Guest

CiscoWorks Wireless LAN Solution Engine (WLSE) Express

CiscoWorks Wireless LAN Solution Engine Express 2.13


CiscoWorks Wireless LAN Solution Engine Express 2.13

OVERVIEW

Q. What is the CiscoWorks Wireless LAN Solution Engine Express (WLSE Express)?
A. CiscoWorks WLSE Express is an integrated management and security solution that helps simplify and automate the deployment and security of Cisco® Aironet® autonomous access points. It provides a solution for small- and midsized-businesses (SMB) and enterprise branch-office WLAN deployments of up to 100 Cisco Aironet Autonomous access points located in one or multiple locations. It provides comprehensive air/radio frequency (RF) and device-management capabilities in ways that simplify deployment, reduce operational complexity, and provide administrators visibility into the WLAN. By automating several RF and device-management tasks, CiscoWorks WLSE Express reduces the costs and time needed for WLAN deployment, management, and security.
CiscoWorks WLSE Express also provides an integrated user authentication and authorization server, making it an ideal solution for remote and branch-office deployments with limited WAN bandwidth. This solution also provides survivability for WAN failure scenarios and allows users to authenticate locally. It supports popular Extensible Authentication Protocol (EAP) types including Cisco LEAP, Protected EAP (PEAP), EAP Flexible Authentication via Secure Tunneling (EAP-FAST), and EAP Transport Layer Security (EAP-TLS).
CiscoWorks WLSE Express supports up to 50 Cisco Aironet Autonomous access points and 500 AAA user accounts, with an optional license upgrade to support 100 Cisco Aironet Autonomous access points and 1000 AAA user accounts. Please refer to the CiscoWorks WLSE Express datasheet on upgrade option for 100 access points.
Q. What is the Cisco Aironet autonomous access point solution?
A. Cisco Aironet access points that are not centrally managed by LWAPP (Lightweight Access Point Protocol) enabled Controllers are referred to as "autonomous" access points.
Q. What are the primary benefits of CiscoWorks WLSE Express and the Cisco Aironet autonomous WLAN solution?
A. Cisco Aironet autonomous WLAN solution reduces overall operational expenses by simplifying network deployment operations and management. With Cisco Aironet autonomous WLAN solution, several, hundreds, or thousands of central or remotely located Cisco access points can be managed from a single management console. Cisco Aironet autonomous WLAN solution's flexibility allows network managers to design networks to meet their specific needs, whether implementing a highly integrated network design or a simple overlay network.
Q. What role does CiscoWorks WLSE Express perform in the Cisco Aironet autonomous WLAN Solution?
A. CiscoWorks WLSE Express provides comprehensive management for the Cisco Aironet autonomous WLAN access point solution. CiscoWorks WLSE Express, working with Cisco Aironet autonomous access points, provides visibility into the RF network, including coverage displays, continual "Air/RF" monitoring, network security with intrusion detection and suppression, simplified deployment, self-healing capabilities, and network optimization. CiscoWorks WLSE Express also assists network managers by automating and simplifying mass configuration deployment, fault and policy monitoring and alerting, tracking wireless clients, and reporting.

