Table Of Contents
Configuring WLANs
WLAN Overview
Configuring WLANs
Creating WLANs
Using the GUI to Create WLANs
Using the CLI to Create WLANs
Configuring DHCP
Internal DHCP Server
External DHCP Servers
DHCP Assignment
Security Considerations
Using the GUI to Configure DHCP
Using the CLI to Configure DHCP
Configuring DHCP Scopes
Configuring MAC Filtering for WLANs
Enabling MAC Filtering
Creating a Local MAC Filter
Configuring a Timeout for Disabled Clients
Assigning WLANs to Interfaces
Configuring the DTIM Period
Using the GUI to Configure the DTIM Period
Using the CLI to Configure the DTIM Period
Configuring Peer-to-Peer Blocking
Guidelines for Using Peer-to-Peer Blocking
Using the GUI to Configure Peer-to-Peer Blocking
Using the CLI to Configure Peer-to-Peer Blocking
Configuring Layer 2 Security
Static WEP Keys
Dynamic 802.1X Keys and Authorization
Configuring a WLAN for Both Static and Dynamic WEP
WPA1 and WPA2
CKIP
Configuring a Session Timeout
Using the GUI to Configure a Session Timeout
Using the CLI to Configure a Session Timeout
Configuring Layer 3 Security
VPN Passthrough
Web Authentication
Assigning a QoS Profile to a WLAN
Using the GUI to Assign a QoS Profile to a WLAN
Using the CLI to Assign a QoS Profile to a WLAN
Configuring QoS Enhanced BSS
Guidelines for Configuring QBSS
Additional Guidelines for Using 7921 and 7920 Wireless IP Phones
Using the GUI to Configure QBSS
Using the CLI to Configure QBSS
Configuring IPv6 Bridging
Guidelines for Using IPv6 Bridging
Using the GUI to Configure IPv6 Bridging
Using the CLI to Configure IPv6 Bridging
Configuring Cisco Client Extensions
Using the GUI to Configure CCX Aironet IEs
Using the GUI to View a Client's CCX Version
Using the CLI to Configure CCX Aironet IEs
Using the CLI to View a Client's CCX Version
Configuring WLAN Override
Using the GUI to Configure WLAN Override
Using the CLI to Configure WLAN Override
Configuring Access Point Groups
Creating Access Point Groups
Assigning Access Points to Access Point Groups
Configuring Web Redirect with 802.1X Authentication
Conditional Web Redirect
Splash Page Web Redirect
Configuring the RADIUS Server
Using the GUI to Configure Web Redirect
Using the CLI to Configure Web Redirect
Disabling Accounting Servers per WLAN
Configuring NAC Out-of-Band Integration
Guidelines for Using NAC Out-of-Band Integration
Using the GUI to Configure NAC Out-of-Band Integration
Using the CLI to Configure NAC Out-of-Band Integration
Configuring WLANs
This chapter describes how to configure up to 16 WLANs for your Cisco UWN Solution. It contains these sections:
• WLAN Overview
• Configuring WLANs
WLAN Overview
The Cisco UWN Solution can control up to 16 WLANs for lightweight access points. Each WLAN has a separate WLAN ID (1 through 16), a separate WLAN SSID (WLAN name), and can be assigned unique security policies.
Lightweight access points broadcast all active Cisco UWN Solution WLAN SSIDs and enforce the policies that you define for each WLAN.
Note
Cisco recommends that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers properly route VLAN traffic.
Configuring WLANs
These sections describe how to configure WLANs:
• Creating WLANs
• Configuring DHCP
• Configuring MAC Filtering for WLANs
• Assigning WLANs to Interfaces
• Configuring the DTIM Period
• Configuring Peer-to-Peer Blocking
• Configuring Layer 2 Security
• Configuring a Session Timeout
• Configuring Layer 3 Security
• Assigning a QoS Profile to a WLAN
• Configuring QoS Enhanced BSS
• Configuring IPv6 Bridging
• Configuring Cisco Client Extensions
• Configuring WLAN Override
• Configuring Access Point Groups
• Configuring Web Redirect with 802.1X Authentication
• Disabling Accounting Servers per WLAN
• Configuring NAC Out-of-Band Integration
Creating WLANs
This section provides instructions for creating up to 16 WLANs using either the controller GUI or CLI.
You can configure WLANs with different service set identifiers (SSIDs) or with the same SSID. An SSID identifies the specific wireless network that you want the controller to access. Creating WLANs with the same SSID enables you to assign different Layer 2 security policies within the same wireless LAN. To distinguish among WLANs with the same SSID, you must create a unique profile name for each WLAN.
WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in beacon and probe responses. These are the available Layer 2 security policies:
• None (open WLAN)
• Static WEP or 802.1X
Note
Because static WEP and 802.1X are both advertised by the same bit in beacon and probe responses, they cannot be differentiated by clients. Therefore, they cannot both be used by multiple WLANs with the same SSID.
• CKIP
• WPA/WPA2
Note
Although WPA and WPA2 cannot both be used by multiple WLANs with the same SSID, two WLANs with the same SSID could be configured with WPA/TKIP with PSK and WPA/TKIP with 802.1X, respectively, or with WPA/TKIP with 802.1X and WPA/AES with 802.1X, respectively.
Using the GUI to Create WLANs
Follow these steps to create WLANs using the GUI.
Step 1
Click Wireless > WLANs to open the WLANs page (see Figure 6-1).
Figure 6-1 WLANs Page
This page lists all of the WLANs currently configured on the controller. Figure 6-1 illustrates multiple WLANs using the same SSID. Specifically, it shows two WLANs that share the SSID "user" but have different profile names (user1 and user2). Notice that their security policies are also different.
Note
If you want to delete a WLAN, hover your cursor over the blue drop-down arrow for that WLAN and choose Remove.
Step 2
To create a new WLAN, click New. The WLANs > New page appears (see Figure 6-2).
Figure 6-2 WLANs > New Page
Step 3
From the Type drop-down box, choose WLAN to create a WLAN.
Note
If you want to create a guest LAN for wired guest users, choose Guest LAN and follow the instructions in the "Configuring Wired Guest Access" section on page 9-23.
Step 4
In the Profile Name field, enter up to 32 alphanumeric characters for the profile name to be assigned to this WLAN. The profile name must be unique.
Step 5
In the WLAN SSID field, enter up to 32 alphanumeric characters for the SSID to be assigned to this WLAN.
Step 6
Click Apply to commit your changes. The WLANs > Edit page appears (see Figure 6-3).
Note
You can also access the WLANs > Edit page from the WLANs page by clicking the name of the WLAN that you want to edit.
Figure 6-3 WLANs > Edit Page
Step 7
Use the parameters on the General, Security, QoS, and Advanced tabs to configure this WLAN. Refer to the sections in the rest of this chapter for instructions on configuring specific features for WLANs.
Step 8
On the General tab, check the Status check box to enable this WLAN. Be sure to leave it unchecked until you have finished making configuration changes to the WLAN.
Step 9
Click Apply to commit your changes.
Step 10
Click Save Configuration to save your changes.
Using the CLI to Create WLANs
Use these commands to create WLANs using the CLI.
1.
To view the list of existing WLANs and to see whether they are enabled or disabled, enter this command:
show wlan summary
2.
To create a new WLAN, enter this command:
config wlan create wlan_id profile_name ssid
Note
If you do not specify an ssid, the profile_name parameter is used for both the profile name and the SSID.
Note
When WLAN 1 is created in the configuration wizard, it is created in enabled mode. Disable it until you have finished configuring it. When you create a new WLAN using the config wlan create command, it is created in disabled mode. Leave it disabled until you have finished configuring it.
Note
If you want to create a guest LAN for wired guest users, follow the instructions in the "Configuring Wired Guest Access" section on page 9-23.
3.
To disable a WLAN (for example, before making any modifications to a WLAN), enter this command:
config wlan disable wlan_id
Note
If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.
4.
To enable a WLAN (for example, after you have finished making configuration changes to the WLAN), enter this command:
config wlan enable wlan_id
5.
To delete a WLAN, enter this command:
config wlan delete wlan_id
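As an added example (not Cisco's code, and not part of the original guide), the following script checks a planned set of WLANs against the constraints stated in this section and emits the CLI sequence from the steps above: WLAN IDs 1 through 16, profile names and SSIDs of up to 32 alphanumeric characters, unique profile names, and, for WLANs sharing an SSID, Layer 2 policies that clients can tell apart (static WEP and 802.1X are advertised by the same bit and so count as one). The policy labels such as "wpa/tkip/802.1x" and the sample plans are constructed for the example.

```python
# Added example (not Cisco's code): check a planned set of WLANs against the
# constraints described above and emit the CLI sequence for each one.
# The policy labels (e.g. "wpa/tkip/802.1x") and the plans are constructed.
from dataclasses import dataclass

MAX_WLANS = 16      # WLAN IDs run from 1 through 16
MAX_NAME_LEN = 32   # profile name and SSID: up to 32 alphanumeric characters


@dataclass(frozen=True)
class WlanPlan:
    wlan_id: int
    profile: str
    ssid: str
    layer2: str  # "none", "static-wep", "802.1x", "ckip", "wpa/tkip/psk", "wpa/aes/802.1x", ...


def advertised_policy(layer2: str) -> str:
    """Collapse Layer 2 policies that clients cannot tell apart.
    Static WEP and 802.1X are advertised by the same bit in beacons and
    probe responses, so they count as one policy for this check."""
    if layer2 in ("static-wep", "802.1x"):
        return "wep-or-802.1x"
    return layer2


def validate(plans):
    """Return a list of problems; an empty list means the plan is acceptable."""
    errors = []
    if len(plans) > MAX_WLANS:
        errors.append(f"{len(plans)} WLANs planned; the controller supports at most {MAX_WLANS}")
    seen_ids, seen_profiles, by_ssid = set(), set(), {}
    for p in plans:
        if not 1 <= p.wlan_id <= MAX_WLANS:
            errors.append(f"WLAN {p.wlan_id}: ID must be between 1 and {MAX_WLANS}")
        if p.wlan_id in seen_ids:
            errors.append(f"WLAN {p.wlan_id}: duplicate WLAN ID")
        seen_ids.add(p.wlan_id)
        for label, value in (("profile name", p.profile), ("SSID", p.ssid)):
            if not (0 < len(value) <= MAX_NAME_LEN and value.isalnum()):
                errors.append(f"WLAN {p.wlan_id}: {label} {value!r} must be "
                              f"1-{MAX_NAME_LEN} alphanumeric characters")
        if p.profile in seen_profiles:
            errors.append(f"WLAN {p.wlan_id}: profile name {p.profile!r} is not unique")
        seen_profiles.add(p.profile)
        # WLANs sharing an SSID must advertise distinguishable Layer 2 policies
        policy = advertised_policy(p.layer2)
        used = by_ssid.setdefault(p.ssid, {})
        if policy in used:
            errors.append(f"WLAN {p.wlan_id}: SSID {p.ssid!r} already advertises "
                          f"'{policy}' on WLAN {used[policy]}; clients could not tell them apart")
        else:
            used[policy] = p.wlan_id
    return errors


def cli_commands(plan, settings=()):
    """CLI lines for one WLAN: create it, keep it disabled while configuring,
    apply the settings, then enable and save. Each setting is a complete
    'config wlan ...' line with a {wlan_id} placeholder."""
    lines = [
        f"config wlan create {plan.wlan_id} {plan.profile} {plan.ssid}",
        # a WLAN created this way starts disabled; WLAN 1 from the setup wizard
        # starts enabled, so disabling explicitly is harmless and covers both
        f"config wlan disable {plan.wlan_id}",
    ]
    lines += [s.format(wlan_id=plan.wlan_id) for s in settings]
    lines += [f"config wlan enable {plan.wlan_id}", "save config"]
    return lines


if __name__ == "__main__":
    plans = [
        WlanPlan(1, "employee1", "employee", "wpa/tkip/802.1x"),
        WlanPlan(2, "employee2", "employee", "wpa/aes/802.1x"),
        WlanPlan(3, "user1", "user", "static-wep"),
        WlanPlan(4, "user2", "user", "802.1x"),   # indistinguishable from WLAN 3
    ]
    for problem in validate(plans):
        print("problem:", problem)
    print("\n".join(cli_commands(plans[0], ["config wlan dtim 802.11a 2 {wlan_id}"])))
```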
Configuring DHCP
WLANs can be configured to use the same or different Dynamic Host Configuration Protocol (DHCP) servers or no DHCP server. Two types of DHCP servers are available: internal and external.
Internal DHCP Server
The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. The wireless network generally contains 10 access points or fewer, with the access points on the same IP subnet as the controller. The internal server provides DHCP addresses to wireless clients, direct-connect access points, appliance-mode access points on the management interface, and DHCP requests that are relayed from access points. Only lightweight access points are supported. When you want to use the internal DHCP server, you must set the management interface IP address of the controller as the DHCP server IP address.
DHCP option 43 is not supported on the internal server. Therefore, the access point must use an alternative method to locate the management interface IP address of the controller, such as local subnet broadcast, DNS, priming, or over-the-air discovery.
Note
Refer to Chapter 7 or the Controller Deployment Guide at this URL for more information on how access points find controllers:
http://www.cisco.com/en/US/products/ps6366/prod_technical_reference_list.html
External DHCP Servers
The operating system is designed to appear as a DHCP Relay to the network and as a DHCP server to clients with industry-standard external DHCP servers that support DHCP Relay. This means that each controller appears as a DHCP Relay agent to the DHCP server. This also means that the controller appears as a DHCP server at the virtual IP Address to wireless clients.
Because the controller captures the client IP address obtained from a DHCP server, it maintains the same IP address for that client during intra-controller, inter-controller, and inter-subnet client roaming.
DHCP Assignment
You can configure DHCP on a per-interface or per-WLAN basis. The preferred method is to use the primary DHCP server address assigned to a particular interface.
Per-Interface Assignment
You can assign DHCP servers for individual interfaces. The management interface, AP-manager interface, and dynamic interfaces can be configured for a primary and secondary DHCP server, and the service-port interface can be configured to enable or disable DHCP servers.
Note
Refer to Chapter 3 for information on configuring the controller's interfaces.
Per-WLAN Assignment
You can also define a DHCP server on a WLAN. This server will override the DHCP server address on the interface assigned to the WLAN.
Security Considerations
For enhanced security, Cisco recommends that you require all clients to obtain their IP addresses from a DHCP server. To enforce this requirement, all WLANs can be configured with a DHCP Addr. Assignment Required setting, which disallows client static IP addresses. If DHCP Addr. Assignment Required is selected, clients must obtain an IP address via DHCP. Any client with a static IP address is not allowed on the network. The controller monitors DHCP traffic because it acts as a DHCP proxy for the clients.
Note
WLANs that support management over wireless must allow management (device-servicing) clients to obtain an IP address from a DHCP server. See the "Using Management over Wireless" section on page 5-51 for instructions on configuring management over wireless.
If slightly less security is tolerable, you can create WLANs with DHCP Addr. Assignment Required disabled. Clients then have the option of using a static IP address or obtaining an IP address from a designated DHCP server.
You are also allowed to create separate WLANs with DHCP Addr. Assignment Required disabled and a DHCP server IP address of 0.0.0.0. These WLANs drop all DHCP requests and force clients to use a static IP address. Note that these WLANs do not support management over wireless connections.
Note
Refer to Chapter 4 for instructions on globally configuring DHCP proxy.
This section provides both GUI and CLI instructions for configuring DHCP.
Using the GUI to Configure DHCP
Follow these steps to configure DHCP using the GUI.
Step 1
Follow the instructions in the "Using the GUI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces" section on page 3-11 or "Using the GUI to Configure Dynamic Interfaces" section on page 3-16 to configure a primary DHCP server for a management, AP-manager, or dynamic interface that will be assigned to the WLAN.
Note
When you want to use the internal DHCP server, you must set the management interface IP address of the controller as the DHCP server IP address.
Step 2
Click WLANs to open the WLANs page.
Step 3
Click the profile name of the WLAN for which you wish to assign an interface. The WLANs > Edit (General) page appears.
Step 4
On the General tab, uncheck the Status check box and click Apply to disable the WLAN.
Step 5
Re-click the profile name of the WLAN.
Step 6
On the General tab, choose the interface for which you configured a primary DHCP server to be used with this WLAN from the Interface drop-down box.
Step 7
Click the Advanced tab to open the WLANs > Edit (Advanced) page.
Step 8
If you want to define a DHCP server on the WLAN that will override the DHCP server address on the interface assigned to the WLAN, check the DHCP Server Override check box and enter the IP address of the desired DHCP server in the DHCP Server IP Addr edit box. The default value for the check box is disabled.
Note
The preferred method for configuring DHCP is to use the primary DHCP address assigned to a particular interface instead of the DHCP server override.
Step 9
If you want to require all clients to obtain their IP addresses from a DHCP server, check the DHCP Addr. Assignment Required check box. When this feature is enabled, any client with a static IP address is not allowed on the network. The default value is disabled.
Step 10
Click Apply to commit your changes.
Step 11
On the General tab, check the Status check box and click Apply to re-enable the WLAN.
Step 12
Click Save Configuration to save your changes.
Using the CLI to Configure DHCP
Follow these steps to configure DHCP using the CLI.
Step 1
Follow the instructions in the "Using the CLI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces" section on page 3-13 or "Using the CLI to Configure Dynamic Interfaces" section on page 3-18 to configure a primary DHCP server for a management, AP-manager, or dynamic interface that will be assigned to the WLAN.
Step 2
To disable the WLAN, enter this command:
config wlan disable wlan_id
Step 3
To specify the interface for which you configured a primary DHCP server to be used with this WLAN, enter this command:
config wlan interface wlan_id interface_name
Step 4
If you want to define a DHCP server on the WLAN that will override the DHCP server address on the interface assigned to the WLAN, enter this command:
config wlan dhcp_server wlan_id dhcp_server_ip_address
Note
The preferred method for configuring DHCP is to use the primary DHCP address assigned to a particular interface instead of the DHCP server override. If you enable the override, you can use the show wlan command to verify that the DHCP server has been assigned to the WLAN.
Step 5
To re-enable the WLAN, enter this command:
config wlan enable wlan_id
Configuring DHCP Scopes
Controllers have built-in DHCP relay agents. However, when network administrators desire network segments that do not have a separate DHCP server, the controllers can have built-in DHCP scopes that assign IP addresses and subnet masks to wireless clients. Typically, one controller can have one or more DHCP scopes that each provide a range of IP addresses.
DHCP scopes are needed for internal DHCP to work. Once a scope is defined on the controller, you can point the primary DHCP server IP address on the management, AP-manager, and dynamic interfaces to the controller's management interface. You can configure up to 16 DHCP scopes using the controller GUI or CLI.
Using the GUI to Configure DHCP Scopes
Follow these steps to configure DHCP scopes using the GUI.
Step 1
Click Controller > Internal DHCP Server to open the DHCP Scopes page (see Figure 6-4).
Figure 6-4 DHCP Scopes Page
This page lists any DHCP scopes that have already been configured.
Note
If you ever want to delete an existing DHCP scope, hover your cursor over the blue drop-down arrow for that scope and choose Remove.
Step 2
To add a new DHCP scope, click New. The DHCP Scope > New page appears.
Step 3
In the Scope Name field, enter a name for the new DHCP scope.
Step 4
Click Apply. When the DHCP Scopes page reappears, click the name of the new scope. The DHCP Scope > Edit page appears (see Figure 6-5).
Figure 6-5 DHCP Scope > Edit Page
Step 5
In the Pool Start Address field, enter the starting IP address in the range assigned to the clients.
Note
This pool must be unique for each DHCP scope and must not include the static IP addresses of routers or other servers.
Step 6
In the Pool End Address field, enter the ending IP address in the range assigned to the clients.
Note
This pool must be unique for each DHCP scope and must not include the static IP addresses of routers or other servers.
Step 7
In the Network field, enter the network served by this DHCP scope. This is the IP address used by the management interface with Netmask applied, as configured on the Interfaces page.
Step 8
In the Netmask field, enter the subnet mask assigned to all wireless clients.
Step 9
In the Lease Time field, enter the amount of time (from 0 to 65536 seconds) that an IP address is granted to a client.
Step 10
In the Default Routers field, enter the IP address of the optional router(s) connecting the controllers. Each router must include a DHCP forwarding agent, which allows a single controller to serve the clients of multiple controllers.
Step 11
In the DNS Domain Name field, enter the optional domain name system (DNS) domain name of this DHCP scope for use with one or more DNS servers.
Step 12
In the DNS Servers field, enter the IP address of the optional DNS server(s). Each DNS server must be able to update a client's DNS entry to match the IP address assigned by this DHCP scope.
Step 13
In the Netbios Name Servers field, enter the IP address of the optional Microsoft Network Basic Input Output System (NetBIOS) name server(s), such as a Windows Internet Naming Service (WINS) server.
Step 14
From the Status drop-down box, choose Enabled to enable this DHCP scope or Disabled to disable it.
Step 15
Click Apply to commit your changes.
Step 16
Click Save Configuration to save your changes.
Using the CLI to Configure DHCP Scopes
Follow these steps to configure DHCP scopes using the CLI.
Step 1
To create a new DHCP scope, enter this command:
config dhcp create-scope scope
Note
If you ever want to delete a DHCP scope, enter this command: config dhcp delete-scope scope.
Step 2
To specify the starting and ending IP address in the range assigned to the clients, enter this command:
config dhcp address-pool scope start end
Note
This pool must be unique for each DHCP scope and must not include the static IP addresses of routers or other servers.
Step 3
To specify the network served by this DHCP scope (the IP address used by the management interface with Netmask applied) and the subnet mask assigned to all wireless clients, enter this command:
config dhcp network scope network netmask
Step 4
To specify the amount of time (from 0 to 65536 seconds) that an IP address is granted to a client, enter this command:
config dhcp lease scope lease_duration
Step 5
To specify the IP address of the optional router(s) connecting the controllers, enter this command:
config dhcp default-router scope router_1 [router_2] [router_3]
Each router must include a DHCP forwarding agent, which allows a single controller to serve the clients of multiple controllers.
Step 6
To specify the optional domain name system (DNS) domain name of this DHCP scope for use with one or more DNS servers, enter this command:
config dhcp domain scope domain
Step 7
To specify the IP address of the optional DNS server(s), enter this command:
config dhcp dns-servers scope dns1 [dns2] [dns3]
Each DNS server must be able to update a client's DNS entry to match the IP address assigned by this DHCP scope.
Step 8
To specify the IP address of the optional Microsoft Network Basic Input Output System (NetBIOS) name server(s), such as a Windows Internet Naming Service (WINS) server, enter this command:
config dhcp netbios-name-server scope wins1 [wins2] [wins3]
Step 9
To enable or disable this DHCP scope, enter this command:
config dhcp {enable | disable} scope
Step 10
To save your changes, enter this command:
save config
Step 11
To see the list of configured DHCP scopes, enter this command:
show dhcp summary
Information similar to the following appears:
Scope Name Enabled Address Range
Scope 1 No 0.0.0.0 -> 0.0.0.0
Scope 2 No 0.0.0.0 -> 0.0.0.0
Step 12
To display the DHCP information for a particular scope, enter this command:
show dhcp scope
Information similar to the following appears:
Enabled....................................... No
Lease Time.................................... 0
Pool Start.................................... 0.0.0.0
Pool End...................................... 0.0.0.0
Network....................................... 0.0.0.0
Netmask....................................... 0.0.0.0
Default Routers............................... 0.0.0.0 0.0.0.0 0.0.0.0
DNS Domain....................................
DNS........................................... 0.0.0.0 0.0.0.0 0.0.0.0
Netbios Name Servers.......................... 0.0.0.0 0.0.0.0 0.0.0.0
Configuring MAC Filtering for WLANs
When you use MAC filtering for client or administrator authorization, you need to enable it at the WLAN level first. If you plan to use local MAC address filtering for any WLAN, use the commands in this section to configure MAC filtering for a WLAN.
Enabling MAC Filtering
Use these commands to enable MAC filtering on a WLAN:
• Enter config wlan mac-filtering enable wlan_id to enable MAC filtering.
• Enter show wlan to verify that you have MAC filtering enabled for the WLAN.
When you enable MAC filtering, only the MAC addresses that you add to the WLAN are allowed to join the WLAN. MAC addresses that have not been added are not allowed to join the WLAN.
Creating a Local MAC Filter
Controllers have built-in MAC filtering capability, similar to that provided by a RADIUS authorization server.
Use these commands to add MAC addresses to a WLAN MAC filter:
• Enter config macfilter add mac_addr wlan_id [interface_name] [description] [IP_addr] to create a MAC filter entry on the controller, where the following parameters are optional:
  – interface_name—The name of the interface.
  – description—A brief description of the interface in double quotes (for example, "Interface1").
  – IP_addr—The IP address of the local MAC filter database.
• Enter config macfilter ip-address mac_addr IP_addr to assign an IP address to an existing MAC filter entry, if one was not assigned in the config macfilter add command.
• Enter show macfilter to verify that MAC addresses are assigned to the WLAN.
Configuring a Timeout for Disabled Clients
You can configure a timeout for disabled clients. Clients that fail to authenticate three times when attempting to associate are automatically disabled from further association attempts. After the timeout period expires, the client is allowed to retry authentication until it associates or fails authentication and is excluded again. Use these commands to configure a timeout for disabled clients:
• Enter config wlan blacklist wlan_id timeout to configure the timeout for disabled clients. Enter a timeout from 1 to 65535 seconds, or enter 0 to permanently disable the client.
• Use the show wlan command to verify the current timeout.
Assigning WLANs to Interfaces
Use these commands to assign a WLAN to an interface:
• Enter this command to assign a WLAN to an interface:
config wlan interface {wlan_id | foreignAp} interface_id
  – Use the interface_id option to assign the WLAN to a specific interface.
  – Use the foreignAp option to use a third-party access point.
• Enter show wlan summary to verify the interface assignment status.
Configuring the DTIM Period
In 802.11a/n and 802.11b/g/n networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data.
Normally, the DTIM value is set to 1 (transmit broadcast and multicast frames after every beacon) or 2 (transmit after every other beacon). For instance, if the beacon period of the 802.11a/n or 802.11b/g/n network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times per second. Either of these settings may be suitable for applications, including VoIP, that expect frequent broadcast and multicast frames.
However, the DTIM value can be set as high as 255 (transmit broadcast and multicast frames after every 255th beacon) if all 802.11a/n or 802.11b/g/n clients have power save enabled. Because the clients have to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts less frequently, resulting in longer battery life. For instance, if the beacon period is 100 ms and the DTIM value is set to 100, the access point transmits buffered broadcast and multicast frames once every 10 seconds, allowing the power-saving clients to sleep longer before they have to wake up and listen for broadcasts and multicasts, resulting in longer battery life.
Many applications cannot tolerate a long time between broadcast and multicast messages, resulting in poor protocol and application performance. Cisco recommends a low DTIM value for 802.11a/n and 802.11b/g/n networks that support such clients.
In controller software release 5.0 or later, you can configure the DTIM period for the 802.11a/n and 802.11b/g/n radio networks on specific WLANs. In previous software releases, the DTIM period was configured per radio network only, not per WLAN. The benefit of this change is that now you can configure a different DTIM period for each WLAN. For example, you might want to set different DTIM values for voice and data WLANs.
Note
When you upgrade the controller software to release 5.0 or later, the DTIM period that was configured for a radio network is copied to all of the existing WLANs on the controller.
Using the GUI to Configure the DTIM Period
Using the GUI, follow these steps to configure the DTIM period for a WLAN.
Step 1
Click WLANs to open the WLANs page.
Step 2
Click the name of the WLAN for which you want to configure the DTIM period.
Step 3
Uncheck the Status check box to disable the WLAN.
Step 4
Click Apply to commit your changes.
Step 5
Click the Advanced tab to open the WLANs > Edit (Advanced) page (see Figure 6-6).
Figure 6-6 WLANs > Edit (Advanced) Page
Step 6
Under DTIM Period, enter a value between 1 and 255 (inclusive) in the 802.11a/n and 802.11b/g/n fields. The default value is 1 (transmit broadcast and multicast frames after every beacon).
Step 7
Click Apply to commit your changes.
Step 8
Click the General tab to open the WLANs > Edit (General) page.
Step 9
Check the Status check box to re-enable the WLAN.
Step 10
Click Save Configuration to save your changes.
Using the CLI to Configure the DTIM Period
Using the CLI, follow these steps to configure the DTIM period for a WLAN.
Step 1
To disable the WLAN, enter this command:
config wlan disable wlan_id
Step 2
To configure the DTIM period for either the 802.11a/n or 802.11b/g/n radio network on a specific WLAN, enter this command:
config wlan dtim {802.11a | 802.11b} dtim wlan_id
where dtim is a value between 1 and 255 (inclusive). The default value is 1 (transmit broadcast and multicast frames after every beacon).
Step 3
To re-enable the WLAN, enter this command:
config wlan enable wlan_id
Step 4
To save your changes, enter this command:
save config
Step 5
To verify the DTIM period, enter this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 1
Profile Name..................................... employee1
Network Name (SSID).............................. employee
Status........................................... Enabled
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Local EAP Authentication...................... Disabled
...
Configuring Peer-to-Peer Blocking
In controller software releases prior to 4.2, peer-to-peer blocking is applied globally to all clients on all WLANs and causes traffic between two clients on the same VLAN to be transferred to the upstream VLAN rather than being bridged by the controller. This behavior usually results in traffic being dropped at the upstream switch because switches do not forward packets out the same port on which they are received.
In controller software release 4.2 or later, peer-to-peer blocking is applied to individual WLANs, and each client inherits the peer-to-peer blocking setting of the WLAN to which it is associated. In 4.2 or later, you also have more control over how traffic is directed. For example, you can choose to have traffic bridged locally within the controller, dropped by the controller, or forwarded to the upstream VLAN. Figure 6-7 illustrates each option.
Figure 6-7 Peer-to-Peer Blocking Examples
Guidelines for Using Peer-to-Peer Blocking
Follow these guidelines when using peer-to-peer blocking:
• In controller software releases prior to 4.2, the controller forwards Address Resolution Protocol (ARP) requests upstream (just like all other traffic). In controller software release 4.2 or later, ARP requests are directed according to the behavior set for peer-to-peer blocking.
• Peer-to-peer blocking does not apply to multicast traffic.
• Locally switched hybrid-REAP WLANs and hybrid-REAP access points in standalone mode do not support peer-to-peer blocking.
• If you upgrade to controller software release 4.2 or later from a previous release that supports global peer-to-peer blocking, each WLAN is configured with the peer-to-peer blocking action of forwarding traffic to the upstream VLAN.
Using the GUI to Configure Peer-to-Peer Blocking
Follow these steps to configure a WLAN for peer-to-peer blocking using the GUI.
Step 1
Click WLANs to open the WLANs page.
Step 2
Click the name of the WLAN for which you want to configure peer-to-peer blocking.
Step 3
Click the Advanced tab to open the WLANs > Edit (Advanced) page (see Figure 6-8).
Figure 6-8 WLANs > Edit (Advanced) Page
Step 4
Choose one of the following options from the P2P Blocking drop-down box:
• Disabled—Disables peer-to-peer blocking and bridges traffic locally within the controller whenever possible. This is the default value.
Note
Traffic is never bridged across VLANs in the controller.
•
Drop—Causes the controller to discard the packets. This is the appropriate setting for guest, BYOD, and other WLANs whose clients have no legitimate reason to talk to one another, because it prevents one compromised or hostile client from probing or attacking the others over the air.
•
Forward-UpStream—Causes the packets to be forwarded on the upstream VLAN. The device above the controller (typically a firewall or a switch ACL) decides what action to take regarding the packets; if nothing upstream filters them, the traffic is simply returned and the blocking has no effect.
Step 5
Click Apply to commit your changes.
Step 6
Click Save Configuration to save your changes.
Using the CLI to Configure Peer-to-Peer Blocking
Follow these steps to configure a WLAN for peer-to-peer blocking using the CLI.
Step 1
To configure a WLAN for peer-to-peer blocking, enter this command:
config wlan peer-blocking {disable | drop | forward-upstream} wlan_id
Note
See the description of each parameter in the "Using the GUI to Configure Peer-to-Peer Blocking" section above.
Step 2
To save your changes, enter this command:
save config
Step 3
To see the status of peer-to-peer blocking for a WLAN, enter this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 1
Profile Name..................................... test
Network Name (SSID).............................. test
Status........................................... Enabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
Local EAP Authentication...................... Disabled
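Checking the Peer-to-Peer Blocking Action field by eye across many WLANs is error-prone, so the following added example (not part of the Cisco guide) parses the dotted-leader layout that show wlan uses and reports every enabled WLAN whose action is not Drop or Forward-UpStream. The sample input is constructed from the field layout shown above, as if the output of show wlan 1 and show wlan 2 had been pasted together; only the field names visible on this page are relied on.

```python
"""Audit peer-to-peer blocking from `show wlan` output (added example, not Cisco code)."""
import re

# Constructed sample: two WLAN blocks in the dotted-leader format that `show wlan`
# prints, concatenated as if `show wlan 1` and `show wlan 2` were run back to back.
SAMPLE_SHOW_WLAN = """\
WLAN Identifier.................................. 1
Profile Name..................................... test
Network Name (SSID).............................. test
Status........................................... Enabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
Local EAP Authentication...................... Disabled

WLAN Identifier.................................. 2
Profile Name..................................... guest
Network Name (SSID).............................. guest
Status........................................... Enabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
Local EAP Authentication...................... Disabled
"""

# "Key....... Value": the key is everything before a run of three or more dots.
FIELD_RE = re.compile(r"^(?P<key>.+?)\.{3,}\s*(?P<value>.*)$")


def parse_show_wlan(text):
    """Return one dict per WLAN block, keyed by the field names show wlan prints."""
    wlans, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "WLAN Identifier":          # every block starts with this field
            current = {}
            wlans.append(current)
        if current is not None:
            current[key] = value
    return wlans


def p2p_findings(text, acceptable=("drop", "forward-upstream")):
    """List (wlan_id, ssid, action) for enabled WLANs whose blocking action is weak.

    show wlan prints the action capitalised ("Drop", "Forward-UpStream",
    "Disabled"), so the comparison is case-insensitive against the CLI keywords.
    """
    findings = []
    for wlan in parse_show_wlan(text):
        if wlan.get("Status", "").lower() != "enabled":
            continue                           # disabled WLANs carry no client traffic
        action = wlan.get("Peer-to-Peer Blocking Action", "")
        if action.lower() not in acceptable:
            findings.append((int(wlan["WLAN Identifier"]),
                             wlan.get("Network Name (SSID)", ""), action))
    return findings


if __name__ == "__main__":
    for wlan_id, ssid, action in p2p_findings(SAMPLE_SHOW_WLAN):
        print(f"WLAN {wlan_id} ({ssid}): peer-to-peer blocking is {action!r}; "
              f"remediate with: config wlan peer-blocking drop {wlan_id}")
```

Feed it the captured output of show wlan for each WLAN id (or of show wlan on every WLAN in turn) and act on the findings; the remediation command it prints is the one from Step 1 above.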
Configuring Layer 2 Security
This section explains how to assign Layer 2 security settings to WLANs.
Note
Clients using the Microsoft Wireless Configuration Manager and 802.1X must use WLANs configured for 40- or 104-bit key length. Configuring for 128-bit key length results in clients that can associate but not authenticate.
Static WEP Keys
Controllers can control static WEP keys across access points. Be aware that static WEP provides very little protection: well-known weaknesses in WEP's use of RC4 let an attacker recover the key from captured traffic, and a single key shared by every client cannot be revoked for one device. Use it only for legacy equipment that cannot do WPA2, and isolate such WLANs with peer-to-peer blocking and restrictive upstream ACLs. Use these commands to configure static WEP for WLANs:
•
Enter this command to disable 802.1X encryption:
config wlan security 802.1X disable wlan_id
•
Enter this command to configure 40/64, 104/128, or 128/152-bit WEP keys:
config wlan security static-wep-key encryption wlan_id {40 | 104 | 128} {hex | ascii} key key_index
–
Use the 40, 104, or 128 options to specify 40/64-bit, 104/128-bit, or 128/152-bit encryption. The default setting is 104/128.
–
Use the hex or ascii option to specify the character format for the WEP key.
–
Enter 10 hexadecimal digits (any combination of 0-9, a-f, or A-F) or five printable ASCII characters for 40-bit/64-bit WEP keys; enter 26 hexadecimal or 13 ASCII characters for 104-bit/128-bit keys; enter 32 hexadecimal or 16 ASCII characters for 128-bit/152-bit keys.
–
Enter a key index (sometimes called a key slot) of 1 through 4.
Dynamic 802.1X Keys and Authorization
Controllers can control 802.1X dynamic WEP keys using Extensible Authentication Protocol (EAP) across access points and support 802.1X dynamic key settings for WLANs.
Note
To use LEAP with lightweight access points and wireless clients, make sure to choose Cisco-Aironet as the RADIUS server type when configuring the CiscoSecure Access Control Server (ACS). Note that LEAP's challenge-response exchange exposes user passwords to offline dictionary attack; where the clients support it, prefer EAP-FAST, PEAP, or EAP-TLS.
•
Enter show wlan wlan_id to check the security settings of each WLAN. The default security setting for new WLANs is 802.1X with dynamic keys enabled. Dynamic WEP is preferable to static WEP because each client session receives its own key from the EAP exchange, but the keys are still WEP keys and the cipher remains weak; leave 802.1X configured on your WLANs and, where clients support it, use WPA2 with AES instead.
•
To disable or enable the 802.1X authentication, use this command:
config wlan security 802.1X {enable | disable} wlan_id
After you enable 802.1X authentication, the controller relays EAP authentication packets between the wireless client and the authentication server. All EAP types are passed through the controller unchanged, so the EAP method actually used is whatever the client and the RADIUS server negotiate.
•
If you want to change the 802.1X encryption level for a WLAN, use this command:
config wlan security 802.1X encryption wlan_id [40 | 104 | 128]
–
Use the 40 option to specify 40/64-bit encryption.
–
Use the 104 option to specify 104/128-bit encryption. (This is the default encryption setting.)
–
Use the 128 option to specify 128/152-bit encryption.
Configuring a WLAN for Both Static and Dynamic WEP
You can configure up to four WLANs to support static WEP keys, and you can also configure dynamic WEP on any of these static-WEP WLANs. Follow these guidelines when configuring a WLAN for both static and dynamic WEP:
•
The static WEP key and the dynamic WEP key must be the same length.
•
When you configure both static and dynamic WEP as the Layer 2 security policy, no other security policies can be specified. That is, you cannot configure web authentication. However, when you configure either static or dynamic WEP as the Layer 2 security policy, you can configure web authentication.
WPA1 and WPA2
Wi-Fi Protected Access (WPA or WPA1) and WPA2 are standards-based security solutions from the Wi-Fi Alliance that provide data protection and access control for wireless LAN systems. WPA1 is compatible with the IEEE 802.11i standard but was implemented prior to the standard's ratification; WPA2 is the Wi-Fi Alliance's implementation of the ratified IEEE 802.11i standard.
By default, WPA1 uses Temporal Key Integrity Protocol (TKIP) and message integrity check (MIC) for data protection while WPA2 uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Both WPA1 and WPA2 use 802.1X for authenticated key management by default. However, these options are also available: PSK, CCKM, and 802.1X+CCKM.
•
802.1X—IEEE 802.1X is the standard for port-based network access control and is the basis of wireless LAN authentication for 802.11. The access point and controller act as the 802.1X authenticator between a wireless client (the supplicant) and an authentication server, such as a RADIUS server, which the controller reaches over the wired network; EAP messages are relayed between the two ends. If 802.1X is selected, only 802.1X clients are supported.
•
PSK—When you choose PSK (also known as WPA pre-shared key or WPA passphrase), you need to configure a pre-shared key (or a passphrase). No authentication server is involved: the controller and every client derive the pairwise master key (PMK) from this shared secret, so the same PMK is held by all devices on the WLAN and must be changed whenever one of them is lost or compromised. A key entered as 64 hexadecimal digits is the PMK itself; an 8- to 63-character ASCII passphrase is stretched together with the SSID to produce it, which means a short or guessable passphrase can be recovered offline from a captured key handshake.
•
CCKM—Cisco Centralized Key Management (CCKM) uses a fast rekeying technique that enables clients to roam from one access point to another without going through the controller, typically in under 150 milliseconds (ms). CCKM reduces the time required by the client to mutually authenticate with the new access point and derive a new session key during reassociation. CCKM fast secure roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions. CCKM is a CCXv4-compliant feature. If CCKM is selected, only CCKM clients are supported.

Note
The 4.2 or later release of controller software supports CCX versions 1 through 5. CCX support is enabled automatically for every WLAN on the controller and cannot be disabled. The controller stores the CCX version of the client in its client database and uses it to limit client functionality. Clients must support CCXv4 or v5 in order to use CCKM. See the "Configuring Cisco Client Extensions" section for more information on CCX.
•
802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.
On a single WLAN, you can allow WPA1, WPA2, and 802.1X/PSK/CCKM/802.1X+CCKM clients to join. All of the access points on such a WLAN advertise WPA1, WPA2, and 802.1X/PSK/CCKM/802.1X+CCKM information elements in their beacons and probe responses. When you enable WPA1 and/or WPA2, you can also enable one or two ciphers, or cryptographic algorithms, designed to protect data traffic. Specifically, you can enable AES and/or TKIP data encryption for WPA1 and/or WPA2. TKIP is the default value for WPA1, and AES is the default value for WPA2. On a mixed WLAN each client selects a pairwise cipher from the advertised set, and the group (multicast) cipher must drop to TKIP so that every client can decrypt it; enable TKIP only while you still have clients that cannot do AES.
You can configure WPA1+WPA2 through either the GUI or the CLI.
Using the GUI to Configure WPA1+WPA2
Follow these steps to configure a WLAN for WPA1+WPA2 using the controller GUI.
Step 1
Click WLANs to open the WLANs page.
Step 2
Click the profile name of the desired WLAN to open the WLANs > Edit page.
Step 3
Click the Security and Layer 2 tabs to open the WLANs > Edit (Security > Layer 2) page (see Figure 6-9).
Figure 6-9 WLANs > Edit (Security > Layer 2) Page
Step 4
Choose WPA+WPA2 from the Layer 2 Security drop-down box.
Step 5
Under WPA+WPA2 Parameters, check the WPA Policy check box to enable WPA1, check the WPA2 Policy check box to enable WPA2, or check both check boxes to enable both WPA1 and WPA2.
Note
The default value is disabled for both WPA1 and WPA2. If you leave both WPA1 and WPA2 disabled, the access points advertise in their beacons and probe responses information elements only for the authentication key management method you choose in Step 7.
Step 6
Check the AES check box to enable AES data encryption or the TKIP check box to enable TKIP data encryption for WPA1, WPA2, or both. The default values are TKIP for WPA1 and AES for WPA2.
Step 7
Choose one of the following key management methods from the Auth Key Mgmt drop-down box: 802.1X, CCKM, PSK, or 802.1X+CCKM.
Step 8
If you chose PSK in Step 7, choose ASCII or HEX from the PSK Format drop-down box and then enter a pre-shared key in the blank field. WPA pre-shared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters.
Step 9
Click Apply to commit your changes.
Step 10
Click Save Configuration to save your changes.
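The key-length rules in this section (10, 26, or 32 hexadecimal or 5, 13, or 16 ASCII characters for 40-, 104-, or 128-bit static WEP keys with a key index of 1 through 4, and 8 to 63 ASCII characters or 64 hexadecimal characters for a WPA pre-shared key) are easy to get wrong when keys are scripted onto a controller. The following added example (not code from the Cisco guide) checks them before the config wlan security static-wep-key or config wlan security wpa akm psk set-key command is issued, and also derives the WPA PMK from a passphrase the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output), which makes concrete why the PMK is identical for every station on a PSK WLAN and why a 64-hex-digit key is accepted as the PMK itself. The function and variable names are this example's own.

```python
"""Pre-flight checks for WEP and WPA-PSK key material (added example, not Cisco code)."""
import hashlib
import re
import string

# Required key length in characters for each static WEP key size and input format,
# as stated in the "Static WEP Keys" section.
WEP_KEY_LENGTHS = {
    40:  {"hex": 10, "ascii": 5},
    104: {"hex": 26, "ascii": 13},
    128: {"hex": 32, "ascii": 16},
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Printable ASCII, excluding the whitespace control characters in string.printable.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def validate_wep_key(bits, fmt, key, key_index):
    """Raise ValueError for anything the static-wep-key command would reject;
    return the key (hex keys normalised to lowercase) when it is acceptable."""
    if bits not in WEP_KEY_LENGTHS:
        raise ValueError("WEP key size must be 40, 104 or 128 bits")
    if fmt not in ("hex", "ascii"):
        raise ValueError("key format must be 'hex' or 'ascii'")
    if not 1 <= key_index <= 4:
        raise ValueError("key index (slot) must be 1 through 4")
    want = WEP_KEY_LENGTHS[bits][fmt]
    if len(key) != want:
        raise ValueError(f"{bits}-bit {fmt} WEP key must be {want} characters, got {len(key)}")
    if fmt == "hex" and not HEX_RE.match(key):
        raise ValueError("hex WEP key may only contain 0-9, a-f, A-F")
    if fmt == "ascii" and not all(c in PRINTABLE for c in key):
        raise ValueError("ascii WEP key must consist of printable characters")
    return key.lower() if fmt == "hex" else key


def wpa_pmk(ssid, psk):
    """Return the 32-byte PMK for a WPA/WPA2-PSK WLAN.

    psk is either a 64-hex-digit key, which *is* the PMK, or an 8-63 character
    ASCII passphrase, which is stretched with PBKDF2-HMAC-SHA1 (4096 rounds,
    SSID as salt) exactly as every client does. Because the derivation uses
    nothing secret beyond the passphrase, anyone holding it (or able to guess
    it from a captured handshake) obtains the same PMK as every station.
    """
    if len(psk) == 64 and HEX_RE.match(psk):
        return bytes.fromhex(psk)
    if not 8 <= len(psk) <= 63 or not psk.isascii():
        raise ValueError("WPA pre-shared key must be 8-63 ASCII characters or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid.encode("ascii"), 4096, 32)


if __name__ == "__main__":
    validate_wep_key(104, "hex", "0123456789abcdef0123456789", 1)
    # Known-answer vector from IEEE 802.11i, Annex H: passphrase "password", SSID "IEEE".
    print(wpa_pmk("IEEE", "password").hex())
```

Run validate_wep_key with the exact arguments you intend to pass to the controller, and compare wpa_pmk output against a client's derived PMK when debugging a PSK mismatch; the 802.11i test vector in the block lets you confirm the derivation itself before trusting it.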
Using the CLI to Configure WPA1+WPA2
Follow these steps to configure a WLAN for WPA1+WPA2 using the controller CLI.
Step 1
Enter this command to disable the WLAN:
config wlan disable wlan_id
Step 2
Enter this command to enable or disable WPA for the WLAN:
config wlan security wpa {enable | disable} wlan_id
Step 3
Enter this command to enable or disable WPA1 for the WLAN:
config wlan security wpa wpa1 {enable | disable} wlan_id
Step 4
Enter this command to enable or disable WPA2 for the WLAN:
config wlan security wpa wpa2 {enable | disable} wlan_id
Step 5
Enter these commands to enable or disable AES or TKIP data encryption for WPA1 or WPA2:
•
config wlan security wpa wpa1 ciphers {aes | tkip} {enable | disable} wlan_id
•
config wlan security wpa wpa2 ciphers {aes | tkip} {enable | disable} wlan_id
The default values are TKIP for WPA1 and AES for WPA2.
Step 6
Enter this command to enable or disable 802.1X, PSK, or CCKM authenticated key management:
config wlan security wpa akm {802.1X | psk | cckm} {enable | disable} wlan_id
The default value is 802.1X.
Step 7
If you enabled PSK in Step 6, enter this command to specify a pre-shared key:
config wlan security wpa akm psk set-key {ascii | hex} psk-key wlan_id
WPA pre-shared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters.
Step 8
If you enabled WPA2 with 802.1X authenticated key management or WPA1 or WPA2 with CCKM authenticated key management, the PMK cache lifetime timer is used to trigger reauthentication with the client when necessary. The timer is based on the timeout value received from the AAA server or the WLAN session timeout setting. To see the amount of time remaining before the timer expires, enter this command:
show pmk-cache all
Information similar to the following appears:
Type Station Lifetime VLAN Override IP Override
------ ------------------- -------- ------------------ ---------------
CCKM 00:07:0e:b9:3a:1b 150 0.0.0.0
If you enabled WPA2 with 802.1X authenticated key management, the controller supports opportunistic PMKID caching but not sticky (or non-opportunistic) PMKID caching. In sticky PMKID caching, the client stores multiple PMKIDs. This approach is not practical because it requires full authentication for each new access point and is not guaranteed to work in all conditions. In contrast, opportunistic PMKID caching stores only one PMKID per client and is not subject to the limi