Cisco Prime Infrastructure 3.0 User Guide

Viewing All Controllers

You can view a summary of all controllers in the Prime Infrastructure database.

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 To use the command buttons at the top of the page, select the check box next to one or more controllers.

Step 3 To view specific information about a controller, click on a Device Name.

Related Topics

• Wireless Controller Summary Information
• Controller-Specific Commands

Wireless Controller Summary Information

When you choose Configuration > Network > Network Devices , select Device Type > Wireless Controller , then select a check box next to one or more controllers, summary information appears:

Related Topics

• Controller-Specific Commands

Controller-Specific Commands

When you choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller and select the checkbox next to one or more devices, the following buttons appear at the top of the page:

• Delete—Allows you to delete a controller.
• Edit—Allows you to edit general parameters, SNMP parameters, Telnet/SSH parameters, HTTP parameters, and IPSec parameters.
• Sync—
• Groups & Sites—Allows you to add and remove controllers from location groups and sites.
• Reboot—Enables you to confirm the restart of your controller after saving configuration changes. You can select these reboot options:

– Save Config to Flash—Data is saved to the controller in non-volatile RAM (NVRAM) and is preserved in the event of a power cycle. If the controller is rebooted, all applied changes are lost unless the configuration has been saved.

– Reboot APs

– Swap AP Image

• Download—Allows you to select the following options to download software to controllers.

– Download Software—Choose from TFTP, FTP, SFTP to download software to the selected controller or all controllers in the selected groups after you have a configuration group established.

– Download IDS Signatures

– Download Customized Web Auth

– Download Vendor Device Certificate

– Download Vendor CA Certificate

– Bulk Update Controllers

• Configure

– Save Config to Flash

– Discover Templates from Controller

– Templates Applied to Controller

– Audit Now

– Update Credentials

Related Topics

• Viewing All Controllers
• Wireless Controller Summary Information
• Auditing Controllers
• Updating Controller Credentials in Bulk
• Rebooting Controllers
• Downloading Software to Controllers

Auditing Controllers

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Configure > Audit Now .

Step 4 Click OK in the pop-up dialog box to remove the template associations from configuration objects in the database as well as template associations for this controller from associated configuration groups (This is a template-based audit only).

Related Topics

• Controller Audit Reports
• Viewing Templates Applied to Controllers

Controller Audit Reports

After you perform an audit on a controller, the Audit Report displays the following information:

• Device Name
• Time of Audit
• Audit Status
• Applied and Config Group Template Discrepancies information including the following:

– Template type (template name)

– Template application method

– Audit status (For example, mismatch, identical)

– Template attribute

– Value in Prime Infrastructure

– Value in Controller

• Other Prime Infrastructure Discrepancies including the following:

– Configuration type (name)

– Audit Status (For example, mismatch, identical)

– Attribute

– Value in Prime Infrastructure

– Value in Controller

– Total enforcements for configuration groups with background audit enabled. If discrepancies are found during the audit in regards to the configuration groups enabled for background audit, and if the enforcement is enabled, this section lists the enforcements made during the controller audit. If the total enforcement count is greater than zero, this number appears as a link. Click the link to view a list of the enforcements made from Prime Infrastructure.

• Failed Enforcements for Configuration Groups with background audit enabled—If the failed enforcement count is greater than zero, this number appears as a link. Click the link to view a list of failure details (including the reason for the failure) returned by the device.
• Restore Prime Infrastructure Values to Controller or Refresh Configuration from Controller—If there are configuration differences found as a result of the audit, you can either click Restore Prime Infrastructure Values to controller or Sync to bring Prime Infrastructure configuration in sync with the controller.

– Choose Restore Prime Infrastructure Values to Controller to push the discrepancies to the device.

Related Topic

• Auditing Controllers

Updating Controller Credentials

To update SNMP and Telnet credentials, you must do so on each controller.You cannot update SNMP/Telnet credential details for multiple controllers at the same time.

SNMP write access parameters are needed for modifying controller configuration. With read-only access parameters, configuration can be displayed only and not modified.

To update the SNMP/Telnet credentials, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Configure > Update Credentials .

Step 4 Complete the required fields, then click OK .

Related Topic

• Updating Controller Credentials in Bulk

Updating Controller Credentials in Bulk

You can update multiple controllers credentials by importing a CSV file.

To update controller(s) information in bulk, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , select Wireless Controllers .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Download > Bulk Update Controllers .

Step 4 Enter the CSV filename in the Select CSV File text box or click Browse to locate the desired file.

Step 5 Click Update and Sync .

Related Topic

• Updating Controller Credentials
• Rebooting Controllers
• Replacing Old Controller Models with New Models
• Modifying Controller Properties

Rebooting Controllers

You should save the current controller configuration prior to rebooting. To reboot a controller, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , select Wireless Controllers , then click Reboot > Reboot Controllers .

Step 2 Select the required Reboot Controller option:

• Save Config to Flash—Data is saved to the controller in non-volatile RAM (NVRAM) and is preserved in the event of a power cycle. If the controller is rebooted, all applied changes are lost unless the configuration has been saved.
• Reboot APs—Select the check box to enable a reboot of the access point after making any other updates.
• Swap AP Image—Indicates whether or not to reboot controllers and APs by swapping AP images. This could be either Yes or No.

Step 3 Click OK .

Related Topic

• Updating Controller Credentials
• Replacing Old Controller Models with New Models
• Modifying Controller Properties

Downloading Software to Controllers

To download software to a controller, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controllers .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Download and select one of the following options:

• Download Software TFTP
• Download Software FTP
• Download Software SFTP

Step 4 Complete the required fields.

Step 5 Select the download type. The pre-download option is displayed only when all selected controllers are using Release 7.0.x.x or later.

• Now—Executes the download software operation immediately. If you select this option, proceed with Step 7.
• Scheduled—Specify the scheduled download options.

– Schedule download to controller—Select this check box to schedule download software to controller.

– Pre-download software to APs—Select this check box to schedule the pre-download software to APs. The APs download the image and then reboot when the controller reboots. To see Image Predownload status per AP, enable the task in the Administration > Dashboards > Job Dashboard > System Jobs > Wireless Poller > AP Image Pre-Download Status , and run an AP Image Predownload report from the Report Launch Pad.

– FlexConnect AP Upgrade—Select this option to enable one access point of each model in the local network to download the image. The remaining access points will then download the image from the master access point using the pre-image download feature over the local network, which reduces the WAN latency.

Step 6 Select the Schedule options.

Schedule enough time (at least 30 minutes) between Download and Reboot so that all APs can complete the software pre-download. If any AP is in pre-download progress state at the time of the scheduled reboot, the controller will not reboot. You must wait for the pre-download to finish for all the APs, and then reboot the controller manually.

Step 7 Enter the FTP credentials including username, password, and port.

You can use special characters such as @, #, ^, *, ~, _, -, +, =, {, }, [, ], :, ., and / in the password. You cannot use special characters such as $, ', \, %, &, (, ), ;, ", <, >, , , ? , and | as part of the FTP password. The special character "!" (exclamation mark) works when the password policy is disabled.

Step 8 Select whether the file is located on the Local machine or an FTP Server . If you select FTP Server, the software files are uploaded to the FTP directory specified during the installation.

Step 9 Click Download .

If the transfer times out, choose the FTP server option in the File is located on field; the server filename is populated and Prime Infrastructure retries the operation.

Configuring IPaddr Upload Configuration/Logs from Controllers

You can upload a controller system configuration to the specified TFP or TFTP server as a file. Both File FTP and TFTP are supported for uploading and downloading files to and from Prime Infrastructure. To upload files from a controller, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 From the left sidebar menu, choose System > Commands .

Step 4 Select the FTP or TFTP radio button, then select Upload File from Controller and click Go .

Step 5 Complete the required fields.

Prime Infrastructure uses an integral TFTP and FTP server. This means that third-party TFTP and FTP servers cannot run on the same workstation as Prime Infrastructure because Prime Infrastructure and the third-party servers use the same communication port.

Step 6 Click OK . The selected file is uploaded to your TFTP or FTP server and named what you entered in the File Name text box.

Downloading IDS Signatures to Controllers

Prime Infrastructure can download Intrusion Detection System (IDS) signature files to a controller. If you specify to download the IDS signature file from a local machine, Prime Infrastructure initiates a two-step operation:

1. The local file is copied from the administrator workstation to Prime Infrastructure’s built-in TFTP server.

2. The controller retrieves that file.

If the IDS signature file is already in the Prime Infrastructure server’s TFTP directory, the downloaded web page automatically populates the filename.

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Download > Download IDS Signatures .

Step 4 Complete the required fields.

Step 5 Click Download .

If the transfer times out, choose the FTP server option in the File is located on field; the server filename is populated and Prime Infrastructure retries the operation.

Related Topics

• Viewing All Controllers
• Rebooting Controllers
• Downloading Software to Controllers
• Replacing Old Controller Models with New Models
• Modifying Controller Properties

Downloading Customized WebAuthentication Bundles to Controllers

You can compress the page and image files used for displaying a web authentication login page, known as webauth bundles, and download the file to a controller.

Controllers accept a .tar or .zip file of up to 1 MB in size. The 1 MB limit includes the total size of uncompressed files in the bundle.

To download customized web authentication bundles to a controller, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Download > Download Customized WebAuth .

Step 4 To download an example login.tar bundle file, click on the preview image displayed, then edit the login.html file and save it as a .tar or .zip file. The file contains the pages and image files required for the web authentication display.

Step 5 Download the .tar or .zip file to the controller.

Step 6 Select where the file is located.

If you select local machine, you can upload either a .zip or .tar file type. Prime Infrastructure converts .zip files to .tar files. If you choose a TFTP server download, you can specify a .tar files only.

Step 7 Complete the required fields, then click Download .

If the transfer times out, choose the FTP server option in the File is located on field; the server filename is populated and Prime Infrastructure retries the operation.

After Prime Infrastructure completes the download, you are directed to a new page and are able to authenticate.

Related Topics

• Viewing All Controllers
• Downloading Software to Controllers
• Replacing Old Controller Models with New Models
• Modifying Controller Properties

Downloading Vendor Device Certificates to Controllers

Each wireless device (controller, access point, and client) has its own device certificate. If you want to use your own vendor-specific device certificate, you must download it to the controller.

To download a vendor device certificate to a controller, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Download > Download Vendor Device Certificate .

Step 4 Complete the required fields, then click Download .

Related Topic

• Downloading Vendor CA Certificates to Controllers
• Downloading Software to Controllers
• Replacing Old Controller Models with New Models
• Modifying Controller Properties

Downloading Vendor CA Certificates to Controllers

Controllers and access points have a certificate authority (CA) certificate that is used to sign and validate device certificates. The controller is shipped with a Cisco-installed CA certificate. This certificate might be used by EAP-TLS and EAP-FAST (when not using PACs) to authenticate wireless clients during local EAP authentication. However, if you want to use your own vendor-specific CA certificate, you must download it to the controller.

To download a vendor CA certificate to the controller, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Download > Download Vendor Device Certificate .

Step 4 Complete the required fields, then click Download .

Related Topic

• Downloading Vendor Device Certificates to Controllers
• Viewing All Controllers
• Rebooting Controllers
• Downloading Software to Controllers
• Replacing Old Controller Models with New Models
• Modifying Controller Properties

Saving Controller Configurations to Flash

To save the configuration to flash memory, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Configure > Save Config to Flash .

Related Topic

• Synchronizing Configurations from Controllers
• Rebooting Controllers
• Downloading Software to Controllers
• Replacing Old Controller Models with New Models
• Modifying Controller Properties

Synchronizing Configurations from Controllers

To synchronize the configuration from the controller, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Sync .

Step 4 Click Yes to proceed.

Related Topic

• Saving Controller Configurations to Flash
• Rebooting Controllers
• Downloading Software to Controllers
• Replacing Old Controller Models with New Models
• Modifying Controller Properties

Managing Controller Templates

You can specify for which Prime Infrastructure configurations you want to have associated templates.

The templates that are discovered do not retrieve management or local user passwords.

The following rules apply for template discovery:

• Template Discovery discovers templates that are not found in Prime Infrastructure.
• Existing templates are not discovered.
• Template Discovery does not retrieve dynamic interface configurations for a controller. You must create a new template to apply the dynamic interface configurations on a controller.

Related Topic

• Discovering Controller Templates
• Rebooting Controllers
• Downloading Software to Controllers
• Replacing Old Controller Models with New Models
• Modifying Controller Properties

Discovering Controller Templates

To discover current templates, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Configure > Discover Templates from Controller .

The Discover Templates page displays the number of discovered templates, each template type and each template name.

Step 4 Select the Enabling this option will create association between discovered templates and the device listed above check box so that discovered templates are associated to the configuration on the device and are shown as applied on that controller.

The template discovery refreshes the configuration from the controller prior to discovering templates.

Step 5 Click OK in the warning dialog box to continue with the discovery.

For the TACACS+ Server templates, the configuration on the controller with same server IP address and port number but different server types are aggregated into one single template with the corresponding Server Types set on the Discovered Template. For the TACACS+ Server templates, the Admin Status on the discovered template reflects the value of Admin Status on the first configuration from the controller with same Server IP address and port number.

Related Topic

• Managing Controller Templates

Viewing Templates Applied to Controllers

You can view all templates currently applied to a specific controller. Prime Infrastructure displays templates applied in the partition only.

To view applied templates, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Select the check box(es) of the applicable controller(s).

Step 3 Click Configure > Templates Applied to a Controller .

The page displays each applied template name, template type, the date the template was last saved, and the date the template was last applied.

Step 4 Click the template name link to view the template details. See the Managing Controller Templates for more information.

Related Topic

• Auditing Controllers
• Replacing Old Controller Models with New Models

Replacing Old Controller Models with New Models

When you want to replace an old controller model with a new one without changing the IP address, do the following:

1. Delete the old controller from Prime Infrastructure and wait for the confirmation that the device was deleted.

2. Replace the controller with the new model in the setup with same IP address.

3. Re-add the IP address to Prime Infrastructure.

Related Topic

• Modifying Controller Properties

Modifying Controller Properties

To change controller properties such as the device name, location, SNMP parameters, or Telnet/SSH parameters, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Select a wireless controller, then click Edit .

Step 3 Modify the fields as desired, then click one of the following buttons:

• Update
• Update & Sync
• Verify Credentials
• Cancel to return to the previous or default settings.

Related Topic

• Configuring Controller System Parameters

Configuring Controller System Parameters

This section describes how to configure the controller system parameters and contains the following topics:

• Modifying General System Properties for Controllers
• Related Topics
• Setting Controller Time and Date

Modifying General System Properties for Controllers

To view the general system parameters for a current controller, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 From the left sidebar menu, choose System > General - System . The general system parameters appear.

Step 4 Make the required changes, then click Save .

Related Topic

• Wireless Controllers > System > General - System Field Descriptions

Enabling AP Failover Priority

When a controller fails, the backup controller configured for the access point suddenly receives a number of Discovery and Join requests. If the controller becomes overloaded, it might reject some of the access points.

By assigning failover priority to an access point, you have some control over which access points are rejected. When the backup controller is overloaded, join requests of access points configured with a higher priority levels take precedence over lower-priority access points.

To configure failover priority settings for access points, you must first enable the AP Failover Priority feature.

To enable the AP Failover Priority feature, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 From the left sidebar menu, choose General - System .

Step 4 From the AP Failover Priority drop-down list, choose Enabled .

Configuring AP Failover Priority

To configure an access point failover priority, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select an AP Name.

