Access Point Communication Protocols
In controller software release 5.2 or later, Cisco lightweight access points use the IETF standard Control and Provisioning of Wireless Access Points Protocol (CAPWAP) to communicate with the controller and other lightweight access points on the network. Controller software releases prior to 5.2 use the Lightweight Access Point Protocol (LWAPP) for these communications.
CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that enables a controller to manage a collection of wireless access points. CAPWAP is being implemented in controller software release 5.2 and later for these reasons:
- To provide an upgrade path from Cisco products that use LWAPP to next-generation Cisco products that use CAPWAP
- To manage RFID readers and similar devices
- To enable controllers to interoperate with third-party access points in the future
LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless. For example, the controller discovery process and the firmware downloading process when using CAPWAP are the same as when using LWAPP. The one exception is for Layer 2 deployments, which are not supported by CAPWAP.
You can deploy CAPWAP controllers and LWAPP controllers on the same network. The CAPWAP-enabled software allows access points to join either a controller running CAPWAP or LWAPP. The only exception is the Cisco Aironet 1140 Series Access Point, which supports only CAPWAP and therefore joins only controllers running CAPWAP. For example, an 1130 series access point can join a controller running either CAPWAP or LWAPP whereas an 1140 series access point can join only a controller running CAPWAP.
Note The 5500 series controllers only support CAPWAP because 6.0 is the first software release for these controllers.
Guidelines for Using CAPWAP
Follow these guidelines when using CAPWAP:
- If your firewall is currently configured to allow traffic only from access points using LWAPP, you must change the rules of the firewall to allow traffic from access points using CAPWAP.
- Make sure that the CAPWAP UDP ports 5246 and 5247 (similar to the LWAPP UDP ports 12222 and 12223) are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller.
- If access control lists (ACLs) are in the control path between the controller and its access points, you need to open new protocol ports to prevent access points from being stranded.
Configuring Data Encryption
Cisco 5500 series controllers enable you to encrypt CAPWAP control packets (and optionally CAPWAP data packets) that are sent between the access point and the controller using Datagram Transport Layer Security (DTLS). DTLS is a standards-track Internet Engineering Task Force (IETF) protocol based on TLS. CAPWAP control packets are management packets exchanged between a controller and an access point while CAPWAP data packets encapsulate forwarded wireless frames. CAPWAP control and data packets are sent over separate UDP ports: 5246 (control) and 5247 (data). If an access point does not support DTLS data encryption, DTLS is enabled only for the control plane, and a DTLS session for the data plane is not established.
Note Only 5500 series controllers support data encryption. This feature is not available on other controller platforms. If an access point with data encryption enabled tries to join any other controller, the access point joins the controller, but data packets are sent unencrypted.
Note Cisco 1130 and 1240 series access points support DTLS data encryption with software-based encryption, and 1140 and 1250 series access points support DTLS data encryption with hardware-based encryption. Data-encrypted access points can join a 5500 series controller only if the wplus license is installed on the controller. If the wplus license is not installed, the access points cannot join the controller.
DTLS data encryption is enabled automatically for OfficeExtend access points but disabled by default for all other access points. Most access points are deployed in a secure network within a company building, so data encryption is not necessary. In contrast, the traffic between an OfficeExtend access point and the controller travels through an unsecure public network, so data encryption is more important for these access points. When data encryption is enabled, traffic is encrypted at the access point before it is sent to the controller and at the controller before it is sent to the client.
Note Encryption limits throughput at both the controller and the access point, and maximum throughput is desired for most enterprise networks.
Caution In a Cisco unified local wireless network environment, do not enable DTLS on the Cisco 1130 and 1240 access points, as it may result in severe throughput degradation and may render the APs unusable.
Note Refer to the “OfficeExtend Access Points” section for more information on OfficeExtend access points.
You can use the controller GUI or CLI to enable or disable DTLS data encryption for a specific access point or for all access points.
Using the GUI to Configure Data Encryption
Using the controller GUI, follow these steps to enable DTLS data encryption for access points on the controller.
Step 1 Make sure that the wplus license is installed on the 5500 series controller. Once the license is installed, you can enable data encryption for the access points.
Note Refer to the Configuring Controller Settings chapter for information on obtaining and installing licenses.
Step 2 Choose Wireless > Access Points > All APs to open the All APs page.
Step 3 Click the name of the access point for which you want to enable data encryption.
Step 4 Choose the Advanced tab to open the All APs > Details for (Advanced) page (see Figure 1).
Figure 1 All APs > Details for (Advanced) Page
Step 5 Check the Data Encryption check box to enable data encryption for this access point or uncheck it to disable this feature. The default value is unchecked.
Note Changing the data encryption mode requires the access points to rejoin the controller.
Step 6 Click Apply to commit your changes.
Step 7 Click Save Configuration to save your changes.
Using the CLI to Configure Data Encryption
Using the controller CLI, follow these steps to enable DTLS data encryption for access points on the controller.
Step 1 To enable or disable data encryption for all access points or a specific access point, enter this command:
config ap link-encryption {enable | disable} {all | Cisco_AP}
The default value is disabled.
Note Changing the data encryption mode requires the access points to rejoin the controller.
Step 2 When prompted to confirm that you want to disconnect the access point(s) and attached client(s), enter Y.
Step 3 To save your changes, enter this command:
save config
Step 4 To see the encryption state of all access points or a specific access point, enter this command:
show ap link-encryption {all | Cisco_AP}
Information similar to the following appears:
                 Encryption  Dnstream  Upstream  Last
AP Name          State       Count     Count     Update
---------------  ----------  --------  --------  --------
AP1140           En          232       2146      23:49
                 auth err: 198 replay err: 0
AP1240           En          6191      15011     22:13
This command also shows authentication errors, which track the number of integrity check failures, and replay errors, which track the number of times that the access point receives the same packet.
Step 5 To see a summary of all active DTLS connections, enter this command:
show dtls connections
Information similar to the following appears:
AP Name        Local Port     Peer IP           Peer Port      Ciphersuite
-------------  -------------  ----------------  -------------  ----------------------------
AP1130         Capwap_Ctrl    172.20.225.163    62369          TLS_RSA_WITH_AES_128_CBC_SHA
AP1250         Capwap_Ctrl    172.20.225.166    19917          TLS_RSA_WITH_AES_128_CBC_SHA
AP1140         Capwap_Ctrl    172.20.225.165    1904           TLS_RSA_WITH_AES_128_CBC_SHA
AP1140         Capwap_Data    172.20.225.165    1904           TLS_RSA_WITH_AES_128_CBC_SHA
AP1130         Capwap_Data    172.20.225.163    62369          TLS_RSA_WITH_AES_128_CBC_SHA
AP1250         Capwap_Data    172.20.225.166    19917          TLS_RSA_WITH_AES_128_CBC_SHA
Note If you experience any problems with DTLS data encryption, enter this command to debug all DTLS messages, events, traces, or packets: debug dtls {all | event | trace | packet} {enable | disable}.
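The two show outputs above are what a defender reviews to confirm that the data plane is actually protected. As an added example (not part of the Cisco guide), the following Python parses constructed samples of show dtls connections and show ap link-encryption, and reports access points that have only a Capwap_Ctrl DTLS session (their CAPWAP data on UDP 5247 is unencrypted), any non-AES ciphersuite, and nonzero auth/replay error counters. The AP names and 172.20.225.x peers in the samples are made up.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the 'show dtls connections' listing above.
DTLS_CONNECTIONS = """\
AP Name        Local Port     Peer IP           Peer Port      Ciphersuite
-------------  -------------  ----------------  -------------  ----------------------------
AP1130         Capwap_Ctrl    172.20.225.163    62369          TLS_RSA_WITH_AES_128_CBC_SHA
AP1250         Capwap_Ctrl    172.20.225.166    19917          TLS_RSA_WITH_AES_128_CBC_SHA
AP1140         Capwap_Ctrl    172.20.225.165    1904           TLS_RSA_WITH_AES_128_CBC_SHA
AP1140         Capwap_Data    172.20.225.165    1904           TLS_RSA_WITH_AES_128_CBC_SHA
AP1130         Capwap_Data    172.20.225.163    62369          TLS_RSA_WITH_AES_128_CBC_SHA
"""

# Constructed sample modelled on 'show ap link-encryption all'; the
# "auth err / replay err" line belongs to the AP row directly above it.
LINK_ENCRYPTION = """\
                 Encryption  Dnstream  Upstream  Last
AP Name          State       Count     Count     Update
---------------  ----------  --------  --------  --------
AP1140           En          232       2146      23:49
                 auth err: 198 replay err: 0
AP1130           En          6191      15011     22:13
                 auth err: 0 replay err: 4
AP1250           En          0         0         --
                 auth err: 0 replay err: 0
"""

DTLS_ROW = re.compile(
    r"^(?P<ap>\S+)\s+(?P<port>Capwap_Ctrl|Capwap_Data)\s+"
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(?P<suite>\S+)\s*$"
)
ENC_ROW = re.compile(r"^(?P<ap>\S+)\s+(?P<state>\S+)\s+\d+\s+\d+\s+\S+\s*$")
ERR_ROW = re.compile(r"auth err:\s*(?P<auth>\d+)\s+replay err:\s*(?P<replay>\d+)")


def parse_dtls_connections(text: str) -> Dict[str, Dict[str, str]]:
    """AP name -> {local port: ciphersuite}; header and separator lines never match."""
    sessions: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = DTLS_ROW.match(line)
        if m:
            sessions.setdefault(m["ap"], {})[m["port"]] = m["suite"]
    return sessions


def parse_link_encryption(text: str) -> Dict[str, Dict[str, int]]:
    """AP name -> {'auth_err': n, 'replay_err': n}, read from the continuation line."""
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        row = ENC_ROW.match(line)
        if row:
            current = row["ap"]
            stats[current] = {"auth_err": 0, "replay_err": 0}
            continue
        err = ERR_ROW.search(line)
        if err and current:
            stats[current]["auth_err"] = int(err["auth"])
            stats[current]["replay_err"] = int(err["replay"])
    return stats


def audit(dtls_text: str, enc_text: str) -> List[str]:
    """One finding per condition worth reviewing, ordered by AP name."""
    sessions = parse_dtls_connections(dtls_text)
    stats = parse_link_encryption(enc_text)
    findings: List[str] = []
    for ap in sorted(set(sessions) | set(stats)):
        ports = sessions.get(ap, {})
        # Control-plane DTLS without a data-plane session: the forwarded
        # wireless frames in the CAPWAP data tunnel cross the wire in clear.
        if "Capwap_Ctrl" in ports and "Capwap_Data" not in ports:
            findings.append(f"{ap}: control plane only; CAPWAP data (UDP 5247) is unencrypted")
        for port, suite in ports.items():
            if "AES" not in suite:
                findings.append(f"{ap}: {port} negotiated non-AES suite {suite}")
        counters = stats.get(ap, {})
        if counters.get("auth_err", 0):
            findings.append(f"{ap}: {counters['auth_err']} DTLS integrity check failures")
        if counters.get("replay_err", 0):
            findings.append(f"{ap}: {counters['replay_err']} replayed packets received")
    return findings


if __name__ == "__main__":
    for finding in audit(DTLS_CONNECTIONS, LINK_ENCRYPTION):
        print(finding)
```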
Viewing CAPWAP MTU Information
To view the maximum transmission unit (MTU) for the CAPWAP path on the controller, enter this command. The MTU specifies the maximum size of any packet (in bytes) in a transmission.
show ap config general Cisco_AP
Information similar to the following appears:
Cisco AP Identifier.............................. 9
Cisco AP Name.................................... Maria-1250
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A
Switch Port Number .............................. 1
MAC Address...................................... 00:1f:ca:bd:bc:7c
IP Address Configuration......................... DHCP
IP Address....................................... 1.100.163.193
IP NetMask....................................... 255.255.255.0
CAPWAP Path MTU.................................. 1485
...
Debugging CAPWAP
Use these CLI commands to obtain CAPWAP debug information:
- debug capwap events {enable | disable}—Enables or disables debugging of CAPWAP events.
- debug capwap errors {enable | disable}—Enables or disables debugging of CAPWAP errors.
- debug capwap detail {enable | disable}—Enables or disables debugging of CAPWAP details.
- debug capwap info {enable | disable}—Enables or disables debugging of CAPWAP information.
- debug capwap packet {enable | disable}—Enables or disables debugging of CAPWAP packets.
- debug capwap payload {enable | disable}—Enables or disables debugging of CAPWAP payloads.
- debug capwap hexdump {enable | disable}—Enables or disables debugging of the CAPWAP hexadecimal dump.
- debug capwap dtls-keepalive {enable | disable}—Enables or disables debugging of CAPWAP DTLS data keepalive packets.
The Controller Discovery Process
In a CAPWAP environment, a lightweight access point discovers a controller by using CAPWAP discovery mechanisms and then sends the controller a CAPWAP join request. The controller sends the access point a CAPWAP join response allowing the access point to join the controller. When the access point joins the controller, the controller manages its configuration, firmware, control transactions, and data transactions.
Upgrade and downgrade paths from LWAPP to CAPWAP or from CAPWAP to LWAPP are supported. An access point with an LWAPP image starts the discovery process in LWAPP. If it finds an LWAPP controller, it starts the LWAPP discovery process to join the controller. If it does not find an LWAPP controller, it starts the discovery in CAPWAP. If the number of times that the discovery process starts with one discovery type (CAPWAP or LWAPP) exceeds the maximum discovery count and the access point does not receive a discovery response, the discovery type changes to the other type. For example, if the access point does not discover the controller in LWAPP, it starts the discovery process in CAPWAP.
Note If an access point is in the UP state and its IP address changes, the access point tears down the existing CAPWAP tunnel and rejoins the controller. In previous software releases, the access point notifies the controller, and the session continues with the changed IP address without tearing down the session.
Note You must install software release 4.0.155.0 or later on the controller before connecting 1100 and 1300 series access points to the controller. The 1120 and 1310 access points were not supported prior to software release 4.0.155.0.
Note During the discovery process, the 1140 series access point will only query for Cisco CAPWAP Controllers. It will not query for LWAPP controllers. If you want this access point to query for both LWAPP and CAPWAP controllers then you need to update the DNS.
Note The Cisco controllers cannot edit or query any access point information using the CLI if the name of the access point contains a space.
Note Make sure that the controller is set to the current time. If the controller is set to a time that has already occurred, the access point might not join the controller because its certificate may not be valid for that time.
Access points must be discovered by a controller before they can become an active part of the network. The lightweight access points support these controller discovery processes:
- Layer 3 CAPWAP or LWAPP discovery—Can occur on different subnets from the access point and uses IP addresses and UDP packets rather than the MAC addresses used by Layer 2 discovery.
- Over-the-air provisioning (OTAP)—This feature is supported by Cisco 5500 and 4400 series controllers. If this feature is enabled on the controller (on the controller General page or through the config network otap-mode {enable | disable} CLI command), all associated access points transmit wireless CAPWAP or LWAPP neighbor messages, and new access points receive the controller IP address from these messages. This feature is disabled by default and should remain disabled when all access points are installed.
Note Disabling OTAP on the controller does not disable it on the access point. OTAP cannot be disabled on the access point.
Note For more information about OTAP, see http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100516-ustnd-otap.html
- Locally stored controller IP address discovery—If the access point was previously associated to a controller, the IP addresses of the primary, secondary, and tertiary controllers are stored in the access point’s non-volatile memory. This process of storing controller IP addresses on an access point for later deployment is called priming the access point.
- DHCP server discovery—This feature uses DHCP option 43 to provide controller IP addresses to the access points. Cisco switches support a DHCP server option that is typically used for this capability. For more information about DHCP option 43, see the “Using DHCP Option 43 and DHCP Option 60” section.
- DNS discovery—The access point can discover controllers through your domain name server (DNS). For the access point to do so, you must configure your DNS to return controller IP addresses in response to CISCO-LWAPP-CONTROLLER.localdomain, where localdomain is the access point domain name. When an access point receives an IP address and DNS information from a DHCP server, it contacts the DNS to resolve CISCO-LWAPP-CONTROLLER.localdomain. When the DNS sends a list of controller IP addresses, the access point sends discovery requests to the controllers.
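As an added example (not from the Cisco guide), the following Python shows what a DHCP server has to hand out for the option 43 discovery method above. Cisco lightweight access points read the controller list from an option 43 TLV in Cisco's published encoding: a type byte of 0xf1, a one-byte length, then the controller IPv4 addresses; the pool name, network and controller addresses below are constructed.

```python
import ipaddress
from typing import List

# Type code Cisco lightweight APs look for inside the option 43 vendor-specific
# field (0xf1 = 241). The value is a TLV: type, length, then controller IPv4s.
CISCO_LAP_TYPE = 0xF1


def encode_option43(controllers: List[str]) -> str:
    """Return the option 43 value for the given controller addresses as a hex string."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("too many controllers for a single-byte TLV length")
    return bytes([CISCO_LAP_TYPE, len(payload)]).hex() + payload.hex()


def decode_option43(hex_value: str) -> List[str]:
    """Inverse of encode_option43; rejects malformed TLVs instead of guessing."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 2 or raw[0] != CISCO_LAP_TYPE:
        raise ValueError("not a Cisco lightweight AP option 43 TLV")
    length, body = raw[1], raw[2:]
    if len(body) != length or length % 4:
        raise ValueError("TLV length does not match the IPv4 payload")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def ios_dhcp_pool(pool_name: str, network: str, controllers: List[str]) -> str:
    """Cisco IOS DHCP pool fragment that hands the controller list to joining APs."""
    net = ipaddress.IPv4Network(network)
    return "\n".join([
        f"ip dhcp pool {pool_name}",
        f" network {net.network_address} {net.netmask}",
        f" option 43 hex {encode_option43(controllers)}",
    ])


if __name__ == "__main__":
    # Constructed values: two controllers on 192.168.10.0/24, APs on 10.10.20.0/24.
    print(ios_dhcp_pool("AP-POOL", "10.10.20.0/24", ["192.168.10.5", "192.168.10.20"]))
```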
Verifying that Access Points Join the Controller
When replacing a controller, you need to make sure that access points join the new controller.
Using the GUI to Verify that Access Points Join the Controller
Follow these steps to ensure that access points join the new controller.
Step 1 Follow these steps to configure the new controller as a master controller.
a. Choose Controller > Advanced > Master Controller Mode to open the Master Controller Configuration page.
b. Check the Master Controller Mode check box.
c. Click Apply to commit your changes.
d. Click Save Configuration to save your changes.
Step 2 (Optional) Flush the ARP and MAC address tables within the network infrastructure. Ask your network administrator for more information about this step.
Step 3 Restart the access points.
Step 4 Once all the access points have joined the new controller, configure the controller not to be a master controller by unchecking the Master Controller Mode check box on the Master Controller Configuration page.
Using the CLI to Verify that Access Points Join the Controller
Follow these steps to ensure that access points join the new controller.
Step 1 To configure the new controller as a master controller, enter this command:
config network master-base enable
Step 2 (Optional) Flush the ARP and MAC address tables within the network infrastructure. Ask your network administrator for more information about this step.
Step 3 Restart the access points.
Step 4 To configure the controller not to be a master controller once all the access points have joined the new controller, enter this command:
config network master-base disable
Configuring Global Credentials for Access Points
Cisco IOS access points are shipped from the factory with Cisco as the default enable password. This password allows users to log into the non-privileged mode and execute show and debug commands, posing a security threat. The default enable password must be changed to prevent unauthorized access and to enable users to execute configuration commands from the access point’s console port.
In controller software releases prior to 5.0, you can set the access point enable password only for access points that are currently connected to the controller. In controller software release 5.0 or later, you can set a global username, password, and enable password that all access points inherit as they join the controller. This includes all access points that are currently joined to the controller and any that join in the future. If desired, you can override the global credentials and assign a unique username, password, and enable password for a specific access point.
Also in controller software release 5.0 or later, after an access point joins the controller, the access point enables console port security, and you are prompted for your username and password whenever you log into the access point’s console port. When you log in, you are in non-privileged mode, and you must enter the enable password in order to use the privileged mode.
Note These controller software release 5.0 (or later) features are supported on all access points that have been converted to lightweight mode, except the 1100 series. VxWorks access points are not supported.
The global credentials that you configure on the controller are retained across controller and access point reboots. They are overwritten only if the access point joins a new controller that is configured with a global username and password. If the new controller is not configured with global credentials, the access point retains the global username and password configured for the first controller.
Note You need to keep careful track of the credentials used by the access points. Otherwise, you might not be able to log into an access point’s console port. If you ever need to return the access points to the default Cisco/Cisco username and password, you must clear the controller’s configuration and the access point’s configuration to return them to factory default settings. To clear the controller’s configuration, choose Commands > Reset to Factory Default > Reset on the controller GUI, or enter clear config on the controller CLI. To clear the access point’s configuration, enter clear ap config Cisco_AP on the controller CLI. Entering this command does not clear the static IP address of the access point. Once the access point rejoins a controller, it adopts the default Cisco/Cisco username and password.
You can use the controller GUI or CLI to configure global credentials for access points that join the controller.
Using the GUI to Configure Global Credentials for Access Points
Using the controller GUI, follow these steps to configure global credentials for access points that join the controller.
Step 1 Choose Wireless > Access Points > Global Configuration to open the Global Configuration page (see Figure 7).
Figure 7 Global Configuration Page
Step 2 In the Username field, enter the username that is to be inherited by all access points that join the controller.
Step 3 In the Password field, enter the password that is to be inherited by all access points that join the controller.
Step 4 In the Enable Password field, enter the enable password that is to be inherited by all access points that join the controller.
Step 5 Click Apply to send the global username, password, and enable password to all access points that are currently joined to the controller or that join the controller in the future.
Step 6 Click Save Configuration to save your changes.
Step 7 If desired, you can choose to override the global credentials for a specific access point and assign a unique username, password, and enable password to this access point. Follow these steps to do so:
a. Choose Access Points > All APs to open the All APs page.
b. Click the name of the access point for which you want to override the global credentials.
c. Choose the Credentials tab. The All APs > Details for (Credentials) page appears (see Figure 8).
Figure 8 All APs > Details for (Credentials) Page
d. Check the Over-ride Global Credentials check box to prevent this access point from inheriting the global username, password, and enable password from the controller. The default value is unchecked.
e. In the Username, Password, and Enable Password fields, enter the unique username, password, and enable password that you want to assign to this access point.
Note The information that you enter is retained across controller and access point reboots and if the access point joins a new controller.
f. Click Apply to commit your changes.
g. Click Save Configuration to save your changes.
Note If you ever want to force this access point to use the controller’s global credentials, simply uncheck the Over-ride Global Credentials check box.
Using the CLI to Configure Global Credentials for Access Points
Using the controller CLI, follow these steps to configure global credentials for access points that join the controller.
Step 1 To configure the global username, password, and enable password for all access points currently joined to the controller as well as any access points that join the controller in the future, enter this command:
config ap mgmtuser add username user password password enablesecret enable_password all
Step 2 If desired, you can choose to override the global credentials for a specific access point and assign a unique username, password, and enable password to this access point. To do so, enter this command:
config ap mgmtuser add username user password password enablesecret enable_password Cisco_AP
The credentials that you enter in this command are retained across controller and access point reboots and if the access point joins a new controller.
Note If you ever want to force this access point to use the controller’s global credentials, enter this command: config ap mgmtuser delete Cisco_AP. The following message appears after you execute this command: “AP reverted to global username configuration.”
Step 3 To save your changes, enter this command:
save config
Step 4 To verify that global credentials are configured for all access points that join the controller, enter this command:
show ap summary
Information similar to the following appears:
Number of APs.................................... 1
Global AP User Name.............................. globalap

AP Name   Slots  AP Model             Ethernet MAC        Location            Port  Country
--------  -----  -------------------  ------------------  ------------------  ----  -------
HReap     2      AIR-AP1131AG-N-K9    00:13:80:60:48:3e   default location    1     US
Note If global credentials are not configured, the Global AP User Name field shows “Not Configured.”
Step 5 To see the global credentials configuration for a specific access point, enter this command:
show ap config general Cisco_AP
Note The name of the access point is case sensitive.
Information similar to the following appears:
Cisco AP Identifier.............................. 0
Cisco AP Name.................................... HReap
AP User Mode..................................... AUTOMATIC
AP User Name..................................... globalap
Note If this access point is configured for global credentials, the AP User Mode field shows “Automatic.” If the global credentials have been overridden for this access point, the AP User Mode field shows “Customized.”
Configuring Authentication for Access Points
You can configure 802.1X authentication between a lightweight access point and a Cisco switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning.
This feature is supported on the following hardware:
- Cisco Aironet 1130, 1140, 1240, and 1250 series access points
- All controller platforms running in local, hybrid-REAP, monitor, or sniffer mode. Bridge mode is not supported.
Note In hybrid-REAP mode, you can configure local switching with 802.1X authentication if you have configured a local external RADIUS server.
- All Cisco switches that support authentication
Note Refer to the Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 6.0 for a list of supported switch hardware and minimum supported software.
You can configure global authentication settings that all access points inherit as they join the controller. This includes all access points that are currently joined to the controller and any that join in the future. If desired, you can override the global authentication settings and assign unique authentication settings for a specific access point.
Observe the following flow for configuring authentication for access points:
1. If the access point is new, do the following:
a. Boot the access point with the installed recovery image.
b. If you choose not to follow this suggested flow and instead enable 802.1X authentication on the switch port connected to the access point prior to the access point joining the controller, enter the following command:
lwapp ap dot1x username username password password
Note If you choose to follow this suggested flow and enable 802.1X authentication on the switch port after the access point has joined the controller and received the configured 802.1X credentials, you do not need to enter this command.
Note This command is available only for access points that are running the 5.1, 5.2, or 6.0 recovery image.
c. Connect the access point to the switch port.
2. Install the 5.1, 5.2, or 6.0 image on the controller and reboot the controller.
3. Allow all access points to join the controller.
4. Configure authentication on the controller. See the “Using the GUI to Configure Authentication for Access Points” section or the “Using the CLI to Configure Authentication for Access Points” section for information on configuring authentication on the controller.
5. Configure the switch to allow authentication. See the “Configuring the Switch for Authentication” section for information on configuring the switch for authentication.
Using the GUI to Configure Authentication for Access Points
Using the controller GUI, follow these steps to configure authentication for access points that join the controller.
Step 1 Choose Wireless > Access Points > Global Configuration to open the Global Configuration page (see Figure 9).
Figure 9 Global Configuration Page
Step 2 Under 802.1x Supplicant Credentials, check the 802.1x Authentication check box.
Step 3 In the Username field, enter the username that is to be inherited by all access points that join the controller.
Step 4 In the Password and Confirm Password fields, enter the password that is to be inherited by all access points that join the controller.
Note You must enter a strong password in these fields. Strong passwords have the following characteristics:
- They are at least eight characters long.
- They contain a combination of upper- and lowercase letters, numbers, and symbols.
- They are not a word in any language.
Step 5 Click Apply to send the global authentication username and password to all access points that are currently joined to the controller and to any that join the controller in the future.
Step 6 Click Save Configuration to save your changes.
Step 7 If desired, you can choose to override the global authentication settings and assign a unique username and password to a specific access point. Follow these steps to do so:
a. Choose Access Points > All APs to open the All APs page.
b. Click the name of the access point for which you want to override the authentication settings.
c. Choose the Credentials tab to open the All APs > Details for (Credentials) page (see Figure 10).
Figure 10 All APs > Details for (Credentials) Page
d. Under 802.1x Supplicant Credentials, check the Over-ride Global Credentials check box to prevent this access point from inheriting the global authentication username and password from the controller. The default value is unchecked.
e. In the Username, Password, and Confirm Password fields, enter the unique username and password that you want to assign to this access point.
Note The information that you enter is retained across controller and access point reboots and whenever the access point joins a new controller.
f. Click Apply to commit your changes.
g. Click Save Configuration to save your changes.
Note If you ever want to force this access point to use the controller’s global authentication settings, simply uncheck the Over-ride Global Credentials check box.
Using the CLI to Configure Authentication for Access Points
Using the controller CLI, follow these steps to configure authentication for access points that join the controller.
Step 1 To configure the global authentication username and password for all access points currently joined to the controller as well as any access points that join the controller in the future, enter this command:
config ap dot1xuser add username user password password all
Note You must enter a strong password for the password parameter. Strong passwords have the following characteristics:
- They are at least eight characters long.
- They contain a combination of upper- and lowercase letters, numbers, and symbols.
- They are not a word in any language.
Step 2 If desired, you can choose to override the global authentication settings and assign a unique username and password to a specific access point. To do so, enter this command:
config ap dot1xuser add username user password password Cisco_AP
Note You must enter a strong password for the password parameter. See the note in Step 1 for the characteristics of strong passwords.
The authentication settings that you enter in this command are retained across controller and access point reboots and whenever the access point joins a new controller.
Note If you ever want to force this access point to use the controller’s global authentication settings, enter this command: config ap dot1xuser delete Cisco_AP. The following message appears after you execute this command: “AP reverted to global username configuration.”
Step 3 To save your changes, enter this command:
save config
Step 4 If you ever want to disable 802.1X authentication for all access points or for a specific access point, enter this command:
config ap dot1xuser disable {all | Cisco_AP}
Note You can disable 802.1X authentication for a specific access point only if global 802.1X authentication is not enabled. If global 802.1X authentication is enabled, you can disable 802.1X for all access points only.
Step 5 To view the authentication settings for all access points that join the controller, enter this command:
show ap summary
Information similar to the following appears:
Number of APs.................................... 1
Global AP User Name.............................. globalap
Global AP Dot1x User Name........................ globalDot1x
Note If global authentication settings are not configured, the Global AP Dot1x User Name field shows “Not Configured.”
Step 6 To view the authentication settings for a specific access point, enter this command:
show ap config general Cisco_AP
Note The name of the access point is case sensitive.
Information similar to the following appears:
Cisco AP Identifier.............................. 0
Cisco AP Name.................................. HReap
AP Dot1x User Mode............................... AUTOMATIC
AP Dot1x User Name............................... globalDot1x
Note If this access point is configured for global authentication, the AP Dot1x User Mode field shows “Automatic.” If the global authentication settings have been overridden for this access point, the AP Dot1x User Mode field shows “Customized.”
Configuring the Switch for Authentication
On the switch CLI, enter these commands to enable 802.1X authentication on a switch port:
Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# radius-server host ip_addr auth-port port acct-port port key key
Switch(config)# interface fastethernet2/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Autonomous Access Points Converted to Lightweight Mode
You can use an upgrade conversion tool to convert autonomous Cisco Aironet 1100, 1130AG, 1200, 1240AG, and 1300 Series Access Points to lightweight mode. When you upgrade one of these access points to lightweight mode, the access point communicates with a controller and receives a configuration and software image from the controller.
Refer to the Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode document for instructions on upgrading an autonomous access point to lightweight mode. You can find this document at this URL:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01101010.html
Guidelines for Using Access Points Converted to Lightweight Mode
Keep these guidelines in mind when you use autonomous access points that have been converted to lightweight mode:
- Access points converted to lightweight mode do not support Wireless Domain Services (WDS). Converted access points communicate only with Cisco wireless LAN controllers and cannot communicate with WDS devices. However, the controller provides functionality equivalent to WDS when the access point associates to it.
- In controller software release 4.2 or later, all Cisco lightweight access points support 16 BSSIDs per radio and a total of 16 wireless LANs per access point. In previous releases, they supported only 8 BSSIDs per radio and a total of 8 wireless LANs per access point. When a converted access point associates to a controller, only wireless LANs with IDs 1 through 16 are pushed to the access point.
- Access points converted to lightweight mode must get an IP address and discover the controller using DHCP, DNS, or IP subnet broadcast.
- After you convert an access point to lightweight mode, the console port provides read-only access to the unit.
- The 1130AG and 1240AG access points support hybrid-REAP mode. See the Configuring Hybrid REAP chapter for details.
- The upgrade conversion tool adds the self-signed certificate (SSC) key-hash to only one of the controllers on the Cisco WiSM. After the conversion has been completed, add the SSC key-hash to the second controller on the Cisco WiSM by copying the SSC key-hash from the first controller to the second controller. To copy the SSC key-hash, open the AP Policies page of the controller GUI (Security > AAA > AP Policies) and copy the SSC key-hash from the SHA1 Key Hash column under AP Authorization List (see Figure 13). Then, using the second controller’s GUI, open the same page and paste the key-hash into the SHA1 Key Hash field under Add AP to Authorization List. If you have more than one Cisco WiSM, use WCS to push the SSC key-hash to all the other controllers.
Reverting from Lightweight Mode to Autonomous Mode
After you use the upgrade tool to convert an autonomous access point to lightweight mode, you can convert the access point from a lightweight unit back to an autonomous unit by loading a Cisco IOS release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP. In either method, the access point must be able to access a TFTP server that contains the Cisco IOS release to be loaded.
Using a Controller to Return to a Previous Release
Follow these steps to revert from lightweight mode to autonomous mode using a wireless LAN controller:
Step 1 Log into the CLI on the controller to which the access point is associated.
Step 2 Enter this command:
config ap tftp-downgrade tftp-server-ip-address filename access-point-name
Step 3 Wait until the access point reboots and reconfigure the access point using the CLI or GUI.
Using the MODE Button and a TFTP Server to Return to a Previous Release
Follow these steps to revert from lightweight mode to autonomous mode by using the access point MODE (reset) button to load a Cisco IOS release from a TFTP server:
Step 1 The PC on which your TFTP server software runs must be configured with a static IP address in the range of 10.0.0.2 to 10.0.0.30.
Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.123-7.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.
Step 3 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point.
Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
Step 5 Disconnect power from the access point.
Step 6 Press and hold the MODE button while you reconnect power to the access point.
Note The MODE button on the access point must be enabled. Follow the steps in the “Disabling the Reset Button on Access Points Converted to Lightweight Mode” section to check the status of the access point MODE button.
Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds), and release the MODE button.
Step 8 Wait until the access point reboots as indicated by all LEDs turning green followed by the Status LED blinking green.
Step 9 After the access point reboots, reconfigure the access point using the GUI or the CLI.
Authorizing Access Points
In controller software releases prior to 5.2, the controller may either use self-signed certificates (SSCs) to authenticate access points or send the authorization information to a RADIUS server (if access points have manufactured-installed certificates [MICs]). In controller software release 5.2 or later, you can configure the controller to use a local significant certificate (LSC).
Authorizing Access Points Using SSCs
The Control and Provisioning of Wireless Access Points protocol (CAPWAP) secures the control communication between the access point and controller by means of a secure key distribution requiring X.509 certificates on both the access point and controller. CAPWAP relies on a priori provisioning of the X.509 certificates. Cisco Aironet access points shipped before July 18, 2005 do not have a MIC, so these access points create an SSC when upgraded to operate in lightweight mode. Controllers are programmed to accept local SSCs for authentication of specific access points and do not forward those authentication requests to a RADIUS server. This behavior is acceptable and secure.
Authorizing Access Points Using MICs
You can configure controllers to use RADIUS servers to authorize access points using MICs. The controller uses an access point’s MAC address as both the username and password when sending the information to a RADIUS server. For example, if the MAC address of the access point is 000b85229a70, both the username and password used by the controller to authorize the access point are 000b85229a70.
Note The use of the access point’s MAC address rather than a strong password should not be an issue because the controller uses the MIC to authenticate the access point before authorizing it through the RADIUS server. Using the MIC provides strong authentication.
Note If you use the MAC address as the username and password for access point authentication on a RADIUS AAA server, do not use the same AAA server for client authentication.
Authorizing Access Points Using LSCs
You can use an LSC if you want your own public key infrastructure (PKI) to provide better security, to have control of your certificate authority (CA), and to define policies, restrictions, and usages on the generated certificates.
The LSC CA certificate is installed on access points and controllers. You need to provision the device certificate on the access point. The access point gets a signed X.509 certificate by sending a certRequest to the controller. The controller acts as a CA proxy and receives the certRequest signed by the CA for the access point.
Note Access points that are configured for bridge mode are not supported.
Using the GUI to Configure LSC
Using the controller GUI, follow these steps to enable the use of LSC on the controller.
Step 1 Choose Security > Certificate > LSC to open the Local Significant Certificates (LSC) - General page (see Figure 11).
Figure 11 Local Significant Certificates (LSC) - General Page
Step 2 To enable LSC on the system, check the Enable LSC on Controller check box.
Step 3 In the CA Server URL field, enter the URL to the CA server. You can enter either a domain name or an IP address.
Step 4 In the Params fields, enter the parameters for the device certificate. The key size is a value from 384 to 2048 (in bits), and the default value is 2048.
Step 5 Click Apply to commit your changes.
Step 6 To add the CA certificate into the controller’s CA certificate database, hover your cursor over the blue drop-down arrow for the certificate type and choose Add.
Step 7 Choose the AP Provisioning tab to open the Local Significant Certificates (LSC) - AP Provisioning page (see Figure 12).
Figure 12 Local Significant Certificates (LSC) - AP Provisioning Page
Step 8 To provision the LSC on the access point, check the Enable check box and click Update.
Step 9 When a message appears indicating that the access points will be rebooted, click OK.
Step 10 In the Number of Attempts to LSC field, enter the number of times that the access point attempts to join the controller using an LSC before the access point reverts to the default certificate (MIC or SSC). The range is 0 to 255 (inclusive), and the default value is 3.
Note If you set the number of retries to a non-zero value and the access point fails to join the controller using an LSC after the configured number of retries, the access point reverts to the default certificate. If you set the number of retries to 0 and the access point fails to join the controller using an LSC, the access point does not attempt to join the controller using the default certificate.
Note If you are configuring LSC for the first time, Cisco recommends that you configure a non-zero value.
Step 11 To add access points to the provision list, enter the access point MAC address in the AP Ethernet MAC Addresses field and click Add.
Note To remove an access point from the provision list, hover your cursor over the blue drop-down arrow for the access point and choose Remove.
Note If you configure an access point provision list, only the access points in the provision list are provisioned when you enable AP provisioning. If you do not configure an access point provision list, all access points with a MIC or SSC certificate that join the controller are LSC provisioned.
Step 12 Click Apply to commit your changes.
Step 13 Click Save Configuration to save your changes.
Using the CLI to Configure LSC
Using the controller CLI, follow these steps to enable the use of LSC on the controller.
Step 1 To enable LSC on the system, enter this command:
config certificate lsc {enable | disable}
Step 2 To configure the URL to the CA server, enter this command:
config certificate lsc ca-server http://url:port/path
where url can be either a domain name or IP address.
Note You can configure only one CA server. To configure a different CA server, delete the configured CA server using the config certificate lsc ca-server delete command; then configure a different CA server.
Step 3 To add the LSC CA certificate into the controller’s CA certificate database, enter this command:
config certificate lsc ca-cert {add | delete}
Step 4 To configure the parameters for the device certificate, enter this command:
config certificate lsc subject-params country state city orgn dept email
Note The common name (CN) is generated automatically on the access point using the current MIC/SSC format Cxxxx-MacAddr, where xxxx is the product number.
Step 5 To configure a key size, enter this command:
config certificate lsc other-params keysize
The keysize is a value from 384 to 2048 (in bits), and the default value is 2048.
Step 6 To add access points to the provision list, enter this command:
config certificate lsc ap-provision auth-list add AP_mac_addr
Note To remove access points from the provision list, enter this command: config certificate lsc ap-provision auth-list delete AP_mac_addr.
Note If you configure an access point provision list, only the access points in the provision list are provisioned when you enable AP provisioning (in Step 8). If you do not configure an access point provision list, all access points with a MIC or SSC certificate that join the controller are LSC provisioned.
Step 7 To configure the number of times that the access point attempts to join the controller using an LSC before the access point reverts to the default certificate (MIC or SSC), enter this command:
config certificate lsc ap-provision revert-cert retries
where retries is a value from 0 to 255, and the default value is 3.
Note If you set the number of retries to a non-zero value and the access point fails to join the controller using an LSC after the configured number of retries, the access point reverts to the default certificate. If you set the number of retries to 0 and the access point fails to join the controller using an LSC, the access point does not attempt to join the controller using the default certificate.
Note If you are configuring LSC for the first time, Cisco recommends that you configure a non-zero value.
Step 8 To provision the LSC on the access point, enter this command:
config certificate lsc ap-provision {enable | disable}
Step 9 To view the LSC summary, enter this command:
show certificate lsc summary
Information similar to the following appears:
LSC Enabled.......................................... Yes
LSC CA-Server........................................ http://10.0.0.1:8080/caserver
LSC AP-Provisioning.................................. Yes
Provision-List................................... Not Configured
LSC Revert Count in AP reboots................... 3
Country.......................................... 4
State............................................ ca
City............................................. ss
Orgn............................................. org
Dept............................................. dep
Email............................................ dep@co.com
KeySize.......................................... 390
CA Cert.......................................... Not Configured
RA Cert....................................... Not Configured
Step 10 To view details about the access points that are provisioned using LSC, enter this command:
show certificate lsc ap-provision
Information similar to the following appears:
LSC AP-Provisioning........................... Yes
Provision-List................................ Present
Idx Mac Address
--- ------------
Using the GUI to Authorize Access Points
Using the controller GUI, follow these steps to authorize access points.
Step 1 Choose Security > AAA > AP Policies to open the AP Policies page (see Figure 13).
Figure 13 AP Policies Page
Step 2 If you want the access point to accept self-signed certificates (SSCs), manufactured-installed certificates (MICs), or local significant certificates (LSCs), check the appropriate check box.
Step 3 If you want the access points to be authorized using a AAA RADIUS server, check the Authorize MIC APs against auth-list or AAA check box.
Step 4 If you want the access points to be authorized using an LSC, check the Authorize LSC APs against auth-list check box.
Step 5 Click Apply to commit your changes.
Step 6 Follow these steps to add an access point to the controller’s authorization list:
a. Click Add to access the Add AP to Authorization List area.
b. In the MAC Address field, enter the MAC address of the access point.
c. From the Certificate Type drop-down box, choose MIC, SSC, or LSC.
d. Click Add. The access point appears in the access point authorization list.
Note To remove an access point from the authorization list, hover your cursor over the blue drop-down arrow for the access point and choose Remove.
Note To search for a specific access point in the authorization list, enter the MAC address of the access point in the Search by MAC field and click Search.
Using the CLI to Authorize Access Points
Using the controller CLI, follow these steps to authorize access points.
Step 1 To configure an access point authorization policy, enter this command:
config auth-list ap-policy {authorize-ap {enable | disable} | authorize-lsc-ap {enable | disable}}
Step 2 To configure an access point to accept manufactured-installed certificates (MICs), self-signed certificates (SSCs), or local significant certificates (LSCs), enter this command:
config auth-list ap-policy {mic | ssc | lsc {enable | disable}}
Step 3 To add an access point to the authorization list, enter this command:
config auth-list add {mic | ssc | lsc} ap_mac [ap_key]
where ap_key is an optional key hash value equal to 20 bytes or 40 digits.
Note To delete an access point from the authorization list, enter this command: config auth-list delete ap_mac.
Step 4 To view the access point authorization list, enter this command:
show auth-list
Information similar to the following appears:
Authorize MIC APs against AAA ....................... disabled
Authorize LSC APs against Auth-List ................. disabled
Allow APs with MIC - Manufactured Installed C ....... enabled
Allow APs with SSC - Self-Signed Certificate ........ enabled
Allow APs with LSC - Locally Significant Cert ....... enabled
Mac Addr                Cert Type  Key Hash
----------------------- ---------- ---------------------------------------------
00:12:79:de:65:99       SSC        ca528236137130d37049a5ef3d1983b30ad7e543
00:16:36:91:9a:27       MIC        593f34e7cb151997a28cc7da2a6cac040b329636
Using DHCP Option 43 and DHCP Option 60
Cisco Aironet access points use the type-length-value (TLV) format for DHCP option 43. DHCP servers must be programmed to return the option based on the access point’s DHCP Vendor Class Identifier (VCI) string (DHCP option 60).
Table 1 lists the VCI strings for Cisco access points capable of operating in lightweight mode.
Table 1 VCI Strings For Lightweight Access Points
| Access Point | VCI String |
| Cisco Aironet 1130 Series | Cisco AP c1130 |
| Cisco Aironet 1140 Series | Cisco AP c1140 |
| Cisco Aironet 1200 Series | Cisco AP c1200 |
| Cisco Aironet 1240 Series | Cisco AP c1240 |
| Cisco Aironet 1250 Series | Cisco AP c1250 |
| Cisco AP801 Embedded Access Point | Cisco AP801 |
This is the format of the TLV block:
- Type: 0xf1 (decimal 241)
- Length: Number of controller IP addresses * 4
- Value: List of the IP addresses of controller management interfaces
Refer to the product documentation for your DHCP server for instructions on configuring DHCP option 43. The Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode document contains example steps for configuring option 43 on a DHCP server.
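The following Python is an added example (not Cisco code) that builds and decodes the option 43 TLV block described above and keys it off the option 60 VCI strings from Table 1; the controller addresses in the sample run are constructed.

```python
"""Build and validate the DHCP option 43 TLV block that Cisco lightweight access
points expect: type 0xf1, length = 4 * number of controllers, value = the
controller management IPv4 addresses. Added example, not Cisco code."""
import ipaddress
import struct

# Type byte of the controller-list TLV (decimal 241).
OPTION43_TYPE = 0xF1

# VCI strings (DHCP option 60) from Table 1. A DHCP server should return the
# controller list only to clients that identify themselves with one of these.
LIGHTWEIGHT_VCI = {
    "Cisco AP c1130", "Cisco AP c1140", "Cisco AP c1200",
    "Cisco AP c1240", "Cisco AP c1250", "Cisco AP801",
}


def build_option43(controllers):
    """Encode controller management IPs into the TLV block.

    Anything that is not an IPv4 address raises ValueError: a malformed block
    is simply ignored by the access point and the join never starts.
    """
    if not controllers:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return struct.pack("BB", OPTION43_TYPE, len(value)) + value


def decode_option43(blob):
    """Parse a TLV block back into dotted controller addresses.

    Checks the three things that most often go wrong when the option is typed
    into a DHCP server by hand: wrong type byte, a length that is not a
    multiple of 4, and a length that does not match the bytes present.
    """
    if len(blob) < 2:
        raise ValueError("block too short for a type/length header")
    tlv_type, length = struct.unpack("BB", blob[:2])
    if tlv_type != OPTION43_TYPE:
        raise ValueError(f"type 0x{tlv_type:02x}, expected 0x{OPTION43_TYPE:02x}")
    if length % 4 != 0:
        raise ValueError(f"length {length} is not a multiple of 4")
    value = blob[2:]
    if len(value) != length:
        raise ValueError(f"length field says {length} bytes, got {len(value)}")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def option43_for_vci(vci, controllers):
    """Return the option 43 block for a client that sent the given option 60
    string, or None when the VCI is not a lightweight-capable Cisco AP."""
    if vci not in LIGHTWEIGHT_VCI:
        return None
    return build_option43(controllers)


if __name__ == "__main__":
    # Constructed sample: two controller management interfaces.
    block = build_option43(["10.126.126.2", "10.127.127.2"])
    print(block.hex())             # hex string for a DHCP server's raw option field
    print(decode_option43(block))  # round-trips to the same two addresses
```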
Troubleshooting the Access Point Join Process
Access points can fail to join a controller for many reasons: a RADIUS authorization is pending, self-signed certificates are not enabled on the controller, the access point and controller’s regulatory domains do not match, and so on.
Note For join information specific to an OfficeExtend access point, refer to the “OfficeExtend Access Points” section.
Controller software release 5.2 or later enables you to configure the access points to send all CAPWAP-related errors to a syslog server. You do not need to enable any debug commands on the controller because all of the CAPWAP error messages can be viewed from the syslog server itself.
The state of the access point is not maintained on the controller until it receives a CAPWAP join request from the access point. Therefore, it can be difficult to determine why the CAPWAP discovery request from a certain access point was rejected. In order to troubleshoot such joining issues without enabling CAPWAP debug commands on the controller, the controller collects information for all access points that send a discovery message to this controller and maintains information for any access points that have successfully joined this controller.
The controller collects all join-related information for each access point that sends a CAPWAP discovery request to the controller. Collection begins with the first discovery message received from the access point and ends with the last configuration payload sent from the controller to the access point.
You can view join-related information for the following numbers of access points:
- Up to 250 access points for 5500 series controllers
- Up to 300 access points for 4400 series controllers, the Cisco WiSM, and the Catalyst 3750G Integrated Wireless LAN Controller Switch
- Up to three times the maximum number of access points supported by the platform for the 2100 series controllers and the Controller Network Module within the Cisco 28/37/38xx Series Integrated Services Routers
When the controller is maintaining join-related information for the maximum number of access points, it does not collect information for any more access points.
An access point sends all syslog messages to IP address 255.255.255.255 by default when any of the following conditions are met:
- An access point running software release 4.2 or later has been newly deployed.
- An existing access point running a software release prior to 4.2 has been upgraded to 4.2 or a later release.
- An existing access point running software release 4.2 or later has been reset after clearing the configuration.
If any of these conditions are met and the access point has not yet joined a controller, you can also configure a DHCP server to return a syslog server IP address to the access point using option 7 on the server. The access point then starts sending all syslog messages to this IP address.
You can also configure the syslog server IP address through the access point CLI, provided the access point is currently not connected to the controller. The relevant command is lwapp ap log-server syslog_server_IP_address.
When the access point joins a controller for the first time, the controller pushes the global syslog server IP address (the default is 255.255.255.255) to the access point. After that, the access point sends all syslog messages to this IP address, until it is overridden by one of the following scenarios:
- The access point is still connected to the same controller, and the global syslog server IP address configuration on the controller has been changed using the config ap syslog host global syslog_server_IP_address command. In this case, the controller pushes the new global syslog server IP address to the access point.
- The access point is still connected to the same controller, and a specific syslog server IP address has been configured for the access point on the controller using the config ap syslog host specific Cisco_AP syslog_server_IP_address command. In this case, the controller pushes the new specific syslog server IP address to the access point.
- The access point gets disconnected from the controller, and the syslog server IP address has been configured from the access point CLI using the lwapp ap log-server syslog_server_IP_address command. This command works only if the access point is not connected to any controller.
- The access point gets disconnected from the controller and joins another controller. In this case, the new controller pushes its global syslog server IP address to the access point.
Whenever a new syslog server IP address overrides the existing syslog server IP address, the old address is erased from persistent storage, and the new address is stored in its place. The access point also starts sending all syslog messages to the new IP address, provided the access point can reach the syslog server IP address.
You can configure the syslog server for access points using the controller GUI and view the access point join information using the controller GUI or CLI.
Configuring the Syslog Server for Access Points
Follow these steps to configure the syslog server for access points using the controller CLI.
Step 1 Perform one of the following:
- To configure a global syslog server for all access points that join this controller, enter this command:
config ap syslog host global syslog_server_IP_address
Note By default, the global syslog server IP address for all access points is 255.255.255.255. Make sure that the access points can reach the subnet on which the syslog server resides before configuring the syslog server on the controller. If the access points cannot reach this subnet, the access points are unable to send out syslog messages.
- To configure a syslog server for a specific access point, enter this command:
config ap syslog host specific Cisco_AP syslog_server_IP_address
Note By default, the syslog server IP address for each access point is 0.0.0.0, indicating that it is not yet set. When the default value is used, the global access point syslog server IP address is pushed to the access point.
Step 2 To save your changes, enter this command:
save config
Step 3 To see the global syslog server settings for all access points that join the controller, enter this command:
show ap config global
Information similar to the following appears:
AP global system logging host.................... 255.255.255.255
Step 4 To see the syslog server settings for a specific access point, enter this command:
show ap config general Cisco_AP
Viewing Access Point Join Information
Join statistics for an access point that sends a CAPWAP discovery request to the controller at least once are maintained on the controller even if the access point is rebooted or disconnected. These statistics are removed only when the controller is rebooted or when you choose to clear the statistics.
Using the GUI to View Access Point Join Information
Using the controller GUI, follow these steps to view access point join information.
Step 1 Choose Monitor > Statistics > AP Join to open the AP Join Stats page (see Figure 14).
Figure 14 AP Join Stats Page
This page lists all of the access points that are joined to the controller or that have tried to join. It shows the radio MAC address, access point name, current join status, Ethernet MAC address, IP address, and last join time for each access point.
The total number of access points appears in the upper right-hand corner of the page. If the list of access points spans multiple pages, you can view these pages by clicking the page number links. Each page shows the join statistics for up to 25 access points.
Note If you ever want to remove an access point from the list, hover your cursor over the blue drop-down arrow for that access point and click Remove.
Note If you ever want to clear the statistics for all access points and start over, click Clear Stats on All APs.
Step 2 If you want to search for specific access points in the list of access points on the AP Join Stats page, follow these steps to create a filter to display only access points that meet certain criteria (such as MAC address or access point name).
Note This feature is especially useful if your list of access points spans multiple pages, preventing you from viewing them all at once.
a. Click Change Filter to open the Search AP window (see Figure 15).
Figure 15 Search AP Window
b. Check one of the following check boxes to specify the criteria used when displaying access points:
- MAC Address—Enter the base radio MAC address of an access point.
- AP Name—Enter the name of an access point.
Note When you enable one of these filters, the other filter is disabled automatically.
c. Click Find to commit your changes. Only the access points that match your search criteria appear on the AP Join Stats page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, MAC Address:00:1e:f7:75:0a:a0 or AP Name:pmsk-ap).
Note If you want to remove the filter and display the entire access point list, click Clear Filter.
Step 3 To see detailed join statistics for a specific access point, click the radio MAC address of the access point. The AP Join Stats Detail page appears (see Figure 16).
Figure 16 AP Join Stats Detail Page
This page provides information from the controller’s perspective on each phase of the join process and shows any errors that have occurred.
Using the CLI to View Access Point Join Information
Use these CLI commands to view access point join information:
- To see the MAC addresses of all the access points that are joined to the controller or that have tried to join, enter this command:
show ap join stats summary all
Information similar to the following appears:
Number of APs.............................................. 4
Base Mac           AP EthernetMac     AP Name  IP Address     Status
00:0b:85:57:bc:c0  00:0b:85:57:bc:c0  AP1130   10.10.163.217  Joined
00:1c:0f:81:db:80  00:1c:63:23:ac:a0  AP1140   10.10.163.216  Not joined
00:1c:0f:81:fc:20  00:1b:d5:9f:7d:b2  AP1      10.10.163.215  Joined
00:21:1b:ea:36:60  00:0c:d4:8a:6b:c1  AP2      10.10.163.214  Not joined
- To see the last join error detail for a specific access point, enter this command:
show ap join stats summary ap_mac
where ap_mac is the MAC address of the 802.11 radio interface.
Note To obtain the MAC address of the 802.11 radio interface, enter this command on the access point CLI: show interfaces Dot11Radio 0
Information similar to the following appears:
Is the AP currently connected to controller................ Yes
Time at which the AP joined this controller last time...... Aug 21 12:50:36.061
Type of error that occurred last........................... AP got or has been disconnected
Reason for error that occurred last........................ The AP has been reset by the controller
Time at which the last join error occurred.............. Aug 21 12:50:34.374
- To see all join-related statistics collected for a specific access point, enter this command:
show ap join stats detailed ap_mac
Information similar to the following appears:
Discovery phase statistics
- Discovery requests received.............................. 2
- Successful discovery responses sent...................... 2
- Unsuccessful discovery request processing................ 0
- Reason for last unsuccessful discovery attempt........... Not applicable
- Time at last successful discovery attempt................ Aug 21 12:50:23.335
- Time at last unsuccessful discovery attempt.............. Not applicable
- Join requests received................................... 1
- Successful join responses sent........................... 1
- Unsuccessful join request processing..................... 1
- Reason for last unsuccessful join attempt................ RADIUS authorization
- Time at last successful join attempt..................... Aug 21 12:50:34.481
- Time at last unsuccessful join attempt................... Aug 21 12:50:34.374
Configuration phase statistics
- Configuration requests received.......................... 1
- Successful configuration responses sent.................. 1
- Unsuccessful configuration request processing............ 0
- Reason for last unsuccessful configuration attempt....... Not applicable
- Time at last successful configuration attempt............ Aug 21 12:50:34.374
- Time at last unsuccessful configuration attempt.......... Not applicable
Last AP message decryption failure details
- Reason for last message decryption failure............... Not applicable
Last AP disconnect details
- Reason for last AP connection failure.................... The AP has been reset by the controller
- Type of error that occurred last......................... AP got or has been disconnected
- Reason for error that occurred last...................... The AP has been reset by the controller
- Time at which the last join error occurred............... Aug 21 12:50:34.374
-
To clear the join statistics for all access points or for a specific access point, enter this command:
clear ap join stats
{
all
|
ap_mac
}
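The join statistics above are the first place to look when an access point fails to join, and the "Reason for last unsuccessful join attempt" and "Reason for last message decryption failure" fields are the ones worth alerting on. As an added example that is not part of the Cisco guide, the following Python script parses the dot-leader "label.... value" lines of show ap join stats detailed into a dictionary and reports every phase whose failure counter is non-zero together with the last recorded reason. The sample text is constructed from the output shown above; the function names are assumptions made for this illustration.

```python
"""Parse Cisco WLC `show ap join stats detailed` output and surface join failures.

Added example: the parsing and the checks are not controller features; the
function names are assumptions made for this illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the output the guide shows (not captured live).
SAMPLE_JOIN_STATS = """\
Discovery phase statistics
- Discovery requests received.............................. 2
- Successful discovery responses sent...................... 2
- Unsuccessful discovery request processing................ 0
- Reason for last unsuccessful discovery attempt........... Not applicable
- Time at last successful discovery attempt................ Aug 21 12:50:23.335
- Time at last unsuccessful discovery attempt.............. Not applicable
- Join requests received................................... 1
- Successful join responses sent........................... 1
- Unsuccessful join request processing..................... 1
- Reason for last unsuccessful join attempt................ RADIUS authorization
- Time at last successful join attempt..................... Aug 21 12:50:34.481
- Time at last unsuccessful join attempt................... Aug 21 12:50:34.374
Configuration phase statistics
- Configuration requests received.......................... 1
- Successful configuration responses sent.................. 1
- Unsuccessful configuration request processing............ 0
- Reason for last unsuccessful configuration attempt....... Not applicable
Last AP message decryption failure details
- Reason for last message decryption failure............... Not applicable
Last AP disconnect details
- Reason for last AP connection failure.................... The AP has been reset by the controller
"""

# Each statistic line is "- <label>....<value>"; the dot leader separates label from value.
FIELD_RE = re.compile(r"^-\s*(?P<label>.+?)\.{2,}\s*(?P<value>.*)$")

# (phase, failure-counter label, last-reason label) exactly as they appear in the output.
PHASES = (
    ("discovery", "Unsuccessful discovery request processing",
     "Reason for last unsuccessful discovery attempt"),
    ("join", "Unsuccessful join request processing",
     "Reason for last unsuccessful join attempt"),
    ("configuration", "Unsuccessful configuration request processing",
     "Reason for last unsuccessful configuration attempt"),
)


def parse_join_stats(text: str) -> Dict[str, str]:
    """Return {label: value} for every statistic line; section headings are skipped."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if m:
            fields[m.group("label").strip()] = m.group("value").strip()
    return fields


def _count(fields: Dict[str, str], label: str) -> int:
    """Integer value of a counter field; a missing or non-numeric field counts as zero."""
    try:
        return int(fields.get(label, "0"))
    except ValueError:
        return 0


def join_failures(fields: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """(phase, failures, last_reason) for each phase whose failure counter is non-zero."""
    return [
        (phase, _count(fields, count_label), fields.get(reason_label, "unknown"))
        for phase, count_label, reason_label in PHASES
        if _count(fields, count_label) > 0
    ]


def findings(text: str) -> List[str]:
    """Alert lines: failed phases plus any recorded DTLS message decryption failure."""
    fields = parse_join_stats(text)
    out = [f"{n} failed {phase} request(s); last reason: {reason}"
           for phase, n, reason in join_failures(fields)]
    decrypt = fields.get("Reason for last message decryption failure", "Not applicable")
    if decrypt != "Not applicable":
        out.append(f"message decryption failure: {decrypt}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_JOIN_STATS):
        print(line)
```

Run against the sample, the script reports the single rejected join and its reason ("RADIUS authorization"), which is the case the Implementing Security procedure later in this chapter produces when an access point's username is not in the AAA database.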
Using a Controller to Send Debug Commands to Access Points Converted to Lightweight Mode
Enter this command to enable the controller to send debug commands to an access point converted to lightweight mode:
debug ap {enable | disable | command cmd} Cisco_AP
When this feature is enabled, the controller sends debug commands to the converted access point as character strings. You can send any debug command supported by Cisco Aironet access points that run Cisco IOS software in lightweight mode.
Converted Access Points Send Crash Information to Controller
When a converted access point unexpectedly reboots, the access point stores a crash file on its local flash memory at the time of the crash. After the unit reboots, it sends the reason for the reboot to the controller. If the unit rebooted because of a crash, the controller pulls up the crash file using existing CAPWAP messages and stores it in the controller flash memory. The crash info copy is removed from the access point flash memory when the controller pulls it from the access point.
Converted Access Points Send Radio Core Dumps to Controller
When a radio module in a converted access point generates a core dump, the access point stores the core dump file of the radio on its local flash memory at the time of the radio crash. It sends a notification message to the controller indicating which radio generated a core dump file. The controller sends a trap alerting the network administrator, and the administrator can retrieve the radio core file from the access point.
The retrieved core file is stored in the controller flash and can subsequently be uploaded through TFTP or FTP to an external server for analysis. The core file is removed from the access point flash memory when the controller pulls it from the access point.
Using the CLI to Retrieve Radio Core Dumps
Using the controller CLI, follow these steps to retrieve the radio core dump file.
Step 1 To transfer the radio core dump file from the access point to the controller, enter this command:
config ap crash-file get-radio-core-dump slot Cisco_AP
For the slot parameter, enter the slot ID of the radio that crashed.
Step 2 To verify that the file was downloaded to the controller, enter this command:
show ap crash-file
Information similar to the following appears:
lrad_AP1130.rdump0 (156)
The number in parentheses indicates the size of the file. The size should be greater than zero if a core dump file is available.
Using the GUI to Upload Radio Core Dumps
Using the controller GUI, follow these steps to upload the radio core dump file to a TFTP or FTP server.
Step 1 Choose Commands > Upload File to open the Upload File from Controller page (see Figure 17).
Figure 17 Upload File from Controller Page
Step 2 From the File Type drop-down box, choose Radio Core Dump.
Step 3 From the Transfer Mode drop-down box, choose TFTP or FTP.
Step 4 In the IP Address field, enter the IP address of the TFTP or FTP server.
Step 5 In the File Path field, enter the directory path of the file.
Step 6 In the File Name field, enter the name of the radio core dump file.
Note The filename that you enter should match the filename generated on the controller. You can determine the filename on the controller by entering the show ap crash-file command.
Step 7 If you chose FTP as the Transfer Mode, follow these steps:
a. In the Server Login Username field, enter the FTP server login name.
b. In the Server Login Password field, enter the FTP server login password.
c. In the Server Port Number field, enter the port number of the FTP server. The default value for the server port is 21.
Step 8 Click Upload to upload the radio core dump file from the controller. A message appears indicating the status of the upload.
Using the CLI to Upload Radio Core Dumps
Using the controller CLI, follow these steps to upload the radio core dump file to a TFTP or FTP server.
Step 1 To transfer the file from the controller to a TFTP or FTP server, enter these commands:
-
transfer upload mode {tftp | ftp}
-
transfer upload datatype radio-core-dump
-
transfer upload serverip server_ip_address
-
transfer upload path server_path_to_file
-
transfer upload filename filename
Note The filename that you enter should match the filename generated on the controller. You can determine the filename on the controller by entering the show ap crash-file command.
Step 2 If you are using an FTP server, also enter these commands:
-
transfer upload username username
-
transfer upload password password
-
transfer upload port port
Note The default value for the port parameter is 21.
Step 3 To view the updated settings, enter this command:
transfer upload start
Step 4 When prompted to confirm the current settings and start the software upload, answer y.
Uploading Memory Core Dumps from Converted Access Points
By default, access points converted to lightweight mode do not send memory core dumps to the controller. This section provides instructions to upload access point core dumps using the controller GUI or CLI.
Using the GUI to Upload Access Point Core Dumps
Using the controller GUI, follow these steps to upload a core dump file of the access point.
Step 1 Choose Wireless > Access Points > All APs > access point name > the Advanced tab to open the All APs > Details for (Advanced) page (see Figure 18).
Figure 18 All APs > Details for (Advanced) Page
Step 2 To upload a core dump of the access point, check the AP Core Dump check box.
Step 3 In the TFTP Server IP field, enter the IP address of the TFTP server.
Step 4 In the File Name field, enter a name of the access point core dump file (such as dump.log).
Step 5 To compress the access point core dump file, check the File Compression check box. When you enable this option, the file is saved with a .gz extension (such as dump.log.gz). This file can be opened with WinZip.
Step 6 Click Apply to commit your changes.
Step 7 Click Save Configuration to save your changes.
Using the CLI to Upload Access Point Core Dumps
Using the controller CLI, follow these steps to upload a core dump file of the access point.
Step 1 To upload a core dump of the access point, enter this command on the controller:
config ap core-dump enable tftp_server_ip_address filename {compress | uncompress} {ap_name | all}
where
-
tftp_server_ip_address is the IP address of the TFTP server to which the access point sends core dump files,
Note The access point must be able to reach the TFTP server.
-
filename is the name that the access point uses to label the core file,
-
compress configures the access point to send compressed core files whereas uncompress configures the access point to send uncompressed core files, and
Note When you choose compress, the file is saved with a .gz extension (for example, dump.log.gz). This file can be opened with WinZip.
-
ap_name is the name of a specific access point for which core dumps are uploaded whereas all is all access points converted to lightweight mode.
Step 2 To save your changes, enter this command:
save config
Display of MAC Addresses for Converted Access Points
There are some differences in the way that controllers display the MAC addresses of converted access points on information pages in the controller GUI:
-
On the AP Summary page, the controller lists the Ethernet MAC addresses of converted access points.
-
On the AP Detail page, the controller lists the BSS MAC addresses and Ethernet MAC addresses of converted access points.
-
On the Radio Summary page, the controller lists converted access points by radio MAC address.
Disabling the Reset Button on Access Points Converted to Lightweight Mode
You can disable the reset button on access points converted to lightweight mode. The reset button is labeled MODE on the outside of the access point.
Use this command to disable or enable the reset button on one or all converted access points associated to a controller:
config ap reset-button {enable | disable} {ap-name | all}
The reset button on converted access points is enabled by default.
Configuring a Static IP Address on a Lightweight Access Point
If you want to specify an IP address for an access point rather than having one assigned automatically by a DHCP server, you can use the controller GUI or CLI to configure a static IP address for the access point. Static IP addresses are generally used only for deployments with a limited number of users.
Note Refer to the “Configuring DHCP” section for information on assigning IP addresses using DHCP.
An access point cannot discover the controller using domain name system (DNS) resolution if a static IP address is configured for the access point, unless you specify a DNS server and the domain to which the access point belongs. Previously, these parameters could be configured only using the CLI, but controller software release 6.0 expands this functionality to the GUI.
Note If you configure an access point to use a static IP address that is not on the same subnet on which the access point’s previous DHCP address was, the access point falls back to a DHCP address after the access point reboots. If the access point falls back to a DHCP address, the show ap config general Cisco_AP CLI command correctly shows that the access point is using a fallback IP address. However, the GUI shows both the static IP address and the DHCP address, but it does not identify the DHCP address as a fallback address.
Using the GUI to Configure a Static IP Address
Using the controller GUI, follow these steps to configure a static IP address for a lightweight access point.
Step 1 Choose Wireless > Access Points > All APs to open the All APs page.
Step 2 Click the name of the access point for which you want to configure a static IP address. The All APs > Details for (General) page appears (see Figure 19).
Figure 19 All APs > Details for (General) Page
Step 3 Under IP Config, check the Static IP check box if you want to assign a static IP address to this access point. The default value is unchecked.
Step 4 Enter the static IP address, netmask, and default gateway in the corresponding fields.
Step 5 Click Apply to commit your changes. The access point reboots and rejoins the controller, and the static IP address that you specified in Step 4 is sent to the access point.
Step 6 After the static IP address has been sent to the access point, you can configure the DNS server IP address and domain name. To do so, follow these steps:
a. In the DNS IP Address field, enter the IP address of the DNS server.
b. In the Domain Name field, enter the name of the domain to which the access point belongs.
c. Click Apply to commit your changes.
d. Click Save Configuration to save your changes.
Using the CLI to Configure a Static IP Address
Using the controller CLI, follow these steps to configure a static IP address for a lightweight access point.
Step 1 To configure a static IP address on the access point, enter this command:
config ap static-ip enable Cisco_AP ip_address mask gateway
Note To disable static IP for the access point, enter this command: config ap static-ip disable Cisco_AP.
Step 2 To save your changes, enter this command:
save config
The access point reboots and rejoins the controller, and the static IP address that you specified in Step 1 is pushed to the access point.
Step 3 After the static IP address has been sent to the access point, you can configure the DNS server IP address and domain name. To do so, follow these steps:
a. To specify a DNS server so that a specific access point or all access points can discover the controller using DNS resolution, enter this command:
config ap static-ip add nameserver {Cisco_AP | all} ip_address
Note To delete a DNS server for a specific access point or all access points, enter this command: config ap static-ip delete nameserver {Cisco_AP | all}.
b. To specify the domain to which a specific access point or all access points belong, enter this command:
config ap static-ip add domain {Cisco_AP | all} domain_name
Note To delete a domain for a specific access point or all access points, enter this command: config ap static-ip delete domain {Cisco_AP | all}.
c. To save your changes, enter this command:
save config
Step 4 To see the IP address configuration for the access point, enter this command:
show ap config general Cisco_AP
Information similar to the following appears:
Cisco AP Identifier.............................. 4
Cisco AP Name.................................... AP6
...
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.10.10.118
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 10.10.10.1
Domain........................................... Domain1
Name Server...................................... 10.10.10.205
...
Supporting Oversized Access Point Images
Controller software release 5.0 or later allows you to upgrade to an oversized access point image by automatically deleting the recovery image to create sufficient space. This feature affects only access points with 8 MB of flash (the 1100, 1200, and 1310 series access points). All newer access points have a larger flash size than 8 MB.
Note As of August 2007, there are no oversized access point images, but as new features are added, the access point image size will continue to grow.
The recovery image provides a backup image that can be used if an access point power-cycles during an image upgrade. The best way to avoid the need for access point recovery is to prevent an access point from power-cycling during a system upgrade. If a power-cycle occurs during an upgrade to an oversized access point image, you can recover the access point using the TFTP recovery procedure.
Follow these steps to perform the TFTP recovery procedure.
Step 1 Download the required recovery image from Cisco.com (c1100-rcvk9w8-mx, c1200-rcvk9w8-mx, or c1310-rcvk9w8-mx) and install it in the root directory of your TFTP server.
Step 2 Connect the TFTP server to the same subnet as the target access point and power-cycle the access point. The access point boots from the TFTP image and then joins the controller to download the oversized access point image and complete the upgrade procedure.
Step 3 After the access point has been recovered, you may remove the TFTP server.
OfficeExtend Access Points
An OfficeExtend access point provides secure communications from a controller to an access point at a remote location, seamlessly extending the corporate WLAN over the Internet to an employee’s residence. The teleworker’s experience at the home office is exactly the same as it would be at the corporate office. Datagram Transport Layer Security (DTLS) encryption between the access point and the controller ensures that all communications have the highest level of security.
Figure 20 illustrates a typical OfficeExtend access point setup.
Figure 20 Typical OfficeExtend Access Point Setup
Note OfficeExtend access points are designed to work behind a router or other gateway device that is using network address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet (public) and a personal network (private), thereby enabling an entire group of computers to be represented by a single IP address. In controller software release 6.0, only one OfficeExtend access point can be deployed behind a single NAT device.
Currently, only Cisco Aironet 1130 series and 1140 series access points that are joined to a Cisco 5500 series controller with a wplus license can be configured to operate as OfficeExtend access points.
Note Your firewall must be configured to allow traffic from access points using CAPWAP. Make sure that UDP ports 5246 and 5247 are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller.
Implementing Security
Follow these steps to ensure that only valid OfficeExtend access points join the company network.
Step 1 To use local significant certificates (LSCs) to authorize your OfficeExtend access points, follow the instructions in the “Authorizing Access Points Using LSCs” section.
Note Configuring LSC is optional.
Step 2 To implement AAA server validation using the access point’s MAC address, name, or both as the username in authorization requests, enter this command:
config auth-list ap-policy authorize-ap username {ap_mac | Cisco_AP | both}
Using the access point name for validation can ensure that only the OfficeExtend access points of valid employees can join the controller. To implement this security policy, make sure to name each OfficeExtend access point with an employee ID or employee number. When an employee is terminated, you can then run a script to remove this user from the AAA server database, thereby preventing that employee’s OfficeExtend access point from joining the network.
Step 3 To save your changes, enter this command:
save config
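Step 2 ties an OfficeExtend access point to a person by using its name as the AAA username, and the text notes that offboarding then comes down to a script that removes the departed employee's username from the AAA server. As an added example that is not part of the Cisco guide, the following Python script shows the reconciliation such a script needs: it reads the AP names from show hreap office-extend summary output (the usernames under this policy), compares them with a list of active employee IDs, and returns the usernames to remove from AAA, plus any access point whose name does not follow the policy and so cannot be offboarded this way. The summary text, the employee IDs, the "E" plus digits naming convention and the function names are constructed for the illustration; the AAA server's own removal command is left to the caller.

```python
"""Reconcile OfficeExtend AP names (the AAA usernames under the policy above) with active employees.

Added example, not a controller or AAA-server feature. The summary text, the employee
IDs, the naming convention and the function names are constructed for this illustration.
"""
import re
from typing import Dict, List, Set

# Constructed `show hreap office-extend summary` output in the layout the guide shows,
# with two APs named by employee ID and one that ignores the naming policy.
SAMPLE_SUMMARY = """\
Summary of OfficeExtend AP

AP Name      Ethernet MAC        Encryption   Join-Mode    Join-Time
-----------  ------------------  -----------  -----------  ----------------------------
E10234       00:22:90:e3:37:70   Enabled      Latency      Sun Jan 4 21:46:07 2009
E10877       01:40:91:b5:31:70   Enabled      Latency      Sat Jan 3 19:30:25 2009
AP1140       00:1a:2b:3c:4d:5e   Enabled      Latency      Sat Jan 3 20:11:02 2009
"""

# Constructed HR feed: employee IDs that are still active (E10877 has left).
ACTIVE_EMPLOYEES: Set[str] = {"E10234", "E20001"}

# Assumed naming convention: an "E" followed by digits.
EMPLOYEE_ID_RE = re.compile(r"^E\d+$")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_summary(text: str) -> Dict[str, str]:
    """Return {ap_name: ethernet_mac}; only rows with a MAC in the second column are data rows."""
    aps: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and MAC_RE.match(parts[1]):
            aps[parts[0]] = parts[1]
    return aps


def usernames_to_revoke(aps: Dict[str, str], active: Set[str]) -> List[str]:
    """Employee-ID-named APs whose owner is no longer active: these usernames are removed
    from the AAA database so the AP can no longer pass the authorize-ap check."""
    return sorted(name for name in aps if EMPLOYEE_ID_RE.match(name) and name not in active)


def naming_violations(aps: Dict[str, str]) -> List[str]:
    """APs whose name is not an employee ID cannot be tied to a person and so escape
    the offboarding step; report them (with their Ethernet MAC) for renaming."""
    return sorted(f"{name} ({mac})" for name, mac in aps.items()
                  if not EMPLOYEE_ID_RE.match(name))


if __name__ == "__main__":
    joined = parse_summary(SAMPLE_SUMMARY)
    print("revoke from AAA:", usernames_to_revoke(joined, ACTIVE_EMPLOYEES))
    print("rename:", naming_violations(joined))
```

The reconciliation only sees access points that are currently joined; the username list on the AAA server should be diffed against the HR feed as well, so that an access point that is powered off when the employee leaves is still refused the next time it tries to join.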
Licensing for an OfficeExtend Access Point
In order to use OfficeExtend access points, a wplus license must be installed and in use on the 5500 series controller. After the license is installed, you can enable the OfficeExtend mode on an 1130 series or 1140 series access point.
If an OfficeExtend access point attempts to join a controller that is using only a base license (and not the wplus license), the following message appears in the controller trap log: “License Not Available for feature: OfficeExtendAP.” To view the controller trap log, choose Monitor and click View All under “Most Recent Traps” on the controller GUI.
Note Refer to the Configuring Controller Settings chapter for information on obtaining and installing licenses.
Configuring OfficeExtend Access Points
After the 1130 series or 1140 series access point has joined the controller, you can configure it as an OfficeExtend access point using the controller GUI or CLI.
Using the GUI to Configure OfficeExtend Access Points
Using the controller GUI, follow these steps to configure an OfficeExtend access point.
Step 1 Follow these steps to enable hybrid REAP on the access point:
a. Choose Wireless to open the All APs page.
b. Click the name of the desired access point. The All APs > Details for (General) page appears.
c. Choose H-REAP from the AP Mode drop-down box to enable hybrid REAP for this access point.
Step 2 Follow these steps to configure one or more controllers for the access point:
a. Choose the High Availability tab to open the All APs > Details for (High Availability) page.
b. Enter the name and IP address of the primary controller for this access point in the Primary Controller Name and Management IP Address fields.
Note You must enter both the name and IP address of the controller. Otherwise, the access point cannot join this controller.
c. If desired, enter the name and IP address of a secondary or tertiary controller (or both) in the corresponding Controller Name and Management IP Address fields.
d. Click Apply to commit your changes. The access point reboots and then rejoins the controller.
Note OfficeExtend access points do not use the generic broadcast or over-the-air (OTAP) discovery process to locate a controller. You must configure one or more controllers because OfficeExtend access points try to connect only to their configured controllers.
Note The names and IP addresses must be unique for the primary, secondary, and tertiary controllers.
Note Make sure that you configure only 5500 series controllers with a wplus license. If you configure a non-5500 series controller or a 5500 series controller without a wplus license, the OfficeExtend access point cannot join the controller.
Step 3 Follow these steps to enable OfficeExtend access point settings:
a. Re-click the access point name on the All APs page.
b. Choose the H-REAP tab to open the All APs > Details for (H-REAP) page (see Figure 21).
Figure 21 All APs > Details for (H-REAP) Page
c. Check the Enable OfficeExtend AP check box to enable the OfficeExtend mode for this access point. The default value is checked.
Unchecking this check box simply disables OfficeExtend mode for this access point. It does not undo all of the configuration settings on the access point. If you want to clear the access point’s configuration and return it to factory default settings, enter clear ap config Cisco_AP on the controller CLI. If you want to clear only the access point’s personal SSID, click Reset Personal SSID.
Note Rogue detection is disabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable rogue detection for a specific access point by checking the Rogue Detection check box on the All APs > Details for (Advanced) page. Rogue detection is disabled by default for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect a large number of rogue devices. Refer to the “Managing Rogue Devices” section for more information on rogue detection.
Note DTLS data encryption is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable DTLS data encryption for a specific access point by checking the Data Encryption check box on the All APs > Details for (Advanced) page. Refer to the “Configuring Data Encryption” section for more information on DTLS data encryption.
Note Telnet and SSH access are disabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable Telnet or SSH access for a specific access point by checking the Telnet or SSH check box on the All APs > Details for (Advanced) page. Refer to the “Troubleshooting Access Points Using Telnet or SSH” section for more information on Telnet and SSH.
Note Link latency is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable link latency for a specific access point by checking the Enable Link Latency check box on the All APs > Details for (Advanced) page. Refer to the “Configuring Link Latency” section for more information on this feature.
d. Check the Enable Least Latency Controller Join check box if you want the access point to choose the controller with the least latency when joining. Otherwise, leave this check box unchecked, which is the default value. When you enable this feature, the access point calculates the time between discovery request and discovery response and joins the 5500 series controller that responds first.
e. Click Apply to commit your changes.
The OfficeExtend AP field on the All APs page shows which access points are configured as OfficeExtend access points.
Step 4 Follow these steps if you want to configure a specific username and password for the OfficeExtend access point. The teleworker can use these credentials to log into the GUI of the OfficeExtend access point.
a. Re-click the access point name on the All APs page.
b. Choose the Credentials tab to open the All APs > Details for (Credentials) page.
c. Check the Over-ride Global Credentials check box to prevent this access point from inheriting the global username, password, and enable password from the controller. The default value is unchecked.
d. In the Username, Password, and Enable Password fields, enter the unique username, password, and enable password that you want to assign to this access point.
Note The information that you enter is retained across controller and access point reboots and if the access point joins a new controller.
e. Click Apply to commit your changes.
f. Click Save Configuration to save your changes.
Note If you ever want to force this access point to use the controller’s global credentials, simply uncheck the Over-ride Global Credentials check box.
Step 5 If your controller supports only OfficeExtend access points, refer to the “Configuring RRM” section for instructions on setting the recommended values for DCA interval, channel scan duration, and neighbor packet frequency.
Using the CLI to Configure OfficeExtend Access Points
Using the controller CLI, follow these steps to configure an OfficeExtend access point.
Step 1 To enable hybrid-REAP on the access point, enter this command:
config ap mode h-reap Cisco_AP
Step 2 To configure one or more controllers for the access point, enter one or all of these commands:
config ap primary-base controller_name Cisco_AP controller_ip_address
config ap secondary-base controller_name Cisco_AP controller_ip_address
config ap tertiary-base controller_name Cisco_AP controller_ip_address
Note You must enter both the name and IP address of the controller. Otherwise, the access point cannot join this controller.
Note OfficeExtend access points do not use the generic broadcast or over-the-air (OTAP) discovery process to find a controller. You must configure one or more controllers because OfficeExtend access points try to connect only to their configured controllers.
Note The names and IP addresses must be unique for the primary, secondary, and tertiary controllers.
Note Make sure that you configure only 5500 series controllers with a wplus license. If you configure a non-5500 series controller or a 5500 series controller without a wplus license, the OfficeExtend access point cannot join the controller.
Step 3 To enable the OfficeExtend mode for this access point, enter this command:
config hreap office-extend {enable | disable} Cisco_AP
The default value is enabled. The disable parameter simply disables OfficeExtend mode for this access point. It does not undo all of the configuration settings on the access point. If you want to clear the access point’s configuration and return it to factory default settings, enter this command:
clear ap config Cisco_AP
If you want to clear only the access point’s personal SSID, enter this command:
config hreap office-extend clear-personalssid-config Cisco_AP
Note Rogue detection is disabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable rogue detection for a specific access point or for all access points using this command: config rogue detection {enable | disable} {Cisco_AP | all}. Rogue detection is disabled by default for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect a large number of rogue devices. Refer to the “Managing Rogue Devices” section for more information on rogue detection.
Note DTLS data encryption is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable DTLS data encryption for a specific access point or for all access points using this command: config ap link-encryption {enable | disable} {Cisco_AP | all}. Refer to the “Configuring Data Encryption” section for more information on DTLS data encryption.
Note Telnet and SSH access are disabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable Telnet or SSH access for a specific access point using this command: config ap {telnet | ssh} {enable | disable} Cisco_AP. Refer to the “Troubleshooting Access Points Using Telnet or SSH” section for more information on Telnet and SSH.
Note Link latency is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable link latency for a specific access point or for all access points currently associated to the controller using this command: config ap link-latency {enable | disable} {Cisco_AP | all}. Refer to the “Configuring Link Latency” section for more information on this feature.
Step 4 To enable the access point to choose the controller with the least latency when joining, enter this command:
config hreap join min-latency {enable | disable} Cisco_AP
The default value is disabled. When you enable this feature, the access point calculates the time between discovery request and discovery response and joins the 5500 series controller that responds first.
Step 5 To configure a specific username and password that teleworkers can enter to log into the GUI of the OfficeExtend access point, enter this command:
config ap mgmtuser add username user password password enablesecret enable_password Cisco_AP
The credentials that you enter in this command are retained across controller and access point reboots and if the access point joins a new controller.
Note If you ever want to force this access point to use the controller’s global credentials, enter this command: config ap mgmtuser delete Cisco_AP. The following message appears after you execute this command: “AP reverted to global username configuration.”
Step 6 To save your changes, enter this command:
save config
Step 7 If your controller supports only OfficeExtend access points, refer to the “Configuring RRM” section for instructions on setting the recommended value for the DCA interval.
Configuring a Personal SSID on an OfficeExtend Access Point
Instruct teleworkers to follow these steps to log into the GUI of their OfficeExtend access point and configure a personal SSID.
Step 1 Find the IP address of your OfficeExtend access point by doing one of the following:
-
Log into your home router and look for the IP address of your OfficeExtend access point.
-
Ask your company’s IT professional for the IP address of your OfficeExtend access point.
-
Use an application such as Network Magic (a Linksys product) to detect devices on your network and their IP addresses.
Step 2 With the OfficeExtend access point connected to your home router, enter the IP address of the OfficeExtend access point in the Address field of your Internet browser and click Go.
Note Make sure you are not connected to your company’s network using a virtual private network (VPN) connection.
Step 3 When prompted, enter the username and password to log into the access point.
Step 4 On the OfficeExtend Access Point Welcome page, click Enter. The OfficeExtend Access Point Home page appears (see Figure 22).
Figure 22 OfficeExtend Access Point Home Page
This page shows the access point name, IP address, MAC address, software version, status, channel, transmit power, and client traffic.
Step 5 Choose Configuration to open the Configuration page (see Figure 23).
Figure 23 OfficeExtend Access Point Configuration Page
Step 6 Check the Personal SSID check box to enable this wireless connection. The default value is disabled.
Step 7 In the SSID field, enter the personal SSID that you want to assign to this access point. This SSID will be locally switched.
Note A controller with an OfficeExtend access point publishes only up to 15 WLANs to each connected access point because it reserves one WLAN for the personal SSID.
Step 8 From the Security drop-down box, choose Open, WPA2/PSK (AES), or 104 bit WEP to set the security type to be used by this access point.
Note If you choose WPA2/PSK (AES), make sure that the client is configured for WPA2/PSK and AES encryption.
Step 9 If you chose WPA2/PSK (AES) in Step 8, enter an 8- to 38-character WPA2 passphrase in the Secret field. If you chose 104 bit WEP, enter a 13-character ASCII key in the Key field.
Step 10 Click Apply to commit your changes.
Note If you ever want to use the OfficeExtend access point for another application, you can clear this configuration and return the access point to factory default settings by clicking Clear Config. You can also clear the access point’s configuration from the controller CLI by entering this command: clear ap config Cisco_AP.
Viewing OfficeExtend Access Point Statistics
Use these controller CLI commands to view information about the OfficeExtend access points on your network.
-
To see a list of all OfficeExtend access points, enter this command:
show hreap office-extend summary
Information similar to the following appears:
Summary of OfficeExtend AP

AP Name      Ethernet MAC        Encryption   Join-Mode    Join-Time
-----------  ------------------  -----------  -----------  ----------------------------
AP1130       00:22:90:e3:37:70   Enabled      Latency      Sun Jan  4 21:46:07 2009
AP1140       01:40:91:b5:31:70   Enabled      Latency      Sat Jan  3 19:30:25 2009
-
To see the link delay for OfficeExtend access points, enter this command:
show hreap office-extend latency
Information similar to the following appears:
Summary of OfficeExtend AP link latency

AP Name    Status       Current     Maximum    Minimum
---------  -----------  ----------  ---------  ---------
AP1130     Enabled      15 ms       45 ms      12 ms
AP1140     Enabled      14 ms       179 ms     12 ms
-
To see the encryption state of all access points or a specific access point, enter this command:
show ap link-encryption {all | Cisco_AP}
Information similar to the following appears:
                Encryption  Dnstream  Upstream  Last
AP Name         State       Count     Count     Update
--------------  ----------  --------  --------  --------
AP1140          En          232       2146      23:49
   auth err: 198  replay err: 0
AP1240          En          6191      15011     22:13
This command also shows authentication errors, which track the number of integrity check failures, and replay errors, which track the number of times that the access point receives the same packet.
-
To see the data plane status for all access points or a specific access point, enter this command:
show ap data-plane {all | Cisco_AP}
Information similar to the following appears:
                  Min Data        Data            Max Data        Last
AP Name           Round Trip      Round Trip      Round Trip      Update
----------------  --------------  --------------  --------------  ---------
AP1130            0.012s          0.014s          0.020s          13:46:23
AP1140            0.012s          0.017s          0.111s          13:46:46
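The authentication and replay counters from show ap link-encryption are the controller's only per-AP signal that the encrypted CAPWAP data path is being tampered with or replayed, so they are worth collecting rather than eyeballing. The following is an added example, not part of this guide or of any Cisco tool: it parses the command output shown above (the sample text is constructed from the page's example, not captured from a live controller), folds the indented auth err / replay err line into the AP it belongs to, and flags any AP whose encryption state is not "En" (treating anything other than "En" as not enabled is an assumption) or whose counters exceed a threshold.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed from the sample output on this page; not captured from a live controller.
SAMPLE = """\
                Encryption  Dnstream  Upstream  Last
AP Name         State       Count     Count     Update
--------------  ----------  --------  --------  --------
AP1140          En          232       2146      23:49
   auth err: 198  replay err: 0
AP1240          En          6191      15011     22:13
"""

# One AP row: name, state, downstream count, upstream count, last-update time.
ROW_RE = re.compile(r"^(?P<ap>\S+)\s+(?P<state>\S+)\s+(?P<down>\d+)\s+(?P<up>\d+)\s+(?P<upd>\S+)$")
# The indented error line that follows an AP row when errors have been seen.
ERR_RE = re.compile(r"auth err:\s*(?P<auth>\d+)\s+replay err:\s*(?P<replay>\d+)")


@dataclass
class LinkEncryptionEntry:
    ap_name: str
    enabled: bool
    downstream: int
    upstream: int
    last_update: str
    auth_errors: int = 0     # integrity check failures
    replay_errors: int = 0   # same packet received more than once


def parse_link_encryption(text: str) -> List[LinkEncryptionEntry]:
    """Parse 'show ap link-encryption' output; header and dash lines never match ROW_RE."""
    entries: List[LinkEncryptionEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            entries.append(LinkEncryptionEntry(
                ap_name=m.group("ap"),
                enabled=m.group("state") == "En",  # assumption: any other state means not enabled
                downstream=int(m.group("down")),
                upstream=int(m.group("up")),
                last_update=m.group("upd"),
            ))
            continue
        m = ERR_RE.search(line)
        if m and entries:
            # The error line belongs to the AP row immediately above it.
            entries[-1].auth_errors = int(m.group("auth"))
            entries[-1].replay_errors = int(m.group("replay"))
    return entries


def find_suspicious(entries: List[LinkEncryptionEntry],
                    auth_threshold: int = 0,
                    replay_threshold: int = 0) -> List[Tuple[str, str]]:
    """Return (AP name, reason) for APs with encryption off, integrity failures, or replays."""
    findings = []
    for e in entries:
        if not e.enabled:
            findings.append((e.ap_name, "link encryption not enabled"))
        if e.auth_errors > auth_threshold:
            findings.append((e.ap_name, f"{e.auth_errors} integrity check failures"))
        if e.replay_errors > replay_threshold:
            findings.append((e.ap_name, f"{e.replay_errors} replayed packets"))
    return findings


if __name__ == "__main__":
    for ap, reason in find_suspicious(parse_link_encryption(SAMPLE)):
        print(f"{ap}: {reason}")
```

Run it against the output of show ap link-encryption all captured from your own controller; a counter that keeps climbing between runs on an otherwise healthy link is the case to investigate, since the thresholds above only say whether any error has ever been counted.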
Configuring Backup Controllers
A single controller at a centralized location can act as a backup for access points when they lose connectivity with the primary controller in the local region. Centralized and regional controllers need not be in the same mobility group. In controller software release 4.2 or later, you can specify a primary, secondary, and tertiary controller for specific access points in your network. Using the controller GUI or CLI, you can specify the IP addresses of the backup controllers, which allows the access points to fail over to controllers outside of the mobility group.
In controller software release 5.0 or later, you can also configure primary and secondary backup controllers (which are used if primary, secondary, or tertiary controllers are not specified or are not responsive) for all access points connected to the controller as well as various timers, including heartbeat timers and discovery request timers. To reduce the controller failure detection time, you can configure the fast heartbeat interval (between the controller and the access point) with a smaller timeout value. When the fast heartbeat timer expires (at every heartbeat interval), the access point determines if any data packets have been received from the controller within the last interval. If no packets have been received, the access point sends a fast echo request to the controller.
Note You can configure the fast heartbeat timer only for access points in local and hybrid-REAP modes.
The access point maintains a list of backup controllers and periodically sends primary discovery requests to each entry on the list. When the access point receives a new discovery response from a controller, the backup controller list is updated. Any controller that fails to respond to two consecutive primary discovery requests is removed from the list. If the access point’s local controller fails, it chooses an available controller from the backup controller list in this order: primary, secondary, tertiary, primary backup, secondary backup. The access point waits for a discovery response from the first available controller in the backup list and joins the controller if it receives a response within the time configured for the primary discovery request timer. If the time limit is reached, the access point assumes that the controller cannot be joined and waits for a discovery response from the next available controller in the list.
Note When an access point’s primary controller comes back online, the access point disassociates from the backup controller and reconnects to its primary controller. The access point falls back to its primary controller and not to any secondary controller for which it is configured. For example, if an access point is configured with primary, secondary, and tertiary controllers, it fails over to the tertiary controller when the primary and secondary controllers become unresponsive and waits for the primary controller to come back online so that it can fall back to the primary controller. The access point does not fall back from the tertiary controller to the secondary controller if the secondary controller comes back online; it stays connected to the tertiary controller until the primary controller comes back up.
Note If you inadvertently configure a controller that is running software release 5.2 or later with a failover controller that is running a different software release (such as 4.2, 5.0, or 5.1), the access point might take a long time to join the failover controller because the access point starts the discovery process in CAPWAP and then changes to LWAPP discovery.
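The join order, the two-consecutive-misses removal rule, and the primary-only fallback described above interact in ways that are easy to get wrong when planning a controller outage. The following is an added model of that behaviour, written for this page and not Cisco's code: it keeps the backup list in the order primary, secondary, tertiary, primary backup, secondary backup, skips entries whose IP address is 0.0.0.0 (the value the CLI uses to disable a backup entry), drops a controller after two consecutive unanswered primary discovery requests, and returns to the primary only. The controller names and addresses in example_list() are constructed, and the wait for a discovery response within the primary discovery request timer is stood in for by a caller-supplied answers_in_time predicate.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Join preference described on this page: per-AP primary, secondary, tertiary,
# then the controller-wide primary and secondary backup controllers.
ROLE_ORDER = ("primary", "secondary", "tertiary", "backup_primary", "backup_secondary")
UNSET_IP = "0.0.0.0"  # entering 0.0.0.0 disables a backup-controller entry


@dataclass(frozen=True)
class Controller:
    name: str
    ip: str


# Stands in for "a discovery response arrived within the primary discovery request timer".
Reachable = Callable[[Controller], bool]


@dataclass
class BackupList:
    """The AP's backup controller list plus per-controller unanswered-request counters."""
    entries: Dict[str, Optional[Controller]]
    misses: Dict[str, int] = field(default_factory=dict)

    def candidates(self) -> List[Tuple[str, Controller]]:
        """Configured, not-yet-removed entries in join-preference order."""
        out = []
        for role in ROLE_ORDER:
            c = self.entries.get(role)
            if c is not None and c.ip != UNSET_IP:
                out.append((role, c))
        return out

    def record_primary_discovery(self, ctrl: Controller, responded: bool) -> None:
        """A controller that fails two consecutive primary discovery requests is removed."""
        if responded:
            self.misses[ctrl.ip] = 0
            return
        self.misses[ctrl.ip] = self.misses.get(ctrl.ip, 0) + 1
        if self.misses[ctrl.ip] >= 2:
            for role, c in self.entries.items():
                if c is not None and c.ip == ctrl.ip:
                    self.entries[role] = None


def choose_failover(backup: BackupList, answers_in_time: Reachable) -> Optional[Tuple[str, Controller]]:
    """Walk the list in order and join the first controller that answers in time."""
    for role, c in backup.candidates():
        if answers_in_time(c):
            return role, c
    return None  # nothing answered: the AP keeps waiting, it does not join anything


def fallback_target(current_role: str, backup: BackupList, answers_in_time: Reachable) -> Optional[Controller]:
    """Once on a backup, the AP returns only when its primary is back; a returning secondary is ignored."""
    primary = backup.entries.get("primary")
    if current_role != "primary" and primary is not None and answers_in_time(primary):
        return primary
    return None


def example_list() -> BackupList:
    """Constructed example: per-AP primary/secondary/tertiary, one global backup, no secondary backup."""
    return BackupList(entries={
        "primary": Controller("wlc-primary", "10.0.0.1"),
        "secondary": Controller("wlc-secondary", "10.0.0.2"),
        "tertiary": Controller("wlc-tertiary", "10.0.1.1"),
        "backup_primary": Controller("wlc-dc-backup", "10.9.9.9"),
        "backup_secondary": Controller("", UNSET_IP),
    })


if __name__ == "__main__":
    bl = example_list()
    print(choose_failover(bl, lambda c: c.name == "wlc-tertiary"))
    print(fallback_target("tertiary", bl, lambda c: c.name == "wlc-secondary"))
```

The scenario from the note above falls out directly: with the primary and secondary down, choose_failover lands on the tertiary, and fallback_target returns nothing when only the secondary comes back. One practical consequence worth checking in your own list is that the removal rule keys on the controller's IP address, so a primary and a secondary entry that point at the same controller (as in the show ap config general sample later on this page) are removed together.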
Using the GUI to Configure Backup Controllers
Using the controller GUI, follow these steps to configure primary, secondary, and tertiary controllers for a specific access point and to configure primary and secondary backup controllers for all access points.
Step 1 Choose Wireless > Access Points > Global Configuration to open the Global Configuration page (see Figure 29).
Figure 29 Global Configuration Page
Step 2 From the Local Mode AP Fast Heartbeat Timer State drop-down box, choose Enable to enable the fast heartbeat timer for access points in local mode or Disable to disable this timer. The default value is Disable.
Step 3 If you chose Enable in Step 2, enter a number between 1 and 10 seconds (inclusive) in the Local Mode AP Fast Heartbeat Timeout field to configure the fast heartbeat timer for access points in local mode (the same range the CLI command accepts). Specifying a small heartbeat interval reduces the amount of time it takes to detect a controller failure. The default value is 0 seconds, which disables the timer.
Step 4 From the H-REAP Mode AP Fast Heartbeat Timer State drop-down box, choose Enable to enable the fast heartbeat timer for hybrid-REAP access points or Disable to disable this timer. The default value is Disable.
Step 5 If you chose Enable in Step 4, enter a value between 1 and 10 seconds (inclusive) in the H-REAP Mode AP Fast Heartbeat Timeout field to configure the fast heartbeat timer for hybrid-REAP access points (the same range the CLI command accepts). Specifying a small heartbeat interval reduces the amount of time it takes to detect a controller failure. The default value is 0 seconds, which disables the timer.
Step 6 In the AP Primary Discovery Timeout field, enter a value between 30 and 3600 seconds (inclusive) to configure the access point primary discovery request timer. The default value is 120 seconds.
Step 7 If you want to specify a primary backup controller for all access points, enter the IP address of the primary backup controller in the Back-up Primary Controller IP Address field and the name of the controller in the Back-up Primary Controller Name field.
Note The default value for the IP address is 0.0.0.0, which disables the primary backup controller.
Step 8 If you want to specify a secondary backup controller for all access points, enter the IP address of the secondary backup controller in the Back-up Secondary Controller IP Address field and the name of the controller in the Back-up Secondary Controller Name field.
Note The default value for the IP address is 0.0.0.0, which disables the secondary backup controller.
Step 9 Click Apply to commit your changes.
Step 10 If you want to configure primary, secondary, and tertiary backup controllers for a specific access point, follow these steps:
a. Choose Access Points > All APs to open the All APs page.
b. Click the name of the access point for which you want to configure primary, secondary, and tertiary backup controllers.
c. Choose the High Availability tab to open the All APs > Details for (High Availability) page (see Figure 30).
Figure 30 All APs > Details for (High Availability) Page
d. If desired, enter the name and IP address of the primary backup controller for this access point in the Primary Controller fields.
Note Entering an IP address for the backup controller is optional in this step and the next two steps. If the backup controller is outside the mobility group to which the access point is connected (the primary controller), then you need to provide the IP address of the primary, secondary, or tertiary controller, respectively. The controller name and IP address must belong to the same primary, secondary, or tertiary controller. Otherwise, the access point cannot join the backup controller.
e. If desired, enter the name and IP address of the secondary backup controller for this access point in the Secondary Controller fields.
f. If desired, enter the name and IP address of the tertiary backup controller for this access point in the Tertiary Controller fields.
g. Click Apply to commit your changes.
Step 11 Click Save Configuration to save your changes.
Using the CLI to Configure Backup Controllers
Using the controller CLI, follow these steps to configure primary, secondary, and tertiary controllers for a specific access point and to configure primary and secondary backup controllers for all access points.
Step 1 To configure a primary controller for a specific access point, enter this command:
config ap primary-base controller_name Cisco_AP [controller_ip_address]
Note The controller_ip_address parameter in this command and the next two commands is optional. If the backup controller is outside the mobility group to which the access point is connected (the primary controller), then you need to provide the IP address of the primary, secondary, or tertiary controller, respectively. In each command, the controller_name and controller_ip_address must belong to the same primary, secondary, or tertiary controller. Otherwise, the access point cannot join the backup controller.
Step 2 To configure a secondary controller for a specific access point, enter this command:
config ap secondary-base controller_name Cisco_AP [controller_ip_address]
Step 3 To configure a tertiary controller for a specific access point, enter this command:
config ap tertiary-base controller_name Cisco_AP [controller_ip_address]
Step 4 To configure a primary backup controller for all access points, enter this command:
config advanced backup-controller primary
backup_controller_name
backup_controller_ip_address
Step 5 To configure a secondary backup controller for all access points, enter this command:
config advanced backup-controller secondary
backup_controller_name
backup_controller_ip_address
Note To delete a primary or secondary backup controller entry, enter 0.0.0.0 for the controller IP address.
Step 6 To enable or disable the fast heartbeat timer for local or hybrid-REAP access points, enter this command:
config advanced timers ap-fast-heartbeat {local | hreap | all} {enable | disable} interval
where all is both local and hybrid-REAP access points, and interval is a value between 1 and 10 seconds (inclusive). Specifying a small heartbeat interval reduces the amount of time it takes to detect a controller failure. The default value is disabled.
Step 7 To configure the access point heartbeat timer, enter this command:
config advanced timers ap-heartbeat-timeout interval
where interval is a value between 1 and 30 seconds (inclusive). This value should be at least three times larger than the fast heartbeat timer. The default value is 30 seconds.
Step 8 To configure the access point primary discovery request timer, enter this command:
config advanced timers ap-primary-discovery-timeout interval
where interval is a value between 30 and 3600 seconds (inclusive). The default value is 120 seconds.
Step 9 To configure the access point discovery timer, enter this command:
config advanced timers ap-discovery-timeout interval
where interval is a value between 1 and 10 seconds (inclusive). The default value is 10 seconds.
Step 10 To configure the 802.11 authentication response timer, enter this command:
config advanced timers auth-timeout interval
where interval is a value between 10 and 600 seconds (inclusive). The default value is 10 seconds.
Step 11 To save your changes, enter this command:
save config
Step 12 To view an access point’s configuration, enter these commands:
-
show ap config general Cisco_AP
-
show advanced backup-controller
-
show advanced timers
Information similar to the following appears for the show ap config general Cisco_AP command:
Cisco AP Identifier.............................. 1
Cisco AP Name.................................... AP5
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-AB 802.11a:-AB
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-N
Switch Port Number .............................. 1
MAC Address...................................... 00:13:80:60:48:3e
IP Address Configuration......................... DHCP
IP Address....................................... 1.100.163.133
Primary Cisco Switch Name........................ 1-4404
Primary Cisco Switch IP Address.................. 2.2.2.2
Secondary Cisco Switch Name...................... 1-4404
Secondary Cisco Switch IP Address................ 2.2.2.2
Tertiary Cisco Switch Name....................... 2-4404
Tertiary Cisco Switch IP Address................. 1.1.1.4
Information similar to the following appears for the show advanced backup-controller command:
AP primary Backup Controller .................... controller1 10.10.10.10
AP secondary Backup Controller ............... 0.0.0.0
Information similar to the following appears for the show advanced timers command:
Authentication Response Timeout (seconds)........ 10
Rogue Entry Timeout (seconds).................... 1300
AP Heart Beat Timeout (seconds).................. 30
AP Discovery Timeout (seconds)................... 10
AP Local mode Fast Heartbeat (seconds)........... 10 (enable)
AP Hreap mode Fast Heartbeat (seconds)........... disable
AP Primary Discovery Timeout (seconds)........... 120
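The CLI steps above give a valid range for each timer and one cross-timer rule (the heartbeat timeout should be at least three times the fast heartbeat interval) that the controller does not check for you. The following is an added example, written for this page rather than taken from Cisco: it parses the show advanced timers output shown above (the passing sample is constructed from the page's example; the weak sample is the same output with the heartbeat timeout lowered to 20 seconds), checks every value against the ranges and the three-times rule quoted in Steps 6 to 10, and emits the exact config advanced timers command from those steps that would fix each finding.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the 'show advanced timers' sample on this page; not captured from a live controller.
SAMPLE_OK = """\
Authentication Response Timeout (seconds)........ 10
Rogue Entry Timeout (seconds).................... 1300
AP Heart Beat Timeout (seconds).................. 30
AP Discovery Timeout (seconds)................... 10
AP Local mode Fast Heartbeat (seconds)........... 10 (enable)
AP Hreap mode Fast Heartbeat (seconds)........... disable
AP Primary Discovery Timeout (seconds)........... 120
"""

# Constructed weak configuration: heartbeat timeout below three times the fast heartbeat interval.
SAMPLE_WEAK = SAMPLE_OK.replace(
    "AP Heart Beat Timeout (seconds).................. 30",
    "AP Heart Beat Timeout (seconds).................. 20",
)

# "<name> (seconds)....... <value>"; the value may be "disable" or "<n> (enable)".
LINE_RE = re.compile(r"^(?P<name>.+?)\s*\(seconds\)\.+\s*(?P<value>.+?)\s*$")

# Valid ranges (seconds) and the CLI command for each timer, as given in the CLI steps on this page.
RANGES: Dict[str, Tuple[int, int]] = {
    "AP Local mode Fast Heartbeat": (1, 10),
    "AP Hreap mode Fast Heartbeat": (1, 10),
    "AP Heart Beat Timeout": (1, 30),
    "AP Primary Discovery Timeout": (30, 3600),
    "AP Discovery Timeout": (1, 10),
    "Authentication Response Timeout": (10, 600),
}
COMMANDS: Dict[str, str] = {
    "AP Local mode Fast Heartbeat": "config advanced timers ap-fast-heartbeat local enable {v}",
    "AP Hreap mode Fast Heartbeat": "config advanced timers ap-fast-heartbeat hreap enable {v}",
    "AP Heart Beat Timeout": "config advanced timers ap-heartbeat-timeout {v}",
    "AP Primary Discovery Timeout": "config advanced timers ap-primary-discovery-timeout {v}",
    "AP Discovery Timeout": "config advanced timers ap-discovery-timeout {v}",
    "Authentication Response Timeout": "config advanced timers auth-timeout {v}",
}


def parse_show_advanced_timers(text: str) -> Dict[str, Optional[int]]:
    """Map each timer name to its value in seconds; a disabled fast heartbeat maps to None."""
    timers: Dict[str, Optional[int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value")
        timers[m.group("name")] = None if value.startswith("disable") else int(value.split()[0])
    return timers


def audit_timers(timers: Dict[str, Optional[int]]) -> List[Tuple[str, str]]:
    """Return (problem, remediation command) pairs for out-of-range values and the 3x rule."""
    findings: List[Tuple[str, str]] = []
    for name, (lo, hi) in RANGES.items():
        v = timers.get(name)
        if v is not None and not lo <= v <= hi:
            fixed = min(max(v, lo), hi)  # clamp into the documented range
            findings.append((f"{name} is {v} s, outside {lo}-{hi}", COMMANDS[name].format(v=fixed)))
    hb = timers.get("AP Heart Beat Timeout")
    for fast in ("AP Local mode Fast Heartbeat", "AP Hreap mode Fast Heartbeat"):
        f = timers.get(fast)
        if f is not None and hb is not None and hb < 3 * f:
            findings.append((
                f"{fast} is {f} s but AP Heart Beat Timeout {hb} s is less than three times that",
                COMMANDS["AP Heart Beat Timeout"].format(v=min(3 * f, 30)),
            ))
    return findings


if __name__ == "__main__":
    for problem, cmd in audit_timers(parse_show_advanced_timers(SAMPLE_WEAK)):
        print(f"{problem}\n  -> {cmd}")
```

Paste your own show advanced timers output in place of the sample; the remediation commands are the ones documented in the CLI steps above and still need save config afterwards.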
Configuring Country Codes
Controllers and access points are designed for use in many countries with varying regulatory requirements. The radios within the access points are assigned to a specific regulatory domain at the factory (such as -E for Europe), but the country code enables you to specify a particular country of operation (such as FR for France or ES for Spain). Configuring a country code ensures that each radio’s broadcast frequency bands, interfaces, channels, and transmit power levels are compliant with country-specific regulations.
Generally, you configure one country code per controller, the one matching the physical location of the controller and its access points. However, controller software release 4.1 or later allows you to configure up to 20 country codes per controller. This multiple-country support enables you to manage access points in various countries from a single controller.
Note Although the controller supports different access points in different regulatory domains (countries), it requires all radios in a single access point to be configured for the same regulatory domain. For example, you should not configure a Cisco 1231 access point’s 802.11b/g radio for the US (-A) regulatory domain and its 802.11a radio for the Great Britain (-E) regulatory domain. Otherwise, the controller allows only one of the access point’s radios to turn on, depending on which regulatory domain you selected for the access point on the controller. Therefore, make sure that the same country code is configured for both of the access point’s radios.
For a complete list of country codes supported per product, refer to http://www.ciscofax.com/ or http://www.cisco.com/c/en/us/products/collateral/wireless/access-points/product_data_sheet0900aecd80537b6a.html.
Guidelines for Configuring Multiple Country Codes
Follow these guidelines when configuring multiple country codes:
-
When the multiple-country feature is being used, all controllers intended to join the same RF group must be configured with the same set of countries, configured in the same order.
-
When multiple countries are configured and the radio resource management (RRM) auto-RF feature is enabled, the auto-RF feature is limited to only the channels that are legal in all configured countries and to the lowest power level common to all configured countries. The access points are always able to use all legal frequencies, but non-common channels can only be assigned manually.
Note If an access point was already set to a higher legal power level or is configured manually, the power level is limited only by the particular country to which that access point is assigned.
You can configure country codes through the controller GUI or CLI.
Using the GUI to Configure Country Codes
Follow these steps to configure country codes using the GUI.
Step 1 Follow these steps to disable the 802.11a and 802.11b/g networks:
a. Choose Wireless > 802.11a/n > Network.
b. Uncheck the 802.11a Network Status check box.
c. Click Apply to commit your changes.
d. Choose Wireless > 802.11b/g/n > Network.
e. Uncheck the 802.11b/g Network Status check box.
f. Click Apply to commit your changes.
Step 2 Choose Wireless > Country to open the Country page (see Figure 33).
Figure 33 Country Page
Step 3 Check the check box for each country where your access points are installed.
Step 4 If you checked more than one check box in Step 3, a message appears indicating that RRM channels and power levels are limited to common channels and power levels. Click OK to continue or Cancel to cancel the operation.
Step 5 Click Apply to commit your changes.
Step 6 If you selected multiple country codes in Step 3, each access point is assigned to a country. Follow these steps to see the default country chosen for each access point and to choose a different country if necessary.
Note If you ever remove a country code from the configuration, any access points currently assigned to the deleted country reboot and when they rejoin the controller, they get re-assigned to one of the remaining countries if possible.
a. Perform one of the following:
– Leave the 802.11a and 802.11b/g networks disabled.
– Re-enable the 802.11a and 802.11b/g networks and then disable only the access points for which you are configuring a country code. To disable an access point, choose Wireless > Access Points > All APs, click the link of the desired access point, choose Disable from the Status drop-down box, and click Apply.
b. Choose Wireless > Access Points > All APs to open the All APs page.
c. Click the link for the desired access point.
d. Choose the Advanced tab to open the All APs > Details for (Advanced) page (see Figure 34).
Figure 34 All APs > Details for (Advanced) Page
e. The default country for this access point appears in the Country Code drop-down box. If the access point is installed in a country other than the one shown, choose the correct country from the drop-down box. The box contains only those country codes that are compatible with the regulatory domain of at least one of the access point’s radios.
f. Click Apply to commit your changes.
g. Repeat these steps to assign all access points joined to the controller to a specific country.
h. Re-enable any access points that you disabled in Step 6a.
Step 7 Re-enable the 802.11a and 802.11b/g networks if you did not already re-enable them in Step 6a.
Step 8 Click Save Configuration to save your settings.
Using the CLI to Configure Country Codes
Follow these steps to configure country codes using the CLI.
Step 1 To see a list of all available country codes, enter this command:
show country supported
Step 2 Enter these commands to disable the 802.11a and 802.11b/g networks:
config 802.11a disable network
config 802.11b disable network
Step 3 To configure the country codes for the countries where your access points are installed, enter this command:
config country code1[,code2,code3,...]
If you are entering more than one country code, separate each by a comma (for example, config country US,CA,MX). Information similar to the following appears:
Changing country code could reset channel configuration.
If running in RFM One-Time mode, reassign channels after this command.
Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n) y
Step 4 Enter Y when prompted to confirm your decision. Information similar to the following appears:
Configured Country............................. Multiple Countries:US,CA,MX
Auto-RF for this country combination is limited to common channels and power.
KEY: * = Channel is legal in this country and may be configured manually.
     A = Channel is the Auto-RF default in this country.
     . = Channel is not legal in this country.
     C = Channel has been configured for use by Auto-RF.
     x = Channel is available to be configured for use by Auto-RF.
   (-) = Regulatory Domains allowed by this country.
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
            : 1 2 3 4 5 6 7 8 9 0 1 2 3 4
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
US (-AB)    : A * * * * A * * * * A . . .
CA (-AB)    : A * * * * A * * * * A . . .
MX (-NA)    : A * * * * A * * * * A . . .
Auto-RF     : C x x x x C x x x x C . . .
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11A     :                         1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels    : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
            : 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
US (-AB)    : . A . A . A . A A A A A * * * * * . . . * * * A A A A *
CA (-ABN)   : . A . A . A . A A A A A * * * * * . . . * * * A A A A *
MX (-N)     : . A . A . A . A A A A A . . . . . . . . . . . A A A A *
Auto-RF     : . C . C . C . C C C C C . . . . . . . . . . . C C C C x
Step 5 To verify your country code configuration, enter this command:
show country
Step 6 To see the list of available channels for the country codes configured on your controller, enter this command:
show country channels
Information similar to the following appears:
Configured Country............................. Multiple Countries:US,CA,MX
Auto-RF for this country combination is limited to common channels and power.
KEY: * = Channel is legal in this country and may be configured manually.
     A = Channel is the Auto-RF default in this country.
     . = Channel is not legal in this country.
     C = Channel has been configured for use by Auto-RF.
     x = Channel is available to be configured for use by Auto-RF.
   (-) = Regulatory Domains allowed by this country.
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
            : 1 2 3 4 5 6 7 8 9 0 1 2 3 4
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
US (-AB)    : A * * * * A * * * * A . . .
CA (-AB)    : A * * * * A * * * * A . . .
MX (-NA)    : A * * * * A * * * * A . . .
Auto-RF     : C x x x x C x x x x C . . .
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11A     :                         1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels    : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
            : 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
US (-AB)    : . A . A . A . A A A A A * * * * * . . . * * * A A A A *
CA (-ABN)   : . A . A . A . A A A A A * * * * * . . . * * * A A A A *
MX (-N)     : . A . A . A . A A A A A . . . . . . . . . . . A A A A *
Auto-RF     : . C . C . C . C C C C C . . . . . . . . . . . C C C C x
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Step 7 To save your settings, enter this command:
save config
Step 8 To see the countries to which your access points have been assigned, enter this command:
show ap summary
Information similar to the following appears:
Number of APs.................................... 2

AP Name   Slots  AP Model           Ethernet MAC       Location          Port  Country
--------  -----  -----------------  -----------------  ----------------  ----  -------
ap1       2      AP1030             00:0b:85:5b:8e:c0  default location  1     US
ap2       2      AIR-AP1242AG-A-K9  00:14:1c:ed:27:fe  default location  1     US
Step 9 If you entered multiple country codes in Step 3, follow these steps to assign each access point to a specific country:
a. Perform one of the following:
– Leave the 802.11a and 802.11b/g networks disabled.
– Re-enable the 802.11a and 802.11b/g networks and then disable only the access points for which you are configuring a country code. To re-enable the networks, enter these commands:
config 802.11a enable network
config 802.11b enable network
To disable an access point, enter this command:
config ap disable ap_name
b. To assign an access point to a specific country, enter this command:
config ap country code {ap_name | all}
Make sure that the country code you choose is compatible with the regulatory domain of at least one of the access point’s radios.
Note If you enabled the networks and disabled some access points and then run the config ap country code all command, the specified country code is configured on only the disabled access points. All other access points are ignored.
For example, if you enter config ap country mx all, information similar to the following appears:
To change country code: first disable target AP(s) (or disable all networks).
Changing the country may reset any customized channel assignments.
Changing the country will reboot disabled target AP(s).
Are you sure you want to continue? (y/n) y
--------- -------- --------
ap2       US       enabled (Disable AP before configuring country)
ap1       MX       changed (New country configured, AP rebooting)
c. To re-enable any access points that you disabled in Step 9a, enter this command:
config ap enable ap_name
Step 10 If you did not re-enable the 802.11a and 802.11b/g networks in Step 9a, enter these commands to re-enable them now:
config 802.11a enable network
config 802.11b enable network
Step 11 To save your settings, enter this command:
save config
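The channel tables printed by config country and show country channels are the controller's own statement of which channels RRM may assign, and the guideline above says Auto-RF must be limited to channels legal in every configured country. The following is an added example, written for this page and not a Cisco tool, that checks exactly that: it parses the show country channels output reproduced above (the sample is constructed from the page's example, not captured from a controller), reads the channel numbers from the stacked digit rows, computes the channels legal in all countries (symbols A or *) and the channels Auto-RF may use (C or x), and reports any Auto-RF channel that is not common to every country. For the 2.4 GHz table the output prints only the ones digit of each channel, so the code numbers those columns 1 through n consecutively; that is an assumption, valid for the 2.4 GHz band where channel numbers are consecutive.

```python
from typing import Dict, List, Set, Tuple

LEGAL = {"A", "*"}     # legal in that country: Auto-RF default or manually configurable
AUTO_RF = {"C", "x"}   # configured for, or available to, Auto-RF

# Constructed from the 'show country channels' sample on this page; not captured from a controller.
SAMPLE = """\
Configured Country............................. Multiple Countries:US,CA,MX
Auto-RF for this country combination is limited to common channels and power.
KEY: * = Channel is legal in this country and may be configured manually.
     A = Channel is the Auto-RF default in this country.
     . = Channel is not legal in this country.
     C = Channel has been configured for use by Auto-RF.
     x = Channel is available to be configured for use by Auto-RF.
   (-) = Regulatory Domains allowed by this country.
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
            : 1 2 3 4 5 6 7 8 9 0 1 2 3 4
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
US (-AB)    : A * * * * A * * * * A . . .
CA (-AB)    : A * * * * A * * * * A . . .
MX (-NA)    : A * * * * A * * * * A . . .
Auto-RF     : C x x x x C x x x x C . . .
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11A     :                         1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels    : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
            : 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
US (-AB)    : . A . A . A . A A A A A * * * * * . . . * * * A A A A *
CA (-ABN)   : . A . A . A . A A A A A * * * * * . . . * * * A A A A *
MX (-N)     : . A . A . A . A A A A A . . . . . . . . . . . A A A A *
Auto-RF     : . C . C . C . C C C C C . . . . . . . . . . . C C C C x
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
"""


def _cells(line: str) -> List[str]:
    """Symbols right of the ':' separator, one per channel column (every second character)."""
    body = line.split(":", 1)[1]
    body = body[1:] if body.startswith(" ") else body
    return [body[i] for i in range(0, len(body), 2)]


def parse_country_channels(text: str) -> List[Tuple[List[List[str]], Dict[str, List[str]]]]:
    """One (header digit rows, {row label: symbols}) pair per band table in the output."""
    sections, header_rows, rows, in_table = [], [], {}, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("------------:"):
            in_table = True
            if rows:  # a separator after country rows closes the band table
                sections.append((header_rows, rows))
                header_rows, rows = [], {}
            continue
        if not in_table or ":" not in line:
            continue  # banner and KEY legend lines
        cells = _cells(line)
        if all(c in "0123456789 " for c in cells):
            header_rows.append(cells)  # channel-number digits, stacked vertically
        else:
            rows[line.split(":", 1)[0].strip()] = cells
    if rows:
        sections.append((header_rows, rows))
    return sections


def _labels(header_rows: List[List[str]], n: int) -> List[str]:
    if len(header_rows) == 1:
        # Only the ones digit is printed (2.4 GHz): assume consecutive channels 1..n.
        return [str(i + 1) for i in range(n)]
    return ["".join(h[i] if i < len(h) else " " for h in header_rows).strip() for i in range(n)]


def channel_sets(header_rows, rows) -> Tuple[Set[str], Set[str]]:
    """(channels legal in every configured country, channels Auto-RF is allowed to use)."""
    auto = rows["Auto-RF"]
    countries = [v for k, v in rows.items() if k != "Auto-RF"]
    n = len(auto)
    labels = _labels(header_rows, n)
    common = {labels[i] for i in range(n) if all(i < len(v) and v[i] in LEGAL for v in countries)}
    allowed = {labels[i] for i in range(n) if auto[i] in AUTO_RF}
    return common, allowed


def auto_rf_violations(text: str) -> List[Set[str]]:
    """Per band table: channels Auto-RF may use that are not legal in every configured country."""
    out = []
    for header_rows, rows in parse_country_channels(text):
        common, allowed = channel_sets(header_rows, rows)
        out.append(allowed - common)
    return out


if __name__ == "__main__":
    print(auto_rf_violations(SAMPLE))
```

For the page's own sample the check comes back clean for both bands: Auto-RF is restricted to channels 1 to 11 on 2.4 GHz and to 36 through 64 plus 149 through 165 on 5 GHz, which is the intersection of the three countries. Run it after every country-code change and after a software upgrade, since the Note above says that removing a country reboots and re-assigns its access points.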
Configuring Power over Ethernet
When an access point that has been converted to lightweight mode (such as an AP1131 or AP1242) or a 1250 series access point is powered by a power injector that is connected to a Cisco pre-Intelligent Power Management (pre-IPM) switch, you need to configure Power over Ethernet (PoE), also known as inline power.
The dual-radio 1250 series access points can operate in four different modes when powered using PoE:
-
20.0 W (Full Power)
—This mode is equivalent to using a power injector or an AC/DC adapter.
-
16.8 W
—Both transmitters are used but at reduced power. Legacy data rates are not affected, but the M0 to M15 data rates are reduced in the 2.4-GHz band. Throughput should be minimally impacted because all data rates are still enabled. The range is affected because of the lower transmit power. All receivers remain enabled.
-
15.4 W
—Only a single transmitter is enabled. Legacy data rates and M0 to M7 rates are minimally affected. M8 to M15 rates are disabled because they require both transmitters. Throughput is better than that received with legacy access points but less than the 20 and 16.8 W power modes.
-
11.0 W (Low Power)
—The access point runs, but both radios are disabled.
Note When a dual-radio 1250 series access point is powered using 15.4-W PoE, it cannot operate at full functionality, which requires 20 W. The access point can operate with dual radios on 15.4-W PoE, but performance is reduced in terms of throughput and range. If full functionality is required on 15.4 W, you can remove one of the radios from the 1250 series access point chassis or disable it in controller software release 6.0 so that the other radio can operate in full 802.11n mode. After the access point radio is administratively disabled, the access point must be rebooted for the change to take effect. The access point must also be rebooted after you re-enable the radio to put it into reduced throughput mode.
These modes provide the flexibility of running the 1250 series access points with the available wired infrastructure to obtain the desired level of performance. With enhanced PoE switches (such as the Cisco Catalyst 3750-E Series Switches), the 1250 series access points can provide maximum features and functionality with minimum total cost of ownership. Alternatively, if you decide to power the access point with the existing PoE (802.3af) switches, the access point chooses the appropriate mode of operation based on whether it has one radio or two.
Note For more information on the Cisco PoE switches, see http://www.cisco.com/c/en/us/products/switches/epoe.html.
Table 3 shows the maximum transmit power settings for 1250 series access points using PoE.
Table 3 Maximum Transmit Power Settings for 1250 Series Access Points Using PoE

Band    | Data rates       | Transmitters | Cyclic Shift Diversity (CSD) | Maximum Transmit Power (dBm) at 15.4 W (802.3af) | at 16.8 W (ePoE Power Optimized Mode) | at 20.0 W (Full Power)
--------|------------------|--------------|------------------------------|---------------------------------------------------|----------------------------------------|-----------------------
2.4 GHz | 802.11b          | 1            | —                            | 20                                                | 20                                     | 20
2.4 GHz | 802.11g          | 1            | —                            | 17                                                | 17                                     | 17
2.4 GHz | 802.11n MCS 0-7  | 1            | Disabled                     | 17                                                | 17                                     | 17
2.4 GHz | 802.11n MCS 0-7  | 2            | Enabled (default)            | Disabled                                          | 14 (11 per Tx)                         | 20 (17 per Tx)
2.4 GHz | 802.11n MCS 8-15 | 2            | —                            | Disabled                                          | 14 (11 per Tx)                         | 20 (17 per Tx)
5 GHz   | 802.11a          | 1            | —                            | 17                                                | 17                                     | 17
5 GHz   | 802.11n MCS 0-7  | 1            | Disabled                     | 17                                                | 17                                     | 17
5 GHz   | 802.11n MCS 0-7  | 2            | Enabled (default)            | Disabled                                          | 20 (17 per Tx)                         | 20 (17 per Tx)
5 GHz   | 802.11n MCS 8-15 | 2            | —                            | Disabled                                          | 20 (17 per Tx)                         | 20 (17 per Tx)
Note When powered with a non-Cisco standard PoE switch, the 1250 series access point operates under 15.4 Watts. Even if the non-Cisco switch or midspan device is capable of providing higher power, the access point does not operate in enhanced PoE mode.
You can configure PoE through either the controller GUI or CLI.
Using the GUI to Configure Power over Ethernet
Using the controller GUI, follow these steps to configure PoE.
Step 1 Choose Wireless > Access Points > All APs and then the name of the desired access point.
Step 2 Choose the Advanced tab to open the All APs > Details for (Advanced) page (see Figure 41).
Figure 41 All APs > Details for (Advanced) Page
The PoE Status field shows the power level at which the access point is operating: High (20 W), Medium (16.8 W), or Medium (15.4 W). This field is not configurable. The controller auto-detects the access point’s power source and displays the power level here.
Note This field applies only to 1250 series access points that are powered using PoE. There are two other ways to determine if the access point is operating at a lower power level. First, the “Due to low PoE, radio is transmitting at degraded power” message appears under the Tx Power Level Assignment section on the 802.11a/n (or 802.11b/g/n) Cisco APs > Configure page. Second, the “PoE Status: degraded operation” message appears in the controller’s trap log on the Trap Logs page.
Step 3 Perform one of the following:
- Check the Pre-Standard State check box if the access point is being powered by a high-power Cisco switch. These switches provide more than the traditional 6 Watts of power but do not support the intelligent power management (IPM) feature. These switches include:
– 2106 controller,
– WS-C3550, WS-C3560, WS-C3750,
– C1880,
– 2600, 2610, 2611, 2621, 2650, 2651,
– 2610XM, 2611XM, 2621XM, 2650XM, 2651XM, 2691,
– 2811, 2821, 2851,
– 3620, 3631-telco, 3640, 3660,
– 3725, 3745,
– 3825, and 3845.
- Uncheck the Pre-Standard State check box if power is being provided by a power injector or by a switch not on the above list. This is the default value.
Step 4 Check the Power Injector State check box if the attached switch does not support IPM and a power injector is being used. If the attached switch supports IPM, you do not need to check this check box.
Step 5 If you checked the Power Injector State check box in the previous step, the Power Injector Selection and Injector Switch MAC Address parameters appear. The Power Injector Selection parameter enables you to protect your switch port from an accidental overload if the power injector is inadvertently bypassed. Choose one of these options from the drop-down box to specify the desired level of protection:
- Installed—This option examines and remembers the MAC address of the currently connected switch port and assumes that a power injector is connected. Choose this option if your network contains older Cisco 6-Watt switches and you want to avoid possible overloads by forcing a double-check of any relocated access points.
If you want to configure the switch MAC address, enter the MAC address in the Injector Switch MAC Address field. If you want the access point to find the switch MAC address, leave the Injector Switch MAC Address field blank.
Note Each time an access point is relocated, the MAC address of the new switch port fails to match the remembered MAC address, and the access point remains in low-power mode. You must then physically verify the existence of a power injector and reselect this option to cause the new MAC address to be remembered.
- Override—This option allows the access point to operate in high-power mode without first verifying a matching MAC address. It is acceptable to use this option if your network does not contain any older Cisco 6-Watt switches that could be overloaded if connected directly to a 12-Watt access point. The advantage of this option is that if you relocate the access point, it continues to operate in high-power mode without any further configuration. The disadvantage of this option is that if the access point is connected directly to a 6-Watt switch, an overload occurs.
Step 6 Click Apply to commit your changes.
Step 7 If you have a dual-radio 1250 series access point and want to disable one of its radios in order to enable the other radio to receive full power, follow these steps:
a. Choose Wireless > Access Points > Radios > 802.11a/n or 802.11b/g/n to open the 802.11a/n (or 802.11b/g/n) Radios page.
b. Hover your cursor over the blue drop-down arrow for the radio that you want to disable and choose Configure.
c. On the 802.11a/n (or 802.11b/g/n) Cisco APs > Configure page, choose Disable from the Admin Status drop-down box.
d. Click Apply to commit your changes.
e. Manually reset the access point in order for the change to take effect.
Step 8 Click Save Configuration to save your settings.
Using the CLI to Configure Power over Ethernet
Using the controller CLI, enter these commands to configure and view PoE settings.
- If your network contains any older Cisco 6-Watt switches that could be accidentally overloaded if connected directly to a 12-Watt access point, enter this command:
config ap power injector enable {Cisco_AP | all} installed
The access point remembers that a power injector is connected to this particular switch port. If you relocate the access point, you must reissue this command after the presence of a new power injector is verified.
Note Make sure CDP is enabled before issuing this command. Otherwise, this command will fail. See the “Configuring Cisco Discovery Protocol” section for information on enabling CDP.
- To remove the safety checks and allow the access point to be connected to any switch port, enter this command:
config ap power injector enable {Cisco_AP | all} override
It is acceptable to use this command if your network does not contain any older Cisco 6-Watt switches that could be overloaded if connected directly to a 12-Watt access point. The access point assumes that a power injector is always connected. If you relocate the access point, it continues to assume that a power injector is present.
- If you know the MAC address of the connected switch port and do not wish to automatically detect it using the installed option, enter this command:
config ap power injector enable {Cisco_AP | all} switch_port_mac_address
- If you have a dual-radio 1250 series access point and want to disable one of its radios in order to enable the other radio to receive full power, enter this command:
config {802.11a | 802.11b} disable Cisco_AP
Note You must manually reset the access point in order for the change to take effect.
- To view the PoE settings for a specific access point, enter this command:
show ap config general Cisco_AP
Information similar to the following appears:
Cisco AP Identifier.............................. 1
Cisco AP Name.................................... AP1
PoE Pre-Standard Switch.......................... Enabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. PoE/Low Power (degraded mode)
The Power Type/Mode field shows “degraded mode” if the access point is not operating at full power.
- To view the controller's trap log, enter this command:
show traplog
If the access point is not operating at full power, the trap contains “PoE Status: degraded operation.”
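As an added example (not part of the Cisco guide), the following script parses the dotted-leader output of show ap config general for several access points and counts "PoE Status: degraded operation" entries from show traplog, so that access points running at degraded PoE power can be reported from a scheduled CLI capture rather than found by hand. The sample output and trap log lines are constructed; only the field names and the two message strings come from this section.

```python
import re

# Constructed sample of "show ap config general" output for two access points,
# modeled on the excerpt in this section (not captured from a real controller).
SAMPLE_CONFIG = """\
Cisco AP Identifier.............................. 1
Cisco AP Name.................................... AP1
PoE Pre-Standard Switch.......................... Enabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. PoE/Low Power (degraded mode)
Cisco AP Identifier.............................. 2
Cisco AP Name.................................... AP2
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. PoE/Full Power
"""

# Constructed "show traplog" lines; only the PoE message text comes from the page.
SAMPLE_TRAPLOG = ("0  Mon Jan 01 10:15:02 2010  PoE Status: degraded operation\n"
                  "1  Mon Jan 01 10:14:50 2010  AP 'AP2' joined controller\n")

# A field name, a run of leader dots, then the value.
FIELD_RE = re.compile(r"^(?P<key>.+?)\.{2,}\s*(?P<value>.*)$")


def parse_ap_config(text):
    """Split dotted-leader output into one {field: value} dict per access point."""
    aps, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Cisco AP Identifier" and current:  # next AP record begins
            aps.append(current)
            current = {}
        current[key] = value
    if current:
        aps.append(current)
    return aps


def degraded_aps(aps):
    """Names of access points whose Power Type/Mode reports degraded mode."""
    return [ap.get("Cisco AP Name", "?") for ap in aps
            if "degraded mode" in ap.get("Power Type/Mode", "")]


def degraded_trap_count(traplog):
    """Count trap log entries carrying the PoE degraded-operation message."""
    return sum("PoE Status: degraded operation" in line for line in traplog.splitlines())
```

A non-empty result from degraded_aps or a non-zero trap count is the cue to check the switch type, the Pre-Standard State setting, and the power injector configuration described above.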