Cisco Prime Infrastructure 3.0 User Guide

Creating Features and Technologies Templates

Features and Technologies templates are templates that are based on device configuration and that focus on specific features or technologies in a device’s configuration.

When you add a device to Prime Infrastructure, Prime Infrastructure gathers the device configuration for the model you added. Prime Infrastructure does not support every configurable option for all device types. If Prime Infrastructure does not have a Features and Technologies template for the specific feature or parameter that you want to configure, create a CLI template.

Features and Technologies templates simplify the deployment of configuration changes. For example, you can create an SNMP Features and Technologies template and then quickly apply it to devices you specify. You can also add this SNMP template to a composite template. Then later, when you update the SNMP template, the composite template in which the SNMP template is contained automatically has your latest changes.

To create a Features and Technologies template, follow these steps:

Step 1 Choose Configuration > Templates > Features and Technologies .

Step 2 In the Features and Technologies menu on the left, choose a template type to create.

Step 3 Complete the fields for that template.

If you are creating a feature template that applies only to a particular device type, the Device Type field lists only the applicable device type, and you cannot change the selection. Specifying a device type helps you to prevent a mismatch; that is, you cannot create a configuration and apply the configuration to a wrong device.

Step 4 Click Save as New Template. After you save the template, apply it to your devices.

Step 5 To verify the status of a template deployment, choose Administration > Dashboard > Jobs Dashboard .

Step 6 To modify the deployment parameters for any subsequent configuration template deployments, select a configuration job, then click Edit Schedule .

Related Topics

• Creating Composite Templates
• Creating CLI Configuration Templates
• Creating Features and Technologies Templates

Example: Creating an ACL Template

To create an ACL template, follow these steps:

Step 1 Choose Configuration > Templates > Features and Technologies > Security > ACL .

Step 2 Enter the mandatory fields.

Step 3 In the Template Detail, click Add Row .

Step 4 Enter the ACL details, then click Save as New Template .

Step 5 Click the arrow to expand the ACL, then click Add Row to provide additional details about the ACL such as the action, source IP address, and wildcard mask.

Step 6 Click Save .

Step 7 After you save the template, you can specify devices, values, and scheduling information to tailor your deployment.

Related Topics

• Creating Features and Technologies Templates

Creating CLI Templates

CLI templates are a set of re-usable device configuration commands with the ability to parameterize select elements of the configuration as well as add control logic statements. This template is used to generate a device deployable configuration by replacing the parameterized elements (variables) with actual values and evaluating the control logic statements.

To view the list of system CLI templates, choose Configuration > Templates > Features and Technologies > CLI Templates > System Templates - CLI . You cannot delete a System Template, but you can modify and save it as a new template. In this page, you can import or export any template. You cannot import a template under the system defined folder. The Undeploy button is disabled in this page since the CLI templates do not have an option undeploy them.

Prerequisites for Creating CLI Templates

Before you create a CLI template, you must:

• Have expert knowledge and understanding of the CLI and be able to write the CLI in Apache VTL. For more information about Apache Velocity Template Language, see http://velocity.apache.org/engine/devel/vtl-reference-guide.html .
• Understand to what devices the CLI you create can be applied.
• Understand the data types supported by Prime Infrastructure.
• Understand and be able to manually label configurations in the template.
• To know how to use variables and data types, see the Variables and Data Types.

Creating CLI Configuration Templates

Use templates to define device parameters and settings, which you can later to a specified number of devices based on device type.

Before You Begin

Make sure that you have satisfied the prerequisites (see Prerequisites for Creating CLI Templates).

Step 1 Choose Configuration > Templates > Features and Technologies .

Step 2 Expand the CLI Templates folder, then click CLI.

Step 3 Enter the required information.

a. In the OS Version field, you can specify an OS image version so that you can filter out devices older than the one that you specified.

a. In the Template Detail section, click the Manage Variables icon (above the CLI Content field).

This allows you to specify a variable for which you will define a value when you apply the template.

b. Click Add Row and enter the parameters for the new variable (see the Variables and Data Types), then click Save .

c. Enter the CLI information. In the CLI field, you must enter code using Apache VTL (see http://velocity.apache.org/engine/devel/vtl-reference-guide.html) . For more information about different CLI command formats, see:

– Adding Multi-line Commands

– Adding Enable Mode Commands

– Adding Interactive Commands

d. (Optional) To change the variables, click the Manage Variables icon, and then make your changes (see the Variables and Data Types). Click Form View (a read-only view) to view the variables.

Step 4 Click Save As New Template , specify the folder in which you want to save the template, then click Save .

To duplicate a CLI template, expand the System Templates - CLI , hover your mouse cursor over the quick view picker icon next to CLI, and then click Duplicate .

Variables and Data Types

You can use variables as placeholders to store values. The variables have names and data types. Table 20-1 lists data types that you can configure in the Manage Variables page.

Managing Database Variables in CLI Templates

You can use database (DB) variables for the following reasons:

• DB variables are one of the data types in CLI templates. You can use the DB variables to generate device-specific commands.
• DB variables are predefined variables. To view the list of predefined DB variables, see the CLITemplateDbVariablesQuery.properties file in the following folder
  /opt/CSCOlumos/conf/ifm/template/inventoryTagsInTemplate.
• For example, SysObjectID, IPAddress, ProductSeries, ImageVersion are DB variables.When a device is added to Prime Infrastructure, the complete details of the device is collected in the DB variables. That is, the OID of the devices is collected in SysObjeectID, product series in ProductSeries, image versions of the device in ImageVersion, and so on.
• Using the data collected by the DB variables, accurate commands can be generated to the device.
• You can select the DB variable in the Type field (using the Managed Variables page). Expand the name field and fill in the default value field with any of the DB variables which you want to use.
• When a device is discovered and added to Prime Infrastructure, you can use the database values that were gathered during the inventory collection to create CLI templates.

For example, if you want to create a CLI template to shut down all interfaces in a branch, create a CLI template that contains the following commands:

where $interfaceNameList is the database variable type whose value will be retrieved from the database. $interfaceNameList has a default value of IntfName. You need to create the interfaceNameList variable as DB data type (using the managed variable dialog box) and add set the default to IntfName. If you have not specified a default value, you can specify it when you apply the CLI template.

To populate interfaceNameList with the value from the database, you must create a properties file to capture the query string and save it in the /opt/CSCOlumos/conf/ifm/template/inventoryTagsInTemplate folder.

To view the predefined DB variables go to the following path:
cd /opt/CSCOlumos/conf/ifm/template/inventoryTagsInTemplate

After you create and apply the CLI template and the property file, the following CLI is configured on the devices. This output assumes that the device has two interfaces (Gigabitethernet0/1 and Gigabitethernet0/0):

Note While it is possible to create a customized query using Enterprise JavaBeans Query Language (EJB QL), only advanced developers should attempt this. We recommend you use the variables defined in the CLITemplateDbVariablesQuery.properties file only.

Using Validation Expression

The values that you define in the Validation Expression are validated with the associated component value. For example, if you enter a default value and a validation expression value in the design flow, this will be validated during the design flow. That is, if the default value does not match with the entered value in the validation expression, you will encounter a get error at the design flow.

Note The validation expression value works only for the string data type field.

Example:

Choose Configuration > Features and Technologies > CLI Templates > CLI > Manage Variables > Add Row. Choose string data type and then expand the row and configure the regular expression, which will not allow a space in that text box.

Enter the following expression in the validating expression field.

Default value (optional)—ncs

The value should match with regular expression in the validation expression field.)

Result:

Save the template, and then select a device. Try to enter a space in the text field. You will encounter a regular expression error.

Adding Multi-line Commands

To enter multi-line commands in the CLI Content area, use the following syntax:

where:

• <MLTCMD> and </MLTCMD> tags are case-sensitive and must be entered as uppercase.
• The multi-line commands must be inserted between the <MLTCMD> and </MLTCMD> tags.
• Do not start this tag with a space.
• Do not use <MLTCMD> and </MLTCMD> in a single line.

Example 1:

Example 2:

where message is a multi-line input variable.

Restrictions for Using Multi-line Banner Commands

You can use “ banner file xyz ”' format as shown in the following example:

Adding Enable Mode Commands

Use this syntax to add enable mode commands to your CLI templates:

Adding Interactive Commands

An interactive command contains the input that must be entered following the execution of a command.

To enter an interactive command in the CLI Content area, use the following syntax:

where <IQ> and <R> tag are case-sensitive and must be entered as uppercase.

For example:

Combining Interactive Enable Mode Commands

Use this syntax to combine interactive Enable Mode commands:

For example:

Adding Interactive Multiline Commands

This is an example of an interactive command that contains multiple lines:

Creating CLI Configuration Templates from Copied Code

A quick way to create CLI configuration templates is to copy code from a command line configuration session, CLI script, or other stored set of configuration commands. Prime Infrastructure lets you turn all the CLI parameters in the copied CLI into template variables.

To create a CLI template variable from copied code:

Step 1 Choose Configuration > Templates > Features and Technologies .

Step 2 Expand the CLI Template folder, then click CLI.

Step 3 In the CLI template, paste the copied code into the CLI Content field.

Step 4 Select the text that is to be the variable name and click Manage Variables (the icon above the CLI Content field).

You can use this same procedure to edit an existing variable created from copied code.

Step 5 Fill out the required information, then click Save > Add .

Step 6 To view the new variable, click Form View .

Exporting a CLI Configuration Template

If you have CLI templates in any other Prime Infrastructure server, you can export them as an XML file and import them into your current Prime Infrastructure server.

Step 1 Choose Configuration > Templates > Features and Technologies .

Step 2 Expand the CLI Template folder, then click System Templates - CLI .

Step 3 Select the template(s) that you want to export.

Step 4 Click the Export icon at the top right of the CLI template page.

Importing a CLI Configuration Template

Step 1 Choose Configuration > Templates > Features and Technologies .

Step 2 Expand the CLI Template folder, then hover your mouse cursor over the quick view picker icon next to CLI.

Step 3 Click Show All Templates .

Step 4 Click the Import icon at the top right of the CLI template page.

Step 5 Click Select Templates to navigate to your file, then click OK .

Exporting CLI Variables

You can export the CLI variables into a CSV file while deploying a CLI configuration template. You can use the CSV file to make necessary changes in the variable configuration and import it into Prime Infrastructure at a later time.

Step 1 Choose Configuration > Templates > Features and Technologies > CLI Templates .

Step 2 Click System Templates - CLI.

Step 3 Select the template whose variables you want to export.

Step 4 Click Deploy .

Step 5 Select devices in Device Selection area.

Step 6 Click the Export icon at the top right of the Value Assignment area.

Step 7 Click OK .

Exporting the variables without any data will export a blank file.

Importing CLI Variables

Step 1 Choose Configuration > Templates > Features and Technologies > CLI Templates .

Step 2 Click System Templates - CLI.

Step 3 Select the template whose variables you want to import.

Step 4 Click the Import icon at the top right of the CLI template page.

Step 5 Click OK .

Example: Updating Passwords Using a CLI Template

You might want to update the password for network devices on a regular basis, once every six months. To make the changes in a rolling fashion, you plan to perform the operation once for two regions every three months.

In this example, there are four custom dynamic groups, one for each region based on the cities in every region: North Region, South Region, East Region, and West Region. You must update the enable password for all of the devices in the north and south region. After this is complete, you plan to set another job to occur for the West and East region devices to occur three months later.

Before You Begin

The devices in these regions must have an assigned location attribute.

Step 1 If the four groups, North Region, South Region, East Region, and West Region, have not been created:

a. Choose Inventory > Device Management > Network Devices , then hover your mouse cursor over User Defined and click Add SubGroup .

b. In the Create Sub-Group area, enter:

– Group Name: North Region

– Group Description: List of devices in the north region

– Filter: Location > Contains > SJC-N

To determine the location of a device, choose Inventory > Device Management > Network Devices > (gear icon) > Columns > Location .

The devices for the new group appear under Device Work Center > User Defined > North.

c. Do the same for south, east, and west regions.

Step 2 To deploy the password template:

a. Choose Configuration > Templates > Features and Technologies > CLI Templates > System Templates-CLI .

b. Select the Enable Password-IOS template and click Deploy .

c. In the Device Selection area, open the User Defined groups and select the North Region and South Region groups.

d. In the Value Selection area, enter and confirm the new enable password, then click Apply .

e. In the Schedule area, enter a name for the job, the date and time to apply the new template (or click Now ), then click OK .

Step 3 After the job has run, choose Administration > Jobs to view the status of the job (see Monitoring Jobs).

Tagging Templates

You can label a set of templates by providing an intuitive name to tag the templates. After you create a tagged template, the template is listed under the My Tags folder. Tagging a configuration template helps you:

• Search a template using the tag name in the search field
• Use the tagged template as a reference to configure more devices

Tagging a New Configuration Template

To tag a new configuration template and publish the tagged template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies .

Step 2 Expand the Features and Technologies folder, choose an appropriate subfolder, and then choose a template type.

Step 3 Complete the required fields, enter a tag name in the Tags field, then click Save as New Template.

Tagging an Existing Template

To tag an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies .

Step 2 In the Features and Technologies menu on the left, expand the My Templates folder and choose the template that you want to update.

Step 3 Click the Tag icon, enter a tag name in the Tag as text box, then click Save.

Associating a Tag With Multiple Templates

You can tag a new tag name or associate an existing tag with multiple templates.

Step 1 Choose Configuration > Templates > Features & Technologies .

Step 2 Click the Tag icon on the navigation toolbar of the Templates column.

Step 3 Enter a tag name in the Tag as field.

Step 4 In the My Templates folder, click the templates that are to be associated with the tag.

To associate all of the templates in the folder with the tag, select the check box next to the My Templates folder.

Step 5 Click Apply.

Interface Roles

Interface roles allow you to define policies to specific interfaces on multiple devices without having to manually define the names of each interface. Interface roles can refer to any of the actual interfaces on the device, including physical interfaces, subinterfaces, and virtual interfaces such as loopback interfaces.

If you create an all-Ethernets interface role, you can define identical advanced settings for every Ethernet interface on the device with a single definition. You add this interface role to a configuration template, then deploy the template to the selected devices to configure the Ethernet interfaces.

Interface roles are especially useful when applying policies to new devices. As long as the devices that you are adding share the same interface naming scheme as existing devices, you can quickly deploy the necessary configuration template containing the interface role to the new devices.

Creating Interface Roles

An interface role allows you to dynamically select a group of interfaces without having to manually define the interfaces on each device. For example, you can use interface roles to define the zones in a zone-based firewall configuration template. You might define an interface role with a naming pattern of DMZ*. When you include this interface role in a template, the configuration is applied to all interfaces whose name begins with “DMZ” on the selected devices. As a result, you can assign a policy that enables anti-spoof checking on all DMZ interfaces to all relevant device interfaces with a single action.

Step 1 Choose Configuration > Templates > Shared Policy Objects.

Step 2 In the Shared Policy Objects pane, choose Shared > Interface Role.

Step 3 From the Interface Role page, click Add Object.

Step 4 From the Add Interface Role page, create matching rules for the interface role.

When you define the zone-based template, for example, all of the interfaces on the device that match the specified rules will become members of the security zone represented by this interface role. You can match interfaces according to their name, description, type, and speed.

Step 5 Click OK to save the configurations.

Creating Network Objects

Network objects are logical collections of IP addresses or subnets that represent networks. Network objects make it easier to manage policies.