Step 2 From the AP Failover Priority drop-down list, choose the applicable priority ( Low , Medium , High, Critical ). The default priority is Low.

Configuring 802.3 Bridging

The controller supports 802.3 frames and applications that use them, such as those typically used for cash registers and cash register servers. However, to make these applications work with the controller, the 802.3 frames must be bridged on the controller.

Support for raw 802.3 frames allows the controller to bridge non-IP frames for applications not running over IP. Only this raw 802.3 frame format is currently supported.

To configure 802.3 bridging using Prime Infrastructure, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 Choose System > General - System to access the General page.

Step 4 From the 802.3 Bridging drop-down list, choose Enable to enable 802.3 bridging on your controller or Disable to disable this feature. The default value is Disable.

Step 5 Click Save to confirm your changes.

802.3x Flow Control

Flow control is a technique for ensuring that a transmitting entity, such as a modem, does not overwhelm a receiving entity with data. When the buffers on the receiving device are full, a message is sent to the sending device to suspend the transmission until the data in the buffers has been processed.

By default, flow control is disabled. You can only enable a Cisco switch to receive PAUSE frames but not to send them.

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 Choose System > General - System to access the General page.

Step 4 Click Enable in the 802.3x Flow Control field.

Configuring Lightweight Access Point Protocol Transport Mode

Lightweight Access Point Protocol transport mode indicates the communications layer between controllers and access points. Cisco IOS-based lightweight access points do not support Layer 2 lightweight access point mode. These access points can only be run with Layer 3.

To convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 lightweight access point transport mode using Prime Infrastructure user interface, follow these steps. This procedure causes your access points to go offline until the controller reboots and the associated access points re associate to the controller.

Step 1 Make sure that all controllers and access points are on the same subnet.

You must configure the controllers and associated access points to operate in Layer 2 mode before completing the conversion.

Step 2 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 3 Click a Device Name, click the Configuration tab, then choose System > General - System to access the General page.

a. Change lightweight access point transport mode to Layer2 and click Save .

b. If Prime Infrastructure displays the following message, click OK :

Step 4 Select the controller, then click Reboot > Reboot Controllers .

Step 5 Select the Save Config to Flash option.

Step 6 After the controller reboots, follow these steps to verify that the CAPWAP transport mode is now Layer 2:

a. Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

b. Click the device name of the applicable controller.

c. Verify that the current CAPWAP transport mode is Layer2 from the System > General - System page.

You have completed the CAPWAP transport mode conversion from Layer 3 to Layer 2. The operating system software now controls all communications between controllers and access points on the same subnet.

Aggressive Load Balancing

In routing, load balancing refers to the capability of a router to distribute traffic over all its network ports that are the same distance from the destination address. Good load-balancing algorithms use both line speed and reliability information. Load balancing increases the use of network segments, thus increasing effective network bandwidth.

Aggressive load balancing actively balances the load between the mobile clients and their associated access points.

Link Aggregation

Link aggregation allows you to reduce the number of IP addresses needed to configure the ports on your controller by grouping all the physical ports and creating a link aggregation group (LAG). In a 4402 model, two ports are combined to form a LAG whereas in a 4404 model, all four ports are combined to form a LAG.

You cannot create more than one LAG on a controller.

If LAG is enabled on a controller, the following configuration changes occur:

• Any dynamic interfaces that you have created are deleted in order to prevent configuration inconsistencies in the interface database.
• Interfaces cannot be created with the “Dynamic AP Manager” flag set.

The advantages of creating a LAG include the following:

• Assurance that, if one of the links goes down, the traffic is moved to the other links in the LAG. As long as one of the physical ports is working, the system remains functional.
• You do not need to configure separate backup ports for each interface.
• Multiple AP-manager interfaces are not required because only one logical port is visible to the application.

When you make changes to the LAG configuration, the controller has to be rebooted for the changes to take effect.

Wireless Management

Because of IPsec operation, management via wireless is only available to operators logging in across WPA, Static WEP, or VPN Pass Through WLANs. Wireless management is not available to clients attempting to log in via an IPsec WLAN.

Mobility Anchor Group Keep Alive Interval

You can specify the delay between tries for clients attempting to join another access point. This decreases the time it takes for a client to join another access point following a controller failure because the failure is quickly identified, the clients are moved away from the problem controller, and the clients are anchored to another controller.

Related Topics

• Restoring Controller Factory Defaults
• Setting Controller Time and Date
• Downloading Configurations to Controllers

Restoring Controller Factory Defaults

You can reset the controller configuration to the factory default. This overwrites all applied and saved configuration parameters. You are prompted for confirmation to reinitialize your controller.

All configuration data files are deleted, and upon reboot, the controller is restored to its original non-configured state. This removes all IP configuration, and you need a serial connection to restore its base configuration.

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 From the left sidebar menu, choose System > Commands , and from the Administrative Commands drop-down list, choose Reset to Factory Default , and click Go to access this page.

Step 4 After confirming configuration removal, you must reboot the controller and select the Reboot Without Saving option.

Related Topic

• Rebooting Controllers
• Setting Controller Time and Date
• Downloading Configurations to Controllers

Setting Controller Time and Date

You can manually set the current time and date on the controller.

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 From the left sidebar menu, choose System > Commands , and from the Configuration Commands drop-down list choose Set System Time , and click Go .

Step 4 Modify the required parameters:

• Current Time—Shows the time currently being used by the system.
• Month/Day/Year—Choose the month/day/year from the drop-down list.
• Hour/Minutes/Seconds—Choose the hour/minutes/seconds from the drop-down list.
• Delta (hours)—Enter the positive or negative hour offset from GMT (Greenwich Mean Time).
• Delta (minutes)—Enter the positive or negative minute offset from GMT.
• Daylight Savings—Select to enable Daylight Savings Time.

Uploading Configuration and Logs from Controllers

You can upload files from controllers to a local TFTP (Trivial File Transfer Protocol) server. You must enable TFTP to use the Default Server option on the Administration System Settings > Server Settings page.

Prime Infrastructure uses an integral TFTP server. This means that third-party TFTP servers cannot run on the same workstation as Prime Infrastructure, because the Cisco Prime Infrastructure and the third-party TFTP servers use the same communication port.

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 From the left sidebar menu, choose System > Commands .

Step 4 From the Upload/Download Commands drop-down list, choose Upload File from Controller , then click Go .

By default, configuration file encryption is disabled. Uploading configuration file is unsecured without encryption.

Step 5 To enable encryption before uploading files, click the link at the bottom of the Upload File from Controller page.

Step 6 Complete the required fields, then click OK . The selected file is uploaded to your TFTP server with the name you specified.

Related Topic

• Downloading Configurations to Controllers
• Restoring Controller Factory Defaults
• Setting Controller Time and Date
• Downloading Configurations to Controllers

Downloading Configurations to Controllers

You can download configuration files to your controller from a local TFTP (Trivial File Transfer Protocol) server.

Prime Infrastructure uses an integral TFTP server. This means that third-party TFTP servers cannot run on the same workstation as Prime Infrastructure, because the Cisco Prime Infrastructure and the third-party TFTP servers use the same communication port.

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 From the left sidebar menu, choose System > Commands .

Step 4 From the Upload/Download Commands drop-down list, choose Download Config , then click Go .

Step 5 Complete the required fields, then click OK.

Related Topic

• Uploading Configuration and Logs from Controllers
• Restoring Controller Factory Defaults
• Setting Controller Time and Date

Configuring Controller System Interfaces

Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller to configure controller system interfaces.

Related Topics

• Adding Interfaces to Controllers
• Viewing or Modifying Controller Interface Details
• Deleting Dynamic Interfaces
• NAC Integration
• Wired Guest Access

Adding Interfaces to Controllers

To add an interface:

Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 From the left sidebar menu, choose System > Interfaces .

Step 4 From the Select a command drop-down list, choose Add Interface > Go.

Step 5 Complete the required fields, then click Save.

Related Topics

• Viewing or Modifying Controller Interface Details
• Deleting Dynamic Interfaces

Viewing or Modifying Controller Interface Details

To view the existing interfaces:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 From the left sidebar menu, choose System > Interfaces . The following parameters appear:

• Check box—Check box to select the dynamic interface for deletion. Choose Delete Dynamic Interfaces from the Select a command drop-down list.
• Interface Name —User-defined name for the interface (for example, Management, Service-Port, Virtual).
• VLAN Id—VLAN identifier between 0 (untagged) and 4096, or N/A.
• Quarantine—Select the check box if the interface has a quarantine VLAN ID configured on it.
• IP Address—IP address of the interface.
• Interface Type—Interface Type: Static (Management, AP-Manager, Service-Port, and Virtual interfaces) or Dynamic (operator-defined interfaces).
• AP Management Status—Status of AP Management interfaces and the parameters include Enabled, Disabled, and N/A. Only the management port can be configured as Redundancy Management Interface port.

Related Topics

• Adding Interfaces to Controllers
• Deleting Dynamic Interfaces

Deleting Dynamic Interfaces

The dynamic interface cannot be deleted if it has been assigned to any interface group. To delete a dynamic interface:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click a Device Name, then click the Configuration tab.

Step 3 From the left sidebar menu, choose System > Interfaces .

Step 4 Select the check box of the dynamic interface that you want to delete and choose Delete Dynamic Interfaces from the Select a command drop-down list.

Step 5 Click OK to confirm the deletion.

Related Topics

• Adding Interface Groups
• Viewing or Modifying Controller Interface Details

Configuring Controller System Interface Groups

Interface groups are logical groups of interfaces. Interface groups facilitate user configuration where the same interface group can be configured on multiple WLANs or while overriding a WLAN interface per AP group. An interface group can exclusively contain either quarantine or nonquarantine interfaces. An interface can be part of multiple interface groups.

Follow these recommendations while configuring controller system interface groups:

• Ensure that the interface group name is different from the interface name.
• Guest LAN interfaces cannot be part of interface groups

The Interface Groups feature is supported by Cisco Wireless Controller software release 7.0.116.0 and later.

Related Topics

• Adding Interface Groups
• Deleting Interface Groups
• Viewing Interface Groups

Adding Interface Groups

To add an interface group:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 From the left sidebar menu, choose System > Interface Groups .

Step 4 From the Select a command drop-down list, choose Add Interface Group and click Go.

Step 5 Complete the required fields, then click Add.

The Interface dialog box appears.

Step 6 Select the interfaces that you want to add to the group, and click Select .

Step 7 To remove an Interface from the Interface group, from the Interface Group page, select the Interface and click Remove .

Step 8 Click Save to confirm the changes made.

Related Topics

• Configuring Controller System Interface Groups
• Deleting Interface Groups

Deleting Interface Groups

You cannot delete interface groups that are assigned to:

• WLANs
• AP groups
• Foreign Controller Mapping for WLANs
• WLAN templates
• AP group templates

To delete an interface group:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 Click the Device Name of the applicable controller.

Step 4 From the left sidebar menu, choose System > Interface Groups .

Step 5 Select the check box of the interface group that you want to delete.

Step 6 From the Select a command drop-down list, choose Delete Interface Group , and click Go .

Step 7 Click OK to confirm the deletion.

Related Topics

• Configuring Controller System Interface Groups

Viewing Interface Groups

To view existing interface groups:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 From the left sidebar menu, choose System > Interface Groups . The following parameters appear:

• Name—User-defined name for the interface group (For example, group1, group2).
• Description—(Optional) Description for the Interface Group.
• Interfaces—Count of the number of interfaces belonging to the group.

Step 4 Click the Interface Group Name link.

The Interface Groups Details page appears with the Interface group details as well as the details of the Interfaces that form part of that particular Interface group.

Related Topics

• Configuring Controller System Interface Groups

NAC Integration

The Cisco Network Admission Control (NAC) appliance, also known as Cisco Clean Access (CCA), is a Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether machines are compliant with security policies and repairs vulnerabilities before permitting access to the network. The NAC appliance is available in two modes: in-band and out-of-band. Customers can deploy both modes if desired, each geared toward certain types of access (in-band for supporting wireless users and out-of-band for supporting wired users, for example).

Related Topics

• Guidelines for Using SNMP NAC
• Configuring NAC Out-of-Band Integration (SNMP NAC): Workflow

Guidelines for Using SNMP NAC

Follow these guidelines when using SNMP NAC out-of-band integration:

• The NAC appliance supports up to 3500 users, and the controller supports up to 5000 users. Therefore, multiple NAC appliances might need to be deployed.
• Because the NAC appliance supports static VLAN mapping, you must configure a unique quarantine VLAN for each interface configured on the controller. For example, you might configure a quarantine VLAN of 110 on controller 1 and a quarantine VLAN of 120 on controller 2. However, if two WLANs or guest LANs use the same distribution system interface, they must use the same quarantine VLAN, provided they have one NAC appliance deployed in the network. The NAC appliance supports unique quarantine-to-access VLAN mapping.
• For posture reassessment based on session expiry, you must configure the session timeout on both the NAC appliance and the WLAN, making sure that the session expiry on the WLAN is greater than that on the NAC appliance.
• When a session timeout is configured on an open WLAN, the timing out of clients in the Quarantine state is determined by the timer on the NAC appliance. Once the session timeout expires for WLANs using web authentication, clients deauthenticate from the controller and must perform posture validation again.
• NAC out-of-band integration is supported only on WLANs configured for FlexConnect central switching. It is not supported for use on WLANs configured for FlexConnect local switching.
• If you want to enable NAC on an access point group VLAN, you must first enable NAC on the WLAN. Then you can enable or disable NAC on the access point group VLAN. If you ever decide to disable NAC on the WLAN, be sure to disable it on the access point group VLAN as well.
• NAC out-of-band integration is not supported for use with the WLAN AAA override feature.
• All Layer 2 and Layer 3 authentication occurs in the quarantine VLAN. To use external web authentication, you must configure the NAC appliance to allow HTTP traffic to and from external web servers and to allow the redirect URL in the quarantine VLAN.

Related Topics

• Cisco NAC Appliance Configuration

Guidelines for Using RADIUS NAC

Follow these guidelines when using RADIUS NAC:

• RADIUS NAC is available only for WLAN with 802.1x/WPA/WPA2 Layer 2 security.
• RADIUS NAC cannot be enabled when FlexConnect local switching is enabled.
• AAA override should be enabled to configure RADIUS NAC.

Related Topics

• NAC Integration

Configuring NAC Out-of-Band Integration (SNMP NAC): Workflow

To configure SNMP NAC out-of-band integration, follow this workflow:

1. Configure the quarantine VLAN for a dynamic interface—The NAC appliance supports static VLAN mapping, and you must configure a unique quarantine VLAN for each interface that is configured on the controller.

2. Configure NAC out-of-band support on a WLAN or guest LAN—To enable NAC support on an access point group VLAN, you must first enable NAC on the WLAN or guest LAN.

3. Configure NAC Out-of-band support for a specific AP group—To configure NAC out-of-band support for specific access point groups.

Related Topics

• Configuring Quarantine VLAN for Dynamic Interface
• Configuring NAC Out-of-Band Support on WLANs or Guest LANs
• Configuring NAC Out-of-Band Support for Specific AP Groups

Configuring Quarantine VLAN for Dynamic Interface

To configure the quarantine VLAN for a dynamic interface:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Choose which controller you are configuring for out-of-band integration by clicking it in the IP Address column.

Step 3 Choose System > Interfaces from the left sidebar menu.

Step 4 Click the Interface Name.

Step 5 Choose Add Interface from the Select a command drop-down list and click Go.

