Feedback
Contents
CLI Commands
The Cisco Wireless LAN solution command-line interface (CLI) enables operators to connect an ASCII console to the Cisco Wireless LAN Controller and configure the controller and its associated access points.
Show Commands
- show 802.11
- show aaa auth
- show acl
- show acl cpu
- show advanced eap
- show database summary
- show exclusionlist
- show ike
- show IPsec
- show ipv6 acl
- show ipv6 summary
- show l2tp
- show ldap
- show ldap statistics
- show ldap summary
- show local-auth certificates
- show local-auth config
- show local-auth statistics
- show nac statistics
- show nac summary
- show netuser
- show netuser guest-roles
- show network
- show network summary
- show ntp-keys
- show rules
- show switchconfig
- Show Rogue Commands
- Show TACACS Commands
- Show WPS Commands
show 802.11
Syntax Description
Examples
This example shows to display basic 802.11a network settings:
> show 802.11a 802.11a Network.................................. Enabled 11nSupport....................................... Enabled 802.11a Low Band........................... Enabled 802.11a Mid Band........................... Enabled 802.11a High Band.......................... Enabled 802.11a Operational Rates 802.11a 6M Rate.............................. Mandatory 802.11a 9M Rate.............................. Supported 802.11a 12M Rate............................. Mandatory 802.11a 18M Rate............................. Supported 802.11a 24M Rate............................. Mandatory 802.11a 36M Rate............................. Supported 802.11a 48M Rate............................. Supported 802.11a 54M Rate............................. Supported 802.11n MCS Settings: MCS 0........................................ Supported MCS 1........................................ Supported MCS 2........................................ Supported MCS 3........................................ Supported MCS 4........................................ Supported MCS 5........................................ Supported MCS 6........................................ Supported MCS 7........................................ Supported MCS 8........................................ Supported MCS 9........................................ Supported MCS 10....................................... Supported MCS 11....................................... Supported MCS 12....................................... Supported MCS 13....................................... Supported MCS 14....................................... Supported MCS 15....................................... Supported 802.11n Status: A-MPDU Tx: Priority 0............................... Enabled Priority 1............................... Disabled Priority 2............................... Disabled Priority 3............................... Disabled Priority 4............................... Disabled Priority 5............................... Disabled Priority 6............................... Disabled Priority 7............................... Disabled Beacon Interval.................................. 100 CF Pollable mandatory............................ Disabled CF Poll Request mandatory........................ Disabled --More-- or (q)uit CFP Period....................................... 4 CFP Maximum Duration............................. 60 Default Channel.................................. 36 Default Tx Power Level........................... 0 DTPC Status..................................... Enabled Fragmentation Threshold.......................... 2346 TI Threshold..................................... -50 Legacy Tx Beamforming setting.................... Disabled Traffic Stream Metrics Status.................... Enabled Expedited BW Request Status...................... Disabled World Mode....................................... Enabled EDCA profile type................................ default-wmm Voice MAC optimization status.................... Disabled Call Admission Control (CAC) configuration Voice AC: Voice AC - Admission control (ACM)............ Disabled Voice max RF bandwidth........................ 75 Voice reserved roaming bandwidth.............. 6 Voice load-based CAC mode..................... Disabled Voice tspec inactivity timeout................ Disabled Voice Stream-Size............................. 84000 Voice Max-Streams............................. 2 Video AC: Video AC - Admission control (ACM)............ Disabled Video max RF bandwidth........................ Infinite Video reserved roaming bandwidth.............. 0This example shows how to display basic 802.11h network settings:
> show 802.11h 802.11h ......................................... powerconstraint : 0 802.11h ......................................... channelswitch : Disable 802.11h ......................................... channelswitch mode : 0show aaa auth
To display the configuration settings for the AAA authentication server database, use the show aaa auth command.
show acl
To display the access control lists (ACLs) that are configured on the controller, use the show acl command.
Syntax Description
Examples
This example shows how to display a summary of the access control lists:
> show acl summary ACL Counter Status Disabled ---------------------------------------- IPv4 ACL Name Applied -------------------------------- ------- acl1 Yes acl2 Yes acl3 Yes ---------------------------------------- IPv6 ACL Name Applied -------------------------------- ------- acl6 NoThis example shows how to display the detailed information of the access control lists:
> show acl detailed acl_name Source Destination Source Port Dest Port I Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter - --- ------------------ ------------------ ---- --------- --------- ----- ------ ------- 1 Any 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 0 Deny 0 2 In 0.0.0.0/0.0.0.0 200.200.200.0/ 6 80-80 0-65535 Any Permit 0 255.255.255.0 DenyCounter : 0
NoteThe Counter field increments each time a packet matches an ACL rule, and the DenyCounter field increments each time a packet does not match any of the rules.
show acl cpu
To display the access control lists (ACLs) configured on the central processing unit (CPU), use the show acl cpu command.
show advanced eap
Examples
This example shows how to display the EAP settings:
> show advanced eap EAP-Identity-Request Timeout (seconds)........... 1 EAP-Identity-Request Max Retries................. 20 EAP Key-Index for Dynamic WEP.................... 0 EAP Max-Login Ignore Identity Response........... enable EAP-Request Timeout (seconds).................... 1 EAP-Request Max Retries.......................... 20 EAPOL-Key Timeout (milliseconds)................. 1000 EAPOL-Key Max Retries............................ 2show database summary
Examples
This example shows how to display a summary of the local database configuration:
> show database summary Maximum Database Entries......................... 2048 Maximum Database Entries On Next Reboot.......... 2048 Database Contents MAC Filter Entries........................... 2 Exclusion List Entries....................... 0 AP Authorization List Entries................ 1 Management Users............................. 1 Local Network Users.......................... 1 Local Users.............................. 1 Guest Users.............................. 0 Total..................................... 5show exclusionlist
To display a summary of all clients on the manual exclusion list (blacklisted) from associating with this Cisco wireless LAN controller, use the show exclusionlist command.
Examples
Examples
This example shows how to display the exclusion list:
> show exclusionlist No manually disabled clients. Dynamically Disabled Clients ---------------------------- MAC Address Exclusion Reason Time Remaining (in secs) ----------- ---------------- ------------------------ 00:40:96:b4:82:55 802.1X Failure 51show ike
show IPsec
To display active Internet Protocol Security (IPsec) security associations (SAs), use the show IPsec command.
Syntax Description
Examples
This example shows how to display brief information about the active Internet Protocol Security (IPsec) security associations (SAs):
> show IPsec brief 209.165.200.254Related Commands
config radius acct ipsec authentication
config radius acct ipsec disable
config radius acct ipsec enable
config radius acct ipsec encryption
config radius auth IPsec encryption
config radius auth IPsec authentication
config radius auth IPsec disable
config radius auth IPsec encryption
config radius auth IPsec ike
config trapflags IPsec
config wlan security IPsec disable
config wlan security IPsec enable
config wlan security IPsec authentication
config wlan security IPsec encryption
config wlan security IPsec config
config wlan security IPsec ike authentication
config wlan security IPsec ike dh-group
config wlan security IPsec ike lifetime
config wlan security IPsec ike phase1
config wlan security IPsec ike contivity
show ipv6 acl
To display the IPv6 access control lists (ACLs) that are configured on the controller, use the show ipv6 acl command.
Syntax Description
Examples
This example shows how to display the detailed information of the access control lists:
> show ipv6 acl detailed acl6 Rule Index....................................... 1 Direction........................................ Any IPv6 source prefix............................... ::/0 IPv6 destination prefix.......................... ::/0 Protocol......................................... Any Source Port Range................................ 0-65535 Destination Port Range........................... 0-65535 DSCP............................................. Any Flow label....................................... 0 Action........................................... Permit Counter.......................................... 0 Deny Counter................................... 0show ipv6 summary
Examples
This example shows how to display the IPv6 configuration settings:
> show ipv6 summary Global Config............................... Enabled Reachable-lifetime value.................... 300 Stale-lifetime value........................ 86400 Down-lifetime value......................... 86400 RA Throttling............................... Enabled RA Throttling allow at-least................ 1 RA Throttling allow at-most................. no-limit RA Throttling max-through................... no-limit RA Throttling throttle-period............... 60 RA Throttling interval-option............... throttle NS Mulitcast CacheMiss Forwarding........... Disabledshow ldap
To display the Lightweight Directory Access Protocol (LDAP) server information for a particular LDAP server, use the show ldap command.
Examples
This example shows how to display the detailed LDAP server information:
> show ldap 1 Server Index..................................... 1 Address.......................................... 2.3.1.4 Port............................................. 389 Enabled.......................................... Yes User DN.......................................... name1 User Attribute................................... attr1 User Type........................................ username1 Retransmit Timeout............................... 3 seconds Bind Method ..................................... Anonymousshow ldap statistics
To display all Lightweight Directory Access Protocol (LDAP) server information, use the show ldap statistics command.
Examples
This example shows how to display the LDAP server statistics:
> show ldap statistics Server Index..................................... 1 Server statistics: Initialized OK................................. 0 Initialization failed.......................... 0 Initialization retries......................... 0 Closed OK...................................... 0 Request statistics: Received....................................... 0 Sent........................................... 0 OK............................................. 0 Success........................................ 0 Authentication failed.......................... 0 Server not found............................... 0 No received attributes......................... 0 No passed username............................. 0 Not connected to server........................ 0 Internal error................................. 0 Retries........................................ 0 Server Index..................................... 2 ...show ldap summary
To display the current Lightweight Directory Access Protocol (LDAP) server status, use the show ldap summary command.