There are separate objects for IPv4 and IPv6 addresses; the IPv4 object is called “networks/hosts,” and the IPv6 object is called “network/hosts-IPv6.” Except for the address notation, these objects are functionally identical, and in many instances the name network/host applies to either type of object. Note that specific policies require the selection of one type of object over the other, depending on the type of address expected in the policy.

You can create shared policy objects to be used in the following configuration templates:

• Zone-based firewall templates—See Creating a Zone-Based Firewall
• Application Visibility—See Configuring Application Visibility

Step 1 Choose Configuration > Templates > Shared Policy Objects > Shared > IPv4 Network Object.

Step 2 From the Network Object page, click Add Object and add a group of IP addresses or subnets.

Step 3 Click OK to save the configurations.

Creating a Security Rule Parameter Map

To create and use a set of parameter map objects in the firewall rules, do the following:

Step 1 Choose Configuration > Templates > Shared Policy Objects.

Step 2 In the Shared Policy Objects pane, choose Shared > Security Rule Parameter Map.

Step 3 From the Security Rule Parameter Map page, click Add Object.

Step 4 Specify a name and description for the parameter map that is being created.

Step 5 From the parameters list, select the parameters you want to apply and provide a value for each of them.

Step 6 To specify Device Level Override, choose Device Level Override > Add Device.

Step 7 Select the device you wish to add, and click OK.

Step 8 Click OK to save the configurations.

Creating a Security Service Group

To create and use a set of parameter map objects in the firewall rules, do the following:

Step 1 Choose Configuration > Templates > Shared Policy Objects.

Step 2 In the Shared Policy Objects pane, choose Shared > Security Service.

Step 3 From the Security Service page, click Add Object.

Step 4 Specify a name and description for the service that is being created.

Step 5 Select the service data from the available list. If you select TCP or UDP, provide a list of port numbers or port ranges (separated by comma).

Step 6 To specify Device Level Override, choose Device Level Override > Add Device.

Step 7 Select the device you wish to add, and click OK.

Step 8 Click OK to save the configurations.

Creating a Security Zone

Step 1 Choose Configuration > Templates > Shared Policy Objects.

Step 2 In the Shared Policy Objects pane, choose Shared > Security Zone.

Step 3 From the Security Zone page, click Add Object.

Step 4 Specify a name and description for the security zone that is being created.

Step 5 Specify a set of rules that defines the interfaces that must be attached to the zone.

Step 6 To specify Device Level Override, choose Device Level Override > Add Device.

Step 7 Select the device you wish to add, and click OK.

Step 8 Click OK to save the configurations.

Creating Controller Configuration Groups

To create a configuration group, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups .

Step 2 From the Select a command drop-down list, choose Add Config Group , then click Go .

Step 3 Enter the new configuration group name. It must be unique across all groups.

• If Enable Background Audit is selected, the network and controller audits occur for this configuration group.
• If Enable Enforcement is selected, the templates are automatically applied during the audit if any discrepancies are found.

Step 4 Other templates created in Prime Infrastructure can be assigned to a configuration group. The same WLAN template can be assigned to more than one configuration group. Choose from the following:

• Select and add later—Click to add a template at a later time.
• Copy templates from a controller—Click to copy templates from another controller. Choose a controller from a list of current controllers to copy its applied template to the new configuration group. Only the templates are copied.

Note The order of the templates is important when dealing with radio templates. For example, if the template list includes radio templates that require the radio network to be disabled prior to applying the radio parameters, the template to disable the radio network must be added to the template first.

Step 5 Click Save . The Configuration Groups page appears.

After you create a configuration group, Prime Infrastructure allows you to choose and configure multiple controllers by choosing the template that you want to push to the group of controllers.

• General—Allows you to enable mobility group.

To enable the Background Audit option, set template-based audit in Administration > System > Audit Settings .

• Controllers—For details, see Adding or Removing Controllers from Configuration Groups.
• Country/DCA—For details, see Configuring Multiple Country Codes.
• Templates—Allows you to select the configuration templates that you have already created.
• Apply/Schedule—For details, see Applying or Scheduling Configuration Groups.
• Audit—For details, see Auditing Configuration Groups.
• Reboot—For details, see Rebooting Configuration Groups.
• Report—Allows you to view the most recent report for this group.

Adding or Removing Controllers from Configuration Groups

To add or remove controllers from a configuration group, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups .

Step 2 Click a group name in the Group Name column, then click the Audit tab.

The columns in the table display the IP address of the controller, the configuration group name the controller belongs to, and the mobility group name of the controller.

Step 3 Click to highlight the row of the controller that you want to add to the group, then click Add .

Step 4 To remove a controller from the group, highlight the controller in the Group Controllers area and click Remove .

Step 5 Click the Apply/Schedule tab, click Apply to add or remove the controllers to the configuration groups, then click Save Selection .

Configuring Multiple Country Codes

You can configure one or more countries on a controller. After countries are configured on a controller, the corresponding 802.11a/n DCA channels are available for selection. At least one DCA channel must be selected for the 802.11a/n network. When the country codes are changed, the DCA channels are automatically changed in coordination.

Note 802.11a/n and 802.11b/n networks for controllers and access points must be disabled before configuring a country on a controller. To disable 802.11a/n or 802.11b/n networks, choose Configure > Controllers, select the desired controller that you want to disable, choose 802.11a/n or 802.11b/g/n from the left sidebar menu, and then choose Parameters. The Network Status is the first check box.

To add multiple controllers that are defined in a configuration group and then set the DCA channels, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups .

Step 2 From the Select a command drop-down list, choose Add Config Groups , then click Go .

Step 3 Create a configuration group by entering the group name and mobility group name.

Step 4 Click Save , then click the Controllers tab.

Step 5 Highlight the controllers that you want to add, and click Add . The controller is added to the Group Controllers page.

Step 6 Click the Country/DCA tab. The Country/DCA page appears. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation amongst a set of managed devices connected to the controller.

Step 7 Select the Update Country/DCA check box to display a list of countries from which to choose.

Step 8 Those DCA channels that are currently configured on the controller for the same mobility group are displayed in the Select Country Codes page. The corresponding 802.11a/n and 802.11b/n allowable channels for the chosen country is displayed as well. You can add or delete any channels in the list by selecting or deselecting the channel and clicking Save Selection .

A minimum of 1 and a maximum of 20 countries can be configured for a controller.

Applying or Scheduling Configuration Groups

The scheduling function allows you to schedule a start day and time for provisioning.

To apply the mobility groups, mobility members, and templates to all of the controllers in a configuration group, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups .

Step 2 Click a group name in the Group Name column, then choose the Apply/Schedule tab.

Step 3 Click Apply to start the provisioning of mobility groups, mobility members, and templates to all of the controllers in the configuration group. After you apply, you can leave this page or log out of Prime Infrastructure. The process continues, and you can return later to this page to view a report.

Note Do not perform any other configuration group functions during the provisioning process.

A report is generated and appears in the Recent Apply Report page. It shows which mobility groups, mobility members, or templates were successfully applied to each of the controllers.

Step 4 Enter a starting date in the text box or use the calendar icon to choose a start date.

Step 5 Choose the starting time using the hours and minutes drop-down lists.

Step 6 Click Schedule to start the provisioning at the scheduled time.

Auditing Configuration Groups

The Configuration Groups Audit page allows you to verify if the configuration complies of the controller with the group templates and mobility group. During the audit, you can leave this window or log out of Prime Infrastructure. The process continues, and you can return to this page later to view a report.

Do not perform any other configuration group functions during the audit verification.

To perform a configuration group audit, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups .

Step 2 Click a group name in the Group Name column, then click the Audit tab.

Step 3 Click to highlight a controller on the Controllers tab, choose >> (Add) , and Save Selection .

Step 4 Click to highlight a template on the Templates tab, choose >> (Add) , and Save Selection .

Step 5 Click Audit to begin the auditing process.

A report is generated and the current configuration on each controller is compared with that in the configuration group templates. The report displays the audit status, the number of templates in sync, and the number of templates out of sync.

This audit does not enforce Prime Infrastructure configuration to the device. It only identifies the discrepancies.

Step 6 Click Details to view the Controller Audit report details.

Step 7 Double-click a line item to open the Attribute Differences page. This page displays the attribute, its value in Prime Infrastructure, and its value in the controller.

Step 8 Click Retain Prime Infrastructure Value to push all attributes in the Attribute Differences page to the device.

Step 9 Click Close to return to the Controller Audit Report page.

Rebooting Configuration Groups

Step 1 Choose Configuration > Templates > Controller Configuration Groups .

Step 2 Click a group name in the Group Name column, then click the Reboot tab.

Step 3 Select the Cascade Reboot check box if you want to reboot one controller at a time, waiting for that controller to come up before rebooting the next controller.

Step 4 Click Reboot to reboot all controllers in the configuration group at the same time. During the reboot, you can leave this page or log out of Prime Infrastructure. The process continues, and you can return later to this page and view a report.

The Recent Reboot Report page shows when each controller was rebooted and what the controller status is after the reboot. If Prime Infrastructure is unable to reboot the controller, a failure is shown.

Retrieving Configuration Group Reports

To display all recently applied reports under a specified group name, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups .

Step 2 Click a group name in the Group Name column, then click the Report tab. The Recent Apply Report page displays all recently applied reports including the apply status, the date and time the apply was initiated, and the number of templates. The following information is provided for each individual IP address:

• Apply Status—Indicates success, partial success, failure, or not initiated.
• Successful Templates—Indicates the number of successful templates associated with the applicable IP address.
• Failures—Indicates the number of failures with the provisioning of mobility group, mobility members, and templates to the applicable controller.
• Details—Click Details to view the individual failures and associated error messages.

Step 3 To view the scheduled task reports, click the click here link at the bottom of the page.

Creating Lightweight AP Configuration Templates

To create a template for a lightweight access point, follow these steps:

Step 1 Choose Configuration > Templates > Lightweight Access Points .

Step 2 From the Select a command drop-down list, choose Add Template , then click Go .

Step 3 Enter a name and description for the template and click Save . If you are updating an already existing template, click the applicable template in the Template Name column.

Step 4 Click each of the tabs and complete the required fields. For information about the field descriptions, see the Cisco Prime Infrastructure 3.0 Reference Guide .

Creating Autonomous AP Configuration Templates

To create a template for an autonomous access point, follow these steps:

Step 1 Choose Configuration > Templates > Autonomous Access Points .

Step 2 From the Select a command drop-down list, choose Add Template , then click Go . If you are updating an already existing template, click the applicable template in the Template Name column.

Step 3 Enter a name for the template and the applicable CLI commands.

Note Do not include any show commands in the CLI commands text box. The show commands are not supported.

Creating Controller WLAN Configuration Policy Templates

Use the Policy Configuration Templates page to configure device-based policies on a controller. You can configure policies for a user or a device on the network.

The maximum number of policies that you can configure is 64. Policies are not applied on WLANs and AP groups if AAA override is configured on the controller.

Step 1 Choose Configuration > Templates > Features and Technologies.

Step 2 From the left sidebar menu, choose Features and Technologies > Controller > WLANs > Policy Configuration . The Policy Configuration Template page displays.

Step 3 Complete the following fields:

• Name—Name of the policy template
• Description—Description of the policy template.
• Tags—Search keywords applicable to this template.
• Device Type (validation criteria)—The device product family, series or type used to validate the template (CUWN, for Cisco Unified Wireless Network, is the default).
• Policy Name—Name of the policy.
• Policy Role—The user type or the user group the user belongs to. For example, student, employee.
• EAP Type—EAP authentication method used by the client. The available types are as follows:

– LEAP

– EAP-FAST

– EAP-TLS

– PEAP

• Device Type—Choose the device type to which this policy applies (e.g., Apple Laptop).
• VLAN ID—VLAN associated with the policy.
• IPv4 ACL—Choose an IPv4 ACL for the policy from the list
• QoS—Choose the policy’s Quality of Service level from the list. You can choose one of the follows:

– Platinum (Voice)—Assures a high QoS for Voice over Wireless.

– Gold (Video)—Supports the high-quality video applications.

– Silver (Best Effort)—Supports the normal bandwidth for clients.

– Bronze (Background)— Provides the lowest bandwidth for guest services.

• Session Timeout—Maximum amount of time, in seconds, before a client is forced to re-authenticate. The default value is 0 seconds.
• Sleeping Client Timeout—Maximum amount of time, in hours, before a guest client is forced to re-authenticate. The default value is 12 hours. The range is from 1 to 720 hours.

Step 4 When you are finished, click Save as new template .

Creating Autonomous AP Migration Templates

To make a transition from an autonomous solution to a unified architecture, autonomous access points must be converted to lightweight access points.

After an access point has been converted to lightweight, the previous status or configuration of the access point is not retained.

To create an autonomous AP migration template, follow these steps:

Step 1 Choose Configuration > Autonomous AP Migration .

Step 2 From the Select a command drop-down list, choose Add Template , then click Go . If you are updating an already existing template, click the applicable template in the Template Name column.

Step 3 Complete the required fields. For information about the field descriptions, see the Cisco Prime Infrastructure 3.0 Reference Guide .

Step 4 To view the migration analysis summary, choose Monitor > Tools > Autonomous AP Migration Analysis .

Controller Templates

The controller templates provides access to all Cisco Prime Infrastructure templates from a single page. You can add and apply controller templates, view templates, or make modifications to the existing templates. This section also includes steps for applying and deleting controller templates and creating or changing access point templates.

To access the controller templates, choose Configuration > Templates > Features & Technologies > Controller .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• Creating AP Configuration Templates
• Creating System Templates
• About WLAN Templates
• Creating Security - Access Control Templates
• Creating Security - CPU Access Control List Templates
• Creating Security - Rogue Templates
• Creating 802.11 Templates
• Creating 802.11a/n Radio Templates
• Creating 802.11b/g/n Radio Templates
• Creating Mesh Settings Templates
• Creating Management Templates
• Creating CLI Templates
• Creating Location Configuration Templates
• Creating IPv6 Templates
• Creating Proxy Mobile IPv6 Templates
• Creating mDNS Templates
• Creating AVC Profiles Templates
• Creating NetFlow Templates

Adding Controller Templates

To add a new controller template:

Step 1 Choose Configuration > Features & Technologies > Controller .

Step 2 Select the template you want to add.

Step 3 Enter the template name.

Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.

Step 4 Provide a description of the template.

Step 5 Click Save .

Related Topics

• Deleting Controller Templates
• Applying Controller Templates

Deleting Controller Templates

To delete a controller template:

Step 1 Choose Configuration > Features & Technologies > My Templates .

Step 2 Select the template(s) you want to delete, then click Delete .

Step 3 Click OK to confirm the deletion. If this template is applied to controllers, the Remove Template Confirmation page opens and lists all controllers to which this template is currently applied.

Step 4 Select the check box of each controller from which you want to remove the template.

Step 5 Click OK to confirm the deletion or Cancel to close this page without deleting the template.

Related Topics

• Adding Controller Templates
• Applying Controller Templates

Applying Controller Templates

You can apply a controller template directly to a controller or to controllers in a selected configuration group.

To apply a controller template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller .

Step 2 From the left sidebar menu, choose the category of templates to apply.

Step 3 Click the template name for the template that you want to apply to the controller.

Step 4 Click Apply to Controllers to open the Apply to Controllers page.

Step 5 Select the check box for each controller to which you want to apply the template.

To select all controllers, select the check box that appears at the left most corner of the controllers table.

Select the Ignore errors on Apply template to Controllers check box to ignore errors and apply all commands in the template to the controller. If this check box is not selected, any errors encountered while applying a command in the template to a controller causes the rest of the commands to be not applied.