Step 6 In the Interface Name text box, enter a name for this interface, such as “quarantine.”

Step 7 In the VLAN ID text box, enter a non-zero value for the access VLAN ID, such as “10.”

Step 8 Select the Quarantine check box if the interface has a quarantine VLAN ID configured on it.

Step 9 Configure any remaining fields for this interface, such as the IP address, netmask, and default gateway.

Note To avoid issues when adding the wireless controller to Prime Infrastructure, the Dynamic Interface should not be in the same subnet as Prime Infrastructure.

Step 10 Enter an IP address for the primary and secondary DHCP server.

Step 11 Click Save .

Related Topics

• Configuring NAC Out-of-Band Support on WLANs or Guest LANs
• Configuring NAC Out-of-Band Support for Specific AP Groups

Configuring NAC Out-of-Band Support on WLANs or Guest LANs

To configure NAC out-of-band support on a WLAN or guest LAN, follow these steps:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click on a Device Name.

Step 3 Choose WLANs > WLAN from the left sidebar menu.

Step 4 Choose Add a WLAN from the Select a command drop-down list, and click Go .

Step 5 If you have a template established that you want to apply to this controller, choose the guest LAN template name from the drop-down list. Otherwise, click the click here link to create a new template.

Step 6 Click the Advanced tab.

Step 7 To configure SNMP NAC support for this WLAN or guest LAN, choose SNMP NAC from the NAC Stage drop-down list. To disable SNMP NAC support, choose None from the NAC Stage drop-down list, which is the default value.

Step 8 Click Apply to commit your changes.

Related Topics

• Configuring NAC Out-of-Band Support for Specific AP Groups
• Wired Guest Access

Configuring NAC Out-of-Band Support for Specific AP Groups

To configure NAC out-of-band support for a specific AP group, follow these steps:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 Choose WLANs > AP Groups VLAN from the left sidebar menu to open the AP Groups page.

Step 4 Click the name of the desired AP group.

Step 5 From the Interface Name drop-down list, choose the quarantine enabled interface.

Step 6 To configure SNMP NAC support for this AP group, choose SNMP NAC from the Nac State drop-down list. To disable NAC out-of-band support, choose None from the Nac State drop-down list, which is the default value.

Step 7 Click Apply to commit your changes.

Related Topics

• Configuring Quarantine VLAN for Dynamic Interface
• Configuring NAC Out-of-Band Support on WLANs or Guest LANs
• Wired Guest Access

Viewing Client State

To see the current state of the client (either Quarantine or Access), follow these steps:

Step 1 Choose Monitor > Clients and Users to open the Clients. Perform a search for clients.

Step 2 Click the MAC address of the desired client to open the Clients > Detail page. The NAC state appears as access, invalid, or quarantine in the Security Information section.

Related Topics

• Configuring NAC Out-of-Band Integration (SNMP NAC): Workflow

Wired Guest Access

Wired Guest Access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or specific ports in a conference room.

Like wireless guest user accounts, wired guest access ports are added to the network using the Lobby Ambassador feature. Wired Guest Access can be configured in a standalone configuration or in a dual controller configuration employing an anchor and foreign controller. This latter configuration is used to further isolate wired guest access traffic but is not required for deployment of wired guest access.

Wired Guest Access ports initially terminate on a Layer 2 access switch or switch port which is configured with VLAN interfaces for wired guest access traffic. The wired guest traffic is then trunked from the access switch to a wireless LAN controller. This controller is configured with an interface that is mapped to a wired guest access VLAN on the access switch.

If two controllers are being used, the controller (foreign) that receives the wired guest traffic from the switch then forwards the wired guest traffic to an anchor controller that is also configured for wired guest access. After successful hand off of the wired guest traffic to the anchor controller, a bidirectional Ethernet over IP (EoIP) tunnel is established between the foreign and anchor controllers to handle this traffic.

Although wired guest access is managed by anchor and foreign anchors when two controllers are deployed, mobility is not supported for wired guest access clients. In this case, DHCP and web authentication for the client are handled by the anchor controller.

You can specify how much bandwidth a wired guest user is allocated in the network by configuring and assigning a role and bandwidth contract.

Related Topics

• Configuring and Enabling Wired Guest User Access: Workflow

Configuring and Enabling Wired Guest User Access: Workflow

To configure and enable the wired guest user access, follow this workflow:

1. Configure a dynamic interface (VLAN) for wired guest access—Create a dynamic interface to enable the wired guest user access.

2. Configure a wired LAN for guest user access—Configure a new LAN, which is a guest LAN.

Related Topics

• Configuring a Dynamic Interface for Wired Guest User Access
• Configuring a Wired LAN for Guest User Access

Configuring a Dynamic Interface for Wired Guest User Access

To configure and enable a dynamic interface (VLAN) for wired guest user access on the network:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 Choose System > Interfaces from the left sidebar menu.

Step 4 Choose Add Interface from the Select a command drop-down list, and click Go .

Step 5 Complete the required fields.

Step 6 Click Save .

Related Topics

• Configuring and Enabling Wired Guest User Access: Workflow

Configuring a Wired LAN for Guest User Access

To configure a wired LAN for guest user access:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click on a Device Name.

Step 3 To configure a wired LAN for guest user access, choose WLANs > WLAN configuration from the left sidebar menu.

Step 4 Choose Add a WLAN from the Select a command drop-down list, and click Go .

Step 5 If you have a template established that you want to apply to this controller, choose the guest LAN template name from the drop-down list. Otherwise, click the click here link to create a new template.

Step 6 In the WLAN > New Template general page, enter a name in the Profile Name text box that identifies the guest LAN. Do not use any spaces in the name entered.

Step 7 Select the Enabled check box for the WLAN Status field.

Step 8 From the Ingress Interface drop-down list, choose the VLAN that you created in Step 3. This VLAN provides a path between the wired guest client and the controller by way of the Layer 2 access switch.

Step 9 From the Egress Interface drop-down list, choose the name of the interface. This WLAN provides a path out of the controller for wired guest client traffic.If you have only one controller in the configuration, choose management from the Egress Interface drop-down list.

Step 10 Click the Security > Layer 3 tab to modify the default security policy (web authentication) or to assign WLAN specific web authentication (login, logout, login failure) pages and the server source.

a. To change the security policy to passthrough, select the Web Policy check box and select the Passthrough radio button. This option allows users to access the network without entering a username or password.

An Email Input check box appears. Select this check box if you want users to be prompted for their e-mail address when attempting to connect to the network.

b. To specify custom web authentication pages, unselect the Global WebAuth Configuration Enabled check box.

When the Web Auth Type drop-down list appears, choose one of the following options to define the web login page for the wireless guest users:

Default Internal —Displays the default web login page for the controller. This is the default value.

Customized Web Auth —Displays custom web login, login failure, and logout pages. When the customized option is selected, three separate drop-down lists for login, login failure, and logout page selection appear. You do not need to define a customized page for all three of the options. Choose None from the appropriate drop-down list if you do not want to display a customized page for that option.

External —Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box.

You can select specific RADIUS or LDAP servers to provide external authentication in the Security > AAA pane. The RADIUS and LDAP external servers must be already configured to have selectable options in the Security > AAA pane. You can configure these servers on the RADIUS Authentication Servers, TACACS+ Authentication Servers page, and LDAP Servers page.

Step 11 If you selected External as the Web Authentication Type, choose Security > AAA and choose up to three RADIUS and LDAP servers using the drop-down lists.

Step 12 Click Save .

Step 13 Repeat this process if a second (anchor) controller is being used in the network.

Related Topics

• Configuring and Enabling Wired Guest User Access: Workflow

Creating an Ingress Interface

To create an Ingress interface:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 Choose System > Interfaces from the left sidebar menu.

Step 4 Choose Add Interface from the Select a command drop-down list, and click Go .

Step 5 In the Interface Name text box, enter a name for this interface, such as guestinterface.

Step 6 Enter a VLAN identifier for the new interface.

Step 7 Select the Guest LAN check box.

Step 8 Enter the primary and secondary port numbers.

Step 9 Click Save .

Related Topics

• Creating an Egress Interface

Creating an Egress Interface

To create an Egress interface:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 Choose System > Interfaces from the left sidebar menu.

Step 4 Choose Add Interface from the Select a command drop-down list, and click Go .

Step 5 In the Interface Name text box, enter a name for this interface, such as quarantine.

Step 6 In the vlan Id text box, enter a non-zero value for the access VLAN ID, such as 10.

Step 7 Select the Quarantine check box and enter a non-zero value for the Quarantine VLAN identifier, such as 110.

You can have NAC-support enabled on the WLAN or guest WLAN template Advanced tab for interfaces with Quarantine enabled.

Step 8 Enter the IP address, Netmask, and Gateway information.

Step 9 Enter the primary and secondary port numbers.

Step 10 Provide an IP address for the primary and secondary DHCP server.

Step 11 Configure any remaining fields for this interface, and click Save .

You are now ready to create a wired LAN for guest access.

Related Topics

• Creating an Ingress Interface

Configuring Controller Network Routes

The Network Route page enables you to add a route to the controller service port. This route allows you to direct all Service Port traffic to the designated management IP address.

Related Topics

• Viewing Existing Network Routes
• Adding Network Routes

Viewing Existing Network Routes

To view existing network routes:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 Choose System > Network Route from the left sidebar menu. The following parameters appear:

• IP Address—The IP address of the network route.
• IP Netmask—Network mask of the route.
• Gateway IP Address—Gateway IP address of the network route.

Related Topics

• Configuring Controller Network Routes

Adding Network Routes

To add a network route, follow these steps:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 Choose System > Network Route from the left sidebar menu.

Step 4 From the Select a command drop-down list, choose Add Network Route .

Step 5 Click Go .

Step 6 Complete the required fields, then click Save.

Related Topics

• Configuring Controller Network Routes

Viewing Controller Spanning Tree Protocol Parameters

Spanning Tree Protocol (STP) is a link management protocol that provides path redundancy while preventing undesirable loops in the network.

To view or manage current STP parameters:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 Choose System > Spanning Tree Protocol from the left sidebar menu. The Spanning Tree Protocol page displays the following parameters:

• Protocol Spec—The current protocol specification.
• Admin Status—Select this check box to enable.
• Priority—The numerical priority number of the ideal switch.
• Maximum Age (seconds)—The amount of time (in seconds) before the received protocol information recorded for a port is discarded.
• Hello Time (seconds)—Determines how often (in seconds) the switch broadcasts its hello message to other switches.
• Forward Delay (seconds)—The time spent (in seconds) by a port in the learning/listening states of the switches.

Related Topics

• Configuring Controller Network Routes
• Configuring Controller System Parameters

Configuring Controller Mobility Groups

By creating a mobility group, you can enable multiple network controllers to dynamically share information and forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers can share the context and state of client devices and controller loading information. With this information, the network can support inter-controller wireless LAN roaming and controller redundancy.

If it is possible for a wireless client in your network to roam from an access point joined to one controller to an access point joined to another controller, both controllers should be in the same mobility group.

Related Topics

• Messaging Among Mobility Groups
• Mobility Group Prerequisites
• Viewing Current Mobility Group Members
• Adding Mobility Group Members from a List of Controllers
• Manually Adding Mobility Group Members
• Setting the Mobility Scalability Parameters

Messaging Among Mobility Groups

The controller provides inter-subnet mobility for clients by sending mobility messages to other member controllers:

• There can be up to 72 members in the list with up to 24 in the same mobility group.
• The controller sends a Mobile Announce message to members in the mobility list each time a new client associates to it.
• In Prime Infrastructure and Wireless Controller software release 5.0 and later, the controller uses multicast mode to send the Mobile Announce messages. This allows the controller to send only one copy of the message to the network, which delivers it to the multicast group containing all the mobility members.

Related Groups

• Configuring Controller Mobility Groups

Mobility Group Prerequisites

Before you add controllers to a mobility group, you must verify that the following prerequisites are met for all controllers that are to be included in the group:

• All controllers must be configured for the same CAPWAP transport mode (Layer 2 or Layer 3).
• IP connectivity must exist between the management interfaces of all controllers.
• All controllers must be configured with the same mobility group name.
• All controllers must be configured with the same virtual interface IP address.
• You must have gathered the MAC address and IP address of every controller that is to be included in the mobility group. This information is necessary because you will be configuring all controllers with the MAC address and IP address of all the other mobility group members.

Related Groups

• Configuring Controller Mobility Groups

Viewing Current Mobility Group Members

To view current mobility group members:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 Choose System > Mobility Groups from the left sidebar menu.

Related Groups

• Adding Mobility Group Members from a List of Controllers
• Manually Adding Mobility Group Members

Adding Mobility Group Members from a List of Controllers

To add a mobility group member from a list of existing controllers:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click on a Device Name, then click the Controller tab.

Step 3 Choose System > Mobility Groups from the left sidebar menu.

Step 4 From the Select a command drop-down list, choose Add Group Members .

Step 5 Click Go .

Step 6 Select the check box(es) for the controller to be added to the mobility group.

Step 7 Click Save .

Related Groups

• Viewing Current Mobility Group Members
• Manually Adding Mobility Group Members

Manually Adding Mobility Group Members

If there were no controllers found to add to the mobility group, you can add members manually. To manually add members to the mobility group, follow these steps:

Step 1 Click the click here link from the Mobility Group Member details page.

Step 2 In the Member MAC Address text box, enter the MAC address of the controller to be added.

Step 3 In the Member IP Address text box, enter the management interface IP address of the controller to be added.

If you are configuring the mobility group in a network where Network Address Translation (NAT) is enabled, enter the IP address sent to the controller from the NAT device rather than the controller management interface IP address. Otherwise, mobility fails among controllers in the mobility group.

Step 4 Enter the multicast group IP address to be used for multicast mobility messages in the Multicast Address text box. The local mobility member group address must be the same as the local controller group address.

Step 5 In the Group Name text box, enter the name of the mobility group.

Step 6 Click Save .

Step 7 Repeat Steps 1 through 6 for the remaining Cisco Wireless Controller devices.

Related Topics

• Adding Mobility Group Members from a List of Controllers
• Viewing Current Mobility Group Members

Setting the Mobility Scalability Parameters

Before You Begin

You must configure Mobility Groups prior setting up the mobility scalability parameters.

To set the mobility message parameters:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click the Device Name of a controller whose software version is 5.0 or later.

Step 3 From the left sidebar menu, choose System > General .

Step 4 From the Multicast Mobility Mode drop-down list, specify if you want to enable or disable the ability for the controller to use multicast mode to send Mobile Announce messages to mobility members.

Step 5 If you enabled multicast messaging by setting multicast mobility mode to enabled, you must enter the group IP address at the Mobility Group Multicast-address field to begin multicast mobility messaging. You must configure this IP address for the local mobility group but it is optional for other groups within the mobility list. If you do not configure the IP address for other (non-local) groups, the controllers use unicast mode to send mobility messages to those members.

Step 6 Click Save .

Related Topics

• Configuring Controller Multicast Mode
• Configuring Controller System Parameters

Configuring Controller Network Time Protocol

To add a new NTP Server:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click the Device Name of the applicable controller.

Step 3 From the left sidebar menu, choose System > Network Time Protocol .

Step 4 From the Select a command drop-down list, choose Add NTP Server .

Step 5 Click Go .

Step 6 From the Select a template to apply to this controller drop-down list, choose the applicable template to apply to this controller.

