Configuring Controllers
The following sections describe how to configure your controllers using Prime Infrastructure:
Viewing All Controllers
You can view a summary of all controllers in the Prime Infrastructure database.
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 To use the command buttons at the top of the page, select the check box next to one or more controllers.
Step 3 To view specific information about a controller, click on a Device Name.
Wireless Controller Summary Information
When you choose Configuration > Network > Network Devices, select Device Type > Wireless Controller, then select a check box next to one or more controllers, summary information appears:
Table 21-1 Wireless Controller Summary Information
| Field | Description |
|---|---|
| Device Name | Name of the controller. Click on a device name to view device details, configure the controller, apply templates, view and schedule configuration archives, and view and update the controller software image. |
| Reachability | Reachability status is updated based on the last execution information of the Device Status background task. |
| IP Address/DNS | Local network IP address of the controller management interface. Click the icon under the IP address to launch the controller web user interface in a new browser window. |
| Device Type | Based on the series, device types are grouped. For example: WLC2100—21xx Series Wireless LAN Controllers; 2500—25xx Series Wireless LAN Controllers; 4400—44xx Series Wireless LAN Controllers; 5500—55xx Series Wireless LAN Controllers; 7500—75xx Series Wireless LAN Controllers; WiSM—WiSM (slot number, port number); WiSM2—WiSM2 (slot number, port number) |
| AP Discovery Status | Indicates whether the AP discovery has completed. |
| Software Version | The operating system release.version.dot.maintenance number of the code currently running on the controller. |
| Mobility Group Name | Name of the mobility or WPS group. |
Controller-Specific Commands
When you choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller and select the check box next to one or more devices, the following buttons appear at the top of the page:
- Delete—Allows you to delete a controller.
- Edit—Allows you to edit general parameters, SNMP parameters, Telnet/SSH parameters, HTTP parameters, and IPSec parameters.
- Sync—
- Groups & Sites—Allows you to add and remove controllers from location groups and sites.
- Reboot—Enables you to confirm the restart of your controller after saving configuration changes. You can select these reboot options:
  – Save Config to Flash—Data is saved to the controller in non-volatile RAM (NVRAM) and is preserved in the event of a power cycle. If the controller is rebooted, all applied changes are lost unless the configuration has been saved.
  – Reboot APs
  – Swap AP Image
- Download—Allows you to select the following options to download software to controllers.
  – Download Software—Choose from TFTP, FTP, SFTP to download software to the selected controller or all controllers in the selected groups after you have a configuration group established.
  – Download IDS Signatures
  – Download Customized Web Auth
  – Download Vendor Device Certificate
  – Download Vendor CA Certificate
  – Bulk Update Controllers
  – Save Config to Flash
  – Discover Templates from Controller
  – Templates Applied to Controller
  – Audit Now
  – Update Credentials
Auditing Controllers
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Configure > Audit Now.
Step 4 Click OK in the pop-up dialog box to remove the template associations from configuration objects in the database as well as template associations for this controller from associated configuration groups (this is a template-based audit only).
Controller Audit Reports
After you perform an audit on a controller, the Audit Report displays the following information:
- Device Name
- Time of Audit
- Audit Status
- Applied and Config Group Template Discrepancies information including the following:
  – Template type (template name)
  – Template application method
  – Audit status (for example, mismatch, identical)
  – Template attribute
  – Value in Prime Infrastructure
  – Value in Controller
- Other Prime Infrastructure Discrepancies including the following:
  – Configuration type (name)
  – Audit Status (for example, mismatch, identical)
  – Attribute
  – Value in Prime Infrastructure
  – Value in Controller
  – Total enforcements for configuration groups with background audit enabled. If discrepancies are found during the audit in regards to the configuration groups enabled for background audit, and if the enforcement is enabled, this section lists the enforcements made during the controller audit. If the total enforcement count is greater than zero, this number appears as a link. Click the link to view a list of the enforcements made from Prime Infrastructure.
- Failed Enforcements for Configuration Groups with background audit enabled—If the failed enforcement count is greater than zero, this number appears as a link. Click the link to view a list of failure details (including the reason for the failure) returned by the device.
- Restore Prime Infrastructure Values to Controller or Refresh Configuration from Controller—If there are configuration differences found as a result of the audit, you can either click Restore Prime Infrastructure Values to controller or Sync to bring Prime Infrastructure configuration in sync with the controller.
  – Choose Restore Prime Infrastructure Values to Controller to push the discrepancies to the device.
Updating Controller Credentials
To update SNMP and Telnet credentials, you must do so on each controller. You cannot update SNMP/Telnet credential details for multiple controllers at the same time.
SNMP write access parameters are needed for modifying controller configuration. With read-only access parameters, configuration can be displayed only and not modified.
To update the SNMP/Telnet credentials, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Configure > Update Credentials.
Step 4 Complete the required fields, then click OK.
Updating Controller Credentials in Bulk
You can update the credentials of multiple controllers by importing a CSV file.
To update controller(s) information in bulk, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, select Wireless Controllers.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Download > Bulk Update Controllers.
Step 4 Enter the CSV filename in the Select CSV File text box or click Browse to locate the desired file.
Step 5 Click Update and Sync.
Rebooting Controllers
You should save the current controller configuration prior to rebooting. To reboot a controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, select Wireless Controllers, then click Reboot > Reboot Controllers.
Step 2 Select the required Reboot Controller option:
- Save Config to Flash—Data is saved to the controller in non-volatile RAM (NVRAM) and is preserved in the event of a power cycle. If the controller is rebooted, all applied changes are lost unless the configuration has been saved.
- Reboot APs—Select the check box to enable a reboot of the access point after making any other updates.
- Swap AP Image—Indicates whether or not to reboot controllers and APs by swapping AP images. This could be either Yes or No.
Step 3 Click OK.
Downloading Software to Controllers
To download software to a controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controllers.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Download and select one of the following options:
- Download Software TFTP
- Download Software FTP
- Download Software SFTP
Step 4 Complete the required fields.
Step 5 Select the download type. The pre-download option is displayed only when all selected controllers are using Release 7.0.x.x or later.
- Now—Executes the download software operation immediately. If you select this option, proceed with Step 7.
- Scheduled—Specify the scheduled download options.
  – Schedule download to controller—Select this check box to schedule download software to controller.
  – Pre-download software to APs—Select this check box to schedule the pre-download software to APs. The APs download the image and then reboot when the controller reboots. To see Image Predownload status per AP, enable the task in Administration > Dashboards > Job Dashboard > System Jobs > Wireless Poller > AP Image Pre-Download Status, and run an AP Image Predownload report from the Report Launch Pad.
  – FlexConnect AP Upgrade—Select this option to enable one access point of each model in the local network to download the image. The remaining access points will then download the image from the master access point using the pre-image download feature over the local network, which reduces the WAN latency.
Step 6 Select the Schedule options.
Schedule enough time (at least 30 minutes) between Download and Reboot so that all APs can complete the software pre-download. If any AP is in pre-download progress state at the time of the scheduled reboot, the controller will not reboot. You must wait for the pre-download to finish for all the APs, and then reboot the controller manually.
Step 7 Enter the FTP credentials including username, password, and port.
You can use special characters such as @, #, ^, *, ~, _, -, +, =, {, }, [, ], :, ., and / in the password. You cannot use special characters such as $, ', \, %, &, (, ), ;, ", <, >, , , ? , and | as part of the FTP password. The special character "!" (exclamation mark) works when the password policy is disabled.
Step 8 Select whether the file is located on the Local machine or an FTP Server. If you select FTP Server, the software files are uploaded to the FTP directory specified during the installation.
Step 9 Click Download.
If the transfer times out, choose the FTP server option in the File is located on field; the server filename is populated and Prime Infrastructure retries the operation.
Upload Configuration/Logs from Controllers
You can upload a controller system configuration to the specified FTP or TFTP server as a file. Both FTP and TFTP are supported for uploading and downloading files to and from Prime Infrastructure. To upload files from a controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 From the left sidebar menu, choose System > Commands.
Step 4 Select the FTP or TFTP radio button, then select Upload File from Controller and click Go.
Step 5 Complete the required fields.
Prime Infrastructure uses an integral TFTP and FTP server. This means that third-party TFTP and FTP servers cannot run on the same workstation as Prime Infrastructure because Prime Infrastructure and the third-party servers use the same communication port.
Step 6 Click OK. The selected file is uploaded to your TFTP or FTP server and named what you entered in the File Name text box.
Downloading IDS Signatures to Controllers
Prime Infrastructure can download Intrusion Detection System (IDS) signature files to a controller. If you specify to download the IDS signature file from a local machine, Prime Infrastructure initiates a two-step operation:
1. The local file is copied from the administrator workstation to Prime Infrastructure’s built-in TFTP server.
2. The controller retrieves that file.
If the IDS signature file is already in the Prime Infrastructure server’s TFTP directory, the downloaded web page automatically populates the filename.
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Download > Download IDS Signatures.
Step 4 Complete the required fields.
Step 5 Click Download.
If the transfer times out, choose the FTP server option in the File is located on field; the server filename is populated and Prime Infrastructure retries the operation.
Downloading Customized WebAuthentication Bundles to Controllers
You can compress the page and image files used for displaying a web authentication login page, known as webauth bundles, and download the file to a controller.
Controllers accept a .tar or .zip file of up to 1 MB in size. The 1 MB limit includes the total size of uncompressed files in the bundle.
To download customized web authentication bundles to a controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Download > Download Customized WebAuth.
Step 4 To download an example login.tar bundle file, click on the preview image displayed, then edit the login.html file and save it as a .tar or .zip file. The file contains the pages and image files required for the web authentication display.
Step 5 Download the .tar or .zip file to the controller.
Step 6 Select where the file is located.
If you select local machine, you can upload either a .zip or .tar file type. Prime Infrastructure converts .zip files to .tar files. If you choose a TFTP server download, you can specify .tar files only.
Step 7 Complete the required fields, then click Download.
If the transfer times out, choose the FTP server option in the File is located on field; the server filename is populated and Prime Infrastructure retries the operation.
After Prime Infrastructure completes the download, you are directed to a new page and are able to authenticate.
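The bundle limits described above (a .tar or .zip file, 1 MB counted over the uncompressed contents, .tar only for a TFTP server download) can be checked on the workstation before Step 5. The following Python pre-check is an added example, not Cisco code or part of Prime Infrastructure. Its function names, the reading of "1 MB" as 1,048,576 bytes, the login.html warning and the member-path checks are assumptions of the example.

```python
import io
import os
import tarfile
import zipfile

MAX_BUNDLE_BYTES = 1024 * 1024  # assumption: the page's "1 MB" read as 1 MiB


def list_members(blob, ext):
    """Return ([(name, uncompressed_size)], [names of non-file entries])."""
    files, odd = [], []
    if ext == ".tar":
        # mode "r:" accepts only a plain, uncompressed tar
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
            for m in tf.getmembers():
                if m.isfile():
                    files.append((m.name, m.size))
                elif not m.isdir():
                    odd.append(m.name)  # symlink, hard link, device node
    else:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    # file_size is the uncompressed size declared in the zip
                    files.append((info.filename, info.file_size))
    return files, odd


def unsafe_name(name):
    """True for absolute paths or paths containing a '..' component."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or ".." in parts


def check_bundle(filename, blob, source="local"):
    """Check a webauth bundle before download. source: 'local' or 'tftp'."""
    report = {"total": 0, "problems": [], "warnings": []}
    ext = os.path.splitext(filename)[1].lower()
    if ext not in (".tar", ".zip"):
        report["problems"].append("bundle must be a .tar or .zip file")
        return report
    if source == "tftp" and ext == ".zip":
        report["problems"].append("TFTP server download accepts .tar only")
    try:
        files, odd = list_members(blob, ext)
    except (tarfile.TarError, zipfile.BadZipFile) as exc:
        report["problems"].append(f"unreadable archive: {exc}")
        return report
    # The limit applies to the sum of uncompressed member sizes,
    # not to the size of the archive file itself.
    report["total"] = sum(size for _, size in files)
    if report["total"] > MAX_BUNDLE_BYTES:
        report["problems"].append(
            f"uncompressed total {report['total']} bytes exceeds {MAX_BUNDLE_BYTES}")
    # The checks below are hygiene added by this example, not rules from the page.
    for name in [n for n, _ in files] + odd:
        if unsafe_name(name):
            report["problems"].append(f"path escapes bundle root: {name}")
    for name in odd:
        report["problems"].append(f"not a regular file: {name}")
    if not any(os.path.basename(n).lower() == "login.html" for n, _ in files):
        report["warnings"].append("no login.html found (assumed required)")
    return report


# Constructed sample bundles, built in memory so the example runs offline.
def make_tar(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


PAGE = b"<html><body><form>login</form></body></html>"
GOOD_TAR = make_tar({"login.html": PAGE, "logo.jpg": b"\xff\xd8" + bytes(2000)})
# A few KB on disk, but 2 MiB once unpacked: fails the uncompressed limit.
FAT_ZIP = make_zip({"login.html": PAGE, "bg.bmp": bytes(2 * 1024 * 1024)})

if __name__ == "__main__":
    for name, blob, src in [("login.tar", GOOD_TAR, "local"),
                            ("login.zip", FAT_ZIP, "local"),
                            ("login.zip", FAT_ZIP, "tftp")]:
        print(name, src, len(blob), "bytes on disk ->", check_bundle(name, blob, src))
```

The second sample shows why the archive's size on disk is not the figure to check: the .zip is only a few kilobytes but unpacks to more than the limit.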
Downloading Vendor Device Certificates to Controllers
Each wireless device (controller, access point, and client) has its own device certificate. If you want to use your own vendor-specific device certificate, you must download it to the controller.
To download a vendor device certificate to a controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Download > Download Vendor Device Certificate.
Step 4 Complete the required fields, then click Download.
Downloading Vendor CA Certificates to Controllers
Controllers and access points have a certificate authority (CA) certificate that is used to sign and validate device certificates. The controller is shipped with a Cisco-installed CA certificate. This certificate might be used by EAP-TLS and EAP-FAST (when not using PACs) to authenticate wireless clients during local EAP authentication. However, if you want to use your own vendor-specific CA certificate, you must download it to the controller.
To download a vendor CA certificate to the controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Download > Download Vendor Device Certificate.
Step 4 Complete the required fields, then click Download.
Saving Controller Configurations to Flash
To save the configuration to flash memory, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Configure > Save Config to Flash.
Synchronizing Configurations from Controllers
To synchronize the configuration from the controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Sync.
Step 4 Click Yes to proceed.
Managing Controller Templates
You can specify which Prime Infrastructure configurations you want to have associated templates.
The templates that are discovered do not retrieve management or local user passwords.
The following rules apply for template discovery:
- Template Discovery discovers templates that are not found in Prime Infrastructure.
- Existing templates are not discovered.
- Template Discovery does not retrieve dynamic interface configurations for a controller. You must create a new template to apply the dynamic interface configurations on a controller.
Discovering Controller Templates
To discover current templates, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Configure > Discover Templates from Controller.
The Discover Templates page displays the number of discovered templates, each template type and each template name.
Step 4 Select the "Enabling this option will create association between discovered templates and the device listed above" check box so that discovered templates are associated to the configuration on the device and are shown as applied on that controller.
The template discovery refreshes the configuration from the controller prior to discovering templates.
Step 5 Click OK in the warning dialog box to continue with the discovery.
For the TACACS+ Server templates, configurations on the controller with the same server IP address and port number but different server types are aggregated into one single template with the corresponding Server Types set on the Discovered Template. The Admin Status on the discovered template reflects the value of Admin Status on the first configuration from the controller with the same server IP address and port number.
Viewing Templates Applied to Controllers
You can view all templates currently applied to a specific controller. Prime Infrastructure displays templates applied in the partition only.
To view applied templates, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 Click Configure > Templates Applied to a Controller.
The page displays each applied template name, template type, the date the template was last saved, and the date the template was last applied.
Step 4 Click the template name link to view the template details. See Managing Controller Templates for more information.
Replacing Old Controller Models with New Models
When you want to replace an old controller model with a new one without changing the IP address, do the following:
1. Delete the old controller from Prime Infrastructure and wait for the confirmation that the device was deleted.
2. Replace the controller with the new model in the setup with the same IP address.
3. Re-add the IP address to Prime Infrastructure.
Modifying Controller Properties
To change controller properties such as the device name, location, SNMP parameters, or Telnet/SSH parameters, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Select a wireless controller, then click Edit.
Step 3 Modify the fields as desired, then click one of the following buttons:
- Update
- Update & Sync
- Verify Credentials
- Cancel to return to the previous or default settings.
Configuring Controller System Parameters
This section describes how to configure the controller system parameters and contains the following topics:
Modifying General System Properties for Controllers
To view the general system parameters for a current controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 From the left sidebar menu, choose System > General - System. The general system parameters appear.
Step 4 Make the required changes, then click Save.
Enabling AP Failover Priority
When a controller fails, the backup controller configured for the access point suddenly receives a number of Discovery and Join requests. If the controller becomes overloaded, it might reject some of the access points.
By assigning failover priority to an access point, you have some control over which access points are rejected. When the backup controller is overloaded, join requests from access points configured with higher priority levels take precedence over those from lower-priority access points.
To configure failover priority settings for access points, you must first enable the AP Failover Priority feature.
To enable the AP Failover Priority feature, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 From the left sidebar menu, choose General - System.
Step 4 From the AP Failover Priority drop-down list, choose Enabled.
Configuring AP Failover Priority
To configure an access point failover priority, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select an AP Name.
Step 2 From the AP Failover Priority drop-down list, choose the applicable priority (Low, Medium, High, Critical). The default priority is Low.
Configuring 802.3 Bridging
The controller supports 802.3 frames and applications that use them, such as those typically used for cash registers and cash register servers. However, to make these applications work with the controller, the 802.3 frames must be bridged on the controller.
Support for raw 802.3 frames allows the controller to bridge non-IP frames for applications not running over IP. Only this raw 802.3 frame format is currently supported.
To configure 802.3 bridging using Prime Infrastructure, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 Choose System > General - System to access the General page.
Step 4 From the 802.3 Bridging drop-down list, choose Enable to enable 802.3 bridging on your controller or Disable to disable this feature. The default value is Disable.
Step 5 Click Save to confirm your changes.
802.3x Flow Control
Flow control is a technique for ensuring that a transmitting entity, such as a modem, does not overwhelm a receiving entity with data. When the buffers on the receiving device are full, a message is sent to the sending device to suspend the transmission until the data in the buffers has been processed.
By default, flow control is disabled. You can only enable a Cisco switch to receive PAUSE frames but not to send them.
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 Choose System > General - System to access the General page.
Step 4 Click Enable in the 802.3x Flow Control field.
Configuring Lightweight Access Point Protocol Transport Mode
Lightweight Access Point Protocol transport mode indicates the communications layer between controllers and access points. Cisco IOS-based lightweight access points do not support Layer 2 lightweight access point mode. These access points can only be run with Layer 3.
To convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 lightweight access point transport mode using the Prime Infrastructure user interface, follow these steps. This procedure causes your access points to go offline until the controller reboots and the associated access points reassociate to the controller.
Step 1 Make sure that all controllers and access points are on the same subnet.
You must configure the controllers and associated access points to operate in Layer 2 mode before completing the conversion.
Step 2 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 3 Click a Device Name, click the Configuration tab, then choose System > General - System to access the General page.
a. Change lightweight access point transport mode to Layer2 and click Save.
b. If Prime Infrastructure displays the following message, click OK:
   Please reboot the system for the CAPWAP Mode change to take effect.
Step 4 Select the controller, then click Reboot > Reboot Controllers.
Step 5 Select the Save Config to Flash option.
Step 6 After the controller reboots, follow these steps to verify that the CAPWAP transport mode is now Layer 2:
a. Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
b. Click the device name of the applicable controller.
c. Verify that the current CAPWAP transport mode is Layer2 from the System > General - System page.
You have completed the CAPWAP transport mode conversion from Layer 3 to Layer 2. The operating system software now controls all communications between controllers and access points on the same subnet.
Aggressive Load Balancing
In routing, load balancing refers to the capability of a router to distribute traffic over all its network ports that are the same distance from the destination address. Good load-balancing algorithms use both line speed and reliability information. Load balancing increases the use of network segments, thus increasing effective network bandwidth.
Aggressive load balancing actively balances the load between the mobile clients and their associated access points.
Link Aggregation
Link aggregation allows you to reduce the number of IP addresses needed to configure the ports on your controller by grouping all the physical ports and creating a link aggregation group (LAG). In a 4402 model, two ports are combined to form a LAG whereas in a 4404 model, all four ports are combined to form a LAG.
You cannot create more than one LAG on a controller.
If LAG is enabled on a controller, the following configuration changes occur:
- Any dynamic interfaces that you have created are deleted in order to prevent configuration inconsistencies in the interface database.
- Interfaces cannot be created with the “Dynamic AP Manager” flag set.
The advantages of creating a LAG include the following:
- Assurance that, if one of the links goes down, the traffic is moved to the other links in the LAG. As long as one of the physical ports is working, the system remains functional.
- You do not need to configure separate backup ports for each interface.
- Multiple AP-manager interfaces are not required because only one logical port is visible to the application.
When you make changes to the LAG configuration, the controller has to be rebooted for the changes to take effect.
Wireless Management
Because of IPsec operation, management via wireless is only available to operators logging in across WPA, Static WEP, or VPN Pass Through WLANs. Wireless management is not available to clients attempting to log in via an IPsec WLAN.
Mobility Anchor Group Keep Alive Interval
You can specify the delay between tries for clients attempting to join another access point. This decreases the time it takes for a client to join another access point following a controller failure because the failure is quickly identified, the clients are moved away from the problem controller, and the clients are anchored to another controller.
Restoring Controller Factory Defaults
You can reset the controller configuration to the factory default. This overwrites all applied and saved configuration parameters. You are prompted for confirmation to reinitialize your controller.
All configuration data files are deleted, and upon reboot, the controller is restored to its original non-configured state. This removes all IP configuration, and you need a serial connection to restore its base configuration.
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 From the left sidebar menu, choose System > Commands, and from the Administrative Commands drop-down list, choose Reset to Factory Default, and click Go to access this page.
Step 4 After confirming configuration removal, you must reboot the controller and select the Reboot Without Saving option.
Setting Controller Time and Date
You can manually set the current time and date on the controller.
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 From the left sidebar menu, choose System > Commands, and from the Configuration Commands drop-down list choose Set System Time, and click Go.
Step 4 Modify the required parameters:
- Current Time—Shows the time currently being used by the system.
- Month/Day/Year—Choose the month/day/year from the drop-down list.
- Hour/Minutes/Seconds—Choose the hour/minutes/seconds from the drop-down list.
- Delta (hours)—Enter the positive or negative hour offset from GMT (Greenwich Mean Time).
- Delta (minutes)—Enter the positive or negative minute offset from GMT.
- Daylight Savings—Select to enable Daylight Savings Time.
Uploading Configuration and Logs from Controllers
You can upload files from controllers to a local TFTP (Trivial File Transfer Protocol) server. You must enable TFTP to use the Default Server option on the Administration System Settings > Server Settings page.
Prime Infrastructure uses an integral TFTP server. This means that third-party TFTP servers cannot run on the same workstation as Prime Infrastructure, because the Cisco Prime Infrastructure and the third-party TFTP servers use the same communication port.
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 From the left sidebar menu, choose System > Commands.
Step 4 From the Upload/Download Commands drop-down list, choose Upload File from Controller, then click Go.
By default, configuration file encryption is disabled. Uploading a configuration file without encryption is not secure.
Step 5 To enable encryption before uploading files, click the link at the bottom of the Upload File from Controller page.
Step 6 Complete the required fields, then click OK. The selected file is uploaded to your TFTP server with the name you specified.
Downloading Configurations to Controllers
You can download configuration files to your controller from a local TFTP (Trivial File Transfer Protocol) server.
Prime Infrastructure uses an integral TFTP server. This means that third-party TFTP servers cannot run on the same workstation as Prime Infrastructure, because the Cisco Prime Infrastructure and the third-party TFTP servers use the same communication port.
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 From the left sidebar menu, choose System > Commands.
Step 4 From the Upload/Download Commands drop-down list, choose Download Config, then click Go.
Step 5 Complete the required fields, then click OK.
Related Topic
Configuring Controller System Interfaces
Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller to configure controller system interfaces.
Adding Interfaces to Controllers
To add an interface:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 From the left sidebar menu, choose System > Interfaces.
Step 4 From the Select a command drop-down list, choose Add Interface > Go.
Step 5 Complete the required fields, then click Save.
Viewing or Modifying Controller Interface Details
To view the existing interfaces:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 From the left sidebar menu, choose System > Interfaces. The following parameters appear:
- Check box—Check box to select the dynamic interface for deletion. Choose Delete Dynamic Interfaces from the Select a command drop-down list.
- Interface Name—User-defined name for the interface (for example, Management, Service-Port, Virtual).
- VLAN Id—VLAN identifier between 0 (untagged) and 4096, or N/A.
- Quarantine—Select the check box if the interface has a quarantine VLAN ID configured on it.
- IP Address—IP address of the interface.
- Interface Type—Static (Management, AP-Manager, Service-Port, and Virtual interfaces) or Dynamic (operator-defined interfaces).
- AP Management Status—Status of AP Management interfaces. The possible values are Enabled, Disabled, and N/A. Only the management port can be configured as the Redundancy Management Interface port.
Deleting Dynamic Interfaces
The dynamic interface cannot be deleted if it has been assigned to any interface group. To delete a dynamic interface:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click a Device Name, then click the Configuration tab.
Step 3 From the left sidebar menu, choose System > Interfaces.
Step 4 Select the check box of the dynamic interface that you want to delete and choose Delete Dynamic Interfaces from the Select a command drop-down list.
Step 5 Click OK to confirm the deletion.
Configuring Controller System Interface Groups
Interface groups are logical groups of interfaces. Interface groups facilitate user configuration where the same interface group can be configured on multiple WLANs or while overriding a WLAN interface per AP group. An interface group can exclusively contain either quarantine or nonquarantine interfaces. An interface can be part of multiple interface groups.
Follow these recommendations while configuring controller system interface groups:
- Ensure that the interface group name is different from the interface name.
- Guest LAN interfaces cannot be part of interface groups.
The Interface Groups feature is supported by Cisco Wireless Controller software release 7.0.116.0 and later.
Adding Interface Groups
To add an interface group:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 From the left sidebar menu, choose System > Interface Groups.
Step 4 From the Select a command drop-down list, choose Add Interface Group and click Go.
Step 5 Complete the required fields, then click Add.
The Interface dialog box appears.
Step 6 Select the interfaces that you want to add to the group, and click Select.
Step 7 To remove an Interface from the Interface group, from the Interface Group page, select the Interface and click Remove.
Step 8 Click Save to confirm the changes made.
Deleting Interface Groups
You cannot delete interface groups that are assigned to:
- WLANs
- AP groups
- Foreign Controller Mapping for WLANs
- WLAN templates
- AP group templates
To delete an interface group:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 Click the Device Name of the applicable controller.
Step 4 From the left sidebar menu, choose System > Interface Groups.
Step 5 Select the check box of the interface group that you want to delete.
Step 6 From the Select a command drop-down list, choose Delete Interface Group, and click Go.
Step 7 Click OK to confirm the deletion.
Viewing Interface Groups
To view existing interface groups:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 From the left sidebar menu, choose System > Interface Groups. The following parameters appear:
- Name—User-defined name for the interface group (for example, group1, group2).
- Description—(Optional) Description for the Interface Group.
- Interfaces—Count of the number of interfaces belonging to the group.
Step 4 Click the Interface Group Name link.
The Interface Groups Details page appears with the Interface group details as well as the details of the Interfaces that form part of that particular Interface group.
NAC Integration
The Cisco Network Admission Control (NAC) appliance, also known as Cisco Clean Access (CCA), is a Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether machines are compliant with security policies and repairs vulnerabilities before permitting access to the network. The NAC appliance is available in two modes: in-band and out-of-band. Customers can deploy both modes if desired, each geared toward certain types of access (in-band for supporting wireless users and out-of-band for supporting wired users, for example).
Guidelines for Using SNMP NAC
Follow these guidelines when using SNMP NAC out-of-band integration:
- The NAC appliance supports up to 3500 users, and the controller supports up to 5000 users. Therefore, multiple NAC appliances might need to be deployed.
- Because the NAC appliance supports static VLAN mapping, you must configure a unique quarantine VLAN for each interface configured on the controller. For example, you might configure a quarantine VLAN of 110 on controller 1 and a quarantine VLAN of 120 on controller 2. However, if two WLANs or guest LANs use the same distribution system interface, they must use the same quarantine VLAN, provided they have one NAC appliance deployed in the network. The NAC appliance supports unique quarantine-to-access VLAN mapping.
- For posture reassessment based on session expiry, you must configure the session timeout on both the NAC appliance and the WLAN, making sure that the session expiry on the WLAN is greater than that on the NAC appliance.
- When a session timeout is configured on an open WLAN, the timing out of clients in the Quarantine state is determined by the timer on the NAC appliance. Once the session timeout expires for WLANs using web authentication, clients deauthenticate from the controller and must perform posture validation again.
- NAC out-of-band integration is supported only on WLANs configured for FlexConnect central switching. It is not supported for use on WLANs configured for FlexConnect local switching.
- If you want to enable NAC on an access point group VLAN, you must first enable NAC on the WLAN. Then you can enable or disable NAC on the access point group VLAN. If you ever decide to disable NAC on the WLAN, be sure to disable it on the access point group VLAN as well.
- NAC out-of-band integration is not supported for use with the WLAN AAA override feature.
- All Layer 2 and Layer 3 authentication occurs in the quarantine VLAN. To use external web authentication, you must configure the NAC appliance to allow HTTP traffic to and from external web servers and to allow the redirect URL in the quarantine VLAN.
Related Topics
- Cisco NAC Appliance Configuration
Guidelines for Using RADIUS NAC
Follow these guidelines when using RADIUS NAC:
- RADIUS NAC is available only for WLAN with 802.1x/WPA/WPA2 Layer 2 security.
- RADIUS NAC cannot be enabled when FlexConnect local switching is enabled.
- AAA override should be enabled to configure RADIUS NAC.
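The SNMP NAC and RADIUS NAC guidelines above can be checked mechanically before a change is applied. The following Python linter is an added example, not part of the Cisco documentation or of Prime Infrastructure; the dictionary layout and every field name (`quarantine_vlan`, `nac_stage`, `nac_state`, and so on) are assumptions, and the sample data is constructed.

```python
# Added example: the data layout and field names are assumptions for illustration,
# not a Prime Infrastructure or controller export format.
WPA_FAMILY = {"802.1x", "wpa", "wpa2"}  # Layer 2 security modes RADIUS NAC is available for


def lint_nac(controller, nac_appliance_timeout):
    """Return the guideline violations for one controller (timeouts in seconds)."""
    findings = []

    # SNMP NAC: each quarantine-enabled interface needs its own non-zero quarantine VLAN.
    owner = {}
    for iface in controller["interfaces"]:
        if not iface.get("quarantine"):
            continue
        vlan = iface.get("quarantine_vlan", 0)
        if vlan == 0:
            findings.append(f"interface {iface['name']}: quarantine VLAN not set")
        elif vlan in owner:
            findings.append(f"interface {iface['name']}: quarantine VLAN {vlan} "
                            f"already used by {owner[vlan]}")
        else:
            owner[vlan] = iface["name"]
    quarantine_ifaces = {i["name"] for i in controller["interfaces"] if i.get("quarantine")}

    wlans = {w["profile"]: w for w in controller["wlans"]}
    for name, wlan in wlans.items():
        stage = wlan.get("nac_stage", "none")
        if stage == "none":
            continue
        # Neither NAC mode is supported with FlexConnect local switching.
        if wlan.get("flexconnect_local_switching"):
            findings.append(f"wlan {name}: {stage.upper()} NAC with FlexConnect local switching")
        if stage == "snmp":
            if wlan.get("aaa_override"):
                findings.append(f"wlan {name}: SNMP NAC with AAA override enabled")
            # The WLAN session expiry must be greater than the NAC appliance's.
            timeout = wlan.get("session_timeout")
            if timeout is not None and timeout <= nac_appliance_timeout:
                findings.append(f"wlan {name}: session timeout {timeout}s not greater "
                                f"than NAC appliance {nac_appliance_timeout}s")
        elif stage == "radius":
            if wlan.get("l2_security", "none").lower() not in WPA_FAMILY:
                findings.append(f"wlan {name}: RADIUS NAC needs 802.1x/WPA/WPA2 Layer 2 security")
            if not wlan.get("aaa_override"):
                findings.append(f"wlan {name}: RADIUS NAC needs AAA override enabled")

    # NAC on an AP group VLAN requires NAC on the WLAN and a quarantine-enabled interface.
    for group in controller["ap_groups"]:
        if group.get("nac_state", "none") != "snmp":
            continue
        wlan = wlans.get(group["wlan"])
        if wlan is None or wlan.get("nac_stage", "none") != "snmp":
            findings.append(f"ap group {group['name']}: NAC enabled but WLAN "
                            f"{group['wlan']} has no SNMP NAC")
        if group.get("interface") not in quarantine_ifaces:
            findings.append(f"ap group {group['name']}: interface "
                            f"{group.get('interface')} is not quarantine enabled")
    return findings


# Constructed sample: one controller with several deliberate guideline violations.
SAMPLE = {
    "interfaces": [
        {"name": "quarantine-a", "vlan": 10, "quarantine": True, "quarantine_vlan": 110},
        {"name": "quarantine-b", "vlan": 20, "quarantine": True, "quarantine_vlan": 110},
        {"name": "guest", "vlan": 30, "quarantine": False},
    ],
    "wlans": [
        {"profile": "corp", "nac_stage": "snmp", "session_timeout": 1800,
         "aaa_override": True, "flexconnect_local_switching": False},
        {"profile": "branch", "nac_stage": "radius", "l2_security": "WPA2",
         "aaa_override": False, "flexconnect_local_switching": True},
        {"profile": "lab", "nac_stage": "none"},
    ],
    "ap_groups": [
        {"name": "floor1", "wlan": "lab", "nac_state": "snmp", "interface": "guest"},
    ],
}

if __name__ == "__main__":
    for finding in lint_nac(SAMPLE, nac_appliance_timeout=3600):
        print(finding)
```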
Configuring NAC Out-of-Band Integration (SNMP NAC): Workflow
To configure SNMP NAC out-of-band integration, follow this workflow:
1. Configure the quarantine VLAN for a dynamic interface—The NAC appliance supports static VLAN mapping, and you must configure a unique quarantine VLAN for each interface that is configured on the controller.
2. Configure NAC out-of-band support on a WLAN or guest LAN—To enable NAC support on an access point group VLAN, you must first enable NAC on the WLAN or guest LAN.
3. Configure NAC Out-of-band support for a specific AP group—To configure NAC out-of-band support for specific access point groups.
Configuring Quarantine VLAN for Dynamic Interface
To configure the quarantine VLAN for a dynamic interface:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Choose which controller you are configuring for out-of-band integration by clicking it in the IP Address column.
Step 3 Choose System > Interfaces from the left sidebar menu.
Step 4 Click the Interface Name.
Step 5 Choose Add Interface from the Select a command drop-down list and click Go.
Step 6 In the Interface Name text box, enter a name for this interface, such as “quarantine.”
Step 7 In the VLAN ID text box, enter a non-zero value for the access VLAN ID, such as “10.”
Step 8 Select the Quarantine check box if the interface has a quarantine VLAN ID configured on it.
Step 9 Configure any remaining fields for this interface, such as the IP address, netmask, and default gateway.
Note To avoid issues when adding the wireless controller to Prime Infrastructure, the Dynamic Interface should not be in the same subnet as Prime Infrastructure.
Step 10 Enter an IP address for the primary and secondary DHCP server.
Step 11 Click Save.
Configuring NAC Out-of-Band Support on WLANs or Guest LANs
To configure NAC out-of-band support on a WLAN or guest LAN, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name.
Step 3 Choose WLANs > WLAN from the left sidebar menu.
Step 4 Choose Add a WLAN from the Select a command drop-down list, and click Go.
Step 5 If you have a template established that you want to apply to this controller, choose the guest LAN template name from the drop-down list. Otherwise, click the click here link to create a new template.
Step 6 Click the Advanced tab.
Step 7 To configure SNMP NAC support for this WLAN or guest LAN, choose SNMP NAC from the NAC Stage drop-down list. To disable SNMP NAC support, choose None from the NAC Stage drop-down list, which is the default value.
Step 8 Click Apply to commit your changes.
Configuring NAC Out-of-Band Support for Specific AP Groups
To configure NAC out-of-band support for a specific AP group, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 Choose WLANs > AP Groups VLAN from the left sidebar menu to open the AP Groups page.
Step 4 Click the name of the desired AP group.
Step 5 From the Interface Name drop-down list, choose the quarantine enabled interface.
Step 6 To configure SNMP NAC support for this AP group, choose SNMP NAC from the Nac State drop-down list. To disable NAC out-of-band support, choose None from the Nac State drop-down list, which is the default value.
Step 7 Click Apply to commit your changes.
Viewing Client State
To see the current state of the client (either Quarantine or Access), follow these steps:
Step 1 Choose Monitor > Clients and Users to open the Clients. Perform a search for clients.
Step 2 Click the MAC address of the desired client to open the Clients > Detail page. The NAC state appears as access, invalid, or quarantine in the Security Information section.
Wired Guest Access
Wired Guest Access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or specific ports in a conference room.
Like wireless guest user accounts, wired guest access ports are added to the network using the Lobby Ambassador feature. Wired Guest Access can be configured in a standalone configuration or in a dual controller configuration employing an anchor and foreign controller. This latter configuration is used to further isolate wired guest access traffic but is not required for deployment of wired guest access.
Wired Guest Access ports initially terminate on a Layer 2 access switch or switch port which is configured with VLAN interfaces for wired guest access traffic. The wired guest traffic is then trunked from the access switch to a wireless LAN controller. This controller is configured with an interface that is mapped to a wired guest access VLAN on the access switch.
If two controllers are being used, the controller (foreign) that receives the wired guest traffic from the switch then forwards the wired guest traffic to an anchor controller that is also configured for wired guest access. After successful hand off of the wired guest traffic to the anchor controller, a bidirectional Ethernet over IP (EoIP) tunnel is established between the foreign and anchor controllers to handle this traffic.
Although wired guest access is managed by anchor and foreign anchors when two controllers are deployed, mobility is not supported for wired guest access clients. In this case, DHCP and web authentication for the client are handled by the anchor controller.
You can specify how much bandwidth a wired guest user is allocated in the network by configuring and assigning a role and bandwidth contract.
Configuring and Enabling Wired Guest User Access: Workflow
To configure and enable the wired guest user access, follow this workflow:
1. Configure a dynamic interface (VLAN) for wired guest access—Create a dynamic interface to enable the wired guest user access.
2. Configure a wired LAN for guest user access—Configure a new LAN, which is a guest LAN.
Configuring a Dynamic Interface for Wired Guest User Access
To configure and enable a dynamic interface (VLAN) for wired guest user access on the network:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 Choose System > Interfaces from the left sidebar menu.
Step 4 Choose Add Interface from the Select a command drop-down list, and click Go.
Step 5 Complete the required fields.
Step 6 Click Save.
Configuring a Wired LAN for Guest User Access
To configure a wired LAN for guest user access:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name.
Step 3 To configure a wired LAN for guest user access, choose WLANs > WLAN configuration from the left sidebar menu.
Step 4 Choose Add a WLAN from the Select a command drop-down list, and click Go.
Step 5 If you have a template established that you want to apply to this controller, choose the guest LAN template name from the drop-down list. Otherwise, click the click here link to create a new template.
Step 6 In the WLAN > New Template general page, enter a name in the Profile Name text box that identifies the guest LAN. Do not use any spaces in the name entered.
Step 7 Select the Enabled check box for the WLAN Status field.
Step 8 From the Ingress Interface drop-down list, choose the VLAN that you created in Step 3. This VLAN provides a path between the wired guest client and the controller by way of the Layer 2 access switch.
Step 9 From the Egress Interface drop-down list, choose the name of the interface. This WLAN provides a path out of the controller for wired guest client traffic. If you have only one controller in the configuration, choose management from the Egress Interface drop-down list.
Step 10 Click the Security > Layer 3 tab to modify the default security policy (web authentication) or to assign WLAN specific web authentication (login, logout, login failure) pages and the server source.
a. To change the security policy to passthrough, select the Web Policy check box and select the Passthrough radio button. This option allows users to access the network without entering a username or password.
An Email Input check box appears. Select this check box if you want users to be prompted for their e-mail address when attempting to connect to the network.
b. To specify custom web authentication pages, unselect the Global WebAuth Configuration Enabled check box.
When the Web Auth Type drop-down list appears, choose one of the following options to define the web login page for the wireless guest users:
- Default Internal—Displays the default web login page for the controller. This is the default value.
- Customized Web Auth—Displays custom web login, login failure, and logout pages. When the customized option is selected, three separate drop-down lists for login, login failure, and logout page selection appear. You do not need to define a customized page for all three of the options. Choose None from the appropriate drop-down list if you do not want to display a customized page for that option.
- External—Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box.
You can select specific RADIUS or LDAP servers to provide external authentication in the Security > AAA pane. The RADIUS and LDAP external servers must be already configured to have selectable options in the Security > AAA pane. You can configure these servers on the RADIUS Authentication Servers, TACACS+ Authentication Servers page, and LDAP Servers page.
Step 11 If you selected External as the Web Authentication Type, choose Security > AAA and choose up to three RADIUS and LDAP servers using the drop-down lists.
Step 12 Click Save.
Step 13 Repeat this process if a second (anchor) controller is being used in the network.
Creating an Ingress Interface
To create an Ingress interface:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 Choose System > Interfaces from the left sidebar menu.
Step 4 Choose Add Interface from the Select a command drop-down list, and click Go.
Step 5 In the Interface Name text box, enter a name for this interface, such as guestinterface.
Step 6 Enter a VLAN identifier for the new interface.
Step 7 Select the Guest LAN check box.
Step 8 Enter the primary and secondary port numbers.
Step 9 Click Save.
Creating an Egress Interface
To create an Egress interface:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 Choose System > Interfaces from the left sidebar menu.
Step 4 Choose Add Interface from the Select a command drop-down list, and click Go.
Step 5 In the Interface Name text box, enter a name for this interface, such as quarantine.
Step 6 In the vlan Id text box, enter a non-zero value for the access VLAN ID, such as 10.
Step 7 Select the Quarantine check box and enter a non-zero value for the Quarantine VLAN identifier, such as 110.
You can have NAC-support enabled on the WLAN or guest WLAN template Advanced tab for interfaces with Quarantine enabled.
Step 8 Enter the IP address, Netmask, and Gateway information.
Step 9 Enter the primary and secondary port numbers.
Step 10 Provide an IP address for the primary and secondary DHCP server.
Step 11 Configure any remaining fields for this interface, and click Save.
You are now ready to create a wired LAN for guest access.
Configuring Controller Network Routes
The Network Route page enables you to add a route to the controller service port. This route allows you to direct all Service Port traffic to the designated management IP address.
Viewing Existing Network Routes
To view existing network routes:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 Choose System > Network Route from the left sidebar menu. The following parameters appear:
- IP Address—The IP address of the network route.
- IP Netmask—Network mask of the route.
- Gateway IP Address—Gateway IP address of the network route.
Adding Network Routes
To add a network route, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 Choose System > Network Route from the left sidebar menu.
Step 4 From the Select a command drop-down list, choose Add Network Route.
Step 5 Click Go.
Step 6 Complete the required fields, then click Save.
Viewing Controller Spanning Tree Protocol Parameters
Spanning Tree Protocol (STP) is a link management protocol that provides path redundancy while preventing undesirable loops in the network.
To view or manage current STP parameters:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 Choose System > Spanning Tree Protocol from the left sidebar menu. The Spanning Tree Protocol page displays the following parameters:
- Protocol Spec—The current protocol specification.
- Admin Status—Select this check box to enable.
- Priority—The numerical priority number of the ideal switch.
- Maximum Age (seconds)—The amount of time (in seconds) before the received protocol information recorded for a port is discarded.
- Hello Time (seconds)—Determines how often (in seconds) the switch broadcasts its hello message to other switches.
- Forward Delay (seconds)—The time spent (in seconds) by a port in the learning/listening states of the switches.
Configuring Controller Mobility Groups
By creating a mobility group, you can enable multiple network controllers to dynamically share information and forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers can share the context and state of client devices and controller loading information. With this information, the network can support inter-controller wireless LAN roaming and controller redundancy.
If it is possible for a wireless client in your network to roam from an access point joined to one controller to an access point joined to another controller, both controllers should be in the same mobility group.
Messaging Among Mobility Groups
The controller provides inter-subnet mobility for clients by sending mobility messages to other member controllers:
- There can be up to 72 members in the list with up to 24 in the same mobility group.
- The controller sends a Mobile Announce message to members in the mobility list each time a new client associates to it.
- In Prime Infrastructure and Wireless Controller software release 5.0 and later, the controller uses multicast mode to send the Mobile Announce messages. This allows the controller to send only one copy of the message to the network, which delivers it to the multicast group containing all the mobility members.
Mobility Group Prerequisites
Before you add controllers to a mobility group, you must verify that the following prerequisites are met for all controllers that are to be included in the group:
- All controllers must be configured for the same CAPWAP transport mode (Layer 2 or Layer 3).
- IP connectivity must exist between the management interfaces of all controllers.
- All controllers must be configured with the same mobility group name.
- All controllers must be configured with the same virtual interface IP address.
- You must have gathered the MAC address and IP address of every controller that is to be included in the mobility group. This information is necessary because you will be configuring all controllers with the MAC address and IP address of all the other mobility group members.
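The prerequisites above, together with the 72-member and 24-per-group limits stated under Messaging Among Mobility Groups, can be verified against an inventory before any controller is added. The following Python check is an added example, not Cisco code; the inventory layout and field names (`capwap_mode`, `virtual_ip`, `mobility_list`, `nat_ip`) are assumptions, the sample inventory is constructed, and IP connectivity between management interfaces is not tested here.

```python
# Added example: inventory layout and field names are assumptions for illustration.
from collections import Counter

MAX_LIST_MEMBERS = 72    # members allowed in the mobility list
MAX_GROUP_MEMBERS = 24   # of those, members allowed in the same mobility group

SHARED_SETTINGS = (
    ("capwap_mode", "CAPWAP transport mode"),
    ("mobility_group", "mobility group name"),
    ("virtual_ip", "virtual interface IP address"),
)


def norm_mac(mac):
    """Compare MAC addresses regardless of case or '-' versus ':' separators."""
    return mac.replace("-", ":").lower()


def advertised_ip(controller):
    """Address that peers must list: the NAT-translated one when NAT is in the path."""
    return controller.get("nat_ip") or controller["mgmt_ip"]


def check_mobility_group(controllers):
    """Return prerequisite violations for controllers meant to share one mobility group."""
    findings = []

    # Transport mode, group name and virtual interface IP must match on every controller.
    for field, label in SHARED_SETTINGS:
        counts = Counter(c[field] for c in controllers)
        if len(counts) > 1:
            majority = counts.most_common(1)[0][0]
            for c in controllers:
                if c[field] != majority:
                    findings.append(f"{c['name']}: {label} {c[field]!r} "
                                    f"differs from {majority!r}")

    for c in controllers:
        entries = c["mobility_list"]
        listed = {(norm_mac(m["mac"]), m["ip"]) for m in entries}
        # Every controller must carry the MAC and IP address of all other members.
        for peer in controllers:
            if peer is not c and (norm_mac(peer["mac"]), advertised_ip(peer)) not in listed:
                findings.append(f"{c['name']}: mobility list has no entry for "
                                f"{peer['name']} at {advertised_ip(peer)}")
        if len(entries) > MAX_LIST_MEMBERS:
            findings.append(f"{c['name']}: {len(entries)} list members exceed {MAX_LIST_MEMBERS}")
        for group, count in Counter(m["group"] for m in entries).items():
            if count > MAX_GROUP_MEMBERS:
                findings.append(f"{c['name']}: {count} members in group {group!r} "
                                f"exceed {MAX_GROUP_MEMBERS}")
    return findings


def member(mac, ip, group="campus"):
    """Build one mobility list entry (hypothetical helper for the sample data)."""
    return {"mac": mac, "ip": ip, "group": group}


# Constructed inventory: wlc-a sits behind NAT, wlc-b omits wlc-c, and wlc-c has a
# different virtual IP and lists wlc-a by its untranslated management address.
SAMPLE = [
    {"name": "wlc-a", "mac": "00:11:22:33:44:0a", "mgmt_ip": "10.0.0.10",
     "nat_ip": "203.0.113.10", "capwap_mode": "layer3", "mobility_group": "campus",
     "virtual_ip": "192.0.2.1",
     "mobility_list": [member("00:11:22:33:44:0b", "10.0.0.11"),
                       member("00:11:22:33:44:0c", "10.0.0.12")]},
    {"name": "wlc-b", "mac": "00:11:22:33:44:0b", "mgmt_ip": "10.0.0.11",
     "capwap_mode": "layer3", "mobility_group": "campus", "virtual_ip": "192.0.2.1",
     "mobility_list": [member("00-11-22-33-44-0A", "203.0.113.10")]},
    {"name": "wlc-c", "mac": "00:11:22:33:44:0c", "mgmt_ip": "10.0.0.12",
     "capwap_mode": "layer3", "mobility_group": "campus", "virtual_ip": "192.0.2.9",
     "mobility_list": [member("00:11:22:33:44:0a", "10.0.0.10"),
                       member("00:11:22:33:44:0b", "10.0.0.11")]},
]

if __name__ == "__main__":
    for finding in check_mobility_group(SAMPLE):
        print(finding)
```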
Viewing Current Mobility Group Members
To view current mobility group members:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 Choose System > Mobility Groups from the left sidebar menu.
Adding Mobility Group Members from a List of Controllers
To add a mobility group member from a list of existing controllers:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click on a Device Name, then click the Controller tab.
Step 3 Choose System > Mobility Groups from the left sidebar menu.
Step 4 From the Select a command drop-down list, choose Add Group Members.
Step 5 Click Go.
Step 6 Select the check box(es) for the controller to be added to the mobility group.
Step 7 Click Save.
Manually Adding Mobility Group Members
If there were no controllers found to add to the mobility group, you can add members manually. To manually add members to the mobility group, follow these steps:
Step 1 Click the click here link from the Mobility Group Member details page.
Step 2 In the Member MAC Address text box, enter the MAC address of the controller to be added.
Step 3 In the Member IP Address text box, enter the management interface IP address of the controller to be added.
If you are configuring the mobility group in a network where Network Address Translation (NAT) is enabled, enter the IP address sent to the controller from the NAT device rather than the controller management interface IP address. Otherwise, mobility fails among controllers in the mobility group.
Step 4 Enter the multicast group IP address to be used for multicast mobility messages in the Multicast Address text box. The local mobility member group address must be the same as the local controller group address.
Step 5 In the Group Name text box, enter the name of the mobility group.
Step 6 Click Save.
Step 7 Repeat Steps 1 through 6 for the remaining Cisco Wireless Controller devices.
Setting the Mobility Scalability Parameters
Before You Begin
You must configure Mobility Groups prior to setting up the mobility scalability parameters.
To set the mobility message parameters:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the Device Name of a controller whose software version is 5.0 or later.
Step 3 From the left sidebar menu, choose System > General.
Step 4 From the Multicast Mobility Mode drop-down list, specify if you want to enable or disable the ability for the controller to use multicast mode to send Mobile Announce messages to mobility members.
Step 5 If you enabled multicast messaging by setting multicast mobility mode to enabled, you must enter the group IP address at the Mobility Group Multicast-address field to begin multicast mobility messaging. You must configure this IP address for the local mobility group but it is optional for other groups within the mobility list. If you do not configure the IP address for other (non-local) groups, the controllers use unicast mode to send mobility messages to those members.
Step 6 Click Save.
Configuring Controller Network Time Protocol
To add a new NTP Server:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the Device Name of the applicable controller.
Step 3 From the left sidebar menu, choose System > Network Time Protocol.
Step 4 From the Select a command drop-down list, choose Add NTP Server.
Step 5 Click Go.
Step 6 From the Select a template to apply to this controller drop-down list, choose the applicable template to apply to this controller.
Background Scanning on 1510s in Mesh Networks
Background scanning allows Cisco Aironet 1510 Access Points to actively and continuously monitor neighboring channels for more optimal paths and parents. Because the access points are searching on neighboring channels as well as the current channel, the list of optimal alternate paths and parents is greater.
Identifying this information prior to the loss of a parent results in a faster transfer and the best link possible for the access points. Additionally, access points might switch to a new channel if a link on that channel is found to be better than the current channel in terms of fewer hops, stronger signal-to-noise ratio (SNR), and so on.
Background scanning on other channels and data collection from neighbors on those channels are performed on the primary backhaul between two access points:
The primary backhaul for 1510s operates on the 802.11a link.
Background scanning is enabled on a global basis on the associated controller of the access point. Latency might increase for voice calls when they are switched to a new channel.
In the EMEA regulatory domain, locating neighbors on other channels might take longer given DFS requirements.
Background Scanning Scenarios
A few scenarios are provided below to better illustrate how background scanning operates.
In Figure 21-1, when the mesh access point (MAP1) initially comes up, it is aware of both root access points (RAP1 and RAP2) as possible parents. It chooses RAP2 as its parent because the route through RAP2 is better in terms of hops, SNR, and so on. After the link is established, background scanning (once enabled) continuously monitors all channels in search of a more optimal path and parent. RAP2 continues to act as parent for MAP1 and communicates on channel 2 until either the link goes down or a more optimal path is located on another channel.
Figure 21-1 Mesh Access Point (MAP1) Selects a Parent
In Figure 21-2, the link between MAP1 and RAP2 is lost. Data from ongoing background scanning identifies RAP1 and channel 1 as the next best parent and communication path for MAP1 so that link is established immediately without the need for additional scanning after the link to RAP2 goes down.
Figure 21-2 Background Scanning Identifies a New Parent
Enabling Background Scanning
To enable background scanning on an AP1510 RAP or MAP:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click an IP address of the applicable controller.
Step 3 Choose Mesh > Mesh Settings from the left sidebar menu.
Step 4 Select the Background Scanning check box to enable background scanning or unselect it to disable the feature. The default value is disabled.
Step 5 Click Save.
Configuring Controller QoS Profiles
To make modifications to the quality of service profiles:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click an IP address of the applicable controller.
Step 3 From the left sidebar menu, choose System > QoS Profiles. The following parameters appear:
- Bronze—For Background
- Gold—For Video Applications
- Platinum—For Voice Applications
- Silver—For Best Effort
Step 4 Click the applicable profile to view or edit profile parameters.
Step 5 Click Save.
Configuring Controller DHCP Scopes
Controllers have built-in DHCP relay agents. However, when you desire network segments that do not have a separate DHCP server, the controllers can have built-in DHCP scopes that assign IP addresses and subnet masks to wireless clients. Typically, one controller can have one or more DHCP scopes that each provide a range of IP addresses.
Viewing Current DHCP Scopes
To view current DHCP (Dynamic Host Configuration Protocol) scopes, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the Device Name of the applicable controller.
Step 3 From the left sidebar menu, choose System > DHCP Scopes.
Adding a New DHCP Scope
To add a new DHCP Scope, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the Device Name of the applicable controller.
Step 3 From the left sidebar menu, choose System > DHCP Scopes.
Step 4 From the Select a command drop-down list, choose Add DHCP Scope and click Go.
Step 5 Configure the required fields, and click Save.
Viewing Controller User Roles
To view current local net user roles on a controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the Device Name of the applicable controller.
Step 3 From the left sidebar menu, choose System > User Roles. The Local Net User Role parameters appear.
Step 4 Click a Template Name to view the User Role details.
Adding a New Local Net User Role to Controllers
To add a new local net user role to a controller:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the Device Name of the applicable controller.
Step 3 From the left sidebar menu, choose System > User Roles.
Step 4 From the Select a command drop-down list, choose Add User Role.
Step 5 Select a template from the Select a template to apply to this controller drop-down list.
Step 6 Click Apply.
Configuring a Global Access Point Password
The AP Username Password page enables you to set a global password that all access points inherit as they join a controller. When you are adding an access point, you can also choose to accept this global username and password or override it on a per-access point basis.
Also in controller software release 5.0, after an access point joins the controller, the access point enables console port security and you are prompted for your username and password whenever you log into the access point console port. When you log in, you are in non-privileged mode and you must enter the enable password to use the privileged mode.
To establish a global username and password, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the Device Name of a controller running Release 5.0 or later.
Step 3 From the left sidebar menu, choose System > AP Username Password.
Step 4 Enter the username and password that you want to be inherited by all access points that join the controller.
For Cisco IOS access points, you must also enter and confirm an enable password.
Step 5 Click Save.
Configuring Global CDP
Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices.
CDP is enabled on the Ethernet and radio ports of a bridge by default.
Global Interface CDP configuration is applied to only the APs with CDP enabled at AP level.
To configure a Global CDP, perform the following steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the Device Name of the desired controller.
Step 3 From the left sidebar menu, choose System > Global CDP Configuration. The Global CDP Configuration page appears.
Step 4 Configure the required fields in the Global CDP Configuration page. In the Global CDP group box, configure the following parameters:
- CDP on controller—Choose to enable or disable CDP on the controller. This configuration cannot be applied on WiSM2 controllers.
- Global CDP on APs—Choose to enable or disable CDP on the access points.
- Refresh-time Interval (seconds)—In the Refresh Time Interval field, enter the time in seconds at which CDP messages are generated. The default is 60.
- Holdtime (seconds)—Enter the time in seconds before the CDP neighbor entry expires. The default is 180.
- CDP Advertisement Version—Enter which version of the CDP protocol to use. The default is v1.
Step 5 In the CDP for Ethernet Interfaces group box, select the slots of Ethernet interfaces for which you want to enable CDP.
CDP for Ethernet Interfaces fields are supported for Controller Release 7.0.110.2 and later.
Step 6 In the CDP for Radio Interfaces group box, select the slots of Radio interfaces for which you want to enable CDP.
CDP for Radio Interfaces fields are supported for Controller Release 7.0.110.2 and later.
Step 7 Click Save.
Configuring AP 802.1X Supplicant Credentials
You can configure 802.1X authentication between lightweight access points and the switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning. You can set global authentication settings that all access points inherit as they join the controller. This includes all access points that are currently joined to the controller and any that join in the future.
If desired, you can override the global authentication settings and assign unique authentication settings for a specific access point.
To enable global supplicant credentials, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the Device Name of the desired controller.
Step 3 From the left sidebar menu, choose System > AP 802.1X Supplicant Credentials.
Step 4 Select the Global Supplicant Credentials check box.
Step 5 Enter the supplicant username.
Step 6 Enter and confirm the applicable password.
Step 7 Click Save. Once saved, you can click Audit to perform an audit on this controller.
Configuring Controller DHCP
To configure DHCP (Dynamic Host Configuration Protocol) information for a controller:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the Device Name of the desired controller.
Step 3 From the left sidebar menu, choose System > DHCP.
Step 4 Add or modify the following parameters:
- DHCP Option 82 Remote Id Field Format—Choose AP-MAC, AP-MAC-SSID, AP-ETHMAC, or AP-NAME-SSID from the drop-down list.
To set the format for the RemoteID field in DHCP option 82: If Ap-Mac is selected, then set the RemoteID format as AP-Mac. If Ap-Mac-ssid is selected, then set the RemoteID format as AP-Mac:SSID.
- DHCP Proxy—Select the check box to enable DHCP by proxy.
When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client to the configured servers. Consequently, at least one DHCP server must be configured on either the interface associated with the WLAN or the WLAN itself.
Step 5 Enter the DHCP Timeout in seconds after which the DHCP request times out. The default setting is 5. Allowed values range from 5 to 120 seconds. DHCP Timeout is applicable for Controller Release 7.0.114.74 and later.
Step 6 Click Save.
Once saved, you can click Audit to perform an audit on this controller.
Configuring Controller Multicast Mode
Prime Infrastructure provides an option to configure IGMP (Internet Group Management Protocol) snooping and timeout values on the controller.
To configure multicast mode and IGMP snooping for a controller:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the Device Name of the desired controller.
Step 3 From the left sidebar menu, choose System > Multicast.
Step 4 From the Ethernet Multicast Support drop-down list, choose the applicable Ethernet multicast support (Unicast or Multicast).
Step 5 If Multicast is selected, enter the multicast group IP address.
Step 6 Select the Global Multicast Mode check box to make the multicast mode available globally.
IGMP Snooping and timeout can be set only if Ethernet Multicast mode is Enabled. Select to enable IGMP Snooping.
Step 7 Choose Enable from the Multicast Mobility Mode drop-down list to change the IGMP snooping status or to set the IGMP timeout. When IGMP snooping is enabled, the controller gathers IGMP reports from the clients and then sends each access point a list of the clients listening to any multicast group. The access point then forwards the multicast packets only to those clients.
The timeout interval has a range of 3 to 300 and a default value of 60. When the timeout expires, the controller sends a query to all WLANs. Those clients which are listening in the multicast group then send a packet back to the controller.
Step 8 If you enabled the Multicast Mobility Mode, enter the mobility group multicast address.
Step 9 Select the Multicast Direct check box to enable videos to be streamed over a wireless network.
Step 10 Choose Enable from the Multicast Mobility Mode drop-down list to change MLD configuration.
Step 11 Select the Enable MLD Snooping check box to enable IPv6 MLD snooping. If you have selected this check box, configure the following parameters:
- MLD Timeout—Enter the MLD timeout value in seconds. The timeout has a range of 3 to 7200 and a default value of 60.
- MLD Query Interval—Enter the MLD query interval timeout value in seconds. The interval has a range of 15 to 2400 and a default value of 20.
Internet Group Management Protocol (IGMP) snooping enables you to limit the flooding of multicast traffic for IPv4. For IPv6, Multicast Listener Discovery (MLD) snooping is used.
Step 12 Configure the Session Banner information, which is the error information sent to the client if the client is denied or dropped from a Media Stream.
Step 13 Click Save.
Once saved, you can click Audit to perform an audit on this controller.
Configuring Access Point Timer Settings
Advanced timer configuration for FlexConnect and local mode is available for the controller on Prime Infrastructure.
This feature is only supported on Release 6.0 controllers and later.
Configuring Advanced Timers
To configure the advanced timers, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Choose the controller for which you want to set timer configuration.
Step 3 From the left sidebar menu, choose System > AP Timers.
Step 4 In the AP Timers page, click the applicable Access Point Mode link: Local Mode or FlexConnect Mode.
Step 5 Configure the necessary parameters in the Local Mode AP Timer Settings page or in the FlexConnect Mode AP Timer Settings page accordingly.
- AP timer settings for Local Mode—To reduce the failure detection time, you can configure the fast heartbeat interval (between the controller and the access point) with a smaller timeout value. When the fast heartbeat timer expires (at every heartbeat interval), the access point determines if any data packets have been received from the controller within the last interval. If no packets have been received, the access point sends a fast echo request to the controller. You can then enter a value between 10 and 15 seconds.
- AP timer settings for FlexConnect—Once selected, you can configure the FlexConnect timeout value. Select the AP Primary Discovery Timeout check box to enable the timeout value. Enter a value between 30 and 3600 seconds. 5500 series controllers accept access point fast heartbeat timer values in the range of 1-10.
Step 6 Click Save.
Configuring Controller WLANs
Because controllers can support 512 WLAN configurations, Prime Infrastructure provides an effective way to enable or disable multiple WLANs at a specified time for a given controller.
To view a summary of the wireless local access networks (WLANs) that you have configured on your network, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Click the Device Name of the applicable controller.
Step 3 From the left sidebar menu, choose WLANs > WLAN Configuration.
Step 4 Configure the required fields in the Configure WLAN Summary page that appears.
Configuring Controller Security Parameters
Configuring Controller File Encryption
You can configure file encryption to ensure that data is encrypted when you upload or download controller configuration files from a TFTP server.
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > File Encryption.
Step 4 Check the File Encryption box.
Step 5 In the Encryption Key field, enter a text string of exactly 16 characters. Reenter the key in the Confirm Encryption Key field.
Step 6 Click Save.
Configuring Controllers AAA Security
This section describes how to configure controller security AAA parameters and contains the following topics:
Configuring AAA General Parameters
The General page allows you to configure the local database entries on a controller.
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > General - AAA.
Step 4 Enter the maximum number of allowed database entries. The valid range is 512 - 2048.
Step 5 Reboot your server to apply the changes.
Viewing AAA RADIUS Auth Servers
You can view a summary of existing RADIUS authentication servers.
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Auth Servers. The following RADIUS Auth Servers parameters appear:
- Server Index—Access priority number for the RADIUS server (display only). Click to go to Configure IPaddr > RADIUS Authentication Server.
- Server Address—IP address of the RADIUS server (read-only).
- Port Number—Controller port number (read-only).
- Admin Status—Enable or Disable.
- Network User—Enable or Disable.
- Management User—Enable or Disable.
Adding Authentication Servers
To add an authentication server, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Auth Servers.
Step 4 From the Select a command drop-down list, choose Add Auth Server to open the Radius Authentication Server > Add From Template page.
Step 5 Choose a template from the Select a template to apply to this controller drop-down list.
Step 6 Click Apply.
To create a new template for Radius authentication servers, choose Configuration > Templates > Features and Technologies > Controller > Security > AAA > RADIUS Auth Servers.
Viewing AAA RADIUS Acct Servers
To view a summary of existing RADIUS accounting servers, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Acct Servers. RADIUS Acct Server parameters include the following:
- Server Index—Access priority number for the RADIUS server (read-only). Click to open the Radius Acct Servers Details page.
To edit or audit the current accounting server parameters, click the Server Index for the applicable accounting server.
- Server Address—IP address of the RADIUS server (read-only).
- Port Number—Controller port number (read-only).
- Admin Status—Enable or Disable.
- Network User—Enable or Disable.
Adding an Accounting Server
To add an accounting server, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Acct Servers.
Step 4 From the Select a command drop-down list, choose Add Acct Server to open the Radius Acct Servers Details > Add From Template page.
Step 5 Choose a template from the Select a template to apply to this controller drop-down list.
Step 6 From the drop-down list, choose a controller to which to apply this template.
Step 7 Click Apply.
To create a new template for Radius accounting servers, choose Configuration > Templates > Features and Technologies > Controller > Security > AAA > RADIUS Acct Servers.
Deleting an Accounting Server
To delete an accounting server, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Acct Servers.
Step 4 Select the check box(es) for the applicable accounting server(s).
Step 5 From the Select a command drop-down list, choose Delete Acct Server.
Step 6 Click Go.
Step 7 Click OK in the pop-up dialog box to confirm the deletion.
Configuring AAA RADIUS Fallback Parameters
To configure RADIUS fallback parameters, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > RADIUS Fallback.
Step 4 Make the required changes, then click Save.
Step 5 Click Audit to check the present configuration status of Prime Infrastructure and the controller.
Configuring AAA LDAP Servers
You can add and delete LDAP servers to controllers. Prime Infrastructure supports LDAP configuration for both anonymous and authenticated binds.
To access the LDAP Servers page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > LDAP Servers.
This page displays LDAP servers currently used by this controller and contains the following parameters:
- Check box—Select the check box to choose an LDAP server for deletion.
- Server Index—A number assigned to identify the LDAP server. Click the index number to go to the LDAP server configuration page.
- Server Address—The LDAP server IP address.
- Port Number—The port number used to communicate with the LDAP server.
- Admin Status—Server template status. Indicates if use of the LDAP server template is enabled or disabled.
Step 4 Click on a column title to toggle whether the information is sorted in ascending or descending order.
Adding LDAP Servers
To add an LDAP Server, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > LDAP Servers.
Step 4 From the Select a command drop-down list, choose Add LDAP Server.
Step 5 Click Go.
Deleting LDAP Servers
To delete the LDAP Server, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > LDAP Servers.
Step 4 Select the check box(es) of the LDAP servers that you want to delete.
Step 5 From the Select a command drop-down list, choose Delete LDAP Servers.
Step 6 Click Go.
Configuring New LDAP Bind Requests
Prime Infrastructure supports LDAP configuration for both anonymous and authenticated binds. A bind is a socket opening that performs a lookup.
To configure LDAP bind requests, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > LDAP Servers.
Step 4 Click a value under the Server Index column.
Step 5 From the Bind Type drop-down list, choose Authenticated or Anonymous. If you choose Authenticated, you must enter a bind username and password as well.
Step 6 In the Server User Base DN text box, enter the distinguished name of the subtree in the LDAP server that contains a list of all the users.
Step 7 In the Server User Attribute text box, enter the attribute that contains the username in the LDAP server.
Step 8 In the Server User Type text box, enter the ObjectType attribute that identifies the user.
Step 9 In the Retransmit Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
Step 10 Select the Admin Status check box if you want the LDAP server to have administrative privileges.
Step 11 Click Save.
Configuring AAA TACACS+ Servers
You can add and delete TACACS+ servers to controllers. To access the TACACS+ Servers page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > TACACS+ Servers.
This page displays TACACS+ servers currently used by this controller and contains the following parameters:
- Check box—Select the check box to choose a TACACS+ server for deletion.
- Server Type—The TACACS+ server type—accounting, authorization, or authentication.
- Server Index—A number assigned to identify the TACACS+ server and set its use priority. Click the index number to go to the TACACS+ server configuration page.
- Server Address—The TACACS+ server IP address.
- Port Number—The port number used to communicate with the TACACS+ server.
- Admin Status—Server template status. Indicates if use of the TACACS+ server template is enabled.
You can select one of the following options from the Select a command drop-down list:
- Add TACACS+ Server—Choose this option, then click Go to add a TACACS+ server to the controller.
- Delete TACACS+ Servers—Choose this option, then click Go to delete all TACACS+ servers with a selected check box from the controller.
Step 4 Click on a column title to toggle whether the information is sorted in ascending or descending order.
Viewing AAA Local Net Users
You can view a summary of the existing local network user controllers for clients who are allowed to access a specific WLAN. This is an administrative bypass of the RADIUS authentication process. Layer 3 Web Authentication must be enabled. The client information is passed to the RADIUS authentication server first, and if the client information does not match a RADIUS database entry, this local database is polled. Clients located in this database are granted access to network services if the RADIUS authentication fails or does not exist.
To view existing local network users, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > Local Net Users. The Local Net Users page displays the following local net user parameters:
- Username—User-defined identification.
- WLAN ID—Any WLAN ID, 1 through 16; 0 for all WLANs; 17 for third-party WLAN that this local net user is allowed to access.
- Description—Optional user-defined description.
Deleting Local Net Users
To delete a local net user, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > Local Net Users.
Step 4 Select the check box(es) for the applicable local net user(s).
Step 5 From the Select a command drop-down list, choose Delete Local Net Users.
Step 6 Click Go.
Step 7 Click OK in the dialog box to confirm the deletion.
Configuring AAA MAC Filtering
You can view MAC Filter information. You cannot use a MAC address in the broadcast range.
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > MAC Filtering. The MAC Filtering page displays the following parameters:
– RADIUS Compatibility Mode—User-defined RADIUS server compatibility: Cisco ACS, FreeRADIUS, or Other.
– MAC Delimiter—The MAC delimiters can be Colon (xx:xx:xx:xx:xx:xx), Hyphen (xx-xx-xx-xx-xx-xx), Single Hyphen (xxxxxx-xxxxxx), or No Delimiter (xxxxxxxxxxxx), as required by the RADIUS server.
– MAC Address—Client MAC address. Click to open Configure IPaddr > MAC Filter.
– WLAN ID—1 through 16, 17 = Third-party AP WLAN, or 0 = all WLANs.
– Interface—Displays the associated Interface Name.
– Description—Displays an optional user-defined description.
Step 4 From the Select a command drop-down list, choose Add MAC Filters to add a MAC Filter, Delete MAC Filters to delete the template(s), or Edit MAC Filter Parameters to edit the MAC Filters.
Step 5 Click Go.
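The delimiter styles, WLAN ID values and broadcast-range restriction listed above can be checked on a list of client addresses before the filters are entered. The following Python is an added example, not Cisco or Prime Infrastructure code; the function names, the sample rows, and the reading of "broadcast range" as any address with the group bit set are assumptions.

```python
import re

# Delimiter styles named on the MAC Filtering page -> formatter over 12 hex digits.
DELIMITER_STYLES = {
    "Colon": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "Hyphen": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "Single Hyphen": lambda h: f"{h[:6]}-{h[6:]}",
    "No Delimiter": lambda h: h,
}

# Input is accepted only in one of the same four layouts (no mixed separators).
_INPUT_LAYOUTS = (
    re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}"),
    re.compile(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}"),
    re.compile(r"[0-9a-f]{6}-[0-9a-f]{6}"),
    re.compile(r"[0-9a-f]{12}"),
)


def normalize_mac(raw):
    """Return the address as 12 lowercase hex digits, or raise ValueError."""
    text = raw.strip().lower()
    if not any(p.fullmatch(text) for p in _INPUT_LAYOUTS):
        raise ValueError(f"unrecognised MAC layout: {raw!r}")
    return re.sub(r"[:-]", "", text)


def is_group_address(hex12):
    """True when the I/G bit (lowest bit of the first octet) is set.

    Assumption: this is what the page means by the 'broadcast range';
    ff:ff:ff:ff:ff:ff is the best-known member of that set.
    """
    return bool(int(hex12[:2], 16) & 0x01)


def wlan_scope(wlan_id):
    """Map a WLAN ID to the meaning given on the page, or raise ValueError."""
    if wlan_id == 0:
        return "all WLANs"
    if 1 <= wlan_id <= 16:
        return f"WLAN {wlan_id}"
    if wlan_id == 17:
        return "third-party AP WLAN"
    raise ValueError(f"WLAN ID out of range 0-17: {wlan_id}")


def prepare_filters(rows, style):
    """Validate (mac, wlan_id) rows and render each MAC in the chosen style.

    Returns (accepted, rejected): accepted is a list of dicts ready for entry,
    rejected is a list of (row, reason) tuples.
    """
    render = DELIMITER_STYLES[style]
    accepted, rejected, seen = [], [], set()
    for row in rows:
        raw_mac, wlan_id = row
        try:
            hex12 = normalize_mac(raw_mac)
            scope = wlan_scope(wlan_id)
        except ValueError as exc:
            rejected.append((row, str(exc)))
            continue
        if is_group_address(hex12):
            rejected.append((row, "group/broadcast address"))
        elif (hex12, wlan_id) in seen:
            # The same client written in two layouts is still one filter.
            rejected.append((row, "duplicate after normalisation"))
        else:
            seen.add((hex12, wlan_id))
            accepted.append({"mac": render(hex12), "wlan": scope})
    return accepted, rejected


# Constructed sample rows (not from any real network).
SAMPLE_ROWS = [
    ("00:1A:2B:3C:4D:5E", 1),
    ("001a2b-3c4d5e", 1),       # same client, different layout
    ("FF-FF-FF-FF-FF-FF", 0),   # broadcast
    ("00-1A-2B-3C-4D-5F", 17),
    ("00:1A:2B:3C:4D", 2),      # truncated
    ("001a2b3c4d60", 18),       # WLAN ID out of range
]

if __name__ == "__main__":
    ok, bad = prepare_filters(SAMPLE_ROWS, "Single Hyphen")
    for entry in ok:
        print("accept", entry)
    for row, reason in bad:
        print("reject", row, "-", reason)
```

Pass the style that matches the MAC Delimiter setting so the rendered addresses compare equal to what the RADIUS server stores.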
Configuring AAA AP/MSE Authorization
The AP/MSE Authorization page displays the access point policies and the list of authorized access points along with the type of certificate that an access point uses for authorization.
You cannot use a MAC address in the broadcast range.
To access the AP/MSE Authorization page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > AP or MSE Authorization. The AP/MSE Authorization page displays the following parameters:
– Authorize APs—Enabled or Disabled.
– Accept SSC-APs—Enabled or Disabled.
– AP/MSE Base Radio MAC Address—The MAC address of the authorized access point. Click the AP/MSE Base Radio MAC Address to view AP/MSE Authorization details.
– Type
– Certificate Type—MIC or SSC.
– Key Hash—The 40-hex long SHA1 key hash. The key hash is displayed only if the certificate type is SSC.
Editing AP/MSE Policies
To edit AP/MSE Authorization access point policies, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > AP or MSE Authorization.
Step 4 From the Select a command drop-down list, select Edit AP Policies, then click Go.
Step 5 Edit the following parameters, if necessary:
- Authorize APs—Select the check box to enable access point authorization.
- Accept SSC-APs—Select the check box to enable the acceptance of SSC access points.
Step 6 Click Save to confirm the changes, Audit to perform an audit on these device values, or Cancel to close this page with no changes.
Configuring AAA Web Auth Configuration
The Web Auth Configuration page enables the user to configure the web auth configuration type. If the type is configured as customized, the user-downloaded web auth page replaces the controller-provided internal web auth page.
To access the Web Auth Configuration page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > Web Auth Configuration.
Step 4 Select the Web Auth Type from the drop-down list.
Step 5 Configure the web auth parameters depending on the type chosen:
– Custom Redirect URL—URL where the user is redirected after a successful authentication. For example, if the value entered for this text box is http://www.example.com, the user is directed to the company home page.
– Logo Display—Enable or disable logo display.
– Web Auth Page Title—Title displayed on web authentication page.
– Web Auth Page Message—Message displayed on web authentication page.
You can download an example login page and customize it. If you are using a customized web authentication page, it is necessary to download the example login.tar bundle file from the server, edit the login.html file and save it as either a .tar or .zip file, then download the .tar or .zip file to the controller.
Click the preview image to download this sample login page as a TAR. After editing the HTML you might click here to redirect to the Download Web Auth page. See Downloading Customized WebAuthentication Bundles to Controllers for more information.
– External Redirect URL—Location of the login.html on an external server on the network.
If there are not any external web auth servers configured, you have the option of configuring one.
Configuring AAA Password Policy
This page enables you to determine your password policy.
To make modifications to an existing password policy, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > AAA > Password Policy.
Step 4 Modify the password policy parameters as appropriate.
Step 5 Click Save.
If you disable password policy options, you see a “Disabling the strong password check(s) will be a security risk as it allows weak passwords” message.
Local EAP on Controllers
Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down.
When you enable local EAP, the controller serves as the authentication server and the local user database, making it independent of an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users.
Configuring Local EAP General Parameters
You can specify a timeout value for local EAP. You can then add a template with this timeout value or make changes to an existing template.
If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then re-authenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.
To specify a timeout value for local EAP, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Local EAP > General - Local EAP.
Step 4 Enter the Local Auth Active Timeout in the Local Auth Active Timeout text box (in seconds). Local Auth Active Timeout refers to the timeout period during which Local EAP is always used after all RADIUS servers have failed.
Step 5 The following values should be adjusted if you are using EAP-FAST, manual password entry, one-time password, or 7920/7921 phones.
You must increase the 802.1x timeout values on the controller (default=2 seconds) for the client to obtain the PAC using automatic provisioning. We recommend the default timeout on the Cisco ACS server of 20 seconds.
- Local EAP Identity Request Timeout=1 (in seconds)
- Local EAP Identity Request Maximum Retries=20 (in seconds)
- Local EAP Dynamic Wep Key Index=0
- Local EAP Request Timeout=20 (in seconds)
- Local EAP Request Maximum Retries=2
- EAPOL-Key Timeout=1000 (in milliseconds)
- EAPOL-Key Max Retries=2
- Max-Login Ignore Identity Response
Roaming fails if these values are not set the same across multiple controllers.
Step 6 Click Save.
Local EAP Profiles
You can apply a template for a local EAP profile or make modifications to an existing template.
The LDAP backend database supports only these local EAP methods: EAP-TLS and EAP-FAST with certificates. LEAP and EAP-FAST with PACs are not supported for use with the LDAP backend database.
Viewing Existing Local EAP Profiles
To view existing local EAP profiles, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Local EAP > Local EAP Profiles. The Local EAP Profiles page displays the following parameters:
- EAP Profile Name—User-defined identification.
- LEAP—Authentication type that leverages Cisco Key Integrity Protocol (CKIP) and MMH message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point.
- EAP-FAST—Authentication type (Flexible Authentication via Secure Tunneling) that uses a three-phased tunnel authentication process to provide advanced 802.1x EAP mutual authentication. A username, password, and PAC (protected access credential) are used to perform mutual authentication with the RADIUS server through the access point.
- TLS—Authentication type that uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. It requires a client certificate for authentication.
- PEAP—Protected Extensible Authentication Protocol.
Adding Local EAP Profiles
To add a local EAP profile, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Local EAP > Local EAP Profile.
Step 4 From the Select a command drop-down list, choose Add Local EAP Profile.
Step 5 Choose a template from the Select a template to apply to this controller drop-down list.
Step 6 Click Apply.
Configuring Local EAP General EAP-FAST Parameters
The EAP-FAST authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1x EAP mutual authentication. A username, password, and PAC are used to perform mutual authentication with the RADIUS server through the access point.
To set EAP-FAST Parameters, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Local EAP > EAP-FAST Parameters.
Step 4 Enter the following parameters:
- Time to live for the PAC—The number of days for the PAC to remain viable. The valid range is 1 to 1000 days; the default setting is ten days.
- Authority ID—The authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters but it must be an even number of characters.
- Authority Info—The authority identifier of the local EAP-FAST server in text format.
- Server Key—The key (in hexadecimal characters) used to encrypt and decrypt PACs.
- Confirm Server Key—Verify the correct Server Key by re-typing it.
- Anonymous Provision—Select the check box to enable anonymous provisioning. This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If this feature is disabled, PACs must be manually provisioned.
Step 5 Click Save.
Configuring Local EAP General Network Users Priority
To specify the order that LDAP and local databases use to retrieve user credential information, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Local EAP > Network Users Priority.
Step 4 Use the left and right pointing arrows to include or exclude network credentials in the right-most list.
Step 5 Use the up and down buttons to determine the order credentials are attempted.
Step 6 Click Save.
Configuring Controller Web Auth Certificates
You can download a web authorization certificate or regenerate the internally-generated web auth certificate.
Caution Each certificate has a variable-length embedded RSA Key. The RSA key can vary from 512 bits, which is relatively insecure, through thousands of bits, which is very secure. When you are obtaining a new certificate from a certificate authority (such as the Microsoft CA), make sure the RSA key embedded in the certificate is at least 768 Bits.
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Web Auth Certificate.
Step 4 Click Download Web Auth Certificate to access the Download Web Auth Certificate to Controller page.
Configuring Controller User Login Policies
To configure the user login policies for controllers, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > User Login Policies.
Step 4 Enter the maximum number of concurrent logins allowed for a single username.
Step 5 Click Save.
Managing Manually Disabled Clients
The Disabled Clients page enables you to view excluded (blacklisted) client information.
Clients who fail to authenticate three times when attempting to associate are automatically blocked, or excluded, from further association attempts for an operator-defined timeout. After the Excluded timeout, the client is allowed to retry authentication until it associates or fails authentication and is excluded again.
You cannot use a MAC address in the broadcast range.
To access the Manually Disabled Clients page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Manually Disabled Clients. The Manually Disabled Clients page displays the following parameters:
- MAC Address—Disabled Client MAC addresses. Click a list item to edit the disabled client description.
- Description—Optional description of disabled client.
Configuring Controller Access Control Lists
You can view, edit, or add new access control lists (ACLs) for controllers.
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Access Control Lists.
- Check box—Use the check box to select one or more ACLs for deletion.
- ACL Name—User-defined name of this template. Click an ACL item to view its parameters.
Configuring Access Control List Rules
You can create and modify Access Control List (ACL) rules applied to controllers.
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Access Control Lists.
Step 4 Click an ACL name.
- Check box—Select to delete access control list rules.
- Seq#—You can define up to 64 Rules for each ACL. The Rules for each ACL are listed in contiguous sequence from 1 to 64. That is, if Rules 1 through 4 are already defined and you add Rule 29, it is added as Rule 5.
If you add or change a Sequence number, Prime Infrastructure adjusts the other rule sequence numbers to retain the contiguous sequence. For instance, if you have Sequence numbers 1 through 7 defined and change number 7 to 5, the operating system automatically reassigns Sequence 6 to 7 and Sequence 5 to 6.
- Action—Permit, Deny.
- Source IP/Mask—Source IP address and mask.
- Destination IP/Mask—Destination IP address and mask.
- Protocol—Protocol to use for this ACL:
– Any—All protocols
– TCP—Transmission Control Protocol
– UDP—User Datagram Protocol
– ICMP—Internet Control Message Protocol
– ESP—IP Encapsulating Security Payload
– AH—Authentication Header
– GRE—Generic Routing Encapsulation
– IP—Internet Protocol
– Eth Over IP—Ethernet over Internet Protocol
– Other Port OSPF—Open Shortest Path First
– Other—Any other IANA protocol (http://www.iana.org/)
If TCP or UDP is selected, Source Port and Dest Port parameters appear:
– Source Port—Source Port. Can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other and Port Range.
– Dest Port—Destination port. If TCP or UDP is selected, can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other and Port Range.
- DSCP (Differentiated Services Code Point)—Any, or 0 through 255.
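The Seq# behaviour described above can be modelled as follows. This is an added example, not Prime Infrastructure or controller code: the `Acl` and `Rule` names are hypothetical, and evaluating rules in sequence order with first match winning and a default deny is an assumption of the example, not something this page states. It replays both renumbering cases from the text and shows a deny rule that only takes effect once it is moved ahead of a broader permit.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_RULES = 64  # the page allows up to 64 rules per ACL


@dataclass(frozen=True)
class Rule:
    name: str                       # label used only by this example
    action: str                     # "permit" or "deny"
    src: str                        # Source IP/Mask, written in CIDR form
    dst: str                        # Destination IP/Mask, written in CIDR form
    protocol: str = "any"           # "any", "tcp", "udp", ...
    dst_port: Optional[int] = None  # None means any destination port

    def matches(self, src, dst, protocol, dst_port):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.protocol in ("any", protocol)
                and self.dst_port in (None, dst_port))


class Acl:
    """Rule list whose sequence numbers are always the contiguous run 1..n."""

    def __init__(self):
        self._rules = []  # list index + 1 is the sequence number

    def _slot(self, seq):
        # A number past the end lands in the next free slot (Rule 29 -> Rule 5).
        return min(seq, len(self._rules) + 1) - 1

    def add(self, seq, rule):
        if seq < 1:
            raise ValueError("sequence numbers start at 1")
        if len(self._rules) >= MAX_RULES:
            raise ValueError("an ACL holds at most 64 rules")
        self._rules.insert(self._slot(seq), rule)  # later rules shift down by one

    def move(self, old_seq, new_seq):
        if new_seq < 1 or not 1 <= old_seq <= len(self._rules):
            raise IndexError("sequence number out of range")
        rule = self._rules.pop(old_seq - 1)
        self._rules.insert(self._slot(new_seq), rule)

    def sequence(self):
        return {i: r.name for i, r in enumerate(self._rules, 1)}

    def evaluate(self, src, dst, protocol, dst_port=None):
        # ASSUMPTION of this example: first match wins, no match means deny.
        for seq, rule in enumerate(self._rules, 1):
            if rule.matches(src, dst, protocol, dst_port):
                return seq, rule.action
        return None, "deny"


def shadowing_demo():
    """Constructed rules: the deny is unreachable until it is moved to Seq# 1."""
    acl = Acl()
    acl.add(1, Rule("permit-guest-any", "permit", "192.168.50.0/24", "0.0.0.0/0"))
    acl.add(2, Rule("deny-guest-internal", "deny", "192.168.50.0/24", "10.0.0.0/8"))
    flow = ("192.168.50.7", "10.1.2.3", "tcp", 22)
    before = acl.evaluate(*flow)
    acl.move(2, 1)
    after = acl.evaluate(*flow)
    return before, after


if __name__ == "__main__":
    print(shadowing_demo())
```

Because every add or move renumbers the rules after it, review the whole sequence after each change, not only the rule that was edited.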
Adding New ACL Rules
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Access Control Lists.
Step 4 Click an ACL name.
Step 5 Click an applicable Seq#, or choose Add New Rule to access this page.
FlexConnect Access Control Lists
FlexConnect ACLs provide access control at the FlexConnect access point to protect the integrity of locally switched data traffic from the access point.
Adding FlexConnect Access Control Lists
To add an Access Control List for FlexConnect access points, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > FlexConnect ACLs.
Step 4 From the Select a command drop-down list, choose Add FlexConnect ACLs.
Step 5 Click Go.
You cannot add a FlexConnect ACL if there is no template created. If you try to create a FlexConnect ACL when there are no templates available, you are redirected to the New Controller Templates page where you can create a template for FlexConnect ACL.
Step 6 Choose a template from the drop-down list to apply to the controller, and click Apply.
The FlexConnect ACL that you created appears in Configure > Controllers > IP Address > Security > FlexConnect ACLs.
Deleting FlexConnect Access Control Lists
To delete a FlexConnect ACL, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > FlexConnect ACLs.
Step 4 From the FlexConnect ACLs page, select one or more FlexConnect ACLs to delete.
Step 5 From the Select a command drop-down list, choose Delete FlexConnect ACLs.
Step 6 Click Go.
Configuring CPU Access Control Lists
Access control lists (ACLs) can be applied to the controller CPU to control traffic to the CPU.
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > CPU Access Control Lists.
Step 4 Select the Enable CPU ACL check box to enable the CPU ACL. The following parameters are available:
- ACL Name—Choose the ACL to use from the ACL Name drop-down list.
- CPU ACL Mode—Choose which data traffic direction this CPU ACL list controls.
Configuring the IDS Sensor List
When the sensors identify an attack, they alert the controller to shun the offending client. When you add a new IDS (Intrusion Detection System) sensor, you register the controller with that IDS sensor so that the sensor can send shunned client reports to the controller. The controller also polls the sensor periodically.
To view IDS sensors, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > IDS Sensor Lists.
The IDS Sensor page lists all IDS sensors that have been configured for this controller. Click an IP address to view details for a specific IDS sensor.
Certificate Authority (CA) Certificates
A Certificate Authority (CA) certificate is a digital certificate issued by one certificate authority (CA) for another CA.
Importing CA Certificates
To import a CA certificate from a file, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > IP Sec Certificates > CA Certificate.
Step 4 Click Browse to navigate to the applicable certificate file.
Step 5 Click Open, then click Save.
Pasting CA Certificates Directly
To paste a CA certificate directly, follow these steps:
Step 1 Copy the CA certificate to your computer clipboard.
Step 2 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 3 Click the device name of the applicable controller.
Step 4 From the left sidebar menu, choose Security > IP Sec Certificates > CA Certificate.
Step 5 Select the Paste check box.
Step 6 Paste the certificate directly into the text box.
Step 7 Click Save.
Identity Certificates
This page lists the existing network Identity (ID) certificates by certificate name. An ID certificate can be used by web server operators to ensure secure server operation. ID certificates are available only if the controller is running Cisco Unified Wireless Network Software Version 3.2 or higher.
Importing ID Certificates
To import an ID certificate from a file, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > IP Sec Certificates > ID Certificate.
Step 4 From the Select a command drop-down list, choose Add Certificate.
Step 5 Click Go.
Step 6 Enter the Name and Password.
Step 7 Click Browse to navigate to the applicable certificate file.
Step 8 Click Open, then click Save.
Pasting ID Certificates
To paste an ID certificate directly, follow these steps:
Step 1 Copy the ID certificate to your computer clipboard.
Step 2 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 3 Click the device name of the applicable controller.
Step 4 From the left sidebar menu, choose Security > IP Sec Certificates > ID Certificate.
Step 5 From the Select a command drop-down list, choose Add Certificate.
Step 6 Click Go.
Step 7 Enter the Name and Password.
Step 8 Select the Paste check box.
Step 9 Paste the certificate directly into the text box.
Step 10 Click Save.
Configuring Wireless Protection Policies
This section describes the wireless protection policy configurations and contains the following topics:
Configuring Rogue Policies
You can set up policies for rogue access points. Make sure that rogue detection is enabled on the desired access points. Rogue detection is enabled by default for all access points joined to a controller (except for OfficeExtend access points). However, in Prime Infrastructure software Release 6.0 or later, you can enable or disable rogue detection for individual access points by selecting or unselecting the Rogue Detection check box in the Access Point Details page.
Rogue detection is disabled by default for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect a large number of rogue devices.
To access the Rogue Policies page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Wireless Protection Policies > Rogue Policies. The following parameters appear:
- Rogue Location Discovery Protocol—RLDP determines whether or not the rogue is connected to the enterprise wired network. Choose one of the following from the drop-down list:
– Disable—Disables RLDP on all access points. This is the default value.
– All APs—Enables RLDP on all access points.
– Monitor Mode APs—Enables RLDP only on access points in monitor mode.
– Expiration Timeout for Rogue AP and Rogue Client Entries (seconds)—Enter the number of seconds after which the rogue access point and client entries expire and are removed from the list. The valid range is 240 to 3600 seconds and the default value is 1200 seconds.
If a rogue access point or client entry times out, it is removed from the controller only if its rogue state is Alert or Threat for any classification type.
– Rogue Detection Report Interval—Enter the time interval in seconds at which the APs should send the rogue detection report to the controller. Valid range is 10 seconds to 300 seconds, and the default value is 10 seconds. This feature is applicable to APs that are in monitor mode only.
– Rogue Detection Minimum RSSI—Enter the minimum RSSI value that a rogue should have for the APs to detect and for the rogue entry to be created in the controller. Valid range is -70 dBm to -128 dBm, and the default value is -128 dBm. This feature is applicable to all the AP modes.
There can be many rogues with very weak RSSI values that do not provide any valuable information in the rogue analysis. Therefore, you can use this option to filter the rogues by specifying the minimum RSSI value at which the APs should detect rogues.
– Rogue Detection Transient Interval—Enter the time interval at which a rogue has to be consistently scanned for by the AP after the first time the rogue is scanned. By entering the transient interval, you can control the time interval at which the AP should scan for rogues. The APs can filter the rogues based on their transient interval values. Valid range is 120 seconds to 1800 seconds, and the default value is 0. This feature is applicable to APs that are in monitor mode only.
– Validate rogue clients against AAA—Select the check box to use the AAA server or local database to validate if rogue clients are valid clients. The default value is unselected.
– Detect and report Adhoc networks—Select the check box to enable ad-hoc rogue detection and reporting. The default value is selected.
Configuring Rogue AP Rules
This page enables you to view and edit current Rogue AP Rules.
To access the Rogue AP Rules page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Wireless Protection Policies > Rogue AP Rules. The Rogue AP Rules displays the Rogue AP Rules, the rule types (Malicious or Friendly), and the rule sequence.
Step 4 Click a Rogue AP Rule to view or edit its details.
Configuring Client Exclusion Policies
This page enables you to set, enable, or disable the client exclusion policies applied to the controller.
To access the Client Exclusion Policies page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Wireless Protection Policies > Client Exclusion Policies. The following parameters appear:
- Excessive 802.11a Association Failures—If enabled, clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.
- Excessive 802.11a Authentication Failures—If enabled, clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures.
- Excessive 802.11x Authentication Failures—If enabled, clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures.
- Excessive 802.11 Web Authentication Failures—If enabled, clients are excluded on the fourth web authentication attempt, after three consecutive failures.
- IP Theft Or Reuse—If enabled, clients are excluded if the IP address is already assigned to another device.
Step 4 Click Save to save the changes made to the client exclusion policies and return to the previous page or click Audit to compare Prime Infrastructure values with those used on the controller.
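The four failure counters above can be replayed against authentication records with logic like the following, which is useful when checking whether an exclusion seen on a controller is consistent with the policy that is enabled. This is an added example, not controller code: the event tuples, kind labels and MAC addresses are constructed, and resetting a streak on a successful attempt is an assumption drawn from the word "consecutive".

```python
from collections import defaultdict

# Consecutive failures tolerated per policy; the NEXT attempt is the one
# on which the client is excluded (values taken from the list above).
THRESHOLDS = {
    "assoc": 5,    # 802.11 association: excluded on the sixth attempt
    "auth": 5,     # 802.11 authentication: excluded on the sixth attempt
    "dot1x": 3,    # 802.1X authentication: excluded on the fourth attempt
    "webauth": 3,  # web authentication: excluded on the fourth attempt
}


def find_exclusions(events, enabled=frozenset(THRESHOLDS)):
    """Replay time-ordered (mac, kind, succeeded) events.

    Returns (excluded, at_limit):
      excluded  {mac: (kind, index of the attempt that triggered exclusion)}
      at_limit  sorted [(mac, kind)] for clients that have used up their
                failures and will be excluded on their next attempt
    Policies missing from `enabled` are treated as disabled and ignored.
    """
    unknown = set(enabled) - set(THRESHOLDS)
    if unknown:
        raise ValueError("unknown policy: %s" % sorted(unknown))

    streak = defaultdict(int)  # (mac, kind) -> consecutive failures so far
    excluded = {}
    for index, (mac, kind, succeeded) in enumerate(events):
        if mac in excluded or kind not in enabled:
            continue
        key = (mac, kind)
        if streak[key] >= THRESHOLDS[kind]:
            excluded[mac] = (kind, index)  # the fourth or sixth attempt
            continue
        # ASSUMPTION: a success resets the streak.
        streak[key] = 0 if succeeded else streak[key] + 1

    at_limit = sorted(
        key for key, count in streak.items()
        if count >= THRESHOLDS[key[1]] and key[0] not in excluded
    )
    return excluded, at_limit


# Constructed sample data (documentation-range MAC addresses).
AA, BB = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
CC, DD = "00:00:5e:00:53:0c", "00:00:5e:00:53:0d"
SAMPLE = [
    (AA, "dot1x", False), (BB, "dot1x", False),
    (AA, "dot1x", False), (BB, "dot1x", False),
    (AA, "dot1x", False), (BB, "dot1x", True),   # BB's streak resets here
    (AA, "dot1x", False),                        # index 6: AA's fourth attempt
    (BB, "dot1x", False), (BB, "dot1x", False),
] + [(CC, "assoc", False)] * 6 + [(DD, "webauth", False)] * 3

if __name__ == "__main__":
    print(find_exclusions(SAMPLE))
```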
Configuring IDS Signatures
You can configure IDS Signatures, or bit-pattern matching rules used to identify various types of attacks in incoming 802.11 packets, on the controller. When the signatures are enabled, the access points joined to the controller perform signature analysis on the received 802.11 data or management frames and report any discrepancies to the controller. If an attack is detected, an appropriate mitigation action is initiated.
Cisco supports 17 standard signatures on controllers.
Viewing Controller Standard Signature Parameters
The Standard Signature Parameters page shows the list of Cisco-supplied signatures that are currently on the controller.
To access the Standard Signatures page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Wireless Protection Policies > Standard Signatures. This page displays the following parameters:
- Precedence—The order in which the controller performs the signature checks.
- Name—The type of attack the signature is trying to detect.
- Frame Type—Management or data frame type on which the signature is looking for a security attack.
- Action—What the controller is directed to do when the signature detects an attack. For example:
– None—No action is taken.
– Report—Report the detection.
- State—Enabled or Disabled.
- Description—A more detailed description of the type of attack the signature is trying to detect.
Step 4 Click a signature Name to view individual parameters and to enable or disable the signature.
Downloading Signature Files
To download a signature file, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Wireless Protection Policies > Standard Signatures or Security > Wireless Protection Policies > Custom Signatures.
Step 4 From the Select a command drop-down list, choose Download Signature Files.
Step 5 Click Go.
Step 6 Copy the signature file (*.sig) to the default directory on your TFTP server.
Step 7 Choose Local Machine from the File is Located On field. If you know the filename and path relative to the server root directory, you can also choose TFTP server.
Step 8 Enter the maximum number of times the controller should attempt to download the signature file in the Maximum Retries field.
Step 9 Enter the maximum amount of time in seconds before the controller times out while attempting to download the signature file in the Timeout field.
Step 10 The signature files are uploaded to the c:\tftp directory. Specify the local filename in that directory or click Browse to navigate to it. A “revision” line in the signature file specifies whether the file is a Cisco-provided standard signature file or a site-tailored custom signature file (custom signature files must always have revision=custom).
If the transfer times out for some reason, choose the TFTP server option in the File Is Located On field, and the server filename is populated for you and retried. The local machine option initiates a two-step operation. First, the local file is copied from the administrator workstation to Prime Infrastructure's own built-in TFTP server. Then the controller retrieves that file. For later operations, the file is already in the Prime Infrastructure server's TFTP directory, and the downloaded web page now automatically populates the filename.
Step 11 Click OK.
Uploading Signature Files
You can upload a signature file from controllers. Make sure you have a Trivial File Transfer Protocol (TFTP) server available for the signature download. Keep these guidelines in mind when setting up a TFTP server:
- If you are downloading through the service port, the TFTP server must be on the same subnet as the service port because the service port cannot be routed.
- If you are downloading through the distribution system network port, the TFTP server can be on the same or a different subnet because the distribution system port cannot be routed.
- A third-party TFTP server cannot run on the same computer as Prime Infrastructure because the Prime Infrastructure built-in TFTP server and a third-party TFTP server use the same communication port.
Step 1 Obtain a signature file from Cisco (standard signature file).
Step 2 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 3 Click the device name of the applicable controller.
Step 4 From the left sidebar menu, choose Security > Wireless Protection Policies > Standard Signatures or Security > Wireless Protection Policies > Custom Signatures.
Step 5 From the Select a command drop-down list, choose Upload Signature Files from controller.
Step 6 Specify the TFTP server name being used for the transfer.
Step 7 If the TFTP server is new, enter the TFTP IP address in the Server IP Address field.
Step 8 Choose Signature Files from the File Type drop-down list.
The signature files are uploaded to the root directory which was configured for use by the TFTP server. You can change to a different directory at the Upload to File field (this field only shows if the Server Name is the default server). The controller uses this local filename as a base name and then adds _std.sig as a suffix for standard signature files and _custom.sig as a suffix for custom signature files.
Step 9 Click OK.
Global Settings for Standard and Custom Signatures
This command enables all signatures that were individually selected as enabled. If this check box remains unselected, all files are disabled, even those that were previously enabled. When the signatures are enabled, the access points joined to the controller perform signature analysis on the received 802.11 data or management frames and report any discrepancies to the controller.
To enable all standard and custom signatures currently on the controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the Select a command drop-down list, choose Edit Signature Parameters.
Step 4 Click Go.
Step 5 Select the Enable Check for All Standard and Custom Signatures check box.
Step 6 Click Save.
Enabling or Disabling Individual Signatures
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the Select a command drop-down list, choose Edit Signature Parameters.
Step 4 Click an applicable Name for the type of attack you want to enable or disable.
The Standard Signature parameters page shows the list of Cisco-supplied signatures that are currently on the controller. The Custom Signatures page shows the list of customer-supplied signatures that are currently on the controller. The following parameters are displayed in both the signature page and the detailed signature page:
- Precedence—The order, or precedence, in which the controller performs the signature checks.
- Name—The type of attack the signature is trying to detect.
- Description—A more detailed description of the type of attack that the signature is trying to detect.
- Frame Type—Management or data frame type on which the signature is looking for a security attack.
- Action—What the controller is directed to do when the signature detects an attack. One possibility is None, where no action is taken, and another is Report, to report the detection.
- Frequency—The signature frequency or the number of matching packets per interval that must be identified at the detecting access point level before an attack is detected. The range is 1 to 32,000 packets per interval and the default value is 50 packets per interval.
- Quiet Time—The length of time (in seconds) after which no attacks have been detected at the individual access point level, and the alarm can stop. This time appears only if the MAC information is all or both. The range is 60 to 32,000 seconds and the default value is 300 seconds.
- MAC Information—Whether the signature is to be tracked per network or per MAC address or both at the detecting access point level.
- MAC Frequency—The signature MAC frequency or the number of matching packets per interval that must be identified at the controller level before an attack is detected. The range is 1 to 32,000 packets per interval and the default value is 30 packets per interval.
- Interval—Enter the number of seconds that must elapse before the signature frequency threshold is reached within the configured interval. The range is 1 to 3600 seconds and the default value is 1 second.
- Enable—Select this check box to enable this signature to detect security attacks or unselect it to disable this signature.
- Signature Patterns—The pattern that is being used to detect a security attack.
Step 5 From the Enable drop-down list, choose Yes. Because you are downloading a customized signature, you should enable the files named with the _custom.sig suffix and disable the standard signature with the same name but a different suffix. For example, if you are customizing broadcast probe flood, you want to disable broadcast probe flood in the standard signatures but enable it in custom signatures.
Step 6 Click Save.
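The threshold fields listed in this procedure (Frequency, MAC Frequency, Interval, Quiet Time, MAC Information) can be reasoned about with a small model before you tune them. The following is an added example, not Cisco code and not the controller's algorithm: it assumes one access point's stream of frames that already matched a signature pattern, and the function names, the "all"/"mac"/"both" spellings and the sample frames are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SignatureParams:
    """Threshold fields from the signature page, with the documented defaults."""
    frequency: int = 50       # matching frames per interval, all sources together
    mac_frequency: int = 30   # matching frames per interval from one source MAC
    interval: int = 1         # seconds
    quiet_time: int = 300     # seconds without a detection before the alarm stops
    mac_info: str = "both"    # assumed spellings: "all" (per network), "mac", "both"

    def __post_init__(self):
        # Ranges as documented on the page.
        if not 1 <= self.frequency <= 32000:
            raise ValueError("frequency must be 1-32000 packets per interval")
        if not 1 <= self.mac_frequency <= 32000:
            raise ValueError("mac_frequency must be 1-32000 packets per interval")
        if not 1 <= self.interval <= 3600:
            raise ValueError("interval must be 1-3600 seconds")
        if not 60 <= self.quiet_time <= 32000:
            raise ValueError("quiet_time must be 60-32000 seconds")
        if self.mac_info not in ("all", "mac", "both"):
            raise ValueError("mac_info must be all, mac or both")


def evaluate(frames, p, end_time):
    """Return sorted (time, "raise" | "clear", scope) alarm events.

    frames: iterable of (timestamp_seconds, source_mac) for matching frames.
    scope is "network" for the aggregate counter or a MAC address.
    """
    buckets = {}  # interval index -> Counter of source MACs
    for ts, mac in frames:
        buckets.setdefault(int(ts // p.interval), Counter())[mac] += 1

    last_hit = {}  # scope -> time of the most recent detection
    events = []

    def expire(now):
        # An alarm stops once quiet_time has passed with no new detection.
        quiet = sorted(s for s, t in last_hit.items() if now - t >= p.quiet_time)
        for scope in quiet:
            events.append((last_hit.pop(scope) + p.quiet_time, "clear", scope))

    for idx in sorted(buckets):
        now = (idx + 1) * p.interval  # decide at the end of each interval
        expire(now)
        hits = []
        if p.mac_info in ("all", "both") and sum(buckets[idx].values()) >= p.frequency:
            hits.append("network")
        if p.mac_info in ("mac", "both"):
            hits += [m for m, n in buckets[idx].items() if n >= p.mac_frequency]
        for scope in hits:
            if scope not in last_hit:
                events.append((now, "raise", scope))
            last_hit[scope] = now  # a repeat detection restarts the quiet timer

    expire(end_time)
    events.sort()
    return events


def constructed_capture():
    """Constructed sample: light background traffic plus two bursts from one MAC."""
    flooder = "02:00:00:00:00:01"
    frames = [(s + 0.1 * i, f"02:00:00:00:01:{i:02x}")
              for s in range(5) for i in range(5)]            # 5 frames/s, no alarm
    frames += [(10 + i / 100, flooder) for i in range(40)]    # 40 frames in second 10
    frames += [(10.5 + i / 100, f"02:00:00:00:02:{i:02x}")
               for i in range(15)]                            # 15 more, total 55
    frames += [(200 + i / 100, flooder) for i in range(35)]   # 35 frames in second 200
    return frames


if __name__ == "__main__":
    for event in evaluate(constructed_capture(), SignatureParams(), end_time=1000):
        print(event)
```

In the sample, the second burst stays under the aggregate Frequency but exceeds MAC Frequency, so only the per-MAC alarm has its quiet timer restarted.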
Configuring Custom Signatures
The Custom Signature page shows the list of customer-supplied signatures that are currently on the controller.
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Wireless Protection Policies > Custom Signatures. This page displays the following parameters:
- Precedence—The order in which the controller performs the signature checks.
- Name—The type of attack the signature is trying to detect.
- Frame Type—Management or data frame type on which the signature is looking for a security attack.
- Action—What the controller is directed to do when the signature detects an attack. For example:
– None—No action is taken.
– Report—Report the detection.
- State—Enabled or Disabled.
- Description—A more detailed description of the type of attack the signature is trying to detect.
Step 4 Click a signature Name to view individual parameters and to enable or disable the signature.
Configuring AP Authentication and MFP
You can set the access point authentication policy and MFP (Management Frame Protection).
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Security > Wireless Protection Policies > AP Authentication and MFP.
This page displays the following fields:
- RF Network Name—Not an editable text box. The RF Network Name entered in the General parameters page is displayed here.
- Protection Type—From the drop-down list, choose one of the following authentication policies:
– None—No access point authentication policy.
– AP Authentication—Apply authentication policy.
– MFP—Apply Management Frame Protection.
- Alarm Trigger Threshold—(Appears only when AP Authentication is selected as the Protection Type). Set the number of hits to be ignored from an alien access point before raising an alarm. The valid range is from 1 to 255. The default value is 255.
Configuring General Parameters for 802.11 Controllers
You can edit country selection and timer information on an 802.11 controller. To access this page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Choose 802.11 > General - 802.11 from the left sidebar menu. The page opens and displays the following parameters:
– Country—Countries and the protocols allowed. The maximum number of countries that you can select is 20.
– Selected Countries—Displays countries currently selected.
– Authentication Response Timeout—Configures 802.11 authentication response timeout in seconds.
Setting Multiple Country Codes
To set multiple country support for a single controller that is not part of a mobility group, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Choose 802.11 > General from the left sidebar menu.
Step 4 Select the check box to choose which country you want to add. Access points are designed for use in many countries with varying regulatory requirements. You can configure a country code to ensure that it complies with your country regulations.
Access points might not operate properly if they are not designed for use in your country of operation. For example, an access point with part number AIR-AP1030-A-K9 (which is included in the Americas regulatory domain) cannot be used in Australia. Always be sure to purchase access points that match your country regulatory domain. For a complete list of country codes supported per product, see the following URL:
http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html
Step 5 Enter the time (in seconds) after which the authentication response times out.
Step 6 Click Save.
Configuring Aggressive Load Balancing
Enabling aggressive load balancing on the controller allows lightweight access points to load balance the wireless clients across access points. Clients are load balanced between the access points on the same controller. Load balancing does not occur between access points on different controllers.
When a wireless client attempts to associate to a lightweight access point, association response packets are sent to the client with an 802.11 response packet including status code 17. This code indicates whether the access point can accept any more associations. If the access point is too busy, the client attempts to associate to a different access point in the area. The system determines if an access point is relatively more busy than its neighbor access points that are also accessible to the client.
For example, if the number of clients on AP1 is more than the number of clients on AP2 plus the load-balancing window, then AP1 is considered to be busier than AP2. When a client attempts to associate to AP1, it receives an 802.11 response packet with status code 17, indicating that the access point is busy, and the client attempts to associate to a different access point.
You can configure the controller to deny client associations up to 10 times (if a client attempted to associate 11 times, it is allowed to associate on the 11th try). You can also enable or disable load balancing on a particular WLAN, which is useful if you want to disable load balancing for a select group of clients (such as time-sensitive voice clients).
To configure aggressive load balancing, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Choose 802.11 > Load Balancing from the left sidebar menu. The Load Balancing page appears.
Step 4 Enter a value between 1 and 20 for the client window size. The window size becomes part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:
load-balancing window + client associations on AP with lightest load = load-balancing threshold
In the group of access points accessible to a client device, each access point has a different number of client associations. The access point with the lowest number of clients has the lightest load. The client window size plus the number of clients on the access point with the lightest load forms the threshold. Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold.
Step 5 Enter a value between 0 and 10 for the max denial count. The denial count sets the maximum number of association denials during load balancing.
Step 6 Click Save.
Step 7 To enable or disable aggressive load balancing on specific WLANs, browse to the WLAN Configuration page, and click the Advanced tab. For instructions on using the WLAN Configuration page, see Configuring Controller WLANs in Related Topics.
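The threshold and denial-count rules described in this section, worked through as an added example that is not Cisco code: the class, method and AP names are hypothetical, the per-AP client counts are constructed, and an access point sitting exactly at the threshold is treated as not busy, following the "more than" wording above.

```python
from dataclasses import dataclass, field

STATUS_SUCCESS = 0
STATUS_AP_BUSY = 17  # status code the section describes for a busy access point


@dataclass
class LoadBalancer:
    window: int        # client window size, documented range 1-20
    max_denials: int   # max denial count, documented range 0-10
    denials: dict = field(default_factory=dict)  # client -> denials so far

    def __post_init__(self):
        if not 1 <= self.window <= 20:
            raise ValueError("window must be between 1 and 20")
        if not 0 <= self.max_denials <= 10:
            raise ValueError("max_denials must be between 0 and 10")

    def threshold(self, reachable):
        """window + client count on the lightest-loaded AP the client can reach."""
        return min(reachable.values()) + self.window

    def busy_aps(self, reachable):
        """APs whose client count is above the threshold."""
        limit = self.threshold(reachable)
        return sorted(ap for ap, count in reachable.items() if count > limit)

    def association_status(self, client, target_ap, reachable):
        """Status returned for one association attempt.

        reachable maps each AP this client can reach (all on the same
        controller) to its current client count.
        """
        is_busy = reachable[target_ap] > self.threshold(reachable)
        used = self.denials.get(client, 0)
        if is_busy and used < self.max_denials:
            self.denials[client] = used + 1
            return STATUS_AP_BUSY
        # Either the AP has room or the client has exhausted the denial count.
        self.denials.pop(client, None)
        return STATUS_SUCCESS


def retry_same_ap(balancer, client, target_ap, reachable, attempts):
    """Statuses a client sees if it keeps retrying the same AP."""
    return [balancer.association_status(client, target_ap, reachable)
            for _ in range(attempts)]


if __name__ == "__main__":
    counts = {"AP1": 12, "AP2": 4}           # constructed client counts
    lb = LoadBalancer(window=5, max_denials=10)
    print("threshold:", lb.threshold(counts))
    print("busy:", lb.busy_aps(counts))
    print(retry_same_ap(lb, "client-a", "AP1", counts, 11))
```

With a denial count of 10, a client that ignores the busy response and keeps retrying AP1 is admitted on its 11th attempt, so the setting bounds how long a sticky client can be held off.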
Related Topics
Configuring Band Selection
Band selection enables client radios that are capable of dual-band (2.4- and 5-GHz) operation to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of three non-overlapping channels. To combat these sources of interference and improve overall network performance, you can configure band selection on the controller.
Band selection works by regulating probe responses to clients. It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels.
You can enable band selection globally on a controller, or you can enable or disable band selection for a particular WLAN, which is useful if you want to disable it for a select group of clients (such as time-sensitive voice clients).
Band-selection-enabled WLANs do not support time-sensitive applications like voice and video because of roaming delays.
Guidelines for Using Band Selection
Follow these guidelines when using band selection:
- Band selection can be used only with Cisco Aironet 1140 and 1250 series access points.
- Band selection operates only on access points that are connected to a controller. A FlexConnect access point without a controller connection does not perform band selection after a reboot.
- The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running.
- You can enable both band selection and aggressive load balancing on the controller. They run independently and do not impact one another.
Configuration Steps
To configure band selection, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Choose 802.11 > Band Select from the left sidebar menu. The Band Select page appears.
Step 4 Enter a value between 1 and 10 for the probe cycle count. The cycle count sets the number of suppression cycles for a new client. The default cycle count is 2.
Step 5 Enter a value between 1 and 1000 milliseconds for the scan cycle period threshold. This setting determines the time threshold during which new probe requests from a client come from a new scanning cycle. The default cycle threshold is 200 milliseconds.
Step 6 Enter a value between 10 and 200 seconds for the age out suppression field. Age-out suppression sets the expiration time for pruning previously known 802.11b/g clients. The default value is 20 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 7 Enter a value between 10 and 300 seconds for the age out dual band field. The age-out period sets the expiration time for pruning previously known dual-band clients. The default value is 60 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 8 Enter a value between –20 and –90 dBm for the acceptable client RSSI field. This field sets the minimum RSSI for a client to respond to a probe. The default value is –80 dBm.
Step 9 Click Save.
Step 10 To enable or disable band selection on specific WLANs, browse to the WLAN Configuration page and click the Advanced tab. For instructions on using the WLAN Configuration page, see Configuring Controller WLANs in Related Topics.
Related Topics
Configuring Preferred Call
The Preferred Call feature enables you to specify highest priority to SIP calls made to some specific numbers. The high priority is achieved by allocating bandwidth to such preferred SIP Calls even when there is no available voice bandwidth in the configured Voice Pool. This feature is supported only for those clients that use SIP based CAC for bandwidth allocation in WCS or WLC.
You can configure up to 6 numbers per controller.
To configure the preferred call support, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11 > Preferred Call. The following fields appear if there is an existing preferred call:
- Description—Description for the preferred call.
- Number Id—Indicates the unique identifier for the controller and denotes one of the six preferred call numbers assigned to the controller.
- Preferred Number—Indicates the preferred call number.
Step 4 From the Select a command drop-down list, choose Add Number.
Step 5 Select a template to apply to this controller.
You need to select a template to apply to the selected controller. To create a New Template for Preferred Call Numbers, see Configuring Preferred Call Templates in Related Topics.
Step 6 Click Apply.
To delete a preferred call, select the check box for the applicable preferred call number and choose Delete from the Select a command drop-down list. Click Go and then click OK to confirm the deletion.
Related Topics
Configuring 802.11 Media Parameters
To configure media parameters for 802.11, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11 > Media Stream.
Step 4 In the Media Stream Configuration section, configure the following parameters:
- Media Stream Name
- Multicast Destination Start IP—Start IP address of the media stream to be multicast
- Multicast Destination End IP—End IP address of the media stream to be multicast
- Maximum Expected Bandwidth—Maximum bandwidth that a media stream can use
Step 5 In the Resource Reservation Control (RRC) Parameters group box, configure the following parameters:
- Average Packet Size—Average packet size that a media stream can use.
- RRC Periodical Update—Resource Reservation Control calculations that are updated periodically; if disabled, RRC calculations are done only once when a client joins a media stream.
- RRC Priority—Priority of RRC with the highest at 1 and the lowest at 8.
- Traffic Profile Violation—Appears if the stream is dropped or put in the best effort queue if the stream violates the QoS video profile.
- Policy—Appears if the media stream is admitted or denied.
Step 6 Click Save.
Configuring RF Profiles (802.11)
The RF Profiles page enables you to create or modify RF profiles that get associated to AP Groups.
To configure an RF Profile for a controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Click RF Profiles or choose 802.11 > RF Profiles from the left sidebar menu. The RF Profiles page appears. This page lists the existing RF Profile templates.
Step 4 If you want to add an RF profile, choose Add RF Profile from the Select a command drop-down list.
Step 5 Click Go. The New Controller Template page appears.
Step 6 Configure the following information:
– Template Name—User-defined name for the template.
– Profile Name—User-defined name for the current profile.
– Description—Description of the template.
– Radio Type—The radio type of the access point. This is a drop-down list from which you can choose an RF profile for APs with 802.11a or 802.11b radios.
- TPC (Transmit Power Control)
– Minimum Power Level Assignment (-10 to 30 dBm)—Indicates the minimum power assigned. The range is -10 to 30 dB, and the default value is 30 dB.
– Maximum Power Level Assignment (-10 to 30 dBm)—Indicates the maximum power assigned. The range is -10 to 30 dB, and the default value is 30 dB.
– Power Threshold v1(-80 to -50 dBm)—Indicates the transmitted power threshold.
– Power Threshold v2(-80 to -50 dBm)—Indicates the transmitted power threshold.
- Data Rates—Use the Data Rates drop-down lists to specify the rates at which data can be transmitted between the access point and the client. These data rates are available:
– 802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps.
– 802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps.
For each data rate, choose one of these options:
– Mandatory—Clients must support this data rate to associate to an access point on the controller.
– Supported—Any associated clients that support this data rate might communicate with the access point using that rate. However, the clients are not required to be able to use this rate to associate.
– Disabled—The clients specify the data rates used for communication.
Step 7 Click Save.
Configuring SIP Snooping
Keep the following guidelines in mind when using SIP Snooping:
- SIPs are available only on the Cisco 5500 Series Controllers and on the 1240, 1130, and 11n access points.
- SIP CAC should only be used for phones that support status code 17 and do not support TSPEC-based admission control.
- SIP CAC will be supported only if SIP snooping is enabled.
To configure SIP Snooping for a controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Click the Device Name of the applicable controller.
Step 4 From the left sidebar menu, choose 802.11 > SIP Snooping.
Step 5 Configure the following fields:
If single port is to be used, configure both start and end port fields with same number.
Step 6 Click Save.
Configuring 802.11a/n Parameters
Configuring 802.11a/n General Parameters
To view 802.11a/n parameters for a specific controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > Parameters to view the following parameters:
– 802.11a/n Network Status—Select the check box to enable.
– Beacon Period—The amount of time between beacons. The valid range is from 100 to 600 milliseconds.
– Fragmentation Threshold (in bytes)—The size at which packets are fragmented. Use a low setting in areas where communication is poor or where there is a great deal of radio interference.
– Template Applied
– Low, Medium, and High Bands (read-only).
– Dynamic Assessment—Automatic, On Demand, or Disabled.
– Current Tx Level—Range includes: 1 (maximum power allowed per country code setting), 2 (50% power), 3 (25% power), 4 (6.25 to 12.5% power), and 5 (0.195 to 6.25% power). The power levels and available channels are defined by the country code setting and are regulated on a country by country basis.
– Control Interval—In seconds (read-only).
– Dynamic Treatment Power Control—Select the check box to enable.
– Assignment Mode—Automatic, On Demand, or Disabled.
– Update Interval—In seconds.
– Avoid Foreign AP Interference—Enable to have RRM consider interference from foreign Cisco access points (those non-Cisco access points outside RF/mobility domain) when assigning channels.
– Avoid Cisco AP load—Enable to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points.
– Avoid non 802.11 Noise—Enable to have access points avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Disable this field to have RRM ignore this interference.
– Signal Strength Contribution—Not configurable.
– Avoid Persistent Non-WiFi interface
– Ranges between 6 Mbps and 54 Mbps—Supported, Mandatory, or Disabled.
- Noise/Interference/Rogue Monitoring Channels.
– Channel List—All Channels, Country Channels, DCA Channels. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation from a set of managed devices connected to the controller.
- CCX Location Measurement—When enabled, it enhances the location accuracy of clients.
– Mode—Select the check box to enable.
– Interval—In seconds. The CCX Location Measurement Interval can be changed only when measurement mode is enabled.
Step 4 Click Save.
Configuring 802.11a/n RRM Thresholds
To configure 802.11a/n RRM thresholds for a controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > RRM Thresholds.
Step 4 Make any necessary changes to Coverage Thresholds, Load Thresholds, Other Thresholds, and Noise/Interference/Rogue Monitoring Channels.
When the Coverage Thresholds Min SNR Level (dB) field is adjusted, the value of the Signal Strength (dB) automatically reflects this change. The Signal Strength (dB) field provides information regarding what the target range of coverage thresholds is when adjusting the SNR value.
Step 5 Click Save.
Configuring 802.11a/n RRM Intervals
To configure 802.11a/n or 802.11b/g/n RRM intervals for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > RRM Intervals or 802.11b/g/n > RRM Intervals.
Note The default for the following four RRM interval parameters is 300 seconds.
Step 4 Enter at which interval you want strength measurements taken for each access point.
Step 5 Enter at which interval you want noise and interference measurements taken for each access point.
Step 6 Enter at which interval you want load measurements taken for each access point.
Step 7 Enter at which interval you want coverage measurements taken for each access point.
Step 8 Click Save.
Configuring 802.11a/n RRM Transmit Power Control
The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the transmit power of the access point according to how the access points are seen by their third strongest neighbor.
The transmit power control (TPC) algorithm both increases and decreases the power of an access point in response to changes in the RF environment. In most instances, TPC seeks to lower the power of an access point to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points. This feature is different from Coverage Hole Detection. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.
Transmit Power Control version 2 (TPCv2) attempts to reduce the co-channel interference from Cisco AP networks. The former version of TPC is designed to provide strong signal coverage with a tendency to use larger Tx Power, and as a result customers were suffering from overheating in densely deployed networks.
To configure 802.11a/n or 802.11b/g/n RRM TPC, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n-RRM > TPC.
Step 4 Configure the following TPC parameters:
- Template Applied—The name of the template applied to this controller.
- Template Version—Indicates the TPC version.
The TPCv2 option is applicable only for those controllers running 7.2.x release or later.
- Dynamic Assignment—At the Dynamic Assignment drop-down list, choose one of three modes:
– Automatic - The transmit power is periodically updated for all access points that permit this operation.
– On Demand - Transmit power is updated when the Assign Now button is selected.
– Disabled - No dynamic transmit power assignments occur, and values are set to their global default.
- Maximum Power Assignment—Indicates the maximum power assigned.
– Range: -10 to 30 dB
– Default: 30 dB
- Minimum Power Assignment—Indicates the minimum power assigned.
– Range: -10 to 30 dB
– Default: 30 dB
- Dynamic Tx Power Control—Determine if you want to enable Dynamic Tx Power Control.
- Transmitted Power Threshold—Enter a transmitted power threshold between -50 and -80.
- Control Interval—In seconds (read-only).
Step 5 Click Save.
Configuring 802.11a/n RRM Dynamic Channel Allocation
The Radio Resource Management (RRM) Dynamic Channel Assignment (DCA) page allows you to choose the DCA channels as well as the channel width for this controller.
RRM DCA supports 802.11n 40-MHz channel width in the 5-GHz band. The higher bandwidth allows radios to achieve higher instantaneous data rates. Choosing a larger bandwidth reduces the non-overlapping channels which could potentially reduce the overall network throughput for certain deployments. To view the channel width for the radio of an access point, go to Monitor > Network Devices > Access Points > name > Interfaces tab. You can also view the channel width and antenna selections by choosing Configuration > Network > Network Devices > Access Points and clicking the desired radio in the Radio column.
To configure 802.11 a/n RRM DCA channels for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > RRM DCA. The 802.11a/n RRM DCA page appears.
You can also configure the channel width on the access point page by choosing Configure > Access Points, and clicking the 802.11a/n link in the Radio column. The Current RF Channel Assignment is provided, and you can choose a Global assignment method or choose Custom to specify a channel.
Step 4 From the Channel Width drop-down list, choose 20 MHz or 40 MHz. Prior to software release 5.1, 40-MHz channels were only statically configurable. Only radios with 20-MHz channels were supported by DCA. With 40 MHz, radios can achieve higher instantaneous data rates; however, larger bandwidths reduce the number of non-overlapping channels so certain deployments could have reduced overall network throughput.
Note Be cautious about deploying a mix of 20-MHz and 40-MHz devices. The 40-MHz devices have slightly different channel access rules which might negatively impact the 20-MHz devices.
Step 5 Select the check boxes for the appropriate DCA channels. The selected channels are listed in the Selected DCA channels list.
Step 6 Enable or disable event-driven Radio Resource Management (RRM) using the following parameters. Event Driven RRM is used when a CleanAir-enabled access point detects a significant level of interference.
- Event Driven RRM—Enable or Disable spectrum event-driven RRM. By default, Event Driven RRM is enabled.
- Sensitivity Threshold—If Event Driven RRM is enabled, this field displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.
Step 7 Click Save.
Configuring 802.11a/n RRM Radio Grouping
To configure 802.11a/n or 802.11b/g/n RRM Radio Grouping for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > RRM > RF Grouping.
Step 4 Choose a grouping mode from the drop-down list. The following parameters appear:
- Automatic—Allows you to activate the automatic RRM Grouping Algorithm. This is the default mode.
- Off—Allows you to deactivate the automatic grouping.
- Leader—Allows you to assign members to the group.
Step 5 Choose a group update interval (secs) from the drop-down list. When grouping is on, this interval (in seconds) represents the period with which the grouping algorithm is run by the Group Leader. The grouping algorithm also runs when the group contents change and the automatic grouping is enabled. A dynamic grouping can be started upon request from the system administrator. Default value is 600 seconds.
Step 6 In the Group Members group box, click Add >. The selected controller moves from the Available Controllers to the RF Group Members list.
The RF Group Members group box appears only when the grouping mode is set to Leader. The maximum number of controllers that can be added to an RF Group is 20.
Step 7 Click Save.
Configuring 802.11a/n Media Parameters
To configure the media parameters for 802.11a/n, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > Media Parameters.
Step 4 On the Voice tab, configure the following parameters:
- Admission Control (ACM)—Select the check box to enable admission control.
For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, Call Admission Control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.
- CAC Method—If Admission Control (ACM) is enabled, specify the CAC method as either load-based or static.
Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.
In load-based CAC, the access point periodically measures and updates the utilization of the RF channel, channel interference, and the additional calls that the access point can admit. The access point admits a new call only if the channel has enough unused bandwidth to support that call. By doing so, load-based CAC prevents over-subscription of the channel and maintains QoS under all conditions of WLAN loading and interference.
- Maximum Bandwidth Allowed—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled. The valid range is 5 to 85.
- Reserved Roaming Bandwidth—Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25.
- Expedited Bandwidth—Select the check box to enable expedited bandwidth as an extension of CAC for emergency calls.
You must have an expedited bandwidth that is CCXv5 compliant so that a TSPEC request is given higher priority.
- SIP CAC—Select the check box to enable SIP CAC.
SIP CAC should be used only for phones that support status code 17 and do not support TSPEC-based admission control.
- SIP Codec—Specify the codec name you want to use on this radio. The available options are G.711, G.729, and User Defined.
- SIP Call Bandwidth—Specify the bandwidth in kilobits per second that you want to assign per SIP call on the network. This field can be configured only when the SIP Codec selected is User Defined.
- SIP Sample Interval—Specify the sample interval in milliseconds that the codec must operate in.
- Max Voice Calls per Radio—Specify the maximum number of voice calls that can be made per Radio.
- Max Roaming Reserved Calls per Radio—Specify the maximum number of roaming calls that can be reserved per Radio. The Max Voice Calls per Radio and Max Roaming Reserved Calls per Radio options are available only if the CAC Method is specified as Static and SIP CAC is enabled.
- Metric Collection—Select the check box to enable metric collection.
Traffic stream metrics are a series of statistics about VoIP over your wireless LAN which inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.
Step 5 On the Video tab, configure the following parameters:
- Admission Control (ACM)—Select the check box to enable admission control.
- Maximum Bandwidth Allowed—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled. For controller versions 6.0.188.0 and earlier, the valid range is 0 to 100. For controller versions 6.0.188.1 and later, the valid range is 5 to 85.
- Reserved Roaming Bandwidth—Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25, and the default is 0.
- Static CAC method—From the SIP Codec drop-down list, choose one of the following options to set the CAC method. The default value is G.711. The options are as follows:
– Load-Based
– Static
Static CAC method is radio based and load-based CAC method is channel based.
- SIP CAC—Select the SIP CAC check box to enable Static CAC support. By default, this check box is disabled. SIP CAC will be supported only if SIP snooping is enabled. SIPs are available only on the following controllers: 4400, 5500. Also, SIPs are available only for the following access points: 1240, 1130, and 11n.
- Unicast Video Redirect—Select the Unicast Video Redirect check box to redirect all non-media stream packets in the video queue to the best effort queue. If disabled, all packets with video marking are kept in the video queue.
- Client Minimum Phy Rate—Choose the physical data rate required for the client to join a media stream from the Client Minimum Phy Rate drop-down list.
- Multicast Direct Enable—Select the Multicast Direct Enable check box to enable Media Direct on this radio for any WLAN that has Media Direct enabled.
- Maximum Number of Streams per Radio—Specify the maximum number of streams per Radio to be allowed.
- Maximum Number of Streams per Client—Specify the maximum number of streams per Client to be allowed.
- Best Effort QOS Admission—Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used. If disabled and maximum video bandwidth has been used, then any new client request is rejected.
Step 6 On the General tab, configure the following field:
- Maximum Media Bandwidth (0 to 85%)—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
Step 7 Click Save.
Configuring 802.11a/n EDCA Parameters
The EDCA parameters (EDCA profile and Streaming MAC Enable settings) for 802.11a/n and 802.11b/g/n can be configured either by individual controller or through a controller template to improve voice QoS support.
To configure 802.11a/n or 802.11b/g/n EDCA parameters for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > EDCA Parameters or 802.11b/g/n > EDCA Parameters.
Step 4 Choose the EDCA Profile from the drop-down list.
Profiles include Wi-Fi Multimedia (WMM), Spectralink Voice Priority (SVP), Voice Optimized, and Voice & Video Optimized. WMM is the default EDCA profile. You must shut down the radio interface before configuring EDCA Parameters.
Step 5 Select the Enable Streaming MAC check box to enable this feature.
Only enable Streaming MAC if all clients on the network are WMM compliant.
Configuring 802.11a/n Roaming Parameters
To configure 802.11a/n or 802.11b/g/n roaming parameters for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > Roaming Parameters.
Step 4 From the Mode drop-down list, choose Default values or Custom values.
- Default values—The default values (read-only) are automatically displayed in the text boxes.
- Custom values—Activates the text boxes to enable editing of the roaming parameters.
Step 5 In the Minimum RSSI text box, enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point.
- Range: -80 to -90 dBm
- Default: -85 dBm
If the client average received signal power dips below this threshold, reliable communication is typically impossible; clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.
Step 6 In the Hysteresis text box, enter a value to indicate how strong the signal strength of a neighboring access point must be for the client to roam to it.
This field is intended to reduce the amount of “ping ponging” between access points if the client is physically located on or near the border between two access points.
- Range: 2 to 4 dB
- Default: 3 dB
Step 7 In the Adaptive Scan Threshold text box, enter the RSSI value, from the client's associated access point, below which the client must be able to roam to a neighboring access point within the specified transition time.
This field provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.
- Range: -70 to -77 dB
- Default: -72 dB
Step 8 In the Transition Time text box, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client's associated access point is below the scan threshold.
The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.
- Range: 1 to 10 seconds
- Default: 5 seconds
Step 9 Click Save.
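How the Minimum RSSI, Hysteresis, and Adaptive Scan Threshold values above interact, as an added Python example (not Cisco code and not part of the original guide). The roam rule is a simplified model assumed for illustration, the class, function, and AP names are hypothetical, the RSSI trace is constructed, and Transition Time is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoamingParams:
    """Roaming parameters with the ranges and defaults given in the steps above."""
    min_rssi: int = -85        # dBm, guide range -80 to -90
    hysteresis: int = 3        # dB, guide range 2 to 4
    scan_threshold: int = -72  # guide range -70 to -77

    def __post_init__(self):
        if not -90 <= self.min_rssi <= -80:
            raise ValueError("Minimum RSSI must be between -90 and -80")
        if not 2 <= self.hysteresis <= 4:
            raise ValueError("Hysteresis must be between 2 and 4")
        if not -77 <= self.scan_threshold <= -70:
            raise ValueError("Adaptive Scan Threshold must be between -77 and -70")


def simulate(params, trace, start_ap):
    """Walk a trace of {ap_name: rssi} samples for one client.

    Assumed model: the client roams to the strongest neighbor that
    (a) meets the minimum RSSI needed to associate and
    (b) beats the current AP by at least the hysteresis.
    Returns (roams, scan_modes); roams is a list of (sample_index, from_ap, to_ap).
    """
    current = start_ap
    roams, scan_modes = [], []
    for index, sample in enumerate(trace):
        current_rssi = sample[current]
        # Below the scan threshold the client scans rapidly, above it slowly.
        scan_modes.append("fast" if current_rssi < params.scan_threshold else "slow")
        best = None
        for ap, rssi in sample.items():
            if ap == current or rssi < params.min_rssi:
                continue
            if rssi - current_rssi < params.hysteresis:
                continue  # not enough stronger: stay put to avoid ping-ponging
            if best is None or rssi > sample[best]:
                best = ap
        if best is not None:
            roams.append((index, current, best))
            current = best
    return roams, scan_modes


# Constructed trace: a client lingering on the border between AP "A" and AP "B",
# where the two signals trade places by 2 dB before B clearly wins.
BORDER_TRACE = [
    {"A": -68, "B": -80},
    {"A": -73, "B": -71},
    {"A": -71, "B": -73},
    {"A": -73, "B": -71},
    {"A": -71, "B": -73},
    {"A": -76, "B": -71},
    {"A": -80, "B": -69},
]

if __name__ == "__main__":
    for h in (2, 4):
        roams, modes = simulate(RoamingParams(hysteresis=h), BORDER_TRACE, "A")
        print("hysteresis", h, "dB:", len(roams), "roams", roams, modes)
```

With this trace the 2 dB setting roams on every 2 dB swing, while the 4 dB setting waits for the 5 dB gap and roams once.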
Configuring 802.11a/n 802.11h Parameters
To configure 802.11h parameters for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > 802.11h or 802.11b/g/n > 802.11h.
Step 4 Select the power constraint check box to enable TPC.
Step 5 Select the channel announcement check box to enable channel announcement. Channel announcement is a method in which the access point announces when it is switching to a new channel and the new channel number.
Step 6 Click Save.
Configuring 802.11a/n High Throughput (802.11n) Parameters
To configure 802.11a/n or 802.11b/g/n high throughput parameters, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > High Throughput or 802.11b/g/n > High Throughput.
Step 4 Select the 802.11n Network Status Enabled check box to enable high throughput.
Step 5 In the MCS (Data Rate) Settings, choose which level of data rate you want supported. Modulation coding schemes (MCS) are similar to 802.11a data rates. By default, 20 MHz and short guard interval are used. When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.
Step 6 Click Save.
Configuring 802.11a/n CleanAir Parameters
To configure 802.11a/n CleanAir parameters, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > CleanAir to view the following information.
- CleanAir—Select the check box to enable CleanAir functionality on the 802.11a/n network, or unselect to disable CleanAir functionality. The default value is selected.
- Reporting Configuration—Use the parameters in this section to configure the interferer devices you want to include for your reports.
– Report—Select the report interferers check box to enable the CleanAir system to report and detect sources of interference, or unselect it to prevent the controller from reporting interferers. The default value is selected.
– Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferences to Detect text box and any that do not need to be detected appear in the Interferers to Ignore text box. Use the > and < buttons to move interference sources between these two text boxes. By default, all interference sources are detected.
– Select the Persistent Device Propagation check box to enable propagation of information about persistent devices that can be detected by CleanAir. Persistent device propagation enables designating information about interference types and propagating this information to the neighboring access points. Persistent interferers are present at a location and interfere with the WLAN operations even if they are not detectable at all times.
- Alarm Configuration—This section enables you to configure triggering of air quality alarms.
– Air Quality Alarm—Select the Air Quality Alarm check box to enable the triggering of air quality alarms, or unselect the box to disable this feature. The default value is selected.
– Air Quality Alarm Threshold—If you selected the Air Quality Alarm check box, enter a value between 1 and 100 (inclusive) in the Air Quality Alarm Threshold text box to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best. The default value is 35.
– Air Quality Unclassified category Alarm—Select the Air Quality Unclassified category Alarm check box to enable the alarms to be generated for the unclassified interference category. CleanAir can detect and monitor unclassified interferences. Unclassified interference is interference that is detected but does not correspond to any of the known interference types.
The Unclassified category alarm is generated when the unclassified severity goes above the configured threshold value for unclassified severity or when the air quality index goes below the configured threshold value for Air Quality Index.
– Air Quality Unclassified Category Severity Threshold—If you selected the Air Quality Unclassified category Alarm check box, enter a value between 1 and 99 (inclusive) in the Air Quality Unclassified Severity Threshold text box to specify the threshold at which you want the unclassified category alarm to be triggered. The default is 20.
– Interferers For Security Alarm—Select the Interferers For Security Alarm check box to trigger interferer alarms when the controller detects specified device types, or unselect it to disable this feature. The default value is selected.
– Make sure that any sources of interference that need to trigger interferer alarms appear in the Interferers Selected for Security Alarms text box and any that do not need to trigger interferer alarms appear in the Interferers Ignored for Security Alarms text box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources trigger interferer alarms.
- Event Driven RRM—To trigger spectrum event-driven Radio Resource Management (RRM) to run when a CleanAir-enabled access point detects a significant level of interference, follow these steps:
– Event Driven RRM—Displays the current status of spectrum event-driven RRM.
– Sensitivity Threshold—If Event Driven RRM is enabled, this text box displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.
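The Alarm Configuration rules above, modeled as an added Python example (not Cisco code and not part of the original guide) so the threshold boundaries and the OR condition of the unclassified alarm can be checked against sample data. The report structure, attribute names, AP names, and interferer type strings are constructed for illustration; the unclassified alarm is off unless set because the guide states no default for it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AlarmConfig:
    """CleanAir Alarm Configuration fields (attribute names are hypothetical)."""
    air_quality_alarm: bool = True             # guide default: selected
    air_quality_threshold: int = 35            # guide default; valid 1 to 100
    unclassified_alarm: bool = False           # assumption: guide gives no default
    unclassified_severity_threshold: int = 20  # guide default; valid 1 to 99
    security_alarm: bool = True                # guide default: selected
    # "Interferers Selected for Security Alarms". The guide's default is every
    # type; it is empty here because the guide does not list the type names.
    security_interferers: frozenset = frozenset()

    def __post_init__(self):
        if not 1 <= self.air_quality_threshold <= 100:
            raise ValueError("Air Quality Alarm Threshold must be 1 to 100")
        if not 1 <= self.unclassified_severity_threshold <= 99:
            raise ValueError("Unclassified Severity Threshold must be 1 to 99")


@dataclass(frozen=True)
class RadioReport:
    """One radio's CleanAir measurements (constructed structure)."""
    ap_name: str
    air_quality: int            # 1 = worst, 100 = best
    unclassified_severity: int
    interferers: tuple = ()


def evaluate(cfg, report):
    """Return the alarms one report raises under cfg, in a fixed order."""
    alarms = []
    # "Falls below the threshold": a reading equal to the threshold stays quiet.
    aq_low = report.air_quality < cfg.air_quality_threshold
    if cfg.air_quality_alarm and aq_low:
        alarms.append("air-quality")
    # Unclassified alarm: severity above its own threshold OR air quality
    # index below the air quality threshold.
    sev_high = report.unclassified_severity > cfg.unclassified_severity_threshold
    if cfg.unclassified_alarm and (sev_high or aq_low):
        alarms.append("unclassified")
    # Security alarm: only device types moved into the selected list count.
    if cfg.security_alarm:
        for kind in report.interferers:
            if kind in cfg.security_interferers:
                alarms.append("security:" + kind)
    return alarms


def triage(cfg, reports):
    """Map AP name to its alarms, keeping only radios that raised something."""
    result = {}
    for report in reports:
        alarms = evaluate(cfg, report)
        if alarms:
            result[report.ap_name] = alarms
    return result


# Constructed sample reports, not real controller output.
SAMPLE_REPORTS = [
    RadioReport("ap-lobby", 35, 20, ("microwave-oven",)),     # exactly at both thresholds
    RadioReport("ap-lab", 34, 5),                              # air quality just below 35
    RadioReport("ap-dock", 90, 21, ("jammer", "bluetooth")),  # good air, watched device type
]

if __name__ == "__main__":
    cfg = AlarmConfig(unclassified_alarm=True,
                      security_interferers=frozenset({"jammer"}))
    for ap, alarms in triage(cfg, SAMPLE_REPORTS).items():
        print(ap, alarms)
```

A radio with good air quality can still raise a security alarm, which is why the selected interferer list deserves the same review as the numeric thresholds.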
Configuring 802.11b/g/n General Parameters
To view 802.11b/g/n parameters for a specific controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11b/g/n Parameters to view the following parameters:
– 802.11b/g Network Status—Select the check box to enable.
– 802.11g Support—Select the check box to enable.
– Beacon Period—In milliseconds.
– DTIM Period—The number of beacon intervals that might elapse between transmission of beacon frames containing a traffic indicator message (TIM) element whose delivery count field is 0.
– Fragmentation Threshold—In bytes.
– Short Preamble—Select the check box to enable.
– Template Applied.
– Dynamic Assessment—Automatic, On Demand, or Disabled.
– Current Tx Level.
– Control Interval—In seconds (Read-only).
– Dynamic Treatment Power Control—Select the check box to enable.
– Assignment Mode—Automatic, On Demand, or Disabled.
– Update Interval—In seconds.
– Avoid Foreign AP Interference—Select the check box to enable.
– Avoid Cisco AP load—Select the check box to enable.
– Avoid non 802.11 Noise—Select the check box to enable.
– Signal Strength Contribution—Select the check box to enable.
– Ranges between 1 Mbps and 54 Mbps—Supported, Mandatory, or Disabled.
- Noise/Interference/Rogue Monitoring Channels
– Channel List—All Channels, Country Channels, DCA Channels.
– Mode—Select the check box to enable.
– Interval—In seconds.
The CCX Location Measurement Interval can be changed only when measurement mode is enabled.
Step 4 Click Save.
Configuring 802.11b/g/n RRM Thresholds
To configure 802.11b/g/n RRM thresholds for a controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11b/g/n > RRM Thresholds.
Step 4 Make any necessary changes to Coverage Thresholds, Load Thresholds, Other Thresholds, and Noise/Interference/Rogue Monitoring Channels. When the Coverage Thresholds Min SNR Level (dB) field is adjusted, the value of the Signal Strength (dB) automatically reflects this change. The Signal Strength (dB) field provides information regarding what the target range of coverage thresholds is when adjusting the SNR value.
Step 5 Click Save.
Configuring 802.11b/g/n RRM Intervals
To configure 802.11a/n or 802.11b/g/n RRM intervals for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > RRM Intervals or 802.11b/g/n > RRM Intervals.
Note The default for the following four RRM interval parameters is 300 seconds.
Step 4 Enter the interval at which you want strength measurements taken for each access point.
Step 5 Enter the interval at which you want noise and interference measurements taken for each access point.
Step 6 Enter the interval at which you want load measurements taken for each access point.
Step 7 Enter the interval at which you want coverage measurements taken for each access point.
Step 8 Click Save.
Configuring 802.11b/g/n RRM Transmit Power Control
The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the transmit power of an access point according to how the access points are seen by their third strongest neighbor.
The transmit power control (TPC) algorithm both increases and decreases the power of an access point in response to changes in the RF environment. In most instances, TPC seeks to lower the power of an access point to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points. This feature is different from Coverage Hole Detection. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.
To configure 802.11b/g/n RRM TPC, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11b/g/n-RRM > TPC.
Step 4 Configure the following TPC parameters:
- Template Applied—The name of the template applied to this controller.
- Dynamic Assignment—At the Dynamic Assignment drop-down list, choose one of three modes:
– Automatic—The transmit power is periodically updated for all access points that permit this operation.
– On Demand—Transmit power is updated when the Assign Now button is selected.
– Disabled—No dynamic transmit power assignments occur, and values are set to their global default.
- Maximum Power Assignment—Indicates the maximum power assigned.
– Range: -10 to 30 dB
– Default: 30 dB
- Minimum Power Assignment—Indicates the minimum power assigned.
– Range: -10 to 30 dB
– Default: 30 dB
- Dynamic Tx Power Control—Determine if you want to enable Dynamic Tx Power Control.
- Transmitted Power Threshold—Enter a transmitted power threshold between -50 and -80.
- Control Interval—In seconds (read-only).
Step 5 Click Save.
Configuring 802.11b/g/n RRM DCA
To configure 802.11a/n or 802.11b/g/n RRM DCA channels for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11b/g/n-RRM > DCA.
Step 4 Select the check box(es) for the applicable DCA channel(s). The selected channels are listed in the Selected DCA channels text box.
Step 5 Enable or disable event-driven Radio Resource Management (RRM) using the following parameters. Event Driven RRM is used when a CleanAir-enabled access point detects a significant level of interference.
– Event Driven RRM—Enable or Disable spectrum event-driven RRM. By default, Event Driven RRM is enabled.
– Sensitivity Threshold—If Event Driven RRM is enabled, this text box displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.
Step 6 Click Save.
Configuring 802.11b/g/n RRM Radio Grouping
To configure 802.11a/n or 802.11b/g/n RRM Radio Grouping for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11b/g/n > RRM > RF Grouping.
Step 4 Choose a grouping mode from the drop-down list. The following parameters appear:
- Automatic—Allows you to activate the automatic RRM Grouping Algorithm. This is the default mode.
- Off—Allows you to deactivate the automatic grouping.
- Leader—Allows you to assign members to the group.
Step 5 Choose a group update interval (secs) from the drop-down list. When grouping is on, this interval (in seconds) represents the period with which the grouping algorithm is run by the Group Leader. The grouping algorithm also runs when the group contents change and automatic grouping is enabled. A dynamic grouping can be started upon request from the system administrator. The default value is 600 seconds.
Step 6 In the Group Members group box, click Add >. The selected controller moves from the Available Controllers to the RF Group Members list.
The RF Group Members group box appears only when the grouping mode is set to Leader. The maximum number of controllers that can be added to an RF Group is 20.
Step 7 Click Save.
Configuring 802.11b/g/n Media Parameters
To configure the media parameters for 802.11b/g/n, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11b/g/n > Media Parameters.
Step 4 In the Voice tab, configure the following parameters:
- Admission Control (ACM)—Select the check box to enable admission control.
For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, Call Admission Control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.
- CAC Method—If Admission Control (ACM) is enabled, specify the CAC method as either load-based or static.
Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.
In load-based CAC, the access point periodically measures and updates the utilization of the RF channel, channel interference, and the additional calls that the access point can admit. The access point admits a new call only if the channel has enough unused bandwidth to support that call. By doing so, load-based CAC prevents over-subscription of the channel and maintains QoS under all conditions of WLAN loading and interference.
- Maximum Bandwidth Allowed—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled. The valid range is 5 to 85.
- Reserved Roaming Bandwidth—Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25.
- Expedited Bandwidth—Select the check box to enable expedited bandwidth as an extension of CAC for emergency calls.
You must have an expedited bandwidth that is CCXv5 compliant so that a TSPEC request is given higher priority.
- SIP CAC—Select the check box to enable SIP CAC.
SIP CAC should be used only for phones that support status code 17 and do not support TSPEC-based admission control.
- SIP Codec—Specify the codec name you want to use on this radio. The available options are G.711, G.729, and User Defined.
- SIP Call Bandwidth—Specify the bandwidth in kilobits per second that you want to assign per SIP call on the network. This field can be configured only when the SIP Codec selected is User Defined.
- SIP Sample Interval—Specify the sample interval in milliseconds that the codec must operate in.
- Max Voice Calls per Radio—Indicates the maximum number of voice calls that can be made per Radio. You cannot set the value of Max Voice Calls per Radio. This is automatically calculated based on the selected CAC method, Max BW allowed, and Roaming Bandwidth.
- Max Roaming Reserved Calls per Radio—Indicates the maximum number of roaming calls that can be reserved per Radio. The Max Voice Calls per Radio and Max Roaming Reserved Calls per Radio options are available only if the CAC Method is specified as Static and SIP CAC is enabled.
- Metric Collection—Select the check box to enable metric collection.
Traffic stream metrics are a series of statistics about VoIP over your wireless LAN which inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.
Step 5 In the Video tab, configure the following parameters:
- Admission Control (ACM)—Select the check box to enable admission control.
- Maximum Bandwidth—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled. For controller versions 6.0.188.0 and earlier, the valid range is 0 to 100. For controller versions 6.0.188.1 and later, the valid range is 5 to 85.
- Reserved Roaming Bandwidth—Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25.
- Unicast Video Redirect—Select the Unicast Video Redirect check box to redirect all non-media stream packets in the video queue to the best effort queue. If disabled, all packets with video marking are kept in the video queue.
- Client Minimum Phy Rate—Specify the physical data rate required for the client to join a media stream from the Client Minimum Phy Rate drop-down list.
- Multicast Direct Enable—Select the Multicast Direct Enable check box to enable Media Direct on this radio for any WLAN that has Media Direct enabled.
- Maximum Number of Streams per Radio—Specify the maximum number of streams per Radio to be allowed.
- Maximum Number of Streams per Client—Specify the maximum number of streams per Client to be allowed.
- Best Effort QOS Admission—Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used. If disabled and maximum video bandwidth has been used, then any new client request is rejected.
Step 6 On the General tab, configure the following field:
- Maximum Media Bandwidth (0 to 85%)—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
Step 7 Click Save.
Configuring 802.11b/g/n EDCA Parameters
The EDCA parameters (EDCA profile and Streaming MAC Enable settings) for 802.11a/n and 802.11b/g/n can be configured either by individual controller or through a controller template to improve voice QoS support.
To configure 802.11a/n or 802.11b/g/n EDCA parameters for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > EDCA Parameters or 802.11b/g/n > EDCA Parameters.
Step 4 Choose the EDCA Profile from the drop-down list.
Profiles include Wi-Fi Multimedia (WMM), Spectralink Voice Priority (SVP), Voice Optimized, and Voice & Video Optimized. WMM is the default EDCA profile. You must shut down the radio interface before configuring EDCA parameters.
Step 5 Select the Enable Streaming MAC check box to enable this feature.
Only enable Streaming MAC if all clients on the network are WMM compliant.
Configuring 802.11b/g/n Roaming Parameters
To configure 802.11a/n or 802.11b/g/n roaming parameters for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > Roaming Parameters or 802.11b/g/n > Roaming Parameters.
Step 4 From the Mode drop-down list, choose Default values or Custom values.
- Default values—The default values (read-only) are automatically displayed in the text boxes.
- Custom values—Activates the text boxes to enable editing of the roaming parameters.
Step 5 In the Minimum RSSI text box, enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point.
- Range: -80 to -90 dBm
- Default: -85 dBm
Note If the client average received signal power dips below this threshold, reliable communication is typically impossible; clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.
Step 6 In the Hysteresis text box, enter a value to indicate how strong the signal strength of a neighboring access point must be in order for the client to roam to it.
This field is intended to reduce the amount of “ping ponging” between access points if the client is physically located on or near the border between two access points.
- Range: 2 to 4 dB
- Default: 3 dB
Step 7 In the Adaptive Scan Threshold text box, enter the RSSI value, from a client associated access point, below which the client must be able to roam to a neighboring access point within the specified transition time.
This field provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.
- Range: -70 to -77 dB
- Default: -72 dB
Step 8 In the Transition Time text box, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client associated access point is below the scan threshold.
The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.
- Range: 1 to 10 seconds
- Default: 5 seconds
Step 9 Click Save.
Configuring 802.11b/g/n High Throughput (802.11n) Parameters
To configure 802.11a/n or 802.11b/g/n high throughput parameters, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11a/n > High Throughput or 802.11b/g/n > High Throughput.
Step 4 Select the 802.11n Network Status Enabled check box to enable high throughput.
Step 5 In the MCS (Data Rate) Settings, choose which level of data rate you want supported. MCS (modulation coding scheme) indexes are similar to 802.11a data rates. By default, 20 MHz and short guard interval are used.
When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.
Step 6 Click Save.
Configuring 802.11b/g/n CleanAir Parameters
To configure 802.11b/g/n CleanAir parameters, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose 802.11b/g/n > CleanAir to view the following information.
- CleanAir—Select the check box to enable CleanAir functionality on the 802.11b/g/n network, or unselect it to prevent the controller from detecting spectrum interference. The default value is selected.
- Reporting Configuration—Use the parameters in this section to configure the interferer devices you want to include for your reports.
– Report—Select the report interferers check box to enable the CleanAir system to report and detect sources of interference, or unselect it to prevent the controller from reporting interferers. The default value is selected.
– Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferences to Detect text box and any that do not need to be detected appear in the Interferers to Ignore text box. Use the > and < buttons to move interference sources between these two text boxes. By default, all interference sources are detected.
– Select the Persistent Device Propagation check box to enable propagation of information about persistent devices that can be detected by CleanAir. Persistent device propagation enables designating information about interference types and propagating this information to the neighboring access points. Persistent interferers are present at a location and interfere with the WLAN operations even if they are not detectable at all times.
- Alarm Configuration—This group box enables you to configure triggering of air quality alarms.
– Air Quality Alarm—Select the Air Quality Alarm check box to enable the triggering of air quality alarms, or unselect the check box to disable this feature. The default value is selected.
– Air Quality Alarm Threshold—If you selected the Air Quality Alarm check box, enter a value between 1 and 100 (inclusive) in the Air Quality Alarm Threshold text box to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best. The default value is 35.
– Air Quality Unclassified category Alarm—Select the Air Quality Unclassified category Alarm check box to enable alarms to be generated for the unclassified interference category. Cisco CleanAir can detect and monitor unclassified interferences. Unclassified interferences are interferences that are detected but do not correspond to any of the known interference types.
The Unclassified category alarm is generated when the unclassified severity goes above the configured threshold value for unclassified severity or when the air quality index goes below the configured threshold value for Air Quality Index.
– Air Quality Unclassified Category Severity Threshold—If you selected the Air Quality Unclassified category Alarm check box, enter a value between 1 and 99 (inclusive) in the Air Quality Unclassified Severity Threshold text box to specify the threshold at which you want the unclassified category alarm to be triggered. The default is 20.
– Interferers For Security Alarm—Select the Interferers For Security Alarm check box to trigger interferer alarms when the controller detects specified device types, or unselect it to disable this feature. The default value is selected.
– Make sure that any sources of interference that need to trigger interferer alarms appear in the Interferers Selected for Security Alarms text box and any that do not need to trigger interferer alarms appear in the Interferers Ignored for Security Alarms text box. Use the > and < buttons to move interference sources between these two text boxes. By default, all interference sources trigger interferer alarms.
- Event Driven RRM—To trigger spectrum event-driven Radio Resource Management (RRM) to run when a CleanAir-enabled access point detects a significant level of interference, use the following parameters:
– Event Driven RRM—Displays the current status of spectrum event-driven RRM.
– Sensitivity Threshold—If Event Driven RRM is enabled, this text box displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Allocation (DCA) run and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.
Step 4 Click Save.
Configuring Mesh Parameters
To configure Mesh parameters for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Mesh > Mesh Settings.
Step 4 View or edit the following mesh parameters:
- RootAP to MeshAP Range—By default, this value is 12,000 feet. You can enter a value between 150 and 132,000 feet. Enter the optimum distance (in feet) that exists between the root access point and the mesh access point. This global field applies to all access points when they join the controller and all existing access points in the network.
- Client Access on Backhaul Link—Enabling this feature lets mesh access points associate with 802.11a wireless clients over the 802.11a backhaul. This is in addition to the existing communication on the 802.11a backhaul between the root and mesh access points. This feature is applicable only to the access points with two radios. Changing Backhaul Client Access reboots all the mesh access points. See “Client Access on 1524SB Dual Backhaul” for more information.
- Mesh DCA Channels—Enabling this option lets backhaul channels be deselected on the controller using the DCA channel list. Any change to the channels in the Controller DCA list is pushed to the associated access points. This option is only applicable for 1524SB mesh access points. See “Backhaul Channel Deselection in PI” for more information.
- Background Scanning—Select the Background Scanning check box to enable background scanning or unselect it to disable the feature. The default value is disabled. Background scanning allows Cisco Aironet 1510 Access Points to actively and continuously monitor neighboring channels for more optimal paths and parents.
- Global Public Safety—Enabling this option indicates that 4.9 GHz can be used on the backhaul link by selecting a channel on the 802.11a backhaul radio. The 4.9 GHz band is considered to be a public safety band and is limited to some service providers. This setting applies at the controller level.
- Security Mode—Choose EAP (Extensible Authentication Protocol) or PSK (Pre-Shared Key) from the Security Mode drop-down list. Changing Security reboots all mesh access points.
Step 5 Click Save.
Client Access on 1524SB Dual Backhaul
The 1524 Serial Backhaul (SB) access point consists of three radio slots.
- The radio in slot-0 operates in the 2.4 GHz frequency band and is used for client access.
- The radios in slot-1 and slot-2 operate in the 5.8 GHz band and are primarily used for backhaul.
The two 802.11a backhaul radios use the same MAC address. There might be instances where the same WLAN maps to the same BSSID in more than one slot.
By default, client access is disabled over both the backhaul radios.
The following guidelines must be followed to enable or disable a radio slot:
- You can enable client access on slot-1 even if client access on slot-2 is disabled.
- You can enable client access on slot-2 only when client access on slot-1 is enabled.
- If you disable client access on slot-1, then client access on slot-2 is automatically disabled.
- All the Mesh Access Points reboot whenever the client access is enabled or disabled.
The Universal Client Access feature allows client access over both the slot-1 and slot-2 radios. You can configure client access over backhaul radio from any one of the following:
- The Controller command-line interface (CLI)
- The Controller Graphical User Interface (GUI)
- Prime Infrastructure GUI. See “Configuring Client Access in PI” for more information.
Configuring Client Access in PI
To configure client access on the two backhaul radios, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Mesh > Mesh Settings.
Step 4 Select the Client Access on Backhaul Link check box.
Step 5 Select the Extended Backhaul Client Access check box.
Step 6 Click Save.
A warning message is displayed:
Enabling client access on both backhaul slots will use same BSSIDs on both the slots. Changing Backhaul Client Access will reboot all Mesh APs.
Step 7 Click OK.
The Universal Client access is configured on both the radios.
Backhaul Channel Deselection in PI
To configure backhaul channel deselection, follow these steps:
Step 1 Configure the Mesh DCA channels flag on the controllers. See “Configuring Mesh DCA Channel Flag on Controllers Using PI” for more information.
Step 2 Change the channel list using configuration groups. See “Changing the Channel List Using Configuration Groups” for more information.
Configuring Mesh DCA Channel Flag on Controllers Using PI
You can configure the Mesh DCA Channel flag to push each channel change on one or more controllers to all the associated 1524SB access points. To configure this feature, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Mesh > Mesh Settings.
Step 4 Select the Mesh DCA Channels check box to enable channel selection. This option is unselected by default.
Now the channel changes in the controllers are pushed to the associated 1524SB access points.
Changing the Channel List Using Configuration Groups
You can use controller configuration groups to configure backhaul channel deselection. You can create a configuration group and add the required controllers to the group and use the Country/DCA tab to select or deselect channels for the controllers in that group.
To configure backhaul channel deselection using configuration groups, follow these steps:
Step 1 Choose Configuration > Controller Configuration Groups.
Step 2 Select a configuration group to view its configuration group details.
Step 3 From the Configuration Group detail page, click the Country/DCA tab.
Step 4 Select or unselect the Update Country/DCA check box.
Configuring Port Parameters
To configure Port parameters for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then select Device Type > Wireless Controller.
Step 2 Click an applicable device.
Step 3 From the left sidebar menu, choose Ports > Port Settings.
Step 4 Click the applicable Port Number to open the Port Settings Details page. The following parameters are displayed:
– Port Number—Read-only.
– Admin Status—Choose Enabled or Disabled from the drop-down list.
– Physical Mode—Auto Negotiate (Read-only).
– Physical Status—Full Duplex 1000 Mbps (Read-only).
– STP Mode—Choose 802.1D, Fast, or Off.
– Link Traps—Choose Enabled or Disabled.
– Power Over Ethernet
– Multicast Application Mode—Select Enabled or Disabled.
– Port Mode SFP Type—Read-only.
- Spanning Tree Protocol Parameters:
– Priority—The numerical priority number of the ideal switch.
– Path Cost—A value (typically based on hop count, media bandwidth, or other measures) assigned by the network administrator and used to determine the most favorable path through an internetwork environment (the lower the cost, the better the path).
Step 5 Click Save.
Configuring Controller Management Parameters
The following management parameters of the controllers can be configured:
- Trap Receivers
- Trap Control
- Telnet and SSH
- Multiple Syslog servers
- Web Admin
- Local Management Users
- Authentication Priority
Configuring Trap Receivers
The trap receiver parameter can be configured for individual wireless controllers. Trap receivers can be added to or deleted from the wireless controller. A trap receiver can be added by creating a template under Configuration > Features & Technologies.
Configuring Trap Receivers for an Individual Controller
To configure trap receivers for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Management > Trap Receiver.
Step 4 The following parameters are displayed for current trap receivers:
- Community Name—Name of the trap receiver.
- IP Address—The IP address of the server.
- Admin Status—Status must be enabled for the SNMP traps to be sent to the receiver.
Step 5 Click a receiver Name to access its details.
Step 6 Select the Admin Status check box to enable the trap receiver. Unselect the check box to disable the trap receiver.
Step 7 Click Save.
Deleting a Receiver
To delete one or more receivers, follow these steps:
Step 1 Select the check box of each applicable receiver.
Step 2 From the Select a command drop-down list, choose Delete Receivers.
Step 3 Click Go.
Step 4 Click OK in the confirmation message.
Configuring Trap Control Parameters
To configure trap control parameters for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Management > Trap Control.
Step 4 The following traps can be enabled for this controller:
– SNMP Authentication—The SNMPv2 entity has received a protocol message that is not properly authenticated. When a user who is configured in SNMP V3 mode tries to access the controller with an incorrect password, the authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.
– Link (Port) Up/Down—Link changes status between up and down.
– Multiple Users—Two users log in with the same login ID.
– Spanning Tree—Spanning Tree traps. See the STP specifications for descriptions of individual parameters.
– Rogue AP—Whenever a rogue AP is detected, this trap is sent with its MAC address. This trap is also sent when a rogue AP that was detected earlier no longer exists.
– Config Save—Notification sent when the controller configuration is modified.
– RFID Limit Reached Threshold—The maximum permissible value for RFID limit.
– 802.11 Association—The associate notification is sent when the client sends an association frame.
– 802.11 Disassociation—The disassociate notification is sent when the client sends a disassociation frame.
– 802.11 Deauthentication—The deauthenticate notification is sent when the client sends a deauthentication frame.
– 802.11 Failed Authentication—The authenticate failure notification is sent when the client sends an authentication frame with a status code other than 'successful'.
– 802.11 Failed Association—The associate failure notification is sent when the client sends an association frame with a status code other than 'successful'.
– Excluded—The associate failure notification is sent when a client is excluded.
– 802.11 Authenticated—The authenticate notification is sent when the client sends an authentication frame with a status code 'successful'.
– MaxClients Limit Reached Threshold—The maximum permissible number of clients allowed.
– AP Register—Notification sent when an access point associates or disassociates with the controller.
– AP Interface Up/Down—Notification sent when access point interface (802.11a or 802.11b/g) status goes up or down.
– Load Profile—Notification sent when Load Profile state changes between PASS and FAIL.
– Noise Profile—Notification sent when Noise Profile state changes between PASS and FAIL.
– Interference Profile—Notification sent when Interference Profile state changes between PASS and FAIL.
– Coverage Profile—Notification sent when Coverage Profile state changes between PASS and FAIL.
– Channel Update—Notification sent when access point dynamic channel algorithm is updated.
– Tx Power Update—Notification sent when access point dynamic transmit power algorithm is updated.
– User Auth Failure—This trap is to inform that a client RADIUS Authentication failure has occurred.
– RADIUS Server No Response—This trap is to indicate that no RADIUS server(s) are responding to authentication requests sent by the RADIUS client.
– WEP Decrypt Error—Notification sent when the controller detects a WEP decrypting error.
– Signature Attack—Notification sent when a signature attack is detected in the wireless controller that uses RADIUS Authentication.
Step 5 After selecting the applicable parameters, click Save.
Configuring Telnet SSH Parameters
To configure Telnet SSH (Secure Shell) parameters for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Management > Telnet SSH.
The following parameters can be configured:
- Session Timeout—Indicates the number of minutes a Telnet session is allowed to remain inactive before being logged off. A zero means there is no timeout. Specify a number from 0 to 160. The factory default is 5.
- Maximum Sessions—From the drop-down list, choose a value from 0 to 5. This object indicates the number of simultaneous Telnet sessions allowed.
- Allow New Telnet Sessions—Indicates that new Telnet sessions are not allowed on the DS Port when set to no. The factory default value is no. New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the Service port.
- Allow New SSH Sessions—Indicates that new Secure Shell Telnet sessions are not allowed when set to no. The factory default value is yes.
Step 4 After configuring the applicable parameters, click Save.
Configuring Multiple Syslog Servers
For Release 5.0.148.0 controllers or later, you can configure multiple (up to three) syslog servers on the WLAN controller. With each message logged, the controller sends a copy of the message to each configured syslog host, provided the message has severity greater than or equal to the configured syslog filter severity level.
To enable syslogs for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Management > Multiple Syslog.
The applied template is identified:
- Syslog Server Address—Indicates the server address of the applicable syslog.
Step 4 Click Save.
Deleting a Syslog Server
To delete one or more syslog servers, follow these steps:
Step 1 Select the check box of each syslog server to delete.
Step 2 From the Select a command drop-down list, choose Delete Syslog Servers.
Step 3 Click Go.
Step 4 Click OK in the confirmation message.
Configuring Web Admin
This section provides instructions for enabling the distribution system port as a web port (using HTTP) or as a secure web port (using HTTPS). You can protect communication with the GUI by enabling HTTPS. HTTPS protects HTTP browser sessions by using the Secure Sockets Layer (SSL) protocol. When you enable HTTPS, the controller generates its own local web administration SSL certificate and automatically applies it to the GUI. You can download an externally generated certificate.
To enable Web Admin parameters for an individual controller, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Management > Web Admin.
The following parameters can be configured:
- WEB Mode—Choose Enable or Disable from the drop-down list. When enabled, users can access the controller GUI using http://ip-address. The default is Disabled. Web mode is not a secure connection.
- Secure Web Mode—Choose Enable or Disable from the drop-down list. When enabled, users can access the controller GUI using https://ip-address. The default is Enabled.
- Certificate Type—The Web Admin certificate must be downloaded. The controller must be rebooted for the new Web Admin certificate to take effect.
- Download Web Admin Certificate—Click to access the Download Web Admin Certificate to Controller page. See “Downloading Web Auth or Web Admin Certificate to the Controller” for more information.
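The Telnet SSH and Web Admin settings described above can be checked against their documented ranges and defaults with a short script. This is an added example, not Cisco code or a Prime Infrastructure API: the dict keys mirror the field labels on the page, while the function names, severity labels and sample values are constructed for illustration.

```python
"""Audit controller management-plane settings (Telnet SSH and Web Admin pages)."""
from dataclasses import dataclass

# Factory defaults as stated in the Telnet SSH and Web Admin sections.
DOCUMENTED_DEFAULTS = {
    "Session Timeout": 5,                 # minutes; 0 means no timeout
    "Allow New Telnet Sessions": "no",
    "Allow New SSH Sessions": "yes",
    "WEB Mode": "Disabled",
    "Secure Web Mode": "Enabled",
}
# Documented ranges, inclusive. Maximum Sessions has no documented default.
RANGES = {"Session Timeout": (0, 160), "Maximum Sessions": (0, 5)}
FLAG_FIELDS = ("Allow New Telnet Sessions", "Allow New SSH Sessions",
               "WEB Mode", "Secure Web Mode")


@dataclass(frozen=True)
class Finding:
    field: str
    severity: str   # "invalid", "high" or "medium": labels chosen for this example
    message: str


def parse_flag(value):
    """Map yes/no and Enable(d)/Disable(d) spellings to a bool."""
    text = str(value).strip().lower()
    if text in ("yes", "enable", "enabled"):
        return True
    if text in ("no", "disable", "disabled"):
        return False
    raise ValueError(f"unrecognised value {value!r}")


def audit_management_plane(settings):
    """Return the findings for one controller's settings dict."""
    merged = {**DOCUMENTED_DEFAULTS, **settings}
    findings, numbers, flags = [], {}, {}

    # Range checks: reject non-integers (including bools) and out-of-range values.
    for name, (low, high) in RANGES.items():
        value = merged.get(name)
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
            findings.append(Finding(
                name, "invalid",
                f"expected a whole number from {low} to {high}, got {value!r}"))
        else:
            numbers[name] = value

    # Flag parsing: an unreadable value is reported, never silently treated as off.
    for name in FLAG_FIELDS:
        try:
            flags[name] = parse_flag(merged[name])
        except ValueError as exc:
            findings.append(Finding(name, "invalid", str(exc)))

    # Policy checks (the severity assigned to each is this example's choice).
    if numbers.get("Session Timeout") == 0:
        findings.append(Finding("Session Timeout", "medium",
                                "0 means inactive sessions are never logged off"))
    if flags.get("Allow New Telnet Sessions"):
        detail = "Telnet carries credentials and commands unencrypted"
        if flags.get("Allow New SSH Sessions") is False:
            detail += "; SSH is off, so Telnet is the only remote CLI"
        findings.append(Finding("Allow New Telnet Sessions", "high", detail))
    if flags.get("WEB Mode"):
        detail = "HTTP access to the controller GUI is not a secure connection"
        if flags.get("Secure Web Mode") is False:
            detail += "; Secure Web Mode is off, so the GUI is HTTP only"
        findings.append(Finding("WEB Mode", "high", detail))
    return findings


# Constructed sample input, not taken from a real controller.
CONSTRUCTED_WEAK = {
    "Session Timeout": 0,
    "Maximum Sessions": 9,
    "Allow New Telnet Sessions": "yes",
    "Allow New SSH Sessions": "no",
    "WEB Mode": "Enable",
    "Secure Web Mode": "Disable",
}

if __name__ == "__main__":
    for finding in audit_management_plane(CONSTRUCTED_WEAK):
        print(f"[{finding.severity}] {finding.field}: {finding.message}")
```

Because the page states that new Telnet sessions are always allowed on the Service port, a clean result for Allow New Telnet Sessions covers the DS (network) port only.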
Downloading Web Auth or Web Admin Certificate to the Controller
To download a Web Auth or Web Admin Certificate to the controller, follow these steps:
Step 1 Click the Download Web Admin Certificate or Download Web Auth Certificate link.
Step 2 In the File is located on field, specify Local machine or TFTP server. If the certificate is located on the TFTP server, enter the server filename. If it is located on the local machine, click Browse and enter the local filename.
Step 3 Enter the TFTP server name in the Server Name text box. The default is the Prime Infrastructure server.
Step 4 Enter the server IP address.
Step 5 In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to download the certificate.
Step 6 In the Time Out text box, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate.
Step 7 In the Local File Name text box, enter the directory path of the certificate.
Step 8 In the Server File Name text box, enter the name of the certificate.
Step 9 Enter the password in the Certificate Password text box.
Step 10 Re-enter the above password in the Confirm Password text box.
Step 11 Click OK.
Step 12 Click Regenerate Cert to regenerate the certificate.
Configuring Local Management Users
This page lists the names and access privileges of the local management users. You can also delete the local management user.
To access the Local Management Users page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Management > Local Management Users.
Step 4 Click a username.
- User Name (read-only)—Name of the user.
- Access Level (read-only)—Read Write or Read Only.
Deleting the Local Management User
To delete the Local Management User, follow these steps:
Step 1 Select the check box of each user to delete.
Step 2 From the Select a command drop-down list, choose Delete Local Management Users.
Step 3 Click Go.
Step 4 Click OK in the confirmation message.
Configuring Authentication Priority
Authentication Priority is configured to control the order in which authentication servers are used to authenticate controller management users.
To access the Authentication Priority page, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose Management > Authentication Priority.
Step 4 The local database is searched first. Choose either RADIUS or TACACS+ for the next search. If authentication using the local database fails, the controller uses the next type of server.
Step 5 Click Save.
Configuring Location Configurations
Currently, Wi-Fi clients are moving towards less frequent probing to discover an AP. Smartphones do this to conserve battery power. Applications on a smartphone have difficulty generating probe requests but can easily generate data packets, which can trigger enhanced location for the application. Hyperlocation is configured from WLC 8.1MR and Prime Infrastructure 3.0. It is ultra-precise in locating beacons, inventory, and personal mobile devices. Some networks use multiple access points to get location coordinates within 5 to 7 meters of accuracy, but Hyperlocation can track locations to within a single meter.
To configure location configurations for an individual controller, follow these steps:
Step 1 Choose
Configuration > Network > Network Devices
, then from the Device Groups menu on the left, select
Device Type > Wireless Controller
.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose
Location > Location Configuration
.
The Location Configuration page displays two tabs: General and Advanced.
Step 4 Add or modify the General parameters:
- RFID Tag Data Collection—Select the check box to enable the collection of data on tags. Before the location server can collect asset tag data from controllers, you must enable the detection of active RFID tags using the CLI command config rfid status enable on the controllers.
- Location Path Loss Configuration
– Calibrating Client—Select the check box to enable calibration for the client. Controllers send regular S36 or S60 requests (depending on the client capability) by way of the access point to calibrate clients. Packets are transmitted on all channels. All access points gather RSSI data from the client at each location. These additional transmissions and channel changes might degrade contemporaneous voice or video traffic.
– Normal Client—Select the check box to have a non-calibrating client. No S36 requests are transmitted to the client. S36 is compatible with CCXv2 or later whereas S60 is compatible with CCXv4 or later.
- Measurement Notification Interval (in secs)
– Tags, Clients, and Rogue APs/Clients—Allows you to set the NMSP measurement notification interval for clients, tags, and rogues. Specify how many seconds should elapse before notification of the found element (tags, clients, and rogue access points/clients).
Setting this value on the controller generates an out-of-sync notification which you can view in the Synchronize Servers page. When different measurement intervals exist between a controller and the mobility services engine, the largest interval setting of the two is adopted by the mobility services engine.
Once this controller is synchronized with the mobility services engine, the new value is set on the mobility services engine. Synchronization to the mobility services engine is required if changes are made to the measurement notification interval.
- RSS Expiry Timeout (in secs)
– For Clients—Enter the number of seconds after which RSSI measurements for normal (non-calibrating) clients must be discarded.
– For Calibrating Clients—Enter the number of seconds after which RSSI measurements for calibrating clients must be discarded.
– For Tags—Enter the number of seconds after which RSSI measurements for tags must be discarded.
– For Rogue APs—Enter the number of seconds after which RSSI measurements for rogue access points must be discarded.
Step 5 Add or modify the Advanced parameters:
- RFID Tag Data Timeout (in secs)—Enter a value (in seconds) to set the RFID tag data timeout setting.
- Location Path Loss Configuration
– Calibrating Client Multiband—Select the Enable check box to send S36 and S60 packets (where applicable) on all channels. Calibrating clients must be enabled in the General tab as well. To use all radios (802.11a/b/g/n) available, you must enable multiband.
- Hyperlocation Config Parameters
– Hyperlocation—Enabling this option enables all the APs associated with the controller that have the Hyperlocation module.
– Packet Detection RSSI Minimum—Adjust this value to filter out weak RSSI readings from location calculation.
– Scan Count Threshold for Idle Client Detection—The maximum permissible count of the idle clients detected while scanning.
– NTP Server IP Address—Enter the valid NTP server IP address. This IP address is used by all APs for time synchronization.
Step 6 Click Save.
Configuring IPv6
IPv6 can be configured with Neighbor Binding Timer and Router Advertisements (RA) parameters.
Configuring Neighbor Binding Timers
To configure the Neighbor Binding Timers, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose IPv6 > Neighbor Binding Timers.
Step 4 The applied template will be displayed. Add or modify the following parameters:
- Down Lifetime Interval—This indicates the maximum time, in seconds. The range is 0 to 86,400 seconds, and the default value is 0.
- Reachable Lifetime Interval—This indicates the maximum time, in seconds. The range is 0 to 86,400 seconds, and the default value is 0.
- Stale Lifetime Interval—This indicates the maximum time, in seconds. The range is 0 to 86,400 seconds, and the default value is 0.
Step 5 Click Save.
Configuring RA Throttle Policy
The RA Throttle Policy allows you to limit the amount of multicast Router Advertisements (RA) circulating on the wireless network.
To configure RA Throttle Policy, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose IPv6 > RA Throttle Policy.
Step 4 If you want to enable the RA Throttle Policy, select the Enable check box and configure the following parameters:
- Throttle Period—Duration of the throttle period in seconds. The range is 10 to 86,400 seconds.
- Max Through—The number of RAs that pass through over a period or over an unlimited period. If the No Limit check box is not enabled, the maximum pass-through number can be specified.
- Interval Option—Indicates the behavior in case of an RA with an interval option.
– Ignore
– Passthrough
– Throttle
- Allow At-least—Indicates the minimum number of RAs not throttled per router.
- Allow At-most—Indicates the maximum or unlimited number of RAs not throttled per router. If the No Limit check box is not enabled, the maximum number of RAs not throttled per router can be specified.
Step 5 Click Save.
Configuring RA Guard
RA Guard is a Unified Wireless solution that drops RAs from wireless clients. It is configured globally and is enabled by default. You can configure IPv6 Router Advertisement parameters.
To configure RA Guard, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 From the left sidebar menu, choose IPv6 > RA Guard.
Step 4 If you want to enable the Router Advertisement Guard, select the Enable check box.
Step 5 Click Save.
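The decision RA Guard makes for a packet arriving from a wireless client, as an added Python example that is not Cisco's implementation: it walks the IPv6 header chain to find an ICMPv6 Router Advertisement (type 134) and drops it, along with first fragments whose header chain cannot be read. The function names, verdict strings, and sample packets are assumptions constructed for illustration.

```python
import struct

ICMPV6 = 58                 # IPv6 Next Header value for ICMPv6
ROUTER_ADVERTISEMENT = 134  # ICMPv6 message type of a Router Advertisement
GENERIC_EXT = {0, 43, 60}   # hop-by-hop, routing, destination options
FRAGMENT = 44


def classify_ipv6(packet: bytes) -> str:
    """Return 'ra', 'not-ra', 'later-fragment' or 'undetermined'."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "undetermined"
    next_header, offset = packet[6], 40
    while True:
        if next_header == ICMPV6:
            if offset >= len(packet):
                return "undetermined"
            return "ra" if packet[offset] == ROUTER_ADVERTISEMENT else "not-ra"
        if next_header in GENERIC_EXT:
            if offset + 2 > len(packet):
                return "undetermined"
            next_header, ext_len = packet[offset], packet[offset + 1]
            offset += (ext_len + 1) * 8  # length counts 8-byte units after the first
        elif next_header == FRAGMENT:
            if offset + 8 > len(packet):
                return "undetermined"
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return "later-fragment"  # the decision is made on the first fragment
            next_header, offset = packet[offset], offset + 8
        else:
            return "not-ra"  # TCP, UDP or another upper-layer protocol


def ra_guard_verdict(packet: bytes, from_wireless_client: bool) -> str:
    """Drop RAs, and packets whose header chain cannot be read, from clients."""
    if not from_wireless_client:
        return "forward"
    return "drop" if classify_ipv6(packet) in ("ra", "undetermined") else "forward"


def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed sample packet (link-local source, all-nodes destination)."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + src + dst + payload


# Constructed samples; checksums are zero because nothing here verifies them.
SAMPLE_RA = bytes([134, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0)
SAMPLE_ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])
DEST_OPTS = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # next header 58, then PadN padding

if __name__ == "__main__":
    for name, pkt in [("plain RA", build_ipv6(ICMPV6, SAMPLE_RA)),
                      ("RA behind destination options", build_ipv6(60, DEST_OPTS + SAMPLE_RA)),
                      ("echo request", build_ipv6(ICMPV6, SAMPLE_ECHO))]:
        print(name, "->", ra_guard_verdict(pkt, from_wireless_client=True))
```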
Configuring Proxy Mobile IPv6
Proxy Mobile IPv6 is a network-based mobility management protocol that supports a mobile node by acting as the proxy for the mobile node in any IP mobility-related signaling. The mobility entities in the network track the movements of the mobile node and initiate the mobility signaling and set up the required routing state.
The main functional entities are the Local Mobility Anchor (LMA) and Mobile Access Gateway (MAG). The LMA maintains the reachability state of the mobile node and is the topological anchor point for the IP address of the mobile node. The MAG performs the mobility management on behalf of a mobile node. The MAG resides on the access link where the mobile node is anchored. The controller implements the MAG functionality.
Configuring PMIP Global Configurations
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Choose PMIP > Global Config from the left sidebar menu.
Step 4 Configure the following fields:
- Domain Name—Read-only.
- MAG Name—Read-only.
- MAG Interface—Read-only.
- Maximum Bindings Allowed—Maximum number of binding updates that the controller can send to the MAG. The valid range is from 0 to 7000.
- Binding Lifetime—Lifetime of the binding entries in the controller. The valid range is from 10 to 65535 seconds. The default value is 65535. The binding lifetime should be a multiple of 4 seconds.
- Binding Refresh Time—Refresh time of the binding entries in the controller. The valid range is from 4 to 65535 seconds. The default value is 300 seconds. The binding refresh time should be a multiple of 4 seconds.
- Binding Initial Retry Timeout—Initial timeout between the proxy binding updates (PBUs) when the controller does not receive the proxy binding acknowledgments (PBAs). The valid range is from 100 to 65535 seconds. The default value is 1000 seconds.
- Binding Maximum Retry Timeout—Maximum timeout between the proxy binding updates (PBUs) when the controller does not receive the proxy binding acknowledgments (PBAs). The valid range is from 100 to 65535 seconds. The default value is 32000 seconds.
- Replay Protection Timestamp—Maximum amount of time difference between the timestamp in the received proxy binding acknowledgment and the current time of the day. The valid range is from 1 to 255 milliseconds. The default value is 7 milliseconds.
- Minimum BRI Retransmit Timeout—Minimum amount of time that the controller waits before retransmitting the BRI message. The valid range is from 500 to 65535 seconds.
- Maximum BRI Retransmit Timeout—Maximum amount of time that the controller waits before retransmitting the Binding Revocation Indication (BRI) message. The valid range is from 500 to 65535 seconds. The default value is 2000 seconds.
- BRI Retries—Number of BRI retries.
- MAG APN—Name of the Access Point Node of MAG.
Step 5 Click Save.
Configuring LMA Configurations
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Choose PMIP > LMA Config from the left sidebar menu.
Step 4 Configure the following fields:
- LMA Name—Name of the LMA connected to the controller.
- LMA IP Address—IP address of the LMA connected to the controller.
Step 5 Click Save.
Deleting LMA Configurations
To delete the LMA configurations, follow these steps:
Step 1 Select the applicable LMA config check box.
Step 2 From the Select a command drop-down list, choose Delete PMIP Local Configs.
Step 3 Click Go.
Step 4 Click OK in the confirmation message.
Configuring PMIP Profile
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Choose PMIP > PMIP Profile from the left sidebar menu.
Step 4 Enter the profile name.
Step 5 Click Add and then configure the following fields:
- Network Access Identifier—Name of the Network Access Identifier (NAI) associated with the profile.
- LMA Name—Name of the LMA to which the profile is associated.
- Access Point Node—Name of the access point node connected to the controller.
Step 6 Click Save.
Deleting PMIP Profiles
To delete the PMIP profiles, follow these steps:
Step 1 Select the required PMIP profiles check box.
Step 2 From the Select a command drop-down list, choose Delete PMIP Local Configs.
Step 3 Click Go.
Step 4 Click OK in the confirmation message.
Configuring mDNS
Multicast DNS (mDNS) service discovery provides a way to announce and discover services on the local network. mDNS performs DNS queries over IP multicast and supports zero-configuration IP networking.
You can configure mDNS so that the controller can learn about the mDNS services and advertise these services to all clients.
There are two tabs in mDNS—Services and Profiles.
- Services tab—This tab enables you to configure the global mDNS parameters and update the Master Services database.
- Profiles tab—This tab enables you to view the mDNS profiles configured on the controller and create new mDNS profiles. After creating a new profile, you must map the profile to an interface group, an interface, or a WLAN. Clients receive service advertisements only for the services associated with the profile. The controller gives the highest priority to the profiles associated to interface groups, followed by the interface profiles, and then the WLAN profiles. Each client is mapped to a profile based on the order of priority. By default, the controller has an mDNS profile, default-mdns-profile, which cannot be deleted.
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Choose mDNS > mDNS from the left sidebar menu.
Step 4 On the Services tab, configure the following parameters:
- Template Applied—The name of the template applied to this controller.
- mDNS Global Snooping—Check box that you select to enable snooping of mDNS packets. The controller does not support IPv6 mDNS packets even when you enable mDNS snooping.
- Query Interval(10-120)—mDNS query interval, in minutes, that you can set. This interval is used by WLC to send periodic mDNS query messages to services which do not send service advertisements automatically after they are started. The range is from 10 to 120 minutes. The default value is 15 minutes.
- Master Services—Click Add Row and then configure the following fields:
– Master Service Name—Drop-down list from which you can choose the supported services that can be queried. To add a new service, enter or choose the service name, enter the service string, and then choose the service status. The following services are available:
– AirTunes
– AirPrint
– AppleTV
– HP Photosmart Printer1
– HP Photosmart Printer2
– Apple File Sharing Protocol (AFP)
– Scanner
– Printer
– FTP
– iTunes Music Sharing
– iTunes Home Sharing
– iTunes Wireless Device Syncing
– Apple Remote Desktop
– Apple CD/DVD Sharing
– Time Capsule Backup
- Master Service Name—Name of the mDNS service.
- Service String—Unique string associated to an mDNS service. For example, _airplay._tcp.local. is the service string associated to AppleTV.
- Query Status—Check box that you select to enable an mDNS query for a service. Periodic mDNS query messages will be sent by WLC at the configured Query Interval for services only when the query status is enabled; otherwise, the service should be advertised automatically, as is the case for other services where the query status is disabled (for example, AppleTV).
Step 5 On the Profiles tab, configure the following parameters:
- Profiles—Click Add Profile and then configure the following fields:
– Profile Name—Name of the mDNS profile. You can create a maximum of 16 profiles.
– Services—Select the services (using the check boxes) that you want to map to the mDNS profile.
- You can edit or delete the existing profile by clicking on Edit and Delete respectively.
Step 6 Click Save.
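How a snooped mDNS advertisement can be matched against the Master Services table by its service string, as an added Python example that is not the controller's code: it decodes PTR answers from a raw mDNS response and bounds the DNS name-compression pointers so a malformed packet cannot loop the parser. The function names, the pointer-hop limit, and the sample response are assumptions constructed for illustration.

```python
import struct

MASTER_SERVICES = {"_airplay._tcp.local.": "AppleTV"}  # service string from this section
PTR = 12                # DNS record type that maps a service string to an instance
MAX_POINTER_HOPS = 16   # assumed limit on compression pointers followed per name


def read_name(msg: bytes, pos: int):
    """Decode the DNS name at pos; return (name, offset just past it in the record)."""
    labels, resume, hops = [], None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer to another offset
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            resume = resume or pos + 2  # parsing continues after the first pointer
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        if length == 0:
            return ".".join(labels) + ".", (resume or pos + 1)
        if pos + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def snoop_services(msg: bytes) -> list:
    """Return (service, instance) pairs advertised for services in the table."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg)
    if not flags & 0x8000:
        return []  # a query, not an advertisement
    pos = 12
    for _ in range(qdcount):
        _, pos = read_name(msg, pos)
        pos += 4  # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        owner, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if pos + rdlength > len(msg):
            raise ValueError("RDATA runs past end of message")
        service = MASTER_SERVICES.get(owner.lower())
        if rtype == PTR and service:
            instance, _ = read_name(msg, pos)
            found.append((service, instance))
        pos += rdlength
    return found


# Constructed mDNS response: one PTR answer whose RDATA points back to the owner name at offset 12.
SAMPLE_RESPONSE = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + b"\x08_airplay\x04_tcp\x05local\x00"
                   + struct.pack("!HHIH", PTR, 0x8001, 120, 13) + b"\x0aLivingRoom\xc0\x0c")
```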
Configuring mDNS Policies
By default, the controller creates an access policy, default-mdns-policy, which cannot be deleted. This is displayed with the Group Name and Description. Select the policy to view its Service Group details.
Click Save after editing the fields.
Configuring Application Visibility and Control Parameters
Application Visibility and Control (AVC) uses the Network Based Application Recognition (NBAR) deep packet inspection technology to classify applications based on the protocol they use. Using AVC, the controller can detect more than 1400 Layer 4 to Layer 7 protocols. AVC enables you to perform real-time analysis and create policies to reduce network congestion, expensive network link usage, and infrastructure upgrades.
AVC is supported only on the Cisco 2500 and 5500 Series Controllers, and Cisco Flex 7500 and Cisco 8500 Series Controllers.
Configuring AVC Profiles
To configure the AVC profile, follow these steps:
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Choose Services > Application Visibility And Control > AVC Profile from the left sidebar menu.
Step 4 Click the AVC Profile Name that you want to configure.
Step 5 To create AVC rules, click Add.
Step 6 Configure the following parameters:
- Application Name—Name of the application.
- Application Group Name—Name of the application group to which the application belongs.
- Action—Drop-down list from which you can choose the following:
– Drop—Drops the upstream and downstream packets corresponding to the chosen application.
– Mark—Marks the upstream and downstream packets corresponding to the chosen application with the DSCP value that you specify in the Differentiated Services Code Point (DSCP) drop-down list. The DSCP value helps you provide differentiated services based on the QoS levels.
– Rate Limit—If you select Rate Limit as an action, you can specify Average Rate Limit per client and Burst data rate limit. The number of rate limit applications is limited to 3.
The default action is to permit all applications.
- DSCP—Packet header code that is used to define quality of service across the Internet. The DSCP values are mapped to the following QoS levels:
– Platinum (Voice)—Assures a high QoS for Voice over Wireless.
– Gold (Video)—Supports the high-quality video applications.
– Silver (Best Effort)—Supports the normal bandwidth for clients.
– Bronze (Background)—Provides lowest bandwidth for guest services.
– Custom—Specify the DSCP value. The range is from 0 to 63.
- DSCP Value—This value can be entered only when Custom is chosen from the DSCP drop-down list.
- Avg. Rate Limit (in Kbps)—If you select Rate Limit as an action, you can specify Average Rate Limit per client which is the average bandwidth limit of that application.
- Burst Rate Limit (in Kbps)—If you select Rate Limit as an action, you can specify Burst Rate limit which is the peak limit of that application.
Step 7 Click Save.
Configuring NetFlow
NetFlow is a protocol that provides valuable information about network users and applications, peak usage times, and traffic routing by collecting IP traffic information from network devices. The NetFlow architecture consists of the following components:
- Collector—An entity that collects all the IP traffic information from various network elements.
- Exporter—A network entity that exports the template with the IP traffic information. The controller acts as an exporter.
Configuring NetFlow Monitor
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Choose NetFlow > Monitor from the left sidebar menu.
Step 4 Configure the following parameters:
- Monitor Name—Name of the NetFlow monitor. The monitor name can be up to 127 case-sensitive alphanumeric characters. You can configure only one monitor in the controller.
- Record Name—Name of the NetFlow record. A NetFlow record in the controller contains the following information about the traffic in a given flow:
– Client MAC address
– Client Source IP address
– WLAN ID
– Application ID
– Incoming bytes of data
– Outgoing bytes of data
– Incoming Packets
– Outgoing Packets
– Incoming DSCP
– Outgoing DSCP
– Name of last AP
Step 5 Exporter Name—Name of the exporter. You can configure only one monitor in the controller.
Step 6 Exporter IP—IP address of the collector.
Step 7 Port Number—UDP port through which the NetFlow record is exported from the controller.
Step 8 Click Save.
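What the collector listening on the configured UDP port has to handle, as an added Python example that is not Cisco code: a parser for one export datagram that learns the record layout from the template, bounds-checks every length, and rejects datagrams from any sender other than the expected exporter. It assumes NetFlow version 9 framing, which this page does not state; the field types in the sample template, the addresses, and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct

# Standard NetFlow v9 field types: 1 IN_BYTES, 8 IPV4_SRC_ADDR, 23 OUT_BYTES,
# 56 IN_SRC_MAC. Assumption: the controller's own template may use other types.
FIELD_NAMES = {1: "in_bytes", 8: "client_ip", 23: "out_bytes", 56: "client_mac"}


def decode_field(ftype: int, raw: bytes):
    if ftype == 8 and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if ftype == 56:
        return raw.hex(":")
    return int.from_bytes(raw, "big")


def parse_v9(datagram: bytes, sender: str, expected_sender: str, templates: dict) -> list:
    """Decode one export datagram into flow records; templates persists across calls."""
    if sender != expected_sender:
        raise ValueError("datagram is not from the configured exporter")
    if len(datagram) < 20:
        raise ValueError("truncated header")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", datagram)
    if version != 9:
        raise ValueError("not a NetFlow v9 datagram")
    records, pos = [], 20
    while pos + 4 <= len(datagram):
        set_id, set_len = struct.unpack_from("!HH", datagram, pos)
        if set_len < 4 or pos + set_len > len(datagram):
            raise ValueError("flowset length out of bounds")
        body = datagram[pos + 4:pos + set_len]
        if set_id == 0:  # template flowset: learn the record layout
            i = 0
            while i + 4 <= len(body):
                template_id, nfields = struct.unpack_from("!HH", body, i)
                if i + 4 + 4 * nfields > len(body):
                    raise ValueError("template runs past its flowset")
                fields = [struct.unpack_from("!HH", body, i + 4 + 4 * k) for k in range(nfields)]
                templates[(source_id, template_id)] = fields
                i += 4 + 4 * nfields
        elif set_id >= 256 and (source_id, set_id) in templates:
            fields = templates[(source_id, set_id)]
            size, i = sum(flen for _, flen in fields), 0
            while size and i + size <= len(body):  # trailing bytes are padding
                record = {}
                for ftype, flen in fields:
                    record[FIELD_NAMES.get(ftype, f"type_{ftype}")] = decode_field(ftype, body[i:i + flen])
                    i += flen
                records.append(record)
        pos += set_len
    return records


def build_sample() -> bytes:
    """Constructed datagram: one template (ID 256) and one data record."""
    header = struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 7)
    template = struct.pack("!HHHH", 0, 24, 256, 4) + struct.pack("!8H", 56, 6, 8, 4, 1, 4, 23, 4)
    record = bytes.fromhex("020000000001") + bytes([192, 0, 2, 10]) + struct.pack("!II", 1500, 42000)
    data = struct.pack("!HH", 256, 24) + record + b"\x00\x00"  # padded to a 4-byte boundary
    return header + template + data


if __name__ == "__main__":
    print(parse_v9(build_sample(), "198.51.100.5", "198.51.100.5", {}))
```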
Configuring NetFlow Exporter
Step 1 Choose Configuration > Network > Network Devices, then from the Device Groups menu on the left, select Device Type > Wireless Controller.
Step 2 Click the device name of the applicable controller.
Step 3 Choose NetFlow > Exporter from the left sidebar menu.
Step 4 Configure the following parameters:
- Exporter Name—Name of the exporter.
- Exporter IP—IP address of the exporter.
- Port Number—The UDP port through which the NetFlow record is exported.