Table Of Contents
Configuring Devices
Using the Templates
What is a Configuration Template?
Template Choices
IOS Templates
Naming the Template
Using Basic Settings
Setting Up Network Interfaces
Defining Security Settings
Defining Services
Configuring the Event Log
Configuring Wireless Services
Configuring Custom Values
Non-IOS Templates
Naming the Template
Using Basic Settings
Setting Up Association
Configuring the Ethernet Port
Configuring the 11b Radio
Configuring the 11a Radio
Defining the Security Settings
Configuring Services
Configuring Events
Configuring Custom Values
Previewing the Template
Saving the Template
Creating a Template
Copying a Template
Editing a Template
Converting a Template
Deleting a Template
Importing a Template
Exporting a Template
Managing Configuration Archives
Viewing Archived Configurations
Scheduling an Archive Collection
Viewing Archive Status
Editing the Archive
Selecting Overwrite Settings
Deleting Archived Configurations
Comparing Configurations
Exporting a Configuration to a File
Exporting a Configuration to a Template
Managing Jobs
Managing Configuration Jobs
How Do WLSE Configuration Jobs Work?
Recommendations For Running Configuration Jobs
Configuration Job Choices
Creating a Configuration Job
Viewing Configuration Job Status
Managing Archive Jobs
How Do Configuration Archive Jobs Work?
Recommendations For Using Configuration Archives
Archive Job Choices
Creating an Archive Job
Viewing Archive Job Status
Automating Configurations
Assigning a Startup Configuration
Creating a Startup Configuration Template
Creating an IOS Startup Template
Creating a Non-IOS Startup Template
Assigning an Auto-Managed Configuration
Assigning Auto-Managed Configurations
Using Auto-Managed Options
Configuring Devices
The Configure tab allows you to view, create, copy, edit, and delete configuration templates and apply them to large numbers of devices at a time. It also allows you to schedule a configuration job and to check on the job's status.
Following are the subtabs under Configure:
Note
Some of the subtabs may not be visible to some users.
• Templates—See Using the Templates.
• Archives—See Managing Configuration Archives.
• Jobs—See Managing Jobs.
• Auto Update—See Automating Configurations.
Using the Templates
This window allows you to create, modify, and delete configuration templates.
The topics covered in this section are:
• What is a Configuration Template?
• Template Choices
• Creating a Template
• Copying a Template
• Editing a Template
• Converting a Template
• Deleting a Template
• Importing a Template
• Exporting a Template
Related Topics
Managing Jobs
What is a Configuration Template?
You can think of a configuration template as a configuration update file for an access point. This file might contain the update for only one parameter or a complete access point configuration.
Templates for non-IOS access points are stored internally as files in the .ini format that is understood by the access points. IOS-based templates are stored as text files containing IOS commands.
You can use the Configure > Templates option to:
• Create a configuration template (see Creating a Template).
• Import templates directly from devices and export them to files (see Exporting a Template).
• Convert non-IOS templates to IOS-based templates (see Converting a Template).
Template Choices
The template choices vary depending upon the type of template you are creating:
• IOS Templates
• Non-IOS Templates
IOS Templates
When you create or edit an IOS configuration template, the following choices appear in the left pane of the Templates window:
1. Template Name—See Naming the Template.
2. Template Categories
Note
Any or all of the template categories can be completed in any order.
– Basic Settings—See Using Basic Settings.
– Network Interfaces—See Setting Up Network Interfaces.
– Security—See Defining Security Settings.
– Services—See Defining Services.
– Event Log—See Configuring the Event Log.
– Wireless Services—See Configuring Wireless Services.
– Custom Values—See Configuring Custom Values.
3. Preview—See Previewing the Template.
4. Save—See Saving the Template.
Naming the Template
This option enables you to name the template.
Procedure
Note
Clicking Clear removes all the entries you have made.
Step 1
Select Template Name. The Template Name dialog box appears:
Field
|
Description
|
Name
|
Enter a name for the template.
See Naming Guidelines.
|
Description
|
Enter a description of the purpose of the template.
See Naming Guidelines.
Do not press the Enter key at the end of the description; it will generate an error.
|
Step 2
Select a template category. For additional information, see Template Categories.
Using Basic Settings
Use this option if you need to set up an access point quickly with a simple configuration. This will allow you to enter all the access point's essential settings for basic operation.
Procedure
Step 1
Select Basic Settings. The Basic Settings dialog box displays in the right pane:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-1 Basic Settings
Field
|
Description
|
Configuration Server Protocol
|
Set this entry to match the network's method of IP address assignment.
Select one of the following options:
• DHCP—Use this setting if your network uses Dynamic Host Configuration Protocol, in which IP addresses are "leased" for predetermined periods of time.
• Static IP—Use this setting if your network does not have an automatic system for IP address assignment.
|
Default Gateway
|
Enter the IP address of your default Internet gateway.
The entry 255.255.255.255 indicates no gateway.
|
SNMP Community
|
Enter the SNMP community name.
|
Select one of the following: Read-Only, Read-Write
|
Radio0-802.11b
|
SSID
|
Enter any alphanumeric, case-sensitive string, from 1 to 32 characters long.
The SSID is a unique identifier that clients use to associate with the radio.
|
Role in Radio Network
|
Select one of the following:
• Access Point Root—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.
• Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.
|
Broadcast SSID in Beacon
|
Select one of the following:
• Yes—Use this setting to allow devices that do not specify an SSID to associate with the access point.
• No—Use this setting to require that the SSID used by the client devices match the access point's SSID exactly.
|
Optimize Radio Network for
|
Select one of the following:
• Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.
• Range—Use this setting to maximize the access point's range; however, it might reduce throughput.
|
Aironet Extensions
|
Select one of the following:
• Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.
• Disable—Use this setting to disable load balancing, Message Integrity Check (MIC), and WEP key hashing.
|
Radio0-802.11a
|
SSID
|
Enter any alphanumeric, case-sensitive string, from 1 to 32 characters long.
The SSID is a unique identifier that clients use to associate with the radio.
|
Role in Radio Network
|
Select one of the following:
• Access Point Root—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.
• Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.
|
Broadcast SSID in Beacon
|
Select one of the following:
• Yes—Use this setting to allow devices that do not specify an SSID to associate with the access point.
• No—Use this setting to require that the SSID used by the client devices match the access point's SSID exactly.
|
Optimize Radio Network for
|
Select one of the following:
• Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.
• Range—Use this setting to maximize the access point's range; however, it might reduce throughput.
• Default—Use this setting to specify that the access point use the settings entered for the Network Interfaces Settings.
|
Aironet Extensions
|
Select one of the following:
• Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.
• Disable—Use this setting to disable load balancing, Message Integrity Check (MIC), and WEP key hashing.
|
Step 2
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Setting Up Network Interfaces
Use this option to configure the device's network interface settings.
Procedure
Step 1
Select Network Interfaces. The menu expands and the Network Interfaces: FastEthernet Settings dialog box displays in the right pane.
Step 2
Select one of the following from the menu:
• FastEthernet—See Configuring Fast Ethernet Settings.
• Radio-802.11b—See Configuring Radio-802.11b Settings.
• Radio-802.11a—See Configuring Radio-802.11a Settings.
Configuring Fast Ethernet Settings
Use this option to define the Fast Ethernet port settings.
Procedure
Step 1
Select Network Interfaces > FastEthernet. The Network Interfaces: FastEthernet Settings dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-2 Fast Ethernet Settings
Field
|
Description
|
Enable Ethernet
|
Select one of the following:
• Enable—Use this setting to enable Ethernet.
• Disable—Use this setting to disable Ethernet.
|
Requested Duplex
|
Select one of the following:
• Auto—Use this setting to allow the duplex setting to be automatically negotiated between the access point and the hub, switch, or router to which the access point is connected.
• Half—Use this setting to allow operation in half-duplex mode.
• Full—Use this setting to allow operation in full-duplex mode.
|
Requested Speed
|
Select one of the following:
• Auto—Use this setting to allow the transmission speed to be automatically negotiated between the access point and the hub, switch, or router to which the access point is connected.
• 100Mbps—Use this setting to allow a transmission speed of 100 Mbps.
• 10Mbps—Use this setting to allow a transmission speed of 10 Mbps.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring Radio-802.11b Settings
Use this option to configure the device's 802.11b radio.
Procedure
Step 1
Select Network Interfaces > Radio-802.11b. The Network Interfaces: Radio-802.11b dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-3 Radio-802.11b Settings
Field
|
Description
|
Enable Radio
|
Select one of the following:
• Enable—Use this setting to allow the access point to send packets through its 802.11b radio interface and monitor when other devices use the 802.11b radio interface to send packets.
• Disable—Use this setting to change the administrative state of the radio from up to down.
|
Role in Radio Network
(Fallback mode upon loss of Ethernet connection)
|
This setting is used to configure a fallback role for the access point. The access point automatically assumes the fallback role when its Ethernet port is disabled or disconnected from the wired LAN.
Select one of the following:
• Access Point Root (Fallback to Radio Island)—Use this setting to enable wireless clients to continue to associate even when there is no connection to the wired LAN.
• Access Point Root (Fallback to Radio Shutdown)—Use this setting to force the clients to associate to another access point, if one is available, when the radio shuts down because the wired connection is lost.
• Access Point Root (Fallback to Repeater)—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.
• Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.
|
Data Rates
|
• Click one of the following to automatically set the data transmission rates:
– Best Range—Use this setting to maximize the access point's range; however, it might reduce throughput.
– Best Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.
Or
• Select one of the following to manually set the data transmission rates:
– Require—Use this setting to enable transmission at this rate for all packets, both unicast and multicast. At least one data rate must be set to Require. A client must support a required rate before it can associate.
– Enable—Use this setting to enable transmission at this rate for unicast packets only.
– Disable—Use this setting to not allow transmission at this rate.
|
Transmitter Power (mW)
|
Select the power level of the radio transmission.
Note Government regulations define the highest allowable power level for radio devices. This setting must conform to established standards for the country in which you use the device.
To reduce interference, limit the range of your access point, or conserve power, select a lower power setting.
Caution  Do not use the 50mW or 10mW setting for Japanese channels.
For a list of maximum power levels allowed in each regulatory domain refer to one of the following:
• URL: http://www.cisco.com/en/US/products/hw/wireless/ps430/products_command_reference_chapter09186a0080147d8b.html#87443
• Cisco IOS Commands for Access in the Cisco Aironet 1200 Series Access Point Command Reference.
|
Limit Client Power (mW)
|
Use this setting to limit the power level on client devices that associate to the access point. When a client device associates to the access point, the access point sends the maximum power level setting to the client.
|
Default Radio Channel
|
From the list, select the radio channel you want for a default.
If you select Least Congested Frequency, the access point scans for the radio channel that is least busy and selects that channel for use. The device scans at power-up and when the radio settings are changed.
|
Least Congested Channel Search
|
If you want to limit the channels the access point scans when the Default Radio Channel is set for Least Congested Frequency, select one or more channels from the list.
|
World Mode Multi-Domain Operation
|
Select one of the following:
• Enable—Use this setting to enable the access point to add channel carrier set information to its beacon.
Client devices with world-mode enabled receive the carrier set information and adjust their settings automatically.
• Disable—Use this setting to not allow the access point to add channel carrier set information to its beacon.
|
Radio Preamble
|
Select one of the following:
• Short—Use this setting to improve throughput performance; Cisco Aironet's Wireless LAN Adapter supports short preambles.
• Long—Use this setting to ensure compatibility between the access point and all early models of Cisco Aironet Wireless LAN Adapters (PC4800 and PC4800A).
|
Receive Antenna
|
From the list, select one of the following:
• Diversity—Use this setting if your access point has two fixed (non-removable) antennas; it tells the access point to use the antenna that receives the best signal.
• Left—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's left connector. (When you look at the access point's back panel, the left antenna is on the left.)
• Right—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's right connector. (When you look at the access point's back panel, the right antenna is on the right.)
|
Transmit Antenna
|
Aironet Extensions
|
Select one of the following:
• Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.
• Disable—Use this setting to disable load balancing, Message Integrity Check (MIC), and WEP key hashing.
|
Ethernet Encapsulation Transform
|
Select one of the following:
• RFC1042—Use this setting to ensure interoperability with non-Cisco Aironet wireless equipment.
• 802.1H—Use this setting to provide optimum performance for Cisco Aironet wireless products.
|
Reliable Multicast to WGB
|
Select one of the following:
• Disable—Use this setting to not allow reliable multicast to workgroup bridges.
• Enable—Use this setting to allow reliable multicast to workgroup bridges.
|
Public Secure Packet Forwarding
|
Note Use this setting only if no VLAN is configured. If a VLAN is configured, then enable and disable PSPF by selecting Services > VLAN.
Select one of the following:
• Enable—Use this setting to enable use of the protected port for secure mode configuration. (No exchange of unicast, broadcast, or multicast traffic occurs between protected ports.)
• Disable—Use this setting to disable the use of the port for secure mode configuration.
|
Beacon Period
|
Enter the amount of time between beacons in kilomicroseconds. (One kilomicrosecond equals 1,024 microseconds.)
|
Data Beacon Rate (DTIM)
|
Enter the amount of time, always a multiple of the beacon period, to determine how often the beacon contains a delivery traffic indication message (DTIM).
The DTIM tells power-save client devices that a packet is waiting for them.
If the beacon period is set to 100, its default setting, and the data beacon rate is set to 2, its default setting, then the access point sends a beacon containing a DTIM every 200 kilomicroseconds.
|
Max. Data Retries
|
Enter the maximum number of attempts the access point makes to send a packet before giving up and dropping the packet.
|
RTS Max. Retries
|
Enter the maximum number of times the access point issues an RTS before stopping the attempt to send the packet through the radio.
|
Fragmentation Threshold
|
Enter a setting to determine the size at which packets are fragmented (sent as several pieces instead of as one block).
Use a low setting in areas where communication is poor or where there is a great deal of radio interference.
|
RTS Threshold
|
Enter a setting to determine the packet size at which the access point issues a request to send (RTS) before sending the packet.
A low RTS Threshold setting can be useful in areas where many client devices are associating with the access point, or in areas where the clients are far apart and can detect only the access point and not each other.
|
Repeater Parent AP Timeout
|
Enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list.
|
Repeater Parent AP MAC 1 through MAC 4
|
Enter the MAC address for the access point to which the repeater should associate.
You can enter MAC addresses for up to four parent access points. The repeater attempts to associate to MAC address 1 first; if that access point does not respond, the repeater tries the next access point in its parent list.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring Radio-802.11a Settings
Use this option to configure the device's 802.11a radio.
Procedure
Step 1
Select Network Interfaces > Radio-802.11a. The Network Interfaces: Radio-802.11a dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-4 Radio-802.11a Settings
Field
|
Description
|
Enable Radio
|
Select one of the following:
• Enable—Use this setting to allow the access point to send packets through its 802.11a radio interface and monitor when other devices use the 802.11a radio interface to send packets.
• Disable—Use this setting to change the administrative state of the radio from up to down.
|
Role in Radio Network
(Fallback mode upon loss of Ethernet connection)
|
This setting is used to configure a fallback role for the access point. The access point automatically assumes the fallback role when its Ethernet port is disabled or disconnected from the wired LAN.
Select one of the following:
• Access Point Root (Fallback to Radio Island)—Use this setting to enable wireless clients to continue to associate even when there is no connection to the wired LAN.
• Access Point Root (Fallback to Radio Shutdown)—Use this setting to force the clients to associate to another access point, if one is available, when the radio shuts down because the wired connection is lost.
• Access Point Root (Fallback to Repeater)—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.
• Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.
|
Data Rates
|
• Click one of the following to automatically set the data transmission rates:
– Best Range—Use this setting to maximize the access point's range; however, it might reduce throughput.
– Best Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.
– Default—Use this setting to compromise between range and throughput, providing good range and good throughput.
Or
• Select one of the following to manually set the data transmission rates:
– Require—Use this setting to enable transmission at this rate for all packets, both unicast and multicast. At least one data rate must be set to Require. A client must support a required rate before it can associate.
– Enable—Use this setting to enable transmission at this rate for unicast packets only.
– Disable—Use this setting to not allow transmission at this rate.
|
Transmitter Power (mW)
|
Select the power level of the radio transmission.
Note Government regulations define the highest allowable power level for radio devices. This setting must conform to established standards for the country in which you use the device.
To reduce interference, limit the range of your access point, or conserve power, select a lower power setting.
For a list of maximum power levels allowed in each regulatory domain refer to one of the following:
• URL: http://www.cisco.com/en/US/products/hw/wireless/ps430/products_command_reference_chapter09186a0080147d8b.html#87443
• Cisco IOS Commands for Access in the Cisco Aironet 1200 Series Access Point Command Reference.
|
Limit Client Power (mW)
|
Use this setting to limit the power level on client devices that associate to the access point. When a client device associates to the access point, the access point sends the maximum power level setting to the client.
|
Default Radio Channel
|
From the list, select the radio channel you want for a default.
If you select Least Congested Frequency, the access point scans for the radio channel that is least busy and selects that channel for use. The device scans at power-up and when the radio settings are changed.
|
Least Congested Channel Search
|
If you want to limit the channels the access point scans when the Default Radio Channel is set for Least Congested Frequency, select one or more channels from the list.
|
Receive Antenna
|
From the list, select one of the following:
• Diversity—Use this setting if your access point has two fixed (non-removable) antennas; it tells the access point to use the antenna that receives the best signal.
• Left—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's left connector. (When you look at the access point's back panel, the left antenna is on the left.)
• Right—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's right connector. (When you look at the access point's back panel, the right antenna is on the right.)
|
Transmit Antenna
|
Aironet Extensions
|
Select one of the following:
• Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.
• Disable—Use this setting to disable load balancing, Message Integrity Check (MIC), and WEP key hashing.
|
Ethernet Encapsulation Transform
|
Select one of the following:
• RFC1042—Use this setting to ensure interoperability with non-Cisco Aironet wireless equipment.
• 802.1H—Use this setting to provide optimum performance for Cisco Aironet wireless products.
|
Reliable Multicast to WGB
|
Select one of the following:
• Disable—Use this setting to not allow reliable multicast to workgroup bridges.
• Enable—Use this setting to allow reliable multicast to workgroup bridges.
|
Public Secure Packet Forwarding
|
Note Use this setting only if no VLAN is configured. If a VLAN is configured, then enable and disable PSPF by selecting Services > VLAN.
Select one of the following:
• Enable—Use this setting to enable use of the protected port for secure mode configuration. (No exchange of unicast, broadcast, or multicast traffic occurs between protected ports.)
• Disable—Use this setting to disable the use of the port for secure mode configuration.
|
Beacon Period
|
Enter the amount of time between beacons in kilomicroseconds. (One kilomicrosecond equals 1,024 microseconds.)
|
Data Beacon Rate (DTIM)
|
Enter the amount of time, always a multiple of the beacon period, to determine how often the beacon contains a delivery traffic indication message (DTIM).
The DTIM tells power-save client devices that a packet is waiting for them.
If the beacon period is set to 100, its default setting, and the data beacon rate is set to 2, its default setting, then the access point sends a beacon containing a DTIM every 200 kilomicroseconds.
|
Max. Data Retries
|
Enter the maximum number of attempts the access point makes to send a packet before giving up and dropping the packet.
|
RTS Max. Retries
|
Enter the maximum number of times the access point issues an RTS before stopping the attempt to send the packet through the radio.
|
Fragmentation Threshold
|
Enter a setting to determine the size at which packets are fragmented (sent as several pieces instead of as one block).
Use a low setting in areas where communication is poor or where there is a great deal of radio interference.
|
RTS Threshold
|
Enter a setting to determine the packet size at which the access point issues a request to send (RTS) before sending the packet.
A low RTS Threshold setting can be useful in areas where many client devices are associating with the access point, or in areas where the clients are far apart and can detect only the access point and not each other.
|
Repeater Parent AP Timeout
|
Enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list.
|
Repeater Parent AP MAC 1 through MAC 4
|
Enter the MAC address for the access point to which the repeater should associate.
You can enter MAC addresses for up to four parent access points. The repeater attempts to associate to MAC address 1 first; if that access point does not respond, the repeater tries the next access point in its parent list.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Defining Security Settings
Use this option to configure the device's security settings.
Procedure
Step 1
Select Security. The menu expands and the Security: Admin Access dialog box displays in the right pane.
Step 2
Select one of the following from the menu:
• Admin Access—See Configuring Admin Access Settings.
• SSID 802.11x—See Configuring SSID 802.11x Settings.
• WEP 802.11x—See Configuring WEP 802.11x Settings.
• Server Manager—See Configuring Server Manager Settings.
• Advanced Security—See Configuring Advanced Security.
• Local Radius Server—See Setting Up the Local RADIUS Server.
Configuring Admin Access Settings
Use this option to add users to the system, remove users from the system, and assign user capabilities.
Procedure
Step 1
Select Security > Admin Access. The Security: Admin Access dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-5 Admin Access Settings
Field
|
Description
|
Administrator Authenticated by
|
Select one of the following:
• Default Authentication (Global Password)—Use this setting to skip the username and enter only a password.
You will need to enter the password in the Default Authentication (Global Password) field below.
• Local User List Only (Individual Password)—Use this setting to designate the local user list for authentication.
You will need to have at least one Read-Write user in the Local User List on the access point or in the Local User List field below.
• Authentication Server Only—Use this setting to designate the server for authentication.
• Authentication Server if not found in Local List—Use this setting to designate the server for authentication if not in the local list.
You will need to have at least one Read-Write user in the Local User List on the access point or in the Local User List field below.
|
Default Authentication (Global Password)
|
Default Authentication Password
|
Enter the password to be used as the default.
|
Confirm Authentication Password
|
Reenter the password.
|
Local User List (Individual Passwords)
|
User List
|
Lists the existing users.
To delete a username from the list, select it, then click Delete.
|
Username
|
Enter the username.
|
Password
|
Enter the password.
|
Confirm Password
|
Reenter the password.
|
Capability Settings
|
Select one of the settings, then click Add.
|
Delete Users
|
User ID
|
Enter the user identification, then click >>.
|
Users to Delete
|
Lists the users to be deleted.
To remove users from the list, click <<.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
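The constraints and security-relevant choices stated in Tables 4-1 through 4-5 can be checked against a planned template before it is saved or applied to devices. The following Python check is an added example, not part of WLSE or of the original document; the dictionary layout, the `VLAN configured` key, the user capability values, and the sample data are assumptions made for illustration.

```python
import re

# Keys mirror the field labels in Tables 4-1, 4-3/4-4 and 4-5. The dict layout,
# the "VLAN configured" key and the capability values are assumptions made for
# this example; this is not a WLSE file format.
SSID_RE = re.compile(r"[A-Za-z0-9]{1,32}")  # "alphanumeric ... 1 to 32 characters"
NEEDS_LOCAL_RW_USER = {
    "Local User List Only (Individual Password)",
    "Authentication Server if not found in Local List",
}


def dtim_interval_kus(beacon_period, data_beacon_rate):
    """Kilomicroseconds between beacons that carry a DTIM."""
    return beacon_period * data_beacon_rate


def check_radio(name, radio):
    """Return (severity, message) findings for one radio's settings."""
    out = []
    # A template may update only a few parameters, so check only what is present.
    if "SSID" in radio and not SSID_RE.fullmatch(radio["SSID"]):
        out.append(("ERROR", f"{name}: SSID must be 1 to 32 alphanumeric characters"))
    # Data Rates is either a preset name (string) or a manual per-rate mapping.
    rates = radio.get("Data Rates")
    if isinstance(rates, dict) and "Require" not in rates.values():
        out.append(("ERROR", f"{name}: at least one data rate must be set to Require"))
    if len(radio.get("Repeater Parent AP MAC", [])) > 4:
        out.append(("ERROR", f"{name}: at most four repeater parent MAC addresses"))
    pspf = radio.get("Public Secure Packet Forwarding")
    if radio.get("VLAN configured"):
        if pspf is not None:
            out.append(("ERROR", f"{name}: VLAN in use, set PSPF under Services > VLAN"))
    elif pspf == "Disable":
        out.append(("REVIEW", f"{name}: PSPF off, traffic between clients is not blocked"))
    if radio.get("Aironet Extensions") == "Disable":
        out.append(("REVIEW", f"{name}: Aironet Extensions off, no MIC or WEP key hashing"))
    if radio.get("Broadcast SSID in Beacon") == "Yes":
        out.append(("REVIEW", f"{name}: clients that specify no SSID can associate"))
    return out


def check_admin(admin):
    """Return findings for the Admin Access settings (Table 4-5)."""
    out = []
    mode = admin.get("Administrator Authenticated by")
    users = admin.get("Local User List", [])
    if mode in NEEDS_LOCAL_RW_USER and not any(
        u.get("capability") == "Read-Write" for u in users
    ):
        # The template cannot see the device's own list, so this is a warning.
        out.append(("WARN", "no Read-Write local user in the template; "
                            "one must already exist on the access point"))
    if mode == "Default Authentication (Global Password)":
        pw = admin.get("Default Authentication Password")
        if not pw or pw != admin.get("Confirm Authentication Password"):
            out.append(("ERROR", "global password missing or confirmation differs"))
        out.append(("REVIEW", "global password: one shared secret, no usernames"))
    return out


def check_template(tpl):
    """Run every check over a template dict and return all findings."""
    out = []
    if tpl.get("SNMP Community", {}).get("access") == "Read-Write":
        out.append(("REVIEW", "SNMP community is Read-Write"))
    for name, radio in tpl.get("radios", {}).items():
        out += check_radio(name, radio)
    out += check_admin(tpl.get("Admin Access", {}))
    return out


# Constructed sample input, not taken from a real device or from the document.
SAMPLE = {
    "SNMP Community": {"name": "example-community", "access": "Read-Write"},
    "radios": {
        "Radio0-802.11b": {
            "SSID": "lab net",  # the space is not alphanumeric
            "Broadcast SSID in Beacon": "Yes",
            "Aironet Extensions": "Disable",
            "Data Rates": {"1.0": "Enable", "2.0": "Enable",
                           "5.5": "Enable", "11.0": "Enable"},
            "Public Secure Packet Forwarding": "Disable",
            "VLAN configured": False,
            "Beacon Period": 100,
            "Data Beacon Rate (DTIM)": 2,
        },
    },
    "Admin Access": {
        "Administrator Authenticated by": "Local User List Only (Individual Password)",
        "Local User List": [{"username": "auditor", "capability": "Read-Only"}],
    },
}

if __name__ == "__main__":
    for severity, message in check_template(SAMPLE):
        print(f"{severity:6} {message}")
    radio = SAMPLE["radios"]["Radio0-802.11b"]
    kus = dtim_interval_kus(radio["Beacon Period"], radio["Data Beacon Rate (DTIM)"])
    print(f"DTIM every {kus} kilomicroseconds")
```
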
Configuring SSID 802.11x Settings
Use this option to configure SSID 802.11b and 802.11a settings.
Procedure
Step 1
Select Security > SSID Manager. The Security: SSID Manager dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-6 SSID 802.11x Settings
Field
|
Description
|
SSID List
|
Lists the currently configured SSIDs.
To delete an SSID from the list, select it, then click Delete.
|
SSID
|
Enter any alphanumeric, case-sensitive string, from 1 to 32 characters long.
The SSID is a unique identifier that clients use to associate with the radio.
|
VLAN
|
Enter the identification number of the VLAN.
|
Authentication Methods Accepted
|
Open Authentication
|
Select one of the following from the list:
• MAC Authentication—Use this setting to specify that client devices that associate to the access point with open authentication use MAC authentication.
• EAP—Use this setting to specify that client devices that associate to the access point with open authentication use EAP authentication.
• MAC Authentication and EAP—Use this setting to allow client devices that associate to the access point using 802.11 open authentication to first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.
• MAC Authentication or EAP—Use this setting to allow client devices that associate to the access point using open authentication to first attempt MAC authentication. If MAC authentication succeeds, the client device joins the network; if the client is also using EAP authentication, it attempts to authenticate using EAP. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.
|
Shared Authentication
|
Select one of the following from the list:
• MAC Authentication—Use this setting to specify that client devices that associate to the access point with shared authentication use MAC authentication.
• EAP—Use this setting to specify that client devices that associate to the access point with shared authentication use EAP authentication.
• MAC Authentication and EAP—Use this setting to specify that client devices that associate to the access point with shared authentication use MAC and EAP authentication.
|
Network EAP
|
Select the following from the list:
MAC Authentication—Use this setting to specify that client devices that associate to the access point with network EAP authentication use MAC authentication.
|
Server Priorities
|
EAP Authentication Servers
|
Select one of the following:
• Use Defaults—Use this setting to use the defaults.
• Use Server Group—Use this setting to specify a server group then enter the group name.
• Customize—Use this setting to create a new server group.
• New Group Name—Enter a name for the new group.
• Priority—Enter the server IP address or hostname.
– Auth Port—Enter the authentication port.
– Acct Port—Enter the accounting port.
or
– Select a name from the list.
|
MAC Authentication Servers
|
Authenticated Key Management
|
From the list, select one of the following:
Note For 802.11a you select either CCKM or WPA; for 802.11b, you can select both.
• None—Use this setting to indicate you do not want to use authenticated key management.
• Mandatory—Use this setting to indicate authenticated key management is mandatory.
• Optional—Use this setting to indicate authenticated key management is optional.
|
CCKM
|
Select this option to use Cisco Centralized Key Management (CCKM).
Using CCKM, authenticated client devices can roam from one access point to another without any perceptible delay during reassociation. An access point on your network acts as a wireless domain services (WDS) device and creates a cache of security credentials for CCKM-enabled client devices on the subnet. The WDS cache of credentials reduces the time required for reassociation when a CCKM-enabled client device roams to a new access point.
Note To enable CCKM for an SSID, you must configure network-EAP authentication.
|
WPA
|
Select this option to use Wi-Fi Protected Access (WPA).
The WPA key management uses a combination of encryption methods to protect communication between client devices and the access point.
If authentication key management is WPA, the client and authentication server authenticate to each other using an EAP authentication method (e.g., EAP-TLS) and generate a Pairwise Master Key.
Note To enable WPA for an SSID, you must also enable Open authentication and/or Network EAP.
|
WPA Pre-shared Key
|
Enter a key for the access point to support client devices using WPA key management.
For versions earlier than 12.2(11)JA, enter a WEP key. For 40-bit encryption, enter 10 hexadecimal digits; for 128-bit encryption, enter 26 hexadecimal digits.
Select either ASCII or Hexadecimal. If you use hexadecimal, you must enter 64 hexadecimal characters (unencrypted key) to complete the 256-bit key. If you use ASCII, you must enter a minimum of 8 letters, numbers, or symbols, and the access point expands the key for you. Up to 63 ASCII characters are allowed.
|
EAP Client Username
|
Enter the username used for EAP authentication when the repeater access point is associating with a parent access point.
|
Password
|
Enter the EAP client password.
|
Association Limit
|
Enter the maximum number of clients that may associate to a particular SSID. This limit prevents access points from getting overloaded and helps to provide an adequate level of service to associated clients.
|
Proxy Mobile IP
|
Select one of the following:
• Enable—Use this setting to use this server for storing security association (SA) bindings for mobile agents. The access point uses this server to retrieve the SPI and key associated with the IP address of the client to which it is trying to roam. The SPI and key are then sent to the home agent to validate the client before allowing it to roam.
• Disable—Use this setting if you do not want the server used for storing SA bindings for mobile agents.
|
Accounting
|
From the list, select one of the following:
• Enable—Use this setting to indicate whether you want this server to record usage data of clients associating with the access point.
• Disable—Use this setting to turn off accounting for your wireless network.
|
Accounting Server Priorities
|
Select one of the following:
• Use Defaults—Use this setting to select the defaults.
• Use Server Group—Use this setting to specify a server group, then enter the name of the group.
• Customize—Use this setting to create a new server group, then enter the name of the group.
• Priority—Enter the server IP address or hostname.
• Auth Port—Enter the authentication port.
– Acct Port—Enter the accounting port.
or
– Select a name from the list.
|
Step 3
Click Save.
Step 4
To delete an entry from the listbox, select it, then click Delete.
Step 5
Complete the following to set global SSID properties:
Table 4-7 Setting SSID 802.11x Global Properties
Field
|
Description
|
Set Guest Mode SSID
|
Enter your access point's guest-mode SSID. The access point includes the SSID in its beacon and allows associations from client devices that do not specify an SSID.
|
Set Infrastructure SSID
|
Enter the SSID that other access points and workgroup bridges use to associate to this access point. If you do not designate an SSID as the infrastructure SSID, infrastructure devices can associate to the access point using any SSID.
|
Force infrastructure device to associate only to this SSID
|
Select this option to force infrastructure devices to associate to the access point using the specified SSID.
|
Step 6
Complete the following to delete an SSID:
Table 4-8 Setting SSID 802.11x Global Properties
Field
|
Description
|
SSID
|
Enter the SSID you want to delete, then click >>. The SSID is added to the SSID to Delete list.
|
SSID to Delete
|
Lists the SSIDs to delete. To remove an SSID from this list, click <<.
|
Step 7
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring WEP 802.11x Settings
Use this option to select authentication types for the access point. The WEP keys allow you to encrypt radio signals sent by the device and decrypt radio signals received by the device.
Procedure
Step 1
Select Security > WEP 802.11x. The Security: WEP Key Manager dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-9 WEP 802.11x Settings
Field
|
Description
|
Set Encryption Mode and Keys for VLAN
|
Enter the VLAN for which you want to set the encryption mode and keys.
If you enter None, properties are applied globally.
|
VLAN List
|
Lists the currently configured VLANs.
To remove a VLAN from the list, select it, then click Delete.
|
Encryption Modes
|
None
|
Select this option if the device communicates only with client devices that are not using WEP.
|
WEP Encryption
|
Select this option if you want to use WEP key encryption.
|
From the list, select one of the following:
• Optional—Use this option to allow client devices to communicate with the access point either with or without WEP.
• Mandatory—Use this option to require client devices to use WEP when communicating with the access point. Devices not using WEP are not allowed to communicate.
|
Check one of the following:
• Cisco Compliant TKIP Features—Use this option to enable Temporal Key Integrity Protocol (TKIP).
When TKIP is enabled, all WEP-enabled client devices associated to the access point must support WEP key hashing, or they will not be able to communicate with the access point.
• Enable MIC—Use this setting if you want to enable Message Integrity Check (MIC). When you enable MIC, only MIC-capable client devices can communicate with the access point.
• Enable Per Packet Keying—Use this option to enable MIC on both the access point and all associated client devices. A few bytes are added to each packet to make the packets tamper-proof.
|
Cipher
|
Select this option to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM).
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN.
From the list, select one of the cipher suites.
• WEP—Wired Equivalent Privacy is the least secure cipher suite.
• TKIP—Temporal Key Integrity Protocol is the most secure cipher suite.
• CKIP—Cisco Key Integrity Protocol is Cisco's WEP key permutation technique based on an early algorithm.
• CMIC—Cisco Message Integrity Check is Cisco's message integrity check mechanism designed to detect forgery attacks.
|
WEP Keys
|
Encryption Keys 1 through 4
|
Transmit Key
|
Select to indicate this is the key you want to use to transmit packets. Only one key can be selected at a time.
|
Encryption Key
|
Enter the type of encryption key used:
• For 40-bit WEP keys, enter as 10 hexadecimal digits (0-9, a-f, or A-F).
• For 128-bit WEP keys, enter as 26 hexadecimal digits (0-9, a-f, or A-F).
|
Key Size
|
From the list, select one of the following:
• 40 bit
• 128 bit
|
Broadcast Key Rotation Interval
|
Select one of the following:
• Disable Rotation—Use this setting to disable broadcast key rotation.
• Enable Rotation with Interval—Use this setting for the access point to provide a dynamic broadcast WEP key and to change it at the selected interval.
|
WPA Group Key Update
|
Select the appropriate checkbox to determine how frequently the access point changes and distributes the group key to WPA-enabled client devices.
• Enable Group Key Update on Membership Termination—Select this setting if clients do not roam frequently among access points.
The access point generates and distributes a new group key when any authenticated station disassociates from the access point. This option keeps the group key private to only currently active members. However, it may generate some overhead if clients in your network roam frequently.
• Enable Group Key Update on Member's Capability Change—Use this setting, when in WPA migration mode, to improve the security of the key management capable clients when there are no legacy clients associated to the access point.
The access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates.
|
Step 3
Click Save. The VLAN is added to the list box.
Step 4
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
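A pre-flight check for the key material and key-management rules stated in Tables 4-6 and 4-9 (WPA Pre-shared Key, WEP Encryption Key and Key Size, and the CCKM/WPA notes), as an added example that is not WLSE code. The dictionary layout and function names are hypothetical, and the ASCII expansion is assumed to be the standard WPA passphrase mapping (PBKDF2-HMAC-SHA1 salted with the SSID), which this guide does not spell out.

```python
import hashlib
import string

HEX = set(string.hexdigits)  # 0-9, a-f, A-F


def is_hex(value):
    return bool(value) and all(c in HEX for c in value)


def check_ssid(ssid):
    """SSID field: a string from 1 to 32 characters long."""
    return 1 <= len(ssid) <= 32


def wep_key_bits(key):
    """Return the key size implied by the digit count: 10 -> 40, 26 -> 128."""
    if not is_hex(key):
        raise ValueError("WEP key must contain only hexadecimal digits")
    sizes = {10: 40, 26: 128}
    if len(key) not in sizes:
        raise ValueError("WEP key must be 10 or 26 hexadecimal digits")
    return sizes[len(key)]


def wpa_key_from_psk(psk, ssid, fmt):
    """Return the 256-bit key (32 bytes) behind a WPA Pre-shared Key entry."""
    if fmt == "hex":
        if len(psk) != 64 or not is_hex(psk):
            raise ValueError("hexadecimal PSK must be exactly 64 hex characters")
        return bytes.fromhex(psk)
    if fmt == "ascii":
        if not 8 <= len(psk) <= 63:
            raise ValueError("ASCII PSK must be 8 to 63 characters")
        if any(not 32 <= ord(c) <= 126 for c in psk):
            raise ValueError("ASCII PSK must be printable ASCII")
        # Assumption: the access point's expansion is the standard WPA
        # passphrase mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.
        return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"),
                                   ssid.encode("utf-8"), 4096, 32)
    raise ValueError("PSK format must be 'ascii' or 'hex'")


def key_management_problems(radio, open_auth, network_eap, cckm, wpa):
    """Apply the three key-management notes from Table 4-6."""
    problems = []
    if cckm and not network_eap:
        problems.append("CCKM requires Network EAP authentication")
    if wpa and not (open_auth or network_eap):
        problems.append("WPA requires Open authentication and/or Network EAP")
    if radio == "802.11a" and cckm and wpa:
        problems.append("802.11a accepts either CCKM or WPA, not both")
    return problems


def lint_ssid_entry(entry):
    """Collect every problem found in one SSID entry (hypothetical layout)."""
    problems = []
    if not check_ssid(entry["ssid"]):
        problems.append("SSID must be 1 to 32 characters")
    problems += key_management_problems(
        entry["radio"], entry["open_auth"], entry["network_eap"],
        entry["cckm"], entry["wpa"])
    if entry.get("wpa_psk") is not None:
        try:
            wpa_key_from_psk(entry["wpa_psk"], entry["ssid"], entry["psk_format"])
        except ValueError as exc:
            problems.append(str(exc))
    for key in entry.get("wep_keys", []):
        try:
            if wep_key_bits(key) != entry.get("wep_key_size"):
                problems.append("WEP key length does not match Key Size")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


# Constructed sample entries, not taken from any real template.
SAMPLE_OK = {
    "ssid": "Floor2West", "radio": "802.11b",
    "open_auth": True, "network_eap": True, "cckm": True, "wpa": True,
    "wpa_psk": "correct horse battery", "psk_format": "ascii",
    "wep_keys": ["0123456789abcdefABCDEF0123"], "wep_key_size": 128,
}
SAMPLE_BAD = {
    "ssid": "Floor2East", "radio": "802.11a",
    "open_auth": False, "network_eap": False, "cckm": True, "wpa": True,
    "wpa_psk": "short", "psk_format": "ascii",
    "wep_keys": ["0123456789ab"], "wep_key_size": 40,
}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(sample["ssid"], lint_ssid_entry(sample) or "ok")
```

Because the passphrase mapping is salted with the SSID, the same ASCII key yields a different 256-bit key on every SSID, while a 64-character hexadecimal entry is used as the key unchanged.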
Configuring Server Manager Settings
Use this option to enter the authentication settings. The RADIUS server on your network uses EAP to provide authentication service for wireless client devices.
Procedure
Step 1
Select Security > Server Manager. The Security: Server Manager dialog box appears.
Step 2
Complete the following to add a server to the list:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-10 Backup Radius Server
Field
|
Description
|
Backup Radius Server
|
Select one of the following:
• Create—Use this setting to create a backup RADIUS server.
• Delete—Use this setting to delete a backup RADIUS server.
|
Backup Radius Server
|
Enter the hostname or IP address of the RADIUS server you are either creating or deleting.
|
Shared Secret
|
Enter the server's shared secret.
|
Corporate Servers
|
Current Server List
|
Lists the servers that are currently configured.
To remove a server from the list, select it, then click Delete.
|
RADIUS
|
Select this option if you are configuring settings for RADIUS.
|
TACACS+
|
Select this option if you are configuring settings for TACACS+.
|
Server
|
Enter the hostname or IP address for the selected server.
|
Shared Secret
|
Enter the shared secret used by your server.
|
Authentication Port
|
Enter the port number your server uses for authentication.
|
Accounting Port
|
Enter the port number your server uses for accounting.
|
Step 3
Click Save. The server appears on the list.
Step 4
To delete a server, select it from the list, then click Delete.
Step 5
Complete the following to set default server priorities:
Table 4-11 Default Server Priority Settings
Field
|
Description
|
EAP Authentication
|
• Priority—Enter the server IP address or hostname.
• Auth Port—Enter the authentication port used by the server.
• Acct Port—Enter the accounting port used by the server.
|
MAC Authentication
|
Accounting
|
Admin Authentication (RADIUS)
|
Admin Authentication (TACACS+)
|
Proxy Mobile IP Authentication
|
Step 6
Complete the following to set global server properties:
Table 4-12 Global Server Properties
Field
|
Description
|
Accounting Update Interval
|
Enter the interval at which the accounting updates should be performed.
The accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming.
|
TACACS+ Server Timeout
|
Enter the number of seconds the access point should wait before resending the request.
|
RADIUS Server Timeout
|
Enter the number of seconds the access point should wait before resending the request.
|
RADIUS Server Retransmit Retries
|
Enter the number of seconds the access point should wait before giving up contacting the server.
|
Dead Server List
|
When a server is found to be unresponsive after numerous retransmissions and time-outs, it is assumed to be dead and is put in a dead server list.
Select one of the following:
• Disable—Use this setting to disable the feature.
• Enable; Server remains on list for—Use this setting to enable the feature and to set the length of time for which the server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
|
RADIUS Attributes
|
Remove Existing WISPr Location-ID
|
Select to remove the existing location identification configured on the access point, which is sent with authentication and account requests, and use the ISO and E.164 country codes, and E.164 area code instead.
|
ISO Country Code
|
Enter a unique two-letter code.
Information about the ISO 3166 country codes can be found at the following URL: http://www.iso.ch/iso/en/prods-services/iso3166ma/index.html
|
E.164 Country Code
|
Enter a three-digit code for special uses.
Information about the ISO 3166 country codes can be found at the following URL: http://www.iso.ch/iso/en/prods-services/iso3166ma/index.html.
|
E.164 Area Code
|
Enter a three-digit code based on the International Telecommunication Union (ITU) Telecommunication Standardization Sector (ITU-T) recommendations.
Information about ITU-T can be found at the following URL: http://www.itu.int/ITU-T/
|
Step 7
Complete the following to delete RADIUS servers:
Table 4-13 Deleting Servers and Server Groups
Field
|
Description
|
Servers to Delete
|
Lists the servers to delete.
To delete a server from the list, select it, then click Delete.
|
Delete Server
|
Enter the server you want to delete, then select either RADIUS or TACACS+.
|
Authentication Port
|
Enter the port number your RADIUS/TACACS+ server uses for authentication.
|
From Group
|
Enter the name of the group from which you want to delete the server.
|
Delete Server also?
|
If you want to delete the server from the group and delete the server itself, select, then click >>. The group name is added to the list.
Click Add Server to Delete List and the server name is added to the Servers to Delete.
|
Step 8
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring Advanced Security
Use this option to set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication.
When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication. If MAC authentication succeeds, the client device joins the network. If the client is also using EAP authentication, it attempts to authenticate using EAP. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.
Procedure
Step 1
Select Security > Advanced Security. The Security: Advanced Security dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-14 Advanced Security
Field
|
Description
|
MAC Address Authentication
|
MAC Addresses Authenticated by
|
Select one of the following:
• Local List Only—Use this setting if you want the authentication to be stored on the access point, and enter MAC addresses.
• Authentication Server Only—Use this setting if you want the authentication to be stored on the server.
• Authentication Server if not found in Local List—Use this setting if you want to try the MAC authentication list first and then automatically try the Authentication server list.
|
Holdoff Time
|
Client Holdoff Time
|
Select one of the following:
• Disable Holdoff—Use this setting to disable the client holdoff feature.
• Enable Holdoff with Interval—Use this setting to specify the number of seconds a client device must wait before it can reattempt to authenticate following a failed authentication.
|
TKIP MIC Failure Holdoff Time (Radio0-802.11X)
|
Select one of the following:
• Disable Holdoff—Use this setting to disable the TKIP MIC failure holdoff feature.
• Enable Holdoff with Interval—Use this setting to enable the TKIP MIC failure hold time. The number of seconds you enter specifies the amount of time the access point blocks all TKIP clients on the interface.
|
Local MAC Address List
|
Local List
|
The local MAC address list is displayed in this listbox.
To delete an entry, select it, then click Delete.
|
New MAC Address
|
Enter the MAC address, then click Add.
|
Radio0-802.11b EAP Authentication
|
EAP Reauthentication Interval
|
Select one of the following:
• Disable Reauthentication—Use this setting to disable reauthentication.
• Enable Reauthentication with Interval—Use this setting to enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate.
• Enable Reauthentication with Interval given by Authentication Server—Use this setting to use the reauthentication period specified by the authentication server.
|
EAP Client Timeout
|
Enter the number of seconds the access point should wait for a reply from a client attempting to authenticate before the authentication fails.
|
Radio1-802.11a EAP Authentication
|
EAP Reauthentication Interval
|
Select one of the following:
• Disable Reauthentication—Use this setting to disable reauthentication.
• Enable Reauthentication with Interval—Use this setting to enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate.
• Enable Reauthentication with Interval given by Authentication Server—Use this setting to use the reauthentication period specified by the authentication server.
|
EAP Client Timeout
|
Enter the number of seconds the access point should wait for a reply from a client attempting to authenticate before the authentication fails.
|
Association Access List
|
Filter client association with MAC address access list
|
Select one of the following:
• Enable—Use this setting to enable a MAC address filter for clients who are trying to associate with the access point.
• Disable—Use this setting to prevent clients from associating based on their MAC addresses.
|
Filter
|
Enter the MAC address filter or select one from the list.
|
Step 3
Complete the following to delete local MAC addresses:
Table 4-15 Deleting Local MAC Addresses
Field
|
Description
|
MAC Address
|
Enter the address you want to delete, then click >>. The address is added to the MAC Addresses to Delete list.
|
MAC Addresses to Delete
|
Lists the MAC addresses to delete.
To remove an address from the list, select it, then click <<.
|
Step 4
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Setting Up the Local RADIUS Server
Use this option to configure local server settings.
Procedure
Step 1
Select Security > Local Radius Server. The Security: Local Radius Server - General Set-Up dialog box appears.
Using this option you can do the following:
• Set up the network access server—See Setting Up Network Access Servers.
• Set up user groups—See Setting Up User Groups.
• Set up individual users—See Setting Up Individual Users.
• Delete servers, groups, and users—See Deleting Servers, Groups, and Users.
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Setting Up Network Access Servers
Procedure
Step 1
Complete the following:
Table 4-16 Local Radius Server - Network Access Server
Field
|
Description
|
Current Network Access Servers
|
Lists the network access servers.
To remove a server from the list, select it, then click Delete.
|
Network Access Server
|
Enter the IP address of the RADIUS server.
|
Shared Secret
|
Enter the shared secret text string used between the access point and the RADIUS server.
|
Step 2
Click Save. The server appears in the Current Network Access Servers list.
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Setting Up User Groups
Procedure
Step 1
Complete the following:
Table 4-17 Local Radius Server - User Groups
Field
|
Description
|
Current User Group
|
Lists the user groups.
To remove a group from the list, select it, then click Delete.
|
Group Name
|
Enter a name for the new group.
|
Session Timeout
|
Use this setting to specify the maximum number of seconds of service to be provided to the user before the session terminates.
|
Number of failed Authentications
|
Enter the number of times a user assigned to this group can provide an incorrect password; when the user fails this number of authentication attempts, the access point locks out the user. This setting helps prevent or delay password "dictionary" attacks.
|
Lockout
|
Select one of the following:
• Infinite—Use this setting to manually unlock any locked-out users.
• Interval—Use this setting to specify the length of time that the access point locks out a user before the user can reattempt authentication.
|
VLAN ID
|
Enter the identification number of the VLAN.
|
SSID
|
Enter the SSID (any alphanumeric, case-sensitive string, from 1 to 32 characters long), then click Add.
|
SSID List
|
Lists all the SSIDs.
To delete an SSID from the list, select it, then click Delete.
|
Step 2
Click Save. The Group name is added to the Current User Group List.
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Setting Up Individual Users
Procedure
Step 1
Complete the following:
Table 4-18 Local Radius Server - Individual Users
Field
|
Description
|
Current User List
|
Lists the current usernames.
|
Username
|
Enter the username.
|
Password
|
Enter the password, then select Text or NT Hash.
|
Confirm Password
|
Reenter the password.
|
Group Name
|
From the list, select the group name or None if the user does not belong to any group.
|
Step 2
Click Save. The user name is added to the Current User List.
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Deleting Servers, Groups, and Users
Procedure
Step 1
Complete the following:
Table 4-19 Deleting Servers, Groups, and Users
Field
|
Description
|
Server
|
Enter the server you want to delete, then click Add. The server name is added to the Servers to Delete list.
|
Servers to Delete
|
Select the server to delete, then click Delete.
|
Group
|
Enter the group you want to delete, then click Add. The group name is added to the Groups to Delete list.
|
Groups to Delete
|
Select the group to delete, then click Delete.
|
User
|
Enter the user you want to delete, then click Add. The user name is added to the Users to Delete list.
|
Users to Delete
|
Select the user to delete, then click Delete.
|
Step 2
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Defining Services
Use this option to configure various system features and support services on the device.
Procedure
Step 1
Select Services. The menu expands and the Security: Telnet/SSH dialog box displays in the right pane.
Step 2
Select one of the following from the menu:
• Telnet/SSH—See Configuring Telnet/SSH.
• Hot Standby—See Configuring Hot Standby.
• CDP—See Configuring CDP.
• DNS—See Configuring DNS.
• MAC address filters—See Configuring MAC Address Filters.
• IP filters—See Configuring IP Filters.
• Ethertype filters—See Configuring Ethertype Filters.
• HTTP—See Configuring HTTP.
• Proxy Mobile IP—See Configuring Proxy Mobile IP.
• QoS policies—See Configuring QoS Policies.
• QoS radio 802.11x—See Configuring QoS Radio 802.11x.
• SNMP—See Configuring SNMP.
• NTP—See Configuring NTP.
• VLAN—See Configuring VLAN.
• ARP Cache—See Configuring ARP Cache.
Configuring Telnet/SSH
Use this option to configure the access point to work through Telnet or SSH.
Procedure
Step 1
Select Services > Telnet/SSH. The Services: Telnet/SSH dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-20 Telnet/SSH
Field
|
Description
|
Telnet
|
Select one of the following:
• Enabled—Use this setting to enable Telnet access to the management system.
• Disabled—Use this setting to disable Telnet access to the management system.
|
Terminal Type
|
Select one of the following:
• Teletype—Use this setting if your terminal emulator does not support ANSI.
• ANSI—Use this setting to offer graphic features such as reverse video buttons and underlined links.
|
Columns
|
Enter a number to define the width of the terminal emulator display within the range of 64 characters to 132 characters.
|
Lines
|
Enter a number to define the height of the terminal emulator display within the range of 16 characters to 50 characters.
|
Secure Shell Configuration
|
Secure Shell
|
Select one of the following:
• Enabled—Use this setting to enable secure shell.
• Disabled—Use this setting to disable secure shell.
|
System Name
|
Enter a system name for your access point.
|
Domain Name
|
Enter a domain name for your access point.
|
RSA Key Size
|
Enter the additional bits used for authentication.
Note For SSH, you must enter a key size or it will remain disabled.
|
Authentication Timeout (optional)
|
Enter the length of time, in seconds, allowed for authentication to take place. The value cannot exceed 120 seconds.
|
Authentication Retries (optional)
|
Enter the number of authentication retries.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring Hot Standby
Use this option to configure an access point for hot standby mode. Hot standby mode designates an access point as a backup for another access point.
The standby access point is placed near the access point it monitors, and is configured exactly the same as the monitored access point.
The standby access point associates with the monitored access point as a client and queries the monitored access point regularly through both the Ethernet and the radio ports. If the monitored access point fails to respond, the standby access point comes online and takes the monitored access point's place in the network.
Procedure
Step 1
Select Services > Hot Standby. The Services: Hot Standby dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-21 Hot Standby
Field
|
Description
|
Hot Standby Mode
|
Select one of the following:
• Enabled—Use this setting to enable hot standby mode on the access point.
• Disabled—Use this setting to disable hot standby mode on the access point.
|
MAC Address for the Monitored 802.11b Radio
|
Enter the MAC address of the access point to be monitored.
|
MAC Address for the Monitored 802.11a Radio
|
Polling Interval
|
Enter the number of seconds between queries that the access point sends to the monitored access point's radio and Ethernet ports.
|
Timeout for Each Polling
|
Enter the number of seconds the access point waits for a response from the monitored access point before it assumes that the monitored access point has malfunctioned.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring CDP
Use this option to enable, disable, or adjust the access point's CDP settings.
Procedure
Step 1
Select Services > CDP. The Services: CDP-Cisco Discovery Protocol dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-22 CDP Settings
Field
|
Description
|
Cisco Discovery Protocol (CDP)
|
Select one of the following:
• Enabled—Use this setting to enable CDP on the access point.
• Disabled—Use this setting to disable CDP on the access point.
|
Packet Hold Time (optional)
|
Enter the number of seconds other CDP-enabled devices should consider the access point's CDP information valid.
|
Packets Sent Every (optional)
|
Enter the number of seconds between each CDP packet the access point sends.
This value should always be less than the packet hold time.
|
Individual Port Enable
|
Ethernet
|
Select one of the following:
• Enabled—Use this option to enable CDP on the Ethernet port.
• Disabled—Use this option to disable CDP on the Ethernet port.
|
Radio0-802.11b
|
Select one of the following:
• Enabled—Use this option to enable CDP on the radio port.
• Disabled—Use this option to disable CDP on the radio port.
|
Radio0-802.11a
|
Select one of the following:
• Enabled—Use this option to enable CDP on the radio port.
• Disabled—Use this option to disable CDP on the radio port.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring DNS
Use this option to configure the access point to work with your network's Domain Name System (DNS) server.
Procedure
Step 1
Select Services > DNS. The Services: DNS-Domain Name Service dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-23 DNS Settings
Field
|
Description
|
Domain Name System (DNS)
|
Select one of the following:
• Enabled—Use this setting if your network uses DNS.
• Disabled—Use this setting if your network does not use DNS.
|
Domain Name (optional)
|
Enter the domain name.
|
Name Server IP Addresses
|
Enter the IP addresses of up to three domain name servers on your network.
|
Delete Name Servers
|
Server
|
Enter the server you want to delete, then click >>. The server name is added to the Servers to Delete list.
|
Servers to Delete
|
Select the server to delete, then click <<.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring MAC Address Filters
Use this option to configure MAC address filters.
MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify.
Procedure
Step 1
Select Services > MAC address filters. The Services: Filters - MAC Address Filters dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-24 MAC Address Filters
Field
|
Description
|
Create and Apply
|
Select this option to create and apply MAC address filters.
|
Create Only
|
Select this option to create MAC address filters, but not apply them.
|
Apply Only
|
Select this option to apply the MAC address filters.
|
Filters List
|
Lists the currently configured filters.
To delete a filter from the list, select it, then click Delete Filter.
|
Filter Index
|
Enter a number from 700 to 799. The number you assign creates an access control list (ACL) for the filter.
|
Add MAC Address
|
Enter the MAC address.
|
Mask
|
Enter the subnet mask.
|
Action
|
From the list, select one of the following actions:
• Forward—Use this setting to forward the MAC addresses.
• Block—Use this setting to block the MAC addresses.
|
VLAN ID
|
Enter the VLAN identification number then click >>.
To remove a VLAN ID from the list, select it, then click <<.
|
Bridge-Group
|
Enter a valid bridge group number used by the interface for which you want to create or delete filters.
|
Apply Filter to
|
FastEthernet
|
Select one of the following:
• Incoming—Use this option to apply the filter to the incoming packets.
• Outgoing—Use this option to apply the filter to the outgoing packets.
Click AddFilter.
|
Radio0-802.11b
|
Radio0-802.11a
|
Default Action
|
Select one of the following:
• Block All
• Forward All
then click Update.
The filter's default action must be the opposite of the action for at least one of the addresses in the filter. For example, if you enter several addresses and you select Block as the action for all of them, you must choose Forward All as the filter's default action.
|
Filters Classes
|
Lists MAC addresses.
To remove the MAC address from the Filters Classes list, select it, then click Delete.
|
Delete Filters
|
Filters
|
To delete a filter, select it from the list, then click Delete.
|
Filter Index
|
Enter the filter index number.
|
VLAN ID
|
Enter the VLAN identification number, then click >> to add it to the list.
To delete a VLAN ID from the list, click <<.
|
Bridge-Group
|
Enter a valid bridge group number.
|
Remove Filter from
|
FastEthernet
|
Select one of the following:
• Incoming—Use this option to remove the filter from the incoming packets.
• Outgoing—Use this option to remove the filter from the outgoing packets.
Click AddFilter.
|
Radio0-802.11b
|
Radio0-802.11a
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring IP Filters
Use this option to create IP filters that prevent or allow the use of IP address(es), IP protocols, and TCP/UDP ports through the access point's Ethernet and radio ports.
If you use this template to apply IP filters to access points with versions 12.2(4)JA, 12.2(4)JA1, or 12.2(8)JA, the configuration commands generated through the template may not display correctly on the access point's UI.
To work around this problem, do the following:
1. Use this template to create the IP filters and select Create Only.
2. Click Preview.
3. Copy and paste the commands in the Preview window into a custom template (see Configuring Custom Values).
4. Note the following WLSE-generated commands:
   permit/deny ip source-ip source-mask dest-ip dest-mask
   permit/deny tcp/udp any any eq port-number
5. Change the commands as follows:
   – For versions 12.2(4)JA or 12.2(4)JA1, enter the following custom values:
     permit/deny ip source-ip source-mask any
     permit/deny tcp/udp any eq port-number any
   – For version 12.2(8)JA, enter the following custom values:
     permit/deny tcp/udp any eq port-number any
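The rewrite in steps 4 and 5, as an added Python example (not WLSE or Cisco code): it takes commands pasted from the Preview window and produces the custom-value form for the named release, reporting every line where the destination was widened to any so the change in scope is reviewed before the template is applied. The preview text and filter name are constructed, and the function names are hypothetical.

```python
import re

# Releases named in the workaround and the rewrites each one needs.
NEEDS_IP_REWRITE = {"12.2(4)JA", "12.2(4)JA1"}
NEEDS_PORT_REWRITE = {"12.2(4)JA", "12.2(4)JA1", "12.2(8)JA"}

QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
# WLSE-generated form: permit/deny ip source-ip source-mask dest-ip dest-mask
IP_RULE = re.compile(
    rf"^(permit|deny)\s+ip\s+({QUAD})\s+({QUAD})\s+({QUAD})\s+({QUAD})$"
)
# WLSE-generated form: permit/deny tcp/udp any any eq port-number
PORT_RULE = re.compile(r"^(permit|deny)\s+(tcp|udp)\s+any\s+any\s+eq\s+(\S+)$")

# Constructed sample of what might be pasted from the Preview window.
SAMPLE_PREVIEW = "\n".join([
    "ip access-list extended example_filter",
    " permit ip 10.10.20.0 0.0.0.255 192.168.5.10 0.0.0.0",
    " deny tcp any any eq 23",
    " permit udp any any eq 53",
])


def rewrite_line(line, release):
    """Return (line_for_custom_template, note); note is None if unchanged."""
    body = line.strip()
    indent = line[: len(line) - len(line.lstrip())]

    m = PORT_RULE.match(body)
    if m and release in NEEDS_PORT_REWRITE:
        action, proto, port = m.groups()
        return (f"{indent}{action} {proto} any eq {port} any",
                "eq clause moved ahead of the final 'any'")

    m = IP_RULE.match(body)
    if m and release in NEEDS_IP_REWRITE:
        action, src, src_mask, dst, dst_mask = m.groups()
        # The custom value has no destination, so the rule now covers
        # every destination instead of the one that was entered.
        return (f"{indent}{action} ip {src} {src_mask} any",
                f"destination {dst} {dst_mask} widened to 'any'")

    return line, None


def rewrite_preview(preview, release):
    """Rewrite all preview lines; return (lines, [(line_number, note), ...])."""
    lines, changes = [], []
    for number, line in enumerate(preview.splitlines(), start=1):
        new_line, note = rewrite_line(line, release)
        lines.append(new_line)
        if note:
            changes.append((number, note))
    return lines, changes


if __name__ == "__main__":
    for release in ("12.2(4)JA1", "12.2(8)JA"):
        lines, changes = rewrite_preview(SAMPLE_PREVIEW, release)
        print(f"--- custom values for {release}")
        print("\n".join(lines))
        for number, note in changes:
            print(f"    line {number}: {note}")
```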
Procedure
Step 1
Select Services > IP Filters. The Services: Filters - IP Filters dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-25 IP Filters
Field
|
Description
|
Create and Apply
|
Select this option to create and apply IP address filters.
|
Create Only
|
Select this option to create IP address filters, but not apply them.
|
Apply Only
|
Select this option to apply the IP address filters.
|
Filter Name List
|
Lists the currently configured filters.
To delete a filter from the list, select it, then click Delete Filter.
|
Filter Name
|
Enter a name for the filter.
|
Default Action
|
From the list, select one of the following:
• Block All—Use this setting to block all IP addresses.
• Forward All—Use this setting to forward all IP addresses.
then click Update.
|
IP Address
|
Destination Address
|
Enter the IP address that you want to filter.
Note This is not valid for versions 12.2(4) or 12.2(4)JA1.
|
Mask
|
Enter the mask for the destination IP address. Enter the mask with periods separating the three groups of four characters (255.255.255.240, for example).
If you enter 255.255.255.255 as the mask, the access point accepts any IP address.
If you enter 0.0.0.0, the access point looks for an exact match with the IP address you entered.
The mask you enter in this field behaves the same way that a mask behaves when you enter it in the CLI.
|
Source Address
|
Enter the IP address you want to filter.
|
Mask
|
Enter the mask for the source IP address. Enter the mask with periods separating the three groups of four characters (255.255.255.240, for example). The method for entering the mask depends on the release.
If you are using the 12.2(4)JA release, entering 0.0.0.0 as the mask causes the access point to accept any IP address.
If you enter 255.255.255.255, the access point looks for an exact match with the IP address you entered in the IP Address field.
If you are using the 12.2(8)JA or later release, entering 255.255.255.255 as the mask causes the access point to accept any IP address.
If you enter 0.0.0.0, the access point looks for an exact match with the IP address you entered in the IP Address field.
|
Action
|
From the list, select one of the following:
• Forward—Use this setting to forward the IP address.
• Block—Use this setting to block the IP address.
Click Add.
|
IP Protocol
|
IP Protocol
|
Do one of the following:
• From the list, select a protocol.
• Enter a custom protocol.
|
Action
|
From the list, select one of the following:
• Forward—Use this setting to forward the IP protocol.
• Block—Use this setting to block the IP protocol.
Click Add.
|
UDP/TCP Port
|
TCP Port
|
Do one of the following:
• From the list, select a TCP port.
• Enter a custom port.
|
Action
|
From the list, select one of the following:
• Forward—Use this setting to forward the TCP port.
• Block—Use this setting to block the IP TCP port.
Click Add.
|
UDP Port
|
Do one of the following:
• From the list, select a TCP port.
• Enter a custom port.
|
Action
|
From the list, select one of the following:
• Forward—Use this setting to forward the UDP port.
• Block—Use this setting to block the IP UDP port.
Click Add.
|
VLAN ID
|
Enter the VLAN identification number then click >>.
To remove a VLAN ID from the list, select it, then click <<.
|
Apply Filter to
|
FastEthernet
|
Select one of the following:
• Incoming—Use this option to apply the filter to the incoming packets.
• Outgoing—Use this option to apply the filter to the outgoing packets.
Click Apply.
|
Radio0-802.11b
|
Radio0-802.11a
|
Filters Classes
|
Lists the currently configured filters.
To delete a filter, select it, then click Delete.
|
Delete Filters
|
Filters
|
To delete a filter, select it from the list, then click Delete.
|
Filter Name
|
Enter the filter name.
|
VLAN ID
|
Enter the VLAN identification number, then click >> to add it to the list.
To remove a VLAN ID from the list, click <<.
|
Remove Filter from
|
FastEthernet
|
Select one of the following:
• Incoming—Use this option to remove the filter from the incoming packets.
• Outgoing—Use this option to remove the filter from the outgoing packets.
Click AddFilter.
|
Radio0-802.11b
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
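How the same Source Address mask in Table 4-25 selects different traffic on the two releases the table names, as an added Python example (not Cisco code). The table states only the 0.0.0.0 and 255.255.255.255 cases; reading intermediate masks bit by bit is an assumption, and the filter entries, probe addresses and function names are constructed for illustration.

```python
import ipaddress

WILDCARD = "wildcard"  # 255.255.255.255 = any address, 0.0.0.0 = exact match
NETMASK = "netmask"    # 0.0.0.0 = any address, 255.255.255.255 = exact match

# Source-mask behaviour per release, as stated in the Mask row of the table.
SOURCE_MASK_CONVENTION = {
    "12.2(4)JA": NETMASK,
    "12.2(8)JA or later": WILDCARD,
}

# Constructed template entries: (source address, mask, action).
ENTRIES = [
    ("10.1.1.5", "0.0.0.0", "Block"),
    ("10.1.2.0", "0.0.0.255", "Forward"),
    ("192.168.50.0", "255.255.255.255", "Block"),
]
# Constructed client addresses to test the entries against.
PROBES = ["10.1.1.5", "10.1.2.77", "172.16.9.9"]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def matches(ip, address, mask, convention):
    """True when ip is selected by address/mask under the given convention."""
    mask_bits = _to_int(mask)
    if convention == WILDCARD:
        care = ~mask_bits & 0xFFFFFFFF  # set bits in the mask are ignored
    elif convention == NETMASK:
        care = mask_bits                # set bits in the mask must match
    else:
        raise ValueError(f"unknown mask convention: {convention}")
    return (_to_int(ip) & care) == (_to_int(address) & care)


def matched_addresses(mask, convention):
    """Number of IPv4 addresses an entry with this mask selects."""
    ones = bin(_to_int(mask)).count("1")
    ignored_bits = ones if convention == WILDCARD else 32 - ones
    return 2 ** ignored_bits


def divergent_entries(entries, probes):
    """Entry/probe pairs selected on one release but not on the other."""
    old = SOURCE_MASK_CONVENTION["12.2(4)JA"]
    new = SOURCE_MASK_CONVENTION["12.2(8)JA or later"]
    found = []
    for address, mask, action in entries:
        for probe in probes:
            on_old = matches(probe, address, mask, old)
            on_new = matches(probe, address, mask, new)
            if on_old != on_new:
                found.append((address, mask, action, probe, on_old, on_new))
    return found


if __name__ == "__main__":
    for address, mask, action in ENTRIES:
        print(f"{action:7} {address} {mask}: "
              f"{matched_addresses(mask, NETMASK)} addresses on 12.2(4)JA, "
              f"{matched_addresses(mask, WILDCARD)} on 12.2(8)JA or later")
    for row in divergent_entries(ENTRIES, PROBES):
        print("differs:", row)
```

Running a template's entries through a check like this before pushing it to a group that mixes both releases shows which rules would block or forward a different set of clients on each.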
Configuring Ethertype Filters
Use this option to configure Ethertype filters to prevent or allow the use of specific L3 protocols through the access point's Ethernet and radio ports.
Procedure
Step 1
Select Services > Ethertype Filters. The Services: Filters - Ethertype Filters dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-26 Ethertype Filters
Field
|
Description
|
Create and Apply
|
Select this option to create and apply Ethertype filters.
|
Create Only
|
Select this option to create Ethertype filters, but not apply them.
|
Apply Only
|
Select this option to apply the Ethertype filters.
|
Filters List
|
Lists the currently configured filters.
To remove a filter from the list, select it, then click Delete Filter.
|
Filter Index
|
Enter a number from 200 to 299. The number you assign creates an access control list (ACL) for the filter.
|
Add EtherType
|
Enter an Ethertype number.
|
Mask
|
Enter the mask for the Ethertype.
|
Action
|
From the list, select one of the following:
• Forward—Use this setting to forward the traffic.
• Block—Use this setting to block the traffic.
|
VLAN ID
|
Enter the VLAN identification number then click >>.
To remove a VLAN ID from the list, select it, then click <<.
|
Bridge-Group
|
Enter a valid bridge group number used by the interface for which you want to create or delete filters.
|
Apply Filter to
|
FastEthernet
|
Select one of the following:
• Incoming—Use this option to apply the filter to the incoming packets.
• Outgoing—Use this option to apply the filter to the outgoing packets.
Click Apply.
|
Radio0-802.11b
|
Radio0-802.11a
|
Default Action
|
From the list, select one of the following:
• Block All—Use this setting to block all.
• Forward All—Use this setting to forward all.
then click Update.
|
Filters Classes
|
Lists the currently configured filters.
To delete a filter, select it, then click Delete.
|
Delete Filters
|
Filters
|
To delete a filter, select it from the list, then click Delete.
|
Filter Index
|
Enter the filter index.
|
VLAN ID
|
Enter the VLAN identification number, then click Add to add it to the list.
To delete a VLAN ID from the list, click Delete.
|
Bridge-Group
|
Enter a valid bridge group number.
|
Remove Filter from
|
FastEthernet
|
Select one of the following:
• Incoming—Use this option to remove the filter from the incoming packets.
• Outgoing—Use this option to remove the filter from the outgoing packets.
Click AddFilter.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring HTTP
Use this option to configure HTTP settings for the access point.
Procedure
Step 1
Select Services > HTTP. The Services: HTTP-Web Server dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-27 HTTP
Field
|
Description
|
Allow Web-based Configuration Management
|
Select one of the following:
• Enabled—Use this setting to allow web-based browsing to the management system.
• Disabled—Use this setting to disallow web-based browsing to the management system.
|
HTTP Port
|
Enter the port through which the access point provides web access.
|
Default Help Root URL
|
Enter the URL where the device can locate help files.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring Proxy Mobile IP
Use this option to allow access points to help client devices from other networks remain connected to their home networks. The visiting client devices do not need special software; the access point provides proxy mobile IP services for the client.
Procedure
Step 1
Select Services > Proxy Mobile IP. The Services: Proxy Mobile IP dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-28 Proxy Mobile IP
Field
|
Description
|
Proxy Mobile IP
|
Select one of the following:
• Enabled—Use this setting to enable the proxy mobile IP feature on the access point.
• Disabled—Use this setting to disable the proxy mobile IP features.
|
Select either Radio 802.11b or Radio 802.11a
|
GRE encapsulation in the Registration Request
|
Select one of the following:
• Enabled—Use this setting to enable the access point to request the encapsulation type in all mobile node registration requests.
• Disabled—Use this setting to disable this feature.
|
Reverse Tunnel in the Registration Request
|
Select one of the following:
• Enabled—Use this setting to enable the access point to request reverse tunnel encapsulation in all mobile node registration requests.
• Disabled—Use this setting to disable this feature.
|
Authoritative Access Points (Hostname or IP Address)
|
Enter the hostname or IP address of up to three authoritative access points (AAPs) on the wireless network. At least one AAP is required for the proxy mobile IP feature to work.
|
Current SA Bindings List
|
Lists the clients that are able to establish contact with a foreign agent in another network segment or network other than the client's home network.
|
New/Edit SA Binding
|
IP Address Range
|
Enter the range of IP addresses within which client devices must reside in order to be valid.
|
Security Parameter Index
|
Enter an index for the IP address range.
The index is a 32-bit number (8 hexadecimal digits) assigned to the initiator of the security association request by the receiving IPSec endpoint. On receiving a packet, the destination address, protocol, and SPI are used to determine the security association. The security association allows the node to authenticate or decrypt the packet according to the security policy configured for that security association.
|
Key
|
1. Enter a key (ASCII or Hexadecimal) used to access a foreign agent.
2. Select ASCII or Hexadecimal to indicate the type of key entered.
|
Step 3
Click Add. The entry is added to the Current SA Bindings list.
Step 4
To delete an entry, select it from the Current SA Bindings list, then click Delete.
Step 5
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring QoS Policies
Use this option to configure quality of service policies.
If you know the applications used by wireless client devices, the applications' sensitivity to delay, and the amount of traffic associated with the applications, you can configure QoS to improve performance.
Procedure
Step 1
Select Services > QoS Policies. The Services: QoS Policies dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-29 QoS Policies
Field
|
Description
|
Create and Apply
|
Select this option to create and apply QoS policies.
|
Create Only
|
Select this option to create QoS policies, but not apply them.
|
Apply Only
|
Select this option to apply the QoS policies.
|
QoS Element for Wireless Phones
|
Select one of the following:
• Enable—Use this setting to specify that wireless phone clients' traffic has a higher priority than the rest of the clients.
• Disable—Use this setting to disable this feature.
|
IGMP Snooping Helper
|
Select one of the following:
• Enable—Use this setting to enable Internet Group Membership Protocol (IGMP) snooping. When this feature is enabled, the access point sends a general IGMP query to the network infrastructure on behalf of the client every time the client associates or reassociates to the access point. By doing so, the multicast stream is maintained for the client as it roams.
• Disable—Use this setting to disable this feature.
|
AVVID Priority Mapping - Map Ethernet Packets with CoS 5 to CoS 6
|
Select one of the following:
• Yes—Use this setting if your network is based on the Cisco AVVID specification. This setting will prioritize voice packets coming with priority 5 (video).
• No—Use this setting if your network is not based on the Cisco AVVID specification.
|
Policy List
|
Lists the names of the existing policies.
To remove a name from the list, select it, then click Delete Policy.
|
Policy Name
|
Enter a name for the policy.
|
Classifications
|
Lists the classifications assigned to that policy.
To delete a classification, select it, then click Delete.
|
Match Classifications
|
Precedence
|
If the packets that you need to prioritize contain IP precedence information, select an IP precedence classification from the list.
|
Apply Class of Service
|
From the list, select the class of service that the access point will apply to packets of the type that you selected from the Precedence list, then click Add.
|
IP DSCP
|
If the packets that you need to prioritize contain IP DSCP information, select an IP DSCP classification from the list or create a new one.
|
Apply Class of Service
|
From the list, select the class of service that the access point will apply to packets of the type that you selected from the IP DSCP list, then click Add.
|
IP Protocol 119
|
If you need to prioritize the packets from Spectralink on your wireless LAN, select the class of service the access point will apply to the phone packets, then click Add.
|
Apply Class of Service
|
Filter
|
If you need to assign a priority to filtered packets, from the list, select the filter to include in the policy or create a new one.
|
Apply Class of Service
|
From the list, select the class of service that the access point will apply to packets that match the filter that you selected or entered, then click Add.
|
Default Classification for Packets on the VLAN
|
If you want to set a default classification for all packets on a VLAN, select the class of service that the access point will apply to packets on a VLAN, then click Add.
|
VLAN ID
|
Enter the VLAN identification number, then click >> to add it to the list.
|
VLAN ID List
|
To delete a VLAN ID from the list, click <<.
|
Apply Policy to
|
FastEthernet
|
Select one of the following:
• Incoming—Use this option to apply the filter to the incoming packets.
• Outgoing—Use this option to apply the filter to the outgoing packets.
Click ApplyPolicy.
|
Radio0-802.11b
|
Radio0-802.11a
|
Remove Policy from Interface/VLANs
|
Policy List
|
To delete a policy, select it from the list, then click Delete.
|
Policy Name
|
Enter the name of the policy.
|
VLAN ID
|
Enter the VLAN identification number, then click >> to add it to the list.
|
VLAN ID List
|
To delete a VLAN ID from the list, click <<.
|
Remove Policy from
|
FastEthernet
|
Select one of the following:
• Incoming—Use this option to remove the filter from the incoming packets.
• Outgoing—Use this option to remove the filter from the outgoing packets.
Click AddPolicy.
|
Radio0-802.11B
|
Radio0-802.11A
|
Remove Policy Map and Class Map
|
Policy List
|
Lists the policies. Select the policy to remove, then click Delete.
|
Policy Name
|
Enter the policy name, then click Add Policy. The name appears in the Policy List.
|
Class Name
|
Enter the class name. Click >> to add it to the Class Name List.
|
Class Name List
|
Click << to remove the class name from the list.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring QoS Radio 802.11x
Use this option to define traffic class QoS policies. The access point uses the radio traffic class definitions to calculate backoff times for each packet.
Procedure
Step 1
Select Services > QoS Radio 802.11x. The Services: QoS Policies - Traffic Class Definition dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-30 QoS Radio 802.11x Traffic Class Definition
Field
|
Description
|
802.11e 4 Level Qos
|
Select for version 12.2(13)JA and above.
|
802.1D 8 Level Qos
|
Select for versions below 12.2(13)JA.
|
Background
|
• Min Contention Window—Enter the minimum contention window value. The access point computes Contention Window values.
• Max Contention Window—Enter the maximum contention window value. The access point computes Contention Window values.
• Fixed Slot Time—Enter a value for a fixed slot time.
|
Best Effort
|
Video
|
Voice
|
802.1D 8 Level QoS
|
Select if you are setting 8 QoS levels.
|
Best Effort
|
• Min Contention Window—Enter the minimum contention window value. The value listed is to the power of 2. The access point computes Contention Window values.
• Max Contention Window—Enter the maximum contention window value. The value listed is to the power of 2. The access point computes Contention Window values.
• Fixed Slot Time—Enter a value for a fixed slot time.
|
Background
|
Spare
|
Excellent Effort
|
Controlled Load
|
Video <100ms Latency
|
Voice <100ms Latency
|
Network Control
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring SNMP
Use this option to configure settings for notifications to be sent to an SNMP server.
Procedure
Step 1
Select Services > SNMP. The Services: SNMP- Simple Network Management Protocol dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-31 SNMP
Field
|
Description
|
Simple Network Management Protocol (SNMP)
|
Select one of the following:
• Enabled—Use this setting to allow event notifications to be sent to an SNMP server.
• Disabled—Use this setting to disallow event notifications to be sent to an SNMP server.
|
System Name (optional)
|
Enter the name of the access point.
The name in this field is reported to your SNMP's management station as the name of the device when you use SNMP to communicate with the access point.
|
System Location (optional)
|
Enter a description of the access point's physical location, such as the building or room in which it is installed.
|
System Contact (optional)
|
Enter the name of the system administrator responsible for the access point.
|
SNMP Request Communities
|
Current Community Strings
|
Lists the current community strings.
To delete an entry, select it, then click Delete.
To edit an entry, select it.
|
Edit Community Strings
|
• SNMP Community—The SNMP Community value for the selected community string displays. SNMP community strings authenticate access to MIB objects and function as embedded passwords.
• Object Identifier (Optional)—The Object Identifier value for the selected community string displays. Enter a new object identifier for the community string. The object identifier limits the scope of the SNMP MIB object that the user can access through the community string.
For example, if you enter iso as the Object Identifier value for the public string, then only users using the public string can access the OID that is represented by the SNMP variable name iso, including all the variables that come under this variable starting at this point. (This is the MIB family view to which the community has access.)
• Select one of the following: Read-Only or Read-Write.
|
SNMP Trap Destination
|
1. Enter the IP address or the host name of the server running the SNMP Management software.
2. Select one of the following:
– Enable All Trap Notifications—Use this setting to enable all traps.
– Enable Specific Traps—Use this setting to select one or more trap types.
3. Click Save.
|
Delete Communities and SNMP Trap Destinations
|
Community
|
Enter the community to delete, then click >>.
|
Communities to Delete
|
Lists the communities to be deleted.
To delete a community, select it, then click <<.
|
SNMP Trap
|
Enter the IP address or the host name of the server to delete.
|
Communities
|
Enter the community associated with the SNMP trap, then click >>.
|
Destinations to Delete
|
Lists the SNMP trap destinations to be deleted.
To delete a destination, select it, then click <<.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring NTP
This option allows you to configure the date and time using NTP (Network Time Protocol) servers.
Procedure
Step 1
Select Services > NTP. The Services: NTP - Network Time Protocol dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-32 NTP
Field
|
Description
|
NTP Server
|
Network Time Protocol (NTP)
|
Select one of the following:
• Enabled—Use this setting to allow the use of NTP.
• Disabled—Use this setting to disallow the use of NTP.
|
Time Server IP Address (optional)
|
Enter the server's IP address.
|
Time Settings
|
GMT Offset
|
From the list, select one of the options.
|
Use Daylight Savings Time
|
Select one of the following:
• Yes—Use this setting to use daylight savings time.
• No—Use this setting if you are not going to use daylight savings time.
|
Manually Set Date
|
Use this setting to manually set the date.
|
Manually Set Time
|
Use this setting to manually set the time.
|
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring VLAN
Using this option, you can configure VLANs on the access point.
Procedure
Step 1
Select Services > VLAN. The Services: VLAN dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-33 VLAN
Field | Description
Global VLAN Properties
Set Native VLAN | From the list, select a VLAN for the default.
Assigned VLANs
Current VLAN List | Lists the current VLANs. To delete a VLAN from the list, select it, then click Delete.
Create VLAN
VLAN ID | Enter a VLAN ID.
Bridge-Group | Enter the bridge group number. • If the VLAN ID you entered is less than 255, and you do not enter a value in this field, then the same number for the bridge group is automatically assigned. • If the VLAN ID you entered is 255 or greater, you will need to know what bridge group numbers are unused on the access point and enter one of them. When a VLAN is created directly on the access point, the access point dynamically assigns a bridge group to the VLAN. So, if you create a VLAN ID of 123, then the bridge group is 123. If the VLAN is larger than 255, the access point starts at 255 and decrements the count until it gets to an unused bridge group number. So, if you create a VLAN ID of 500, the access point assigns a bridge group of 255 if that number is unused. If it is used, it will then try 254, and so on until it finds an unused number for the bridge group.
Enable Public Secure Packet Forwarding | Select to enable public secure packet forwarding (PSPF). With PSPF enabled, client devices cannot communicate with other client devices on the wireless network. This feature is useful for public wireless networks like those installed in airports or on college campuses.
Radio0-802.11B, Radio1-802.11A | Select the radio.
SSID | Enter an SSID, then click Add.
Delete VLANs
VLANs to Delete | Lists the VLANs to delete. To delete a VLAN from the list, select it, then click Delete.
VLAN ID | Enter the identification number of the VLAN you want to add to the VLANs to Delete list.
Radio0-802.11B, Radio1-802.11A | Select the radio to delete.
SSID | Enter the SSID, then click Add. The VLAN appears in the VLANs to Delete list.
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
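The bridge-group numbering described for the Bridge-Group field depends on the order in which VLANs are created, which matters when one template is applied to many access points. The following added example (not WLSE or access point code) predicts the assignments for a list of VLAN IDs and reports the ones that need a manual Bridge-Group entry. It assumes bridge groups are numbered 1 to 255; the function names are hypothetical.

```python
# Added example: models the bridge-group numbering described in Table 4-33.
# Assumption: valid bridge group numbers are 1-255.
MAX_GROUP = 255


def next_free_group(used):
    """Count down from 255 and return the first unused bridge group, or None."""
    for candidate in range(MAX_GROUP, 0, -1):
        if candidate not in used:
            return candidate
    return None


def plan_bridge_groups(vlan_ids, in_use=()):
    """Predict the bridge group for each VLAN ID, processed in the given order.

    in_use: bridge groups already configured on the access point.
    Returns (plan, conflicts): plan maps VLAN ID -> bridge group; conflicts
    lists (vlan_id, wanted_group) pairs that need a manual Bridge-Group entry.
    """
    used = set(in_use)
    plan, conflicts = {}, []
    for vlan in vlan_ids:
        if vlan < MAX_GROUP:
            group = vlan  # same number as the VLAN ID
            if group in used:
                conflicts.append((vlan, group))
                continue
        else:
            group = next_free_group(used)  # 255, then 254, and so on
            if group is None:
                conflicts.append((vlan, None))
                continue
        used.add(group)
        plan[vlan] = group
    return plan, conflicts


if __name__ == "__main__":
    # Constructed VLAN lists: same IDs, different creation order.
    for order in ([254, 500, 600], [500, 600, 254]):
        plan, conflicts = plan_bridge_groups(order)
        print(order, "->", plan, "conflicts:", conflicts)
```

Creating VLAN 254 after VLANs 500 and 600 leaves bridge group 254 already taken, so that VLAN needs an explicit unused bridge group number.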
Configuring ARP Cache
Address resolution protocol (ARP) is used to find the MAC address that corresponds to a particular IP address. Using this option, the access point remembers the IP addresses of its clients and will not send ARP requests to them.
This feature helps improve performance because it reduces traffic load over the wireless link. If not all client IP addresses are known, the access point drops the ARP request, and caching is prevented.
Procedure
Step 1
Select Services > ARP Cache. The Services: ARP Caching dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-34 ARP Cache
Field | Description
Client ARP Caching | Select one of the following: • Enable—Use this setting to allow ARP caching. • Disable—Use this setting to disable the feature.
Forward ARP Requests To Radio Interfaces When Not All Client IP Addresses Are Known | Select when not all client IP addresses are known, so that the access point forwards the ARP request to all its clients, and caching is prevented.
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring the Event Log
This option enables you to customize the display of access point events.
Procedure
Step 1
Select Event Log. The menu expands and the Event Log: Configuration Options dialog box displays in the right pane.
Step 2
Select one of the following from the menu:
• Configuration Options—See Setting Configuration Options.
• Notification Options—See Setting Notification Options.
Setting Configuration Options
Procedure
Step 1
Select Event Log > Configuration Options. The Event Log: Configuration Options dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-35 Configuration Options
Field | Description
Disposition of Events (by Severity Level)
Emergency, Alert, Critical, Error, Warning, Notification, Information, Debugging | Check one or more of the following for each of the events: • Display on Event Log • Notify via SNMP/Syslog Trap • Record for SNMP/Syslog History Table • Display on Telnet/SSH Monitor
Time Stamp Format for Future Events | Select one of the following: • System Uptime—Use this setting to use the system uptime in the timestamp. • Global Standard Time—Use this setting to use the global standard time in the timestamp. • Local Time—Use this setting to use the local time in the timestamp.
Event Log Size | Enter the maximum size of the event log.
History Table Size | Enter the maximum number of messages in the history table.
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Setting Notification Options
Procedure
Step 1
Select Event Log > Notification Options. The Event Log: Notification Options dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-36 Notification Options
Field | Description
Events Generate Syslog Messages | Select one of the following: • Enable—Use this setting to allow events to generate syslog messages. • Disable—Use this setting to disable the feature.
Syslog Server Hostname or IP Address | Enter the hostname or IP address of the syslog server.
Syslog Facility | From the list, select the syslog facility.
Delete Syslog Server
Server Hostname or IP Address to remove | Enter the Syslog server hostname or IP address to be deleted.
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring Wireless Services
This option provides context control to the nodes by maintaining a cache of all client contexts within a given subnet.
Procedure
Step 1
Select Wireless Services. The menu expands and the Wireless Services: AP dialog box displays in the right pane.
Step 2
Select one of the following from the menu:
• AP Configuration—See Configuring the AP.
• WDS—See Configuring WDS.
Configuring the AP
Use this option to configure the access point to interact with wireless services.
Procedure
Step 1
Select Wireless Services > AP Configuration. The Wireless Services: AP dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-37 AP Configuration
Field | Description
Wireless Services | Select one of the following: • Enabled—Use this setting to enable services. • Disabled—Use this setting to disable services.
Username | Enter a username.
Password | Enter a password.
Confirm Password | Reenter the password.
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring WDS
Use this option to configure wireless domain services and to set its priority.
Procedure
Step 1
Select Wireless Services > WDS. The Wireless Services: WDS - Wireless Domain Services - Settings dialog box appears.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-38 WDS Settings
Field | Description
Global Properties
Use this AP as Wireless Domain Services | Select to enable the access point to provide Wireless Domain Services.
Wireless Domain Services Priority | Enter a number between 1 and 255 to indicate the priority. The priority is structured so that a WDS will not replace an active WDS with the same priority value, even if it has a higher node ID.
WNM IP Address | Enter the access point's IP address.
Server Groups
Server Group List | Lists the configured servers. To delete a server, select it, then click Delete.
Server Group Name | Enter the name of the server group. • Priority—Enter the server IP address or hostname. • Auth Port—Enter the authentication port. • Acct Port—Enter the accounting port. or • Select a name from the list.
Use Group for | Select one of the following: • Infrastructure Authentication—Use this setting to initiate infrastructure authentication by sending a path initialization request message to its WDS, which acts as the IN authenticator. • Client Authentication—Use this setting to provide client authentication services. Select the type of client authentication.
SSID | Enter the SSID or leave blank to apply to all SSIDs, then click >> to add to the SSID List. Then click Save.
Delete Server Group
Server Group Name | Enter the server group to delete.
Use Group For | Select one of the following: • Infrastructure Authentication—Use this setting to initiate infrastructure authentication by sending a path initialization request message to its WDS, which acts as the IN authenticator. • Client Authentication—Use this setting to provide client authentication services. Select the type of client authentication. Then click >> to add to the Server Group List to Delete.
Step 3
Click Save. The server is added to the Authentication Server List.
Step 4
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Configuring Custom Values
This option enables you to enter custom values that might not be available in the Template Menu. It also allows you to quickly enter a value, if you know the exact value you want to change, instead of going through the menu.
Note
This option should be used only by advanced users.
Templates with custom values are not validated.
Procedure
Step 1
Select Configure > Templates > Custom Values. The Custom IOS Values dialog box appears.
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Note
If the custom value you enter is the same as an existing one in the Template Menu, the custom value will override the value in the menu.
Step 2
Enter the IOS commands.
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Non-IOS Templates
When you create or edit a non-IOS configuration template, the following choices appear in the left pane of the Templates window:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
When you create or edit a configuration template, the following choices appear in the left pane of the Templates window:
1. Template Name—See Naming the Template.
2. Template Categories
Note
Any or all of the template categories can be completed in any order.
– Basic Settings—See Using Basic Settings.
– Association—See Setting Up Association.
– Ethernet—See Configuring the Ethernet Port.
– 11b Radio—See Configuring the 11b Radio.
– 11a Radio—See Configuring the 11a Radio.
– Security—See Defining the Security Settings.
– Services—See Configuring Services.
– Events—See Configuring Events.
– Custom Values—See Configuring Custom Values.
3. Preview—See Previewing the Template.
4. Save—See Saving the Template.
Naming the Template
This option enables you to name the template.
Procedure
Note
Clicking Clear removes all the entries you have made.
Step 1
Select Template Name. The Template Name dialog box appears:
Field | Description
Name | Enter a name for the template. See Naming Guidelines.
Description | Enter a description of the purpose of the template. See Naming Guidelines. Do not press the Enter key at the end of the description; it will generate an error.
Step 2
Select a template category. For additional information, see Template Categories.
Using Basic Settings
Use this option if you need to set up an access point quickly with a simple configuration. This will allow you to enter all the access point's essential settings for basic operation.
Procedure
Step 1
Select Basic Settings. The Basic Settings dialog box displays in the right pane:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-39 Basic Settings
Field | Description
Reboot Device | From the list, select Yes if you want to allow device reboots.
SysName | Enter a system name. The system name appears in the titles of the management system pages and in the access point's Association Table page. This is not an essential setting, but it helps identify the access point on your network.
SysLocation | Enter the system's location. This is not an essential setting, but it helps identify the access point on your network.
SysContact | Enter a contact name. This is not an essential setting, but it helps identify the person responsible for the access point on your network.
Configuration Server Protocol | Set this entry to match the network's method of IP address assignment. From the list, select one of the following options: • None-Static IP—Use this if your network does not have an automatic system for IP address assignment. • BOOTP—Use this if your network uses Bootstrap Protocol, in which IP addresses are hard-coded based on MAC addresses. • DHCP—Use this if your network uses Dynamic Host Configuration Protocol, in which IP addresses are "leased" for predetermined periods of time.
Default Subnet Mask | Enter an IP subnet mask to identify the subnetwork so the IP address can be recognized on the LAN. If DHCP or BOOTP is not enabled, this field is the subnet mask. If DHCP or BOOTP is enabled, this field provides the subnet mask only if no server responds to the access point's DHCP or BOOTP request.
Default Gateway | Enter the IP address of your default Internet gateway. The entry 255.255.255.255 indicates no gateway.
Radio Service Set ID (SSID) | Enter any alphanumeric, case-sensitive string, from 1 to 32 characters long. The SSID is a unique identifier that client devices use to associate with the access point. The SSID helps client devices distinguish between multiple wireless networks in the same vicinity and provides access to VLANs by wireless client devices. Several access points on a network or subnetwork can share an SSID.
Role in Network | From the list, select one of the following: • Access Point—Use this setting if the access point is connected to the wired LAN. • Repeater—Use this setting for access points not connected to the wired LAN. • Survey Client—Use this setting when performing a site survey for a repeater access point. When you select this setting, clients are not allowed to associate and the bridge's STP function is disabled. • Root Bridge—Use this setting to set a bridge as the root bridge. (One bridge in each group of bridges must be set as the root bridge.) The root bridge cannot associate with another root bridge. • Non-Root Bridge w/ Client—Use this setting for non-root bridges that accept associations from client devices and for bridges acting as repeaters. A non-root bridge will only associate to another bridge (root or non-root). • Non-Root Bridge w/o Client—Use this setting for non-root bridges that should not accept associations from client devices. A non-root bridge (without clients) can connect to a wired LAN and only associates to another bridge (root or non-root).
Ensure Compatibility with 1MB/sec Clients | From the list, select one of the following: • Enable—Use this setting to operate at a maximum speed of one megabit per second. • Disable—Use this setting if you do not want devices to operate at a maximum speed of one megabit per second.
Ensure Compatibility with 2MB/sec Clients | From the list, select one of the following: • Enable—Use this setting to operate at a maximum speed of two megabits per second. • Disable—Use this setting if you do not want devices to operate at a maximum speed of two megabits per second.
Ensure Compatibility with non-Aironet 802.11 | From the list, select one of the following: • Enable—Use this setting to automatically configure the device to be compatible with other Cisco devices on your wireless LAN. • Disable—Use this setting to not automatically configure the device to be compatible with other Cisco devices on your wireless LAN.
Step 2
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Setting Up Association
Use this option to set up spanning tree protocol (STP) on bridges and to set up filtering to control the flow of data through the access point.
Procedure
Step 1
Select Association. The menu expands and the Association dialog box displays in the right pane.
Step 2
Select one of the following from the Association menu:
• Spanning Tree—See Defining Spanning Tree Protocol.
• Address Filters—See Defining Address Filters.
• Ethertype Filters—See Defining Ethertype Filters.
• IP Protocol Filters—See Defining IP Protocol Filters.
• IP Port Filters—See Defining IP Port Filters.
• Policy Groups—See Configuring Policy Groups.
• VLANs—See Configuring VLANs.
• Quality of Service—See Configuring Quality of Service.
• Service Sets—See Configuring Service Sets.
• Primary Service Set—See Configuring Primary Service Set.
• Advanced—See Defining Advanced Associations.
• Port Assignments—See Configuring Port Assignments.
• DSCP to CoS—See Configuring DSCP to CoS.
Defining Spanning Tree Protocol
This option is used only for bridges.
Procedure
Step 1
Select Association > Spanning Tree. The Association: Spanning Tree Protocol dialog box appears.
Step 2
Click See detail for information on the bridges for which this configuration is valid.
Step 3
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-40 Spanning Tree Protocol Settings
Field | Description
Spanning Tree Protocol (STP) | From the list, select one of the following: • Enable—Use this setting to enable STP on the bridge. • Disable—Use this setting if you do not want STP enabled on the bridge.
Always Unblock Ethernet when STP is disabled | From the list, select one of the following: • Yes—Use this setting to maintain a bridge link when STP is disabled. • No—Use this setting to not maintain a bridge link when STP is disabled. Click See detail to see for which versions this setting is valid.
Root Configuration
Priority (0-65535) | Enter a number to influence which bridge is designated the root bridge in the spanning tree. When bridges have the same priority setting, STP uses the MAC addresses as a tiebreaker. The bridge with the lowest priority setting is likely to be designated the root bridge in the tree.
Max Age (6-40 Seconds) | Enter the number of seconds to define how long the bridge waits before deciding the network has changed and the spanning tree needs to be rebuilt. For example, with Max Age set to 20, the bridge attempts to rebuild the spanning tree if it does not receive a hello BPDU from the root bridge in the spanning tree within 20 seconds.
Hello Time (1-10 Seconds) | Enter the number of seconds to define how often the root bridge in the spanning tree sends out a hello BPDU telling the other bridges that the network topology has not changed and that the spanning tree should remain the same.
Forward Delay (4-30 Seconds) | Enter the number of seconds to define how long the bridge's ports should stay in the listening and learning transition states if there is a change in the spanning tree.
Port Configuration
Path Cost (1-65535) | Enter a number to indicate the relative efficiency of a port's network link. A port with a high path cost is less likely to become a bridge's root port.
Priority (0-255) | Enter a number to influence whether STP designates a port as a bridge's root port. A port with a low priority setting is more likely to become a bridge's root port.
Enable | From the list, select one of the following for each port configured: • Enable—Use this setting to indicate whether the port participates in STP. (This determines whether the port blocks or forwards traffic.) • Disable—Use this setting to indicate that the port does not participate in STP.
Step 4
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Defining Address Filters
Using this option, you can:
• Create a MAC address filter
• Remove a MAC address filter
Procedure
Step 1
Select Association > Address Filters. The Association: Address Filters dialog box appears.
Step 2
To add or delete a MAC address filter, complete the following fields:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-41 Address Filters Settings
Field | Description
New Destination MAC Address | Enter a destination MAC address by entering the address in one of the following ways: • With colons separating the character pairs (00:40:96:12:34:56, for example). • Without any intervening characters (004096123456, for example).
Allowed | Click to pass traffic to the MAC address.
Disallowed | Click to discard traffic to the MAC address.
Delete MAC Address | Enter the MAC address to delete.
Lookup MAC address on Authentication Server if not in an Existing Filter List? | Click one of the following: • Yes—Use this setting to allow looking up a MAC address on the authentication server. • No—Use this setting to disallow looking up a MAC address.
Is MAC Authentication alone sufficient for a client to be fully authenticated? | From the list, select one of the following: • Yes—Use this setting to specify that client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication. • No—Use this setting to specify that MAC authentication alone is not sufficient. Click See detail to see for which versions this setting is valid.
Step 3
To add a MAC address, enter the MAC address, then click >> to add it to the Current MAC Address Filters list.
Step 4
To delete a MAC address, enter the MAC address to delete in the Delete MAC address field, then click >>.
Step 5
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Defining Ethertype Filters
Procedure
Step 1
Select Association > Ethertype Filters. The Association: Ethertype Filters dialog box appears.
Step 2
Using this option:
• Create new filters—See Creating New Ethertype Filters.
• Create Special Cases—See Creating Special Cases.
Creating New Ethertype Filters
Procedure
Step 1
To create and enable protocol filters for the access point's Ethernet port, enter the following:
Note
For a list of protocols, refer to Appendix B, Protocol Filter Lists in the Cisco Aironet Access Point Software Configuration Guide. The guide can be found on Cisco.com by selecting Products and Services > Wireless LAN Products > Cisco Aironet 350 Series > Configuration Guides Books.
Table 4-42 Creating New Ethertype Filters Settings
Field | Description
New Ethertype Filter
Set ID | Enter an identification number for the filter set.
Set Name | Enter a descriptive filter set name. See Naming Guidelines.
Default Disposition | From the list, select one of the following: • Forward—Use this setting to forward protocol traffic. • Block—Use this setting to block protocol traffic.
Default Time to Live (msec)
Unicast | Enter the number of milliseconds unicast packets should stay in the access point's buffer before they are discarded.
Multicast | Enter the number of milliseconds multicast packets should stay in the access point's buffer before they are discarded.
Step 2
Click >>. The new name is added to the Ethertype Filters list.
Step 3
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Creating Special Cases
Procedure
Step 1
Select the default filter for which you want to define a special case.
Step 2
Enter the following:
Table 4-43 Ethertype Filter Special Cases Settings
Field | Description
New Special Cases
Ethertype | Enter the Ethertype filter name.
Disposition | From the list, select one of the following: • Default—Use the disposition you set for the Ethertype filter. • Forward—Use this setting to forward protocol traffic. • Block—Use this setting to block protocol traffic.
Priority | From the list, select one of the following: • Default—This setting is the same as best effort, which applies to normal LAN traffic. • Background—Use this setting for bulk transfers and other activities that are allowed on the network but should not impact network use by other users and applications. • Excellent Effort—Use this setting for a network's most important users. • Controlled Load—Use this setting for important business applications that are subject to some form of admission control. • Interactive Video—Use this setting for traffic with less than 100 ms delay. • Interactive Voice—Use this setting for traffic with less than 10 ms delay. • Network Control—Use this setting for traffic that must get through to maintain and support the network infrastructure.
Time to Live (msec)
Unicast | Enter the number of milliseconds unicast packets should stay in the access point's buffer before they are discarded.
Multicast | Enter the number of milliseconds multicast packets should stay in the access point's buffer before they are discarded.
Alert | From the list, select one of the following: • Yes—Use this setting to send an alert to the event log when a user transmits or receives the protocol through the access point. • No—Use this setting to not send an alert to the event log.
Step 3
Click >>. The new name is added to the list box.
Step 4
Select one of the following:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Defining IP Protocol Filters
Procedure
Step 1
Select Association > IP Protocol Filters. The Association: IP Protocol Filters dialog box appears.
Step 2
With this option you can:
• Create new filters—See Creating New IP Protocol Filters.
• Create Special Cases—See Creating Special Cases.
Creating New IP Protocol Filters
Procedure
Step 1
To create and enable IP protocol filters, enter the following:
Note
For a list of protocols, refer to Appendix B, Protocol Filter Lists in the Cisco Aironet Access Point Software Configuration Guide. The guide can be found on Cisco.com by selecting Products and Services > Wireless LAN Products > Cisco Aironet 350 Series > Configuration Guides Books.
Table 4-44 IP Protocol Filter Settings
Field | Description
New Protocol Filter
Set ID | Enter an identification number for the filter set.
Set Name | Enter a descriptive filter set name. See Naming Guidelines.
Default Disposition | From the list, select one of the following: • Forward—Use this setting to forward protocol traffic. • Block—Use this setting to block protocol traffic.
Default Time to Live (msec)
Unicast | Enter the number of milliseconds unicast packets should stay in the access point's buffer before they are discarded.
Multicast | Enter the number of milliseconds multicast packets should stay in the access point's buffer before they are discarded.
Step 2
Click >>. The new name is added to the Current Protocol Filters list.
Step 3
Select one of the following in the left pane:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Creating Special Cases
Procedure
Step 1
Select the default filter for which you want to define a special case.
Step 2
Enter the following:
Table 4-45 IP Protocol Filters Special Cases Settings
Field | Description
New Special Cases
Protocol | Enter the IP protocol name.
Disposition | From the list, select one of the following: • Default—Use the disposition you set for the protocol filter. • Forward—Use this setting to forward traffic. • Block—Use this setting to block traffic.
Priority | From the list, select one of the following: • Default—This setting is the same as best effort, which applies to normal LAN traffic. • Background—Use this setting for bulk transfers and other activities that are allowed on the network but should not impact network use by other users and applications. • Excellent Effort—Use this setting for a network's most important users. • Controlled Load—Use this setting for important business applications that are subject to some form of admission control. • Interactive Video—Use this setting for traffic with less than 100 ms delay. • Interactive Voice—Use this setting for traffic with less than 10 ms delay. • Network Control—Use this setting for traffic that must get through to maintain and support the network infrastructure.
Time to Live (msec)
Unicast | Enter the number of milliseconds unicast packets should stay in the access point's buffer before they are discarded.
Multicast | Enter the number of milliseconds multicast packets should stay in the access point's buffer before they are discarded.
Alert | From the list, select one of the following: • Yes—Use this setting to send an alert to the event log when a user transmits or receives the protocol through the access point. • No—Use this setting to not send an alert to the event log.
Step 3
Click >>. The new name is added to the list box.
Step 4
Select one of the following in the left pane:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Defining IP Port Filters
Procedure
Step 1
Select Association > IP Port Filters. The Association: IP Port Filters dialog box appears.
Step 2
With this option you can:
• Create new filters—See Creating New Port Filters.
• Create Special Cases—See Creating Special Cases.
Creating New Port Filters
Note
For a list of protocols, refer to Appendix B, Protocol Filter Lists in the Cisco Aironet Access Point Software Configuration Guide. The guide can be found on Cisco.com by selecting Products and Services > Wireless LAN Products > Cisco Aironet 350 Series > Configuration Guides Books.
Procedure
Step 1
To create and enable port filters, enter the following:
Table 4-46 IP Port Filter Settings
Field | Description
New Port Filter
Set ID | Enter an identification number for the filter set.
Set Name | Enter a descriptive filter set name. See Naming Guidelines.
Default Disposition | From the list, select one of the following: • Forward—Use this setting to forward traffic. • Block—Use this setting to block traffic.
Default Time to Live (msec)
Unicast | Enter the number of milliseconds unicast packets should stay in the access point's buffer before they are discarded.
Multicast | Enter the number of milliseconds multicast packets should stay in the access point's buffer before they are discarded.
Step 2
Click >>. The new name is added to the Current Port Filters list.
Step 3
Select one of the following in the left pane:
• Preview to see your changes before you apply them. See Previewing the Template.
• Save to save the template. See Saving the Template.
• Another template category to configure more options. See Template Categories.
Creating Special Cases
Procedure
Step 1
Select the default filter for which you want to define a special case.
Step 2
Enter the following:
Table 4-47 IP Port Filters Special Cases Settings
Field | Description
New Special Cases
Port | Enter the IP Port filter name.
Disposition | From the list, select one of the following: • Default—Use the disposition you set for the port filter. • Forward—Use this setting to forward protocol traffic. • Block—Use this setting to block protocol traffic.
Priority | From the list, select one of the following: • Default—This setting is the same as best effort, which applies to normal LAN traffic. • Background—Use this setting for bulk transfers and other activities that are allowed on the network but should not impact network use by other users and applications. • Excellent Effort—Use this setting for a network's most important users. • Controlled Load—Use this setting for important business applications that are subject to some form of admission control. • Interactive Video—Use this setting for traffic with less than 100 ms delay. • Interactive Voice—Use this setting for traffic with less than 10 ms delay. • Network Control—Use this setting for traffic that must get through to maintain and support the network infrastructure.
Time to Live (msec)
Unicast | Enter the number of milliseconds unicast packets should stay in the buffer before they are discarded.
Multicast | Enter the number of milliseconds multicast packets should stay in the buffer before they are discarded.
Alert | From the list, select one of the following: • Yes—Use this setting to send an alert to the event log when a user transmits or receives the protocol through the access point. • No—Use this setting to not send an alert to the event log.
Step 3
Click >>. The new name is added to the Special Cases list.
Step 4
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Configuring Policy Groups
Policy groups are used to configure access parameters to a logical group of stations in a consistent manner from a single place. For example, protocol filters can be applied to frames for a selected group of stations.
Procedure
Step 1
Select Association > Policy Group. The Association: Policy Group dialog box appears.
Click See detail to see for which versions this setting is valid.
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Step 2
Using this option you can:
•
Add a policy group—See Adding a New Policy Group.
•
Delete an existing Policy Group from a Device—See Deleting an Existing Policy Group from a Device.
Adding a New Policy Group
Procedure
Step 1
To add a new policy group, enter the following:
Table 4-48 New Policy Group Settings
Field
|
Description
|
Group ID
|
Enter an identification number for the policy group.
|
Group Name
|
Enter a name for the policy group, then click >>.
|
Policy Groups to Add
|
Lists the policy groups to be added.
To remove a group from the list, click <<.
|
Ethertype
|
Receive
|
Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.
|
Transmit
|
Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.
|
IP Protocol
|
Receive
|
Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.
|
Transmit
|
Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.
|
IP Port
|
Receive
|
Enter the ID of a defined IP port filter, or select one of the filters you created using Association > IP Port Filters.
|
Transmit
|
Enter the ID of a defined IP port filter, or select one of the filters you created using Association > IP Port Filters.
|
Step 2
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Deleting an Existing Policy Group from a Device
Procedure
Step 1
Enter the group identification number in the Group ID text box, then click >> to add it to the Policy Groups to Delete list.
To remove a group from the list, click <<.
Step 2
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Configuring VLANs
Access points and bridges in a VLAN network, which are running specific software versions, can provide a wireless VLAN trunk link between two wired segments of the network.
Using this option, you can configure VLANs on the access point.
Procedure
Step 1
Select Association > VLANs. The Association: VLAN dialog box appears.
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Step 2
Click See detail to see for which versions this option is valid.
Step 3
Enter the following information:
Table 4-49 VLAN Configuration
Field
|
Description
|
VLAN (802.1Q) Tagging
|
From the list, select one of the following:
• Enabled—Use this setting to allow IEEE 802.1Q protocol tagging on VLAN packets.
The IEEE 802.1Q protocol is used to interconnect multiple switches and routers, and for defining VLAN topologies.
• Disabled—Use this setting to not allow tagging.
|
Native VLAN ID
|
Enter the identification number of the access point's native VLAN.
Note This setting must agree with the native VLAN ID setting on the switch.
|
Single VLAN ID which allows unencrypted packets
|
Enter an identification number to allow unencrypted packets. A value of 0 (zero) requires the use of encryption.
|
Optionally allow Encrypted Packets on unencrypted VLAN
|
From the list, select one of the following:
• Yes—Use this setting to allow point-to-point encryption.
• No—Use this setting to not allow point-to-point encryption.
|
Step 4
Using this option you can:
•
Add a new VLAN—See Adding a New VLAN.
•
Delete an existing VLAN from a Device—See Deleting an Existing VLAN.
Adding a New VLAN
Procedure
Step 1
To add a new VLAN, enter the following:
Table 4-50 New VLAN Settings
Field
|
Description
|
VLAN ID
|
Enter the identification number of the VLAN.
Note This setting must match the setting on the switch.
|
VLAN Name
|
Enter a unique name for the VLAN configured on the access point.
|
VLAN Enable
|
From the list, select one of the following:
• Enabled—Use this setting to enable the VLAN.
• Disabled—Use this setting to disable the VLAN.
|
Default Priority
|
From the list, select one of the following:
• Background—Use this setting for bulk transfers and other activities that are allowed on the network but should not impact network use by other users and applications.
• Default—Use this setting for normal LAN traffic.
• Excellent Effort—Use this setting for the network's most important users.
• Controlled Load—Use this setting for important business applications that are subject to some form of admission control.
• Interactive Video—Use this setting for traffic with less than 100 ms delay.
• Interactive Voice—Use this setting for traffic with less than 10 ms delay.
• Network Control—Use this setting for traffic that must get through to maintain and support the network infrastructure.
|
Default Policy Group
|
Enter the default policy group number, or select one you created using Association > Policy Groups.
|
Enhanced MIC verify WEP
|
From the list, select one of the following:
• None—Use this setting if you do not want Message Integrity Check (MIC) enabled.
• MMH—Use this setting if you want MIC enabled to protect WEP keys.
Note When you enable MIC, only MIC-capable client devices can communicate with the access point.
|
Temp Key Integrity Protocol
|
From the list, select one of the following:
• None—Use this setting if you do not want to enable the temporal key integrity protocol (TKIP), or WEP key hashing.
• Cisco—Use this setting to enable TKIP.
Note When TKIP is enabled, all WEP-enabled client devices associated to the access point must support WEP key hashing, or they will not be able to communicate with the access point.
|
WEP Key Rotation Interval
|
Use this setting to enable or disable broadcast key rotation.
• To enable it, enter the rotation interval in seconds.
If you enter 900, for example, the access point sends a new broadcast WEP key to all associated client devices every 15 minutes.
Note When you enable broadcast key rotation, only wireless client devices using LEAP or EAP-TLS authentication can use the access point. Client devices using static WEP (with open, shared key, or EAP-MD5) cannot use the access point when you enable broadcast key rotation.
• To disable it, enter 0 (zero).
|
Alert?
|
From the list, select one of the following:
• Yes—Use this setting if you are not adding an encrypted VLAN.
• No—Use this setting if you are adding an encrypted VLAN.
|
WEP Keys 1 through 4
|
Enter the encryption keys used: 40 bit or 128 bit hexadecimal digits.
|
Size
|
For each WEP key, select one of the following: Not set, 40 bit, or 128 bit.
|
Step 2
Click >> to add the VLAN to the VLANs to Add list.
Step 3
To make sure the VLAN ID you want to create does not already exist, click Update.
Step 4
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Deleting an Existing VLAN
Procedure
Step 1
Enter the VLAN identification number in the VLAN ID text box, then click >> to add it to the VLANs to Delete list.
Step 2
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Configuring Quality of Service
This option is used to configure the access point's Quality of Service feature.
Procedure
Step 1
Select Association > Quality of Service. The Association: Quality of Service dialog box appears.
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Step 2
Click See detail to see for which versions this option is valid.
Step 3
Enter the following information:
Table 4-51 Quality of Service Settings
Field
|
Description
|
Generate QBBS Element
|
From the list, select one of the following:
• Yes—Use this setting to enable support for basic 802.11 Quality of Service.
• No—Use this setting to disable support for basic 802.11 Quality of Service.
|
User Symbol Extensions
|
From the list, select one of the following:
• Yes—Use this setting to enable support for Symbol Voice over IP (VoIP) phones.
• No—Use this setting to disable support for Symbol VoIP phones.
|
Send IGMP General Query
|
From the list, select one of the following:
• Yes—Use this setting to allow the access point to send an IGMP General Query to all associated stations when they complete all required high-level authentication.
• No—Use this setting to not allow the access point to send an IGMP General Query.
|
Background, (spare), Best Effort (default), Excellent Effort, Controlled Load, Interactive Video, Interactive Voice, Network Control
|
From the CWmin and CWmax lists, select the minimum and maximum contention window values for each traffic category.
|
Step 4
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Configuring Service Sets
This option allows you to define service sets.
Procedure
Step 1
Select Association > Service Sets. The Association: Service Sets dialog box appears.
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Step 2
Click See detail to see for which versions this option is valid.
Step 3
Enter the following information:
Table 4-52 Service Set Settings
Field
|
Description
|
Device
|
SSID for use by Infrastructure Stations (such as Repeaters)
|
Enter the SSID to be used by repeaters and workgroup bridges to associate to the access point.
This SSID should be mapped to the native VLAN ID in order to facilitate communications between infrastructure devices and a non-root access point or bridge.
|
Disallow Infrastructure Stations on any other SSID
|
From the list, select one of the following:
• Yes—This setting prevents repeaters or workgroup bridges from associating to SSIDs other than the infrastructure SSID.
• No—This setting does not prevent repeaters or workgroup bridges from associating to SSIDs other than the infrastructure SSID.
|
Step 4
Using this option you can:
•
Add a new Service Set—See Adding a New Service Set.
•
Delete an existing Service Set from a device—See Deleting an Existing Service Set.
Adding a New Service Set
Procedure
Step 1
To add a new Service set, enter the following:
Table 4-53 New Service Set Settings
Field
|
Description
|
Service Set ID (1-24)
|
Enter an identification for the SSID.
|
Service Set Name
|
Enter the SSID, then click >>.
|
Service Sets To Add
|
Lists the added service sets.
To remove a service set from the list, click <<.
|
Maximum Number of Associations
|
Enter a number to limit the maximum number of wireless clients per SSID.
|
Proxy Mobile IP Enabled
|
From the list, select one of the following:
• Yes—This setting allows proxy mobile IP use by all stations associated to this access point.
• No—This setting does not allow proxy mobile IP use.
|
Default VLAN ID
|
Enter the identification number for a defined VLAN, or select one of the VLAN IDs you created using Association > VLANs.
|
Default Policy Group
|
Enter the identification number of a defined policy group, or select one of the policy groups you created using Association > Policy Groups.
|
Accept Authentication Type
|
Open
|
From the list, select one of the following:
• Yes—Allows any device, regardless of its WEP keys, to authenticate and attempt to associate. This is the recommended setting.
• No—Does not allow any device, regardless of its WEP keys, to authenticate and attempt to associate.
|
Shared
|
From the list, select one of the following:
• Yes—Tells the access point to send a plain-text, shared key query to any device attempting to associate with the access point. This query can leave the access point open to a known-text attack from intruders. This is not as secure as the Open setting.
• No—Does not allow the access point to send a plain-text, shared key query to any device attempting to associate with the access point.
|
Network-EAP
|
From the list, select one of the following:
• Yes—Allows EAP-enabled client devices to authenticate through the access point.
• No—Does not allow EAP-enabled client devices to authenticate through the access point.
|
Require EAP
|
Open
|
From the list, select one of the following:
• Yes—Use this option if you use open and EAP authentication to block client devices that are not using EAP from authenticating through the access point.
• No—Use this option if you do not use open and EAP authentication.
|
Shared
|
From the list, select one of the following:
• Yes—Use this option if you use shared and EAP authentication to block client devices that are not using EAP from authenticating through the access point.
• No—Use this option if you do not use shared and EAP authentication.
|
Default Unicast Address Filter
|
Open, Shared, Network-EAP
|
From the list, select one of the following:
• Allowed—The access point forwards all traffic except packets sent to the MAC addresses set as disallowed with the Address Filters.
• Disallowed—The access point discards all traffic except packets sent to the MAC addresses set as allowed with the Address Filters or on your authentication server.
Select Disallowed for each authentication type that also uses MAC-based authentication.
|
Step 2
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
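The VLAN settings in Table 4-50 and the service set settings in Table 4-53 depend on one another: a service set names a default VLAN and policy group, and a VLAN's broadcast key rotation limits which clients can use it. The following is an added example, not WLSE code, that audits a template for those cross-field conditions; the dictionary layout, key names, and sample values are assumptions constructed for illustration, and the 10- and 26-digit lengths are the standard hexadecimal lengths of 40-bit and 128-bit WEP keys.

```python
import re

# Hexadecimal digits expected for each WEP key Size choice (Table 4-50).
WEP_HEX_DIGITS = {"40 bit": 10, "128 bit": 26}


def audit_vlan(vlan, group_ids):
    """Check one VLAN entry (fields of Table 4-50); return finding strings."""
    out = []
    keys = {slot: (size, key) for slot, (size, key) in vlan["wep_keys"].items()
            if size != "Not set"}
    for slot, (size, key) in sorted(keys.items()):
        digits = WEP_HEX_DIGITS.get(size)
        if digits is None:
            out.append(f"WEP key {slot}: unknown size {size!r}")
        elif not re.fullmatch(r"[0-9A-Fa-f]{%d}" % digits, key):
            out.append(f"WEP key {slot}: expected {digits} hex digits for {size}")
    if keys and vlan["mic"] == "None" and vlan["tkip"] == "None":
        out.append("WEP keys set but MIC and TKIP are both None")
    if vlan["default_policy_group"] not in group_ids:
        out.append(f"Default Policy Group {vlan['default_policy_group']} is not defined")
    return out


def audit_service_set(ss, vlans, group_ids):
    """Check one service set (fields of Table 4-53) against the defined VLANs."""
    out = []
    accept, require = ss["accept"], ss["require_eap"]
    if accept["Shared"]:
        # The table warns that the shared key query is sent in plain text.
        out.append("Shared authentication accepted (plain-text key query)")
    vlan = vlans.get(ss["default_vlan_id"])
    if vlan is None:
        out.append(f"Default VLAN ID {ss['default_vlan_id']} is not defined")
    elif vlan["key_rotation_secs"] > 0:
        # With rotation enabled, static WEP clients cannot use the access
        # point, so Open/Shared without Require EAP admits unusable clients.
        static = [t for t in ("Open", "Shared") if accept[t] and not require[t]]
        if static:
            out.append(f"{'/'.join(static)} accepted without Require EAP, but VLAN "
                       f"{vlan['vlan_id']} rotates broadcast keys")
    if ss["default_policy_group"] not in group_ids:
        out.append(f"Default Policy Group {ss['default_policy_group']} is not defined")
    return out


def audit_template(template):
    """Return a list of (object, finding) tuples for the whole template."""
    group_ids = {g["group_id"] for g in template["policy_groups"]}
    vlans = {v["vlan_id"]: v for v in template["vlans"]}
    findings = []
    for v in template["vlans"]:
        findings += [(f"VLAN {v['vlan_id']}", m) for m in audit_vlan(v, group_ids)]
    for s in template["service_sets"]:
        findings += [(f"SSID {s['name']}", m)
                     for m in audit_service_set(s, vlans, group_ids)]
    return findings


# Constructed sample template (hypothetical layout and values).
SAMPLE = {
    "policy_groups": [{"group_id": 1, "name": "staff"}],
    "vlans": [
        {"vlan_id": 10, "name": "staff", "mic": "MMH", "tkip": "Cisco",
         "key_rotation_secs": 900, "default_policy_group": 1,
         "wep_keys": {1: ("128 bit", "0123456789ABCDEF0123456789")}},
        {"vlan_id": 20, "name": "legacy", "mic": "None", "tkip": "None",
         "key_rotation_secs": 0, "default_policy_group": 2,
         "wep_keys": {1: ("40 bit", "0123456789AB")}},  # 12 digits, not 10
    ],
    "service_sets": [
        {"name": "corp", "default_vlan_id": 10, "default_policy_group": 1,
         "accept": {"Open": True, "Shared": False, "Network-EAP": True},
         "require_eap": {"Open": False, "Shared": False}},
        {"name": "scanners", "default_vlan_id": 30, "default_policy_group": 1,
         "accept": {"Open": False, "Shared": True, "Network-EAP": False},
         "require_eap": {"Open": False, "Shared": False}},
    ],
}

if __name__ == "__main__":
    for obj, message in audit_template(SAMPLE):
        print(f"{obj}: {message}")
```

Running such a check against the Preview output before saving catches dangling VLAN and policy group references that would otherwise surface only when the template is applied to devices.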
Deleting an Existing Service Set
Procedure
Step 1
Enter the Service Set number in the Service Set ID text box, then click >> to add it to the Service Sets to Delete list.
Step 2
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Configuring Primary Service Set
This option allows you to set a default VLAN for the primary SSID on an access point.
Procedure
Step 1
Select Association > Primary Service Set. The Association: Primary Service Set dialog box appears.
Step 2
Complete the following:
Table 4-54 Primary Service Set
Field
|
Description
|
Service Set Name
|
Enter the SSID.
|
Maximum Number of Associations
|
Enter a number to limit the maximum number of wireless clients per SSID.
|
Proxy Mobile IP Enabled
|
From the list, select one of the following:
• Yes—This setting allows proxy mobile IP use by all stations associated to this access point.
• No—This setting does not allow proxy mobile IP use.
|
Default VLAN ID
|
Enter the identification number for a defined VLAN, or select one of the VLAN IDs you created using Association > VLANs.
|
Default Policy Group
|
Enter the identification number of a defined policy group, or select one of the policy groups you created using Association > Policy Groups.
|
Accept Authentication Type
|
Open
|
From the list, select one of the following:
• Yes—Allows any device, regardless of its WEP keys, to authenticate and attempt to associate. This is the recommended setting.
• No—Does not allow any device, regardless of its WEP keys, to authenticate and attempt to associate.
|
Shared
|
From the list, select one of the following:
• Yes—Tells the access point to send a plain-text, shared key query to any device attempting to associate with the access point. This query can leave the access point open to a known-text attack from intruders. This is not as secure as the Open setting.
• No—Does not allow the access point to send a plain-text, shared key query to any device attempting to associate with the access point.
|
Network-EAP
|
From the list, select one of the following:
• Yes—Allows EAP-enabled client devices to authenticate through the access point.
• No—Does not allow EAP-enabled client devices to authenticate through the access point.
|
Require EAP
|
Open
|
From the list, select one of the following:
• Yes—Use this option if you use open and EAP authentication to block client devices that are not using EAP from authenticating through the access point.
• No—Use this option if you do not use open and EAP authentication.
|
Shared
|
From the list, select one of the following:
• Yes—Use this option if you use shared and EAP authentication to block client devices that are not using EAP from authenticating through the access point.
• No—Use this option if you do not use shared and EAP authentication.
|
Default Unicast Address Filter
|
Open, Shared, Network-EAP
|
From the list, select one of the following:
• Allowed—The access point forwards all traffic except packets sent to the MAC addresses set as disallowed with the Address Filters.
• Disallowed—The access point discards all traffic except packets sent to the MAC addresses set as allowed with the Address Filters or on your authentication server.
Select Disallowed for each authentication type that also uses MAC-based authentication.
|
Step 3
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Defining Advanced Associations
Use this option to control the total number of devices an access point can list in the Association Table and the amount of time the access point continues to track each device class when a device is inactive.
Procedure
Step 1
Select Association > Advanced. The Association: Advanced dialog box appears.
Step 2
To define advanced associations, enter the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-55 Advanced Association Settings
Field
|
Description
|
Alert Severity Level
|
From the list, select one of the following:
• systemFatal—Indicates an event that prevents operation of the port or device.
• protocolFatal—Indicates an event that prevents operation of the port or device.
• portFatal—Indicates an event that prevents operation of the port or device.
• systemAlert—Indicates that you need to take action to correct the condition.
• protocolAlert—Indicates that you need to take action to correct the condition.
• portAlert—Indicates that you need to take action to correct the condition.
• externalAlert—Indicates that you need to take action to correct the condition.
• systemWarning—Indicates that an error or failure may have occurred.
• protocolWarning—Indicates that an error or failure may have occurred.
• portWarning—Indicates that an error or failure may have occurred.
• externalWarning—Indicates that an error or failure may have occurred.
• systemInfo—Notification that some sort of event has occurred.
• protocolInfo—Notification that some sort of event has occurred.
• portInfo—Notification that some sort of event has occurred.
• externalInfo—Notification that some sort of event has occurred.
|
Max Bytes Stored Per Alert Packet
|
Enter the maximum number of bytes the access point stores for each Station Alert packet when packet tracing is enabled.
If you use 0, the access point does not store bytes for Station Alert packets; it only logs the event.
|
Max Fwd Table Entries
|
Note Changing this setting may cause the access point to reboot.
From the list, select one of the settings to designate the maximum number of devices that can appear in the Association Table.
|
Rogue AP alert timeout (minutes)
|
Enter the amount of time in minutes the access point transmits an alert message. (When an access point detects a rogue access point, it sends an alert message to the system log.) When the timeout is reached, the access point stops sending the alert message.
Click See detail to see for which versions this option is valid.
|
Enable RFC 1493 802.1D Stats In MIB
|
From the list, select one of the following:
• Enable—Use this setting to enable the storage of detailed RFC 1493 802.1D statistics in access point memory.
• Disable—Use this setting to disable the storage of detailed RFC 1493 802.1D statistics in access point memory. When you disable extended statistics you conserve memory, and the access point can include more devices in the Association Table.
Click See detail to see for which versions this option is valid.
|
Enable Extended Stats in MIB
|
From the list, select one of the following:
• Enable—Use this setting to enable the storage of detailed statistics in the device's memory.
• Disable—Use this setting to disable the storage of detailed statistics in the device's memory.
When you disable extended statistics you conserve memory, and the device can include more devices in the Association Table.
|
Map Multicast Entries to Broadcast Entry
|
From the list, select one of the following:
• Enable—Use this setting to make the access point more virus-resistant by mapping all multicast MAC addresses into the Broadcast address.
• Disable—Use this setting to disable this feature.
Click See detail to see for which versions this setting is valid.
|
Enable PSPF
|
From the list, select one of the following:
• Enable—Use this setting to enable Publicly Secure Packet Forwarding, which ensures that client devices cannot communicate with other client devices on the wireless network. This feature is useful for public wireless networks like those installed in airports or on college campuses.
• Disable—Use this setting to disable Publicly Secure Packet Forwarding.
Click See detail to see for which versions this option is valid.
|
Unknown Class Timeout, Multicast Addresses Timeout, Infrastructure Hosts Timeout, Client Stations Timeout, Repeaters Timeout, Access Points Timeout, Across Bridge Hosts Timeout, Non-Root Bridges Timeout, Root Bridges Timeout
|
Enter the number of seconds the access point continues to track an inactive device depending on its class.
A setting of zero tells the access point to track a device indefinitely no matter how long it is inactive.
A setting of 300 equals 5 minutes; 1800 equals 30 minutes; 28800 equals 8 hours.
|
Step 3
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Configuring Port Assignments
When you assign specific ports, your network topology remains constant even when devices reboot.
Procedure
Step 1
Select Association > Port Assignments. The Association: Port Assignments dialog box appears.
Step 2
To define port assignments, enter the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-56 Port Assignments Settings
Field
|
Description
|
ifIndex
|
Lists the port's designator in the Standard MIB-II (RFC1213)-MIB.my interface index.
|
dot1dBasePort
|
Lists the port's designator in the Bridge MIB (RFC1493); BRIDGE-MIB.my interface index.
|
AID
|
Lists the port's 802.11 radio drivers association identifier.
|
Station
|
Enter the MAC address of the device to which you want to assign the port.
|
Step 3
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Configuring DSCP to CoS
This option is used to statically map Differentiated Services Code-Point (DSCP) values to corresponding Class of Service (CoS) values.
Procedure
Step 1
Select Association > DSCP to CoS. The Association: DSCP to CoS Conversion dialog box appears.
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Step 2
Click See detail to see for which versions this option is valid.
Step 3
For each DSCP, enter the CoS conversion. Select one of the following:
•
No Change
•
Background
•
Spare
•
Best Effort
•
Excellent Effort
•
Controlled Load
•
Interactive Video
•
Interactive Voice
•
Network Control
Step 4
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Configuring the Ethernet Port
Use this option to configure the device's Ethernet port.
Procedure
Step 1
Select Ethernet. The menu expands and the Ethernet dialog box displays in the right pane.
Step 2
Select one of the following from the Ethernet menu:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
•
Identification—See Identifying the Ethernet Port.
•
Filters—See Setting Up Ethernet Filters.
•
Hardware—See Setting Up Hardware.
•
Advanced—See Defining the Ethernet Advanced Settings.
Identifying the Ethernet Port
Use this option to define basic identity information for the Ethernet port.
Procedure
Step 1
Select Ethernet > Identification. The Ethernet: Identification dialog box displays in the right pane.
Step 2
Enter the following information to identify the port:
Table 4-57 Ethernet Port Settings
Field
|
Description
|
Primary Port
|
From the list, select one of the following:
• Ethernet—Sets the Ethernet port for all access points other than AP1200s as the primary port.
• Ethernet AP 1200—Sets the Ethernet port for AP1200 access points as the primary port.
• Radio 11b—Sets the 11b radio port as the primary port.
• Radio 11a—Sets the 11a radio port as the primary port.
|
Adopt Primary Port Identity
|
Note Changing this setting may cause the access point to reboot.
From the list, select one of the following:
• yes—This adopts the primary port settings (MAC and IP addresses for the Ethernet port).
• no—This uses different MAC and IP addresses for the Ethernet port.
|
Step 3
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Setting Up Ethernet Filters
Use this option to define filters for the Ethernet port, the IP Protocol, and the IP Port.
Procedure
Step 1
Select Ethernet > Filters. The Ethernet: Filters dialog box displays in the right pane.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-58 Ethernet Filters Settings
Field
|
Description
|
Ethertype
|
Receive
|
Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.
|
Transmit
|
Enter the ID of a defined Ethertype filter, or select one of the filters you created using Association > Ethertype Filters.
|
IP Protocol
|
Receive
|
Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.
|
Transmit
|
Enter the ID of a defined IP protocol filter, or select one of the filters you created using Association > IP Protocol Filters.
|
IP Port
|
Receive
|
Enter the ID of a defined IP port filter, or select one of the filters you created using Association > IP Port Filters.
|
Transmit
|
Enter the ID of a defined IP port filter, or select one of the filters you created using Association > IP Port Filters.
|
Step 3
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Setting Up Hardware
This option allows you to select the hardware settings used by the access point's Ethernet port.
Procedure
Step 1
Select Ethernet > Hardware. The Ethernet: Hardware dialog box displays in the right pane.
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Step 2
Click See detail to see for which versions this option is valid.
Step 3
Complete the following:
Table 4-59 Ethernet Hardware Settings
Field
|
Description
|
Loss of Backbone Connectivity # of Secs (1-1000)
|
Enter the number of seconds the system must detect loss of backbone connectivity (that is, loss of Ethernet link and no active trunk available on any of the radios) before taking the action specified by Loss of Backbone Connectivity Action.
|
Loss of Backbone Connectivity Action
|
From the list, select one of the following:
• No action
• Switch to repeater mode
• Shut the radio off
• Restrict to SSID
|
Loss of Backbone Connectivity SSID
|
Enter an SSID index required if the Loss of Backbone Connectivity Action is set to Restrict to SSID, or select the SSID from the list.
|
Step 4
Select one of the following in the left pane:
•
Preview to see your changes before you apply them. See Previewing the Template.
•
Save to save the template. See Saving the Template.
•
Another template category to configure more options. See Template Categories.
Defining the Ethernet Advanced Settings
Use this option to define the settings and operational status of the Ethernet port.
Procedure
Step 1
Select Ethernet > Advanced. The Ethernet: Advanced dialog box displays in the right pane.
Step 2
Complete the following:
Note
Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.
Table 4-60 Ethernet Advanced Settings
Field
|
Description
|
Status
|
From the list, select one of the following:
• up—Enables the Ethernet port for normal operation.
• down—Disables the device's Ethernet port.
|
Packet Forwarding
|
From the list, select one of the following:
• enabled—Allows normal operation.
• disabled—Prevents data from moving between the Ethernet and the radio, which is useful in troubleshooting.
|
|