Related Topics

• Configuring an NTP Server Template
• Configuring Controller System Parameters
• Configuring Controller Network Time Protocol

Background Scanning on 1510s in Mesh Networks

Background scanning allows Cisco Aironet 1510 Access Points to actively and continuously monitor neighboring channels for more optimal paths and parents. Because the access points are searching on neighboring channels as well as the current channel, the list of optimal alternate paths and parents is greater.

Identifying this information prior to the loss of a parent results in a faster transfer and the best link possible for the access points. Additionally, access points might switch to a new channel if a link on that channel is found to be better than the current channel in terms of fewer hops, stronger signal-to-noise ratio (SNR), and so on.

Background scanning on other channels and data collection from neighbors on those channels are performed on the primary backhaul between two access points:

The primary backhaul for 1510s operate on the 802.11a link.

Background scanning is enabled on a global basis on the associated controller of the access point. Latency might increase for voice calls when they are switched to a new channel.

In the EMEA regulatory domain, locating neighbors on other channels might take longer given DFS requirements.

Related Topics

• Background Scanning Scenarios
• Enabling Background Scanning

Background Scanning Scenarios

A few scenarios are provided below to better illustrate how background scanning operates.

In Figure 21-1, when the mesh access point (MAP1) initially comes up, it is aware of both root access points (RAP1 and RAP2) as possible parents. It chooses RAP2 as its parent because the route through RAP2 is better in terms of hops, SNR, and so on. After the link is established, background scanning (once enabled) continuously monitors all channels in search of a more optimal path and parent. RAP2 continues to act as parent for MAP1 and communicates on channel 2 until either the link goes down or a more optimal path is located on another channel.

Figure 21-1 Mesh Access Point (MAP1) Selects a Parent

In Figure 21-2, the link between MAP1 and RAP2 is lost. Data from ongoing background scanning identifies RAP1 and channel 1 as the next best parent and communication path for MAP1 so that link is established immediately without the need for additional scanning after the link to RAP2 goes down.

Figure 21-2 Background Scanning Identifies a New Parent

Related Topics

• Enabling Background Scanning

Enabling Background Scanning

To enable background scanning on an AP1510 RAP or MAP:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click an IP address of the applicable controller.

Step 3 Choose Mesh > Mesh Settings from the left sidebar menu.

Step 4 Select the Background Scanning check box to enable background scanning or unselect it to disable the feature. The default value is disabled.

Step 5 Click Save .

Related Topics

• Background Scanning Scenarios

Configuring Controller QoS Profiles

To make modifications to the quality of service profiles:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click an IP address of the applicable controller.

Step 3 From the left sidebar menu, choose System > QoS Profiles . The following parameters appear:

• Bronze—For Background
• Gold—For Video Applications
• Platinum—For Voice Applications
• Silver—For Best Effort

Step 4 Click the applicable profile to view or edit profile parameters.

Step 5 Click Save .

Related Topics

• Configuring Controller System Parameters

Configuring Controller DHCP Scopes

Controllers have built-in DHCP relay agents. However, when you desire network segments that do not have a separate DHCP server, the controllers can have built-in DHCP scopes that assign IP addresses and subnet masks to wireless client. Typically, one controller can have one or more DHCP scopes that each provide a range of IP addresses.

Related Topics

• Viewing Current DHCP Scopes
• Adding a New DHCP Scope

Viewing Current DHCP Scopes

To view current DHCP (Dynamic Host Configuration Protocol) scopes, follow these steps:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller .

Step 2 Click the Device Name of the applicable controller.

Step 3 From the left sidebar menu, choose System > DHCP Scopes .

Related Topics

• Configuring Controller DHCP Scopes

Adding a New DHCP Scope

To add a new DHCP Scope, follow these steps:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller

Step 2 Click the Device Name of the applicable controller.

Step 3 From the left sidebar menu, choose System > DHCP Scopes .

Step 4 From the Select a command drop-down list, choose Add DHCP Scope and click Go.

Step 5 Configure the required fields, and click Save .

Related Topics

• Configuring Controller DHCP Scopes
• Configuring Controller System Parameters

Viewing Controller User Roles

To view current local net user roles on a controller, follow these steps:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller.

Step 2 Click the Device Name of the applicable controller.

Step 3 From the left sidebar menu, choose System > User Roles .

The Local Net User Role parameters appear.

Step 4 Click a Template Name to view the User Role details.

Related Topics

• Adding a New Local Net User Role to Controllers

Adding a New Local Net User Role to Controllers

To add a new local net user role to a controller:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller.

Step 2 Click the Device Name of the applicable controller.

Step 3 From the left sidebar menu, choose System > User Roles .

Step 4 From the Select a command drop-down list, choose Add User Role .

Step 5 Select a template from the Select a template to apply to this controller drop-down list.

Step 6 Click Apply .

Related Topics

• Adding a New Local Net User Role to Controllers
• Configuring Controller System Parameters

Configuring a Global Access Point Password

The AP Username Password page enables you to set a global password that all access points inherit as they join a controller. When you are adding an access point, you can also choose to accept this global username and password or override it on a per-access point basis.

Also in controller software release 5.0, after an access point joins the controller, the access point enables console port security and you are prompted for your username and password whenever you log into the access point console port. When you log in, you are in non-privileged mode and you must enter the enable password to use the privileged mode.

To establish a global username and password, follow these steps:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller.

Step 2 Click the Device Name of a controller with a Release 5.0 or later.

Step 3 From the left sidebar menu, choose System > AP Username Password .

Step 4 Enter the username and password that you want to be inherited by all access points that join the controller.

For Cisco IOS access points, you must also enter and confirm an enable password.

Step 5 Click Save .

Configuring Global CDP

Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices.

CDP is enabled on the Ethernet and radio ports of a bridge by default.

Global Interface CDP configuration is applied to only the APs with CDP enabled at AP level.

To configure a Global CDP, perform the following steps:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller.

Step 2 Click the Device Name of the desired controller.

Step 3 From the left sidebar menu, choose System > Global CDP Configuration from the left sidebar menu. The Global CDP Configuration page appears.

Step 4 Configure the required fields in the Global CDP Configuration page.In the Global CDP group box, configure the following parameters:

• CDP on controller—Choose enable or disable CDP on the controller. This configuration cannot be applied on WiSM2 controllers.
• Global CDP on APs—Choose to enable or disable CDP on the access points.
• Refresh-time Interval (seconds)—In the Refresh Time Interval field, enter the time in seconds at which CDP messages are generated. The default is 60.
• Holdtime (seconds)—Enter the time in seconds before the CDP neighbor entry expires. The default is 180.
• CDP Advertisement Version—Enter which version of the CDP protocol to use. The default is v1.

Step 5 In the CDP for Ethernet Interfaces group box, select the slots of Ethernet interfaces for which you want to enable CDP.

CDP for Ethernet Interfaces fields are supported for Controller Release 7.0.110.2 and later.

Step 6 In the CDP for Radio Interfaces group box, select the slots of Radio interfaces for which you want to enable CDP.

CDP for Radio Interfaces fields are supported for Controller Release 7.0.110.2 and later.

Step 7 Click Save .

Related Topic

• Configuring Controller System Parameters

Configuring AP 802.1X Supplicant Credentials

You can configure 802.1X authentication between lightweight access points and the switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning. You can set global authentication settings that all access points inherit as they join the controller. This includes all access points that are currently joined to the controller and any that join in the future.

If desired, you can override the global authentication settings and assign unique authentication settings for a specific access point.

To enable global supplicant credentials, follow these steps:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller.

Step 2 Click the Device Name of the desired controller.

Step 3 From the left sidebar menu, choose System > AP 802.1X Supplicant Credentials .

Step 4 Select the Global Supplicant Credentials check box.

Step 5 Enter the supplicant username.

Step 6 Enter and confirm the applicable password.

Step 7 Click Save. Once saved, you can click Audit to perform an audit on this controller.

Related Topics

• Configuring Controller System Parameters
• 802.11 Parameters

Configuring Controller DHCP

To configure DHCP (Dynamic Host Configuration Protocol) information for a controller:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller.

Step 2 Click the Device Name of the desired controller.

Step 3 From the left sidebar menu, choose System > DHCP .

Step 4 Add or modify the following parameters:

• DHCP Option 82 Remote Id Field Format—Choose AP-MAC, AP-MAC-SSID, AP-ETHMAC, or AP-NAME-SSID from the drop-down list.

To set the format for RemoteID field in DHCP option 82
If Ap-Mac is selected, then set the RemoteID format as AP-Mac . If Ap-Mac-ssid is selected, then set the RemoteID format as AP-Mac:SSID .

• DHCP Proxy—Select the check box to enable DHCP by proxy.

When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client to the configured servers. Consequently, at least one DHCP server must be configured on either the interface associated with the WLAN or the WLAN itself.

Step 5 Enter the DHCP Timeout in seconds after which the DHCP request times out. The default setting is 5. Allowed values range from 5 to 120 seconds. DHCP Timeout is applicable for Controller Release 7.0.114.74 and later.

Step 6 Click Save .

Once saved, you can click Audit to perform an audit on this controller.

Related Topics

• Configuring Controller System Parameters

Configuring Controller Multicast Mode

Prime Infrastructure provides an option to configure IGMP (Internet Group Management Protocol) snooping and timeout values on the controller.

IGMP

To configure multicast mode and IGMP snooping for a controller:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller.

Step 2 Click the Device Name of the desired controller.

Step 3 From the left sidebar menu, choose System > Multicast .

Step 4 From the Ethernet Multicast Support drop-down list, choose the applicable Ethernet multicast support (Unicast or Multicast).

Step 5 If Multicast is selected, enter the multicast group IP address.

Step 6 Select the Global Multicast Mode check box to make the multicast mode available globally.

IGMP Snooping and timeout can be set only if Ethernet Multicast mode is Enabled. Select to enable IGMP Snooping.

Step 7 Choose Enable from the Multicast Mobility Mode drop-down list to change the IGMP snooping status or to set the IGMP timeout. When IGMP snooping is enabled, the controller gathers IGMP reports from the clients and then sends each access point a list of the clients listening to any multicast group. The access point then forwards the multicast packets only to those clients.

The timeout interval has a range of 3 to 300 and a default value of 60. When the timeout expires, the controller sends a query to all WLANs. Those clients which are listening in the multicast group then send a packet back to the controller.

Step 8 If you enabled the Multicast Mobility Mode, enter the mobility group multicast address.

Step 9 Select the Multicast Direct check box to enable videos to be streamed over a wireless network.

Step 10 Choose Enable from the Multicast Mobility Mode drop-down list to change MLD configuration.

Step 11 Select the Enable MLD Snooping check box to enable IPv6 MLD snooping. If you have selected this check box, configure the following parameters:

• MLD Timeout—Enter the MLD timeout value in seconds. The timeout has a range of 3 to 7200 and a default value of 60.
• MLD Query Interval—Enter the MLD query interval timeout value in seconds. The interval has a range of 15 to 2400 and a default value of 20.

Internet Group Management Protocol (IGMP) snooping enables you to limit the flooding of multicast traffic for IPv4. For IPv6, Multicast Listener Discovery (MLD) snooping is used.

Step 12 Configure the Session Banner information, which is the error information sent to the client if the client is denied or dropped from a Media Stream.

Step 13 Click Save .

Once saved, you can click Audit to perform an audit on this controller.

Related Topics

• Configuring Controller System Parameters

Configuring Access Point Timer Settings

Advanced timer configuration for FlexConnect and local mode is available for the controller on Prime Infrastructure.

This feature is only supported on Release 6.0 controllers and later.

Related Topics

• Configuring Advanced Timers

Configuring Advanced Timers

To configure the advanced timers, follow these steps:

Step 1 Choose Configuration > Network > Network Devices, then from the Devices Groups menu on the left, select Device Type> Wireless Controller.

Step 2 Choose the controller for which you want to set timer configuration.

Step 3 From the left sidebar menu, choose System > AP Timers .

Step 4 In the AP Timers page, click the applicable Access Point Mode link: Local Mode or FlexConnect Mode.

Step 5 Configure the necessary parameters in the Local Mode AP Timer Settings page or in the FlexConnect Mode AP Timer Settings page accordingly.

• AP timer settings for Local Mode—To reduce the failure detection time, you can configure the fast heartbeat interval (between the controller and the access point) with a smaller timeout value. When the fast heartbeat timer expires (at every heartbeat interval), the access point determines if any data packets have been received from the controller within the last interval. If no packets have been received, the access point sends a fast echo request to the controller. You can then enter a value between 10 and 15 seconds.
• AP timer settings for FlexConnect—Once selected, you can configure the FlexConnect timeout value. Select the AP Primary Discovery Timeout check box to enable the timeout value. Enter a value between 30 and 3600 seconds. 5500 series controllers accept access point fast heartbeat timer values in the range of 1-10.

Step 6 Click Save.

Related Topics

• Configuring Access Point Timer Settings

Configuring Controller WLANs

Because controllers can support 512 WLAN configurations, Prime Infrastructure provides an effective way to enable or disable multiple WLANs at a specified time for a given controller.

To view a summary of the wireless local access networks (WLANs) that you have configured on your network, follow these steps:

Step 1 Choose Configure > Controllers .

Step 2 Click the Device Name of the applicable controller.

Step 3 From the left sidebar menu, choose WLANs > WLAN Configuration .

Step 4 Configure the required fields in the Configure WLAN Summary page appears.

Related Topics

• Configuring Controller WLANs

Viewing Controller WLAN Configurations

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click the Device Name of the wireless controller whose WLAN configurations you want to see.

Step 3 Click the Configuration tab.

Step 4 Under Features , choose WLANs > WLAN Configuration . The WLAN Configuration summary page appears, displaying the list of WLANs currently configured on the controller, including each:

• WLAN ID
• The name of the WLAN configuration profile
• WLAN SSID
• The names of any active security policies
• The WLAN current administrative status (enabled or disabled)
• A link to the list of all currently scheduled WLAN configuration tasks

Step 5 To view WLAN configuration details, click the WLAN ID. The WLAN Configuration details page appears.

Step 6 Use the tabs (General, Security, QoS, and Advanced) to view or edit parameters for the WLAN. Whenever you change a parameter, click Save.

Related Topics

• Configure > Controllers > WLANs > WLAN Configuration
• Adding Policies to Controller WLANs
• Configuring Mobile Concierge (802.11u) on WLANs
• Adding WLANs to Controllers
• Deleting Controller WLANs
• Scheduling Status Changes for Multiple Controller WLANs
• Viewing WLAN Mobility Anchors

Adding Policies to Controller WLANs

Step 1 Click Add Row.

Step 2 Select a policy name that you want to map to the WLAN, from the drop-down list.

Step 3 Enter the priority. The priority ranges from 1 to 16.

Two policies cannot have the same priority.

Step 4 Click Save .

If you want to delete a policy, select the check box corresponding to the policy that you want to delete and click Delete.

Related Topics

• Viewing Controller WLAN Configurations
• Configuring Mobile Concierge (802.11u) on WLANs
• Adding WLANs to Controllers
• Deleting Controller WLANs
• Scheduling Status Changes for Multiple Controller WLANs
• Viewing WLAN Mobility Anchors

Configuring Mobile Concierge (802.11u) on WLANs

Cisco Mobile Concierge is a solution that enables 802.1X-capable clients to interwork with external networks without pre-authorization. Mobile Concierge provides service availability information to clients that can help them to associate to available networks more quickly, easily, and securely.

The services offered by the network can be broadly classified into two protocols:

• 802.11u MSAP
• 802.11u HotSpot 2.0

The following guidelines and limitations apply to Mobile Concierge:

• Mobile Concierge is not supported on FlexConnect Access Points.
• 802.11u configuration upload is not supported. If you perform a configuration upgrade and upload a configuration on the controller, the HotSpot configuration on the WLANs is lost.