show local-auth certificates
To display local authentication certificate information, use the show local-auth certificates command:
Examples
This example shows how to display the authentication certificate information stored locally:
> show local-auth certificates Certificates available for Local EAP authentication: Certificate issuer .............................. vendor CA certificate: Subject: C=AU, ST=NSW, L=Sydney, O=Cisco Systems OU=WNBU Sydney, CN=wnbu-syd-acs-a.cisco.com Issuer: C=AU, ST=NSW, L=Sydney, O=Cisco Systems OU=WNBU Sydney, CN=wnbu-syd-acs-a.cisco.com Valid: 2005 Jun 15th, 04:53:49 GMT to 2008 Jun 15th, 05:03:34 GMT Device certificate: Subject: MAILTO=test@test.net, C=AU, ST=NSW, L=Sydney O=Cisco Systems, OU=WNBU Sydney, CN=concannon Issuer: C=AU, ST=NSW, L=Sydney, O=Cisco Systems OU=WNBU Sydney, CN=wnbu-syd-acs-a.cisco.com Valid: 2006 Aug 9th, 05:14:16 GMT to 2007 Aug 9th, 05:24:16 GMT Certificate issuer .............................. cisco CA certificate: Subject: C=US, ST=California, L=San Jose, O=airespace Inc OU=none, CN=ca, MAILTO=support@airespace.com Issuer: C=US, ST=California, L=San Jose, O=airespace Inc OU=none, CN=ca, MAILTO=support@airespace.com Valid: 2003 Feb 12th, 23:38:55 GMT to 2012 Nov 11th, 23:38:55 GMT Device certificate: Subject: C=US, ST=California, L=San Jose, O=airespace Inc CN=000b85335340, MAILTO=support@airespace.com Issuer: C=US, ST=California, L=San Jose, O=airespace Inc OU=none, CN=ca, MAILTO=support@airespace.com Valid: 2005 Feb 22nd, 10:52:58 GMT to 2014 Nov 22nd, 10:52:58 GMT Certificate issuer .............................. legacy CA certificate: Subject: C=US, ST=California, L=San Jose, O=airespace Inc OU=none, CN=ca, MAILTO=support@airespace.com Issuer: C=US, ST=California, L=San Jose, O=airespace Inc OU=none, CN=ca, MAILTO=support@airespace.com Valid: 2003 Feb 12th, 23:38:55 GMT to 2012 Nov 11th, 23:38:55 GMT Device certificate: Subject: C=US, ST=California, L=San Jose, O=airespace Inc CN=000b85335340, MAILTO=support@airespace.com Issuer: C=US, ST=California, L=San Jose, O=airespace Inc OU=none, CN=ca, MAILTO=support@airespace.com Valid: 2005 Feb 22nd, 10:52:58 GMT to 2014 Nov 22nd, 10:52:58 GMTshow local-auth config
Examples
This example shows how to display the local authentication configuration information:
> show local-auth config User credentials database search order: Primary ................................... Local DB Configured EAP profiles: Name ...................................... fast-test Certificate issuer .................... default Enabled methods ....................... fast Configured on WLANs ................... 2 EAP Method configuration: EAP-TLS: Certificate issuer .................... default Peer verification options: Check against CA certificates ..... Enabled Verify certificate CN identity .... Disabled Check certificate date validity ... Enabled EAP-FAST: TTL for the PAC ....................... 3 600 Initial client message ................ <none> Local certificate required ............ No Client certificate required ........... No Vendor certificate required ........... No Anonymous provision allowed ........... Yes Authenticator ID ...................... 7b7fffffff0000000000000000000000 Authority Information ................. Test EAP Profile.................................... tls-prof Enabled methods for this profile .......... tls Active on WLANs ........................... 1 3EAP Method configuration: EAP-TLS: Certificate issuer used ............... cisco Peer verification options: Check against CA certificates ..... disabled Verify certificate CN identity .... disabled Check certificate date validity ... disabledshow local-auth statistics
To display local Extensible Authentication Protocol (EAP) authentication statistics, use the show local-auth statistics command:
Examples
This example shows how to display the local authentication certificate statistics:
> show local-auth statistics Local EAP authentication DB statistics: Requests received ............................... 14 Responses returned .............................. 14 Requests dropped (no EAP AVP) ................... 0 Requests dropped (other reasons) ................ 0 Authentication timeouts ......................... 0 Authentication statistics: Method Success Fail ------------------------------------ Unknown 0 0 LEAP 0 0 EAP-FAST 2 0 EAP-TLS 0 0 PEAP 0 0 Local EAP credential request statistics: Requests sent to LDAP DB ........................ 0 Requests sent to File DB ........................ 2 Requests failed (unable to send) ................ 0 Authentication results received: Success ....................................... 2 Fail .......................................... 0 Certificate operations: Local device certificate load failures .......... 0 Total peer certificates checked ................. 0 Failures: CA issuer check ............................... 0 CN name not equal to identity ................. 0 Dates not valid or expired .................... 0show nac statistics
To display detailed Network Access Control (NAC) information about a Cisco wireless LAN controller, use the show nac statistics command.
Examples
This example shows how to display detailed statistics of network access control settings:
> show nac statistics Server Index....................................................... 1 Server Address..................................................... xxx.xxx.xxx.xxx Number of requests sent............................................ 0 Number of retransmissions.......................................... 0 Number of requests received........................................ 0 Number of malformed requests received.............................. 0 Number of bad auth requests received............................... 0 Number of pending requests......................................... 0 Number of timed out requests....................................... 0 Number of misc dropped request received............................ 0 Number of requests sent............................................ 0show nac summary
To display NAC summary information for a Cisco wireless LAN controller, use the show nac summary command.
Examples
This example shows how to display a summary information of network access control settings:
> show nac summary NAC ACL Name ............................................... Index Server Address Port State ----- ---------------------------------------- ---- ----- 1 xxx.xxx.xxx.xxx 13336 Enabledshow netuser
To display the configuration of a particular user in the local user database, use show netuser command.
Syntax Description
Examples
This example shows how to display a summary of all users in the local user database:
> show netuser summary Maximum logins allowed for a given username ........UnlimitedThis example shows how to display detailed information on the specified network user:
> show netuser detail john10 username........................................... abc WLAN Id............................................. Any Lifetime............................................ Permanent Description......................................... test usershow netuser guest-roles
To display a list of the current quality of service (QoS) roles and their bandwidth parameters, use the show netuser guest-roles command.
Examples
This example shows how to display a QoS role for the guest network user:
> show netuser guest-roles Role Name.............................. Contractor Average Data Rate.................. 10 Burst Data Rate.................... 10 Average Realtime Rate.............. 100 Burst Realtime Rate................ 100 Role Name.............................. Vendor Average Data Rate.................. unconfigured Burst Data Rate.................... unconfigured Average Realtime Rate.............. unconfigured Burst Realtime Rate................ unconfiguredshow network summary
To display the network configuration of the Cisco wireless LAN controller, use the show network summary command.
Examples
This example shows how to display a summary configuration:
> show network summary RF-Network Name............................. RF Web Mode.................................... Disable Secure Web Mode............................. Enable Secure Web Mode Cipher-Option High.......... Disable Secure Web Mode Cipher-Option SSLv2......... Disable Secure Web Mode RC4 Cipher Preference....... Disable OCSP........................................ Disabled OCSP responder URL.......................... Secure Shell (ssh).......................... Enable Telnet...................................... Enable Ethernet Multicast Mode..................... Disable Mode: Ucast Ethernet Broadcast Mode..................... Disable Ethernet Multicast Forwarding............... Disable Ethernet Broadcast Forwarding............... Disable AP Multicast/Broadcast Mode................. Unicast IGMP snooping............................... Disabled IGMP timeout................................ 60 seconds IGMP Query Interval......................... 20 seconds MLD snooping................................ Disabled MLD timeout................................. 60 seconds MLD query interval.......................... 20 seconds User Idle Timeout........................... 300 seconds AP Join Priority............................ Disable ARP Idle Timeout............................ 300 seconds ARP Unicast Mode............................ Disabled Cisco AP Default Master..................... Disable Mgmt Via Wireless Interface................. Disable Mgmt Via Dynamic Interface.................. Disable Bridge MAC filter Config.................... Enable Bridge Security Mode........................ EAP Over The Air Provisioning of AP's........... Enable Apple Talk ................................. Disable Mesh Full Sector DFS........................ Enable AP Fallback ................................ Disable Web Auth CMCC Support ...................... Disabled Web Auth Redirect Ports .................... 80 Web Auth Proxy Redirect ................... Disable Web Auth Captive-Bypass .................. Disable Web Auth Secure Web ....................... Enable Fast SSID Change ........................... Disabled AP Discovery - NAT IP Only ................. Enabled IP/MAC Addr Binding Check .................. Enabled CCX-lite status ............................ Disable oeap-600 dual-rlan-ports ................... Disable oeap-600 local-network ..................... Enable mDNS snooping............................... Disabled mDNS Query Interval......................... 15 minutesshow ntp-keys
show rules
Examples
This example shows how to display active internal firewall rules:
> show rules -------------------------------------------------------- Rule ID.............: 3 Ref count...........: 0 Precedence..........: 99999999 Flags...............: 00000001 ( PASS ) Source IP range: (Local stack) Destination IP range: (Local stack) -------------------------------------------------------- Rule ID.............: 25 Ref count...........: 0 Precedence..........: 99999999 Flags...............: 00000001 ( PASS ) Service Info Service name........: GDB Protocol............: 6 Source port low.....: 0 Source port high....: 0 Dest port low.......: 1000 Dest port high......: 1000 Source IP range: IP High............: 0.0.0.0 Interface..........: ANY Destination IP range: (Local stack) --------------------------------------------------------show switchconfig
To display parameters that apply to the Cisco wireless LAN controller, use the show switchconfig command.
Examples
This example shows how to display parameters that apply to the Cisco wireless LAN controller:
> show switchconfig 802.3x Flow Control Mode......................... Disabled FIPS prerequisite features....................... Enabled Boot Break....................................... Enabled secret obfuscation............................... Enabled Strong Password Check Features: case-check ...........Disabled consecutive-check ....Disabled default-check .......Disabled username-check ......DisabledShow Rogue Commands
- show rogue adhoc custom summary
- show rogue adhoc detailed
- show rogue adhoc friendly summary
- show rogue adhoc malicious summary
- show rogue adhoc unclassified summary
- show rogue adhoc summary
- show rogue ap custom summary
- show rogue ap clients
- show rogue ap detailed
- show rogue ap summary
- show rogue ap friendly summary
- show rogue ap malicious summary
- show rogue ap unclassified summary
- show rogue auto-contain
- show rogue client detailed
- show rogue client summary
- show rogue ignore-list
- show rogue rule detailed
- show rogue rule summary
show rogue adhoc custom summary
show rogue adhoc detailed
To display details of an ad-hoc rogue access point detected by the Cisco wireless LAN controller, use the show rogue adhoc client detailed command.
Syntax Description
Examples
This example shows how to display detailed ad-hoc rogue MAC address information:
> show rogue adhoc client detailed 02:61:ce:8e:a8:8c Adhoc Rogue MAC address.......................... 02:61:ce:8e:a8:8c Adhoc Rogue BSSID................................ 02:61:ce:8e:a8:8c State............................................ Alert First Time Adhoc Rogue was Reported.............. Tue Dec 11 20:45:45 2007 Last Time Adhoc Rogue was Reported............... Tue Dec 11 20:45:45 2007 Reported By AP 1 MAC Address.............................. 00:14:1b:58:4a:e0 Name..................................... AP0014.1ced.2a60 Radio Type............................... 802.11b SSID..................................... rf4k3ap Channel.................................. 3 RSSI..................................... -56 dBm SNR...................................... 15 dB Encryption............................... Disabled ShortPreamble............................ Disabled WPA Support.............................. Disabled Last reported by this AP............... Tue Dec 11 20:45:45 2007show rogue adhoc friendly summary
To display information about friendly rogue ad-hoc rogue access points, use the show rogue adhoc friendly summary command.
Examples
This example shows how to display information about friendly rogue ad-hoc rogue access points:
> show rogue adhoc friendly summary Number of Adhocs............................0 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- -----------------------show rogue adhoc malicious summary
To display information about malicious rogue ad-hoc rogue access points, use the show rogue adhoc malicious summary command.
Examples
This example shows how to display details of malicious rogue ad-hoc rogue access points:
> show rogue adhoc malicious summary Number of Adhocs............................0 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- -----------------------show rogue adhoc unclassified summary
To display information about unclassified rogue ad-hoc rogue access points, use the show rogue adhoc unclassified summary command.
Examples
This example shows how to display information about unclassified rogue ad-hoc rogue access points:
> show rogue adhoc unclassified summary Number of Adhocs............................0 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- -----------------------show rogue adhoc summary
To display a summary of the ad-hoc rogue access points detected by the Cisco wireless LAN controller, use the show rogue adhoc summary command.
Examples
This example shows how to display a summary of all ad-hoc rogues:
> show rogue adhoc summary Detect and report Ad-Hoc Networks................ Enabled Client MAC Address Adhoc BSSID State # APs Last Heard ------------------ ----------- ----- --- ------- xx:xx:xx:xx:xx:xx super Alert 1 Sat Aug 9 21:12:50 2004 xx:xx:xx:xx:xx:xx Alert 1 Aug 9 21:12:50 2003 xx:xx:xx:xx:xx:xx Alert 1 Sat Aug 9 21:10:50 2003show rogue ap custom summary
To display information about custom rogue ad-hoc rogue access points, use the show rogue adhoc custom summary command.
Examples
This example shows how to display details of custom rogue ad-hoc rogue access points:
> show rogue ap custom summary Number of APs............................0 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- -----------------------Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap clients
To display details of rogue access point clients detected by the Cisco wireless LAN controller, use the show rogue ap clients command.