DEVICE SUPPORT

Q. How many Cisco Aironet autonomous access points can CiscoWorks WLSE Express manage?
A. CiscoWorks WLSE Express manages up to 50 Cisco Aironet access points, with an optional license upgrade to support 100 Cisco Aironet access points.
Q. How many users does the integrated user authentication and authorization server on CiscoWorks WLSE Express support?
A. The standard CiscoWorks WLSE Express supports up to 500 users, or up to 1000 users with the license upgrade version of CiscoWorks WLSE Express, which supports 100 Cisco Aironet access points.
Q. What EAP protocols are supported on CiscoWorks WLSE Express integrated authentication and authorization server?
A. CiscoWorks WLSE Express supports LEAP, EAP-FAST, PEAP, and EAP-TLS.
Q. Does CiscoWorks WLSE Express provide feature parity with CiscoWorks WLSE in terms of management feature support?
A. Yes.
Q. Which Cisco Aironet access points are supported by CiscoWorks WLSE Express?
A. CiscoWorks WLSE Express supports Cisco Aironet 1242 AG, 1230 AG, 1200, 1130 AG, 1100, and 350 series access points. It also supports the Cisco Aironet 1310 Access Point/Bridge and Cisco Aironet 1400 Wireless Bridge.
Q. Does CiscoWorks WLSE Express support the Cisco 1000 Series lightweight access points (formerly Airespace access points)?
A. No. The Cisco 1000 Series lightweight access points are supported by the Cisco Wireless Control System.
Q. Do Cisco Aironet access points need to run Cisco IOS® Software to support the Cisco Integrated Wireless framework?
A. Yes, only Cisco Aironet access points running Cisco IOS Software can support Cisco Integrated Wireless and send RF management data back to CiscoWorks WLSE Express.
Q. Does CiscoWorks WLSE Express 2.13 support Cisco Aironet 1200 and Aironet 350 series access points running VxWorks software?
A. No. CiscoWorks WLSE Express 2.12 and above does not support VxWorks-based access points. Customers that want to continue to manage VxWorks access points have to stay on CiscoWorks WLSE Express 2.11.
Q. Does CiscoWorks WLSE Express support Cisco Aironet wireless bridges?
A. Yes, CiscoWorks WLSE Express provides network management support, including configuration, monitoring, and reporting for the Cisco Aironet 1400 and Aironet 1300 in wireless bridge mode. CiscoWorks WLSE provides Cisco Integrated Wireless RF Management support for the Cisco Aironet 1300 when it is configured in access-point mode.
Q. Does CiscoWorks WLSE Express support IEEE 802.11a, b, and g networks?
A. Yes. CiscoWorks WLSE Express supports IEEE 802.11a, b, and g networks.
Q. Does CiscoWorks WLSE support the Cisco Wireless IP Phone 7920?
A. The Cisco Wireless IP Phone 7920 is supported by CiscoWorks WLSE Express as a wireless client. CiscoWorks WLSE Express provides client-association reports and client-tracking support for the Cisco Wireless IP Phone 7920. The client-tracking feature can be used for troubleshooting and finding associated access points.
Q. Does CiscoWorks WLSE Express support the Cisco Catalyst® 6500 Series Wireless LAN Services Module (WLSM)?
A. Yes. CiscoWorks WLSE Express interoperates with the Cisco Distributed WLAN Wireless Domain Services (WDS) software feature. WDS can run on both Cisco Aironet access points and the Cisco Catalyst 6500 Series WLSM. WDS aggregates radio management information received from the access points and client devices and sends this information to the CiscoWorks WLSE Express where it is used to manage, monitor, and control the RF environment. CiscoWorks WLSE Express also generates reports for monitoring WLSM clients/mobility groups.