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click the Device Name of the wireless controller on which you want to configure Mobile Concierge.

Step 3 Click the Configuration tab.

Step 4 Under Features , choose WLANs > WLAN Configuration . The WLAN Configuration summary page appears, displaying the list of WLANs currently configured on the controller,

Step 5 Click the WLAN ID of the WLAN on which you want to configure Mobile Concierge.

Step 6 Click the Hot Spot tab.

Step 7 Click the 802.11u Configuration sub-tab and complete the fields as follows:

a. Select the 802.11u Status check box to enable 802.11u on the WLAN.

b. Select the Internet Access check box to enable this WLAN to provide Internet services.

c. From the Network Type drop-down list, choose the appropriate description for the 802.11u service you want to configure on this WLAN. The following options are available:

– Private Network

– Private Network with Guest Access

– Chargeable Public Network

– Free Public Network

– Emergency Services Only Network

– Personal Device Network

– Test or Experimental

– Wildcard

d. Choose the authentication type that you want to configure for the 802.11u parameters on this network:

– Not configured

– Acceptance of Terms and Conditions

– Online Enrollment

– DNS Redirection

– HTTP/HTTPS Redirection

e. In the HESSID field, enter the Homogeneous Extended Service Set Identifier value. The HESSID is a 6-octet MAC address that identifies the homogeneous ESS.

f. In the IPv4 Address Type field, choose the method of assigning IPv4 addresses:

– Not Available

– Public

– Port Restricted

– Single NAT Private

– Double NAT Private

– Port Restricted and Single NAT Private

– Port Restricted and Double NAT Private

– Unknown

g. In the IPv6 Address Type field, choose the method of assigning IPv6 addresses:

– Not Available

– Available

– Unknown

Step 8 Click the Others sub-tab and complete the fields as follows:

a. In the OUI List group box, click Add Row and enter the following details:

– OUI name

– Is Beacon

– OUI Index

Click Save to add the OUI (Organizationally Unique Identifier) entry to this WLAN.

b. In the Domain List group box, click Add Row and enter the following details:

– Domain Name—The domain name operating in the 802.11 access network.

– Domain Index—Choose the domain index from the drop-down list.

Click Save to add the domain entry to this WLAN.

c. In the Cellular section, click Add Row and enter the following details:

– Country Code—The 3-character cellular country code.

– Network Code—The 3-character cellular network code.

Click Save to add the cellular entry to this WLAN.

Step 9 Click the Realm sub-tab and complete the fields as follows:

a. Click Add Row and enter the realm name.

b. Click Save to add the realm entry to this WLAN.

Step 10 Click the Service Advertisements sub-tab and complete the fields as follows:

a. Select the MSAP Enable check box to enable service advertisements.

b. If you enable MSAP, enter the server index for this WLAN. The server index field uniquely identifies an MSAP server instance serving a venue that is reachable through the BSSID.

MSAP (Mobility Services Advertisement Protocol) is designed to be used primarily by mobile devices that are configured with a set of policies for establishing network services. These services are available for devices that offer higher-layer services, or network services that are enabled through service providers. Service advertisements use MSAP to provide services to mobile devices prior to association to a Wi-Fi access network. This information is conveyed in a service advertisement. A single-mode or dual-mode mobile device queries the network for service advertisements before association. The device's network discovery and the selection function may use the service advertisements in its decision to join the network.

Step 11 Click the Hotspot 2.0 sub-tab and complete the fields as follows:

a. Choose the Enable option from the HotSpot2 Enable drop-down list.

b. In the WAM Metrics group box, specify the following:

– WAN Link Status—The link status. The valid range is 1 to 3.

– WAN SIM Link Status—The symmetric link status. For example, you can configure the uplink and downlink to have different speeds or same speeds.

– Down Link Speed—The downlink speed. The maximum value is 4,194,304 kbps.

– Up Link Speed—The uplink speed. The maximum value is 4,194,304 kbps.

c. In the Operator Name List, click Add Row and enter the following details:

– Operator Name—Specify the name of the 802.11 operator.

– Operator Index—Select an operator index. The range is from 1 to 32.

– Language Code—An ISO-14962-1997 encoded string defining the language. This string is a three character language code.

Click Save to add the operator to the list.

• In the Port Config List, click Add Row and enter the following details:

– IP Protocol—The IP protocol that you want to enable. The following options are ESP, FTP, ICMP, and IKEV2.

– Port No—The port number that is enabled on this WLAN.

– Status—The status of the port.

Click Save to add the port configuration to the list.

Step 12 Click Save to save the Mobile Concierge configuration.

Related Topics

• Viewing Controller WLAN Configurations
• Adding Policies to Controller WLANs
• Adding WLANs to Controllers
• Deleting Controller WLANs
• Scheduling Status Changes for Multiple Controller WLANs
• Viewing WLAN Mobility Anchors

Adding WLANs to Controllers

You can add a WLANs to controllers through the template configuration.

Step 1 Choose Configuration > Template > Features & Technologies > Controller > WLANs > WLAN Configuration .

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New.

Step 3 Complete the required fields in the General, Security, QoS, Advanced, HotSpot, Policy Mappings tabs, and then click Save as New Template.

Step 4 Proceed to deploy the template by click Deploy.

Related Topics

• Controller > WLANs > WLAN Configuration
• Viewing Controller WLAN Configurations
• Adding Policies to Controller WLANs
• Configuring Mobile Concierge (802.11u) on WLANs
• Deleting Controller WLANs
• Scheduling Status Changes for Multiple Controller WLANs
• Viewing WLAN Mobility Anchors

Deleting Controller WLANs

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click the Device Name of the appropriate controller.

Step 3 From the left sidebar menu, choose WLANs > WLAN Configuration .

Step 4 Select the check boxes of the WLANs that you want to delete.

Step 5 Choose Select a command> Delete a WLAN > Go .

Step 6 Click OK to confirm the deletion.

Related Topics

• Viewing Controller WLAN Configurations
• Adding Policies to Controller WLANs
• Configuring Mobile Concierge (802.11u) on WLANs
• Adding WLANs to Controllers
• Scheduling Status Changes for Multiple Controller WLANs
• Viewing WLAN Mobility Anchors

Scheduling Status Changes for Multiple Controller WLANs

Prime Infrastructure lets you change the status of more than one WLAN at a time on any given controller. You can select multiple WLANs and select the date and time for that status change to take place.

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click the Device Name of the appropriate controller.

Step 3 From the left sidebar menu, choose WLANs > WLAN Configuration .

Step 4 Select the check boxes of the WLANs that you want to schedule for a status change.

Step 5 From the Select a command drop-down list, choose Schedule Status to open the WLAN Schedule Task Detail page.

The selected WLANs are listed at the top of the page.

Step 6 Enter a Scheduled Task Name to identify this status change schedule.

Step 7 Choose the new Admin Status (Enabled or Disabled) from the drop-down list.

Step 8 Choose the schedule time using the hours and minutes drop-down lists.

Step 9 Click the calendar icon to choose a schedule date or enter the date in the text box (MM/DD/YYYY).

Step 10 Select the appropriate Recurrence radio button to determine the frequency of the status change (Daily, Weekly, or No Recurrence).

Step 11 Click Submit to initiate the status change schedule.

Related Topics

• Viewing WLAN Configuration Scheduled Task Results (user guide section)
• Viewing Controller WLAN Configurations
• Adding Policies to Controller WLANs
• Configuring Mobile Concierge (802.11u) on WLANs
• Adding WLANs to Controllers
• Deleting Controller WLANs
• Viewing WLAN Mobility Anchors

Viewing WLAN Mobility Anchors

Mobility anchors are controllers defined as anchors for WLANs. Clients (that is, any 802.11 mobile station, such as a laptop) are always attached to one of the anchors.

You can use mobility anchors to restrict a WLAN to a single subnet, regardless of the client’s network entry point. Users can access a public or guest WLAN throughout the enterprise but will still be restricted to a specific subnet. You can also use guest WLANs to provide geographical load balancing, as WLANs can represent a particular section of a building (such as a lobby, restaurant, and so on).

When a client first associates to a controller of a mobility group that has been preconfigured as a mobility anchor for a WLAN, the client associates to the controller locally, and a local session is created for the client. Clients can be anchored only to preconfigured anchor controllers of the WLAN. For a given WLAN, you should configure the same set of anchor controllers on all controllers in the mobility group.

When a client first associates to a controller of a mobility group that has not been configured as a mobility anchor for a WLAN, the client associates to the controller locally, a local session is created for the client, and the controller is announced to the other controllers in the same mobility group. If the announcement is not answered, the controller contacts one of the anchor controllers configured for the WLAN and creates a foreign session for the client on the local switch. Packets from the client are encapsulated and delivered to the wired network. Packets to the client are received by the anchor controller and forwarded to the foreign controller through a mobility tunnel using EtherIP. The foreign controller encapsulates the packets and forwards them to the client.

A 2000 series controller cannot be designated as an anchor for a WLAN. However, a WLAN created on a 2000 series controllers can have a 4100 series controller or a 4400 series controller as its anchor.

The L2TP Layer 3 security policies are unavailable for WLANs configured with a mobility anchor.

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click the Device Name of the appropriate controller.

Step 3 From the left sidebar menu, choose WLANs > WLAN Configuration .

Step 4 Click a WLAN ID to view the parameters for a specific WLAN.

Step 5 Click the Advanced tab.

Step 6 Click the Mobility Anchors link. Prime Infrastructure displays the IP address and current status (for example, reachable) for each anchor.

Related Topics

• Viewing Controller WLAN Configurations
• Adding Policies to Controller WLANs
• Configuring Mobile Concierge (802.11u) on WLANs
• Adding WLANs to Controllers
• Deleting Controller WLANs
• Scheduling Status Changes for Multiple Controller WLANs

Working with WLAN AP Groups

Site-specific VLANs or AP (access point) groups allow you to segment WLANs into different broadcast domains. This will allow you to minimize the total number of broadcast domains, which permits more effective load balancing and bandwidth allocation.

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click the Device Name of the appropriate controller.

Step 3 From the left sidebar menu, choose WLAN > AP Groups . The AP groups summary page displays.

This page displays a summary of the AP groups configured on your network.

From here you can add, remove, or view details of an AP group.

Step 4 Click the AP group name on the Access Points tab to view or edit its access point(s).

Step 5 Click the WLAN Profiles tab to view, edit, add, or delete WLAN profiles.

Related Topics

• Creating Controller WLAN AP Groups
• Deleting Controller WLAN AP Groups
• Deleting Controller WLAN AP Groups
• Configuring Controller WLANs
• Auditing Controller WLAN AP Groups

Creating Controller WLAN AP Groups

Use the AP Groups detail page to add AP (access point) groups. Note that if the target controller is earlier than version 5.2, AP Groups are called AP Group VLANs .

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click the Device Name of the appropriate controller.

Step 3 From the left sidebar menu, choose WLAN > AP Groups.

Step 4 Choose Select a command > Add AP Groups > Go . The AP Groups details page displays.

Step 5 Create a new AP group, as follows:

a. Enter a name for the AP group.

b. Enter a description for the new AP group (this group description is optional).

Step 6 Add access points to the new AP group, as follows:

a. Click the Access Points tab.

b. Click Add . The Access Point page displays a list of available access points.

c. Select the check boxes of the access points you want to add.

d. Click Select .

Step 7 Add a WLAN profile, as follows:

a. Click the WLAN Profiles tab.

b. Click Add .

To display all available WLAN profile names, delete the current WLAN profile name from the text box. When the current WLAN profile name is deleted from the text box, all available WLAN profiles appear in the drop-down list.

Each access point is limited to 16 WLAN profiles. Each access point broadcasts all WLAN profiles unless the WLAN override feature is enabled. The WLAN override feature allows you to disable any of the 16 WLAN profiles per access point.

The WLAN override feature applies only to older controllers that do not support the 512 WLAN feature (can support up to 512 WLAN profiles).

c. Type a WLAN profile name or choose one from the WLAN Profile Name drop-down list.

d. Enter an interface/interface group or choose one from the Interface/Interface Group drop-down list.

To display all available interfaces, delete the current interface in the Interface text box. When the current interface is deleted from the Interface text box, all available interfaces appear in the drop-down list.

e. Select the NAC Override check box, if applicable. NAC override is disabled by default.

f. Specify the policy configuration parameters by clicking the Add/Edit link.

– Policy Name—Name of the policy.

– Policy Priority—Configure policy priority between 1 and 16. No two policies can have same priority.

Only 16 Policy mappings are allowed per WLAN. Selected policy template for the mapping will be applied first if it does not exist on the controller.

g. When access points and WLAN profiles are added, click Save .

Step 8 (Optional): Add an RF profile, as follows:

a. Click the RF Profiles tab:

b. Complete the fields as follows:

• 802.11a—Choose an RF profile for APs with 802.11a radios.
• 802.11b—Choose an RF profile for APs with 802.11b radios.

Step 9 When you are finished adding APs, WLAN profiles, and RF profiles to the new AP Group, click Save .

Changing the WLAN-interface mapping in an AP Group removes the local VLAN mapping for FlexConnect APs in this group. These mappings need to be reconfigured after applying this change.

Related Topics

• Creating RF Profiles Templates (802.11)
• Working with WLAN AP Groups
• Deleting Controller WLAN AP Groups
• Auditing Controller WLAN AP Groups

Deleting Controller WLAN AP Groups

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click the Device Name of the appropriate controller.

Step 3 From the left sidebar menu, choose WLAN > AP Groups .

Step 4 Select the check box(es) of the AP Groups that you want to delete.

Step 5 Choose Select a command > Delete AP Groups > Go .

Step 6 Click OK to confirm the deletion.

Related Topics

• Working with WLAN AP Groups
• Creating Controller WLAN AP Groups
• Auditing Controller WLAN AP Groups

Auditing Controller WLAN AP Groups

It is possible for difference to occur between the values Prime Infrastructure has stored for an AP group and the actual values stored in the current controller and access points device configurations. Auditing the AP group will help you determine if this has occurred and resolve them.

Step 1 Choose Configuration > Network > Network Devices , then select Device Type > Wireless Controller .

Step 2 Click the Device Name of the appropriate controller.

Step 3 From the left sidebar menu, choose WLAN > AP Groups .

Step 4 Click the name of the access point group that you want to audit.

Step 5 Click Audit.