Syntax Description
Examples
This example shows how to display details of rogue access point clients:
> show rogue ap clients xx:xx:xx:xx:xx:xx MAC Address State # APs Last Heard ----------------- ------------------ ----- ------------------------- 00:bb:cd:12:ab:ff Alert 1 Fri Nov 30 11:26:23 2007Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap detailed
To display details of a rogue access point detected by the Cisco wireless LAN controller, use the show rogue-ap detailed command.
Syntax Description
Examples
This example shows how to display detailed information of a rogue access point:
> show rogue ap detailed xx:xx:xx:xx:xx:xx Rogue BSSID...................................... 00:0b:85:63:d1:94 Is Rogue on Wired Network........................ No Classification................................... Unclassified State............................................ Alert First Time Rogue was Reported.................... Fri Nov 30 11:24:56 2007 Last Time Rogue was Reported..................... Fri Nov 30 11:24:56 2007 Reported By AP 1 MAC Address.............................. 00:12:44:bb:25:d0 Name..................................... flexconnect Radio Type............................... 802.11g SSID..................................... edu-eap Channel.................................. 6 RSSI..................................... -61 dBm SNR...................................... -1 dB Encryption............................... Enabled ShortPreamble............................ Enabled WPA Support.............................. Disabled Last reported by this AP.............. Fri Nov 30 11:24:56 2007This example shows how to display detailed information of a rogue access point with a customized classification:
> show rogue ap detailed xx:xx:xx:xx:xx:xx Rogue BSSID...................................... 00:17:0f:34:48:a0 Is Rogue on Wired Network........................ No Classification................................... custom Severity Score .................................. 1 Class Name........................................VeryMalicious Class Change by.................................. Rogue Rule Classified at ................................... -60 dBm Classified by.................................... c4:0a:cb:a1:18:80 State............................................ Contained State change by.................................. Rogue Rule First Time Rogue was Reported.................... Mon Jun 4 10:31:18 2012 Last Time Rogue was Reported..................... Mon Jun 4 10:31:18 2012 Reported By AP 1 MAC Address.............................. c4:0a:cb:a1:18:80 Name..................................... SHIELD-3600-2027 Radio Type............................... 802.11g SSID..................................... sri Channel.................................. 11 RSSI..................................... -87 dBm SNR...................................... 4 dB Encryption............................... Enabled ShortPreamble............................ Enabled WPA Support.............................. Enabled Last reported by this AP................. Mon Jun 4 10:31:18 2012Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap summary
To display a summary of the rogue access points detected by the Cisco wireless LAN controller, use the show rogue-ap summary command.
Examples
This example shows how to display a summary of all rogue access points:
> show rogue ap summary Rogue Location Discovery Protocol................ Disabled Rogue ap timeout................................. 1200 Rogue on wire Auto-Contain....................... Disabled Rogue using our SSID Auto-Contain................ Disabled Valid client on rogue AP Auto-Contain............ Disabled Rogue AP timeout................................. 1200 Rogue Detection Report Interval.................. 10 Rogue Detection Min Rssi......................... -128 Rogue Detection Transient Interval............... 0 Rogue Detection Client Num Thershold............. 0 Total Rogues(AP+Ad-hoc) supported................ 2000 Total Rogues classified.......................... 729 MAC Address Classification # APs # Clients Last Heard ----------------- ------------------ ----- --------- ----------------------- xx:xx:xx:xx:xx:xx friendly 1 0 Thu Aug 4 18:57:11 2005 xx:xx:xx:xx:xx:xx malicious 1 0 Thu Aug 4 19:00:11 2005 xx:xx:xx:xx:xx:xx malicious 1 0 Thu Aug 4 18:57:11 2005 xx:xx:xx:xx:xx:xx malicious 1 0 Thu Aug 4 18:57:11 2005Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap friendly summary
To display a list of the friendly rogue access points detected by the controller, use the show rogue-ap friendly summary command.
Examples
This example shows how to display a summary of all friendly rogue access points:
> show rogue ap friendly summary Number of APs.................................... 1 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- --------------------------- XX:XX:XX:XX:XX:XX Internal 1 0 Tue Nov 27 13:52:04 2007Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap malicious summary
To display a list of the malicious rogue access points detected by the controller, use the show rogue ap malicious summary command.
Examples
This example shows how to display a summary of all malicious rogue access points:
> show rogue ap malicious summary Number of APs.................................... 2 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- --------------------------- XX:XX:XX:XX:XX:XX Alert 1 0 Tue Nov 27 13:52:04 2007 XX:XX:XX:XX:XX:XX Alert 1 0 Tue Nov 27 13:52:04 2007Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap unclassified summary
To display a list of the unclassified rogue access points detected by the controller, use the show rogue ap unclassified summary command.
Examples
This example shows how to display a list of all unclassified rogue access points:
> show rogue ap unclassified summary Number of APs.................................... 164 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- ----------------------- XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:12:52 2007 XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:29:01 2007 XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:26:23 2007 XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:26:23 2007Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue auto-contain
show rogue client detailed
To display details of a rogue client detected by a Cisco wireless LAN controller, use the show rogue client detailed command.
Syntax Description
Examples
This example shows how to display detailed information for a rogue client:
> show rogue client detailed xx:xx:xx:xx:xx:xx Rogue BSSID...................................... 00:0b:85:23:ea:d1 State............................................ Alert First Time Rogue was Reported.................... Mon Dec 3 21:50:36 2007 Last Time Rogue was Reported..................... Mon Dec 3 21:50:36 2007 Rogue Client IP address.......................... Not known Reported By AP 1 MAC Address.............................. 00:15:c7:82:b6:b0 Name..................................... AP0016.47b2.31ea Radio Type............................... 802.11a RSSI..................................... -71 dBm SNR...................................... 23 dB Channel.................................. 149 Last reported by this AP.............. Mon Dec 3 21:50:36 2007show rogue client summary
To display a summary of the rogue clients detected by the Cisco wireless LAN controller, use the show rogue client summary command.
Examples
This example shows how to display a list of all rogue clients:
> show rogue client summary Validate rogue clients against AAA............... Disabled Total Rogue Clients supported.................... 2500 Total Rogue Clients present...................... 3 MAC Address State # APs Last Heard ----------------- ------------------ ----- ----------------------- xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:09:11 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:03:11 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:03:11 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:09:11 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 18:57:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:12:08 2005show rogue ignore-list
To display a list of rogue access points that are configured to be ignored, use the show rogue ignore-list command.
Examples
This example shows how to display a list of all rogue access points that are configured to be ignored:
> show rogue ignore-list MAC Address ----------------- xx:xx:xx:xx:xx:xxRelated Commands
config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
config trapflags rogueap
show rogue ignore-list
show rogue client summary
show rogue ap unclassified summary
show rogue ap malicious summary
show rogue ap friendly summary
config rogue client
show rogue ap summary
show rogue ap clients
show rogue ap detailed
config rogue rule
show rogue rule detailed
To display detailed information for a specific rogue classification rule, use the show rogue rule detailed command.
Syntax Description
Examples
This example shows how to display detailed information on a specific rogue classification rule:
> show rogue rule detailed Rule2 Priority......................................... 2 Rule Name........................................ Rule2 State............................................ Enabled Type............................................. Malicious Severity Score................................... 1 Class Name....................................... Very_Malicious Notify........................................... All State ........................................... Contain Match Operation.................................. Any Hit Count........................................ 352 Total Conditions................................. 2 Condition 1 type......................................... Client-count value........................................ 10 Condition 2 type......................................... Duration value (seconds).............................. 2000 Condition 3 type......................................... Managed-ssid value........................................ Enabled Condition 4 type......................................... No-encryption value........................................ Enabled Condition 5 type......................................... Rssi value (dBm).................................. -50 Condition 6 type......................................... Ssid SSID Count................................... 1 SSID 1.................................... testshow rogue rule summary
To display the rogue classification rules that are configured on the controller, use the show rogue rule summary command.
Examples
This example shows how to display a list of all rogue rules that are configured on the controller:
> show rogue rule summary Priority Rule Name State Type Match Hit Count -------- ----------------------- -------- ------------- ----- --------- 1 mtest Enabled Malicious All 0 2 asdfasdf Enabled Malicious All 0This example shows how to display a list of all rogue rules that are configured on the controller:
> show rogue rule summary Priority Rule Name Rule state Class Type Notify State Match Hit Count -------- -------------------------------- ----------- ----------- -------- -------- ------ --------- 1 rule2 Enabled Friendly Global Alert All 234 2 rule1 Enabled Custom Global Alert All 0Show TACACS Commands
- show tacacs acct statistics
- show tacacs athr statistics
- show tacacs auth statistics
- show tacacs summary
show tacacs acct statistics
To display detailed radio frequency identification (RFID) information for a specified tag, use the show tacacs acct statistics command.
Examples
This example shows how to display detailed RFID information:
> show tacacs acct statistics Accounting Servers: Server Index..................................... 1 Server Address................................... 10.0.0.0 Msg Round Trip Time.............................. 0 (1/100 second) First Requests................................... 1 Retry Requests................................... 0 Accounting Response.............................. 0 Accounting Request Success....................... 0 Accounting Request Failure....................... 0 Malformed Msgs................................... 0 Bad Authenticator Msgs........................... 0 Pending Requests................................. -1 Timeout Requests................................. 1 Unknowntype Msgs................................. 0 Other Drops...................................... 0show tacacs athr statistics
Examples
This example shows how to display TACACS server authorization statistics:
> show tacacs athr statistics Authorization Servers: Server Index..................................... 3 Server Address................................... 10.0.0.3 Msg Round Trip Time.............................. 0 (1/100 second) First Requests................................... 0 Retry Requests................................... 0 Received Responses............................... 0 Authorization Success............................ 0 Authorization Failure............................ 0 Challenge Responses.............................. 0 Malformed Msgs................................... 0 Bad Authenticator Msgs........................... 0 Pending Requests................................. 0 Timeout Requests................................. 0 Unknowntype Msgs................................. 0 Other Drops...................................... 0show tacacs auth statistics
Examples
This example shows how to display TACACS server authentication statistics:
> show tacacs auth statistics Authentication Servers: Server Index..................................... 2 Server Address................................... 10.0.0.2 Msg Round Trip Time.............................. 0 (msec) First Requests................................... 0 Retry Requests................................... 0 Accept Responses................................. 0 Reject Responses................................. 0 Error Responses.................................. 0 Restart Responses................................ 0 Follow Responses................................. 0 GetData Responses................................ 0 Encrypt no secret Responses...................... 0 Challenge Responses.............................. 0 Malformed Msgs................................... 0 Bad Authenticator Msgs........................... 0 Pending Requests................................. 0 Timeout Requests................................. 0 Unknowntype Msgs................................. 0 Other Drops...................................... 0show tacacs summary
Examples
This example shows how to display TACACS server summary information:
> show tacacs summary Authentication Servers Idx Server Address Port State Tout --- ---------------- ------ -------- ---- 2 10.0.0.2 6 Enabled 30 Accounting Servers Idx Server Address Port State Tout --- ---------------- ------ -------- ---- 1 10.0.0.0 10 Enabled 2 Authorization Servers Idx Server Address Port State Tout --- ---------------- ------ -------- ---- 3 10.0.0.3 4 Enabled 2 ...Show WPS Commands
Use the show wps commands to display Wireless Protection System (WPS) settings.
- show wps ap-authentication summary, page 2-304
- show wps cids-sensor, page 2-305
- show wps mfp, page 2-306
- show wps shun-list, page 2-307
- show wps signature detail, page 2-308
- show wps signature events, page 2-309
- show wps signature summary, page 2-310
- show wps summary, page 2-311
- show wps wips statistics, page 2-313
- show wps wips summary, page 2-314
- show wps ap-authentication summary
- show wps cids-sensor
- show wps mfp
- show wps shun-list
- show wps signature detail
- show wps signature events
- show wps signature summary
- show wps summary
- show wps wips statistics
- show wps wips summary
show wps ap-authentication summary
To display the access point neighbor authentication configuration on the controller, use the show wps ap-authentication summary command.
show wps cids-sensor
To display Intrusion Detection System (IDS) sensor summary information or detailed information on a specified Wireless Protection System (WPS) IDS sensor, use the show wps cids-sensor command.
