Installation and Configuration Guide for the CiscoWorks Wireless LAN Solution Engine, 2.7
Configuring Devices for Management - WLSE 1105/1130/1130-19

Table Of Contents

Setting Up Devices—CiscoWorks 1105/1130/1130-19

Setting Up Non-IOS Access Points and Bridges

Set Up Using the Web Interface

Set Up Using a WLSE Configuration Template

Setting Up IOS Access Points

Basic Network Management Setup—IOS Devices

Using the AP CLI for Network Management Setup

Using the AP Web Interface for Network Management Set Up

Using WLSE Configuration Templates for Network Management Set Up

Radio Management Setup—IOS Devices

About WDS Devices

About Configuring Authentication

Radio Management Setup Quick Reference

Using Access Points as WDS Devices

Using a Wireless LAN Services Module (WSM) as the WDS Device

Configuring Infrastructure Access Points to Register with WDS Access Points

Configuring Infrastructure Access Points to Register with a Wireless LAN Services Module (WSM)

Configuring Scanning APs

Configuring the WLSE

Confirming the Configuration

Setting Up Routers and Switches

Setting Up AAA Servers


Setting Up Devices—CiscoWorks 1105/1130/1130-19


You must set up devices before the WLSE can discover and manage them and before you can use WLSE features such as monitoring, reporting, configuration, firmware upgrade, and radio management. This section describes initial setup tasks for the following devices:

Non-IOS access points and bridges—See Setting Up Non-IOS Access Points and Bridges

IOS access points and bridges—See Setting Up IOS Access Points

Routers and switches—See Setting Up Routers and Switches

AAA servers—See Setting Up AAA Servers

Setting Up Non-IOS Access Points and Bridges

This section provides setup procedures to prepare non-IOS access points for basic network management by the WLSE. You can perform initial setup in two ways:

Open a web browser session on each access point—See Set Up Using the Web Interface.

Use the WLSE startup configuration option for first-time device configuration and apply a configuration template to a number of access points—See Set Up Using a WLSE Configuration Template.

After discovering and managing devices, you can use WLSE configuration templates for configuration changes—See the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.

Set Up Using the Web Interface

To use this method, you must first configure each access point or bridge for web browsing.

Log in to the Web interface of the AP to be configured and set the following parameters.

Table 5-1 Set Up Procedures for Non-IOS Access Points and Bridges 

Task 1. Enable Cisco Discovery Protocol (CDP). (See footnote 1.)

Procedure:

1. In the Summary Status page, click Setup.

2. Under Services: Cisco Services, click Cisco Discovery Protocol and select Enabled.

3. Click Apply or OK.

Notes:

Required for the WLSE to use CDP to discover the device.

If you are not using CDP, add all APs as seed devices or import devices. See Discovering Devices.

Task 2. Enable SNMP.

Procedure:

1. In the Summary Status page, click Setup.

2. Under Services, click SNMP.

3. Select Enabled.

4. (Optional) Enter a System Name, System Location, and System Contact.

5. Click Apply or OK.

Notes:

SNMP is required for the WLSE to discover devices, populate reports, transfer configuration information to devices, and upgrade device firmware.

Setting the system name, system contact, and system location ensures that this information is included in device detail displays.

Task 3. Set the read/write community string.

Procedure:

1. In the Summary Status page, click Setup.

2. Under Services, click Security.

3. Click User Information; then click Add New User or select an existing user.

4. Check all capabilities.

Note Ident privileges are required only for APs that are running a firmware version earlier than 12.01(T).

5. Click Apply or OK.

Notes:

The username is the AP's read/write community, which is required for discovery, reports, and configuration and firmware jobs. (See footnote 2.)

You must also enter all AP community strings on the WLSE. See Enter SNMP Community Strings for All Managed Devices.

Task 4. Add an HTTP user and enable the User Manager. (See footnote 3.)

You can use the same user that you created in Task 3, if the user has write, firmware, admin, and ident capabilities.

Procedure:

1. In the Summary Status page, click Setup.

2. Click Security.

3. Click User Information; then click Add New User or select an existing user.

4. Enter a username and password and select Firmware; then click Apply.

5. Return to the Security Setup page and click User Manager.

6. Select Enabled; then click Apply or OK.

Notes:

Allows configuration uploads from the WLSE to access points.

You must also enter all AP HTTP users and passwords on the WLSE. See Enter HTTP Credentials for Non-IOS Access Points.

Task 5. If you will use HTTP to initiate configuration or firmware downloads, select TFTP as the transfer protocol between the WLSE and APs.

Procedure:

1. In the Summary Status page, click Setup.

2. Under Services, click FTP.

3. Select TFTP as the file transfer protocol.

4. In the Default File Server text box, enter the IP address of the WLSE.

5. Click Apply or OK.

Notes:

TFTP is used for transferring configuration and firmware changes to access points.

Selecting the WLSE as the TFTP server is not required if you only use SNMP for configuration and firmware.

Footnotes:

Footnote 1: Do not run CDP on radio ports.

Footnote 2: For example, if the AP has a user "lab" with password "cisco", its SNMP credential is lab::10:1:::lab. Its HTTP username and password are lab/cisco. If the SNMP credential is set incorrectly, jobs will fail.

Footnote 3: You can use a non-standard HTTP port. If HTTP browsing is not enabled, you must enable it. Enter the console and navigate to Security > Web Server. Enable Allow Non-Console Browsing.


Set Up Using a WLSE Configuration Template

You can perform initial configuration on access points by using the WLSE's startup template feature. Startup configuration works in conjunction with a DHCP server. The access points get their IP addresses from the DHCP server. If you prefer static IP addressing, you can either configure the DHCP server like a BOOTP server (using MAC address-to-IP address mapping) or configure the static IP address individually on each access point afterwards.

For information on using a startup template, see the online help or the "Managing Device Configuration" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.

Setting Up IOS Access Points

This section provides:

Procedures to prepare IOS access points for basic network management by the WLSE—See Basic Network Management Setup—IOS Devices.

Procedures to prepare IOS access points and the WLSE for participation in the Cisco Structured Wireless-Aware Network (SWAN)—See Radio Management Setup—IOS Devices.

Basic Network Management Setup—IOS Devices

You can set up IOS access points and bridges in the following ways:

Log into each device by using Telnet or SSH and use the device's CLI commands—See Using the AP CLI for Network Management Setup.

Log into each device's Web interface—See Using the AP Web Interface for Network Management Set Up.

Use the WLSE's automatic configuration option for first-time device configuration and applying a configuration template to a number of access points—See Chapter 7, Managing Device Configuration, in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.

After you set up a device, all of its MIB variables can be accessed and the device can be discovered by the WLSE.

After discovering and managing devices, you can use WLSE configuration templates for configuration changes—See the online help or the "Using IOS Templates" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.


Note VLAN information for IOS access points might not be collected by the WLSE if WEP keys are not configured in each VLAN. This affects VLAN reports, grouping, and faults. VLAN information becomes accessible through SNMP as soon as WEP keys are configured.


Using the AP CLI for Network Management Setup

To configure IOS devices by using the device CLI:

Procedure


Step 1 Access the device CLI via Telnet, SSH, or the console.

Step 2 Enter configuration mode.

Step 3 Enable Cisco Discovery Protocol (CDP) by entering the following commands for each interface that will participate in CDP. Do not enable CDP on radio interfaces.

configure terminal
interface interface
cdp run

where interface is the name of the interface; for example FastEthernet0.


Note You can find out whether CDP has been enabled by using the show cdp command in enable mode.



Note If you do not want to use CDP, you can add all access points as seeds or import devices. For more information, see Discovering Devices.


Step 4 To configure SNMP, enter the following commands in the sequence shown. The first command includes the ISO view. The read-only community string is required for discovery and the fault and report features on the WLSE. The read/write community string is required for AP firmware management, AP configuration, and all radio-management functions (client walkabout, radio scanning, and so on).

a. Include the ISO view:

snmp-server view iso iso included

b. Configure the read-only community:

snmp-server community ro_community_string view iso ro

c. Configure the read/write community:

snmp-server community rw_community_string view iso rw


Note The community strings must also be entered on the WLSE. See Enter SNMP Community Strings for All Managed Devices.



Caution IOS access points that do not have an ISO view will be placed in the Misconfigured Devices system group after discovery and a fault will be generated. The fault refers to a "dot 11 MIB" problem.

Step 5 (Optional) It is useful to set the system name, contact, and location SNMP variables to make the device more manageable. Use the following commands:

configure terminal
hostname access_point
snmp-server location AP_location
snmp-server contact AP_contact

where access_point is the system name, AP_location is its location, and AP_contact is the name of the contact person.

Step 6 You can use either Telnet or SSH to push configuration templates to IOS access points. To use templates to configure IOS access points, you must configure either Telnet or SSH or both, as follows.

To enable and configure SSH, enter the following commands. In these commands, hostname is the hostname of the access point, and domain_name is your network's domain name (for example, cisco.com). At the prompt for the number of bits in the modulus, press Return to accept the default or enter a value.

hostname hostname
ip domain-name domain_name
crypto key generate rsa
How many bits in the modulus [512]:

The following commands are recommended, but optional:

ip ssh time-out 120
ip ssh authentication-retries 3

To configure Telnet, enter the following commands:

line 0 4
no access-class 111 in

The following commands are recommended, but optional:

width 80
length 24

Step 7 Exit global configuration mode, then enter the following command:

write memory
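
The requirements in Steps 3 to 6, expressed as an audit over a saved AP configuration. This is an added example, not code from the Cisco guide; the function names, finding codes and sample values are assumptions, and the two community-string hygiene checks at the end go beyond what the guide requires.

```python
import re

# Constructed sample: an IOS AP configuration built from the commands in
# Steps 3-6 above. Hostname, domain and community strings are made-up values.
SAMPLE_GOOD = """\
hostname ap-lobby-01
ip domain-name example.com
snmp-server view iso iso included
snmp-server community r3adOnly-x view iso RO
snmp-server community r3adWrite-y view iso RW
snmp-server location Building 4 lobby
snmp-server contact netops
"""

# Constructed sample containing the mistakes the checks below look for.
SAMPLE_BAD = """\
hostname ap
no cdp run
snmp-server community public RO
snmp-server community public view iso RW
"""

VIEW_RE = re.compile(r"^snmp-server view (\S+) iso included\s*$", re.I)
# snmp-server community <string> [view <name>] [ro|rw] [access-list]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (ro|rw))?(?: \S+)?\s*$", re.I)
WELL_KNOWN = {"public", "private"}


def audit_management_config(config_text):
    """Return (code, message) findings for one AP configuration."""
    views, communities = set(), []
    has_domain = cdp_disabled = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := VIEW_RE.match(line):
            views.add(m.group(1).lower())
        elif m := COMMUNITY_RE.match(line):
            name, view, mode = m.groups()
            # IOS treats a community with no ro/rw keyword as read-only.
            communities.append((name, (view or "").lower(), (mode or "ro").lower()))
        elif line.lower().startswith("ip domain-name "):
            has_domain = True
        elif line.lower() == "no cdp run":
            cdp_disabled = True

    findings = []
    if not views:
        findings.append(("NO_ISO_VIEW", "no 'snmp-server view <name> iso included'; "
                         "the WLSE files such APs under Misconfigured Devices"))
    needs = (("ro", "discovery, faults and reports"),
             ("rw", "firmware, configuration and radio management"))
    for mode, purpose in needs:
        if not any(m == mode and v in views for _, v, m in communities):
            findings.append((f"NO_{mode.upper()}_ISO_COMMUNITY",
                             f"no {mode} community bound to an ISO view ({purpose})"))
    if cdp_disabled:
        findings.append(("CDP_DISABLED", "CDP is off; add the AP as a seed or import it"))
    if not has_domain:
        findings.append(("SSH_PREREQ_MISSING", "no 'ip domain-name'; needed before "
                         "'crypto key generate rsa' if SSH is the template transport"))
    # The two checks below are added hygiene checks, not requirements from the guide.
    names = [n for n, _, _ in communities]
    if any(n.lower() in WELL_KNOWN for n in names):
        findings.append(("DEFAULT_COMMUNITY", "well-known community string in use"))
    ro = {n for n, _, m in communities if m == "ro"}
    rw = {n for n, _, m in communities if m == "rw"}
    if ro & rw:
        findings.append(("SHARED_COMMUNITY", "same string grants ro and rw access"))
    return findings


def codes(config_text):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in audit_management_config(config_text)]


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, codes(text) or "no findings")
```
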


Using the AP Web Interface for Network Management Set Up

To configure IOS devices by using the device Web interface:

Procedure


Step 1 Log into the Web interface of the access point.

Step 2 To enable CDP, select SERVICES from the menu, then click CDP:

a. After Cisco Discovery Protocol (CDP), select Enabled.

b. Click Apply.


Note If you do not wish to use CDP, you can add all access points as seeds or import devices. For more information, see Discovering Devices.


Step 3 You can use either Telnet or SSH (secure shell protocol) to push configuration templates to IOS access points. To use templates to configure IOS access points, you must configure either Telnet or SSH or both.

To enable and configure SSH (secure shell protocol), enter the following:

1. Select SERVICES > Telnet/SSH.

2. Enable Secure Shell.

3. Enter a System Name.

4. Enter a Domain Name (for example, cisco.com).

5. (Optional) Enter the RSA key size.

6. (Optional) Enter the Authentication Timeout.

7. (Optional) Enter Authentication Retries.

8. Click Apply.

To enable and configure Telnet:

1. Select SERVICES > Telnet/SSH.

2. Enable Telnet.

3. (Optional) Enable Teletype.

4. Enter the number of Columns.

5. Enter the number of Lines.

6. Click Apply.

Step 4 To enable SNMP:

a. Select Services > SNMP.

b. After Simple Network Management Protocol (SNMP), select Enabled.

c. Enter the System Name (sysName), System Location (sysLocation), and System Contact (sysContact).

d. Click Apply.

Step 5 In the SNMP Request Communities section, enter a read-only community string. This community string is required for discovery and the fault and report features.

a. Enter the community string in the SNMP Community field.

b. Enter iso in the Object Identifier field.


Note IOS access points that do not have an ISO view will be placed in the Misconfigured Devices system group after discovery, and a fault will be generated. The fault message refers to a "dot11 MIB problem."


c. Select Read-Only.

d. Click Apply.

Step 6 In the SNMP Request Communities section, enter a read/write community string. This community string is required for all radio-management features.

a. Enter the community string in the SNMP Community field.

b. Select Read-Write.

c. Enter iso in the Object Identifier field.

d. Click Apply.

Step 7 The community strings created in Steps 5 and 6 must be entered on the WLSE before the device can be discovered and the other WLSE features can be used. For more information, see Enter SNMP Community Strings for All Managed Devices.


Using WLSE Configuration Templates for Network Management Set Up

You can perform initial configuration by using the WLSE's startup template feature. For information on using a startup template, see the online help or the "Managing Device Configuration" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.

Radio Management Setup—IOS Devices


Note Make sure you also configure all access points for basic network management. See Basic Network Management Setup—IOS Devices.


Setting up access points for radio management involves configuring all access points to register with Wireless Domain Services (WDS). WDS provides wireless client roaming and radio management aggregation.

Only Cisco Aironet 1100 and 1200 series access points support WDS. For information about the supported access points and IOS firmware versions, see the WLSE 2.7 Supported Devices Table on cisco.com.

This section contains the following information:

About WDS Devices

About Configuring Authentication

Radio Management Setup Quick Reference

Using Access Points as WDS Devices

Using a Wireless LAN Services Module (WSM) as the WDS Device

Configuring Infrastructure Access Points to Register with WDS Access Points

Configuring Infrastructure Access Points to Register with a Wireless LAN Services Module (WSM)

Configuring Scanning APs

Configuring the WLSE

Confirming the Configuration

About WDS Devices

The device that supplies WDS can be either one of the following:

A Cisco Aironet 1100 or 1200 series access point

Each WDS access point supports one AP subnet. You can add additional WDS access points for redundancy. The priorities you set on the WDS access points determine which one is the primary, and which ones are backups.

A Wireless LAN Services Module (WSM)

Each WSM can support multiple AP subnets, as long as all of the subnets are served by the switch in which the WSM is installed.

About Configuring Authentication

To use WDS, both the infrastructure APs and the WLSE must use LEAP to authenticate to the WDS devices. For this purpose, you can use:

Local authentication on a WDS device. See Using Access Points as WDS Devices.

AAA servers that you have already configured, or you can configure servers as described in Setting Up AAA Servers.

In addition, server groups must be created on the WDS access points for:

Infrastructure authentication

For information on creating server groups for infrastructure APs, see Using Access Points as WDS Devices.

Client authentication

For information on creating server groups for client authentication, see the AP documentation.

Radio Management Setup Quick Reference

Table 5-2 lists the high-level setup tasks and sections in this document where you can find detailed instructions.

Table 5-2 Radio Management Setup Tasks Quick Reference 

Task: Configure WDS devices
References: Using Access Points as WDS Devices; Using a Wireless LAN Services Module (WSM) as the WDS Device

Task: Configure infrastructure access points to authenticate to a WDS device
References: Configuring Infrastructure Access Points to Register with WDS Access Points; Configuring Infrastructure Access Points to Register with a Wireless LAN Services Module (WSM)

Task: Configure access points to be scanning-only APs
References: Configuring Scanning APs

Task: Configure the WLSE with WLCCP credentials
References: Configuring the WLSE

Task: Define authentication servers
References: About Configuring Authentication

Task: Confirm the configuration
References: Confirming the Configuration


Using Access Points as WDS Devices


Note Before making changes to device configuration, you should back up the current configuration, and test the new configuration on non-production devices.


WDS must be active on an access point in each subnet in which APs are placed; you can also define backup WDS access points in each AP subnet. Configuring WDS requires:

Defining the AAA servers and server groups that the WDS will use to LEAP authenticate infrastructure access points and the WLSE.

Enabling WDS and setting WDS priorities.

Entering the WNM IP address.

There are three ways to configure WDS access points:

Use the access point web interface—See Using the Web Interface to Configure WDS Points.

Use the access point CLI interface—See Using the CLI Interface to Configure WDS Access Points.

Use a WLSE configuration template—See Using a WLSE Configuration Template to Configure WDS Access Points.


Note If you are using redundant WLSEs for high availability, use the VIP address as the IP address of the WLSE when configuring WDS. For more information on redundancy, see the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.


Using the Web Interface to Configure WDS Points

To configure WDS access points by using the web interface:


Step 1 Log in to an AP that will serve as a WDS device.

Step 2 Select Wireless Services > WDS.

Step 3 Select the General Set-Up tab.

Step 4 To enable WDS, select Use this AP as Wireless Domain Services.

Step 5 Enter a value between 1 and 255 in the Wireless Domain Services Priority field.

The priority value is used to determine which AP will be the active WDS AP when multiple APs are configured to run WDS. The highest priority is 255.

Step 6 Configure the Wireless Network Manager (WNM) options:

a. Select Configure Wireless Network Manager.

b. Enter the IP address of your WLSE in the Wireless Network Manager IP Address field.

c. Click Apply.

Step 7 Define the AAA server group(s) for LEAP authenticating the WLSE and the infrastructure access points participating in SWAN:

a. Select the Server Groups tab.

b. Enter a server group name.

c. From the Priority lists, select the appropriate AAA servers.

If no AAA servers have been entered, click Define Servers to add the servers, then select the appropriate servers. Consult the AP online help for assistance in entering AAA servers into the AP.

d. Under Use Group For, select Infrastructure Authentication.

Step 8 Configure the WDS AP to authenticate itself to the WDS so that it can participate in the SWAN hierarchy:

a. Select Wireless Services > AP.

b. Select Enable.

c. Enter a username and password that can be LEAP authenticated by the AAA servers in the infrastructure server group.

Step 9 To commit the configuration, click Apply.


Note To configure authentication for wireless clients, see the AP documentation.



Using the CLI Interface to Configure WDS Access Points


Tip Consult the IOS and access point documentation for details on the subtleties of IOS commands.


The key steps in configuring the WDS are:

Configure AAA servers to authenticate SWAN infrastructure access points and the WLSE.

Configure WDS.

Configure the WNM.

To configure the WDS access points using the IOS command line interface:


Step 1 Log in to an access point that will be a WDS device.

Step 2 Turn on AAA services:

aaa new-model

Step 3 Define the RADIUS servers that you will use for infrastructure authentication and/or client authentication. Consult your RADIUS server documentation for the correct port numbers. CiscoSecure ACS uses port 1645 for authorization and port 1646 for accounting.

radius-server host [ ip_address | hostname ] auth-port port acct-port port key shared_secret_key

Step 4 Define a server group for infrastructure authentication:

aaa group server radius server_group_name
server radius_server

Step 5 Define at least one additional server group for wireless client authentication.

Step 6 Configure the AP to run WDS:

wlccp wds priority priority interface BVI1

where priority is a value from 1 to 255. Priority determines which AP will be the active WDS AP when multiple APs are configured to run WDS. The highest priority is 255.

Step 7 Configure the Wireless Network Manager (WNM) component:

wlccp wnm ip address wlse_ip_address

where wlse_ip_address is the address of the WLSE.

Step 8 Configure the server group the WDS will use to LEAP authenticate SWAN infrastructure access points. Use the server group name that you created in Step 4.

aaa authentication login named_authentication_list group server_group_name

wlccp authentication-server infrastructure named_authentication_list

Step 9 The WDS access point must also register and authenticate itself to the WDS to participate in the SWAN hierarchy; therefore, the WDS AP is also an infrastructure AP. To configure the WDS access point as an infrastructure access point:

wlccp ap username username password password



Note To configure authentication for wireless clients, see the relevant AP documentation.
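
Steps 2 to 9 only work if the names line up: the infrastructure authentication list must point at a defined server group, and that group at a defined RADIUS host. The following added example (not code from the Cisco guide) follows that chain in a saved WDS AP configuration; the function names, finding codes and sample values are assumptions, and only named server groups as created in Step 4 are resolved.

```python
import re

# Constructed sample: a WDS access point configuration assembled from
# Steps 2-9 above. Addresses, names and secrets are made-up values.
SAMPLE_WDS = """\
aaa new-model
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key EXAMPLE-SECRET
aaa group server radius swan_infra
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa authentication login swan_infra_list group swan_infra
wlccp wds priority 200 interface BVI1
wlccp wnm ip address 192.0.2.50
wlccp authentication-server infrastructure swan_infra_list
wlccp ap username wds-ap-01 password EXAMPLE-PASSWORD
"""

# Constructed sample: broken reference chain, bad priority, missing steps.
SAMPLE_BROKEN = """\
aaa new-model
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key EXAMPLE-SECRET
aaa group server radius swan_infra
 server 192.0.2.99
aaa authentication login swan_list group swan_infrastructure
wlccp wds priority 300 interface BVI1
wlccp authentication-server infrastructure swan_list
"""

PATTERNS = {
    "host": r"radius-server host (\S+)",
    "group": r"aaa group server radius (\S+)$",
    "list": r"aaa authentication login (\S+) group (\S+)",
    "infra": r"wlccp authentication-server infrastructure (\S+)",
    "priority": r"wlccp wds priority (\d+) interface \S+",
    "wnm": r"wlccp wnm ip address (\S+)",
    "ap": r"wlccp ap username (\S+) password \S+",
}


def parse_wds_config(text):
    """Collect the statements the WDS procedure depends on."""
    cfg = {"aaa": False, "hosts": set(), "groups": {}, "lists": {},
           "infra": None, "priority": None, "wnm": None, "ap": None}
    current = None  # server group whose sub-commands are being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace() and current and line.startswith("server "):
            cfg["groups"][current].append(line.split()[1])
            continue
        current = None
        if line == "aaa new-model":
            cfg["aaa"] = True
            continue
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, line)
            if not m:
                continue
            if key == "host":
                cfg["hosts"].add(m.group(1))
            elif key == "group":
                current = m.group(1)
                cfg["groups"][current] = []
            elif key == "list":
                cfg["lists"][m.group(1)] = m.group(2)
            elif key == "priority":
                cfg["priority"] = int(m.group(1))
            else:
                cfg[key] = m.group(1)
            break
    return cfg


def audit_wds_config(text):
    """Return finding codes for one WDS AP configuration."""
    cfg, out = parse_wds_config(text), []
    if not cfg["aaa"]:
        out.append("NO_AAA_NEW_MODEL")
    if cfg["priority"] is None:
        out.append("WDS_NOT_ENABLED")
    elif not 1 <= cfg["priority"] <= 255:
        out.append("BAD_PRIORITY")
    if cfg["wnm"] is None:
        out.append("NO_WNM_ADDRESS")
    # Follow infrastructure list -> server group -> RADIUS hosts.
    if cfg["infra"] is None:
        out.append("NO_INFRA_AUTH_LIST")
    elif cfg["infra"] not in cfg["lists"]:
        out.append("UNDEFINED_AUTH_LIST")
    elif cfg["lists"][cfg["infra"]] not in cfg["groups"]:
        out.append("UNDEFINED_SERVER_GROUP")
    for servers in cfg["groups"].values():
        if not servers or any(s not in cfg["hosts"] for s in servers):
            out.append("GROUP_WITHOUT_KNOWN_SERVER")
    if cfg["ap"] is None:
        out.append("NO_AP_CREDENTIALS")  # Step 9: the WDS AP must register too
    return out


if __name__ == "__main__":
    print("sample:", audit_wds_config(SAMPLE_WDS) or "no findings")
    print("broken:", audit_wds_config(SAMPLE_BROKEN))
```
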


Using a WLSE Configuration Template to Configure WDS Access Points

You can use the WLSE to configure one or more WDS access points.

The major configuration steps are:

Create a configuration template to set up AAA servers and the WDS.

Apply the configuration template to the appropriate access points by running a configuration job.

To configure WDS access points by using a WLSE configuration template:


Step 1 Log in to the WLSE web interface.

Step 2 Select Configure > Templates.

a. Enter a template name, selecting IOS as the template type.

b. Click Create New.

Step 3 Enter the AAA servers for LEAP authenticating the infrastructure access points and the WLSE to the WDS, and the AAA servers for authenticating wireless client devices:

a. Select Security > Server Manager.

b. In the Corporate Servers section, for each server, enter the IP address, select RADIUS, and enter the shared secret.

c. Click Save.

Step 4 Select Wireless Services > WDS to configure the WDS parameters.

In the Global Properties section:

a. Select Enable.

b. Enter the Wireless Domain Services priority. This value determines which access point will serve as the active WDS when multiple access points are configured to run WDS on the same subnet. Valid priority values are 1-255, with 255 being the highest.

c. Enter the WLSE's IP address in the WNM IP Address field.

Step 5 Configure a server group for authenticating the SWAN infrastructure components.

In the Server Groups section:

a. Enter one or more server names or server IP addresses.

b. Under Use Group For, select Infrastructure Authentication.

c. Click Save.

Step 6 The WDS access point must also register and authenticate itself to the WDS to participate in the SWAN hierarchy, so the WDS AP is also an infrastructure AP. To authenticate and register the WDS AP as an infrastructure AP:

a. Select Wireless Services > AP Configuration.

b. Select Enabled as the Wireless Services option.

c. Enter a username and password that can be LEAP authenticated by the AAA servers in the infrastructure server group.

Step 7 (Optional) Select Preview to see a preview of the configuration template.

Step 8 Select Save, then click the Save button.

Step 9 Select Yes to apply the template immediately or select No to save the template. For information on configuration jobs, see the "Managing Device Configuration" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.



Note To configure authentication for wireless clients, see the relevant AP documentation.


Using a Wireless LAN Services Module (WSM) as the WDS Device

If you are using a WSM to provide WDS, instead of using APs for WDS, follow the procedures in the WSM documentation to configure it for WDS. Use the IP address of the WLSE as the WNM IP address.

Configuring Infrastructure Access Points to Register with WDS Access Points

Infrastructure access points initiate participation in SWAN by registering and LEAP authenticating with the WDS.

The only required configuration for infrastructure access points is the username and password used to register with the WDS.

There are three ways to configure infrastructure access points to register with WDS:

Using the access point web interface—See Using the Web Interface to Configure Infrastructure APs.

Using the access point CLI interface—See Using the Command Line Interface to Configure Infrastructure APs.

Using a WLSE configuration template—See Using a WLSE Configuration Job to Configure Infrastructure APs.

Using the Web Interface to Configure Infrastructure APs

To use the web-based interface to configure infrastructure APs:


Step 1 Log in to the AP's web interface.

Step 2 Select Wireless Services > AP.

Step 3 Select Enabled.

Step 4 Enter the username and password for authenticating the infrastructure AP to the WDS.

Step 5 Click Apply.


Using the Command Line Interface to Configure Infrastructure APs

To use the command line interface to configure infrastructure APs:


Step 1 Log in to the AP's CLI.

Step 2 Enter the following command:

wlccp ap username username password password

where username and password are the credentials for authenticating the infrastructure access point to the WDS.


Using a WLSE Configuration Job to Configure Infrastructure APs

The WLSE can configure multiple infrastructure APs in a single job. To configure infrastructure APs using the WLSE, create a configuration template using the template creation wizard, then apply the template in a configuration job. For more information about using the template creation wizard and the configuration job interface, see the online help or the "Using IOS Templates" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.

To configure the username and password used to authenticate the AP to the WDS:


Step 1 Log in to the WLSE web interface.

Step 2 Select Configure > Templates.

Step 3 Select Wireless Services > AP Configuration.

Step 4 Select Enabled.

Step 5 Enter the username and password for LEAP authenticating infrastructure APs to the WDS.

Step 6 Create a configuration job to apply the template to the appropriate devices. For information on configuration jobs, see the online help or the "Managing Device Configuration" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.


Configuring Infrastructure Access Points to Register with a Wireless LAN Services Module (WSM)

To configure infrastructure access points to register with a Wireless LAN Services Module, see the relevant AP and WSM documentation on Cisco.com.

Configuring Scanning APs

This section describes how to configure an AP as a scanning-only AP. After you have performed the basic network management configuration and radio management configuration described in this chapter, perform the additional configuration described in this section to make the AP into a scanning AP. Scanning APs can detect and report "bug-lighted" clients (clients associated to unauthorized access points). Scanning APs do not accept client associations.

For more information on scanning APs and other requirements for using scanning APs with a WLSE, see the online help or the "Radio Management" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.


Note Radio scanning requires a read/write SNMP community string on APs. For more information, see Radio Management Setup—IOS Devices.


Table 5-3 lists the high-level tasks for setting up scanning APs.

Table 5-3 Setting Up Scanning APs Quick Reference

Task: 1. Configure the scanning APs for basic management and radio management. Do not configure VLAN/SSID on the scanning AP. Do not configure the scanning AP as a WDS device.
References: Setting Up IOS Access Points

Task: 2. Configure the specific scanning AP parameters.
References: Configuring a Scanning AP—Using the AP CLI; Configuring a Scanning AP—Using a WLSE Configuration Template

Task: 3. Run inventory on the WLSE.
References: Run Inventory

Task: 4. Enable client registration scanning on the WLSE.
References: Enable Client Registration Scanning


Configuring a Scanning AP—Using the AP CLI

To configure an access point for scanning only, enter the following commands:

config t
int dot11 0 (for interface 0)
station-role scanner

Configuring a Scanning AP—Using a WLSE Configuration Template

To configure an access point for scanning only from a WLSE configuration template:

1. Select Configuration > Templates > IOS > Basic Settings, then select Scanner Access Point.

2. Select Configuration > Templates > IOS > Network Interfaces. Select a radio and select Scanner Access Point.

Run Inventory

Select Administration > Devices > Discover > Inventory and run inventory so the WLSE can update the role of the AP. The scanning APs will be listed in the WLSE's Scanning AP system group.

For more information, see the online help or the "Managing Devices" chapter of the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.

Enable Client Registration Scanning

Select Radio Management > Radio Monitoring and enable Client Registration Scanning to detect bug-lighted clients.

For more information, see the online help or the "Radio Management" chapter of the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.

Configuring the WLSE

The WLSE is the Wireless Network Manager (WNM) component of SWAN. The WLSE polls and aggregates radio management data from WDS devices and processes this data. The following configuration is required on the WLSE for radio management:

SWAN components communicate via a Cisco proprietary technology called WLCCP. You must enter the WLCCP username and password in the WLSE. This username and password is used to LEAP authenticate the WLSE to the WDS APs in the network. See Enter WLCCP Credentials for Wireless Domain Services (WDS).

Enter the SNMP read-only and read/write communities for all managed IOS access points. See Enter SNMP Community Strings for All Managed Devices.

Enter Telnet/SSH credentials for IOS access points. See Enter Telnet or SSH Credentials for IOS Access Points.

Confirming the Configuration

After you complete all the configuration procedures, you should confirm that the configuration is correct and that the SWAN components are communicating properly. Perform the following confirmation steps on the active WDS APs. There are two ways to confirm configuration:

Using the Web interface—See Using the Web-based Interface to Validate the Configuration.

Using the command-line interface—See Using the Command-Line Interface to Validate the Configuration.


Note To determine which WDS APs are actively providing WDS services, you can use the WDS Summary Report on the WLSE. For more information, see the online help or the "Reports" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.


Using the Web-based Interface to Validate the Configuration

To confirm the configurations using the web-based interface on WDS APs:


Step 1 Log in to the web interface on each active WDS AP.

Step 2 Select Wireless Services > WDS > WDS Status.

Check for the following:

The WDS Information section should display the device WDS state as ACTIVE.

The WDS Registration and AP Information sections should show the correct number of APs (all of the infrastructure APs and the WDS AP).

The Mobile Node Information section should display the wireless clients participating in SWAN.

The Wireless Network Manager section should contain the WLSE IP address. If the WLSE authentication status is SECURITY KEYS SETUP, the WLSE is properly registered.


Using the Command-Line Interface to Validate the Configuration

To use the CLI on the WDS APs to validate the configuration:


Step 1 Log in to the CLI on each active WDS AP.

Step 2 To validate the WDS configuration, enter:

show wlccp wds ap

This command lists all of the infrastructure APs and the WDS AP.

Step 3 To verify that the WLSE is correctly registered, enter:

show wlccp wnm status

This command should display the WLSE IP address. If the WLSE authentication status is SECURITY KEYS SETUP, the WLSE is properly registered.
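When there are several active WDS APs, the two CLI checks above can be run against saved command output and compared with an inventory. The following Python script is an added example, not part of the Cisco guide: the sample captures, addresses, inventory and column layout are constructed, and the parser relies only on IPv4 addresses and the SECURITY KEYS SETUP string quoted above.

```python
import re

# Constructed sample captures (not real device output). The column layout is an
# assumption, so the parser relies only on IPv4 addresses and the status string
# quoted in this guide.
WDS_AP_OUTPUT = """\
wds-ap# show wlccp wds ap
MAC-ADDR        IP-ADDR     STATE       LIFETIME
0005.9a38.429f  10.0.0.20   REGISTERED  261
0007.8500.d1c2  10.0.0.21   REGISTERED  187
000c.3044.7e10  10.0.0.99   REGISTERED  240
"""
WNM_OUTPUT = """\
wds-ap# show wlccp wnm status
WNM IP Address : 10.0.0.5  Status : SECURITY KEYS SETUP
"""
EXPECTED_APS = {"10.0.0.20", "10.0.0.21", "10.0.0.22"}  # hypothetical inventory
WLSE_IP = "10.0.0.5"                                     # hypothetical WLSE address

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def registered_aps(output):
    """Return the set of AP IP addresses listed by 'show wlccp wds ap'."""
    return set(IPV4.findall(output))


def check_wds(wds_output, wnm_output, expected_aps, wlse_ip):
    """Compare captured output with the inventory and return a list of findings."""
    findings = []
    seen = registered_aps(wds_output)
    for ip in sorted(expected_aps - seen):
        findings.append(f"missing AP {ip}: not registered with this WDS")
    for ip in sorted(seen - expected_aps):
        findings.append(f"unexpected AP {ip}: registered but not in inventory")
    if wlse_ip not in IPV4.findall(wnm_output):
        findings.append(f"WLSE {wlse_ip} is not listed as the wireless network manager")
    if "SECURITY KEYS SETUP" not in wnm_output:
        findings.append("WLSE authentication status is not SECURITY KEYS SETUP")
    return findings


if __name__ == "__main__":
    for finding in check_wds(WDS_AP_OUTPUT, WNM_OUTPUT, EXPECTED_APS, WLSE_IP):
        print(finding)
```

An empty result means the registered APs match the inventory and the WLSE is registered; an unexpected AP entry deserves follow-up before it is added to the inventory.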


Setting Up Routers and Switches


Note Only routers and switches that have properly configured access points or bridges attached to them will be discovered.


Configure each router and switch as shown in Table 5-4.

Table 5-4 Setup Procedures for Routers and Switches 

Task 1. Enable CDP and verify that access points and bridges are visible from the router or switch.

Procedure:

1. In enable mode, verify that CDP is running on the device by using one of the following commands:

On IOS-based devices—show cdp run.

On Hybrid OS-based Catalyst switches—show cdp.

2. If CDP is not running, in global configuration mode, enter cdp run to enable CDP.

3. To verify that access points or bridges are visible in the device's CDP table, enter show cdp neighbors.

Notes: CDP is required for the WLSE to discover the device.

Task 2. Enable SNMP and set up community strings.

Procedure:

On IOS-based devices, enter configuration mode and use the snmp community community_string ro command.

On Hybrid OS-based Catalyst devices, enter enable mode and use the set snmp community read-only community_string command.

Notes: SNMP is required for the WLSE to discover and manage the device.

Task 3. (Optional) Set system name, contact, and location variables.

Procedure:

On IOS-based devices, enter configuration mode and use the following commands to set the system name, system contact, and system location:

hostname name

snmp contact contact

snmp location location

On Hybrid OS-based Catalyst switches, enter enable mode and use the following commands to set the system name, system contact, and system location:

set system name name

set system contact contact

set system location location

Notes: These variables make the device more manageable. The system name, system contact, and location will appear in the device detail displays.


Setting Up AAA Servers

The WLSE can monitor the performance of AAA (Authentication, Authorization, and Accounting) services provided by a CiscoSecure ACS server and a Cisco Access Registrar (CAR) RADIUS server. The services supported are LEAP, RADIUS, EAP-MD5, and PEAP (EAP-GTC only).


Note This section covers setting up an ACS server. To set up a CAR server, see the CAR documentation on Cisco.com.



Note For PEAP, besides the procedure in this section, you must set up a certificate and private key on the ACS server and then enable PEAP. For more information, see the CiscoSecure ACS documentation.


To enable monitoring of an ACS server, you must:

Configure the CiscoSecure ACS server to recognize the WLSE as a client. Follow the procedure in this section on each server.


Note If two Ethernet interfaces are configured with IP addresses on the WLSE, both addresses must be configured as clients on the ACS server.


Configure the WLSE to add information about servers. For more information, see Adding AAA Servers to the WLSE.

In addition to monitoring AAA servers, you can use an AAA server to authenticate to Wireless Domain Services (WDS) access points. To enable this authentication, make sure an AAA server is configured as described in this section, and configure WDS as described in Radio Management Setup—IOS Devices.

Procedure


Step 1 Log in to the CiscoSecure ACS Server that will provide authentication services to the wireless network.


Note You will need the IP address or name of the system on which CiscoSecure ACS Server is running when you configure the WLSE.


Step 2 Click User Setup on the left side of the initial page.

Step 3 Enter a username for the user the WLSE will use for synthetic transactions and click Add/Edit.

Step 4 Enter a password in the first set of Password and Confirm Password fields. Click Submit.


Note You will need this name and password when configuring the WLSE.


Step 5 Click Network Configuration on the left side of the page.

Step 6 Click Add Entry. In the Add AAA Client area, enter the following WLSE information:


Note If two Ethernet interfaces are configured with IP addresses on the WLSE, both addresses must be configured as clients on the ACS server.


Field              Description

Client Hostname    WLSE hostname.

Client IP          WLSE IP address. [1]

Key                Secret key. [2]

[1] If you are using redundant WLSEs, enter the VIP address. For more information about WLSE redundancy, see the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.7.

[2] You will need this key when configuring the WLSE.


Step 7 Select RADIUS (Cisco Aironet) from the Authenticate Using list.

Step 8 If you are using this server for Wireless Domain Services (WDS) authentication, configure the server for simultaneous login sessions. See the ACS server documentation for details.

Step 9 Click Submit or Submit+Restart. A restart is required for the changes to take effect.