The Audit button is located at the bottom of the page, next to the Save and Cancel buttons

Related Topics

• Working with WLAN AP Groups
• Creating Controller WLAN AP Groups
• Deleting Controller WLAN AP Groups

Supported Platforms for FlexConnect

FlexConnect is supported only on these components:

• 1130AG, 1240AG, 1142, and 1252 APs
• Cisco 2000, and 4400 series controllers,
• Catalyst 3750G Integrated Wireless LAN Controller Switch
• Cisco Wireless Services Module (WiSM)
• Controller Network Module for Integrated Services Routers

Related Topics

• FlexConnect Guidelines and Limitations
• FlexConnect Authentication Process
• FlexConnect Operation Modes
• FlexConnect States

FlexConnect Guidelines and Limitations

Follow these guidelines when you configure FlexConnect:

• You can deploy FlexConnect with either a static IP address or a DHCP address. The DHCP server must be available locally and must be able to provide the IP address for the AP during bootup.
• The maximum transmission unit (MTU) must be at least 500 bytes.
• Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication.
• The controller can send multicast packets in the form of unicast or multicast packets to the AP. In FlexConnect mode, the AP can receive multicast packets only in unicast form.
• FlexConnect supports CCKM full authentication but not CCKM fast roaming.
• FlexConnect supports a 1-1 network address translation (NAT) configuration and port address translation (PAT) for all features except true multicast. Multicast is supported across NAT boundaries when configured using the Unicast option.
• VPN, IPsec, L2TP, PPTP, Fortress authentication, and Cranite authentication are supported for locally switched traffic if these security types are accessible locally at the AP.
• NAC out-of-band integration is supported only on WLANs configured for FlexConnect central switching. It is not supported for use on WLANs configured for FlexConnect local switching.
• For FlexConnect APs, the interface mapping at the controller for WLANs configured for FlexConnect local switching is inherited at the AP as the default VLAN tagging. This can be easily changed per SSID and per FlexConnect AP. Non-FlexConnect APs tunnel all traffic back to the controller, and VLAN tagging is dictated by each interface mapping of the WLAN
• VLAN is not enabled on the FlexConnect AP by default. When FlexConnect is enabled, the AP inherits the VLAN ID associated to the WLAN. This configuration is saved in the AP and received after the successful join response. By default, the native VLAN is 1. One native VLAN must be configured per FlexConnect AP in a VLAN-enabled domain. Otherwise, the AP cannot send and receive packets to and from the controller. When the client is assigned a VLAN from the RADIUS server, that VLAN is associated to the locally switched WLAN.

Related Topics

• FlexConnect Authentication Process

FlexConnect Authentication Process

A FlexConnect AP searches for a controller on booting up. The AP joins the controller, downloads the latest software image from the controller and configuration information, and initializes the radio. It saves the downloaded configuration in non-volatile memory for use in standalone mode.

A FlexConnect AP identifies the controller IP address in one of the following ways:

• If the AP has been assigned an IP address from a DHCP server, it discovers a controller through the regular CAPWAP discovery process [Layer 3 broadcast, over-the-air provisioning (OTAP), DNS, or DHCP option 43]. OTAP does not work when the AP is booting up for the first time.
• If the AP has been assigned a static IP address, it discovers a controller through any of the CAPWAP discovery process methods except DHCP option 43. If the AP is unable to discover a controller through Layer 3 broadcast or OTAP, we recommend DNS resolution. With DNS, any AP with a static IP address that knows of a DNS server can find at least one controller.
• If you want the AP to discover a controller from a remote network where CAPWAP discovery mechanisms are not available, you can use priming. This method enables you to specify (through the AP command-line interface) the controller to which the AP should connect.

Related Topics

• Supported Platforms for FlexConnect
• FlexConnect Guidelines and Limitations
• FlexConnect Operation Modes
• FlexConnect States

FlexConnect Operation Modes

The two modes of operation for FlexConnect APs are:

• Connected mode— In this mode the FlexConnect AP has CAPWAP connectivity with the controller.
• Standalone mode—In this mode the controller is unreachable and the FlexConnect AP enters standalone mode and authenticates clients by itself.

When a FlexConnect AP enters standalone mode:

– All clients that are on centrally switched WLANs are disassociated.

– For 802.1X or web-authentication WLANs, existing clients are not disassociated, but the FlexConnect AP stops sending beacons when the number of associated clients reaches zero.

– Disassociation messages are sent to new clients associating to 802.1X or web-authentication WLANs.

– Controller-dependent activities such as 802.1X authentication, NAC, and web authentication (guest access) are disabled, and the AP does not send any Intrusion Detection System (IDS) reports to the controller.

– Radio Resource Management (RRM) features (such as neighbor discovery; noise, interference, load, and coverage measurements, use of the neighbor list, and rogue containment and detection) are disabled. However, a FlexConnect AP supports dynamic frequency selection in standalone modes.

The FlexConnect AP maintains client connectivity even after entering standalone mode. However, once the AP reestablishes a connection with the controller, it disassociates all clients, applies new configuration information from the controller, and reallows client connectivity.

The LEDs on the AP change as the device enters different FlexConnect modes.

Related Topics

• Supported Platforms for FlexConnect
• FlexConnect Guidelines and Limitations
• FlexConnect Authentication Process
• FlexConnect States

FlexConnect States

The FlexConnect WLAN can be in any one of the following states depending on the configuration and state of controller connectivity:

• Central authentication, central switching —In this state, the controller handles client authentication, and all client data tunnels back to the controller. This state is valid only in connected mode.
• Central authentication, local switching —In this state, the controller handles client authentication, and the FlexConnect AP switches data packets locally. This state is supported only when the FlexConnect AP is in connected mode.
• Local authentication, local switching —In this state, the FlexConnect AP handles client authentication and switches client data packets locally. The authentication capabilities are present in the AP itself and thus reduces the latency requirements. Local authentication can only be enabled on the WLAN of a FlexConnect AP that is in local switching mode.This state is valid in standalone mode and connected mode.

Local authentication is useful when the following conditions cannot be met:

– A minimum bandwidth of 128 kbps.

– Round trip latency no greater than 100 ms.

– Maximum transmission unit (MTU) no smaller than 500 bytes.

Local authentication does not support:

– Guest Authentication.

– RRM information.

– Local radius.

– Roaming till the WLC and the other FlexConnect APs in the group are updated with the client information.

• Authentication down, switching down —In this state, the WLAN disassociates existing clients and stops sending beacon and probe responses. This state is valid only in standalone mode.
• Authentication down, local switching —In this state, the WLAN rejects any new clients trying to authenticate, but it continues sending beacon and probe responses to keep existing clients alive. This state is valid only in standalone mode.

The WLANS enter the following states when a FlexConnect AP enters the standalone mode:

• Local authentication, local switching state if the WLANs are configured as open, shared, WPA-PSK, or WPA2-PSK authentication and continue new client authentications.
• Authentication down, switching down state if the WLANs configured to central switching.
• Authentication down, local switching state if the WLANs configured to local-switch.

Related Topics

• Supported Platforms for FlexConnect
• FlexConnect Guidelines and Limitations
• FlexConnect Authentication Process
• FlexConnect Operation Modes
• Configuring FlexConnect: Workflow

Configuring FlexConnect: Workflow

To configure FlexConnect, you must follow the instructions in this section in the following order:

1. Configuring the Switch at the Remote Site.

2. Configuring the Controller.

3. Configuring an AP for FlexConnect.

4. Connecting Client Devices to the WLANs.

Configuring the Switch at the Remote Site

To prepare the switch at the remote site, follow these steps:

Step 1 Connect the AP that is enabled for FlexConnect to a trunk or access port on the switch.

Step 2 Configure the switch to support the FlexConnect AP.

Related Topics

• Example: Configuring FlexConnect on Switches at Remote Sites
• Configuring the Controller for a Centrally Switched WLAN
• Configuring the Controller for a Locally Switched WLAN
• Configuring the Controller for a Centrally Switched WLAN for Guest Access

Example: Configuring FlexConnect on Switches at Remote Sites

In this sample configuration:

• The FlexConnect AP is connected to trunk interface FastEthernet 1/0/2 with native VLAN 100. The AP needs IP connectivity on the native VLAN.
• The remote site has local servers/resources on VLAN 101.
• A DHCP pool is created in the local switch for both VLANs in the switch.
• The first DHCP pool (NATIVE) is used by the FlexConnect AP, and the second DHCP pool (LOCAL-SWITCH) is used by the clients when they associate to a WLAN that is locally switched.

The addresses in this sample configuration are for illustration purposes only. The addresses that you use must fit into your upstream network.

Related Topics

• Configuring the Switch at the Remote Site
• Configuring the Controller for a Centrally Switched WLAN
• Configuring the Controller for a Locally Switched WLAN
• Configuring the Controller for a Centrally Switched WLAN for Guest Access

Configuring the Controller for a Centrally Switched WLAN

To create a centrally switched WLAN:

Step 1 Choose Configuration > Network > Network Devices > Wireless Controllers .

Step 2 Click the Device Name of the appropriate controller.

Step 3 From the left sidebar menu, choose WLAN > WLAN Configuration to access the WLAN Configuration page.

Step 4 Choose Add a WLAN from the Select a command drop-down list, and click Go.

Cisco APs can support up to 16 WLANs per controller. However, some Cisco APs do not support WLANs that have a WLAN ID greater than 8. In such cases when you attempt to create a WLAN the following message is displayed:

Not all types of AP support WLAN ID greater than 8, do you wish to continue?

Click OK to creates a WLAN with the next available WLAN ID.

If you have earlier deleted a WLAN that has a WLAN ID less than 8, then that ID is applied to the next created WLAN.

Step 5 Choose a template from the drop-down list to apply it to the controller.

To create a new WLAN template, click Click here link to be redirected to the template creation page.

Step 6 Choose WPA1+WPA2 from the Layer 2 Security drop-down list.

Step 7 Check the Status check box under General Policies to enable the WLAN.

If NAC is enabled and you have created a quarantined VLAN for use with this, make sure to select it from the Interface drop-down list under General Policies. Also, check the Allow AAA Override check box to ensure that the controller validates a quarantine VLAN assignment.

Step 8 Click Save.

Related Topics

• Configuring the Switch at the Remote Site
• Configuring the Controller for a Locally Switched WLAN
• Configuring the Controller for a Centrally Switched WLAN for Guest Access

Configuring the Controller for a Locally Switched WLAN

To create a locally switched WLAN:

Step 1 Create a new WLAN as described in Configuring the Controller for a Centrally Switched WLAN , Step 1 to Step 5.

Step 2 Click the WLAN ID and modify the configuration parameters.

Choose WPA1+WPA2 from the Layer 2 Security drop-down list. Make sure you choose PSK authentication key management and enter a preshared key.

Step 3 Check the Admin Status check box to this WLAN.

Step 4 Check the FlexConnect Local Switching check box to enable local switching.

Step 5 Click Save to commit your changes.

Related Topics

• Configuring the Switch at the Remote Site
• Configuring the Controller for a Centrally Switched WLAN
• Configuring the Controller for a Centrally Switched WLAN for Guest Access

Configuring the Controller for a Centrally Switched WLAN for Guest Access

To create a Centrally Switched WLAN for Guest Access to tunnel guest traffic to the controller:

Step 1 Create a new WLAN as described in Configuring the Controller for a Centrally Switched WLAN , Step 1 to Step 5.

Step 2 Click the WLAN to modify the following configuration parameters:

a. Choose None from the Layer 2 Security and Layer 3 Security drop-down lists on the Security tab.

b. Check the Web Policy check box.

c. Select Authentication .

d. Configure a preauthentication access control list (ACL) on the WLAN if you are using an external web server, and then choose this ACL as the WLAN preauthentication ACL.

Step 3 Check the Status check box under General Policies to enable the WLAN.

Step 4 Click Save to commit your changes.

Related Topics

• Configuring the Switch at the Remote Site
• Configuring the Controller for a Centrally Switched WLAN
• Configuring the Controller for a Locally Switched WLAN
• Adding Guest Users to a Centrally Switched WLAN for Guest Access
• Web Authentication Templates

Adding Guest Users to a Centrally Switched WLAN for Guest Access

To add a local user:

Step 1 Select Configure > Controller Template Launch Pad .

Step 2 Select Security > Local Net Users from the left sidebar menu.

Step 3 From the Select a Command drop-down list select Add Template click Go .

Step 4 Uncheck the Import from File check box.

Step 5 Enter a username and password for the local user.

Step 6 From the Profile drop-down list, choose the appropriate SSID.

Step 7 Enter a description of the guest user account.

Step 8 Click Save .

Related Topics

• Configuring the Controller for a Centrally Switched WLAN for Guest Access

Configuring an AP for FlexConnect

To configure an AP for FlexConnect, follow these steps:

Step 1 Add the AP physically to the network.

Step 2 Select Configure > Access Points .

Step 3 Select the AP from the AP Name list.

Step 4 Select Configure > AP Configuration Templates > Lightweight AP or Autonomous AP if the AP Mode field does not display FlexConnect.

If the AP Mode field displays FlexConnect skip to Step 8.

Step 5 Select the AP from the AP Name list. The Lightweight AP Template Detail page appears.

Step 6 Check the FlexConnect Mode supported check box to view all the profile mappings.

If you are changing the mode to FlexConnect and if the AP is not already in FlexConnect mode, all other FlexConnect parameters are not applied on the AP.

Step 7 Check VLAN Support check box and enter the number of the native VLAN on the remote network in the Native VLAN ID text box.

Step 8 Click the Apply/Schedule tab to save your changes.

Step 9 Click the Edit link in the Locally Switched VLANs section to change the number of VLANs from which a client IP address is obtained.

Step 10 Click Save to save your changes.

Repeat this procedure for any additional APs that need to be configured for FlexConnect at the remote site.

Related Topics

• Configuring the Switch at the Remote Site
• Configuring the Controller for a Centrally Switched WLAN
• Configuring the Controller for a Locally Switched WLAN

Connecting Client Devices to the WLANs

Follow the instructions for your client device to create profiles that connect to the WLANs you created while configuring the controller.

In our example, you create three profiles on the client:

1. To connect to the centrally switched WLAN, create a client profile that uses WPA/WPA2 with PEAP-MSCHAPV2 authentication. When the client becomes authenticated, it gets an IP address from the management VLAN of the controller.

2. To connect to the locally switched WLAN, create a client profile that uses WPA/WPA2 authentication. When the client becomes authenticated, it gets an IP address from VLAN 101 on the local switch.

3. To connect to the centrally switched WLAN for Guest Access, create a profile that uses open authentication. When the client becomes authenticated, it gets an IP address from VLAN 101 on the network local to the AP. After the client connects, the local user types any HTTP address in the web browser. You are automatically directed to the controller to complete the web-authentication process. When the web login page appears, enter the username and password.

To see if data traffic of the client is being locally or centrally switched, choose Monitor > Devices > Clients .

Related Topics

• Configuring the Switch at the Remote Site
• Configuring the Controller for a Centrally Switched WLAN
• Configuring the Controller for a Locally Switched WLAN
• Configuring the Controller for a Centrally Switched WLAN for Guest Access

FlexConnect AP Groups

FlexConnect enables you to configure and control APs in a remote location through a wide area network (WAN) link without deploying a controller in each location. There is no deployment restriction on the number of FlexConnect APs per location, but you can organize and group the APs.

By forming AP groups with similar configurations, a procedure such as CCKM fast roaming can be processed faster than going through the controller individually.

For example, to activate CCKM fast roaming, the FlexConnect APs must know the CCKM cache for all devices that could associate with it. If you have a controller with 300 APs and 1000 devices that can potentially connect, it is quicker and more practical to process and send the CCKM cache for the FlexConnect group rather than for all 1000 devices. One particular FlexConnect group could focus on a small number of APs so that devices in that group connect to and roam between those few APs. With the established group, features such as CCKM cache and backup RADIUS are configured for the entire FlexConnect group rather than being configured in each AP.

All of the FlexConnect APs in a group share the same WLAN, backup RADIUS server, CCKM, and local authentication configuration information. This feature is helpful if you have multiple FlexConnect APs in a remote office or on the floor of a building and you want to configure them all at once. For example, you can configure a backup RADIUS server for a FlexConnect group rather than having to configure the same server on each AP.

The following figure illustrates a typical FlexConnect group deployment with a backup RADIUS server in the branch office.