Syntax Description
Examples
This example shows how to display all settings for the selected sensor:
> show wps cids-sensor detail1 IP Address....................................... 10.0.0.51 Port............................................. 443 Query Interval................................... 60 Username......................................... Sensor_user1 Cert Fingerprint................................. SHA1: 00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00 Query State...................................... Disabled Last Query Result................................ Unknown Number of Queries Sent........................... 0show wps mfp
Syntax Description
Examples
This example shows how to display a summary of the MFP configuration and status:
> show wps mfp summary Global Infrastructure MFP state.................. DISABLED (*all infrastructure settings are overridden) Controller Time Source Valid..................... False WLAN Infra. Client WLAN ID WLAN Name Status Protection Protection ------- ------------------------- --------- ---------- ---------- 1 homeap Disabled *Enabled Optional but inactive (WPA2 not configured) 2 7921 Enabled *Enabled Optional but inactive (WPA2 not configured) 3 open1 Enabled *Enabled Optional but inactive (WPA2 not configured) 4 7920 Enabled *Enabled Optional but inactive (WPA2 not configured) Infra. Operational --Infra. Capability-- AP Name Validation Radio State Protection Validation -------------------- ---------- ----- -------------- ---------- ---------- AP1252AG-EW *Enabled b/g Down Full Full a Down Full FullThis example shows how to display the MFP statistics:
> show wps mfp statistics BSSID Radio Validator AP Last Source Addr Found Error Type Count Frame Types ----------------- ----- -------------------- ----------------- ------ ---------- ---- ---------- ----------- no errorsshow wps shun-list
show wps signature detail
Syntax Description
Examples
This example shows how to display information on the attacks detected by standard signature 1:
> show wps signature detail 1 Signature-ID..................................... 1 Precedence....................................... 1 Signature Name................................... Bcast deauth Type............................................. standard FrameType........................................ management State............................................ enabled Action........................................... report Tracking......................................... per Signature and Mac Signature Frequency.............................. 500 pkts/interval Signature Mac Frequency.......................... 300 pkts/interval Interval......................................... 10 sec Quiet Time....................................... 300 sec Description...................................... Broadcast Deauthentication Frame Patterns: 0(Header):0x0:0x0 4(Header):0x0:0x0show wps signature events
To display more information about the attacks detected by a particular standard or custom signature, use the show wps signature events command.
Syntax Description
Examples
This example shows how to display the number of attacks detected by all enabled signatures:
> show wps signature events summary Precedence Signature Name Type # Events ---------- -------------------- -------- -------- 1 Bcast deauth Standard 2 2 NULL probe resp 1 Standard 1This example shows how to display a summary of information on the attacks detected by standard signature 1:
> show wps signature events standard 1 summary Precedence....................................... 1 Signature Name................................... Bcast deauth Type............................................. Standard Number of active events.......................... 2 Source MAC Addr Track Method Frequency # APs Last Heard ----------------- -------------- --------- ----- ------------------------ 00:a0:f8:58:60:dd Per Signature 50 1 Wed Oct 25 15:03:05 2006 00:a0:f8:58:60:dd Per Mac 30 1 Wed Oct 25 15:02:53 2006show wps signature summary
To see individual summaries of all of the standard and custom signatures installed on the controller, use the show wps signature summary command.
Examples
This example shows how to display a summary of all of the standard and custom signatures:
> show wps signature summary Signature-ID..................................... 1 Precedence....................................... 1 Signature Name................................... Bcast deauth Type............................................. standard FrameType........................................ management State............................................ enabled Action........................................... report Tracking......................................... per Signature and Mac Signature Frequency.............................. 50 pkts/interval Signature Mac Frequency.......................... 30 pkts/interval Interval......................................... 1 sec Quiet Time....................................... 300 sec Description...................................... Broadcast Deauthentication Frame Patterns: 0(Header):0x00c0:0x00ff 4(Header):0x01:0x01 ...show wps summary
Examples
This example shows how to display WPS summary information:
> show wps summary Auto-Immune Auto-Immune.................................... Disabled Client Exclusion Policy Excessive 802.11-association failures.......... Enabled Excessive 802.11-authentication failures....... Enabled Excessive 802.1x-authentication................ Enabled IP-theft....................................... Enabled Excessive Web authentication failure........... Enabled Trusted AP Policy Management Frame Protection.................... Disabled Mis-configured AP Action....................... Alarm Only Enforced encryption policy................... none Enforced preamble policy..................... none Enforced radio type policy................... none Validate SSID................................ Disabled Alert if Trusted AP is missing................. Disabled Trusted AP timeout............................. 120 Untrusted AP Policy Rogue Location Discovery Protocol.............. Disabled RLDP Action.................................. Alarm Only Rogue APs Rogues AP advertising my SSID................ Alarm Only Detect and report Ad-Hoc Networks............ Enabled Rogue Clients Validate rogue clients against AAA........... Enabled Detect trusted clients on rogue APs.......... Alarm Only Rogue AP timeout............................... 1300 Signature Policy Signature Processing........................... Enabled ...show wps wips statistics
To display the current state of the Cisco Wireless Intrusion Prevention System (wIPS) operation on the controller, use the show wps wips statistics command.
Examples
This example shows how to display the statistics of the wIPS operation:
> show wps wips statistics Policy Assignment Requests............ 1 Policy Assignment Responses........... 1 Policy Update Requests................ 0 Policy Update Responses............... 0 Policy Delete Requests................ 0 Policy Delete Responses............... 0 Alarm Updates......................... 13572 Device Updates........................ 8376 Device Update Requests................ 0 Device Update Responses............... 0 Forensic Updates...................... 1001 Invalid WIPS Payloads................. 0 Invalid Messages Received............. 0 NMSP Transmitted Packets.............. 22950 NMSP Transmit Packets Dropped......... 0 NMSP Largest Packet................... 1377show wps wips summary
To display the adaptive Cisco Wireless Intrusion Prevention System (wIPS) configuration that the Wireless Control System (WCS) forwards to the controller, use the show wps wips summary command.
Config Commands
- config 802.11b preamble
- config aaa auth
- config aaa auth mgmt
- config acl apply
- config acl counter
- config acl create
- config acl cpu
- config acl delete
- config acl rule
- config auth-list add
- config auth-list ap-policy
- config auth-list delete
- config advanced eap
- config advanced timers auth-timeout
- config advanced timers eap-timeout
- config advanced timers eap-identity-request-delay
- config cts sxp
- config cts sxp connection
- config cts sxp default password
- config cts sxp retry period
- config database size
- config exclusionlist
- config ldap
- config ldap add
- config ldap simple-bind
- config local-auth active-timeout
- config local-auth eap-profile
- config local-auth method fast
- config local-auth user-credentials
- config ipv6 acl
- config netuser add
- config netuser delete
- config netuser description
- config network bridging-shared-secret
- config network web-auth captive-bypass
- config network web-auth port
- config network web-auth proxy-redirect
- config network web-auth secureweb
- config network webmode
- config network web-auth
- Configure RADIUS Account Commands
- Configure RADIUS Authentication Server Commands
- Configure Rogue Commands
- Configure TACACS Commands
- Configure Wireless LAN Security Commands
- Configure WPS Commands
config 802.11b preamble
To change the 802.11b preamble as defined in subclause 18.2.2.2 to long (slower, but more reliable) or short (faster, but less reliable), use the config 802.11b preamble command.
Syntax Description
Usage Guidelines
NoteYou must reboot the Cisco Wireless LAN Controller (reset system) with save to implement this command.
This parameter must be set to long to optimize this Cisco wireless LAN controller for some clients, including SpectraLink NetLink telephones.
This command can be used any time that the CLI interface is active.
config aaa auth
To configure the AAA authentication search order for management users, use the config aaa auth command.
Syntax Description
Usage Guidelines
You can enter two AAA server types as long as one of the server types is local. You cannot enter radius and tacacs together.
config aaa auth mgmt
To configure the order of authentication when multiple databases are configured, use the config aaa auth mgmt command.
Syntax Description
(Optional) Configures the order of authentication for RADIUS servers.
(Optional) Configures the order of authentication for TACACS servers.
config acl apply
Syntax Description
Usage Guidelines
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
config acl counter
To see if packets are hitting any of the access control lists (ACLs) configured on your controller, use the config acl counter command.
Syntax Description
Usage Guidelines
ACL counters are available only on the following controllers: 4400 series, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch.
config acl create
Syntax Description
Usage Guidelines
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
config acl cpu
config acl delete
Syntax Description
Usage Guidelines
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
config acl rule
config aclrule { action rule_name rule_index { permit | deny} | add rule_name rule_index | change index rule_name old_index new_index | delete rule_name rule_index | destination address rule_name rule_index ip_address netmask | destination port range rule_name rule_index start_port end_port | direction rule_name rule_index { in | out | any} | dscp rule_name rule_index dscp | protocol rule_name rule_index protocol | source address rule_name rule_index ip_address netmask | source port range rule_name rule_index start_port end_port | swap index rule_name index_1 index_2}
Syntax Description
Usage Guidelines
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
config auth-list add
Syntax Description
config auth-list ap-policy
config auth-list delete
config advanced eap
To configure advanced extensible authentication protocol (EAP) settings, use the config advanced eap command.
config advanced eap { bcast-key-interval seconds | eapol-key-timeout timeout | eapol-key-retries retries | identity-request-timeout timeout | identity-request-retries retries | key-index index | max-login-ignore-identity-response { enable | disable} request-timeout timeout | request-retries retries}
Syntax Description
config advanced timers auth-timeout
config advanced timers eap-timeout
config advanced timers eap-identity-request-delay
To configure the advanced Extensible Authentication Protocol (EAP) identity request delay in seconds, use the config advanced timers eap-identity-request-delay command.
Syntax Description
config cts sxp
config cts sxp connection
To configure a Cisco TrustSec SXP (CTS) connection on the controller, use the config cts sxp connection command.
Syntax Description
config cts sxp default password
To configure the default password for MD5 Authentication of SXP messages, use the config cts sxp default password command.
Syntax Description
Default password for MD5 Authentication of SXP messages. The password should contain a minimum of six characters.
config cts sxp retry period
config database size
config exclusionlist
Syntax Description
Examples
This example shows how to create a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:
> config exclusionlist add xx:xx:xx:xx:xx:xx labThis example shows how to delete a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:
> config exclusionlist delete xx:xx:xx:xx:xx:xx labconfig ldap
config ldap add
To configure a Lightweight Directory Access Protocol (LDAP) server, use the config ldap add command.
Syntax Description
config ldap simple-bind
To configure the local authentication bind method for the Lightweight Directory Access Protocol (LDAP) server, use the config ldap simple-bind command.
Syntax Description
config local-auth active-timeout
To specify the amount of time in which the controller attempts to authenticate wireless clients using local Extensible Authentication Protocol (EAP) after any pair of configured RADIUS servers fails, use the config local-auth active-timeout command.
