
If your 1200 series access point does not run IOS software, you can use the conversion utility or the conversion image to convert the access point system to IOS software. Use the conversion utility to maintain the current configuration after the conversion, or load the conversion image to convert to IOS software without saving the current configuration. Your access point must run one of these VxWorks firmware versions before you can convert to IOS software: 12.03T, 12.02T1, 12.01T1, 12.00T, 11.56, or 11.54T.
Note
To download the conversion utility or the converter image, click this link to browse to the Cisco IOS Software Center on Cisco.com:
http://www.cisco.com/public/sw-center/sw-ios.shtml
Log into Cisco.com to use the Feature Navigator or the Cisco IOS Upgrade Planner, or click Wireless Software to go to the Wireless LAN Software page. Download the conversion utility or the conversion image for 1200 series access points. You can also download instructions for using the utility and the image.
New Features
Cisco IOS Release 12.2(11)JA3 does not introduce new features. This section lists features that were introduced in Cisco IOS Release 12.2(11)JA.
Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) is now supported on Cisco Aironet access points. WPA is the Wi-Fi Alliance specification for interoperable wireless LAN security. It supports IEEE 802.1X authentication using extensible authentication protocol (EAP) authentication types and temporal key integrity protocol (TKIP) encryption.
Fast Secure Roaming
Fast secure roaming for Cisco or Cisco Compatible wireless client devices using the Cisco Centralized Key Management (CCKM) protocol is available with this release. Fast, secure roaming is used to support time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP) or Citrix-based solutions. Fast secure roaming is a component of wireless domain services.
IEEE 802.1X Local Authentication Service
This feature allows a Cisco IOS software enabled device to authenticate wireless clients when connectivity to the AAA server is not available. It incorporates an IEEE 802.1X enabled RADIUS server that supports EAP authentication types into Cisco IOS software. This allows the Cisco Aironet access point to authenticate wireless clients when the wide area network (WAN) link is down or the RADIUS server at the central site is not available. This provides remote site survivability by allowing an access point to continue to access local resources such as file servers or printers in remote site deployments with non-redundant WAN links.
This release supports the EAP authentication type Cisco LEAP and operates with Cisco Secure Access Control Server (ACS) version 2.6 or later. IEEE 802.1X local authentication service is a component of wireless domain services.
Wireless Domain Services
Wireless domain services (WDS) is a collection of Cisco IOS software features that enhance wireless LAN (WLAN) client mobility and simplify WLAN deployment and management. The WDS feature set supported in this release includes fast secure roaming and IEEE 802.1X local authentication service.
Installation Notes
This section contains information you should keep in mind when installing 1100 and 1200 series access points.
Installation in Environmental Air Space
This section provides information on installing 1200 series access points in environmental air space, such as above suspended ceilings.
Cisco Aironet 1100 and 1200 Series Access Points provide adequate fire resistance and low smoke-producing characteristics suitable for operation in a building's environmental air space, such as above suspended ceilings, in accordance with Section 300-22(C) of the National Electrical Code (NEC) and Sections 2-128, 12-010(3) and 12-100 of the Canadian Electrical Code, Part 1, C22.1.
Caution
Note
Power Considerations
This section describes issues you should consider before applying power to an access point.
Caution
Caution
Caution
Use Only One Power Option
You cannot provide redundant power to the access point with both DC power to its power port and inline power from a patch panel or powered switch to the access point's Ethernet port. If you apply power to the access point from both sources, the switch or power patch panel might shut down the port to which the access point is connected. Figure 1 shows the power configuration that can shut down the port on the patch panel or powered switch.
Figure 1 Improper Power Configuration Using Two Power Sources
Operating 5-GHz Radio Requires Power Injector, Power Module, or Catalyst 3550-24 PWR Switch
The 1200 series power injector and the 1200 series power module support operation of the 5-GHz radio in the access point. Currently, the Catalyst 3550-24 PWR switch supports power for both the 2.4-GHz radio and the 5-GHz radio. Other switches and power patch panels might not provide enough power for the 5-GHz radio.
Access Point Requires 1200 Series Universal Power Supply and Power Injector
The 350 series universal power supply and power injector are not compatible with the 1200 series access point. If you use a power injector or a power module to provide power to a 1200 series access point, you must use a 1200 series universal power supply. If you need to use a power injector to inject power into the access point's Ethernet port, you must use a 1200 series power injector.
Antenna Installation
For instructions on the proper installation and grounding of external antennas for 1200 series access points, refer to the National Fire Protection Association's NFPA 70, National Electrical Code, Article 810, and the Canadian Standards Association's Canadian Electrical Code, Section 54.
Warning
Important Notes
This section describes important information about the access point.