Step 6 Choose between applying the template directly to a controller or to all controllers in a selected configuration group.

To apply the template directly to a controller (or controllers), follow these steps:

a. Select the Apply to controllers selected directly radio button. The Apply to Controllers page lists the IP address for each available controller along with the controller name and the configuration group name (if applicable).

b. Select the check box for each controller to which you want to apply the template.

Select the Ignore errors on Apply template to Controllers check box to ignore errors and apply all commands in the template to the controller. If this check box is not selected, any errors encountered while applying a command in the template to a controller causes the rest of the commands to be not applied.

To apply the template to all controllers in a selected configuration group, follow these steps:

a. Select the Apply to controllers in the selected Config Groups radio button. The Apply to Controllers page lists the name of each configuration group along with the mobility group name and the number of controllers included.

b. Select the check box for each configuration group to which you want to apply the template.

Configuration groups which have no controllers cannot be selected to apply the templates.

Step 7 You can perform the following additional operations:

• If you select the Save Config to Flash after apply check box, the save config to Flash command is executed after the template is applied successfully.
• If you select the Reboot Controller after apply check box, the controller reboots after the template is successfully applied.

This configuration results can be viewed in the Template Results page by enabling the View Save Config / Reboot Results option.

Step 8 Click Save .

You can apply some templates directly from the Template List page. Select the check box(es) of the template(s) that you want to apply, choose Apply Templates from the Select a command drop-down list, and click Go to open the Apply to Controllers page. Select the check box(es) of the controllers to which you want to apply this template, and click OK .

Related Topics

• Adding Controller Templates
• Applying Controller Templates

Creating System Templates

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System. You can create the following controller system template:

• AP 802.1X Supplicant Credentials
• AP Timers
• AP Username Password
• DHCP
• Dynamic Interface
• General-System
• Global CDP Configuration
• Interface Groups
• Network Time Protocol
• QoS Profiles
• SNMP Community
• Traffic Stream Metrics QoS
• User Roles
• Vlan Group

Related Topics

• Controller > System > General
• Creating General - System Templates
• Creating SNMP Community Controller Templates
• Creating User Roles Controller Templates
• Creating AP Username Password Controller Templates
• Creating DHCP Templates
• Creating Dynamic Interface Templates
• Creating a Traffic Stream Metrics QoS Template

Creating AP 802.1X Supplicant Credentials

You can configure 802.1X authentication between lightweight access points and the switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning. You can set global authentication settings that all access points inherit as they join the controller. All access points that are currently joined to the controller and any that join in the future are included.

If desired, you can override the global authentication settings and assign unique authentication settings for a specific access point.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > AP 802.1X Supplicant Credentials.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create the template.

Step 3 Complete the required fields, then and click Save as New Template.

Related Topics

• Controller > System > AP 802.1X Supplicant Credentials
• Applying Controller Templates

Configuring AP Timers Template

Some advanced timer configuration for FlexConnect and local mode is available for the controller on Prime Infrastructure.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > AP 802.1X Supplicant Credentials.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create
General - System template.

Step 3 Complete the required fields, then and click Save as New Template.

Related Topics

• Controller > System > AP Timers
• Applying Controller Templates

Creating AP Username Password Controller Templates

Create or modify a template for setting an access point username and password. All access points inherit the password as they join the controller and these credentials are used to log into the access point via the console or Telnet/SSH.

The AP Username Password page enables you to set a global password that all access points inherit as they join a controller. When you are adding an access point, you can also choose to accept this global username and password or override it on a per-access point basis. See the to see where the global password is displayed and how it can be overridden on a per-access point basis.

Also, in controller software Release 5.0, after an access point joins the controller, the access point enables console port security and you are prompted for your username and password whenever you log into the access point console port. When you log in, you are in non-privileged mode and you must enter the enable password to use the privileged mode.

To create an AP username password controller template:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > AP Username Password.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a
General - System template.

Step 3 Complete the required fields, then and click Save as New Template.

Related Topics

• Controller > System > AP Username Password
• Creating AP Configuration Templates
• Applying Controller Templates

Creating DHCP Templates

You can enable or disable DHCP proxy on a global basis rather than on a WLAN basis. When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client to the configured servers. At least one DHCP server must be configured on either the interface associated with the WLAN or on the WLAN itself. DHCP proxy is enabled by default.

To create DHCP templates:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > DHCP Templates.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create
General - System template.

Step 3 Complete the required fields, then and click Save as New Template.

Related Topics

• Controller > System > DHCP
• Applying Controller Templates

Creating Dynamic Interface Templates

If you change the interface fields, the WLANs are temporarily disabled, therefore you might lose connectivity for some clients. Any changes to the interface fields are saved only after you successfully apply them to the controller(s).

If you remove an interface here, it is removed only from this template and not from the controllers. Primary and secondary port numbers are present only in the Cisco 4400 Series Wireless LAN controllers.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Dynamic Interface Templates.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create
General - System template.

Step 3 Complete the required fields, then and click Save as New Template.

Related Topics

• Controllers > System > Dynamic Interface
• Applying Controller Templates
• Applying a Dynamic Interface Template to Controllers

Applying a Dynamic Interface Template to Controllers

Changing the Interface fields causes the WLANs to be temporarily disabled and might result in loss of connectivity for some clients.

Interfaces removed from this page are removed only from this template and not from controllers.

To apply a Dynamic Interface template to a controller, follow these steps:

Step 1 In the Dynamic Interface controller template page, click Apply to Controllers .

Step 2 Use the Manage Interfaces options to configure device-specific fields:

• Add—Click Add to open the Add Interface dialog box. Enter an interface name, VLAN identifier, IP address, and gateway. When all fields are entered, click Done .
• Edit—Click Edit to make changes to current interfaces.
• Remove—Click Remove to delete a current interface.

Step 3 Select a check box for each controller to which you want to apply this template.

Step 4 Click Apply . Interface field changes or configurations made on this page are saved only when applied successfully to the controller(s).

Related Topics

• Creating Dynamic Interface Templates

Creating General - System Templates

To add a general-system template or make changes to an existing general template:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > General - System.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create
General - System template.

Step 3 Complete the required fields, then and click Save as New Template.

Related Topics

• Controller > System > General
• Applying Controller Templates

Creating a Global CDP Configuration Template

Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. CDP is enabled on the Ethernet and radio ports of the bridge by default.

CDP for Ethernet Interfaces fields are supported for Controller Release 7.0.110.2 and later.

The Global Interface CDP configuration is applied only to the APs for which the CDP is enabled at AP level.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Global CDP Configuration.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create
General - System template.

Complete the required fields, then and click Save as New Template.

Related Topics

• Controller > System > Global CDP Configuration
• Applying Controller Templates

Creating an Interface Group Template

The interface group template page allows you to select list of interfaces and form a group. You cannot create interfaces using this page.

The Interface Groups feature is supported by controller software release 7.0.116.0 and later.

To configure an interface group template:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Interface Group.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create
General - System template.

Step 3 Complete the required fields, then and click Save as New Template.

Related Topics

• Applying Controller Templates

Creating an Network Time Protocol Template

NTP is used to synchronize computer clocks on the Internet.

To add an NTP template or make modifications to an existing NTP template:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Network Time Protocol.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create
General - System template.

Step 3 Complete the required fields, then and click Save as New Template.

Related Topic

• Applying Controller Templates

Creating QoS Profiles Templates

The Air QoS configurations are applicable for controller Release 7.0 and earlier.

To modify the quality of service (QoS) profiles:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > QoS Profiles.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create
QoS profiles template.

Step 3 Complete the required fields, then and click Save as New Template.

Related Topics

• Controller > System > QoS Profiles Template
• Applying Controller Templates

Creating SNMP Community Controller Templates

Create or modify a template for configuring SNMP communities on controllers. Communities can have read-only or read-write privileges using SNMP v1, v2, or v3.

When setting up SNMP communities on the WLC (Wireless LAN Controller), you are given an option to specify IP address and subnet. The default is 0.0.0.0 for both, which allows open SNMP access to any host using the specified community string. If you specify something other than the default of 0.0.0.0, the SNMP access is limited to the settings specified for IP address and Subnet Mask. A subnet of 255.255.255.255 limits to the specific host ID specified in the IP address.

If the Access Mode option is configured as Read Only, then Prime Infrastructure has only read access to the controller after applying this template.

To create a new template with SNMP community information for a controller:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > SNMP Community.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create SNMP community template.

Step 3 Complete the required fields, then and click Save as New Template.

The template appears in the Template List page. In the Template List page, you can apply this template to controllers. If a template is applied successfully and the Update Discover Community option is enabled, then the applied community name is updated in Prime Infrastructure database for that applied controller. Also, Prime Infrastructure uses that community name for further communication with the controller.

Related Topics

• Controller > System > SNMP Community
• Applying Controller Templates

Creating a Traffic Stream Metrics QoS Template

Traffic stream metrics are a series of statistics about VoIP over your wireless LAN and informs you of the QoS of the wireless LAN. These statistics are different than the end-to-end statistics provided by VoIP systems. End-to-end statistics provide information on packet loss and latency covering all the links comprising the call path. However, traffic stream metrics are statistics for only the WLAN segment of the call. Because of this, system administrators can quickly determine whether audio problems are being caused by the WLAN or by other network elements participating in a call. By observing which access points have impaired QoS, system administrators can quickly determine the physical area where the problem is occurring. This is important when lack of radio coverage or excessive interference is the root problem.

Four QoS values (packet latency, packet jitter, packet loss, and roaming time), which can affect the audio quality of voice calls, are monitored. All the wireless LAN components participate in this process. Access points and clients measure the metrics, access points collect the measurements and then send them to the controller. The access points update the controller with traffic stream metric information every 90 seconds, and 10 minutes of data is stored at one time. Prime Infrastructure queries the controller for the metrics and displays them in the Traffic Stream Metrics QoS Status. These metrics are compared to threshold values to determine their status level and if any of the statistics are displaying a status level of fair (yellow) or degraded (red), the administrator investigates the QoS of the wireless LAN.

For the access points to collect measurement values, traffic stream metrics must be enabled on the controller.

To configure a Traffic Stream Metrics QoS template:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Traffic Stream Metrics QoS.

The Traffic Stream Metrics QoS Controller Configuration page shows several QoS values. An administrator can monitor voice and video quality of the following:

• Upstream delay
• Upstream packet loss rate
• Roaming time
• Downstream packet loss rate
• Downstream delay

Packet Loss Rate (PLR) affects the intelligibility of voice. Packet delay can affect both the intelligibility and conversational quality of the connection. Excessive roaming time produces undesired gaps in audio.

There are three levels of measurement:

• Normal: Normal QoS (green)
• Fair: Fair QoS (yellow)
• Degraded: Degraded QoS (red)

System administrators should employ some judgment when setting the green, yellow, and red alarm levels. Some factors to consider are:

• Environmental factors including interference and radio coverage which can affect PLR.
• End-user expectations and system administrator requirements for audio quality on mobile devices (lower audio quality can permit greater PLR).
• Different codec types used by the phones have different tolerance for packet loss.
• Not all calls are mobile-to-mobile; therefore, some have less stringent PLR requirements for the wireless LAN.

Related Topics

• Controller > System > Traffic Stream Metrics QoS
• Applying Controller Templates

Creating User Roles Controller Templates

This section describes how to create or modify a template for configuring user roles. User roles determine how much bandwidth the network can use. Four QoS levels (Platinum, Bronze, Gold, and Silver) are available for the bandwidth distribution to Guest Users. Guest Users are associated with predefined roles (Contractor, Customer, Partner, Vendor, Visitor, Other) with respective bandwidth configured by the Admin. These roles can be applied when adding a new Guest User.

To add a new template with User Roles information for a controller:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > User Roles.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create user Roles template.

Step 3 Complete the required fields, then and click Save as New Template.

Related Topics

• Controller > System > User Roles
• Applying Controller Templates
• Creating Guest User Templates

About WLAN Templates

WLAN templates allow you to define various WLAN profiles for application to different controllers.

You can configure multiple WLANs with the same SSID. This feature enables you to assign different Layer 2 security policies within the same wireless LAN. Unlike previous release where profile name was used as the unique identifier, the template name is now the unique identifier with software release 5.1.

These restrictions apply when configuring multiple WLANs with the same SSID:

• WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes. These are the available Layer 2 security policies:

– None (open WLAN)

– Static WEP or 802.1

– CKIP

– WPA/WPA2

• Broadcast SSID must be enabled on the WLANs that share an SSID so that the access points can generate probe responses for these WLANs.
• FlexConnect access points do not support multiple SSIDs.

Related Topics

• About WLAN Templates
• Creating WLAN AP Groups Templates

Creating WLAN Configuration Templates

To add a WLAN configuration template or make modifications to an existing WLAN template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > WLAN Configuration.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New.

Step 3 Complete the required fields in the General, Security, QoS, Advanced, HotSpot, Policy Mappings tabs, and then click Save as New Template.

Related Topic

• Controller > WLANs > WLAN Configuration

Client Profiling

When a client tries to associate with a WLAN, it is possible to determine the client type from the information received in the process. The controller acts as the collector of the information and sends the ISE with the required data in an optimal form.

Follow these guidelines when configuring client profiling:

By default, client profiling will be disabled on all WLANs.

• Client profiling is supported on access points that are in Local mode and FlexConnect mode.
• Profiling is not supported for clients in the following scenarios:

– Clients associating with FlexConnect mode APs in Standalone mode.

– Clients associating with FlexConnect mode APs when local authentication is done with local switching is enabled.

• Both DHCP Proxy and DHCP Bridging mode on the controller are supported.
• Accounting Server configuration on the WLAN must be pointing at an ISE running 1.1 MnR or later releases. Cisco ACS does not support client profiling.
• The type of DHCP server used does not affect client profiling.
• If the DHCP_REQUEST packet contains a string that is found in the Profiled Devices list of the ISE, then the client will be profiled automatically.
• The client is identified based on the MAC address sent in the Accounting request packet.
• Only MAC address should be sent as calling station ID in accounting packets when profiling is enabled.
• With profiling enabled for local switching FlexConnect mode APs, only VLAN override is supported as an AAA override attribute.

Related Topics

• Client Profiling
• Controller >WLANs > WLAN Configuration > Advanced

Configuring Client Profiling

To configure client profiling, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > WLAN Configuration.

Step 2 Click the Advanced tab.

Step 3 Select the DHCP Profiling check box to enable DHCP profiling.

Step 4 Select the HTTP Profiling check box to enable HTTP profiling.

HTTP client profiling is supported since controller Version 7.3.1.31.

Step 5 Click Save .

Related Topics

• Client Profiling
• Creating WLAN Configuration Templates

Configuring Mobile Concierge (802.11u)

Mobile Concierge is a solution that enables 802.1X capable clients to interwork with external networks. The Mobile Concierge feature provides service availability information to clients and can help them to associate available networks.

The services offered by the network can be broadly classified into two protocols:

• 802.11u MSAP
• 802.11u HotSpot 2.0

The following guidelines and limitations apply to Mobile Concierge:

• Mobile Concierge is not supported on FlexConnect Access Points.
• 802.11u configuration upload is not supported. If you perform a configuration upgrade and upload a configuration on the controller, the HotSpot configuration on the WLANs is lost.

To configure Mobile Concierge (802.11u) Groups:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > WLAN Configuration.

Step 2 Click the Hot Spot tab.