Syntax Description
config local-auth eap-profile
To configure local Extensible Authentication Protocol (EAP) authentication profiles, use the config local-auth eap-profile command.
config local-auth eap-profile {[ add | delete] profile_name | cert-issuer { cisco | vendor} | method method local-cert { enable | disable} profile_name | method method client-cert { enable | disable} profile_name | method method peer-verify ca-issuer { enable | disable} | method method peer-verify cn-verify{ enable | disable} | method method peer-verify date-valid { enable | disable}
Syntax Description
Examples
This example shows how to create a local EAP profile named FAST01:
> config local-auth eap-profile add FAST01This example shows how to add the EAP-FAST method to a local EAP profile:
> config local-auth eap-profile method add fast FAST01This example shows how to specify Cisco as the issuer of the certificates that will be sent to the client for an EAP-FAST profile:
> config local-auth eap-profile method fast cert-issuer ciscoThis example shows how to specify that the incoming certificate from the client be validated against the CA certificates on the controller:
> config local-auth eap-profile method fast peer-verify ca-issuer enableconfig local-auth method fast
config local-auth method fast { anon-prov [ enable | disable] | authority-id auth_id pac-ttl days | server-key key_value}
Syntax Description
Examples
This example shows how to disable the controller to allows anonymous provisioning:
> config local-auth method fast anon-prov disableThis example shows how to configure the authority identifier 0125631177 of the local EAP-FAST server:
> config local-auth method fast authority-id 0125631177This example shows how to configure the number of days to 10 for the PAC to remain viable:
> config local-auth method fast pac-ttl 10config local-auth user-credentials
To configure the local Extensible Authentication Protocol (EAP) authentication database search order for user credentials, use the config local-auth user credentials command.
Syntax Description
Specifies that the local database is searched for the user credentials.
(Optional) Specifies that the Lightweight Directory Access Protocol (LDAP) database is searched for the user credentials.
config ipv6 acl
To create or delete an IPv6 acl on the Cisco wireless LAN controller, use the config ipv6 acl command.
config ipv6 acl { apply ipv6_acl_name | create ipv6_acl_name | delete ipv6_acl_name | rule { action rule_name rule_index { permit | deny} | add rule_name rule_index | change index rule_name old_index new_index | delete rule_name rule_index | destination address rule_name rule_index ip_address netmask | destination port range rule_name rule_index start_port end_port | direction rule_name rule_index { in | out | any} | dscp rule_name rule_index dscp | protocol rule_name rule_index protocol | source address rule_name rule_index ip_address netmask | source port range rule_name rule_index start_port end_port | swap index rule_name index_1 index_2}}
Syntax Description
IPv6 ACL name that contains up to 32 alphanumeric characters.
destination port range
Configure a rule's destination port range.
Usage Guidelines
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
config netuser add
To add a guest user on a WLAN or wired guest LAN to the local user database on the controller, use the config netuser add command.
config netuser add username password { wlan wlan_id | guestlan guestlan_id} userType guest lifetime lifetime description description
Syntax Description
Usage Guidelines
Local network usernames must be unique because they are stored in the same database.
Examples
This example shows how to add a permanent username Jane to the wireless network for 1 hour:
> config netuser add jane able2 1 wlan_id 1 userType permanentThis example shows how to add a guest username George to the wireless network for 1 hour:
> config netuser add george able1 guestlan 1 3600config netuser delete
config netuser description
Syntax Description
Network username. The username can contain up to 24 alphanumeric characters.
(Optional) User description. The description can be up to 32 alphanumeric characters enclosed in double quotes.
config network bridging-shared-secret
Syntax Description
Usage Guidelines
This command creates a secret that encrypts backhaul user data for the mesh access points that connect to the switch.
The zero-touch configuration must be enabled for this command to work.
config network web-auth captive-bypass
To configure the controller to support bypass of captive portals at the network level, use the config network web-auth captive-bypass command.
Syntax Description
config network web-auth port
To configure an additional port to be redirected for web authentication at the network level, use the config network web-auth port command.
Syntax Description
config network web-auth proxy-redirect
To configure proxy redirect support for web authentication clients, use the config network web-auth proxy-redirect command.
Syntax Description
Allows proxy redirect support for web authentication clients.
Disallows proxy redirect support for web authentication clients.
config network web-auth secureweb
To configure the secure web (https) authentication for clients, use the config network web-auth secureweb command.
Syntax Description
config network web-auth
Syntax Description
Configures additional ports for web authentication redirection.
Configures proxy redirect support for web authentication clients.
Enables proxy redirect support for web authentication clients.
Note Web-auth proxy redirection will be enabled for ports 80, 8080, and 3128, along with user defined port 345.
Disables proxy redirect support for web authentication clients.
Configure RADIUS Account Commands
- config radius acct
- config radius acct ipsec authentication
- config radius acct ipsec disable
- config radius acct ipsec enable
- config radius acct ipsec encryption
- config radius acct ipsec ike
- config radius acct mac-delimiter
- config radius acct network
- config radius acct retransmit-timeout
config radius acct
To add, delete, or configure settings for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct command.
config radius acct {{ enable | disable | delete} index} | add index server_ip port { ascii | hex} secret}
Syntax Description
RADIUS server index. The controller begins the search with 1.
RADIUS server’s UDP port number for the interface protocols.
Command Default
When adding a RADIUS server, the port number defaults to 1813 and the state is enabled.
config radius acct ipsec authentication
To configure IPsec authentication for the Cisco wireless LAN controller, use the config radius acct ipsec authentication command.
Syntax Description
config radius acct ipsec disable
config radius acct ipsec enable
config radius acct ipsec encryption
To configure IPsec encryption for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec encryption command.
Syntax Description
config radius acct ipsec ike
To configure Internet Key Exchange (IKE) for the Cisco wireless LAN controller, use the config radius acct ipsec command.
config radius acct ipsec ike dh-group { group-1 | group-2 | group-5} | lifetime seconds | phase1 { aggressive | main}} index
Syntax Description
config radius acct mac-delimiter
To specify the delimiter to be used in the MAC addresses that are sent to the RADIUS accounting server, use the config radius acct mac-delimiter command.
Syntax Description
Sets the delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).
Sets the delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).
Sets the delimiter to a single hyphen (for example, xxxxxx-xxxxxx).
config radius acct network
Syntax Description
Enables the server as a network user’s default RADIUS server.
Disables the server as a network user’s default RADIUS server.
config radius acct retransmit-timeout
To change the default transmission timeout for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct retransmit-timeout command.
Syntax Description
Configure RADIUS Authentication Server Commands
- config radius auth
- config radius auth IPsec authentication
- config radius auth IPsec disable
- config radius auth IPsec encryption
- config radius auth IPsec ike
- config radius auth keywrap
- config radius auth mac-delimiter
- config radius auth management
- config radius auth mgmt-retransmit-timeout
- config radius auth network
- config radius auth retransmit-timeout
- config radius auth rfc3576
- config radius auth server-timeout
- config radius aggressive-failover disabled
- config radius backward compatibility
- config radius callStationIdCase
- config radius callStationIdType
- config radius fallback-test
config radius auth
To add, delete, or configure settings for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth command.
config radius auth {{ enable | disable | delete} index | add index server_ip port { ascii | hex} secret}
Syntax Description
RADIUS server index. The controller begins the search with 1.
Adds a RADIUS authentication server. See the “Defaults” section.
RADIUS server’s UDP port number for the interface protocols.
Command Default
When adding a RADIUS server, the port number defaults to 1813 and the state is enabled.
config radius auth IPsec authentication
To configure IPsec support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec authentication command.
Syntax Description
config radius auth IPsec disable
To disable IPsec support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec disable command.
Syntax Description
config radius auth IPsec encryption
To configure IPsec encryption support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec encryption command.
Syntax Description
config radius auth IPsec ike
To configure Internet Key Exchange (IKE) for the Cisco wireless LAN controller, use the config radius auth IPsec ike command.
config radius auth IPsec ike { dh-group { group-1 | group-2 | group-5} | lifetime seconds | phase1 { aggressive | main}} index
Syntax Description
config radius auth keywrap
To enable and configure Advanced Encryption Standard (AES) key wrap, which makes the shared secret between the controller and the RADIUS server more secure, use the config radius auth keywrap command.
Syntax Description
config radius auth mac-delimiter
To specify a delimiter to be used in the MAC addresses that are sent to the RADIUS authentication server, use the config radius auth mac-delimiter command.
Syntax Description
Sets a delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).
Sets a delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).
Sets a delimiter to a single hyphen (for example, xxxxxx-xxxxxx).
config radius auth management
To configure a default RADIUS server for management users, use the config radius auth management command.
Syntax Description
Enables the server as a management user’s default RADIUS server.
Disables the server as a management user’s default RADIUS server.
config radius auth mgmt-retransmit-timeout
To configure a default RADIUS server retransmission timeout for management users, use the config radius auth mgmt-retransmit-timeout command.
Syntax Description
config radius auth network
config radius auth retransmit-timeout
To change a default transmission timeout for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth retransmit-timeout command.
Syntax Description
config radius auth rfc3576
To configure RADIUS RFC-3576 support for the authentication server for the Cisco wireless LAN controller, use the config radius auth rfc3576 command.
Syntax Description
Usage Guidelines
RFC 3576, which is an extension to the RADIUS protocol, allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session. Disconnect messages cause a user session to be terminated immediately; CoA messages modify session authorization attributes such as data filters.
config radius auth server-timeout
To configure a retransmission timeout value for a RADIUS accounting server, use the config radius auth server-timeout command.
Syntax Description
config radius aggressive-failover disabled
To configure the controller to mark a RADIUS server as down (not responding) after the server does not reply to three consecutive clients, use the config radius aggressive-failover disabled command.
config radius backward compatibility
config radius callStationIdCase
To configure callStationIdCase information sent in RADIUS messages for the Cisco wireless LAN controller, use the config radius callStationIdCase command.
Syntax Description
config radius callStationIdType
To configure the callStationIdType information sent in RADIUS messages for the Cisco wireless LAN controller, use the config radius callStationIdType command.
config radius callStationIdType { ipaddr | macaddr | ap-macaddr | ap-macaddr-ssid | ap-group-name | flex-group-name | ap-name | ap-name-ssid | ap-location| vlan-id}
Syntax Description
Configures the Call Station ID type to use the IP address (only Layer 3).
Configures the Call Station ID type to use the system’s MAC address (Layers 2 and 3).
Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3).
Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3) in the format <AP MAC address>:<SSID>
ap-group-name
Configures the Call Station ID type to use the AP group name. If the AP is not part of any AP group, “default-group” is taken as the AP group name.
flex-group-name
Configures the Call Station ID type to use the FlexConnect group name. If the FlexConnect AP is not part of any FlexConnect group, the system MAC address is taken as the Call Station ID.
ap-name
Configures the Call Station ID type to use the access point’s name.
ap-name-ssid
Configures the Call Station ID type to use the access point’s name in the format <AP name>:<SSID>
ap-location
Configures the Call Station ID type to use the access point’s location.
vlan-id
Configures the Call Station ID type to use the system’s VLAN-ID.
Usage Guidelines
The controller sends the Called Station ID attribute to the RADIUS server in all authentication and accounting packets . The Called Station ID attribute can be used to classify users to different groups based on the attribute value. The command is applicable only for the Called Station and not for the Calling Station.
You cannot send only the SSID as the Called-Station-ID, you can only combine the SSID with either the access point MAC address or the access point name.
Examples
This example shows how to configure the call station ID type to use the IP address:
> config radius callStationIdType ipAddrThis example shows how to configure the call station ID type to use the system’s MAC address:
> config radius callStationIdType macAddrThis example shows how to configure the call station ID type to use the access point’s MAC address:
> config radius callStationIdType ap-macAddrconfig radius fallback-test
config radius fallback-test mode { off | passive | active} | username username} | { interval interval}
Syntax Description
Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller ignores all inactive servers for all active RADIUS requests.
Username. The username can be up to 16 alphanumeric characters.
