Table Of Contents
Using Templates
Adding Controller Templates
Configuring an NTP Server Template
Configuring General Templates
Configuring QoS Templates
Configuring a Traffic Stream Metrics QoS Template
Configuring WLAN Templates
Security
QoS
Advanced
Configuring a File Encryption Template
Configuring a RADIUS Authentication Template
Configuring a RADIUS Accounting Template
Configuring a LDAP Server Template
Configuring a TACACS+ Server Template
Configuring a Network Access Control Template
Configuring a Local EAP General Template
Configuring a Local EAP Profile Template
Configuring an EAP-FAST Template
Configuring Network User Credential Retrieval Priority Templates
Configuring a Local Network Users Template
Configuring Guest User Templates
Configuring a User Login Policies Template
Configuring a MAC Filter Template
Configuring an Access Point Authorization
Configuring a Manually Disabled Client Template
Configuring a CPU Access Control List (ACL) Template
Configuring a Rogue Policies Template
Configuring a Trusted AP Policies Template
Configuring a Client Exclusion Policies Template
Configuring an Access Point Authentication and MFP Template
Configuring a Web Authentication Template
Downloading a Customized Web Authentication Page
Configuring Access Control List Templates
Configuring a Policy Name Template (for 802.11a or 802.11b/g)
Configuring High Density Templates
Configuring a Voice Parameter Template (for 802.11a or 802.11b/g)
Configuring a Video Parameter Template (for 802.11a or 802.11b/g)
Configuring a Roaming Parameters Template (for 802.11a or 802.11b/g)
Configuring an RRM Threshold Template (for 802.11a or 802.11b/g)
Configuring an RRM Interval Template (for 802.11a or 802.11b/g)
Configuring an 802.11h Template
Configuring a Mesh Template
Configuring a Known Rogue Access Point Template
Configuring a Trap Receiver Template
Configuring a Trap Control Template
Configuring a Telnet SSH Template
Configuring a Syslog Template
Configuring a Local Management User Template
Configuring a User Authentication Priority Template
Applying Controller Templates
Adding Access Point Templates
Configuring Access Point/Radio Templates
Using Templates
This chapter describes how to add and apply controller templates. Information on creating (adding) access point templates is also provided.
Templates allow you to set parameters that you can then apply to multiple devices without having to re-enter the common information.
Note
Template information can be overridden on individual devices.
This chapter contains these sections:
• Adding Controller Templates
• Applying Controller Templates
• Adding Access Point Templates
Adding Controller Templates
Follow these steps to add a new controller template.
Step 1
Choose Configure > Controller Templates.
Step 2
Choose Add Template from the Select a command drop-down menu and click GO.
Step 3
Enter the template name.
Step 4
Provide a description of the template.
Step 5
Click Save.
A summary of the templates that can be added is highlighted below:
• Configuring an NTP Server Template
• Configuring General Templates
• Configuring QoS Templates
• Configuring a Traffic Stream Metrics QoS Template
• Configuring WLAN Templates
• Configuring a File Encryption Template
• Configuring a RADIUS Authentication Template
• Configuring a RADIUS Accounting Template
• Configuring a LDAP Server Template
• Configuring a TACACS+ Server Template
• Configuring a Network Access Control Template
• Configuring a Local EAP General Template
• Configuring a Local EAP Profile Template
• Configuring an EAP-FAST Template
• Configuring Network User Credential Retrieval Priority Templates
• Configuring a Local Network Users Template
• Configuring Guest User Templates
• Configuring a User Login Policies Template
• Configuring a MAC Filter Template
• Configuring an Access Point Authorization
• Configuring a Manually Disabled Client Template
• Configuring a CPU Access Control List (ACL) Template
• Configuring a Rogue Policies Template
• Configuring a Trusted AP Policies Template
• Configuring a Client Exclusion Policies Template
• Configuring an Access Point Authentication and MFP Template
• Configuring a Web Authentication Template
• Configuring Access Control List Templates
• Configuring a Policy Name Template (for 802.11a or 802.11b/g)
• Configuring High Density Templates
• Configuring a Voice Parameter Template (for 802.11a or 802.11b/g)
• Configuring a Video Parameter Template (for 802.11a or 802.11b/g)
• Configuring a Roaming Parameters Template (for 802.11a or 802.11b/g)
• Configuring an RRM Threshold Template (for 802.11a or 802.11b/g)
• Configuring an RRM Interval Template (for 802.11a or 802.11b/g)
• Configuring an 802.11h Template
• Configuring a Mesh Template
• Configuring a Known Rogue Access Point Template
• Configuring a Trap Receiver Template
• Configuring a Trap Control Template
• Configuring a Telnet SSH Template
• Configuring a Syslog Template
• Configuring a Local Management User Template
• Configuring a User Authentication Priority Template
• Configuring Access Point/Radio Templates
Configuring an NTP Server Template
Follow these steps to add a new network time protocol (NTP) server template to the controller configuration or make modifications to an existing NTP template. NTP is used to synchronize computer clocks on the internet.
Step 1
Choose Configure > Controller Templates.
Step 2
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To modify an existing template, click to select a template in the Template Name column. The NTP Server Template window appears (see Figure 10-1), and the number of controllers the template is applied to automatically populates.
Figure 10-1 NTP Servers Template
Step 3
Enter the NTP server IP address.
Step 4
Click Save.
Configuring General Templates
Follow these steps to add a new template with general information for a controller or make a change to an existing template.
Step 1
Choose Configure > Controller Templates.
Step 2
From the left sidebar menu, choose System > General.
Step 3
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To modify an existing template, click to select a template in the Template Name column. The General Template window appears (see Figure 10-2).
Figure 10-2 General Template
Step 4
Use the drop-down menu to enable or disable flow control mode.
Step 5
Use the drop-down menu to enable or disable 802.3 bridging.
Step 6
Specify Layer 2 or Layer 3 transport mode. When set to Layer 3, the LWAPP uses IP addresses to communicate with the access points; these IP addresses are collected from a mandatory DHCP server. When set to Layer 2, the LWAPP uses proprietary code to communicate with the access points.
Step 7
At the Ethernet Multicast Support drop-down menu, choose Disable to disable multicast support on the controller or Multicast to enable multicast support on the controller. Choose Unicast if the controller, upon receiving a multicast packet, should forward the packet to all the associated access points. H-REAP supports only unicast mode.
Step 8
Choose if you want to enable or disable aggressive load balancing.
Step 9
Choose to enable or disable peer-to-peer blocking mode. If you choose Disable, any same-subnet clients communicate through the controller. If you choose Enable, any same-subnet clients communicate through a higher-level router.
Step 10
At the Over Air AP Provision Mode drop-down menu, choose enable or disable.
Step 11
At the AP Fallback drop-down menu, choose enable or disable. Enabling fallback causes an access point which lost a primary controller connection to automatically return to service when the primary controller returns.
Step 12
Choose to enable or disable AppleTalk bridging.
Step 13
Choose to enable or disable the fast SSID option. If enabled, the client connects instantly to the controller between SSIDs without having appreciable loss of connectivity. Normally, each client is connected to a particular WLAN identified by the SSID. If the client moves out of reach of the connected access point, the client has to reconnect to the controller using a different access point. This normal process consumes some time as the DHCP (Dynamic Host Configuration Protocol) server has to assign an IP address to the client.
Step 14
Because the master controller is normally not used in a deployed network, the master controller setting is automatically disabled upon reboot or OS code upgrade. You may enable the controller to be configured as the master controller from the Master Controller Mode drop-down menu.
Step 15
Choose to enable or disable access to the controller management interface from wireless clients. Because of IPSec operation, management via wireless is only available to operators logging in across WPA, Static WEP, or VPN Pass Through WLANs. Wireless management is not available to clients attempting to log in via an IPSec WLAN.
Step 16
Choose to enable or disable link aggregation. Link aggregation allows you to reduce the number of IP addresses needed to configure the ports on your controller by grouping all the physical ports and creating a link aggregation group (LAG). In a 4402 model, two ports are combined to form a LAG whereas in a 4404 model, all four ports are combined to form a LAG.
If LAG is enabled on a controller, the following configuration changes occur:
• Any dynamic interfaces that you have created will be deleted. This is done to prevent configuration inconsistencies in the interface database.
• Interfaces cannot be created with the "Dynamic AP Manager" flag set.
Note
You cannot create more than one LAG on a controller.
The advantages of creating a LAG are as follows:
• It ensures that if one of the links goes down, the traffic is moved to the other links in the LAG. Hence, as long as one of the physical ports is working, the system remains functional.
• It eliminates the need to configure separate backup ports for each interface.
• Multiple AP-manager interfaces are not required since only one logical port is visible to the application.
Note
When you make changes to the LAG configuration, the controller has to be rebooted for the changes to take effect.
Step 17
Choose to enable or disable symmetric mobility tunneling. With symmetric mobility tunneling, the controller provides inter-subnet mobility for clients roaming from one access point to another within a wireless LAN. The client traffic on the wired network is directly routed by the foreign controller. If a router has reverse path filtering (RPF) enabled (which provides additional checks on incoming packets), the communication is blocked. Symmetric mobility tunneling allows the client traffic to reach the controller designated as the anchor, even with RPF enabled.
Note
All controllers in a mobility group should have the same symmetric tunneling mode.
Note
For symmetric tunneling to take effect, you must reboot.
Step 18
Enter the operator-defined RF mobility group name in the Default Mobility Domain Name field.
Step 19
At the Mobility Anchor Group Keep Alive Interval, determine the delay between tries for clients attempting to join another access point. With this guest tunneling N+1 redundancy feature, the time it takes for a client to join another access point following a controller failure is decreased because a failure is quickly identified, the clients are moved away from the problem controller, and the clients are anchored to another controller.
Note
When you hover over the parameter field with the mouse, the valid range for that field appears.
Step 20
At the Mobility Anchor Group Keep Alive Retries, specify the number of queries to anchor before the client declares it unreachable.
Note
When you hover over the parameter field with the mouse, the valid range for that field appears.
Step 21
Enter the RF network group name between 8 and 19 characters. Radio Resource Management (RRM) neighbor packets are distributed among access points within an RF network group. The Cisco access points only accept RRM neighbor packets sent with this RF network name. The RRM neighbor packets sent with different RF network names will be dropped.
Step 22
Specify the time out for idle clients. The factory default is 300 seconds. When the timeout expires, the client loses authentication, briefly disassociates from the access point, reassociates, and re-authenticates.
Step 23
Specify the timeout in seconds for the address resolution protocol. The factory default is 300 seconds.
Step 24
At the CDP on controller drop-down menu, choose if you want to enable CDP on the controller. CDP is a device discovery protocol that runs on all Cisco manufactured equipment (such as routers, bridges, communication servers, and so on).
Step 25
At the Global CDP on APs drop-down menu, choose if you want to enable CDP on the access point.
Step 26
At the Refresh Time Interval parameter, enter the interval at which CDP messages are generated. With the regeneration, the neighbor entries are refreshed.
Step 27
At the Holdtime parameter, enter the time in seconds before the CDP neighbor entry expires.
Step 28
At the CDP Advertisement Version parameter, enter which version of the CDP protocol to use.
Step 29
Click Save.
Configuring QoS Templates
Follow these steps to make modifications to the quality of service profiles.
Step 1
Choose Configure > Controller Templates.
Step 2
On the left sidebar menu, choose System > QoS Profiles. The QoS Template window appears (see Figure 10-3), and the number of controllers the template is applied to automatically populates.
Figure 10-3 QoS Profile Template
Step 3
Set the following values in the Per-User Bandwidth Contracts portion of the window. All have a default of 0 or Off.
• Average Data Rate - The average data rate for non-UDP traffic.
• Burst Data Rate - The peak data rate for non-UDP traffic.
• Average Real-time Rate - The average data rate for UDP traffic.
• Burst Real-time Rate - The peak data rate for UDP traffic.
Step 4
Set the following values for the Over-the-Air QoS portion of the window.
• Maximum QoS RF Usage per AP - The maximum air bandwidth available to clients. The default is 100%.
• QoS Queue Depth - The depth of queue for a class of client. The packets with a greater value are dropped at the access point.
Step 5
Set the following values in the Wired QoS Protocol portion of the window.
• Wired QoS Protocol - Choose 802.1P to activate 802.1P priority tags or None to deactivate 802.1P priority flags.
• 802.1P Tag - Choose the 802.1P priority tag for a wired connection from 0 to 7. This tag is used for traffic and LWAPP packets.
Step 6
Click Save.
Configuring a Traffic Stream Metrics QoS Template
Traffic stream metrics are a series of statistics about VoIP over your wireless LAN and informs you of the QoS of the wireless LAN. These statistics are different than the end-to-end statistics provided by VoIP systems. End-to-end statistics provide information on packet loss and latency covering all the links comprising the call path. However, traffic stream metrics are statistics for only the WLAN segment of the call. Because of this, system administrators can quickly determine whether audio problems are being caused by the WLAN or by other network elements participating in a call. By observing which access points have impaired QoS, system administrators can quickly determine the physical area where the problem is occurring. This is important when lack of radio coverage or excessive interference is the root problem.
Four QoS values (packet latency, packet jitter, packet loss, and roaming time), which can affect the audio quality of voice calls, are monitored. All the wireless LAN components participate in this process. Access points and clients measure the metrics, access points collect the measurements and then send them to the controller. The access points update the controller with traffic stream metric information every 90 seconds, and 10 minutes of data is stored at one time. Cisco Wireless Control System queries the controller for the metrics and displays them in the Traffic Stream Metrics QoS Status. These metrics are compared to threshold values to determine their status level and if any of the statistics are displaying a status level of fair (yellow) or degraded (red), the administrator should investigate the QoS of the wireless LAN.
For the access points to collect measurement values, traffic stream metrics must be enabled on the controller.
Step 1
Choose Configure > Controller Templates.
Step 2
On the left sidebar menu, choose System > Traffic Stream Metrics QoS. The Traffic Stream Metrics QoS Status Configuration window appears (see Figure 10-4).
Figure 10-4 Traffic Stream Metrics QoS Status Template
The Traffic Stream Metrics QoS Status Configuration window shows several QoS values. An administrator can monitor voice and video quality of the following:
• Upstream delay
• Upstream packet loss rate
• Roaming time
• Downstream packet loss rate
• Downstream delay
Packet Loss Rate (PLR) affects the intelligibility of voice. Packet delay can affect both the intelligibility and conversational quality of the connection. Excessive roaming time produces undesired gaps in audio.
There are three levels of measurement:
• Normal: Normal QoS (green)
• Fair: Fair QoS (yellow)
• Degraded: Degraded QoS (red)
System administrators should employ some judgment when setting the green, yellow, and red alarm levels. Some factors to consider are:
• Environmental factors, including interference and radio coverage, which can affect PLR.
• End-user expectations and system administrator requirements for audio quality on mobile devices (lower audio quality can permit greater PLR).
• Different codec types used by the phones have different tolerance for packet loss.
• Not all calls will be mobile-to-mobile; therefore, some will have less stringent PLR requirements for the wireless LAN.
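The status logic described above (each metric compared with a fair and a degraded threshold, the worst metric deciding the colour shown for an access point) is easy to reproduce offline when reviewing exported measurements. The following Python is an added example, not part of the WCS guide or of Cisco's software: the threshold numbers, metric names and per-AP samples are all constructed for illustration, since the guide leaves the alarm levels to the administrator.

```python
# Added example (not part of the WCS guide): classify traffic stream metrics
# per access point into the normal/fair/degraded levels the TSM QoS Status
# window uses, and list the APs an administrator should investigate.

NORMAL, FAIR, DEGRADED = "normal (green)", "fair (yellow)", "degraded (red)"
_RANK = {NORMAL: 0, FAIR: 1, DEGRADED: 2}

# Alarm thresholds per metric: (value at which it turns fair, value at which it
# turns degraded). The guide gives no numbers; these are constructed for the
# example and would be tuned to the codecs and coverage of a real deployment.
THRESHOLDS = {
    "upstream_delay_ms": (40, 100),
    "upstream_plr_pct": (1.0, 3.0),
    "roaming_time_ms": (100, 300),
    "downstream_plr_pct": (1.0, 3.0),
    "downstream_delay_ms": (40, 100),
}


def metric_status(name, value, thresholds=THRESHOLDS):
    """Status of a single metric; for all five metrics a larger value is worse."""
    fair_at, degraded_at = thresholds[name]
    if value >= degraded_at:
        return DEGRADED
    if value >= fair_at:
        return FAIR
    return NORMAL


def ap_status(sample, thresholds=THRESHOLDS):
    """Return (worst status, [metrics that are not normal]) for one AP's sample."""
    worst, offenders = NORMAL, []
    for name, value in sample.items():
        status = metric_status(name, value, thresholds)
        if status != NORMAL:
            offenders.append(name)
        if _RANK[status] > _RANK[worst]:
            worst = status
    return worst, offenders


def aps_to_investigate(samples, thresholds=THRESHOLDS):
    """Map AP name -> (status, offending metrics) for every AP below normal."""
    flagged = {}
    for ap, sample in samples.items():
        status, offenders = ap_status(sample, thresholds)
        if status != NORMAL:
            flagged[ap] = (status, offenders)
    return flagged


# Constructed sample: one 90-second TSM update per AP, as the controller
# would hold it after polling (values invented for the example).
SAMPLES = {
    "ap-lobby-1": {"upstream_delay_ms": 12, "upstream_plr_pct": 0.2,
                   "roaming_time_ms": 45, "downstream_plr_pct": 0.1,
                   "downstream_delay_ms": 15},
    "ap-floor2-3": {"upstream_delay_ms": 55, "upstream_plr_pct": 0.8,
                    "roaming_time_ms": 80, "downstream_plr_pct": 1.4,
                    "downstream_delay_ms": 30},
    "ap-warehouse-7": {"upstream_delay_ms": 35, "upstream_plr_pct": 4.2,
                       "roaming_time_ms": 350, "downstream_plr_pct": 0.5,
                       "downstream_delay_ms": 20},
}

if __name__ == "__main__":
    for ap, (status, offenders) in aps_to_investigate(SAMPLES).items():
        print(f"{ap}: {status} -> check {', '.join(offenders)}")
```

Because the offending metrics are returned alongside the status, the output already separates a coverage or interference problem (roaming time, loss) from a congestion problem (delay), which is the distinction the section says the metrics are meant to give.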
Configuring WLAN Templates
WLAN templates allow you to define various WLAN profiles for application to different controllers.
In WCS software release 4.0.96.0 and later releases, you can configure multiple WLANs with the same SSID. This feature enables you to assign different Layer 2 security policies within the same wireless LAN. To distinguish among WLANs with the same SSID, you need to create a unique profile name for each WLAN.
These restrictions apply when configuring multiple WLANs with the same SSID:
• WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes. These are the available Layer 2 security policies:
– None (open WLAN)
– Static WEP or 802.1X
– CKIP
– WPA/WPA2
• Broadcast SSID must be enabled on the WLANs that share an SSID so that the access points can generate probe responses for these WLANs.
• Hybrid-REAP access points do not support multiple SSIDs.
• The WLAN override feature is not supported for use with multiple SSIDs.
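The first two restrictions are mechanical enough to check before a set of WLAN templates is applied. The following Python is an added example, not code from the WCS guide or from Cisco: it assumes that the Layer 2 Security drop-down values from Table 10-1 collapse onto the four policy classes listed above (Static WEP and 802.1X advertise the same thing to a client), and the template records it checks are constructed for illustration.

```python
# Added example (not part of the WCS guide): check a set of WLAN templates
# against the restrictions for multiple WLANs that share one SSID.
from collections import defaultdict

# Assumption for this example: the Layer 2 Security drop-down values from
# Table 10-1 collapse onto the four policy classes that clients can tell
# apart from beacons and probe responses.
POLICY_CLASS = {
    "None": "None",
    "Static WEP": "Static WEP/802.1X",
    "802.1X": "Static WEP/802.1X",
    "Static WEP-802.1X": "Static WEP/802.1X",
    "CKIP": "CKIP",
    "WPA1+WPA2": "WPA/WPA2",
}


def validate_wlan_templates(wlans):
    """wlans: list of dicts with profile_name, ssid, layer2, broadcast_ssid.

    Returns a list of violation strings; an empty list means the set is consistent.
    """
    problems = []
    profiles = set()
    by_ssid = defaultdict(list)
    for w in wlans:
        if w["layer2"] not in POLICY_CLASS:
            problems.append(f"profile {w['profile_name']!r}: unknown Layer 2 policy {w['layer2']!r}")
            continue
        if w["profile_name"] in profiles:
            problems.append(f"profile name {w['profile_name']!r} is not unique")
        profiles.add(w["profile_name"])
        by_ssid[w["ssid"]].append(w)

    for ssid, group in by_ssid.items():
        if len(group) < 2:
            continue  # the restrictions only apply when an SSID is shared
        seen = {}  # policy class -> first profile using it
        for w in group:
            cls = POLICY_CLASS[w["layer2"]]
            if not w["broadcast_ssid"]:
                problems.append(f"SSID {ssid!r}: profile {w['profile_name']!r} has Broadcast SSID "
                                "disabled, so access points cannot answer probes for it")
            if cls in seen:
                problems.append(f"SSID {ssid!r}: profiles {seen[cls]!r} and {w['profile_name']!r} "
                                f"both advertise {cls}; clients cannot choose between them")
            else:
                seen[cls] = w["profile_name"]
    return problems


# Constructed templates for the example (not from any real deployment).
WLANS = [
    {"profile_name": "corp-employees", "ssid": "corp", "layer2": "WPA1+WPA2", "broadcast_ssid": True},
    {"profile_name": "corp-legacy", "ssid": "corp", "layer2": "Static WEP", "broadcast_ssid": False},
    {"profile_name": "corp-scanners", "ssid": "corp", "layer2": "802.1X", "broadcast_ssid": True},
    {"profile_name": "guest", "ssid": "guest", "layer2": "None", "broadcast_ssid": False},
]

if __name__ == "__main__":
    for p in validate_wlan_templates(WLANS):
        print("violation:", p)
```

Run as-is, the check reports two violations for the shared "corp" SSID (a profile with Broadcast SSID off, and two profiles in the same Static WEP/802.1X class) and nothing for "guest", which is not shared and so may keep its SSID hidden.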
Follow these steps to add a new WLAN template or make modifications to an existing WLAN template.
Step 1
Choose Configure > Controller Templates.
Step 2
Choose WLANs > WLAN from the left sidebar menu.
The WLAN Template window appears with a summary of all existing defined WLANs. The following information headings are used to define the WLANs listed on the WLAN Template General window (see Figure 10-5).
• Template Name - The user-defined name of the template. Clicking the name displays parameters for this template.
• Profile Name - User-defined profile name used to distinguish WLANs with the same SSID.
Note
This heading is not present in software releases prior to 4.0.96.0.
• SSID - Displays the name of the WLAN.
• WLAN Status - Sets the status of the WLAN to enabled when checked.
• Security Policies - Determines whether 802.1X is enabled. None indicates no 802.1X.
Step 3
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click a URL in the Template Name column. The WLAN Template window appears (see Figure 10-5).
Figure 10-5 WLAN Template
Step 4
Use the Radio Policy drop-down menu to set the WLAN policy to apply to All (802.11a/b/g), 802.11a only, 802.11g only, 802.11b/g only, or 802.11a/g only.
Step 5
Use the Interface drop-down menu to choose the available names of interfaces created by the Controller > Interfaces module.
Step 6
Click the Broadcast SSID to activate SSID broadcasts for this WLAN.
Step 7
Click Save.
Step 8
To further configure the WLAN template, choose from the following:
• Click the Security tab to establish which AAA can override the default servers on this WLAN and to establish the security mode for Layer 2 and 3. Continue to the "Security" section.
• Click the QoS tab to establish which quality of service will be expected for this WLAN. Continue to the "QoS" section.
• Click the Advanced tab to configure any other details about the WLAN, such as DHCP assignments and management frame protection. Continue to the "Advanced" section.
Security
After choosing Security, you have an additional three tabs: Layer 2, Layer 3, and AAA Servers.
Layer 2
When you choose the Layer 2 tab, the window as shown in Figure 10-6 appears.
Figure 10-6 Layer 2 Window
Step 1
Use the Layer 2 Security drop-down menu to choose between None, WPA, WPA-2, Static WEP, 802.1X, Cranite, Fortress, Static WEP-802.1x, CKIP, and WPA1 + WPA2 as described in the table below.
Table 10-1 Layer 2 Security Options
Parameter | Description
None | No Layer 2 security selected.
802.1X | WEP 802.1X data encryption type (Note 1): 40/64 bit key, 104/128 bit key, or 128/152 bit key.
WPA | This is a 3.2 controller code option and is not supported in 4.0 or later versions.
WPA-2 | This is a 3.2 controller code option and is not supported in 4.0 or later versions.
Static WEP | Static WEP encryption parameters: key sizes of 40/64, 104/128 and 128/152 bits; key index 1 to 4 (Note 2); encryption key required; select encryption key format in ASCII or HEX.
Cranite | Configure the WLAN to use the FIPS 140-2 compliant Cranite WirelessWall Software Suite, which uses AES encryption and VPN tunnels to encrypt and verify all data frames carried by the Cisco Wireless LAN Solution.
Fortress | FIPS 140-2 compliant Layer 2 security feature.
Static WEP-802.1X | Use this setting to enable both Static WEP and 802.1X policies. If this option is selected, static WEP and 802.1X parameters are displayed at the bottom of the page. Static WEP encryption parameters: key sizes of 40/64, 104/128 and 128/152 bits; key index 1 to 4 (Note 2); enter encryption key; select encryption key format in ASCII or HEX. WEP 802.1X data encryption type (Note 1): 40/64 bit key, 104/128 bit key, or 128/152 bit key.
WPA1+WPA2 | Use this setting to enable WPA1, WPA2 or both. See the WPA1 and WPA2 parameters displayed on the window when WPA1+WPA2 is selected. WPA1 enables Wi-Fi Protected Access with TKIP-MIC Data Encryption. When WPA1+WPA2 is selected, you can use Cisco's Centralized Key Management (CCKM) authentication key management, which allows fast exchange when a client roams from one access point to another. When WPA1+WPA2 is selected as the Layer 2 security policy and Pre-Shared Key is enabled, neither CCKM nor 802.1X can be enabled. However, both CCKM and 802.1X can be enabled at the same time.
CKIP | Cisco Key Integrity Protocol (CKIP). A Cisco access point advertises support for CKIP in beacon and probe response packets. CKIP can be configured only when Aironet IE is enabled on the WLAN. When selected, these CKIP parameters are displayed: Key length (specify key length); Key (ASCII or HEX; specify encryption key); MMH Mode (enable or disable check box); KP (enable or disable check box).
Step 2
Check the MAC Filtering check box if you want to filter clients by MAC address.
Step 3
If you selected either WPA1 or WPA2 in Step 1, you must specify the type of WPA encryption: either TKIP or AES.
Step 4
Choose the desired type of authentication key management. The choices are 802.1x, CCKM, PSK, or CCKM+802.1x.
Note
If you choose PSK, you must enter the password and type (ASCII or hexadecimal).
Step 5
Click Save.
Layer 3
When you choose the Layer 3 tab, the window shown in Figure 10-7 appears.
Figure 10-7 Layer 3 Window
Step 1
Use the Layer 3 security drop-down menu to choose between None and VPN Pass Through. The window parameters change according to the selection you make. If you choose VPN pass through, you must enter the VPN gateway address.
Step 2
Check the Web Policy check box if you want to select policies like authentication, passthrough, or conditional web redirect.
Step 3
Click Save.
AAA Servers
When you choose the AAA Servers tab, the window shown in Figure 10-8 appears.
Figure 10-8 AAA Servers Window
Step 4
Use the drop-down menus in the RADIUS and LDAP servers section to choose authentication and accounting servers. This selects the default RADIUS server for the specified WLAN and overrides the RADIUS server that is configured for the network. If all three RADIUS servers are configured for a particular WLAN, server 1 has the highest priority and so on. If no LDAP servers are chosen here, WCS uses the default LDAP server order from the database.
Step 5
Click the Local EAP Authentication check box if you have an EAP profile already configured that you want to enable. Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down.
Step 6
When AAA Override is enabled, and a client has conflicting AAA and controller WLAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system moves clients from the default Cisco WLAN Solution to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system also uses QoS and ACL provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as identity networking.)
For instance, if the corporate WLAN primarily uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.
When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is only performed by the AAA server if the controller WLANs do not contain any client-specific authentication parameters.
The AAA override values may come from a RADIUS server, for example.
Step 7
Click Save.
QoS
When you select the QoS tab from the WLAN Template window, the window as shown in Figure 10-9 appears.
Figure 10-9 QoS Window
Step 1
Use the QoS drop-down menu to choose Platinum (voice), Gold (video), Silver (best effort), or Bronze (background). Services such as VoIP should be set to gold while non-discriminating services such as text messaging can be set to bronze.
Step 2
Use the WMM Policy drop-down menu to choose Disabled, Allowed (so clients can communicate with the WLAN), or Required to make it mandatory for clients to have WMM enabled for communication.
Step 3
Click the 7920 AP CAC check box if you want to enable support on Cisco 7920 phones.
Step 4
If you want WLAN to support older versions of the software on 7920 phones, click to enable the 7920 Client CAC check box. The CAC limit is set on the access point for newer versions of software.
Step 5
Click Save.
Advanced
When you click the Advanced tab on the WLAN Template window, the window shown in Figure 10-10 appears.
Figure 10-10 Advanced Window
Step 1
Click the check box if you want to enable Hybrid REAP local switching. For more information on Hybrid REAP, see "Configuring Hybrid REAP" section on page 12-4. If you enable it, the hybrid-REAP access point handles client authentication and switches client data packets locally.
H-REAP local switching is only applicable to the Cisco 1130/1240/1250 series access points. It is not supported with L2TP, PPTP, CRANITE, and FORTRESS authentications, and it is not applicable to WLAN IDs 9-16.
Step 2
At the Session Timeout parameter, set the maximum time a client session can continue before requiring reauthorization.
Step 3
Check the Aironet IE check box if you want to enable support for Aironet information elements (IEs) for this WLAN. If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.
Step 4
Click if you want to enable IPv6.
Note
Layer 3 security must be set to None for this to be enabled.
Step 5
A list of defined access control lists (ACLs) is provided at the Override Interface ACL drop-down menu. (Refer to the "Configuring Access Control List Templates" section for steps on defining ACLs.) Upon choosing an ACL from the list, the WLAN associates the ACL to the WLAN. Selecting an ACL is optional, and the default for this parameter is None.
Step 6
Click the check box if you want to enable automatic client exclusion. If you enable client exclusion, you must also set the Timeout Value in seconds for disabled client machines. Client machines are excluded by MAC address and their status can be observed. A timeout setting of 0 indicates that administrative control is required to re-enable the client.
Note
When session timeout is not set, it implies that an excluded client remains and won't timeout from the excluded state. It does not imply that the exclusion feature is disabled.
Step 7
When you click the check box to override DHCP server, another parameter appears where you can enter the IP address of your DHCP server. For some WLAN configurations, this is required. Three valid configurations are as follows:
• DHCP Required and a valid DHCP server IP address - All WLAN clients obtain an IP address from the DHCP server.
• DHCP is not required and a valid DHCP server IP address - All WLAN clients obtain an IP address from the DHCP server or use a static IP address.
• DHCP not required and DHCP server IP address 0.0.0.0 - All WLAN clients are forced to use a static IP address. All DHCP requests are dropped.
An invalid combination is clicking to require DHCP address assignment and entering a DHCP server IP address.
Step 8
If the MFP Signature Generation check box is checked, it enables signature generation for the 802.11 management frames transmitted by an access point associated with this WLAN. Signature generation makes sure that changes to the transmitted management frames by an intruder are detected and reported.
Step 9
At the MFP Client Protection drop-down menu, choose Optional, Disabled, or Required for configuration of individual WLANs of a controller. If infrastructure MFP is not enabled, this drop-down menu is unavailable.
Note
Client-side MFP is only available for those WLANs configured to support CCXv5 (or later) clients, and WPA2 must first be configured.
Step 10
Click Save.
Configuring a File Encryption Template
This page enables you to add a new file encryption template or make modifications to an existing file encryption template.
Step 1
Choose Configure > Controller Templates.
Step 2
From the left sidebar menu, choose Security > File Encryption.
Step 3
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The File Encryption Template appears (see Figure 10-11).
Figure 10-11 File Encryption Template
Step 4
Check if you want to enable file encryption.
Step 5
Enter an encryption key text string of exactly 16 ASCII characters.
Step 6
Retype the encryption key.
Step 7
Click Save.
Configuring a RADIUS Authentication Template
This page allows you to add a template for RADIUS authentication server information or make modifications to an existing template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.
Step 1
Choose Configure > Controller Templates.
Step 2
On the left sidebar menu, choose Security > RADIUS Authentication Servers.
Step 3
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select the template in the Template Name column. The RADIUS Authentication Server Template window appears (see Figure 10-12), and the number of controllers the template is applied to automatically populates.
The IP address of the RADIUS server and the port number for the interface protocol are also displayed.
Figure 10-12 RADIUS Authentication Server Template
Step 4
Use the drop-down menu to choose either ASCII or hex shared secret format.
Step 5
Enter the RADIUS shared secret used by your specified server.
Step 6
Click if you want to enable key wrap. If this option is enabled, the authentication request is sent to RADIUS servers that have key encryption key (KEK) and message authenticator code keys (MACK) configured. Also, when enabled, the parameters below appear:
• Shared Secret Format: Determine whether ASCII or hexadecimal.
• KEK Shared Secret: Enter KEK shared secret.
• MACK Shared Secret: Enter MACK shared secret.
Note
Each time the controller is notified with the shared secret, the existing shared secret is overwritten with the new shared secret.
Step 7
Click if you want to enable administration privileges.
Step 8
Click if you want to enable support for RFC 3576. RFC 3576 is an extension to the Remote Authentication Dial In User Service (RADIUS) protocol. It allows dynamic changes to a user session and includes support for disconnecting users and changing authorizations applicable to a user session. With these authorizations, support is provided for Disconnect and Change-of-Authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.
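The Disconnect and CoA messages described in Step 8 are only safe to honour if the controller checks that they really came from a server holding the shared secret. The following added example (not code from this guide or from the controller) builds a Disconnect-Request the way RFC 3576 specifies and shows the receiving-side check: the Request Authenticator is an MD5 hash over the packet with a zeroed authenticator field plus the shared secret, so a packet from a host without the secret, or one altered in flight, is refused. The secret, user name and session ID are constructed sample values.

```python
import hashlib
import hmac
import struct

# Packet codes assigned by RFC 3576 (RADIUS Dynamic Authorization Extensions).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Standard RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16).
HEADER = struct.Struct("!BBH16s")
USER_NAME, ACCT_SESSION_ID = 1, 44  # attribute types used in the sample


def encode_attributes(attrs) -> bytes:
    """Encode (type, value) pairs as RADIUS attributes: Type(1) Length(1) Value."""
    out = bytearray()
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1 to 253 octets")
        out += bytes((attr_type, len(value) + 2)) + value
    return bytes(out)


def _request_authenticator(code, identifier, length, attributes, secret):
    # RFC 3576 section 3: MD5 over Code + Identifier + Length + 16 zero octets
    # + attributes + shared secret. The secret itself never goes on the wire.
    unsigned = HEADER.pack(code, identifier, length, b"\x00" * 16) + attributes
    return hashlib.md5(unsigned + secret).digest()


def build_request(code: int, identifier: int, attrs, secret: bytes) -> bytes:
    """Build a Disconnect-Request (40) or CoA-Request (43) as the server sends it."""
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("not a dynamic authorization request code")
    attributes = encode_attributes(attrs)
    length = HEADER.size + len(attributes)
    auth = _request_authenticator(code, identifier, length, attributes, secret)
    return HEADER.pack(code, identifier, length, auth) + attributes


def verify_request(packet: bytes, secret: bytes) -> bool:
    """The check the receiving controller must make before acting on a request.

    Without it, any host able to reach the CoA port could terminate sessions or
    rewrite session authorization; with it, a sender needs the shared secret.
    """
    if len(packet) < HEADER.size:
        return False
    code, identifier, length, auth = HEADER.unpack_from(packet)
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    expected = _request_authenticator(code, identifier, length, packet[HEADER.size:], secret)
    return hmac.compare_digest(expected, auth)  # constant-time comparison


def demo() -> dict:
    # Constructed sample values; the secret must match the one in the template.
    secret = b"constructed-shared-secret"
    packet = build_request(DISCONNECT_REQUEST, 7,
                           [(USER_NAME, b"jdoe"), (ACCT_SESSION_ID, b"0000A1B2")], secret)
    # Flip one bit of the User-Name value (offset 22) to simulate in-flight tampering.
    tampered = packet[:22] + bytes([packet[22] ^ 0x01]) + packet[23:]
    return {
        "length": len(packet),
        "genuine_accepted": verify_request(packet, secret),
        "wrong_secret_rejected": not verify_request(packet, b"other-secret"),
        "tampered_rejected": not verify_request(tampered, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The same authenticator rule applies to CoA-Request; only the code byte differs. Responses (ACK/NAK) are authenticated differently, with the request's authenticator included in the hash, which this example does not cover.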
Step 9
Click if you want to enable network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.
Step 10
Click if you want to enable management authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the management user.
Step 11
Specify the time in seconds after which the RADIUS authentication request times out and a retransmission is attempted by the controller. You can specify a value between 2 and 30 seconds.
Step 12
If you click to enable the IP security mechanism, additional IP security parameters are added to the window, and Steps 13 to 19 are required. If you leave it disabled, click Save and skip Steps 13 to 19.
Step 13
Use the drop-down menu to choose which IP security authentication protocol to use. The options are HMAC-SHA1, HMAC-MD5, and None.
Message Authentication Codes (MAC) are used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is a mechanism based on cryptographic hash functions and can be used in combination with any iterated cryptographic hash function. HMAC-MD5 and HMAC-SHA1 are two constructs of the HMAC using the MD5 hash function and the SHA1 hash function. HMAC also uses a secret key for calculation and verification of the message authentication values.
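To make the HMAC description concrete, the following added example (not code from this guide) computes HMAC-SHA1 and HMAC-MD5 tags with Python's standard library and verifies them the way a receiver should: recompute the tag under the shared key and compare in constant time. The key and message are the published RFC 2202 test vector, so the tags can be checked against known values; the tampered message and near-miss key are constructed for the demonstration.

```python
import hashlib
import hmac

# The two HMAC constructs offered by the template (Step 13); "None" means no
# integrity protection at all, so it has no entry here.
HMAC_ALGORITHMS = {"HMAC-SHA1": "sha1", "HMAC-MD5": "md5"}


def compute_mac(key: bytes, message: bytes, algorithm: str) -> str:
    """Return the hex HMAC tag of message under key for the named construct."""
    digest = HMAC_ALGORITHMS[algorithm]
    return hmac.new(key, message, getattr(hashlib, digest)).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str, algorithm: str) -> bool:
    """Recompute the tag and compare in constant time.

    Comparing with == would leak, byte by byte, how much of a forged tag
    matched; compare_digest avoids that timing side channel.
    """
    expected = compute_mac(key, message, algorithm)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    # RFC 2202 test case 2 key and message (published test vector).
    key = b"Jefe"
    message = b"what do ya want for nothing?"
    tags = {name: compute_mac(key, message, name) for name in HMAC_ALGORITHMS}
    # Constructed: one changed word in the message invalidates every tag.
    tampered = b"what do ya want for something?"
    tamper_detected = all(
        not verify_mac(key, tampered, tags[name], name) for name in HMAC_ALGORITHMS
    )
    # Constructed: a key differing in a single bit ('e' -> 'd') is also rejected.
    wrong_key_rejected = all(
        not verify_mac(b"Jefd", message, tags[name], name) for name in HMAC_ALGORITHMS
    )
    return {
        "tags": tags,
        "tamper_detected": tamper_detected,
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Both constructs take the same key and message; the choice only changes the underlying hash. HMAC-MD5 is still offered here for compatibility, but HMAC-SHA1 is the stronger of the two options listed in Step 13.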
Step 14
Set the IP security encryption mechanism to use. Options are as follows:
• DES—Data Encryption Standard is a method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
• Triple DES—Data Encryption Standard that applies three keys in succession.
• AES 128 CBC—Advanced Encryption Standard uses keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path in Cipher Block Chaining (CBC) mode.
• None—No IP security encryption mechanism.
Step 15
The IKE authentication is not an editable field. Internet Key Exchange protocol (IKE) is used as a method of distributing the session keys (encryption and authentication), as well as providing a way for the VPN endpoints to agree on how data should be protected. IKE keeps track of connections by assigning a bundle of security associations (SAs) to each connection.
Step 16
Use the IKE phase 1 drop-down menu to choose either aggressive or main. This sets the Internet Key Exchange protocol (IKE) mode. IKE phase 1 is used to negotiate how IKE itself should be protected. Aggressive mode passes more information in fewer packets, with the benefit of a slightly faster connection, at the cost of transmitting the identities of the security gateways in the clear.
Step 17
At the Lifetime parameter, set the timeout interval (in seconds) after which the session expires.
Step 18
Set the IKE Diffie Hellman group. The options are group 1 (768 bits), group 2 (1024 bits), or group 5 (1536 bits). Diffie-Hellman techniques are used by two devices to generate a symmetric key where you can publicly exchange values and generate the same symmetric key.
Although all three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1 and Group 2 based keys might occur slightly faster because of their smaller prime number size.
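The following added example (not code from this guide) walks through the Diffie-Hellman exchange that Step 18 refers to: each side keeps a private exponent, publishes g^x mod p, and both arrive at the same symmetric key. It uses the 1024-bit MODP prime of group 2 as published in RFC 2409 (section 6.2) with generator 2; groups 1 and 5 differ only in the prime, so the same code serves all three. Before use, the block checks that p and (p-1)/2 are prime, which is what makes a MODP group safe, and it refuses the degenerate public values 0, 1 and p-1 that would collapse the shared secret to a handful of possibilities. Verify the constant against the RFC before relying on it.

```python
import secrets

# 1024-bit MODP prime of IKE Diffie-Hellman group 2 (RFC 2409, section 6.2),
# generator 2. Verify against the RFC text before relying on this constant.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, used here only to sanity-check group parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group(p: int, g: int) -> bool:
    """A MODP group is sound when p is a safe prime: p and (p-1)/2 both prime."""
    return 1 < g < p - 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def generate_keypair(p: int, g: int):
    """Private exponent x drawn from a CSPRNG; public value y = g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def shared_secret(peer_public: int, private: int, p: int) -> int:
    """Derive the symmetric key, rejecting trivial public values first.

    0, 1 and p-1 force the result into a tiny set, so a peer (or a host in
    the path substituting them) must be refused rather than accommodated.
    """
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def demo(p: int = GROUP2_P, g: int = GROUP2_G) -> bool:
    """Two endpoints exchange only public values and derive the same secret."""
    a_priv, a_pub = generate_keypair(p, g)
    b_priv, b_pub = generate_keypair(p, g)
    return shared_secret(b_pub, a_priv, p) == shared_secret(a_pub, b_priv, p)


if __name__ == "__main__":
    print("group ok:", check_group(GROUP2_P, GROUP2_G), "secrets match:", demo())
```

The cost difference the text mentions is visible directly: every modular exponentiation above runs on numbers the size of p, so group 5 does the same three exponentiations on 1536-bit values and group 1 on 768-bit values.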
Step 19
Click Save.
Configuring a RADIUS Accounting Template
This page allows you to add a new template for RADIUS accounting server information or make modifications to an existing template.
Step 1
Choose Configure > Controller Templates.
Step 2
From the left sidebar menu, choose Security > RADIUS Acct Servers.
Step 3
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The RADIUS Accounting Template appears (see Figure 10-13), and the number of controllers the template is applied to automatically populates. The IP address of the RADIUS server and the port number for the interface protocols are also displayed.
Figure 10-13 RADIUS Accounting Server Templates
Step 4
Use the Shared Secret Format drop-down menu to choose either ASCII or hexadecimal.
Step 5
Enter the RADIUS shared secret used by your specified server.
Step 6
Retype the shared secret.
Step 7
Click if you want to establish administrative privileges for the server.
Step 8
Click if you want to enable the network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.
Step 9
Specify the time in seconds after which the RADIUS accounting request times out and the controller retransmits it. You can specify a value between 2 and 30 seconds.
Step 10
Click Save.
Configuring a LDAP Server Template
This section explains how to configure a Lightweight Directory Access Protocol (LDAP) server as a backend database, similar to a RADIUS or local user database. An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user. For example, local EAP may use an LDAP server as its backend database to retrieve user credentials. This page allows you to add a new template for an LDAP server or make modifications to an existing template.
Step 1
Choose Configure > Controller Templates.
Step 2
From the left sidebar menu, choose Security > LDAP Servers.
Step 3
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The LDAP Server Template appears (see Figure 10-14). The IP address of the LDAP server and the port number for the interface protocols are displayed.
Figure 10-14 LDAP Server Template
Step 4
In the Server User Base DN field, enter the distinguished name of the subtree in the LDAP server that contains a list of all the users.
Step 5
In the Server User Attribute field, enter the attribute that contains the username in the LDAP server.
Step 6
In the Server User Type field, enter the ObjectType attribute that identifies the user.
Step 7
If you are adding a new server, choose Secure from the Use TLS for Sessions to Server drop-down menu if you want all LDAP transactions to use a secure TLS tunnel. Otherwise, choose None.
Step 8
In the Retransmit Timeout field, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
Step 9
Check the Admin Status check box if you want the LDAP server to have administrative privileges.
Step 10
Click Save.
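The three template fields in Steps 4 to 6 (base DN, user attribute, user object type) define a directory search for one user. The following added example (not code from this guide or from the controller, whose exact query is not documented here) shows the shape of such a lookup and the one safeguard it needs: the username comes from the wireless client, so it must be escaped per RFC 4515 before it is placed in the filter, otherwise a crafted name could change which entries the search matches. The base DN, attribute names and usernames are constructed sample values.

```python
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute descriptions are admin-configured in the template, not client
# supplied, but a syntax check catches typos before they reach the server.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be matched, never alter filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(base_dn: str, user_attr: str, user_type: str, username: str):
    """Return (base DN, scope, filter) for the credential lookup of one user.

    base_dn   - Server User Base DN (Step 4): subtree holding the users
    user_attr - Server User Attribute (Step 5): attribute carrying the username
    user_type - Server User Type (Step 6): object class identifying a user
    """
    if not _ATTR_RE.match(user_attr):
        raise ValueError("invalid attribute description: %r" % user_attr)
    if not username:
        raise ValueError("empty username")
    filt = "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(user_type), user_attr, escape_filter_value(username))
    return base_dn, "subtree", filt


def demo() -> dict:
    # Constructed template values.
    base_dn = "ou=people,dc=example,dc=com"
    plain = build_user_search(base_dn, "uid", "inetOrgPerson", "jdoe")
    # A username carrying filter metacharacters is neutralised by escaping:
    # every '*', '(' and ')' becomes a literal, so the filter still names one user.
    meta = build_user_search(base_dn, "uid", "inetOrgPerson", "j*)(uid=")
    return {"plain": plain[2], "escaped": meta[2], "scope": plain[1]}


if __name__ == "__main__":
    print(demo())
```

Pair this with Secure in Step 7: escaping keeps the query honest, but only TLS keeps the username, the bind credentials and the returned attributes off the wire in the clear.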
Configuring a TACACS+ Server Template
This page allows you to add a new TACACS+ server template or make modifications to an existing template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.
Step 1
Choose Configure > Controller Templates.
Step 2
On the left sidebar menu, choose Security > TACACS+ Server.
Step 3
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The TACACS+ Server Template appears (see Figure 10-15). The IP address and the port number of the TACACS+ template are displayed.
Figure 10-15 TACACS+ Server Template
Step 4
Select the server type. The choices are authentication, authorization, or accounting.
Step 5
Use the drop-down menu to choose either ASCII or hex shared secret format.
Step 6
Enter the TACACS+ shared secret used by your specified server.
Step 7
Re-enter the shared secret in the Confirm Shared Secret field.
Step 8
Check the Admin Status check box if you want the TACACS+ server to have administrative privileges.
Step 9
Specify the time in seconds after which the TACACS+ authentication request times out and a retransmission is attempted by the controller.
Step 10
Click Save.
Configuring a Network Access Control Template
This page allows you to add a new template for network access control or make modifications to an existing template.
Step 1
Choose Configure > Controller Templates.
Step 2
From the left sidebar menu, choose Security > Network Access Control.
Step 3
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Network Access Control Template appears (see Figure 10-16). The IP address and port number for the interface protocols are displayed.
Figure 10-16 Network Access Control Template
Step 4
Enter the shared secret used by your specified server.
Step 5
Re-enter the shared secret in the Confirm Shared Secret field.
Step 6
Check the Admin Status check box if you want the server to have administrative privileges.
Step 7
Click Save.
Configuring a Local EAP General Template
This page allows you to specify a timeout value for local EAP. You can then add a template with this timeout value or make changes to an existing template.
Note
If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.
Step 1
Choose Configure > Controller Templates.
Step 2
From the left sidebar menu, choose Security > Local EAP General.
Step 3
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Local EAP General Template appears (see Figure 10-17).
Figure 10-17 Local EAP General Template
Step 4
In the Local Auth Active Timeout field, enter the amount of time (in seconds) that the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fail. The valid range is 1 to 3600 seconds, and the default setting is 1000 seconds.
Step 5
Click Save.
Configuring a Local EAP Profile Template
This page allows you to add a new template for the local EAP profile or make modifications to an existing template. Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, thereby removing dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users.
Note
The LDAP backend database supports only these local EAP methods: EAP-TLS and EAP-FAST with certificates. LEAP and EAP-FAST with PACs are not supported for use with the LDAP backend database.
Step 1
Choose Configure > Controller Templates.
Step 2
From the left sidebar menu, choose Security > Local EAP Profiles.
Step 3
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The Local EAP Profiles Template appears (see Figure 10-18).
Figure 10-18 Local EAP Profiles Template
Step 4
Each EAP profile must be associated with an authentication type(s). Choose the desired authentication type from the choices below:
• LEAP — This authentication type leverages Cisco Key Integrity Protocol (CKIP) and MMH message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point.
• EAP-FAST — This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1x EAP mutual authentication. A username, password, and PAC (protected access credential) are used to perform mutual authentication with the RADIUS server through the access point.
• TLS — This authentication type uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. It requires a client certificate for authentication.
Step 5
Use the Certificate Issues drop-down menu to determine whether Cisco or another vendor issued the certificate for authentication. Only EAP-FAST and TLS require a certificate.
Step 6
If you want the incoming certificate from the client to be validated against the certificate authority (CA) certificates on the controller, check the Check Against CA Certificates check box.
Step 7
If you want the common name (CN) in the incoming certificate to be validated against the CA certificates' CN on the controller, check the Verify Certificate CN Identity check box.
Step 8
If you want the controller to verify that the incoming device certificate is still valid and has not expired, check the Check Against Date Validity check box.
Step 9
If you want the device certificate on the controller to be used for authentication, check the Local Certificate Required check box. This certification is applicable only to EAP-FAST.
Step 10
If you want the wireless clients to send their device certificates to the controller in order to authenticate, check the Client Certificate Required check box. This certification is only applicable to EAP-FAST.
Step 11
Click Save.
Step 12
Follow these steps to enable local EAP on a WLAN:
a. Choose WLAN > WLANs from the left sidebar menu.
b. Click the profile name of the desired WLAN.
c. Click the Security > AAA Servers tab to access the AAA Servers page.
d. Check the Local EAP Authentication check box to enable local EAP for this WLAN.
Step 13
Click Save.
Configuring an EAP-FAST Template
This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1x EAP mutual authentication. A username, password, and PAC are used to perform mutual authentication with the RADIUS server through the access point. This page allows you to add a new template for the EAP-FAST profile or make modifications to an existing template.
Step 1
Choose Configure > Controller Templates.
Step 2
From the left sidebar menu, choose Security > EAP-FAST Parameters.
Step 3
To add a new template, choose Add Template from the Select a command drop-down menu and click GO. To make modifications to an existing template, click to select a template in the Template Name column. The EAP-FAST Parameters Template appears (see Figure 10-19).
Figure 10-19 EAP-FAST Parameters Template
Step 4 