Configuring Devices for Management, 2.9
Configuring IOS APs for Radio Management


Configuring IOS Access Points for Radio Management


This chapter provides procedures for preparing IOS access points and the WLSE for participation in the Cisco Structured Wireless-Aware Network (SWAN).


Note Alternative methods of device configuration are described in this document. However, once access points are managed by the WLSE, you should avoid modifying them directly (through the command-line interface or web interface). Instead, use the WLSE configuration templates to make changes. If configuration changes are made directly and not through the WLSE, the WLSE will not detect them immediately. This can cause inconsistencies in WLSE operations, especially in radio management.


This chapter contains the following topics:

Introduction

Radio Management Setup Quick Reference

Task 1: Configuring WDS Devices

Task 2: Configuring Infrastructure APs

Task 3: Configuring Scanning APs

Task 4: Configuring the WLSE

Task 5: Configuring Authentication

Task 6: Confirming the Configuration

Introduction


Note You must first configure all of the access points for basic network management. See "Configuring IOS Access Points for Network Management."


Setting up access points for radio management involves configuring all access points to register with Wireless Domain Services (WDS). WDS provides wireless client roaming and radio management aggregation.

What is WDS and Why Do I Need It?

The critical software component in the network is a set of IOS features called the Wireless Domain Services (WDS). Two types of devices can supply the WDS:

An access point configured for WDS

Each WDS access point supports one AP subnet. You can add additional WDS access points for redundancy. The priorities you set on the WDS access points determine which one is the active and which ones are backups.

A Wireless LAN Services Module (WLSM)

WLSM is a CAT6K blade that provides WDS services and allows L3 seamless roaming among APs. Each WLSM can support multiple AP subnets, as long as all of the subnets are served by the switch on which the WLSM is installed.

The following topics describe these device types:

Understanding WDS Access Points

Understanding WLSM WDS Devices

Understanding WDS Access Points

The WDS provides control path technologies that must be active on an AP in each AP subnet; a backup WDS can also be defined in each AP subnet. The WDS provides:

Fast, secure layer-2 wireless client roaming—The WDS acts as an 802.1x authenticator for wireless clients within the layer-2 network.

Radio Management (RM) data aggregation—The WLSE provides intelligent processing of aggregated data collected by the WDS access points from other wireless clients in the network. The WLSE can manage multiple subnets, so it can receive radio data from many APs running WDS.


Caution The WLSE must register with the WDS in each managed AP subnet to receive Radio Manager data. If the WLSE is not registered, none of the Radio Manager functions will work.

Without a WDS to perform data aggregation, the communication between the access points and WLSE looks like this:

Figure 4-1 WLSE-AP Communications—Without WDS

Using this approach, the WLSE can communicate with the APs using only these two methods:

Primary: SNMP

Secondary: CLI over telnet or SSH

When you set up WLSE to manage the APs (the basic network management configuration), your network looks something like this:

Figure 4-2 AP to WLSE Data Aggregation

After you configure the network for Radio Management tasks, the WLSE communicates all Radio Management activities with one or more WDS APs instead of all APs in the network. Each WDS AP collects data from other wireless clients in the network and sends this aggregated data to the WLSE.

Figure 4-3 WLSE-AP Communications—With WDS

Understanding WLSM WDS Devices

A Wireless LAN Services Module (WLSM) device is a module for the Catalyst 6000 switch that provides WDS to the wireless network. Each WLSM supports multiple AP subnets, as long as all of the subnets are served by the switch on which the WLSM is installed.

You can add a second WLSM to serve as a standby. The WLSE authenticates with both the HSRP active and HSRP standby WLSM devices (WLSM uses HSRP to handle redundancies). In the reports, both WLSM devices (HSRP active and HSRP standby) will appear as active WDSs.

If the HSRP active WLSM goes down, the HSRP standby WLSM will communicate with the AP subnets (see Figure 4-4).

Figure 4-4 WLSE-WLSM Communications

Figure 4-5 illustrates a network that uses both AP and WLSM WDS devices to manage the access points in the network. In this example, additional access points have been identified as backup AP-WDS devices (AP1 and AP4), and an additional HSRP-based WLSM-WDS device has been added as a standby for the active WLSM-WDS.

Figure 4-5 Sample Network Using AP-WDS and WLSM-WDS Devices

How To Use WDS Devices

To use WDS devices:

One access point or one WLSM must be designated as the WDS. The WDS is the only device that speaks to the authentication server.

For AP-WDS devices, WDS must be active on an access point in each subnet in which APs are placed; backup WDS access points can also be defined in each AP subnet.

For WLSM-WDS devices, each WLSM can support multiple AP subnets, as long as all of the subnets are served by the switch on which the WLSM is installed.

The WDS device establishes a relationship with the authentication server (either an external RADIUS server or the local RADIUS server feature in the WDS access point itself) by authenticating to it using a WDS user name and password.


Note For a WLSM-WDS, the only option is the external RADIUS server; WLSM-WDS devices do not support the local RADIUS server feature.


Other access points, called infrastructure access points, communicate with the WDS device. Infrastructure access points must authenticate themselves to the WDS before they are registered. This infrastructure authentication is defined by an infrastructure server group on the WDS device.

Communication between the WDS and the infrastructure access points happens over Wireless LAN Context Control Protocol (WLCCP). For an AP-WDS, WDS multicast messages are used for WDS discovery by the infrastructure access points. Therefore, an AP-WDS device and its associated infrastructure access points must be in the same IP subnet and on the same LAN segment.

Between the WDS and the WLSE, WLCCP uses TCP and User Datagram Protocol (UDP) on port 2887. When the WDS and WLSE are on different subnets, the packets cannot be translated with a protocol like Network Address Translation (NAT).

Client authentication is defined by one or more client server groups on the WDS devices.

When a client attempts to associate to an infrastructure access point:

1. The infrastructure access point passes the user's credentials to the WDS device for evaluation. If it is the first time that the WDS has seen a given user's credentials, it uses the authentication server to validate the credentials.

2. The WDS device then caches the user's credentials so it does not have to return to the authentication server when that user attempts authentication again (for example, reauthentication for rekeying, for roaming, or for when the user starts up the client device).

Any RADIUS-based EAP authentication protocol can be tunneled through WDS (for example, Lightweight EAP [LEAP], Protected EAP [PEAP], EAP-Transport Layer Security [EAP-TLS], or EAP-Flexible Authentication via Secure Tunneling [EAP-FAST]).

Radio Management Setup Quick Reference

Two types of devices can supply the WDS:

A Wireless LAN Services Module (WLSM)

Each WLSM supports multiple AP subnets, as long as all of the subnets are served by the switch on which the WLSM is installed.

An access point configured for WDS

Each WDS access point supports one AP subnet. You can add additional WDS access points for redundancy. The priorities you set on the WDS access points determine which one is the primary and which ones are backups.

Table 4-1 lists the general setup tasks for using these devices to supply the WDS:

Table 4-1 Radio Management Setup Tasks

Task  Description                                                             References
1.    Configure WDS devices                                                   Task 1: Configuring WDS Devices
2.    Configure infrastructure access points to authenticate to a WDS device  Task 2: Configuring Infrastructure APs
3.    Configure access points to be scanning-only APs                         Task 3: Configuring Scanning APs
4.    Configure the WLSE with WLCCP credentials                               Task 4: Configuring the WLSE
5.    Define authentication methods                                           Task 5: Configuring Authentication
6.    Confirm the configuration                                               Task 6: Confirming the Configuration


Task 1: Configuring WDS Devices

Configuring WDS involves:

Defining the AAA servers and server groups that the WDS will use to LEAP authenticate infrastructure access points and the WLSE.

Enabling WDS and setting WDS priorities.

Entering the WNM IP address.


Note Before making changes to device configuration, you should back up the current configuration and test the new configuration on non-production devices.


The following sections describe how to configure the types of WDS devices:

Configuring WDS Access Points (AP-WDS)

Configuring WDS on a Wireless LAN Services Module (WLSM-WDS)

Configuring WDS Access Points (AP-WDS)


Note Only Cisco Aironet 1100 and 1200 series access points support WDS. For information about the supported access points and IOS firmware versions, see the Supported Devices Table for WLSE 2.9 on cisco.com.


There are several ways to configure WDS access points:

Using the Web Interface to Configure WDS APs

Using the CLI Interface to Configure WDS APs

Using a WLSE Configuration Template to Configure WDS APs


Note For a sample WDS configuration, see the document titled Wireless Domain Services Configuration on Cisco.com. To locate this document, use the following navigation path from the Cisco.com home page: Products and Services > Wireless > Cisco Aironet 1200 Series Access Point > Technical Documentation > Configuration Examples.


Using the Web Interface to Configure WDS APs

See the "Designate an Access Point as WDS" section in the tech tip at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml.

Using the CLI Interface to Configure WDS APs

See the "Designate an Access Point as WDS" section in the tech tip at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml.


Tip Consult the IOS and access point documentation for details on the subtleties of IOS commands.


Using a WLSE Configuration Template to Configure WDS APs

You can use the WLSE to configure one or more WDS access points.

The major configuration steps are:

Creating a configuration template to set up AAA servers and the WDS.

Applying the configuration template to the appropriate access points by running a configuration job.

Procedure


Step 1 Log in to the WLSE web interface.

Step 2 Select Configure > Templates.

a. Enter a template name, selecting IOS as the template type.

b. Click Create New.

Step 3 Enter the AAA servers that will be used to LEAP authenticate the infrastructure access points and the WLSE to the WDS, and the AAA servers that will be used to authenticate wireless client devices:

a. From the menu on the left, select Security > Server Manager.

b. In the Corporate Servers section, for each server, enter the IP address, select RADIUS, and enter the shared secret.

c. Click Save.

Step 4 From the menu on the left, select Wireless Services > WDS to configure the WDS parameters.

In the Global Properties section:

a. Select Enable.

b. Enter the Wireless Domain Services priority. This value determines which access point will serve as the active WDS when multiple access points are configured to run WDS on the same subnet. Valid priority values are 1-255, with 255 being the highest.

c. Enter the WLSE's IP address in the WNM IP Address field.

Step 5 Configure a server group for authenticating the SWAN infrastructure components.

In the Server Groups section:

a. Enter one or more server names or server IP addresses.

b. Under Use Group For, select Infrastructure Authentication.

c. Click Save.

Step 6 The WDS access point must also register and authenticate itself to the WDS to participate in the SWAN hierarchy, so the WDS AP is also an infrastructure AP. To authenticate and register the WDS AP as an infrastructure AP:

a. Select Wireless Services > AP Configuration.

b. Select Enable as the Wireless Services option.

c. Enter a username and password that can be LEAP authenticated by the AAA servers in the infrastructure server group.

Step 7 (Optional) From the menu on the left, select Preview to see a preview of the configuration template.

Step 8 From the menu on the left, select Save, then click the Save button.

Step 9 Select Yes to apply the template immediately or select No to save the template. For information on configuration jobs, see Chapter 7, Managing Device Configuration, in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.9.


Configuring WDS on a Wireless LAN Services Module (WLSM-WDS)

To use a WLSM to provide WDS:


Step 1 To configure the WLSM for WDS, follow the procedures in the WLSM documentation. Use the IP address of the WLSE as the WNM IP address.

Step 2 Use the following command to configure the WLSM with the address of the WLSE:

wlccp wnm ip address WLSE_IP_address

After this command is entered on the WLSM, the WLSE will automatically discover it.


Task 2: Configuring Infrastructure APs

The infrastructure access points are the APs with which the clients associate. The infrastructure access points ask the WDS to perform authentication for them. There are several ways to configure infrastructure access points to register with a WDS device:

Using the Web Interface to Configure Infrastructure APs

Using the CLI to Configure Infrastructure APs

Using a WLSE Configuration Job to Configure Infrastructure APs

Using the Web Interface to Configure Infrastructure APs

See the "Designate an Access Point as Infrastructure" section in the tech tip at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml.

Using the CLI to Configure Infrastructure APs

See the "Designate an Access Point as Infrastructure" section in the tech tip at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml.

Using a WLSE Configuration Job to Configure Infrastructure APs

When you use a WLSE configuration template, you can configure multiple infrastructure APs in a single job. Use the template creation wizard to create a configuration template, then apply the template in a configuration job.

For more information about using the template creation wizard and the configuration job interface, see WLSE online help or the "Using IOS Templates" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.9.

Procedure


Step 1 Log in to the WLSE web interface.

Step 2 Select Configure > Templates.

a. Enter a template name, selecting IOS as the template type.

b. Click Create New.

Step 3 Select Wireless Services > AP Configuration.

Step 4 Select Enable.

Step 5 Select the mechanism that should be used to discover the WDS device:

For access points that will register with an AP-WDS, select Auto Discovery.

For access points that will register with a WLSM-WDS, select Specified Discovery and enter the IP address of the WLSM-WDS.

Step 6 Enter the username and password for LEAP authenticating infrastructure APs to the WDS.

Step 7 (Optional) Select Preview to see a preview of the configuration template.

Step 8 Select Save, then click the Save button.

Step 9 Select Yes to apply the template immediately or select No to save the template.

Step 10 Create a configuration job to apply the template to the appropriate devices.

For information about configuration jobs, see the online help or the "Managing Device Configuration" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.9.


Task 3: Configuring Scanning APs

This section describes how to configure an AP as a scanning-only AP. After you have performed the basic network management configuration and radio management configuration described in this chapter, perform the additional configuration described in this section to make the AP into a scanning-only AP. Scanning APs can detect and report "bug-lighted" clients (clients associated to unauthorized access points). Scanning-only APs do not accept client associations.

For more information about scanning APs and other requirements for using scanning APs with a WLSE, see the "Radio Management" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.9.

Table 4-2 lists the high level tasks for setting up scanning APs.


Note Radio scanning requires a read/write SNMP community string on APs. For more information, see Introduction.


Table 4-2 Scanning AP Setup Tasks

Step  Description                                        References
3a    Configure scanning APs for basic management and    "Configuring IOS Access Points for Network Management."
      radio management.                                  Task 2: Configuring Infrastructure APs
      Do not configure VLAN/SSID on a scanning AP.
      Do not configure a scanning AP as a WDS device.
3b    Configure specific scanning AP parameters.         Step 3b: Configure a Scanning AP
3c    Run inventory on WLSE.                             Step 3c: Run Inventory
3d    Enable client registration scanning on WLSE.       Step 3d: Enable Client Registration Scanning


Step 3a: Configure Scanning APs for Network and Radio Management

To configure scanning APs for basic management and radio management:

1. Configure scanning APs for basic network management.

Do not configure VLAN/SSID on a scanning AP.

Do not configure a scanning AP as a WDS device.

See "Configuring IOS Access Points for Network Management".

2. Configure scanning APs for radio management.

See Task 2: Configuring Infrastructure APs.

Step 3b: Configure a Scanning AP

Using a WLSE Configuration Template

To use a WLSE configuration template to configure an access point for scanning only:

1. Select Configuration > Templates > IOS > Basic Settings, then select Scanner Access Point.

2. Select Configuration > Templates > IOS > Network Interfaces. Select a radio and select Scanner Access Point.

Using the AP CLI

To use the AP's CLI to configure an access point for scanning only, enter the following commands:

config t
! Select the radio interface (interface 0 in this example)
int dot11 0
station-role scanner
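The restrictions in Steps 3a and 3b can be checked against a saved running configuration. The following is an added example, not part of the Cisco documentation or the WLSE: it assumes the configuration text has already been collected, and the `ssid`, `dot11 ssid`, `encapsulation dot1Q`, `wlccp wds priority` and `snmp-server community ... RW` lines it looks for are IOS commands that do not appear on this page. The function names and the sample configuration are constructed for illustration.

```python
# Constructed running-config fragment (not from a real device) that breaks four rules.
SAMPLE_CONFIG = """\
snmp-server community example-ro RO
interface Dot11Radio0
 ssid guest
 station-role scanner
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
!
wlccp wds priority 200 interface BVI1
"""


def split_sections(config):
    """Group indented sub-commands under the top-level command that owns them."""
    sections = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections


def audit_scanning_ap(config):
    """Return findings for a scanning-only AP; an empty list means compliant."""
    findings, scanner_radios, has_rw_community = [], 0, False
    for head, body in split_sections(config):
        tokens = head.lower().split()
        if head.lower().startswith("interface dot11radio"):
            name = head.split()[1]
            if "station-role scanner" in body:
                scanner_radios += 1
            for cmd in body:
                if cmd.lower().startswith("ssid "):
                    findings.append(f"{name}: SSID configured ({cmd})")
                elif cmd.lower().startswith("encapsulation dot1q"):
                    findings.append(f"{name}: VLAN configured ({cmd})")
        elif tokens[:2] == ["dot11", "ssid"]:
            findings.append(f"global SSID configured ({head})")
        elif tokens[:3] == ["wlccp", "wds", "priority"]:
            findings.append(f"AP is configured as a WDS device ({head})")
        elif tokens[:2] == ["snmp-server", "community"] and "rw" in tokens[3:]:
            has_rw_community = True
    if scanner_radios == 0:
        findings.append("no radio interface has 'station-role scanner'")
    if not has_rw_community:
        findings.append("no read/write SNMP community; radio scanning requires one")
    return findings


if __name__ == "__main__":
    for finding in audit_scanning_ap(SAMPLE_CONFIG):
        print(finding)
```
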

Step 3c: Run Inventory

Select Administration > Devices > Discover > Inventory and run inventory so the WLSE can update the role of the AP. The scanning APs will be listed in the WLSE's Scanning AP system group.

For more information, see the online help or the "Managing Devices" chapter of the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.9.

Step 3d: Enable Client Registration Scanning

Select Radio Management > Radio Monitoring and enable Client Registration Scanning to detect bug-lighted clients.

For more information, see the online help or the "Radio Management" chapter of the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.9.

Task 4: Configuring the WLSE

The WLSE is the Wireless Network Manager (WNM) component of SWAN. The WLSE polls and aggregates radio management data from WDS devices and processes this data. The following configuration is required on the WLSE for radio management:

SWAN components communicate via a Cisco proprietary technology called WLCCP. You must enter the WLCCP username and password in the WLSE. This username and password is used to LEAP authenticate the WLSE to the WDS devices in the network. See the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.9.

Enter the SNMP read-only and read/write communities for all managed IOS access points. See the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.9.

Enter Telnet/SSH credentials for IOS access points. See the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.9.

Task 5: Configuring Authentication

Both the infrastructure APs and the WLSE must use LEAP to authenticate to the WDS devices. You can use:

Local authentication (on an AP-WDS device only)—see Task 1: Configuring WDS Devices.

AAA servers that you have already configured, or you can configure servers as described in the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.9.


Note Do not set a session timeout on the ACS server that is less than 600 seconds. A session timeout of less than 600 seconds can disrupt Radio Manager operations.


Create server groups on the WDS devices for:

Infrastructure authentication—See Task 1: Configuring WDS Devices.

Client authentication—See the "Define Client Authentication Method" section in the tech tip at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml.

Task 6: Confirming the Configuration

After the configuration is complete, you should confirm that configuration is correct and that the SWAN components are communicating properly. The following configuration steps are performed on the active WDS devices.

For AP-WDS devices, there are two ways to confirm configuration:

Using the Web interface—See Using the Web Interface to Validate the Configuration.

Using the command-line interface—See Using the Command-Line Interface to Validate the Configuration.

For WLSM-WDS devices, use the command-line interface to confirm the configuration.

To determine which WLSEs are actively providing WDS services, you can display the WDS Summary Report. For more information about this report, see the "Reports" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.9.

Using the Web Interface to Validate the Configuration

Use this procedure to use the web interface (on WDS APs only) to confirm the configurations.

Procedure


Step 1 Log in to the web interface on each active WDS AP.

Step 2 Select Wireless Services > WDS > WDS Status.

Check for the following:

The WDS Information section should display the device WDS state as ACTIVE.

The WDS Registration and AP Information sections should show the correct number of APs (all of the infrastructure APs and the WDS AP).

The Mobile Node Information section should display the wireless clients participating in SWAN.

The Wireless Network Manager section should contain the WLSE IP address. If the WLSE authentication status is SECURITY KEYS SETUP, the WLSE is properly registered.


Using the Command-Line Interface to Validate the Configuration

Use this procedure to confirm the configurations on AP-WDS or WLSM-WDS devices.

Procedure


Step 1 Log in to the CLI on each active WDS device.

Step 2 To validate the WDS configuration, enter:

# show wlccp wds ap
MAC-ADDR        IP-ADDR         STATE       LIFETIME
000c.ce12.92ce  172.16.99.212   REGISTERED  62
000c.85a8.8bdd  172.16.99.213   REGISTERED  391

This command lists all of the infrastructure APs and the WDS.

Step 3 To verify that the WLSE is correctly registered, enter:

# show wlccp wnm status
WNM IP Address : 172.16.100.81 Status : SECURITY KEYS SETUP

This command should display the WLSE IP address. If the WLSE authentication status is SECURITY KEYS SETUP, the WLSE is properly registered.
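The two checks in Steps 2 and 3 can be automated once the command output has been captured. The following is an added example, not part of the Cisco documentation: it parses output in the format shown above and compares it with an inventory of expected AP MAC addresses and the expected WLSE address. The function names, the inventory set and the idea of flagging devices that are registered but not in the inventory are assumptions of this example.

```python
import re

# Constructed sample output in the format of the two commands shown above.
WDS_AP_OUTPUT = """\
MAC-ADDR IP-ADDR STATE LIFETIME
000c.ce12.92ce 172.16.99.212 REGISTERED 62
000c.85a8.8bdd 172.16.99.213 REGISTERED 391
"""
WNM_STATUS_OUTPUT = "WNM IP Address : 172.16.100.81 Status : SECURITY KEYS SETUP\n"

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)
WNM_RE = re.compile(r"WNM IP Address\s*:\s*(\S+)\s+Status\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_wds_ap(text):
    """Parse 'show wlccp wds ap' output into {mac: (ip, state, lifetime)}."""
    aps = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, prompts and blank lines: data rows start with a MAC.
        if len(fields) < 3 or not MAC_RE.match(fields[0]):
            continue
        if fields[-1].isdigit():
            state, lifetime = " ".join(fields[2:-1]), int(fields[-1])
        else:  # row without a numeric lifetime column
            state, lifetime = " ".join(fields[2:]), None
        aps[fields[0].lower()] = (fields[1], state, lifetime)
    return aps


def parse_wnm_status(text):
    """Parse 'show wlccp wnm status' output into (ip, status), or None."""
    match = WNM_RE.search(text)
    return (match.group(1), match.group(2)) if match else None


def validate(wds_ap_text, wnm_text, expected_macs, wlse_ip):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    aps = parse_wds_ap(wds_ap_text)
    registered = set(aps)
    expected = {mac.lower() for mac in expected_macs}
    for mac in sorted(expected - registered):
        findings.append(f"{mac}: expected AP is not in the WDS registration table")
    for mac in sorted(registered - expected):
        findings.append(f"{mac}: registered with the WDS but not in the inventory")
    for mac in sorted(expected & registered):
        ip, state, _ = aps[mac]
        if state != "REGISTERED":
            findings.append(f"{mac} ({ip}): state is {state!r}, not REGISTERED")
    wnm = parse_wnm_status(wnm_text)
    if wnm is None:
        findings.append("no WNM status line found")
    else:
        ip, status = wnm
        if ip != wlse_ip:
            findings.append(f"WNM IP address is {ip}, expected the WLSE at {wlse_ip}")
        if status != "SECURITY KEYS SETUP":
            findings.append(f"WLSE status is {status!r}, not SECURITY KEYS SETUP")
    return findings


if __name__ == "__main__":
    inventory = {"000c.ce12.92ce", "000c.85a8.8bdd"}  # WDS AP plus infrastructure APs
    problems = validate(WDS_AP_OUTPUT, WNM_STATUS_OUTPUT, inventory, "172.16.100.81")
    print("\n".join(problems) if problems else "WDS and WLSE registration look correct")
```
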