Step 3 On the General tab, configure the following fields:

• Select the 802.11u Status check box to enable 802.11u on the WLAN.
• Select the Internet Access check box to enable this WLAN to provide Internet services.
• From the Network Type drop-down list, choose the network type that best describes the 802.11u you want to configure on this WLAN. The following options are available:

– Private Network

– Private Network with Guest Access

– Chargeable Public Network

– Free Public Network

– Emergency Services Only Network

– Personal Device Network

– Test or Experimental

– Wildcard

• Choose the authentication type that you want to configure for the 802.11u parameters on this network:

– Not configured

– Acceptance of Terms and Conditions

– Online Enrollment

– HTTP/HTTPS Redirection

• In the HESSID field, enter the Homogeneous Extended Service Set Identifier value. The HESSID is a 6-octet MAC address that identifies the homogeneous ESS.

Step 4 On the Others tab, configure the following fields:

• In the OUI List group box, enter the following details:

– OUI name

– Is Beacon

– OUI Index

Click Add to add the OUI (Organizationally Unique Identifier) entry to this WLAN.

• In the Domain List group box, enter the following details:

– Domain Name—The domain name operating in the 802.11 access network.

– Domain Index—Choose the domain index from the drop-down list.

Click Add to add the domain entry to this WLAN.

Step 5 On the Realm tab, configure the following fields:

• In the OUI List section, enter the following details:

– Realm Name—The realm name.

– Realm Index—The realm index.

Click Add to add the domain entry to this WLAN.

Step 6 On the Service Advertisement tab, configure the following fields:

• Select the MSAP Enable check box to enable service advertisements.
• If you enabled MSAP in the previous step, you must provide a server index. Enter the server index for this WLAN. The server index field uniquely identifies an MSAP server instance serving a venue that is reachable through the BSSID.

MSAP (Mobility Services Advertisement Protocol) is designed to be used primarily by mobile devices that are configured with a set of policies for establishing network services. These services are available for devices that offer higher-layer services, or network services that are enabled through service providers. Service advertisements use MSAP to provide services to mobile devices prior to association to a Wi-Fi access network. This information is conveyed in a service advertisement. A single-mode or dual-mode mobile device queries the network for service advertisements before association. The device's network discovery and the selection function may use the service advertisements in its decision to join the network.

Step 7 On the HotSpot 2.0 tab, configure the following fields:

• Choose the Enable option from the HotSpot2 Enable drop-down list.
• In the WAM Metrics group box, specify the following:

– WAN Link Status—The link status. The valid range is 1 to 3.

– WAN SIM Link Status—The symmetric link status. For example, you can configure the uplink and downlink to have different speeds or same speeds.

– Down Link Speed—The downlink speed. The maximum value is 4,194,304 kbps.

– Up Link Speed—The uplink speed. The maximum value is 4,194,304 kbps.

• In the Operator Name List group box, specify the following:

– Operator Name—Specify the name of the 802.11 operator.

– Operator Index—Select an operator index. The range is from 1 to 32.

– Language Code—An ISO-14962-1997 encoded string defining the language. This string is a three character language code.

Click Add to add the operator details. The operator details are displayed in a tabular form.

• In the Port Config List, specify the following:

– IP Protocol—The IP protocol that you want to enable. The following options are ESP, FTP, ICMP, and IKEV2.

– Port No—The port number that is enabled on this WLAN.

– Status—The status of the port.

Step 8 Click Save .

Related Topics

• About WLAN Templates
• Controller > WLANs > WLAN Configuration

Creating WLAN AP Groups Templates

Site-specific VLANs or AP groups limit the broadcast domains to a minimum by segmenting a WLAN into different broadcast domains. Benefits include more effective management of load balancing and bandwidth allocation.

To configure WLAN AP Groups, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > AP Groups.

The WLAN > AP Groups page appears, and the number of controllers and virtual domains that the template is applied to automatically populates. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 2 If you want to add a new template, choose Add Template from the Select a command drop-down list, and click Go . To modify an existing template, click the template name. The AP Groups template page appears.

This page displays a summary of the AP groups configured on your network. In this page, you can add, remove, edit, or view details of an AP group. Click in the Edit column to edit its access point(s). Select the check box in the WLAN Profile Name column, and click Remove to delete WLAN profiles.

The maximum characters that you can enter in the Description text box is 256.

Related Topics

• About WLAN Templates

Adding Access Point Groups

• AP Groups (for controllers Release 5.2 and later) are referred to as AP Group VLANs for controllers prior to 5.2.
• To display all available WLAN profile names, delete the current WLAN profile name from the text box. When the current WLAN profile name is deleted from the text box, all available WLAN profiles appear in the drop-down list.
• Each access point is limited to 16 WLAN profiles. Each access point broadcasts all WLAN profiles unless the WLAN override feature is enabled. The WLAN override feature allows you to disable any of the 16 WLAN profiles per access point.
• The WLAN override feature applies only to older controllers that do not support the 512 WLAN feature (can support up to 512 WLAN profiles).

You can create or modify a template for dividing the WLAN profiles into AP groups.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > AP Groups.

Step 2 Choose Add Template from the Select a command drop-down list, and click Go .

Step 3 Enter a name and group description for the access point group. The group description is optional.

Step 4 If you want to add a WLAN profile, click the WLAN Profiles tab and configure the following fields:

a. Click Add .

b. Type a WLAN profile name or choose one from the WLAN Profile Name drop-down list.

c. Enter an interface/interface group or choose one from the Interface/Interface Group drop-down list.

To display all available interfaces, delete the current interface from the Interface text box. When the current interface is deleted from the Interface text box, all available interfaces appear in the drop-down list.

d. Select the NAC Override check box, if applicable. The NAC override feature is disabled by default.

e. Specify the policy configuration parameters by clicking the Add/Edit link.

– Policy Name—Name of the policy.

– Policy Priority—Configure policy priority between 1 and 16. No two policies can have same priority. Only 16 Policy mappings are allowed per WLAN. Selected policy template for the mapping will be applied first if it does not exist on the controller.

f. When access points and WLAN profiles are added, click Save .

Step 5 If you want to add a RF profile, click the RF Profiles tab, and configure the following fields:

• 802.11a—Drop-down list from which you can choose an RF profile for APs with 802.11a radios.
• 802.11b—Drop-down list from which you can choose an RF profile for APs with 802.11b radios.
• When RF profiles are added, click Save .

Related Topics

• About WLAN Templates
• Creating RF Profiles Templates (802.11)

Deleting Access Point Groups

To delete an access point group, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies.

Step 2 Choose Controller > WLANs > AP Groups from the left sidebar menu.

Step 3 Click Remove .

Related Topics

• About WLAN Templates
• Creating WLAN AP Groups Templates
• Adding Access Point Groups

Creating Policy Configuration Templates

The Policy Configuration Templates page enables you to configure the device-based policies on the controller. You can configure policies for a user or a device on the network. The maximum number of policies that you can configure is 64. Policies are not applied on WLANs and AP groups if AAA override is configured on the controller.

To configure Policy Configuration templates:

Step 1 Choose Configuration > Templates > Features &Technologies > Controller > WLANs > Policy Configuration .

Step 2 If you want to add a new template, choose Add Template from the Select a command drop-down list, and click Go .

Step 3 Configure the required fields.

Step 4 Click Save as New Template.

Creating FlexConnect Templates

FlexConnect enables you to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. There is no deployment restriction on the number of FlexConnect access points per location, but you can organize and group the access points per floor and limit them to 25 or so per building, because it is likely the branch offices share the same configuration.

Related Topics

• Creating FlexConnect AP Groups Templates
• Adding FlexConnect Users to FlexConnect AP Groups Templates

Creating FlexConnect AP Groups Templates

To set up a FlexConnect AP group, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller .

Step 2 Choose FlexConnect > FlexConnect AP Groups from the left sidebar menu.

Step 3 Hover the mouse on FlexConnect AP Groups and select Show All Templates. It displays the primary and secondary RADIUS, as well as the number of controllers and virtual domains that the template is applied to, which automatically populates. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names. To modify an existing template, click the template name.

Step 4 If you want to add a new template, hover the mouse on FlexConnect AP Groups and select New or select FlexConnect AP Groups. The General tab of the FlexConnect AP Groups page appears.

Step 5 The Template Name shows the group name assigned to the FlexConnect access point group.

Step 6 Choose the primary RADIUS authentication servers for each group. You can also configure local RADIUS servers on the flexconnect group (at a site-level) which are not present on the controller. The FlexConnect groups support up to 100 RADIUS servers per group.

Step 7 Choose the secondary RADIUS authentication servers for each group. You can also configure local RADIUS servers on the flexconnect group (at a site-level) which are not present on the controller. The FlexConnect groups support up to 100 RADIUS servers per group.

Step 8 If you want to add an access point to the group, click the FlexConnect AP tab.

Step 9 An access point Ethernet MAC address cannot exist in more than one FlexConnect group on the same controller. If more than one group is applied to the same controller, select the Ethernet MAC check box to unselect an access point from one of the groups. You should save this change or apply it to controllers.

Step 10 Click Add AP . Select the applicable check boxes and click Add.

Step 11 Click the Local Authentication tab to enable local authentication for a FlexConnect group. Ensure that the Primary RADIUS Server and Secondary RADIUS Server fields are set to None on the General tab to perform this action.

Step 12 Select the FlexConnect Local Authentication check box to enable local authentication for this FlexConnect group. Enabling this potion enables EAP-TLS Authentication.

Step 13 Select the EAP-TLS Authentication check box to enable EAP-TLS certificate download.

Step 14 To allow a FlexConnect access point to authenticate clients using LEAP, select the LEAP Authentication check box. Otherwise, to allow a FlexConnect access point to authenticate clients using EAP-FAST, select the EAP-FAST Authentication check box.

Step 15 Perform one of the following, depending on how you want Protected Access Credentials (PACs) to be provisioned:

• To use manual PAC provisioning, enter the key used to encrypt and decrypt PACs in the EAP-FAST Key and Confirm EAP-FAST Key text boxes. The key must be 32 hexadecimal characters.
• To allow PACs to be sent automatically to clients that do not have one during PAC provisioning, select the Auto key generation check box.

The following EAP-FAST options are available only if you select the EAP-FAST check box in Step 14.

Step 16 In the EAP-FAST Key text box, enter the authority identifier of the EAP-FAST server. The identifier must be 32 hexadecimal characters.

Step 17 In the EAP-FAST Authority ID text box, enter the authority identifier of the EAP-FAST server in text format. You can enter up to 32 hexadecimal characters.

Step 18 In the EAP-FAST Authority Info text box, enter the authority information of the EAP-FAST server.

Step 19 In the EAP-FAST PAC Timeout text box, specify a PAC timeout value by entering the number of seconds for the PAC to remain viable in the edit box. The valid range is 2 to 4095 seconds.

Step 20 To allow a FlexConnect access point to authenticate clients using PEAP, select the PEAP Authentication check box.

Step 21 Click the Image Upgrade tab and configure the following:

• FlexConnect AP Upgrade—Select the check box if you want to upgrade the FlexConnect access points.
• Slave Maximum Retry Count—Enter the maximum retries for the slave to undertake to start the download from the master in the FlexConnect group. This option is available only if you select the FlexConnect AP Upgrade check box.
• You are allowed to add an access point as a master access point only if the FlexConnect AP Upgrade check box is enabled on the General tab. Click Add Master to add an access point as master AP.

Step 22 Click the ACL Mapping tab.

• Click VLAN-ACL Mapping tab to view, add, edit, or remove a VLAN ACL mapping.
• Click the WLAN-ACL Mapping tab to view, add, edit, or remove a WLAN ACL mapping. You can add up to a maximum of 16 WebAuth ACLs.
• Click the Local Split to view, add, edit, or remove a Local Split ACL mapping. Only the FlexConnect central switching WLANs are displayed in the WLAN Profile Name drop-down list.
• Click the Policies tab to view, add, edit, or remove a WebPolicy ACL mapping. You can add up to a maximum of 16 Web-Policy ACLs.
• Click Save.

Step 23 Click the Central DHCP tab to view, add, edit, or remove a Central DHCP processing.

a. Click the Add Row icon.

b. From the WLAN Profile Name drop-down list, choose a WLAN profile. Only the FlexConnect local switching WLANs are displayed in the WLAN Profile Name drop-down list.

c. From the Central DHCP drop-down list, choose Enable or Disable. When you enable this feature, the DHCP packets received from AP are centrally switched to the controller and then forwarded to the corresponding VLAN based on the AP and the SSID.

d. From the Override DNS drop-down list, choose Enable or Disable. You can enable or disable the overriding of the DNS server address on the interface assigned to the locally switched WLAN. When you override DNS in centrally switched WLANs, the clients get their DNS server IP address from the AP, not from the controller.

e. From the NAT-PAT drop-down list, choose Enable or Disable. You can enable or disable Network Address Translation (NAT) and Port Address Translation (PAT) on locally switched WLANs. You must enable Central DHCP Processing to enable NAT and PAT.

f. Click Save .

Step 24 Click the WLAN-VLAN Mapping tab to view, add, edit, or remove the WLAN-VLAN mapping.

a. Click the Add Row icon.

b. From the WLAN Profile Name drop-down list, choose a WLAN profile. Only the FlexConnect local switching WLANs are displayed in the WLAN Profile Name drop-down list.

c. Enter the VLAN ID within the specified range.

d. Click Save.

Step 25 Click the WLAN-AVC Mapping tab to view, add, edit, or remove the WLAN-AVC mapping.

a. Click the Add Row icon.

b. From the WLAN Profile Name drop-down list, choose a WLAN profile. Only the FlexConnect local switching WLANs are displayed in the WLAN Profile Name drop-down list.

c. From the Application Visibility drop-down list, choose Enable, Disable or Wlan-specific. When Wlan-specific is chosen, the Flex AVC Profile will be disabled.

d. From the Flex AVC Profile drop-down list, choose the specific AVC profile.

e. Click Save.

Step 26 Click Save .

Related Topic

• Controller > FlexConnect > FlexConnect AP Groups

Adding FlexConnect Users to FlexConnect AP Groups Templates

You can click the Users configured in the group link that appears when the FlexConnect Local Authentication check box is enabled to view the list of FlexConnect users. You can create FlexConnect users only after you save the FlexConnect AP Group.Maximum 100 FlexConnect users are supported in controller Release 5.2.x.x and later. If controller Release 5.2.0.0, and earlier supports only 20 FlexConnect users.

To delete a FlexConnect User, choose a user from the FlexConnect Users list, and then click Delete .

To configure a FlexConnect user, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > FlexConnect > FlexConnect AP Groups .

Step 2 Hover the mouse on FlexConnect AP Groups and select Show All Templates.

Step 3 Click the Local Authentication tab and select the FlexConnect Local Authentication check box to enable local authentication for this FlexConnect group.

Step 4 Click the Users configured in the group link. The FlexConnect Users page appears.

Step 5 If you want to add a new user, choose Add User from the Select a command drop-down list, and click Go . The Add User page appears.

Step 6 In the User Name text box, enter the FlexConnect username.

Step 7 In the Password text box, enter the password.

Step 8 Reenter the password in the Confirm Password text box.

Step 9 Click Save .

Related Topics

• Creating FlexConnect AP Groups Templates
• Creating FlexConnect Templates
• Controller > FlexConnect > FlexConnect AP Groups

Creating General Security Controller Templates

To add a new template with general security information for a controller, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security .

Step 2 Select the template you want to add.

Step 3 Complete the following fields:

• Template Name—Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
• Maximum Local Database Entries (on next reboot)—Enter the maximum number of allowed database entries. This amount becomes effective on the next reboot.