Examples
This example shows how to disable the RADIUS accounting server fallback behavior:
> config radius fallback-test mode offThis example shows how to configure the controller to revert to a preferable server from the available backup servers without using the extraneous probe messages:
> config radius fallback-test mode passiveThis example shows how to configure the controller to revert to a preferable server from the available backup servers by using RADIUS probe messages:
> config radius fallback-test mode activeConfigure Rogue Commands
- config rogue adhoc
- config rogue ap classify
- config rogue ap friendly
- config rogue ap rldp
- config rogue ap ssid
- config rogue ap timeout
- config rogue auto-contain level
- config rogue ap valid-client
- config rogue client
- config rogue detection
- config rogue detection min-rssi
- config rogue detection monitor-ap
- config rogue rule
config rogue adhoc
To globally or individually configure the status of an Independent Basic Service Set (IBSS or ad-hoc) rogue access point, use the config rogue adhoc command.
config rogue adhoc { enable | disable | external rogue_MAC | alert { rogue_MAC | all} | auto-contain [ monitor_ap] | contain rogue_MAC 1234_aps| }
config rogue adhoc { delete { all | mac-address mac-address} | classify { friendly state { external | internal} mac-address | malicious state { alert | contain} mac-address | unclassified state { alert | contain } mac-address}
Syntax Description
Configure external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point.
Generates an SMNP trap upon detection of the ad-hoc rogue, and generates an immediate alert to the system administrator for further action.
Contains all wired ad-hoc rogues detected by the controller.
Contains the offending device so that its signals no longer interfere with authorized clients.
Maximum number of Cisco access points assigned to actively contain the ad-hoc rogue access point (1 through 4, inclusive).
delete
Deletes ad-hoc rogue access points.
all
Deletes all ad-hoc rogue access points.
mac-address
Deletes ad-hoc rogue access point with the specified MAC address.
mac-address
MAC address of the ad-hoc rogue access point.
classify
Configures ad-hoc rogue access point classification.
friendly state
Classifies ad-hoc rogue access points as friendly.
internal
Configures alert state on rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point.
malicious state
Classifies ad-hoc rogue access points as malicious.
alert
Configures alert state on the rogue access point that is not in the neighbor list or in the user configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action.
contain
Configures contain state on the rogue access point. Controller contains the offending device so that its signals no longer interfere with authorized clients.
unclassified state
Classifies ad-hoc rogue access points as unclassified.
Command Default
The default for this command is enabled and is set to alert. The default for auto-containment is disabled.
Usage Guidelines
The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses RLDP to determine if the rogue is attached to your wired network.
NoteRLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS).
When you enter any of the containment commands, the following warning appears:
Using this feature may have legal consequences. Do you want to continue? (y/n) :The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Enter the auto-contain command with the monitor_ap argument to monitor the rogue access point without containing it. Enter the auto-contain command without the optional monitor_ap to automatically contain all wired ad-hoc rogues detected by the controller.
Examples
This example shows how to enable the detection and reporting of ad-hoc rogues:
> config rogue adhoc enableThis example shows how to enable alerts for all ad-hoc rogue access points:
> config rogue adhoc alert allThis example shows how to classify an ad-hoc rogue access point as friendly and configure external state on it:
> config rogue adhoc classify friendly state internal 11:11:11:11:11:11config rogue ap classify
Syntax Description
Configures the controller to acknowledge the presence of this access point.
Configures the controller to forward an immediate alert to the system administrator for further action.
Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients.
Command Default
These commands are disabled by default. Therefore, all unknown access points are categorized as unclassified by default.
Usage Guidelines
A rogue access point cannot be moved to the unclassified class if its current state is contain.
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
This example shows how to classify a rogue access point as friendly and can be trusted:
> config rogue ap classify friendly state internal 11:11:11:11:11:11This example shows how to classify a rogue access point as malicious and to send an alert:
> config rogue ap classify malicious state alert 11:11:11:11:11:11This example shows how to classify a rogue access point as unclassified and to contain it:
> config rogue ap classify unclassified state contain 11:11:11:11:11:11Related Commands
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap friendly
To add a new friendly access point entry to the friendly MAC address list, or delete an existing friendly access point entry from the list, use the config rogue ap friendly command.
Syntax Description
Adds this rogue access point from the friendly MAC address list.
Deletes this rogue access point from the friendly MAC address list.
MAC address of the rogue access point that you want to add or delete.
Examples
This example shows how to add a new friendly access point with MAC address 11:11:11:11:11:11 to the friendly MAC address list:
> config rogue ap friendly add 11:11:11:11:11:11Related Commands
config rogue ap classify
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap rldp
To enable, disable, or initiate the Rogue Location Discovery Protocol (RLDP), use the config rogue ap rldp command.
Syntax Description
When entered without the optional argument monitor_ap_only, enables RLDP on all access points.
When entered without the optional argument monitor_ap_only, automatically contains all rogue access points.
(Optional) RLDP is enabled (when used with alarm-only keyword), or automatically contained (when used with auto-contain keyword) is enabled only on the designated monitor access point.
Usage Guidelines
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
This example shows how to enable RLDP on all access points:
> config rogue ap rldp enable alarm-onlyThis example shows how to enable RLDP on monitor-mode access point ap_1:
> config rogue ap rldp enable alarm-only ap_1This example shows how to start RLDP on the rogue access point with MAC address 123.456.789.000:
> config rogue ap rldp initiate 123.456.789.000This example shows how to disable RLDP on all access points:
> config rogue ap rldp disableRelated Commands
config rogue ap classify
config rogue ap friendly
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap ssid
To generate an alarm only, or to automatically contain a rogue access point that is advertising your network’s service set identifier (SSID), use the config rogue ap ssid command.
Syntax Description
Generates only an alarm when a rogue access point is discovered to be advertising your network’s SSID.
Automatically contains the rogue access point that is advertising your network’s SSID.
Usage Guidelines
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
This example shows how to automatically contain a rogue access point that is advertising your network’s SSID:
> config rogue ap ssid auto-containRelated Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap timeout
To specify the number of seconds after which the rogue access point and client entries expire and are removed from the list, use the config rogue ap timeout command.
Syntax Description
Examples
This example shows how to set an expiration time for entries in the rogue access point and client list to 2400 seconds:
> config rogue ap timeout 2400Related Commands
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue auto-contain level
Syntax Description
Rogue auto-containment level in the range of 1 to 4.
Note Up to four APs can be used to auto-contain when a rogue AP is moved to contained state through any of the auto-containment policies.
(Optional) Configures auto-containment using only monitor AP mode.
Usage Guidelines
The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses any of the configured autocontainment policies to start autocontainment. The policies for initiating autocontainment are rogue on wire (detected through RLDP or rogue detector AP), rogue using managed SSID, Valid client on Rogue AP, and AdHoc Rogue.
NoteRLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS).
When you enter any of the containment commands, the following warning appears:
Using this feature may have legal consequences. Do you want to continue? (y/n) :The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
config rogue ap valid-client
To generate an alarm only, or to automatically contain a rogue access point to which a trusted client is associated, use the config rogue ap valid-client command.
Syntax Description
Generates only an alarm when a rogue access point is discovered to be associated with a valid client.
Automatically contains a rogue access point to which a trusted client is associated.
Usage Guidelines
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
This example shows how to automatically contain a rogue access point that is associated with a valid client:
> config rogue ap valid-client auto-containRelated Commands
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap ssid
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue client
Syntax Description
Configures AAA server or local database to validate whether rogue clients are valid clients.
Enables the AAA server or local database to check rogue client MAC addresses for validity.
Disables the AAA server or local database to check rogue client MAC addresses for validity.
Configures the controller to forward an immediate alert to the system administrator for further action.
Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients.
Maximum number of Cisco access points to actively contain the rogue access point (1–4).
config rogue detection
To enable or disable rogue detection, use the config rogue detection command.
NoteIf an AP itself is configured with the name ‘all’, the ‘all access points’ case takes precedence over the AP that is named ‘all’.
Syntax Description
Usage Guidelines
Rogue detection is enabled by default for all access points joined to the controller except for OfficeExtend access points. OfficeExtend access points are deployed in a home environment and are likely to detect a large number of rogue devices.
config rogue detection min-rssi
To configure the minimum Received Signal Strength Indicator (RSSI) value at which APs can detect rogues and create a rogue entry in the controller, use the config rogue detection min-rssi command.
Syntax Description
Usage Guidelines
This feature is applicable to all the AP modes.
There can be many rogues with very weak RSSI values that do not provide any valuable information in rogue analysis. Therefore, you can use this option to filter rogues by specifying the minimum RSSI value at which APs should detect rogues.
config rogue detection monitor-ap
To configure the rogue report interval for all monitor mode Cisco APs, use the config rogue detection monitor-ap command.
Syntax Description
Specifies the interval at which rogues are consistently scanned for by APs after the first time the rogues are scanned.
Usage Guidelines
This feature is applicable to APs that are in monitor mode only.
Using the transient interval values, you can control the time interval at which APs should scan for rogues. APs can also filter the rogues based on their transient interval values.
config rogue rule
config rogue rule { add ap priority priority classify { custom severity-score classification-name | friendly | malicious} notify { all | global | none | local} state { alert | contain | internal | external} rule_name | classify { custom severity-score classification-name | friendly | malicious} rule_name | condition ap { set | delete} condition_type condition_value rule_name | { enable | delete | disable} { all | rule_name} | match { all | any} | priority priority| notify { all | global | none | local} rule_name | state { alert | contain | internal | external} rule_name}
Syntax Description
Adds a rule with match any criteria and the priority that you specify.
custom
Classifies devices matching the rule as custom.
severity-score
Custom classification severity score of the rule. The range is from 1 to 100.
classification-name
Custom classification name. The name can be up to 32 case-sensitive, alphanumeric characters.
notify
Configures type of notification upon rule match.
all
Notifies the controller and a trap receiver such as Cisco Prime Infrastructure.
global
Notifies only a trap receiver such as Cisco Prime Infrastructure.
local
Notifies only the controller.
none
Notifies neither the controller nor a trap receiver such as Cisco Prime Infrastructure.
state
Configures state of the rogue access point after a rule match.
alert
Configures alert state on the rogue access point that is not in the neighbor list or in the user configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action.
contain
Configures contain state on the rogue access point. Controller contains the offending device so that its signals no longer interfere with authorized clients.
external
Configures external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point.
internal
Configures alert state on rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point.
Rule to which the command applies, or the name of a new rule.
Specifies the conditions for a rule that the rogue access point must meet.
Adds conditions to a rule that the rogue access point must meet.
Removes conditions to a rule that the rogue access point must meet.
Type of the condition to be configured. The condition types are listed below:
- client-count—Requires that a minimum number of clients be associated to the rogue access point. The valid range is 1 to 10 (inclusive).
- duration—Requires that the rogue access point be detected for a minimum period of time. The valid range is 0 to 3600 seconds (inclusive).
- managed-ssid—Requires that the rogue access point’s SSID be known to the controller.
- no-encryption—Requires that the rogue access point’s advertised WLAN does not have encryption enabled.
- rssi—Requires that the rogue access point have a minimum RSSI value. The range is from –95 to –50 dBm (inclusive).
- ssid—Requires that the rogue access point have a specific SSID.
Value of the condition. This value is dependent upon the condition_type. For instance, if the condition type is ssid, then the condition value is either the SSID name or all.
Specifies whether a detected rogue access point must meet all or any of the conditions specified by the rule in order for the rule to be matched and the rogue access point to adopt the classification type of the rule.
Changes the priority of a specific rule and shifts others in the list accordingly.
Usage Guidelines
For your changes to be effective, you must enable the rule. You can configure up to 64 rules.