Radio MAC Address Appears in ACU
When a Cisco Aironet client device associates to an 1100 or 1200 series access point running IOS software, the access point MAC address that appears on the Status page in the Aironet Client Utility (ACU) is the MAC address for the access point radio. The MAC address for the access point Ethernet port is printed on the label on the back of the access point.
Radio MAC Address Appears in Access Point Event Log
When a client device roams from an access point (such as access point alpha) to another access point (access point bravo), a message appears in the event log on access point alpha stating that the client roamed to access point bravo. The MAC address that appears in the event message is the MAC address for the radio in access point bravo. The MAC address for the access point Ethernet port is printed on the label on the back of the access point.
Mask Field on IP Filters Page Behaves the Same As in CLI
In Cisco IOS Release 12.2(8)JA and later, the mask that you enter in the Mask field on the IP Filters page in the access point GUI behaves the same way that a mask behaves when you enter it in the CLI. If you enter 255.255.255.255 as the mask, the access point accepts any IP address. If you enter 0.0.0.0, the access point looks for an exact match with the IP address that you entered in the IP Address field.
Repeater Access Points Running IOS Software Cannot Associate to Parent Access Points Not Running IOS Software
Repeater access points running Cisco IOS software cannot associate to parent access points that do not run IOS software (340 and 350 series access points, and 1200 series access points that have not been converted to run IOS software).
Repeater Access Points Cannot Be Configured As WDS Access Points
Repeater access points do not support WDS. You cannot configure a repeater access point as a WDS access point, and if a root access point becomes a repeater in fallback mode, it cannot provide WDS.
Crossover Cable Sometimes Needed When Ethernet Speed and Duplex Set to Fixed on 1100 Series Access Points
If you change the speed and duplex settings from auto to fixed on an 1100 series access point's Ethernet port, the auto-MDIX feature on the port is disabled. When auto-MDIX is disabled, you must determine whether to use a straight-through or a crossover cable to connect the access point Ethernet port to another device. If the Ethernet link goes down after you set the speed and duplex to fixed, try changing the Ethernet cable from crossover to straight-through or from straight-through to crossover.
Cannot Perform Link Tests on Non-Cisco Aironet Client Devices
The link test feature on the web-browser interface does not support non-Cisco Aironet client devices.
Firmware Upgrade Sometimes Fails Using Microsoft Internet Explorer 5.01 SP2
A firmware upgrade sometimes fails when you use Microsoft Internet Explorer version 5.01 SP2 to upgrade firmware using the HTTP Upgrade page in the web-browser interface. Use a later version of Microsoft Internet Explorer to perform HTTP firmware upgrades.
Caveats
This section lists Open Caveats and Resolved Caveats in Cisco IOS Release 12.2(11)JA3.
Open Caveats
These caveats are open in Cisco IOS Release 12.2(11)JA3:
•
Workaround: Instead of modifying the filter, delete the filter and recreate it using the web-browser interface.
•
Workaround: When running link tests on the web-browser interface, limit the test to hundreds of packets, or use the CLI to run link tests using thousands of packets.
•
Workaround: Do not use a broadcast MAC address when configuring hot standby.
•
Workaround: Enable the radio interface before running the carrier busy test on the web-browser interface, or run the carrier busy test on the CLI.
•
Apr 30 20:36:34.521: %DOT11-7-AUTH_FAILED: Station 000b.fd75.4180 Authentication failedApr 30 20:36:37.712: %DOT11-6-ASSOC: Interface Dot11Radio0, Station STL-CLIENT-3 000b.fd75.4180 Associated KEY_MGMT[CCKM]You can ignore these messages.
•
Workaround: Before entering the show wlccp wds mn detail command, enter terminal length 0 in privileged EXEC mode to display the show wlccp wds mn detail command output without breaking it into multiple pages.
•
Workaround: Use the CLI to apply filters when 8 or more VLANs are enabled.
•
Workaround: Use the CLI to enable PSPF on a non-native VLAN.
Resolved Caveats
These caveats are resolved in Cisco IOS Release 12.2(11)JA3:
•
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
•
•
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
Troubleshooting
For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at http://www.cisco.com/tac. Click Technology Support, choose Wireless from the menu on the left, and click Wireless LAN.
Related Documentation
This section lists documents related to Cisco IOS Release 12.2(11)JA and to 1100 and 1200 series access points:
•
•
•
•
•
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•
http://www.cisco.com/en/US/partner/ordering/index.shtml
•
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides recommended solutions. If your issue is not resolved using the recommended resources, your service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553 2447For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•
http://www.cisco.com/go/marketplace/
•
http://cisco.com/univercd/cc/td/doc/pcat/
•
•
•
http://www.cisco.com/go/iqmagazine
•
•
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the Related Documentation section.
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
Printed in the USA on recycled paper containing 10% postconsumer waste.
Guest