Step 4 Click Save .

The template appears in the Template List page. In the Template List page, you can apply this template to controllers.

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Creating File Encryption Templates

To add and configure a File Encryption template or make modifications to an existing file encryption template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > File Encryption .

Step 2 Choose Add Template from the Select a command drop-down list, and click Go to add a new template. To modify an existing template, click the template name. The File Encryption template page appears.

Step 3 Check if you want to enable file encryption.

Step 4 Enter an encryption key text string of exactly 16 ASCII characters.

Step 5 Re-enter the encryption key.

Step 6 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

RADIUS Authentication Templates

You can add a RADIUS authentication template or make modifications to an existing template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.

Related Topics

• Creating RADIUS Authentication Templates

Creating RADIUS Authentication Templates

To configure a RADIUS Authentication template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > RADIUS Auth Servers .

Step 2 From the Shared Secret Format drop-down list, choose either ASCII or hex .

Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.

Step 3 Enter the RADIUS shared secret used by your specified server.

Step 4 Check the Key Wrap check box if you want to enable key wrap. If this check box is enabled, the authentication request is sent to RADIUS servers that have key encryption key (KEK) and message authenticator code keys (MACK) configured. Complete the following fields:

• Shared Secret Format: Enter ASCII or hexadecimal.

Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in the event a discovered template is applied to another device.

• KEK Shared Secret.
• MACK Shared Secret.

Each time the controller is notified with the shared secret, the existing shared secret is overwritten with the new shared secret.

Step 5 Check the Admin Status check box to enable administration privileges.

Step 6 Check the Support for RFC 3576 check box to t to enable support for RFC 3576.

RFC 3576 is an extension to the Remote Authentication Dial In User Service (RADIUS) protocol. It allows dynamic changes to a user session and includes support for disconnecting users and changing authorizations applicable to a user session. With these authorizations, support is provided for Disconnect and Change-of-Authorization (CoA) messages. Disconnect messages immediately terminate a user session, whereas CoA messages modify session authorization attributes such as data filters.

Step 7 Check Network User to enable network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.

Step 8 Check Management User to enable management authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the management user.

Step 9 In the Retransmit Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.

Step 10 If you enable IP Sec the IP security mechanism, additional IP security fields are added to the page, and Steps 13 to 19 are required. If you disable it, click Save and skip Steps 13 to 19.

Step 11 Use the drop-down list to choose the IP security authentication protocol to be used. The available options are:

• HMAC-SHA1
• HMAC-MD5
• None

Message Authentication Codes (MAC) are used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is a mechanism based on cryptographic hash functions and can be used in combination with any iterated cryptographic hash function. HMAC-MD5 and HMAC-SHA1 are two constructs of the HMAC using the MD5 hash function and the SHA1 hash function. HMAC also uses a secret key for calculation and verification of the message authentication values.

Step 12 Set the IP security encryption mechanism to use. The options are as follows:

• DES —Data Encryption Standard is a method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
• Triple DES —Data Encryption Standard that applies three keys in succession.
• AES 128 CBC —Advanced Encryption Standard uses keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path in Cipher Clock Chaining (CBC) mode.
• None —No IP security encryption mechanism.

Step 13 From the IKE phase 1 drop-down list choose either aggressive or main to set the IKE protocol. IKE phase 1 is used to negotiate how IKE is protected. Aggressive mode passes more information in fewer packets, with the benefit of a slightly faster connection, at the cost of transmitting the identities of the security gateways in the clear.

Step 14 Enter the timeout interval (in seconds) in the Lifetime field to define when the session expires.

Step 15 Set the IKE Diffie Hellman group. The options are group 1 (768 bits), group 2 (1024 bits), or group 5 (1536 bits).

Diffie-Hellman techniques are used by two devices to generate a symmetric key where you can publicly exchange values and generate the same symmetric key.

Although all three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1 and Group 2 based keys might occur slightly faster because of their smaller prime number size.

Step 16 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• RADIUS Authentication Templates
• Controller > Security > AAA > RADIUS Auth Servers

Creating RADIUS Accounting Templates

To add and configure a RADIUS Accounting template or modify and existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > RADIUS Acct Servers .

Step 2 Use the Shared Secret Format drop-down list to choose either ASCII or hexadecimal .

Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.

Step 3 Enter the RADIUS shared secret used by your specified server.

Step 4 Re-enter the shared secret.

Step 5 Click if you want to establish administrative privileges for the server.

Step 6 Click if you want to enable the network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.

Step 7 Specify the time in seconds after which the RADIUS authentication request times out and a retransmission by the controller occurs. You can specify a value between 2 and 30 seconds.

Step 8 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Creating RADIUS Fallback Templates

To add and configure a RADIUS Fallback template or modify an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > RADIUS Fallback .

Step 2 From the RADIUS Fallback Mode drop-down list, choose one of the following:

• Off —Disables fallback.
• Passive —You must enter a time interval.
• Active —You must enter a username and time interval.

Step 3 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

LDAP Server Templates

This section explains how to configure a Lightweight Directory Access Protocol (LDAP) server as a backend database, similar to a RADIUS or local user database. An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user. For example, local EAP might use an LDAP server as its backend database to retrieve user credentials.

Related Topics

• Creating LDAP Server Templates

Creating LDAP Server Templates

To add an LDAP server template or make modifications to an existing LDAP server template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > LDAP Servers .

Step 2 Enter the port number of the controller to which the access point is connected.

Step 3 From the Bind Type drop-down list, choose one of the following:

• Authenticated —Enter a bind username and password.
• Anonymous .

Step 4 In the Server User Base DN text box, enter the distinguished name of the subtree in the LDAP server that contains a list of all the users.

Step 5 In the Server User Attribute text box, enter the attribute that contains the username in the LDAP server.

Step 6 In the Server User Type text box, enter the ObjectType attribute that identifies the user.

Step 7 In the Retransmit Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.

Step 8 Check the Admin Status check box if you want the LDAP server to have administrative privileges.

Step 9 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• LDAP Server Templates

TACACS+ Server Templates

This page allows you to add a TACACS+ server or make modifications to an existing TACACS+ server template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.

Related Topics

• Creating TACACS+ Server Templates

Creating TACACS+ Server Templates

To configure a TACACS+ Server template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > TACACS+ Servers .

Step 2 Select one or more server types by selecting their respective check boxes. The following server types are available:

• authentication —Server for user authentication/authorization.
• authorization —Server for user authorization only.
• accounting —Server for RADIUS user accounting.

Step 3 Enter the IP address of the server.

Step 4 Enter the port number of the server. The default is 49.

Step 5 From the drop-down list, choose either ASCII or hex .

Regardless of which format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. Set the key format again in the template in the event a discovered template is applied to another device.

Step 6 Enter the TACACS+ shared secret used by your specified server in the Shared Secret text box.

Step 7 Reenter the shared secret in the Confirm Shared Secret text box.

Step 8 Select the Admin Status check box if you want the TACACS+ server to have administrative privileges.

Step 9 In the Retransmit Timeout text box, enter the time, in seconds, after which the TACACS+ authentication request times out and a retransmission is attempted by the controller.

Step 10 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• TACACS+ Server Templates
• Controller > Security > AAA > TACACS+ Servers

Local EAP General Templates

This page allows you to specify a timeout value for local EAP. You can then add or make changes to an existing local EAP general template.

If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.

Related Topics

• Creating Local EAP General Templates

Creating Local EAP General Templates

To add an Local EAP template or make modifications to an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > General - Local EAP .

The Local EAP General page appears.

Step 2 In the Local Auth Active Timeout text box, enter the time (in seconds) that the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fail. The valid range is 1 to 3600 seconds, and the default setting is 1000 seconds.

The following values should be adjusted if you are using EAP-FAST, manual password entry, one-time password, or 7920/7921 phones:

• Local EAP Identify Request Timeout =1
• Local EAP Identity Request Maximum Retries=20
• Local EAP Dynamic WEP Key Index=0
• Local EAP Request Timeout=20
• Local EAP Request Maximum Retries=2

You must increase the 802.1x timeout values on the controller (default=2 seconds) for the client to obtain the PAC using automatic provisioning. The recommended and default timeout on the Cisco ACS server is 20 seconds.

Roaming fails if these values are not set the same across multiple controllers.

Step 3 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• Local EAP General Templates
• Controller > Security > Local EAP > General - Local EAP

Local EAP Profile Templates

Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, thereby removing dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users.

The LDAP backend database supports only these local EAP methods:

• EAP-TLS.
• EAP-FAST with certificates.

LEAP and EAP-FAST with PACs are not supported for use with the LDAP backend database.

Related Topic

• Creating Local EAP Profile Templates

Creating Local EAP Profile Templates

To add Local EAP Profile template or make modifications to an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > Local EAP Profiles .

Step 2 Choose one of the following desired authentication type:

• LEAP —This authentication type leverages Cisco Key Integrity Protocol (CKIP) and MMH message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point.
• EAP-FAST —This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1X EAP mutual authentication. A username, password, and PAC (protected access credential) are used to perform mutual authentication with the RADIUS server through the access point.
• TLS —This authentication type uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. It requires a client certificate for authentication.
• PEAP —This authentication type is based on EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data.

Step 3 Choose the certificate for authentication from the Certificate Issuer drop-down list to determine whether Cisco or another vendor issued the certificate for authentication. Only EAP-FAST and TLS require a certificate.

Step 4 Check the Check Against CA Certificates check box if you want the incoming certificate from the client to be validated against the certificate authority (CA) certificates on the controller.

Step 5 Check the Verify Certificate CN Identity check box if you want the incoming certificate to be validated against the common name of the CA certificate.

Step 6 Check the Check Against Date Validity check box if you want the controller to verify that the incoming device certificate is still valid and has not expired,.

Step 7 Check the Local Certificate Required check box if a local certificate is required.

Step 8 Check the Client Certificate Required check box if a client certificate is required.

Step 9 Click Save .

Step 10 To enable local EAP, follow these steps:

a. Choose WLAN > WLAN Configuration from the left sidebar menu.

b. Click the profile name of the desired WLAN.

c. Choose the Security > AAA Servers tab to access the AAA Servers page.

d. Select the Local EAP Authentication check box to enable local EAP for this WLAN.

Step 11 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• Local EAP Profile Templates
• Controller > Security > Local EAP > Local EAP Profiles

EAP-FAST Templates

This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1X EAP mutual authentication. A username, password, and PAC are used to perform mutual authentication with the RADIUS server through the access point.

Related Topics

• Creating an EAP-FAST Template

Creating an EAP-FAST Template

To add an EAP-FAST template or make modifications to an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > EAP-FAST Parameters .

Step 2 In the Time to Live for the PAC text box, enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.

Step 3 In the Authority ID text box, enter the authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even number of characters.

Step 4 In the Authority Info text box, enter the authority identifier of the local EAP-FAST server in text format.

Step 5 In the Server Key and Confirm Server Key text boxes, enter the key (in hexadecimal characters) used to encrypt and decrypt PACs.

Step 6 If you want to enable anonymous provisioning, select the Anonymous Provision check box.

This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If you disable this feature, PACs must be manually provisioned.

Step 7 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• EAP-FAST Templates

Creating Network User Priority Templates

You can specify the order that LDAP and local databases use to retrieve user credential information. This page allows you to add or make modifications to an existing network user credential retrieval priority template.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > Network Users Priority .

Step 2 Use the left and right arrow keys to include or exclude network user credentials in the right page.

Step 3 Use the up and down keys to determine the order credentials are tried.

Step 4 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Local Network Users Templates

With this template, you can store the credentials (username and password) of all the local network users. These credentials are then used to authenticate the users. For example, local EAP might use the local user database as its back end database to retrieve user credentials. This page allows you to add or make modifications to an existing local network user template. You must create a local net user and define a password when logging in as a web authentication client.

Related Topics

• Creating Local Network Users Templates

Creating Local Network Users Templates

To configure a Local Network Users template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > Local Net Users .

Step 2 Click Import CSV to import from a file, then click Browse to navigate to the file. Then continue to Step 6. If you disable the import, continue to Step 3.

Only CSV file formats are supported.

Prime Infrastructure reads data from the second row onwards. The first row in the file is treated as the header and the data is not read by Prime Infrastructure. The header can either be blank or filled.

Step 3 Enter the following details:

• Username
• Password
• Profile
• Description.

The Profile column if left blank (or filled in with any profile ) means a client on any profile can use this account.

Step 4 Use the drop-down list to choose the SSID which this local user is applied to or choose the any SSID option.

Step 5 Enter a user-defined description of this interface.

Step 6 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• Local Network Users Templates

Guest User Templates

The purpose of a guest user account is to provide a user account for a limited amount of time. A Lobby Ambassador is able to configure a specific time frame for the guest user account to be active. After the specified time period, the guest user account automatically expires. Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Guest Users to access the Guest Users template page.

Related Topics

• Creating Guest User Templates

Creating Guest User Templates

To add an guest user template or make modifications to an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Guest Users .

Step 2 Enter a guest username in the User Name text box. The maximum size is 24 characters.

Step 3 Enter a password for this username in the Password text box.

Step 4 From the Advanced tab choose the guest user to connect to from the Profile drop-down list

Step 5 Choose a user role for the guest user from the drop-down list. User roles are predefined by the administrator and are associated with the access of the guest.

User Role is used to manage the amount of bandwidth allocated to specific users within the network.

Step 6 Choose one of the following radio buttons to specify the lifetime of the guest account:

• Limited— The period of time that the guest user account is active using the hours and minutes drop-down lists. The default value for Limited is one day (8 hours).
• Unlimited Lifetime —no expiration date for the guest account.

Step 7 Choose the area (indoor, outdoor), controller list, or config group to which the guest user traffic is limited from the Apply to drop-down list.

If you choose the controller list option, a list of controller IP addresses appears.

Step 8 Modify the default guest user description on the General tab if necessary. This is not mandatory.

Step 9 Modify the Disclaimer text on the General tab, if necessary. If you want the supplied text to be the default, select the Make this Disclaimer default check box. This is not mandatory.

Step 10 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• Guest User Templates

User Login Policies Templates

You can set the maximum number of concurrent logins that each single user can have.

Related Topics

• Creating User Login Policies Templates

Creating User Login Policies Templates

To add a user login template or make modifications to an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > User Login Policies .

Step 2 Enter the maximum number of concurrent logins each single user can have.

Step 3 Click Save as New Template .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• User Login Policies Templates

Creating a MAC Filter Template

To add a MAC filter template or make modifications to an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > MAC Filtering or choose Security > MAC Filtering .

Step 2 Click Import CSV to import a file containing access point MAC addresses.

Step 3 Enter the desired file path or click Browse to import the file.

The import file must be a CSV file with MAC address, profile name, interface, and description (such as 00:11:22:33:44:55, Profile1, management, test filter). If you disable the Import from File check box, continue to Choose the profile name to which this MAC filter is applied or choose the Any Profile option. ..

The client MAC address appears.

Step 4 Choose the profile name to which this MAC filter is applied or choose the Any Profile option.

Step 5 Use the drop-down list to choose from the available interface names.

Step 6 Enter a user-defined description of this interface.

Step 7 Click Save as New Template .

You cannot use MAC address in the broadcast range.

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Access Point or MSE Authorization Templates

These templates are devised for Cisco 11xx/12xx series access points converted from Cisco IOS to lightweight access points or for 1030 access points connecting in bridge mode. See the Cisco Mobility Services Engine Configuration Guide for further information.