Reclassification of rogue APs according to the RSSI condition of the rogue rule occurs only when the RSSI changes more than +/- 2 dBm of the configured RSSI value. Manual and automatic classification override custom rogue rules. Rules are applied to manually changed rogues if their class type changes to unclassified and state changes to alert. Adhoc rogues are classified and do not go to the pending state. You can have up to 50 classification types.Examples
This example shows how to create a rule called rule_1 with a priority of 1 and a classification as friendly:
> config rogue rule add ap priority 1 classify friendly rule_1This example shows how to enable rule_1:
> config rogue rule enable rule_1This example shows how to change the priority of the last command:
> config rogue rule priority 2 rule_1This example shows how to change the classification of the last command:
> config rogue rule classify malicious rule_1This example shows how to disable the last command:
> config rogue rule disable rule_1This example shows how to delete SSID_2 from the user-configured SSID list in rule-5:
> config rogue rule condition ap delete ssid ssid_2 rule-5This example shows how to create a custom rogue rule:
> config rogue rule classify custom 1 VeryMalicious rule6Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
Configure TACACS Commands
- config tacacs acct
- config tacacs athr
- config tacacs athr mgmt-server-timeout
- config tacacs auth
- config tacacs auth mgmt-server-timeout
config tacacs acct
config tacacs acct add { server_index ip_address port type secret_key} | delete server_index | disable server_index | enable server_index | retransmit-timeout { server_index seconds}
Syntax Description
Examples
This example shows how to add a new TACACS+ accounting server index 3 with the IP address 10.0.0.0, port number 10, and secret key 12345678 in ASCII:
> config tacacs acct add 1 10.0.0.0 10 ascii 12345678This example shows how to change the default retransmit timeout of 30 seconds for the TACACS+ accounting server:
> config tacacs acct retransmit-timeout 30config tacacs athr
config tacacs athr add { server_index ip_address port type secret_key} | delete server_index | disable server_index | enable server_index | retransmit-timeout { server_index seconds}
Syntax Description
Examples
This example shows how to add a new TACACS+ authorization server index 3 with the IP address 10.0.0.0, port number 4, and secret key 12345678 in ASCII:
> config tacacs athr add 3 10.0.0.0 4 ascii 12345678This example shows how to change the default retransmit timeout of 30 seconds for the TACACS+ authorization server:
> config tacacs athr retransmit-timeout 30config tacacs athr mgmt-server-timeout
To configure a default TACACS+ authorization server timeout for management users, use the config tacacs athr mgmt-server-timeout command.
Syntax Description
config tacacs auth
config tacacs auth add { server_index ip_address port type secret_key} | delete server_index | disable server_index | enable server_index | retransmit-timeout { server_index seconds}
Syntax Description
Examples
This example shows how to add a new TACACS+ authentication server index 2 with the IP address 10.0.0.3, port number 6, and secret key 12345678 in ASCII:
> config tacacs auth add 2 10.0.0.3 6 ascii 12345678This example shows how to change the default retransmit timeout of 30 seconds for TACACS+ authentication server:
> config tacacs auth retransmit-timeout 30config tacacs auth mgmt-server-timeout
To configure a default TACACS+ authentication server timeout for management users, use the config tacacs auth mgmt-server-timeout command.
Syntax Description
Configure Wireless LAN Security Commands
- config wlan security 802.1X
- config wlan security ckip
- config wlan security cond-web-redir
- config wlan security eap-passthru
- config wlan security ft
- config wlan security ft over-the-ds
- config wlan security IPsec disable
- config wlan security IPsec enable
- config wlan security IPsec authentication
- config wlan security IPsec encryption
- config wlan security IPsec config
- config wlan security IPsec ike authentication
- config wlan security IPsec ike dh-group
- config wlan security IPsec ike lifetime
- config wlan security IPsec ike phase1
- config wlan security IPsec ike contivity
- config wlan security passthru
- config wlan security pmf
- config wlan security splash-page-web-redir
- config wlan security static-wep-key authentication
- config wlan security static-wep-key disable
- config wlan security static-wep-key enable
- config wlan security static-wep-key encryption
- config wlan security tkip
- config wlan security web-auth
- config wlan security web-passthrough acl
- config wlan security web-passthrough disable
- config wlan security web-passthrough email-input
- config wlan security web-passthrough enable
- config wlan security wpa akm 802.1x
- config wlan security wpa akm cckm
- config wlan security wpa akm ft
- config wlan security wpa akm pmf
- config wlan security wpa akm psk
- config wlan security wpa disable
- config wlan security wpa enable
- config wlan security wpa ciphers
- config wlan security wpa gtk-random
- config wlan security wpa wpa1 disable
- config wlan security wpa wpa1 enable
- config wlan security wpa wpa2 disable
- config wlan security wpa wpa2 enable
- config wlan security wpa wpa2 cache
- config wlan security wpa wpa2 cache sticky
- config wlan security wpa wpa2 ciphers
config wlan security 802.1X
To change the state of 802.1X security on the wireless LAN Cisco radios, use the config wlan security 802.1X command.
config wlan security 802.1X { enable { wlan_id | foreignAp} | disable { wlan_id | foreignAp} | encryption { wlan_id | foreignAp} { 0 | 40 | 104} | on-macfilter-failure { enable | disable}}
Syntax Description
encryption
Specifies the static WEP keys and indexes.
Specifies a WEP key size of 0 (no encryption) bits. The default value is 104.
Note Specifies a WEP key size of 40 bits. The default value is 104.
Note Specifies a WEP key size of 104 bits. The default value is 104.
Note on-macfilter-failure
Configures 802.1X on MAC filter failure.
enable
Enables 802.1X authentication on MAC filter failure.
disable
Disables 802.1X authentication on MAC filter failure.
Usage Guidelines
To change the encryption level of 802.1X security on the wireless LAN Cisco radios, use the following key sizes:
config wlan security ckip
To configure Cisco Key Integrity Protocol (CKIP) security options for the wireless LAN, use the config wlan security ckip command.
config wlan security ckip { enable | disable} wlan_id [ akm psk set-key { hex | ascii} { 40 | 104} key key_index wlan_id | mmh-mic { enable | disable} wlan_id | kp { enable | disable} wlan_id]
Syntax Description
(Optional) Configures encryption key management for the CKIP wireless LAN.
Sets the static encryption key length to 40 bits for the CKIP WLAN. 40-bit keys must contain 5 ASCII text characters or 10 hexadecimal characters.
Sets the static encryption key length to 104 bits for the CKIP WLAN. 104-bit keys must contain 13 ASCII text characters or 26 hexadecimal characters.
(Optional) Configures multi-modular hash message integrity check (MMH MIC) validation for the CKIP wireless LAN.
(Optional) Configures key-permutation for the CKIP wireless LAN.
config wlan security cond-web-redir
config wlan security eap-passthru
To configure the 802.1X frames pass through on to the external authenticator, use the config wlan security eap-passthru command.
Syntax Description
Enables 802.1X frames pass through to external authenticator.
Disables 802.1X frames pass through to external authenticator.
config wlan security ft
Syntax Description
Examples
This example shows how to enable 802.11r fast transition roaming support on WLAN 2:
> config wlan security ft enable 2This example shows how to set the reassociation timeout value of 20 seconds for 802.11r fast transition roaming support on WLAN 2:
> config wlan security ft reassociation-timeout 20 2config wlan security ft over-the-ds
To configure 802.11r fast transition parameters over a distributed system, use the config wlan security ft over-the-ds command.
Syntax Description
Enables 802.11r fast transition roaming support over a distributed system.
Disables 802.11r fast transition roaming support over a distributed system.
Usage Guidelines
Ensure that you have disabled the WLAN before you proceed.
Ensure that 802.11r fast transition is enabled on the WLAN.
config wlan security IPsec disable
config wlan security IPsec enable
config wlan security IPsec authentication
To modify the IPsec security authentication protocol used on the wireless LAN, use the config wlan security IPsec authentication command.
Syntax Description
config wlan security IPsec encryption
config wlan security IPsec config
To configure the proprietary Internet Key Exchange (IKE) CFG-Mode parameters used on the wireless LAN, use the config wlan security IPsec config command.
Syntax Description
Usage Guidelines
IKE is used as a method of distributing the session keys (encryption and authentication), as well as providing a way for the VPN endpoints to agree on how the data should be protected. IKE keeps track of connections by assigning a bundle of Security Associations (SAs), to each connection.
config wlan security IPsec ike authentication
To modify the IPsec Internet Key Exchange (IKE) authentication protocol used on the wireless LAN, use the config wlan security IPsec ike authentication command.
config wlan security IPsec ike authentication { certificates { wlan_id | foreignAp} | pre-share-key { wlan_id | foreignAp} key | xauth-psk { wlan_id | foreignAp} key}
Syntax Description
config wlan security IPsec ike dh-group
To modify the IPsec Internet Key Exchange (IKE) Diffie Hellman group used on the wireless LAN, use the config wlan security IPsec ike dh-group command.
Syntax Description
config wlan security IPsec ike lifetime
To modify the IPsec Internet Key Exchange (IKE) lifetime used on the wireless LAN, use the config wlan security IPsec ike lifetime command.
Syntax Description
config wlan security IPsec ike phase1
config wlan security IPsec ike contivity
config wlan security passthru
To modify the IPsec pass-through used on the wireless LAN, use the config wlan security passthru command.
Syntax Description
config wlan security pmf
To configure 802.11w Management Frame Protection (MFP) on a WLAN, use the config wlan security pmf command.
config wlan security pmf { disable | optional | required | association-comeback association-comeback_timeout | saquery-retrytimeout saquery-retry_timeout} wlan_id
Syntax Description
disable Disables 802.11w MFP protection on a WLAN.
optional Enables 802.11w MFP protection on a WLAN.
required Requires clients to negotiate 802.11w MFP protection on a WLAN.
association-comeback Configures the 802.11w association comeback time.
association-comeback_timeout Association comeback interval in seconds. Time interval that an associated client must wait before the association is tried again after it is denied with a status code 30. The status code 30 message is "Association request rejected temporarily; Try again later”.
The range is from 1 to 20 seconds.
saquery-retrytimeout Configures the 802.11w Security Association (SA) query retry timeout.
saquery-retry_timeout Time interval identified in the association response to an already associated client before the association can be tried again. This time interval checks if the client is a real client and not a rogue client during the association comeback time. If the client does not respond within this time, the client association is deleted from the controller. The range is from 100 to 500 ms.
wlan_id Wireless LAN identifier from 1 to 512.
Command Default
Default SA query retry timeout is 200 milliseconds.
Default association comeback timeout is 1 second.
Usage Guidelines
802.11w introduces an Integrity Group Temporal Key (IGTK) that is used to protect broadcast or multicast robust management frames. IGTK is a random value, assigned by the authenticator station (controller) used to protect MAC management protocol data units (MMPDUs) from the source STA. The 802.11w IGTK key is derived using the four way handshake and is used only on WLANs that are configured with WPA or WPA2 security at Layer 2.
Examples
This example shows how to enable 802.11w MFP protection on a WLAN:
> config wlan security pmf optional 1config wlan security splash-page-web-redir
config wlan security static-wep-key authentication
To configure static Wired Equivalent Privacy (WEP) key 802.11 authentication on a wireless LAN, use the config wlan security static-wep-key authentication command.
Syntax Description
config wlan security static-wep-key disable
config wlan security static-wep-key enable
config wlan security static-wep-key encryption
To configure the static Wired Equivalent Privacy (WEP) keys and indexes, use the config wlan security static-wep-key encryption command.
Syntax Description
Usage Guidelines
One unique WEP key index can be applied to each wireless LAN. Because there are only four WEP key indexes, only four wireless LANs can be configured for static WEP Layer 2 encryption.
config wlan security tkip
To configure the Temporal Key Integrity Protocol (TKIP) Message Integrity Check (MIC) countermeasure hold-down timer, use the config wlan security tkip command.
Syntax Description
hold-down Configures the TKIP MIC countermeasure hold-down timer.
time TKIP MIC countermeasure hold-down time in seconds. The range is from 0 to 60 seconds.
wlan_id Wireless LAN identifier from 1 to 512.