RF MANAGEMENT AND WIRELESS DOMAIN SERVICES

Q. What is Wireless Domain Services (WDS)?
A. WDS is a collection of Cisco IOS Software features that enhance WLAN client mobility, help to ensure WLAN security, and simplify WLAN deployment and management. WDS can be located in Cisco Aironet access points or Cisco Catalyst switches. The WDS sends RF measurements to CiscoWorks WLSE Express for wireless intrusion detection and RF management.
Q. What platforms can operate a WDS device?
A. WDS device can be a Cisco Aironet 1242 AG, 1230 AG, Aironet 1200, Aironet 1130 AG, or Aironet 1100 series access point, or a Cisco Catalyst 6500 Series WLSM.
Q. Is WDS required for RF management when the Cisco Distributed WLAN autonomous access-point solution is used?
A. Yes. A WDS device is required for the Cisco Distributed WLAN access-point solution. For deployments that use access point-based WDS, at least one WDS access point per subnet is required for RF management of that subnet.
Q. How is WDS related to CiscoWorks WLSE Express?
A. RF measurements taken by access points (and optionally Cisco or Cisco compatible client devices) within a given subnet are aggregated by the WDS device and forwarded to CiscoWorks WLSE Express for analysis. Based on the measurements received from the WDS device, CiscoWorks WLSE Express can detect rogue access points, interference from other devices, provide assisted site surveys, and support WLAN self-healing for optimal channel and power-level setting.
Q. Can Cisco Aironet access points support clients while scanning the air/RF environment?
A. Yes. Cisco Aironet access points are multifunctional. In addition to serving clients, they also provide air/RF monitoring.
Q. Are third-party switches supported for rogue access-point switch-port tracing and shutdown?
A. No. CiscoWorks WLSE Express uses the Cisco Discovery Protocol and other Cisco SNMP MIBs to trace rogue access points to specific switch ports, and thus supports Cisco switches exclusively.
Q. Can a rogue access point configured on a different channel than the access point scanning the RF environment be detected?
A. Yes. Cisco Aironet access points can monitor both the serving channel and nonserving channels, so a rogue access point configured on a different channel than the access point scanning the RF environment can be detected.
Q. Is there service disruption to associated clients, when an access point performs air/RF scanning?
A. No. There is no service disruption to associated clients when an access point performs air/RF scanning.
Q. Can an IEEE 802.11a rogue access point be detected by an IEEE 802.11b/g radio?
A. No. An IEEE 802.11a radio is required to detect an IEEE 802.11 rogue access point. The dual-mode IEEE 802.11a/b/g Cisco Aironet 1230 AG, Aironet 1200, or Aironet 1130 AG series access points can be deployed to detect IEEE 802.11a/b/g rogue access points.

WIRELESS LAN INTRUSION DETECTION AND PROTECTION

Q. Does the Cisco Distributed WLAN autonomous access-point solution support a WLAN intrusion detection system (IDS)?
A. Yes. The Cisco Distributed WLAN autonomous access-point solution supports a WLAN IDS. WLAN IDS helps to secure WLANs from malicious and unauthorized access. It detects and suppresses rogue access points, detects unassociated clients, detects unauthorized networks, and mitigates network attacks. The system is deployable as either an integrated or dedicated solution through Cisco Aironet access points.
Q. What is the Integrated WLAN IDS for Distributed WLAN autonomous access points?
A. Integrated WLAN IDS uses a Cisco Aironet access point deployed with its radio (802.11a, b, or g) placed in multifunction mode to service client devices and provide WLAN intrusion monitoring. In this configuration, an access point functions as both an active 802.11 infrastructure device and as an 802.11 scanning device. Basic WLAN IDS capabilities such as rogue access-point detection and unauthorized client network detection are supported.
Q. What is the Dedicated WLAN IDS for Distributed WLAN autonomous access points?
A. Dedicated WLAN IDS uses a Cisco Aironet access point deployed with its radio (802.11a, b, or g) placed in scanning-only mode to support only WLAN intrusion monitoring. In this configuration, an access point functions as an 802.11 scanning-only device providing continuous, 24-hour monitoring of the RF environment. The access point's full bandwidth is dedicated to intrusion detection RF monitoring.
Q. How do I deploy Cisco Aironet access points operating in scanning-only mode?
A. Cisco Aironet access points operating in scanning-only mode are deployed as dedicated access points to detect intrusions. Because scanner-mode access points are not supporting client devices only a small number of access points, with higher gain antennas, need to be deployed for complete dedicated WLAN IDS. Scanner-mode access points can also be deployed as an overlay to an existing integrated WLAN for advanced WLAN IDS support.
Q. How does CiscoWorks WLSE Express contain any rogue access points that have been detected through air/RF monitoring?
A. CiscoWorks WLSE Express traces the switch port of the detected rogue access point. It provides an effective means of tracing rogue access points by monitoring and using the clients associated to rogue access points. When a switch port is traced, CiscoWorks WLSE Express can shut down the switch port, disabling the rogue device from accessing the network.
Q. What is Management Frame Protection in CiscoWorks WLSE Express?
A. CiscoWorks WLSE Express also provides Management Frame Protection (MFP), by which management frames between Access Points are authenticated, eliminating several WLAN attacks that arise due to spoofing of authorized devices. CiscoWorks WLSE Express enables MFP in the network and provides visibility into network events associated with MFP detection/protection