Related Topics

• Creating an Access Point or MSE Authorization Templates

Creating an Access Point or MSE Authorization Templates

To add a MSE authorization template or make modifications to an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > AP or MSE Authorization.

Step 2 Click Import CSV to import a file containing access point MAC addresses.

You can only import a CSV file. The file format parallels the fields in the GUI and therefore includes access point base radio MAC, Type, Certificate Type (MIC or SSC), and key hash (such as 00:00:00:00:00:00, AP, SSC, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx). No other file formats are not supported.

Step 3 Enter the desired file path or click Browse to import the file.

Step 4 Click Save As New Template .

You cannot use MAC address in the broadcast range.

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• Access Point or MSE Authorization Templates

Creating a Manually Disabled Client Template

This page allows you to add a manually disable client template or make modifications to an existing disabled client template.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Manually Disable Clients .

Step 2 Enter the MAC address of the client you want to disable.

Step 3 Enter a description of the client you are setting to disabled.

Step 4 Click Save as New Template .

You cannot use a MAC address in the broadcast range.

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Creating Client Exclusion Policies Templates

To add a client exclusion policies template or modify an existing client exclusion policies template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Client Exclusion Policies .

Step 2 Complete the following fields:

• Template Name —Enter a name for the client exclusion policy.
• Excessive 802.11 Association Failures —Enable to exclude clients with excessive 802.11 association failures.
• Excessive 802.11 Authentication Failures —Enable to exclude clients with excessive 802.11 authentication failures.
• Excessive 802.1X Authentication Failure s—Enable to exclude clients with excessive 802.1X authentication failures.
• Excessive 802.11 Web Authentication Failures —Enable to exclude clients with excessive 802.11 web authentication failures.
• IP Theft or Reuse —Enable to exclude clients exhibiting IP theft or reuse symptoms.

Step 3 Click Save as New Template .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Access Point Authentication and MFP Templates

Management Frame Protection (MFP) provides for the authentication of 802.11 management frames by the wireless network infrastructure. Management frames can be protected to detect adversaries who are invoking denial of service attacks, flooding the network with associations and probes, interjecting as rogue access points, and affecting the network performance by attacking the QoS and radio measurement frames.

When enabled, the access point protects the management frames it transmits by adding a message integrity check information element (MIC IE) to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving access point configured to detect MFP frames to report the discrepancy. An access point must be a member of a WDS to transmit MFP frames.

When MFP detection is enabled, the access point validates every management frame that it receives from other access points in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the discrepancy to the network management system.

Related Topics

• Creating Access Point Authentication and MFP Templates

Creating Access Point Authentication and MFP Templates

To add or make modifications for the access point authentication and management frame protection (MFP) template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > AP Authentication and MFP .

Step 2 From the Protection Type drop-down list, choose one of the following authentication policies:

• None —No access point authentication policy.
• AP Authentication —Apply authentication policy.
• MFP —Apply management frame protection.

Alarm trigger threshold appears only when AP authentication is selected as a protection type. Set the number of hits from an alien access point to ignore before raising an alarm.

The valid range is from 1 to 255. The default value is 255.

Step 3 Click Save as New Template .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• Access Point Authentication and MFP Templates

Web Authentication Templates

With web authentication, guests are automatically redirected to a web authentication page when they launch their browsers. Guests gain access to the WLAN through this web portal. Wireless LAN administrators using this authentication mechanism should have the option of providing unencrypted or encrypted guest access. Guest users can then log into the wireless network using a valid username and password, which is encrypted with SSL. Web authentication accounts might be created locally or managed by a RADIUS server. The Cisco Wireless LAN controllers can be configured to support a web authentication client. You can use this template to replace the Web authentication page provided on the controller.

Related Topics

• Creating a Web Authentication Template

Creating a Web Authentication Template

To add or make modifications to an existing web authentication template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > Web Auth Configuration .

Step 2 Choose one of the following web authentication type from the drop-down list.

• default internal — You can still alter the page title, message, and redirect URL, as well as whether the logo appears. Continue to Step 5.
• customized web authentication —Click Save and apply this template to the controller. You are prompted to download the web authentication bundle.

Before you can choose customized web authentication, you must first download the bundle by going to Config > Controller and choose Download Customized Web Authentication from the Select a command drop-down list, and click Go .

• external —you need to enter the URL you want to redirect to after a successful authentication. For example, if the value entered for this text box is http://www.example.com, the user is directed to the company home page

Step 3 Select the Logo Display check box if you want your company logo displayed.

Step 4 Enter the title you want displayed on the Web Authentication page.

Step 5 Enter the message you want displayed on the Web Authentication page.

Step 6 Provide the URL where the user is redirected after a successful authentication. For example, if the value entered for this text box is http://www.example.com, the user would be directed to the company home page.

Step 7 Click Save as New Template .

Related Topics

• Web Authentication Templates
• Customized Web Authentication Pages

Customized Web Authentication Pages

You can download a customized Web Authentication page to the controller. With a customized web page, you can establish a username and password for user web access.

When downloading customized web authentication, you must follow these strict guidelines:

• Provide a username.
• Provide a password.
• Retain a redirect URL as a hidden input item after extracting from the original URL.
• Extract the action URL and set aside from the original URL.
• Include scripts to decode the return status code.

Related Topics

• Downloading Customized Web Authentication Pages

Downloading Customized Web Authentication Pages

Before downloading, follow these steps:

Step 1 Download the sample login.html bundle file from the server. The following figure displays .html file. The login page is presented to web users the first time they access the WLAN if web authentication is turned on.

Figure 20-1 Login.html

Step 2 Edit the login.html file and save it as a .tar or .zip file.

You can change the text of the Submit button to read Accept terms and conditions and Submit.

Step 3 Make sure you have a Trivial File Transfer Protocol (TFTP) server available for the download. Keep these guidelines in mind when setting up a TFTP server:

• If you are downloading through the service port, the TFTP server must be on the same subnet as the service port because the service port is not routable. However, if you want to put the TFTP server on a different network while the management port is down, add a static route if the subnet where the service port resides has a gateway (config route add IP address of TFTP server ).
• If you are downloading through the distribution system network port, the TFTP server can be on the same or a different subnet because the distribution system port is routable.
• A third-party TFTP server cannot run on the same computer as Prime Infrastructure because the built-in TFTP server of Prime Infrastructure and third-party TFTP server use the same communication port.

Step 4 Download the .tar or .zip file to the controller(s).

The controller allows you to download up to 1 MB of a .tar file containing the pages and image files required for the Web authentication display. The 1 MB limit includes the total size of uncompressed files in the bundle.

You can now continue with the download.

Step 5 Copy the file to the default directory on your TFTP server.

Step 6 Choose Configuration > Network > Network Devices > Wireless Controller .

Step 7 Click on a Device Name. If you select more than one device, the customized Web authentication page is downloaded to multiple controllers.

Step 8 From the left sidebar menu, choose System > Commands .

Step 9 From the Upload/Download Commands drop-down list, choose Download Customized Web Auth, and click Go .

Step 10 The IP address of the controller to receive the bundle and the current status are displayed.

Step 11 Choose local machine from the File is Located On field. If you know the filename and path relative to the root directory of the server, you can also select TFTP server.

For a local machine download, either .zip or .tar file options exists, but Prime Infrastructure does the conversion of .zip to .tar automatically. If you chose a TFTP server download, only .tar files would be specified.

Step 12 Enter the maximum number of times the controller should attempt to download the file in the Maximum Retries field.

Step 13 Enter the maximum amount of time in seconds before the controller times out while attempting to download the file in the Timeout field.

Step 14 The files are uploaded to the c:\tftp directory. Specify the local filename in that directory or click Browse to navigate to it.

Step 15 Click OK .

If the transfer times out, you can simply choose the TFTP server option in the File Is Located On field, and the server filename is populated for you. The local machine option initiates a two-step operation. First, the local file is copied from the workstation of the administrator to the built-in TFTP server of Prime Infrastructure. Then the controller retrieves that file. For later operations, the file is already in the TFTP directory of Prime Infrastructure server, and the download web page now automatically populates the filename.

Step 16 Click the Click here to download a sample tar file link to get an option to open or save the login.tar file.

Step 17 After completing the download, you are directed to the new page and able to authenticate.

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• Creating a Web Authentication Template

Creating External Web Auth Server Templates

To create or modify an External Web Auth Server template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > External Web Auth Server or choose Security > External Web Auth Server .

Step 2 Enter the server address of the external web auth server.

Step 3 Click Save as New Template .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Creating a Security Password Policy Template

To add or make modifications to an existing password policy template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Password Policy .

Step 2 You can enable or disable the following settings:

• Password must contain characters from at least 3 different classes such as uppercase letters, lowercase letters, digits, and special characters.
• No character can be repeated more than 3 times consecutively.
• Password cannot be the default words like cisco or admin.

Password cannot be “cisco”, “ocsic”, “admin”, “nimda’ or any variant obtained by changing the capitalization of letters, or by substituting ‘1” “|” or “!” for i, or substituting “0” for “o”, or substituting “$” for “s”.

• Password cannot contain username or reverse of username.

Step 3 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Creating an Access Control List Template

An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs can be applied to data traffic to and from wireless clients or to all traffic destined for the controller Central Processing Unit (CPU) and can now support reusable grouped IP addresses and reusable protocols. After ACLs are configured in the template, they can be applied to the management interface, the AP-manager interface, or any of the dynamic interfaces for client data traffic; to the Network Processing Unit (NPU) interface for traffic to the controller CPU; or to a WAN.

You can create or modify an ACL template by protocol, direction, and the source or destination of the traffic.

You can now create new mappings from the defined IP address groups and protocol groups. You can also automatically generate rules from the rule mappings you created. These rules are generated with contiguous sequence. That is, if rules 1 through 4 are already defined and you add up to 29 rules.

Existing ACL templates are duplicated into a new ACL template. This duplication clones all the ACL rules and mappings defined in the source ACL template.

This release of Prime Infrastructure provides support to IPv6 ACLs.

Related Topics

• Adding or Modifying an ACL Template
• Creating an ACL IP Groups Template
• Creating an ACL Protocol Groups Template

Adding or Modifying an ACL Template

To add or modify an existing ACL template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Access Control Lists .

Step 2 Complete the following fields:

• Access Control List Name—User-defined name of the template.
• ACL Type—Choose either IPv4 or IPv6 . IPv6 ACL is supported from controller Release 7.2.x.

Step 3 Choose IP Groups from the left sidebar menu to create reusable grouped IP addresses and protocols.

Step 4 Choose Add IP Group from the Select a command drop-down list and click Go to define a new IP address group.

One IP address group can have a maximum of 128 IP address and netmask combinations. To view or modify an existing IP address group, click the URL of the IP address group. The IP address group page opens.For the IP address of any, an any group is predefined.

Step 5 Edit the following current IP group fields if required in the ACL IP Groups details page:

• IP Group Name
• IP Address
• Netmask OR CIDR Notation

Enter the Netmask or CIDR Notation and then click Add . The list of IP addresses or Netmasks appears in the List of IP Address/Netmasks text box.

CIDR or Classless InterDomain Routing a protocol which allows the assignment of Class C IP addresses in multiple contiguous blocks. CIDR notation allows you to add a large number of clients that exist in a subnet range by configuring a single client object.

Netmask allows you to set the subnet mask in dotted-decimal notation rather than the CIDR notation for the IP address property.

• BroadCast/Network
• List of IP Addresses/Netmasks

Use the Move Up and Move Down buttons to rearrange the order of the list items. Use the Delete button to delete any IP address or Netmask.

Step 6 Choose Access Control > Protocol Groups from the left sidebar menu to define an additional protocol that is not a standard predefined one.

The protocol groups with their source and destination port and DSCP are displayed.

Step 7 Choose Add Protocol Group from the Select a command drop-down list, and click Go to create a new protocol group. To view or modify an existing protocol group, click the URL of the group.

The Protocol Groups page appears.

Step 8 Enter a name for a new rule. ACLs are not required to have rules defined. When a packet matches all the parameters of a rule, the action for this rule is exercised.

Step 9 Choose one of the following protocols from the drop-down list:

• Any—All protocols
• TCP—Transmission Control Protocol
• UDP—User Datagram Protocol
• ICMP—Internet Control Message Protocol
• ESP—IP Encapsulating Security Payload
• AH—Authentication Header
• GRE—Generic Routing Encapsulation
• IP—Internet Protocol
• Eth Over IP—Ethernet over Internet Protocol
• Other Port OSPF—Open Shortest Path First
• Other—Any other IANA protocol (http://www.iana.org/)

Some protocol choices (such as TCP or UDP) cause additional Source Port and Dest Port GUI elements to appear.

• Source Port—Specify the source of the packets to which this ACL applies. The choices are Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other, and Port Range.
• Dest Port—Specify the destination of the packets to which this ACL applies. The choices are Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other, and Port Range.

Step 10 Choose any or specific from the DSCP (Differentiated Services Code Point) drop-down list. If you choose specific, enter the DSCP (range of 0 to 255).

DSCP is a packet header code that can be used to define the quality of service across the Internet.

Step 11 Click Save .

Step 12 Choose the ACL template to which you want to map the new groups to define a new mapping. All ACL mappings appear on the top of the page, and all ACL rules appear on the bottom.

Step 13 Choose Add Rule Mappings from the Select a command drop-down list. The Add Rule Mapping page appears.

Step 14 Configure the following fields:

• Source IP Group—Predefined groups for IPv4 and IPv6.
• Destination IP Group—Predefined groups for IPv4 and IPv6.
• Protocol Group—Protocol group to use for the ACL.
• Direction—Any, Inbound (from client) or Outbound (to client).
• Action—Deny or Permit. The default filter is to deny all access unless a rule explicitly permits it.

Step 15 Click Add . The new mappings populate the bottom table.

Step 16 Click Save .

Step 17 Choose the mappings for which you want to generate rules, and click Generate . This automatically creates the rules.

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Creating a FlexConnect Access Control List Template

You can create or modify a FlexConnect ACL template for configuring the type of traffic that is allowed by protocol, and the source or destination of the traffic. The FlexConnect ACLs do not support IPv6 addresses.

Creating and Applying a FlexConnect Access Control List

To configure and apply an Access Control List template to a Controller, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > FlexConnect ACLs .

Step 2 Enter a name for the new FlexConnect ACL.

Step 3 Click Save as New Template .

A FlexConnect ACL template is created. You can now create new mappings from the defined IP address groups and protocol groups. To define a new mapping, choose the ACL template to which you want to map the new groups. All FlexConnect ACL mappings appear on the top of the page, and all FlexConnect ACL rules appear in the bottom.

Step 4 Click Add Rule Mappings , then configure the following fields in the FlexConnect ACL IP Protocol Map page:

• Source IP Group—Predefined groups for IPv4 and IPv6.
• Destination IP Group—Predefined groups for IPv4 and IPv6.
• Protocol Group—Protocol group to use for the ACL.
• Action—Deny or Permit. The default filter is to deny all access unless a rule explicitly permits it.

Step 5 Click Add . The new mappings populate the bottom table.

Step 6 Click Save .

Step 7 Choose the mappings for which you want to generate rules, and click Generate . This automatically creates the rules.

Step 8 From the Select a command drop-down list in the FlexConnect ACL page, choose Apply Templates .

The Apply to Controllers page appears.

Step 9 Select Save Config to Flash after apply check box to save the configuration to Flash after applying the FlexConnect ACL to the controller.

Step 10 Select Reboot Controller after apply to reboot the controller once the FlexConnect ACL is applied. This check box is available only when you select the Save Config to Flash after apply check box.