Usage Guidelines
TKIP countermeasure mode can occur if the access point receives 2 MIC errors within a 60 second period. When this situation occurs, the access point deauthenticates all TKIP clients that are associated to that 802.11 radio and hold offs any clients for the countermeasure holdoff time.
config wlan security web-auth
To change the status of web authentication used on wireless LAN, use the config wlan security web-auth command.
config wlan security web-auth {{ acl | enable | disable} { wlan_id | foreignAp} [ acl_name | none]} | { on-macfilter-failure wlan_id} | { server-precedence wlan_id | local | ldap | radius} | { flexacl wlan_id [ ipv4_acl_name | none]} | { ipv6 acl wlan_id [ ipv6_acl_name | none]}
Syntax Description
Configures the authentication server precedence order for Web-Auth users.
flexacl
Specifies the IPv4 ACL name. You can enter up to 32 alphanumeric characters.
ipv4_acl_name
(Optional) IPv4 ACL name. You can enter up to 32 alphanumeric characters.
ipv6_acl_name
(Optional) IPv6 ACL name. You can enter up to 32 alphanumeric characters.
config wlan security web-passthrough acl
config wlan security web-passthrough disable
To disable a web captive portal with no authentication required on a wireless LAN, use the config wlan security web-passthrough disable command.
Syntax Description
config wlan security web-passthrough email-input
config wlan security web-passthrough enable
To enable a web captive portal with no authentication required on the wireless LAN, use the config wlan security web-passthrough enable command.
Syntax Description
config wlan security wpa akm 802.1x
config wlan security wpa akm cckm
To configure authentication key-management using Cisco Centralized Key Management (CCKM), use the config wlan security wpa akm cckm command.
Syntax Description
CCKM IE time-stamp tolerance. The range is between 1000 to 5000 milliseconds; the default is 1000 milliseconds.
config wlan security wpa akm ft
To configure authentication key-management using 802.11r fast transition 802.1X, use the config wlan security wpa akm ft command.
config wlan security wpa akm ft [ over-the-air | over-the-ds | psk | [ reassociation-timeout seconds]] { enable | disable} wlan_id
Syntax Description
(Optional) Configures 802.11r fast transition roaming over-the-air support.
(Optional) Configures 802.11r fast transition roaming DS support.
(Optional) Configures the reassociation deadline interval.
The valid range is between 1 to 100 seconds. The default value is 20 seconds.
config wlan security wpa akm pmf
To configure Authenticated Key Management (AKM) of management frames, use the config wlan security wpa akm pmf command.
Syntax Description
802.1x Configures 802.1X authentication for protection of management frames (PMF).
psk Configures preshared keys (PSK) for PMF.
enable Enables 802.1X authentication or PSK for PMF.
disable Disables 802.1X authentication or PSK for PMF.
wlan_id Wireless LAN identifier from 1 to 512.
Usage Guidelines
802.11w has two new AKM suites: 00-0F-AC:5 or 00-0F-AC:6. You must enable WPA and then disable the WLAN to configure PMF on the WLAN.
config wlan security wpa akm psk
config wlan security wpa enable
config wlan security wpa ciphers
To configure the Wi-Fi protected authentication (WPA1) or Wi-Fi protected authentication (WPA2), use the config wlan security wpa ciphers command.
Syntax Description
config wlan security wpa gtk-random
To enable the randomization of group temporal keys (GTK) between access points and clients on a WLAN, use the config wlan security wpa gtk-random command.
Syntax Description
enable Enables the randomization of GTK keys between the access point and clients.
disable Disables the randomization of GTK keys between the access point and clients.
wlan_id WLAN identifier between 1 and 512.
Usage Guidelines
When you enable this command, the clients in the Basic Service Set (BSS) get a unique GTK key. The clients do not receive multicast or broadcast traffic.
config wlan security wpa wpa2 cache
Syntax Description
sticky Configures Sticky Key Caching (SKC) roaming support on the WLAN.
enable Enables SKC roaming support on the WLAN.
disable Disables SKC roaming support on the WLAN.
wlan_id Wireless LAN identifier between 1 and 512.
Usage Guidelines
In SKC (Sticky Key caching) also known as PKC (Pro Active Key caching), the client stores each Pairwise Master Key (PMK) ID (PMKID) against a Pairwise Master Key Security Association (PMKSA). When a client finds an AP for which it has a PMKSA, it sends the PMKID in the association request to the AP. If the PMKSA is alive in the AP, the AP provides support for fast roaming. In SKC, full authentication is done on each new AP to which the client associates and the client must keep the PMKSA associated with all APs.
config wlan security wpa wpa2 cache sticky
To configure Sticky PMKID Caching (SKC) on a WLAN, use the config wlan security wpa wpa2 cache sticky command.Syntax Description
enable Enables SKC on a WLAN.
disable Disables SKC on a WLAN.
wlan_id Wireless LAN identifier between 1 and 512 (inclusive).
Usage Guidelines
Beginning in Release 7.2 and later releases, the controller supports Sticky PMKID Caching (SKC). With sticky PMKID caching, the client receives and stores a different PMKID for every AP it associates with. The APs also maintain a database of the PMKID issued to the client. In SKC also known as PKC (Pro Active Key caching), the client stores each Pairwise Master Key (PMK) ID (PMKID) against a Pairwise Master Key Security Association (PMKSA). When a client finds an AP for which it has the PMKSA, it sends the PMKID in the association request to the AP. If the PMKSA is alive in the AP, the AP provides support for fast roaming. In SKC, full authentication is done on each new AP to which the client associates and the client must keep the PMKSA associated with all APs. For SKC, PMKSA is a per AP cache that the client stores and PMKSA is precalculated based on the BSSID of the new AP.
config wlan security wpa wpa2 ciphers
To configure WPA2 ciphers and enable or disable Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) data encryption for WPA2, use the config wlan security wpa wpa2 ciphers command
Syntax Description
aes Configures AES data encryption for WPA2.
tkip Configures TKIP data encryption for WPA2.
enable Enables AES or TKIP data encryption for WPA2.
disable Disables AES or TKIP data encryption for WPA2.
wlan_id Wireless LAN identifier between 1 and 512.
Configure WPS Commands
- config wps ap-authentication
- config wps auto-immune
- config wps cids-sensor
- config wps client-exclusion
- config wps mfp
- config wps shun-list re-sync
- config wps signature
- config wps signature frequency
- config wps signature interval
- config wps signature mac-frequency
- config wps signature quiet-time
- config wps signature reset
config wps ap-authentication
config wps auto-immune
To enable or disable protection from Denial of Service (DoS) attacks, use the config wps auto-immune command.
Syntax Description
Usage Guidelines
A potential attacker can use specially crafted packets to mislead the Intrusion Detection System (IDS) into treating a legitimate client as an attacker. It causes the controller to disconnect this legitimate client and launch a DoS attack. The auto-immune feature, when enabled, is designed to protect against such attacks. However, conversations using Cisco 792x phones might be interrupted intermittently when the auto-immune feature is enabled. If you experience frequent disruptions when using 792x phones, you might want to disable this feature.
config wps cids-sensor
To configure Intrusion Detection System (IDS) sensors for the Wireless Protection System (WPS), use the config wps cids-sensor command.
config wps cids-sensor { [ add index ip_address username password] | [ delete index] | [ enable index] | [ disable index] | [ port index port] | [ interval index query_interval] | [ fingerprint sha1 fingerprint] }
Syntax Description
config wps client-exclusion
config wps client-exclusion { 802.11-assoc | 802.11-auth | 802.11x-auth | ip-theft | web-auth | all} { enable | disable}
Syntax Description
Specifies that the controller excludes clients on the sixth 802.11 association attempt, after five consecutive failures.
Specifies that the controller excludes clients on the sixth 802.11 authentication attempt, after five consecutive failures.
Specifies that the controller excludes clients on the sixth 802.11X authentication attempt, after five consecutive failures.
Specifies that the control excludes clients if the IP address is already assigned to another device.
Specifies that the controller excludes clients on the fourth web authentication attempt, after three consecutive failures.
Specifies that the controller excludes clients for all of the above reasons.
config wps mfp
config wps shun-list re-sync
To force the controller to synchronization with other controllers in the mobility group for the shun list, use the config wps shun-list re-sync command.
config wps signature
To enable or disable Intrusion Detection System (IDS) signature processing, or to enable or disable a specific IDS signature, use the config wps signature command.
Syntax Description
Enables the IDS signature processing or a specific IDS signature.
Disables IDS signature processing or a specific IDS signature.
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
config wps signature frequency
To specify the number of matching packets per interval that must be identified at the individual access point level before an attack is detected, use the config wps signature frequency command.
Syntax Description
Number of matching packets per interval that must be at the individual access point level before an attack is detected. The range is 1 to 32,000 packets per interval.
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
config wps signature interval
To specify the number of seconds that must elapse before the signature frequency threshold is reached within the configured interval, use the config wps signature interval command.
Syntax Description
Number of seconds that must elapse before the signature frequency threshold is reached. The range is 1 to 3,600 seconds.
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
config wps signature mac-frequency
To specify the number of matching packets per interval that must be identified per client per access point before an attack is detected, use the config wps signature mac-frequency command.
Syntax Description
Number of matching packets per interval that must be identified per client per access point before an attack is detected. The range is 1 to 32,000 packets per interval.
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
config wps signature quiet-time
To specify the length of time after which no attacks have been detected at the individual access point level and the alarm can stop, use the config wps signature quiet-time command.
Syntax Description
Length of time after which no attacks have been detected at the individual access point level and the alarm can stop. The range is 60 to 32,000 seconds.
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
config wps signature reset
To reset a specific Intrusion Detection System (IDS) signature or all IDS signatures to default values, use the config wps signature reset command.
Syntax Description
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
Clear Commands
- clear acl counters
- clear radius acct statistics
- clear tacacs auth statistics
- clear stats local-auth
- clear stats radius
- clear stats tacacs
clear radius acct statistics
clear tacacs auth statistics
To clear the RADIUS authentication server statistics in the controller, use the clear tacacs auth statistics command.
Syntax Description
clear stats local-auth
clear stats radius
Debug Commands
- debug 11w-pmf
- debug aaa
- debug aaa local-auth
- debug bcast
- debug nac
- debug pm
- debug web-auth
- debug wps sig
- debug wps mfp
debug 11w-pmf
Syntax Description
all Configures debug of all 802.11w messages.
keys Configures debug of 802.11w keys.
events Configures debug of 802.11w events.
enable Enables the 802.1w debug.
disable Disables the 802.1w debug.
debug aaa
debug aaa local-auth
debug aaa local-auth { db | shim | eap { framework | method} { all | errors | events | packets | sm}} { enable | disable}
Syntax Description
Configures debugging of the AAA local authentication back-end messages and events.
Configures debugging of the AAA local authentication shim layer events.
Configures debugging of the AAA local Extensible Authentication Protocol (EAP) authentication.
debug bcast
debug pm
debug pm { all disable | { config | hwcrypto | ikemsg | init | list | message | pki | rng | rules | sa-export | sa-import | ssh-l2tp | ssh-appgw | ssh-engine | ssh-int | ssh-pmgr | ssh-ppp | ssh-tcp} { enable | disable}}
Syntax Description
debug web-auth
debug web-auth { redirect{ enable mac mac_address | disable} | webportal-server { enable | disable}}
Syntax Description
redirect Configures debug of web authenticated and redirected clients.
enable Enables debug of web authenticated clients.
mac Configures the MAC address of the web authenticated client.
mac_address MAC address of the web authenticated client.
disable Disables debug of web authentication of clients.
webportal-server Configures debug of portal authentication of clients.
debug wps sig