DEPLOYMENT, MANAGEMENT, AND TROUBLESHOOTING

Q. How does CiscoWorks WLSE Express provide automatic configuration for factory default access-point deployment?
A. Automatic configuration facilitates automatic downloading of configurations to newly deployed access points and bridges based on customer-defined templates. This simplifies and speeds up the deployment of new access points. CiscoWorks WLSE Express provides a deployment wizard that allows administrators to define their configuration policies for access points up front based on the location. With WLSE Express 2.12 and above, device specific settings such as hostname, channel and power can also be automatically applied when new access point gets plugged in. The wizard also simplifies and automates the setup for access-point-based WDS. CiscoWorks WLSE Express can automatically designate a primary and backup access-point-based WDS per subnet and automatically generate configurations and credentials.
Q. How does access point automatic configuration work?
A. The network administrator can use the CiscoWorks WLSE Express deployment wizard and specify the access-point configuration policies and setup based on the location (subnet). When the new access point boots, it receives the CiscoWorks WLSE Express information from the Dynamic Host Configuration Protocol (DHCP) server and downloads the default configuration. Specific configuration templates based on device type, subnet, and software version can be applied automatically on authorized access points. With WLSE Express 2.12 and above, device specific settings such as hostname, channel and power can also be automatically applied when new access point gets plugged in.
Q. Can shared keys and other security parameters be configured automatically?
A. Yes. Shared keys and other security parameters can be configured using the specific configuration templates based on device type, subnet, and so on.
Q. Can CiscoWorks WLSE Express be used to archive access-point and bridge configurations?
A. Yes. CiscoWorks WLSE Express can save up to four configurations for each device. Device configuration can be archived on demand, or scheduled to run periodically. Users can view, search, and compare configurations.
Q. Is a client walkabout required for the assisted site survey?
A. No. Client walkabouts are optional for the assisted site survey. CiscoWorks WLSE Express can provide optimal channel and power-level settings based on only the access-point air/RF monitoring phase of the assisted site survey. However, performing client walkabouts during the assisted site survey is recommended because it increases the coverage for RF management and it makes the site surveys more effective. A Cisco client adapter or a Cisco compatible client adapter can be used to perform a client walkabout.
Q. What does a "scan-only" or "scanner-mode" access point provide?
A. Scanner-mode access points are dedicated access points that are used to monitor the air/RF environment for intrusions. Scanner-mode access points do not support client associations; they only monitor the air/RF environment. They provide enhanced WLAN IDS features such as detecting unregistered wireless clients, in addition to basic WLAN IDS capabilities such as rogue access-point detection and unauthorized client network detection. They provide continuous, 24-hour, uninterrupted air/RF scanning.
Q. How does the Cisco Aironet autonomous access-point solution provide self-healing?
A. If CiscoWorks WLSE Express detects that an access point has failed, it compensates by automatically adjusting the power and cell coverage of nearby access points. Self Healing runs on the WLSE Express and uses SNMP to adjust neighboring APs in response to the loss or recovery of a radio. WLAN self-healing minimizes the outage impact to wireless client devices and maximizes the availability of wireless applications.
Q. When CiscoWorks WLSE Express adjusts the power of access points to cover for a lost radio access point during WLAN self-healing, is there service disruption to existing client devices?
A. No. There is no service disruption to client devices associated to access points that have increased their power during WLAN self-healing.
Q. Can CiscoWorks WLSE Express be used to track a wireless client device?
A. Yes. CiscoWorks WLSE Express can be used to discover the associated access point of a specific client device. Client lookup by MAC address, user name, and client name are supported. User name lookup is supported for IEEE 802.1X Cisco LEAP and Protected Extensible Authentication Protocol (PEAP) running on Cisco Secure Access Control Server. Because WDS notifies CiscoWorks WLSE Express when a client roams, this information is available in near real time as opposed to a polling-based model.