Step 11 Select one or more controllers and click OK to apply the FlexConnect ACL template.

The FlexConnect ACL that you created appears in Configure > Controller Template Launch Pad > IP Address > Security > Access Control > FlexConnect ACLs .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Deleting a FlexConnect Access Control List

To delete a FlexConnect ACL, follow these steps:

Step 1 Choose Configuration > Network > Network Devices > Controllers .

Step 2 Click a controller Device Name.

Step 3 From the left sidebar menu, choose Security > FlexConnect ACLs .

Step 4 From the FlexConnect ACLs page, select one or more FlexConnect ACLs to delete.

Step 5 From the Select a command drop-down list, choose Delete FlexConnect ACLs .

Step 6 Click Go .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Creating an ACL IP Groups Template

To create reusable grouped IP addresses, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > IP Groups .

Step 2 Configure the following fields:

• Name
• IP Address—For IP Group, enter an IPv4 address format. For IPv6 groups, enter an IPv6 address format.
• Netmask OR CIDR Notation—Enter the Netmask or CIDR Notation and then click Add .

The list of IP addresses or Netmasks appears in the List of IP Addresses/Netmasks text box.

These fields are not applicable for IPv6 groups.

• BroadCast/Network

These fields are not applicable for IPv6 groups.

• Prefix Length—Prefix for IPv6 addresses, ranging from 0 to 128.
• List of IP Addresses/Netmasks—Use the Move Up and Move Down buttons to rearrange the order of the list items. Use the Delete button to delete an IP address or Netmask.

Step 3 Click Save as New Template .

You can create new mappings from the defined IP address groups and protocol groups. To define a new mapping, choose the ACL template to which you want to map the new groups. All ACL mappings appear in the top of the page, and all ACL rules appear in the bottom.

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates
• Creating Controller Configuration Groups
• Creating an ACL Protocol Groups Template

Creating an ACL Protocol Groups Template

To define an additional protocol that is not a standard predefined one, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Protocol Groups .

Step 2 Configure the following fields:

• Name—The rule name is provided for the existing rules, or you can now enter a name for a new rule. ACLs are not required to have rules defined. When a packet matches all the fields of a rule, the action for this rule is exercised.
• Protocol—Choose a protocol from the drop-down list:

– Any—All protocols

– TCP—Transmission Control Protocol

– UDP—User Datagram Protocol

– ICMP—Internet Control Message Protocol

– ESP—IP Encapsulating Security Payload

– AH—Authentication Header

– GRE—Generic Routing Encapsulation

– IP—Internet Protocol

– Eth Over IP—Ethernet over Internet Protocol

– Other Port OSPF—Open Shortest Path First

– Other—Any other IANA protocol (http://www.iana.org/)

• Source Port—Can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other and Port Range.
• Dest Port—Destination port. If TCP or UDP is selected, can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other and Port Range.
• DSCP (Differentiated Services Code Point)—Choose Any or Specific from the drop-down list. If Specific is selected, enter the DSCP (range of 0 through 255).

DSCP is a packet header code that can be used to define the quality of service across the Internet.

Step 3 Click Save as New Template .

Related Topics

• Creating Controller Configuration Groups
• Creating an ACL IP Groups Template
• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Creating a CPU Access Control List (ACL) Template

To add or modify an existing CPU ACL template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > CPU Access Control List .

Step 2 Select the check box to enable CPU ACL. When CPU ACL is enabled and applied on the controller, Prime Infrastructure displays the details of the CPU ACL against that controller.

Step 3 From the ACL Name drop-down list, choose a name from the list of defined names.

Step 4 From the CPU ACL Mode drop-down list, choose which data traffic direction this CPU ACL list controls. The choices are the wired side of the data traffic, the wireless side of the data traffic, or both wired and wireless.

Step 5 Click Save as New Template .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Creating a Rogue Policies Template

To add or modify a rogue policy (for access points and clients) template applied to the controller, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Rogue Policies .

Step 2 Choose one of the following from the drop-down list:

• Disable —Disables RLDP on all access points.
• All APs —Enables RLDP on all access points.
• Monitor Mode APs —Enables RLDP only on access points in monitor mode.

Step 3 Set the expiration timeout (in seconds) for rogue access point entries.

Step 4 Enter the time interval in seconds at which the APs should send the rogue detection report to the controller in the Rogue Detection Report Interval text box.

The valid range is 10 seconds to 300 seconds, and the default value is 10 seconds. This feature is applicable to APs that are in monitor mode only.

Step 5 Enter the minimum RSSI value that a rogue should have for the APs to detect and for the rogue entry to be created in the controller in the Rogue Detection Minimum RSSI text box.

The valid range is -70 dBm to -128 dBm, and the default value is -128 dBm. This feature is applicable to all the AP modes.

Step 6 Enter the time interval at which a rogue has to be consistently scanned for by the AP after the first time the rogue is scanned in the Rogue Detection Transient Interval text box.

By entering the transient interval, you can control the time interval at which the AP should scan for rogues. The APs can filter the rogues based on their transient interval values. The valid range is between 120 seconds to 1800 seconds, and the default value is 0. This feature is applicable to APs that are in monitor mode only.

Step 7 Select the Validate rogue clients against AAA check box to enable the AAA validation of rogue clients.

Step 8 Select the Detect and report Adhoc networks check box to enable detection and reporting of rogue clients participating in ad hoc networking.

Step 9 Click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Rogue AP Rules

To configure rogue rules on Prime Infrastructure, follow these steps:

1. Create a Rogue AP rule—See Creating a Rogue AP Rules Template.

2. Create a Rogue AP Rule Group that contains all the rules you want to apply—See Creating a Rogue AP Rule Groups Template.

3. Deploy the Rogue AP Rule Group to the controllers—See Deploying a Rogue AP Rule Groups Template.

Creating a Rogue AP Rules Template

To add or create a new classification rule template for rogue access points, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Rogue AP Rules .

Step 2 Configure the following fields:

• Template Name.
• Rule Type—Choose Malicious, Friendly , or Custom from the drop-down list.
• Notify—Choose Global , Local , None , or All from the drop-down list.

– Global—Trap information is sent only to Prime Infrastructure.

– Local—Trap information is sent only to controller.

– None —Trap information is not sent.

– All—Trap information is sent to Prime Infrastructure and controller.

• State—Use the drop-down list to choose from Contain , Alert , or Delete .
• Match Type—Choose Match All Conditions or Match Any Condition from the drop-down list.
• Severity Score (for Custom rule type only)—Specify the severity score. The Custom Rogue AP severity is based on Severity Score Value you specify:

– Critical—80 to 100

– Major—60 to 79

– Minor—1 to 59

• Classification Name (for Custom rule type only).

Step 3 In the Rogue Classification Rule group box of the page, configure the following fields.

• Open Authentication—Select the check box to enable open authentication.
• Match Managed AP SSID—Select the check box to enable the matching of a Managed AP SSID.

Managed SSIDs are the SSIDs configured for the WLAN and known to the system.

• Match User Configured SSID—Select the check box to enable the matching of User Configured SSIDs.

User Configured SSIDs are the SSIDs that are manually added. Enter the User Configured SSIDs (one per line) in the Match User Configured SSID text box.

• Match Wildcard Configured SSID—Select the check box to enable the matching of Wildcard Configured SSIDs. You can use wildcards (*).
• Minimum RSSI—Select the check box to enable the Minimum RSSI threshold limit.

Enter the minimum RSSI threshold level (dBm) in the text box. The detected access point is classified with the Rule Type you specified if it is detected above the indicated RSSI threshold.

• Time Duration—Select the check box to enable the Time Duration limit.

Enter the time duration limit (in seconds) in the text box. If it is viewed for a longer period of time than the specified time limit, the detected access point is classified with the Rule Type you specified.

• Minimum Number Rogue Clients—Select the check box to enable the Minimum Number Rogue Clients limit. Enter the minimum number of rogue clients allowed. If the number of clients associated to the detected access point is greater than or equal to the specified value, the detected access point is classified with the Rule Type you specified.

Step 4 Click Save as New Template .

Related Topics

• Creating a Rogue AP Rule Groups Template
• Deleting Controller Templates
• Applying Controller Templates

Creating a Rogue AP Rule Groups Template

A rogue access point rule group template allows you to combine more than one rogue access point rule to controllers. To view current rogue access point rule group templates or create a new rule group, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Rogue AP Rule Groups .

Step 2 Enter a template name.

Step 3 To add a Rogue AP rule, click to highlight the rule in the left column. Click Add to move the rule to the right column.

Rogue access point rules can be added from the Rogue Access Point Rules section.

Step 4 To remove a rogue access point rule, click to highlight the rule in the right column. Click Remove to move the rule to the left column.

Step 5 Use the Move Up/Move Down buttons to specify the order in which the rules apply. Highlight the desired rule and click Move Up or Move Down to move it higher or lower in the current list.

Step 6 Click Save to confirm the rogue access point rule list.

Step 7 Click Deploy to apply the rule group to the controller. See Deploying a Rogue AP Rule Groups Template.

Related Topics

• Creating a Rogue AP Rules Template
• Deploying a Rogue AP Rule Groups Template
• Viewing Deployed Rogue AP Rules

Deploying a Rogue AP Rule Groups Template

After you create and save a rogue AP Rule Group template, you can deploy it to a controller.

Step 1 Navigate to the Rogue AP Rule Group that you previously created. By default, it is saved in Configuration > Templates > Features & Technologies > My Templates > Features & Technologies > Controller > Security > Wireless Protection Policies .

Step 2 Click Deploy to apply the rule group to the controller.

Step 3 Select the controller(s) to which you want to apply the AP Rule Group, then click OK .

Prime Infrastructure creates a job for deploying the rules to the controllers you specified.

Step 4 Choose Administration > Dashboards > Job Dashboard > User Jobs > Config Deploy - Deploy View to view the status of the job.

Related Topics

• Creating a Rogue AP Rules Template
• Creating a Rogue AP Rule Groups Template
• Viewing Deployed Rogue AP Rules

Viewing Deployed Rogue AP Rules

You can view and edit the Rogue AP Rules that you previously deployed.

Step 1 Choose Monitor > Network > Network Devices > Wireless Controllers .

Step 2 Click on a Device Name, then select Security > Wireless Protection Policies > Rogue AP Rules .

Step 3 Click on a Rogue AP Rule name to edit the rule.

Step 4 To view Rogue AP alarms, click the Alarm Summary at the top right of the page, then select Rogue AP . You can also choose Dashboard > Wireless > Security to view Rogue AP information.

Related Topics

• Monitoring Alarms
• Where to Find Alarms

Friendly Access Point Templates

This template allows you to import friendly internal access points. Importing these friendly access points prevents non-lightweight access points from being falsely identified as rogues. Friendly Internal access points were previously referred to as Known APs. The Friendly AP page identifies the MAC address of an access point, status, any comments, and whether or not the alarm is suppressed for this access point.

Creating a Friendly Access Point Template

To view or edit the current list of friendly access points, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Friendly AP .

Step 2 To import an access point, click Import CSV . Then enter the file path or click Browse to navigate to the CSV file containing the MAC addresses.

Use a line break to separate MAC addresses. For example, enter the MAC addresses as follows:
00:00:11:22:33:44
00:00:11:22:33:45
00:00:11:22:33:46

Step 3 To manually add an access point, enter the MAC address for the access point.

Step 4 Choose Internal access point from the Status drop-down list.

Step 5 Enter a comment regarding this access point, if necessary.

Step 6 Select the Suppress Alarms check box to suppress all alarms for this access point.

Step 7 Click Save as New Template .

To modify an existing friendly access point, choose Configuration > Network > Network Devices > Controller , and click the controller Device Name, then select Security > Rogue > Friendly Internal , and click the MAC address of an access point. Make the necessary changes to the access point, and click Save .

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Ignored Rogue AP Templates

The Ignored Rogue AP Template page allows you to create or modify a template for importing ignored access points. Access points in the Ignored AP list are not identified as rogues. You create an Ignored Rogue AP Template with a specific MAC address, or a set of MAC addresses in a CSV file. The Ignored Rogue AP Template is not immediately applied to the controller. The next time the controller detects the rogue MAC address and informs Prime Infrastructure about it, Prime Infrastructure deletes the Rogue AP/Adhoc alarm from its database and this MAC address is added to the controller’s Rogue AP Ignore-List.

Creating Ignored Rogue AP Templates

To add or edit the Ignored Rogue access points, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Ignored Rogue AP .

Step 2 To import an ignored rogue access point, click Import CSV . Then enter the file path or click Browse to navigate to the CSV file containing the MAC addresses.

Use a line break to separate MAC addresses. For example, enter the MAC addresses as follows:
00:00:11:22:33:44
00:00:11:22:33:45
00:00:11:22:33:46

Step 3 To manually add an ignored rogue access point, unselect the Import from File check box.

Step 4 Enter the MAC address and comment for the rogue access point.

Step 5 Click Save as a New Template .

If you remove the MAC address from the Ignored AP list, the MAC address is removed from the Rogue AP Ignore-List on the controller.

Related Topics

• Adding Controller Templates
• Deleting Controller Templates
• Applying Controller Templates

Creating Load Balancing Templates

To configure load balancing templates, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Load Balancing .

Step 2 Enter a value between 1 and 20 for the client window size.

The page size becomes part of the following algorithm that determines whether an access point is too heavily loaded to accept more client associations:

load-balancing page + client associations on AP with lightest load = load-balancing threshold

In the group of access points accessible to a client device, each access point has a different number of client associations. The access point with the lowest number of clients has the lightest load. The client page size plus the number of clients on the access point with the lightest load forms the threshold. Access points with more client associations than this threshold is considered busy, and clients can associate only to access points with client counts lower than the threshold.

Step 3 Enter a value between 0 and 10 for the max denial count. The denial count sets the maximum number of association denials during load balancing.

Step 4 Click Save as New Template .

Related Topics

• Creating 802.11 Templates
• Creating Band Selection Templates
• Creating Media Stream for Controller Templates (802.11)

Creating Band Selection Templates

To configure band selection templates, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Band Select .

Step 2 Enter a value between 1 and 10 for the probe cycle count .

The cycle count sets the number of suppression cycles for a new client. The default cycle count is 2.

Step 3 Enter a value between 1 and 1000 milliseconds for the scan cycle period threshold .

This setting determines the time threshold during which new probe requests from a client come from a new scanning cycle. The default cycle threshold is 200 milliseconds.

Step 4 Enter a value between 10 and 200 seconds for the age out suppression field.

Age-out suppression sets the expiration time for pruning previously known 802.11b/g clients. The default value is 20 seconds. After this time elapses, clients become new and are subject to probe response suppression.

Step 5 Enter a value between 10 and 300 seconds for the age out dual band field.

The age-out period sets the expiration time for pruning previously known dual-band clients. The default value is 60 seconds. After this time elapses, clients become new and are subject to probe response suppression.

Step 6 Enter a value between –20 and –90 dBm for the acceptable client RSSI field.

This field sets the minimum RSSI for a client to respond to a probe. The default value is –80 dBm.

Step 7 Click Save .

Related Topics

• Creating 802.11 Templates
• Creating Load Balancing Templates
• Creating Preferred Call Templates
• Creating Media Stream for Controller Templates (802.11)

Creating Preferred Call Templates

To add or modify preferred call templates, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Preferred Call.

Step 2 Configure the following Preferred Call parameters:

• Template Name—Enter a template name which is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
• Number Id—Enter a value to identify the preferred number. You can have a maximum of six preferred call numbers. The valid range is from 1 to 6. The default value is 1.
• Preferred Number—Enter the preferred call number.