Figure 21-4 FlexConnect Group Deployment

Related Topics

• FlexConnect Groups and Backup RADIUS Servers
• FlexConnect Groups and CCKM
• FlexConnect Groups and Local Authentication
• Auditing FlexConnect Groups

FlexConnect Groups and Backup RADIUS Servers

You can configure the controller to allow a FlexConnect AP in standalone mode to perform full 802.1x authentication to a backup RADIUS server. You can either configure a primary RADIUS server or both a primary and secondary RADIUS server.

Related Topics

• FlexConnect Groups and CCKM
• FlexConnect Groups and Local Authentication
• Auditing FlexConnect Groups

FlexConnect Groups and CCKM

FlexConnect groups are required for CCKM fast roaming. When you configure your WLAN for CCKM fast secure roaming, EAP-enabled clients securely roam from one access point to another without the need to re-authenticate with the RADIUS server. Using CCKM, an access point uses a fast re-keying technique that enables Cisco client devices to roam from one access point to another typically in under 150 milliseconds. CCKM fast secure roaming ensures that there is no perceptible delay in time-sensitive applications. The FlexConnect access points obtains the CCKM cache information for all the clients that might associate so they can process it quickly instead of sending it back to the controller.

For example, if you have a controller with 300 APs and 100 clients that might associate, sending the CCKM cache for all 100 clients is not practical. If you create a FlexConnect group comprising a limited number of APs, the clients roam only among those four APs, and the CCKM cache is distributed among those four APs only when the clients associate to one of them.

CCKM fast roaming between FlexConnect and non-FlexConnect APs is not supported.

Related Topics

• FlexConnect Groups and Backup RADIUS Servers
• FlexConnect Groups and Local Authentication
• Auditing FlexConnect Groups

FlexConnect Groups and Local Authentication

You can configure the controller to allow a FlexConnect AP in standalone mode to perform LEAP or EAP-FAST authentication for up to 20 statically configured users. The controller sends the static list of usernames and passwords to each FlexConnect AP when it joins the controller. Each AP in the group authenticates only its own associated clients.

This feature is ideal for customers who are migrating from an autonomous AP network to a lightweight FlexConnect AP network and are not interested in maintaining a large user database nor adding another hardware device to replace the RADIUS server functionality available in the autonomous AP.

LEAP or EAP-FAST authentication can be used in conjunction with the FlexConnect backup RADIUS server. If a FlexConnect group is configured with both a backup RADIUS server and local authentication, the FlexConnect AP always attempts to authenticate clients using the primary backup RADIUS server first, followed by the secondary backup RADIUS server (if the primary is not reachable), and finally the FlexConnect AP itself (if the primary and secondary RADIUS servers are not reachable).

Related Topics

• FlexConnect Groups and Backup RADIUS Servers
• FlexConnect Groups and CCKM
• Configuring FlexConnect AP Groups
• Auditing FlexConnect Groups

Viewing FlexConnect AP Groups

You can view a list of existing FlexConnect AP groups.

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose FlexConnect > FlexConnect AP Groups . The FlexConnect AP Groups page opens.

Step 4 Click the group name to view details about the FlexConnect AP group.

Configuring FlexConnect AP Groups

To configure a FlexConnect AP group, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose FlexConnect > FlexConnect AP Groups .

Step 4 From the Select a command drop-down list, click Add FlexConnect AP Group to open the FlexConnect AP Group > Add From Template pane.

Step 5 Choose a template from the Select a template to apply to this controller drop-down list.

Step 6 Click Apply .

Step 7 Configure the required FlexConnect AP Group parameters. You can add, edit, or remove any of the following mappings by clicking the required tab:

• VLAN-ACL Mapping—Valid VLAN ID range is 1-4094.
• WLAN-ACL Mapping—Select the FlexConnect access control list for external web authentication. You can add up to a maximum of 16 WebAuth ACLs.
• WebPolicy ACL—Select the FlexConnect access control list to be added as a web policy. You can add up to a maximum of 16 Web-Policy ACLs.
• Local Split
• Central DHCP

– Central DHCP—When you enable this feature, the DHCP packets received from APs are centrally switched to the controller and then forwarded to the corresponding VLAN based on the AP and the SSID.

– Override DNS—You can enable or disable the overriding of the DNS server address on the interface assigned to the locally switched WLAN. When you override DNS in centrally switched WLANs, the clients get their DNS server IP address from the AP, not from the controller.

– NAT-PAT—You can enable or disable Network Address Translation (NAT) and Port Address Translation (PAT) on locally switched WLANs. You must enable Central DHCP Processing to enable NAT and PAT.

Step 8 To see if an individual access point belongs to a FlexConnect group, click the Users configured in the group link. The FlexConnect AP Group page shows the names of the groups and the access points that belong in it.

Step 9 Click Save .

Step 10 To delete an existing FlexConnect AP group, select the check box of the group you want to remove, and choose Delete FlexConnect AP Group from the Select a command drop-down list.

Related Topic

Add xref to Ref Guide.

• Verifying APs in FlexConnect Groups

Verifying APs in FlexConnect Groups

To verify that an individual AP belongs to a FlexConnect group, click the Users configured in the group link. It takes you to the FlexConnect AP Group page, which shows the names of the groups and the APs that belong to it.

Related Topics

• Auditing FlexConnect Groups

Auditing FlexConnect Groups

If the FlexConnect configuration changes over a period of time either on Prime Infrastructure or the controller, you can audit the configuration. The changes are visible on subsequent screens. You can choose to synchronize the configuration by refreshing Prime Infrastructure or the controller.

Related Topics

• Configuring FlexConnect AP Groups
• Viewing FlexConnect AP Groups

Configuring Controller File Encryption

You can configure file encryption to ensure that data is encrypted when you upload or download controller configuration files from a TFTP server.

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > File Encryption .

Step 4 Check the File Encryption box.

Step 5 In the Encryption Key field, enter a text string of exactly 16 characters. Reenter the key in the Confirm Encryption Key field.

Step 6 Click Save .

Related Topics

• Configuring Controller Security Parameters

Configuring Controllers AAA Security

This section describes how to configure controller security AAA parameters and contains the following topics:

• Configuring AAA General Parameters
• Viewing AAA RADIUS Auth Servers
• Viewing AAA RADIUS Acct Servers
• Configuring AAA RADIUS Fallback Parameters
• Configuring AAA LDAP Servers
• Configuring AAA TACACS+ Servers
• Viewing AAA Local Net Users
• Configuring AAA MAC Filtering
• Configuring AAA AP/MSE Authorization
• Configuring AAA Web Auth Configuration
• Configuring AAA Web Auth Configuration

Configuring AAA General Parameters

The General page allows you to configure the local database entries on a controller.

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > General - AAA .

Step 4 Enter the maximum number of allowed database entries. The valid range is 512 - 2048.

Step 5 Reboot your server to apply the changes.

Related Topic

• Configuring Controllers AAA Security

Viewing AAA RADIUS Auth Servers

You can view a summary of existing RADIUS authentication servers

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Auth Servers . The following RADIUS Auth Servers parameters appear:

• Server Index—Access priority number for the RADIUS server (display only). Click to go to Configure IPaddr > RADIUS Authentication Server.
• Server Address—IP address of the RADIUS server (read-only).
• Port Number—Controller port number (read-only).
• Admin Status—Enable or Disable.
• Network User—Enable or Disable.
• Management User—Enable or Disable.

Related Topics

• Configuring Controllers AAA Security
• Adding Authentication Servers

Adding Authentication Servers

To add an authentication server, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Auth Servers .

Step 4 From the Select a command drop-down list, choose Add Auth Server to open the Radius Authentication Server > Add From Template page.

Step 5 Choose a template from the Select a template to apply to this controller drop-down list.

Step 6 Click Apply .

To create a new template for Radius authentication servers, choose Configuration > Templates > Features and Technologies > Controller > Security > AAA > RADIUS Auth Servers .

Related Topic

• Configuring Controllers AAA Security
• Viewing AAA RADIUS Auth Servers

Viewing AAA RADIUS Acct Servers

To view a summary of existing RADIUS accounting servers, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Acct Servers . RADIUS Acct Server parameters include the following:

• Server Index—Access priority number for the RADIUS server (read-only). Click to open the Radius Acct Servers Details page.

To edit or audit the current accounting server parameters, click the Server Index for the applicable accounting server.

• Server Address—IP address of the RADIUS server (read-only).
• Port Number—Controller port number (read-only).
• Admin Status—Enable or Disable.
• Network User—Enable or Disable.

Related Topic

• Configuring Controllers AAA Security
• Adding an Accounting Server

Adding an Accounting Server

To add an accounting server, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Acct Servers .

Step 4 From the Select a command drop-down list, choose Add Acct Server to open the Radius Acct Servers Details > Add From Template page.

Step 5 Choose a template from the Select a template to apply to this controller drop-down list.

Step 6 From the drop-down list, choose a controller on which to apply to this template.

Step 7 Click Apply .

To create a new template for Radius accounting servers, choose Configuration > Templates > Features and Technologies > Controller > Security > AAA > RADIUS Acct Servers .

Related Topic

• Configuring Controllers AAA Security
• Viewing AAA RADIUS Acct Servers

Deleting an Accounting Server

To delete an accounting server, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Acct Servers .

Step 4 Select the check box(es) for the applicable accounting server(s).

Step 5 From the Select a command drop-down list, choose Delete Acct Server .

Step 6 Click Go .

Step 7 Click OK in the pop-up dialog box to confirm the deletion.

Related Topic

• Configuring Controllers AAA Security
• Viewing AAA RADIUS Acct Servers

Configuring AAA RADIUS Fallback Parameters

To configure RADIUS fallback parameters, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Fallback .

Step 4 Make the required changes, then click Save .

Step 5 Click Audit to check the present configuration status of Prime Infrastructure and the c ontroller.

Related Topic

• Configuring Controllers AAA Security

Configuring AAA LDAP Servers

You can add and delete LDAP servers to controllers. Prime Infrastructure supports LDAP configuration for both an anonymous or authenticated bind.

To access the LDAP Servers page, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > LDAP Servers .

This page displays LDAP servers currently used by this controller and contains the following parameters:

• Check box—Select the check box to choose an LDAP server for deletion.
• Server Index—A number assigned to identify the LDAP server. Click the index number to go the LDAP server configuration page.
• Server Address—The LDAP server IP address.
• Port Number—The port number used to communicate with the LDAP server.
• Admin Status—Server template status.

Indicates if use of the LDAP server template is enabled or disabled.

Step 4 Click on a column title to toggle whether the information in sorted in ascending or descending order.

Related Topics

• Configuring New LDAP Bind Requests
• Configuring Controllers AAA Security

Adding LDAP Servers

To add an LDAP Server, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > LDAP Servers .

Step 4 From the Select a command drop-down list, choose Add LDAP Server .

Step 5 Click Go .

Related Topic

• Configuring Controllers AAA Security

Deleting LDAP Servers

To delete the LDAP Server, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > LDAP Servers .

Step 4 Select the check box(es) of the LDAP servers that you want to delete.

Step 5 From the Select a command drop-down list, choose Delete LDAP Servers .

Step 6 Click Go .

Related Topic

• Configuring Controllers AAA Security

Configuring New LDAP Bind Requests

Prime Infrastructure supports LDAP configuration for both an anonymous or authenticated bind. A bind is a socket opening that performs a lookup.

To configure LDAP bind requests, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > LDAP Servers .

Step 4 Click a value under the Server Index column.

Step 5 From the Bind Type drop-down list, choose Authenticated or Anonymous . If you choose Authenticated, you must enter a bind username and password as well.

Step 6 In the Server User Base DN text box, enter the distinguished name of the subtree in the LDAP server that contains a list of all the users.

Step 7 In the Server User Attribute text box, enter the attribute that contains the username in the LDAP server.

Step 8 In the Server User Type text box, enter the ObjectType attribute that identifies the user.

Step 9 In the Retransmit Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.

Step 10 Select the Admin Status check box if you want the LDAP server to have administrative privileges.

Step 11 Click Save .

Related Topic

• Configuring Controllers AAA Security

Configuring AAA TACACS+ Servers

You can add and delete TACACS+ servers to controllers. To access the TACACS+ Servers page, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > TACACS+ Servers .

This page displays TACACS+ servers currently used by this controller and contains the following parameters:

• Check box—Select the check box to choose a TACACS+ server for deletion.
• Server Type—The TACACS+ server type—accounting, authorization, or authentication.
• Server Index—A number assigned to identify the TACACS+ server and set its use priority. Click the index number to go the TACACS+ server configuration page.
• Server Address—The TACACS+ server IP address.
• Port Number—The port number used to communicate with the TACACS+ server.
• Admin Status—Server template status. Indicates if use of the TACACS+ server template is enabled.

You can select one of the following options from the Select a command drop-down list:

• Add TACACS+ Server—Choose this option, then click Go to add a TACACS+ server to the controller.
• Delete TACACS+ Servers—Choose this option, then click Go to delete all TACACS+ servers with a selected check box from the controller.

Step 4 Click on a column title to toggle whether the information in sorted in ascending or descending order.

Related Topic

• Configuring Controllers AAA Security

Viewing AAA Local Net Users

You can view summary of the existing local network user controllers for clients who are allowed to access a specific WLAN. This is an administrative bypass of the RADIUS authentication process. Layer 3 Web Authentication must be enabled. The client information is passed to the RADIUS authentication server first, and if the client information does not match a RADIUS database entry, this local database is polled. Clients located in this database are granted access to network services if the RADIUS authentication fails or does not exist.

To view existing local network users, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > Local Net Users . The Local Net Users page displays the following local net user parameters:

• Username—User-defined identification.
• WLAN ID—Any WLAN ID, 1 through 16; 0 for all WLANs; 17 for third-party WLAN that this local net user is allowed to access.
• Description—Optional user-defined description.

Related Topics

• Deleting Local Net Users
• Configuring Controllers AAA Security

Deleting Local Net Users

To delete a local net user, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > Local Net Users .

Step 4 Select the check box(es) for the applicable local net user(s).

Step 5 From the Select a command drop-down list, choose Delete Local Net Users .

Step 6 Click Go .

Step 7 Click OK in the dialog box to confirm the deletion.

Related Topic

• Configuring Controllers AAA Security

Configuring AAA MAC Filtering

You can view MAC Filter information. You cannot use MAC address in the broadcast range.

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > MAC Filtering . The MAC Filtering page displays the following parameters:

• MAC Filter Parameters

– RADIUS Compatibility Mode—User-defined RADIUS server compatibility: Cisco ACS, FreeRADIUS, or Other.

– MAC Delimiter—The MAC delimiters can be Colon (xx:xx:xx:xx:xx:xx), Hyphen (xx-xx-xx-xx-xx-xx), Single Hyphen (xxxxxx-xxxxxx), or No Delimiter (xxxxxxxxxxxx), as required by the RADIUS server.

• MAC Filters

– MAC Address—Client MAC address. Click to open Configure IPaddr > MAC Filter.

– WLAN ID—1 through 16, 17 = Third-party AP WLAN, or 0 = all WLANs.

– Interface—Displays the associated Interface Name.

– Description—Displays an optional user-defined description.

Step 4 From the Select a command drop-down list, choose Add MAC Filters to add a MAC Filter, Delete MAC Filters to delete the template(s), or Edit MAC Filter Parameters to edit the MAC Filters.

Step 5 Click Go .

Related Topic

• Configuring Controllers AAA Security

Configuring AAA AP/MSE Authorization

The AP/MSE Authorization page displays the access point policies and the list of authorized access points along with the type of certificate that an access point uses for authorization.

You cannot use MAC address in the broadcast range.