MONITORING

Q. How does CiscoWorks WLSE Express gather fault and performance data?
A. The CiscoWorks WLSE Express queries standard Simple Network Management Protocol (SNMP) MIBs from Cisco devices whenever possible. Administrators can specify polling intervals and define thresholds for monitored data. When thresholds are exceeded, CiscoWorks WLSE Express can generate northbound alarms and traps through SNMP traps, syslog messages, and e-mail notifications. This allows wireless fault information from deployed CiscoWorks WLSE Express devices to be consolidated using a higher-level network management system, such as HP OpenView or the Cisco Information Center.
Q. Can there be multiple syslog or trap receivers that receive messages from the CiscoWorks WLSE Express?
A. Yes. Multiple syslog or trap receivers can be defined.
Q. Does CiscoWorks WLSE Express receive SNMP traps from the WLAN infrastructure?
A. No. CiscoWorks WLSE Express monitors the WLAN infrastructure using SNMP polling and in turn generates SNMP trap messages to be forwarded to other network management applications when user-defined thresholds are exceeded.
Q. How much historical data can CiscoWorks WLSE Express store?
A. CiscoWorks WLSE Express can save up to a few weeks of historical data. Administrators can specify both aggregation and truncation frequencies for the monitored data.
Q. Does CiscoWorks WLSE Express support Multiple Basic Service Set Identifiers (MBSSID) on Cisco Aironet access points?
A. Yes, CiscoWorks WLSE Express can be used to configure and monitor MBSSIDs. Security policies for multiple basic Service Set Identifiers (SSIDs) can be defined and monitored.

USER INTERFACE

Q. Can a device-level access-point interface be launched from CiscoWorks WLSE Express?
A. Yes. A device-level Web interface can be launched and independently used to configure an access point or a bridge from CiscoWorks WLSE Express.
Q. Does CiscoWorks WLSE Express provide a visual representation of Cisco Aironet access points?
A. Yes. CiscoWorks WLSE Express provides GUI visualization of Cisco Aironet access points and coverage displays with its Location Manager feature. Administrators can import a floor plan (.jpeg or .gif formats) and place the access points in approximate locations. A rogue access point's location is shown on the floor plan GUI.

APPLIANCE

Q. Where should CiscoWorks WLSE Express reside in the network?
A. A. There are several deployment options. It can be deployed in each remote site to provide localized security and management for all the Cisco Aironet access points deployed in that site. Alternatively, for commercial and small deployments it can be deployed in the network operations center (NOC) to manage several locations consisting of 50-100 Cisco Aironet access points.
Q. Can the CiscoWorks WLSE Express hardware be upgraded?
A. No. The CiscoWorks 1030 for WLSE, which is the hardware that CiscoWorks WLSE Express runs on, has a fixed configuration. No components of the CiscoWorks 1030 can be upgraded or replaced in the field. As application needs change, new hardware configurations will be introduced into the product family to support changing requirements. This approach enhances the reliability and supportability of the CiscoWorks WLSE Express.
Q. Does the CiscoWorks WLSE Express support data backup and restore capabilities?
A. A. Yes. The CiscoWorks WLSE Express configuration data can be backed up to another device and later restored. Data backup can also be scheduled to run periodically, to minimize the data loss in the event of a CiscoWorks WLSE Express failure.
Q. Does CiscoWorks WLSE Express support redundancy?
A. Yes. The CiscoWorks WLSE Express supports warm-standby redundancy. A backup server can be configured to take over the wireless management in the case of a primary CiscoWorks WLSE Express failure. Data on primary and backup servers can be synchronized periodically (the minimum is 15 minutes). Multiple CiscoWorks WLSE Express servers can be assigned and referenced by a virtual IP address to make this transparent to the user. Both primary and backup CiscoWorks WLSE Express servers have to reside on the same subnet.
Q. Can CiscoWorks WLSE Express software run on a customer-provided workstation or server?
A. No. CiscoWorks WLSE Express software is available only preinstalled on the specialized CiscoWorks 1030 for WLSE hardware.