To access the AP/MSE Authorization page, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > AP or MSE Authorization . The AP/MSE Authorization page displays the following parameters:

• AP Policies

– Authorize APs—Enabled or Disabled.

– Accept SSC-APs—Enabled or Disabled.

• AP/MSE Authorization

– AP/MSE Base Radio MAC Address—The MAC address of the authorized access point. Click the AP/MSE Base Radio MAC Address to view AP/MSE Authorization details.

– Type

– Certificate Type—MIC or SSC.

– Key Hash—The 40-hex long SHA1 key hash. The key hash is displayed only if the certificate type is SSC.

Related Topics

• Editing AP/MSE Policies
• Configuring Controllers AAA Security

Editing AP/MSE Policies

To edit AP/MSE Authorization access point policies, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > AP or MSE Authorization .

Step 4 From the Select a command drop-down list, select Edit AP Policies, then click Go .

Step 5 Edit the following parameters, if necessary:

• Authorize APs—Select the check box to enable access point authorization.
• Accept SSC-APs—Select the check box to enable the acceptance of SSE access points.

Step 6 Click Save to confirm the changes, Audit to perform an audit on these device values, or Cancel to close this page with no changes.

Related Topic

• Configuring Controllers AAA Security

Configuring AAA Web Auth Configuration

The Web Auth Configuration page enables the user to configure the web auth configuration type. If the type is configured as customized, the user downloaded web auth replaces the controller-provided internal web auth page.

To access the Web Auth Configuration page, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > Web Auth Configuration .

Step 4 Select the Web Auth Type from the drop-down list.

Step 5 Configure the web auth parameters depending on the type chosen:

• Default Internal

– Custom Redirect URL—URL where the user is redirected after a successful authentication. For example, if the value entered for this text box is http://www.example.com, the user is directed to the company home page.

– Logo Display—Enable or disable logo display.

– Web Auth Page Title—Title displayed on web authentication page.

– Web Auth Page Message—Message displayed on web authentication page.

• Customized Web Auth

You can download an example login page and customizing the page. If you are using a customized web authentication page, it is necessary to download the example login.tar bundle file from the server, edit the login.html file and save it as either a .tar or .zip file, then download the .tar or .zip file to the controller.

Click the preview image to download this sample login page as a TAR. After editing the HTML you might click here to redirect to the Download Web Auth page. See the Downloading Customized WebAuthentication Bundles to Controllers for more information.

• External

– External Redirect URL—Location of the login.html on an external server on the network.

If there are not any external web auth servers configured, you have the option of configuring one.

Related Topic

• Configuring Controllers AAA Security
• Downloading Customized WebAuthentication Bundles to Controllers

Configuring AAA Password Policy

This page enables you to determine your password policy.

To make modifications to an existing password policy, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > AAA > Password Policy .

Step 4 Modify the password policy parameters as appropriate.

Step 5 Click Save .

If you disable password policy options, you see a “Disabling the strong password check(s) will be a security risk as it allows weak passwords” message.

Related Topic

• Configuring Controllers AAA Security

Local EAP on Controllers

Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down.

When you enable local EAP, the controller serves as the authentication server and the local user database, making it independent of an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users.

Related Topic

• Configuring Local EAP General Parameters
• Local EAP Profiles
• Configuring Local EAP General EAP-FAST Parameters
• Configuring Local EAP General Network Users Priority

Configuring Local EAP General Parameters

You can specify a timeout value for local EAP. You can then add a template with this timeout value or make changes to an existing template.

If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then re-authenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.

To specify a timeout value for local EAP, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > Local EAP > General - Local EAP.

Step 4 Enter the Local Auth Active Timeout in the Local Auth Active Timeout text box (in seconds). Local Auth Active Timeout refers to the timeout period during which Local EAP is always used after all Radius servers are failed.

Step 5 The following values should be adjusted if you are using EAP-FAST, manual password entry, one-time password, or 7920/7921 phones.

You must increase the 802.1x timeout values on the controller (default=2 seconds) for the client to obtain the PAC using automatic provisioning. We recommend the default timeout on the Cisco ACS server of 20 seconds.

• Local EAP Identify Request Timeout =1 (in seconds)
• Local EAP Identity Request Maximum Retries=20 (in seconds)
• Local EAP Dynamic Wep Key Index=0
• Local EAP Request Timeout=20 (in seconds)
• Local EAP Request Maximum Retries=2
• EAPOL-Key Timeout=1000 (in milli-seconds)
• EAPOL-Key Max Retries=2
• Max-Login Ignore Identity Response

Roaming fails if these values are not set the same across multiple controllers.

Step 6 Click Save .

Related Topics

• Local EAP on Controllers
• Local EAP Profiles
• Configuring Local EAP General EAP-FAST Parameters
• Configuring Local EAP General Network Users Priority

Local EAP Profiles

You can apply a template for a local EAP profile or make modifications to an existing template.

The LDAP backend database supports only these local EAP methods: EAP-TLS and EAP-FAST with certificates. LEAP and EAP-FAST with PACs are not supported for use with the LDAP backend database.

Related Topics

• Viewing Existing Local EAP Profiles
• Adding Local EAP Profiles
• Local EAP on Controllers

Viewing Existing Local EAP Profiles

To view existing local EAP profiles, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > Local EAP > Local EAP Profiles . The Local EAP Profiles page displays the following parameters:

• EAP Profile Name—User-defined identification.
• LEAP—Authentication type that leverages Cisco Key Integrity Protocol (CKIP) and MMH message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point.
• EAP-FAST—Authentication type (Flexible Authentication via Secure Tunneling) that uses a three-phased tunnel authentication process to provide advanced 802.1x EAP mutual authentication. A username, password, and PAC (protected access credential) are used to perform mutual authentication with the RADIUS server through the access point.
• TLS—Authentication type that uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. It requires a client certificate for authentication.
• PEAP—Protected Extensible Authentication Protocol.

Related Topics

• Local EAP on Controllers
• Local EAP Profiles

Adding Local EAP Profiles

To add a local EAP profile, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > Local EAP > Local EAP Profile .

Step 4 From the Select a command drop-down list, choose Add Local EAP Profile .

Step 5 Choose a template from the Select a template to apply to this controller drop-down list.

Step 6 Click Apply .

Related Topics

• Local EAP on Controllers
• Local EAP Profiles
• Configuring Local EAP General Parameters
• Configuring Local EAP General EAP-FAST Parameters
• Configuring Local EAP General Network Users Priority

Configuring Local EAP General EAP-FAST Parameters

The EAP-FAST authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1x EAP mutual authentication. A username, password, and PAC are used to perform mutual authentication with the RADIUS server through the access point.

To set EAP-FAST Parameters, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > Local EAP > EAP-FAST Parameters.

Step 4 Enter the following parameters:

• Time to live for the PAC—The number of days for the PAC to remain viable. The valid range is 1 to 1000 days; the default setting is ten days.
• Authority ID—The authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters but it must be an even number of characters.
• Authority Info—The authority identifier of the local EAP-FAST server in text format.
• Server Key—The key (in hexadecimal characters) used to encrypt and decrypt PACs.
• Confirm Server Key—Verify the correct Server Key by re-typing it.
• Anonymous Provision—Select the check box to enable anonymous provisioning.This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If this feature is disabled, PACs must be manually provisioned.

Step 5 Click Save .

Related Topics

• Local EAP on Controllers
• Local EAP Profiles
• Configuring Local EAP General Parameters
• Local EAP Profiles
• Configuring Local EAP General Network Users Priority

Configuring Local EAP General Network Users Priority

To specify the order that LDAP and local databases use to retrieve user credential information, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > Local EAP > Network Users Priority.

Step 4 Use the left and right pointing arrows to include or exclude network credentials in the right-most list.

Step 5 Use the up and down buttons to determine the order credentials are attempted.

Step 6 Click Save .

Related Topics

• Local EAP on Controllers
• Local EAP Profiles
• Certificate Authority (CA) Certificates
• Configuring Controller Web Auth Certificates

Configuring Controller Web Auth Certificates

You can download a web authorization certificate or regenerate the internally-generated web auth certificate.

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > Web Auth Certificate .

Step 4 Click Download Web Auth Certificate to access the Download Web Auth Certificate to Controller page.

Related Topics

• Local EAP on Controllers
• Configuring Local EAP General Parameters
• Local EAP Profiles
• Configuring Local EAP General EAP-FAST Parameters

Configuring Controller User Login Policies

To configure the user login policies for controllers, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > User Login Policies.

Step 4 Enter the maximum number of concurrent logins allowed for a single username.

Step 5 Click Save .

Managing Manually Disabled Clients

The Disabled Clients page enables you to view excluded (blacklisted) client information.

Clients who fail to authenticate three times when attempting to associate are automatically blocked, or excluded, from further association attempts for an operator-defined timeout. After the Excluded timeout, the client is allowed to retry authentication until it associates or fails authentication and is excluded again.

You cannot use MAC address in the broadcast range.

To access the Manually Disabled Clients page, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > Manually Disabled Clients . The Manually Disabled Clients page displays the following parameters:

• MAC Address—Disabled Client MAC addresses. Click a list item to edit the disabled client description.
• Description—Optional description of disabled client.

Configuring Controller Access Control Lists

You can view, edit, or add a new access control list (ACLs) for controllers.

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > Access Control Lists .

• Check box—Use the check box to select one or more ACLs for deletion.
• ACL Name—User-defined name of this template. Click an ACL item to view its parameters.

Related Topic

• Configuring Access Control List Rules
• Configuring CPU Access Control Lists

Configuring Access Control List Rules

You can create and modify access control list Access Control Lists (ACL) rules applied to controllers.

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > Access Control Lists .

Step 4 Click an ACL name.

• Check box—Select to delete access control list rules.
• Seq#—You can define up to 64 Rules for each ACL. The Rules for each ACL are listed in contiguous sequence from 1 to 64. That is, if Rules 1 through 4 are already defined and you add Rule 29, it is added as Rule 5.

If you add or change a Sequence number, Prime Infrastructure adjusts the other rule sequence numbers to retain the contiguous sequence. For instance, if you have Sequence numbers 1 through 7 defined and change number 7 to 5, operating system automatically reassigns Sequence 6 to 7 and Sequence 5 to 6.

• Action—Permit, Deny.
• Source IP/Mask—Source IP address and mask.
• Destination IP/Mask—Destination IP address and mask.
• Protocol—Protocol to use for this ACL:

– Any—All protocols

– TCP—Transmission Control Protocol

– UDP—User Datagram Protocol

– ICMP—Internet Control Message Protocol

– ESP—IP Encapsulating Security Payload

– AH—Authentication Header

– GRE—Generic Routing Encapsulation

– IP—Internet Protocol

– Eth Over IP—Ethernet over Internet Protocol

– Other Port OSPF—Open Shortest Path First

– Other—Any other IANA protocol (http://www.iana.org/)

If TCP or UDP is selected, Source Port and Dest Port parameters appear:

– Source Port—Source Port. Can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other and Port Range.

– Dest Port—Destination port. If TCP or UDP is selected, can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other and Port Range.

• DSCP (Differentiated Services Code Point)—Any, or 0 through 255.

Adding New ACL Rules

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > Access Control Lists .

Step 4 Click an ACL name.

Step 5 Click an applicable Seq#, or choose Add New Rule to access this page.

Related Topics

• Configuring Controller Access Control Lists
• Configuring CPU Access Control Lists

FlexConnect Access Control Lists

The ACLs on FlexConnect provide a mechanism to cater to the need for access control at the FlexConnect access point for protection and integrity of locally switched data traffic from the access point.

Related Topics

• Adding FlexConnect Access Control Lists
• Deleting FlexConnect Access Control Lists

Adding FlexConnect Access Control Lists

To add an Access Control List for FlexConnect access points, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > FlexConnect ACLs .

Step 4 From the Select a command drop-down list, choose Add FlexConnect ACLs .

Step 5 Click Go .

You cannot add a FlexConnect ACL if there is no template created. If you try to create an FlexConnect ACL when there are no templates available, you are redirected to the New Controller Templates page where you can create a template for FlexConnect ACL.

Step 6 Choose a template from the drop-down list to apply to the controller, and click Apply .

The FlexConnect ACL that you created appears in Configure > Controllers > IP Address > Security > FlexConnect ACLs.

Related Topics

• FlexConnect Access Control Lists

Deleting FlexConnect Access Control Lists

To delete a FlexConnect ACL, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > FlexConnect ACLs .

Step 4 From the FlexConnect ACLs page, select one or more FlexConnect ACLs to delete.

Step 5 From the Select a command drop-down list, choose Delete FlexConnect ACLs .

Step 6 Click Go .

Related Topics

• FlexConnect Access Control Lists

Configuring CPU Access Control Lists

Access control lists (ACLs) can be applied to the controller CPU to control traffic to the CPU.

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > CPU Access Control Lists .

Step 4 Select the Enable CPU ACL check box to enable the CPU ACL. The following parameters are available:

• ACL Name—Choose the ACL to use from the ACL Name drop-down list.
• CPU ACL Mode—Choose which data traffic direction this CPU ACL list controls.

Related Topics

• FlexConnect Access Control Lists
• Configuring Controller Access Control Lists
• Configuring Access Control List Rules

Configuring the IDS Sensor List

When the sensors identify an attack, they alert the controller to shun the offending client. When you add a new IDS (Intrusion Detection System) sensor, you register the controller with that IDS sensor so that the sensor can send shunned client reports to the controller. The controller also polls the sensor periodically.

To view IDS sensors, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > IDS Sensor Lists .

The IDS Sensor page lists all IDS sensors that have been configured for this controller. Click an IP address to view details for a specific IDS sensor.

Certificate Authority (CA) Certificates

A Certificate Authority (CA) certificate is a digital certificate issued by one certificate authority (CA) for another certification CA. \

Related Topics

• Importing CA Certificates
• Pasting CA Certificates Directly

Importing CA Certificates

To import a CA certificate from a file, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > IP Sec Certificates > CA Certificate .

Step 4 Click Browse to navigate to the applicable certificate file.

Step 5 Click Open , then click Save .

Related Topics

• Certificate Authority (CA) Certificates

Pasting CA Certificates Directly

To paste a CA certificate directly, follow these steps:

Step 1 Copy the CA certificate to your computer clipboard.

Step 2 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 3 Click the device name of the applicable controller.

Step 4 From the left sidebar menu, choose Security > IP Sec Certificates > CA Certificate .

Step 5 Select the Paste check box.

Step 6 Paste the certificate directly into the text box.

Step 7 Click Save .

Related Topics

• Certificate Authority (CA) Certificates
• Identity Certificates
• Configuring Controller Web Auth Certificates

Identity Certificates

This page lists the existing network Identity (ID) certificates by certificate name. An ID certificate can be used by web server operators to ensure secure server operation. ID certificates are available only if the controller is running Cisco Unified Wireless Network Software Version 3.2 or higher.

• Importing ID Certificates
• Pasting ID Certificates

Importing ID Certificates

To import an ID certificate from a file, follow these steps:

Step 1 Choose Configuration > Network > Network Devices , then from the Device Groups menu on the left, select Device Type > Wireless Controller .

Step 2 Click the device name of the applicable controller.

Step 3 From the left sidebar menu, choose Security > IP Sec Certificates > ID Certificate .

Step 4 From the Select a command drop-down list, choose Add Certificate .

Step 5 Click Go .

Step 6 Enter the Name and Password.

Step 7 Click Browse to navigate to the applicable certificate file.

Step 8 Click Open , then click Save .

Related Topics