INTEGRATION

Q. How does CiscoWorks WLSE Express integrate with other network management systems?
A. When network faults are detected or user-defined performance thresholds are exceeded, CiscoWorks WLSE Express generates notifications through SNMP trap and syslog messages that can be forwarded to other network management systems. CiscoWorks WLSE Express also provides an Extensible Markup Language (XML) API for exporting device lists, faults, reports, and other settings for third-party integration and customization.
Q. What is the integration between the CiscoWorks WLSE Express and CiscoWorks LAN Management Solution (LMS)?
A. CiscoWorks LMS provides broad, generalized network-operations management for a wide range of Cisco devices. It integrates with CiscoWorks WLSE Express in the following ways:

• CiscoWorks WLSE Express can be launched from CiscoWorks LMS and vice versa.

• A list of IP addresses and credentials from the inventory can be imported and exported between CiscoWorks LMS and CiscoWorks WLSE Express. Device import can be automated.

Q. Is CiscoWorks LMS required for CiscoWorks WLSE Express to work?
A. No. CiscoWorks LMS is not required for CiscoWorks WLSE Express to function.
Q. Is CiscoWorks WLSE Express required for CiscoWorks LMS to manage Cisco wireless devices?
A. No. CiscoWorks LMS can perform standard maintenance operations on Cisco Aironet access points just as it does for any other Cisco device. However, the operations in CiscoWorks LMS are generalized, and not specific to the unique factors involved in managing Cisco wireless-aware infrastructure. For complete management of wireless technology, CiscoWorks WLSE or WLSE Express is required.
Q. What is the integration between the CiscoWorks WLSE and Access Control Server (ACS)?
A. Access Control Server provides role based Authentication for users logging into WLSE. ACS groups can be created with user role mapping. ACS provides some default roles like Sys-Admin. Operator etc. User roles other than the default ones available in ACS needs to be still created in the WLSE. The result of this integration is:

1. Centralized user account management with user to role mapping

2. No user accounts need to be created in WLSE

3. No user roles need to be created in WLSE (For default ACS roles)

ORDERING

Q. Are hardware and software service support programs available? How are they ordered?
A. Yes. A Software Application Support (SAS) service contract can be purchased that provides Cisco Technical Assistance Center (TAC) support, Cisco.com Software Center access, and minor updates. You can also purchase a Cisco SMARTnet® hardware service contract that provides hardware support for the CiscoWorks 1030 for WLSE. Contact your service representative for available options.
Q. How can I upgrade the CiscoWorks WLSE Express to support up to 100 Cisco Aironet access points?
A. Upgrading CiscoWorks WLSE Express to manage 100 Cisco Aironet access points and 1000 AAA users can be done by ordering an additional 50-device license.
Q. How do I gain access to CiscoWorks WLSE Express software updates?
A. Software patches and updates are posted to the Cisco.com Software Center. Customers with existing SAS contracts can also obtain the latest release of CiscoWorks WLSE Express 2.13 software through the Product Upgrade Tool at: http://www.cisco.com/upgrade.

FOR MORE INFORMATION

For more information about Cisco Aironet products, visit: http://www.cisco.com/go/aironet
For more information about CiscoWorks WLSE, visit: http://www.cisco.com/go/wlse
For more information about Cisco Secure ACS, visit: http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html