Step 3 Click Save as New Template .

Related Topics

• Creating 802.11 Templates
• Creating Load Balancing Templates
• Creating Band Selection Templates
• Creating Media Stream for Controller Templates (802.11)

Creating Media Stream for Controller Templates (802.11)

To configure the media stream for a controller template for an 802.11 Radio, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Mediat Stream .

Step 2 Enter a name for the template.

Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.

Step 3 In the Media Stream Configuration group box, specify the following fields:

• Media Stream Name
• Multicast Destination Start IP —Start IP address of the media stream to be multicast.
• Multicast Destination End IP —End IP address of the media stream to be multicast.
• IPv4 or IPv6 multicast addresses are supported from controller Release 7.2.x.
• Maximum Expected Bandwidth —Maximum bandwidth that a media stream can use.

Step 4 In the R esource Reservation Control (RRC) Parameters group box, specify the following fields:

• Average Packet Size —Average packet size that a media stream can use.
• RRC Periodical Update —Resource Reservation Control calculations that are updated periodically; if disabled, RRC calculations are done only once when a client joins a media stream.
• RRC Priority —Priority of RRC with the highest at 1 and the lowest at 8.
• Traffic Profile Violation —Appears if the stream is dropped or put in the best effort queue if the stream violates the QoS video profile.
• Policy —Appears if the media stream is admitted or denied.

Step 5 Click Save .

Once saved, the template is displayed in the Template List page. In the Template List page, you can apply this template to controllers.

Related Topics

• Creating 802.11 Templates
• Creating Load Balancing Templates
• Creating Band Selection Templates
• Creating Preferred Call Templates
• Creating RF Profiles Templates (802.11)

Creating RF Profiles Templates (802.11)

To configure a RF Profile for a controller template for an 802.11 Radio, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > RF Profiles .

Step 2 Configure the following information:

• General

– Template Name —User-defined name for the template.

– Profile Name —User-defined name for the current profile.

– Description —Description of the template.

– Radio Type —The radio type of the access point. This is a drop-down list from which you can choose an RF profile for APs with 802.11a or 802.11b radios.

• TPC (Transmit Power Control)

– Minimum Power Level Assignment (-10 to 30 dBm) —Indicates the minimum power assigned. Range: -10 to 30 dBm Default: -10 dBm.

– Maximum Power Level Assignment (-10 to 30 dBm) —Indicates the maximum power assigned. Range: -10 to 30 dBm Default: 30 dBm.

– Power Threshold v1(-80 to -50 dBm) —Indicates the transmitted power threshold.

– Power Threshold v2(-80 to -50 dBm) —Indicates the transmitted power threshold.

• Data Rates —Use the Data Rates drop-down lists to specify the rates at which data can be transmitted between the access point and the client. The following data rates are available:

– 802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps.

– 802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps

For each data rate, choose one of these options:

– Mandatory —Clients must support this data rate to associate to an access point on the controller.

– Supported —Any associated clients that support this data rate might communicate with the access point using that rate. However, the clients are not required to be able to use this rate to associate.

– Disabled —The clients specify the data rates used for communication.

• Band Selec t—The Band Select feature enables you to balance client distribution among both serving radios when APs are serving hundreds of clients in a dense auditorium or stadium sites. Band Select discovers the client capabilities to verify whether client can associate on both 2.4 GHz and 5Ghz spectrum. Enabling band select on a WLAN, forces AP to do a probe suppression on 2.4GHz that ultimately moves dual band clients to 5Ghz spectrum. In the Band Select group box, specify the following:

– Probe Response

– Cycle Count(1 to 10 Cycles)

– Cycle Threshold(1 to 1000 msecs)

– Suppression Expire(10 to 200 secs)

– Dual Band Expire(10 to 300 secs)

– Client RSSI(-90 to -20 dBm)

• High Density Configurations

– Maximum Clients —Specify the maximum number of clients

• Multicast Configurations

– Multicast Data Rate —From the Multicast Data Rate drop-down list, choose the data rate. The value “auto” indicates that the AP automatically adjusts data rate with client.

• Coverage Hole Detection

– Data RSSI(-90 to -60 dBm) —Enter the minimum receive signal strength indication (RSSI) value for data packets received by the access point. The value that you enter is used to identify coverage holes (or areas of poor coverage) within your network. If the access point receives a packet in the data queue with an RSSI value below the value that you enter here, a potential coverage hole has been detected. The valid range is –90 to –60 dBm, and the default value is –80 dBm. The access point takes data RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.

– Voice RSSI(-90 to -60 dBm) —Enter the minimum receive signal strength indication (RSSI) value for voice packets received by the access point. The value that you enter is used to identify coverage holes within your network. If the access point receives a packet in the voice queue with an RSSI value below the value that you enter here, a potential coverage hole has been detected. The valid range is –90 to –60 dBm, and the default value is –75 dBm. The access point takes voice RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.

– Coverage Exception(1 to 75 Clients) —Enter the minimum number of clients on an access point with an RSSI value at or below the data or voice RSSI threshold. The valid range is 1 to 75, and the default value is 3.

– Coverage Level(0 to 100%) —In the Coverage Exception Level per AP text box, enter the percentage of clients on an access point that are experiencing a low signal level but cannot roam to another access point. The valid range is 0 to 100%, and the default value is 25%.

• Load Balancing

– Window(0 to 20 Clients) —Enter a value between 1 and 20. The window size becomes part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations.

– Denial(1 to 10) —Enter a value between 0 and 10. The denial count sets the maximum number of association denials during load balancing.

Step 3 Click Save .

Related Topics

• Creating 802.11 Templates
• Creating Load Balancing Templates
• Creating Band Selection Templates
• Creating Preferred Call Templates

SIP Snooping

Keep the following guidelines in mind when using SIP Snooping:

• SIPs are available only on the Cisco 5500 Series Controllers and on the 1240, 1130, and 11n access points.
• SIP CAC should only be used for phones that support status code 17 and do not support TSPEC-based admission control.
• SIP CAC will be supported only if SIP snooping is enabled.

Creating SIP Snooping

To configure SIP Snooping for a controller, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > SIP Snooping .

Step 2 Configure the following fields:

• Port Start
• Port End

If single port is to be used, configure both start and end port fields with same number.

Step 3 Click Save as New Template .

Related Topics

• Creating 802.11 Templates
• Creating Load Balancing Templates
• Creating Band Selection Templates
• Creating Preferred Call Templates
• Creating RF Profiles Templates (802.11)

Creating 802.11a/n Radio Templates

You can create or modify a 802.11a/n radio template for a wireless controller and/or apply specific settings to controller(s).

Related Topics

• Creating 802.11a/n Parameters Templates
• Creating 802.11a/n Media Parameters Controller Templates
• Creating 802.11a/n EDCA Parameters Through a Controller Template
• Creating 802.11a/n Roaming Parameters Template
• Creating an 802.11h Template
• Creating 802.11a/n High Throughput Template
• Creating 802.11a/n CleanAir Controller Templates
• Creating 802.11a/n RRM Templates

Creating 802.11a/n Parameters Templates

To add or modify radio templates, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > Parameters .

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 2 Select the check box if you want to enable 802.11a/n network status.

Step 3 In the Beacon Period field, enter the amount of time between beacons in kilo-microseconds. The valid range is from 20 to 1000 milliseconds.

Step 4 In the DTIM Period field, enter the number of beacon intervals that might elapse between transmission of beacon frames containing a traffic indicator message (TIM) element whose delivery count text box is 0. This value is transmitted in the DTIM period field of beacon frames. Shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.

Step 5 In the Fragmentation Threshold field, determine the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

Step 6 Enter the percentage for 802.11e Maximum Bandwidth.

Step 7 The client and controller negotiate data rates between them. It can range from 6 Mbps to 54 Mbps.

• If the data rate is set to Mandatory, the client must support it to use the network.
• If a data rate is set as Supported by the controller, any associated client that also supports that same rate might communicate with the access point using that rate.
• Each data rate can also be set to Disabled to match client settings.

Step 8 From the Channel List drop-down list in the Noise/Interference/Rogue Monitoring Channels section, choose between all channels , country channels , or DCA channels based on the level of monitoring you want. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation amongst a set of managed devices connected to the controller.

Step 9 Configure the CCX Location Measurement parameters:

• Select the Mode check box to enable the broadcast radio measurement request. When enabled, this enhances the location accuracy of clients.
• When the Mode check box is enabled, you can enter the time in seconds between requests in the Interval field.

Step 10 Click Save as New Template .

Related Topics

• Creating 802.11a/n Media Parameters Controller Templates
• Creating 802.11a/n EDCA Parameters Through a Controller Template
• Creating 802.11a/n Roaming Parameters Template
• Creating an 802.11h Template
• Creating 802.11a/n High Throughput Template
• Creating 802.11a/n CleanAir Controller Templates
• Creating 802.11a/n RRM Templates

Creating 802.11a/n Media Parameters Controller Templates

This page enables you to create or modify a template for configuring 802.11a/n voice fields such as call admission control and traffic stream metrics.

To add a new template with 802.11a/n voice fields information (such as Call Admission Control and traffic stream metrics) for a controller, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > Media Parameters .

Step 2 Specify an appropriate name for the template.

Step 3 On the Voice tab, configure the following fields:

• Select the Admission Control (ACM) check box to enable admission control.

For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.

• If Admission Control (ACM) is enabled, choose either load-based or static from the CAC method drop-down list.

Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.

• In the Maximum Bandwidth Allowed field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled. For controller versions 6.0.188.0 and earlier, the valid range is 40 to 85. For controller versions 6.0.188.1 and later, the valid range is 5 to 85, and the default is 75.
• In the Reserved Roaming Bandwidth field, specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25, and the default is 6.
• Select the Expedited Bandwidth check box to enable expedited bandwidth as an extension of CAC for emergency calls.

You must have an expedited bandwidth IE that is CCXv5 compliant so that a TSPEC request is given higher priority.

• Select the SIP CAC check box to enable SIP CAC.
• Choose the appropriate option from the SIP Codec drop-down list. The available options are G.711 , G.729 , and User Defined .
• In the SIP Call Bandwidth field, specify the bandwidth in kilobits per second that you want to assign per SIP call on the network. This field can be configured only when the SIP Codec selected is User Defined.
• In the SIP Sample Interval field, specify the sample interval in milliseconds that the Codec must operate in.
• Select the Metric Collection check box to enable metric collection.

Traffic stream metrics are a series of statistics about VoIP over your wireless LAN which inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11a/n interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.

Step 4 On the Video tab, configure the following fields:

• Select the Admission Control (ACM) check box to enable admission control.
• In the Maximum Bandwidth Allowed field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
• In the Reserved Roaming Bandwidth field, specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25.
• From the SIP Codec drop-down list, choose one of the following options to set the CAC method.
• Select the SIP CAC check box to enable Static CAC support. SIP CAC will be supported only if SIP snooping is enabled.
• Select the Unicast Video Redirect check box to enable all non-media stream packets in video queue are redirected to the best effort queue. If disabled, all packets with video marking are kept in video queue.
• Specify the physical data rate required for the client to join a media stream from the Client Minimum Phy Rate drop-down list.
• Select the Multicast Direct Enable check box to set the Media Direct for any WLAN with Media Direct enabled on a WLAN on this radio.
• In the Maximum Number of Streams per Radio field, specify the maximum number of streams per radio to be allowed.
• In the Maximum Number of Streams per Client field, specify the maximum number of streams per client to be allowed.
• Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used. If disabled and maximum video bandwidth has been used, then any new client request is rejected.
• In the Maximum Retry Percentage field, specify the maximum retry percentage value.

Step 5 On the General tab, specify the following field:

• In the Maximum Media Bandwidth field, specify the percentage of maximum of bandwidth allowed. This option is only available when CAC is enabled.

Step 6 Click Save as New Template .

Related Topics

• Creating 802.11a/n EDCA Parameters Through a Controller Template
• Creating 802.11a/n Parameters Templates
• Creating 802.11a/n Roaming Parameters Template
• Creating an 802.11h Template
• Creating 802.11a/n High Throughput Template
• Creating 802.11a/n CleanAir Controller Templates
• Creating 802.11a/n RRM Templates

Creating 802.11a/n EDCA Parameters Through a Controller Template

Enhanced Distributed Channel Access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality of service (QoS) traffic.

You must shut down radio interface before configuring EDCA Parameters

To add or configure 802.11a/n EDCA parameters through a controller template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > EDCA Parameters.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names. .

Step 2 Choose one of the following options from the EDCA Profile drop-down list:

• WMM —Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this option when voice or video services are not deployed on your network.
• Spectralink Voice Priority —Enables Spectralink voice priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.
• Voice Optimized —Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than Spectralink are deployed on your network.
• Voice & Video Optimized —Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network.Video services must be deployed with admission control (ACM). Video services without ACM are not supported.

Step 3 Select the Low Latency MAC check box to enable this feature. Enable low latency MAC only if all clients on the network are WMM compliant.

Related Topics

• Creating 802.11a/n Roaming Parameters Template
• Creating 802.11a/n Parameters Templates
• Creating 802.11a/n Media Parameters Controller Templates
• Creating an 802.11h Template
• Creating 802.11a/n High Throughput Template
• Creating 802.11a/n CleanAir Controller Templates
• Creating 802.11a/n RRM Templates

Creating 802.11a/n Roaming Parameters Template

To add or modify an existing roaming parameter template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > Roaming Parameters.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 2 Use the Mode drop-down list to choose one of the configurable modes.

• Default values—When this option is chosen, the roaming parameters are unavailable with the default values displayed in the text boxes.
• Custom values—When this option is chosen, the roaming parameters can be edited in the text boxes. To edit the parameters, continue to Step 6.

Step 3 In the Minimum RSSI field, enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point. If the average received signal power of the client dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.

Step 4 In the Roaming Hysteresis field, enter a value to indicate how strong the signal strength of a neighboring access point must be for the client to roam to it. This field is intended to reduce the amount of ping between access points if the client is physically located on or near the border between two access points.

Step 5 In the Adaptive Scan Threshold field, enter the RSSI value from the associated access point of the client, below which the client must be able to roam to a neighboring access point within the specified transition time. This field also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.

Step 6 In the Transition Time field, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the associated access point of the client is below the scan threshold.

The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.

Step 7 Click Save as New Template .

Related Topics

• Creating an 802.11h Template
• Creating 802.11a/n Parameters Templates
• Creating 802.11a/n Media Parameters Controller Templates
• Creating 802.11a/n EDCA Parameters Through a Controller Template
• Creating 802.11a/n High Throughput Template
• Creating 802.11a/n CleanAir Controller Templates
• Creating 802.11a/n RRM Templates

Creating an 802.11h Template

802.11h informs client devices about channel changes and can limit the transmit power of the client device. You can create or modify a template for configuring 802.11h parameters (such as power constraint and channel controller announcement) and apply these settings to multiple controllers.

To add or modify an 802.11h template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > 802.11h.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 2 Select the Power Constraint check box if you want the access point to stop transmission on the current channel.

Step 3 Select the Channel Announcement check box to enable channel announcement. Channel announcement is a method in which the access point announces when it is switching to a new channel and the new channel number.

Step 4 Click Save as New Template .

Related Topics

• Creating 802.11a/n High Throughput Template
• Creating 802.11a/n Parameters Templates
• Creating 802.11a/n Media Parameters Controller Templates
• Creating 802.11a/n EDCA Parameters Through a Controller Template
• Creating 802.11a/n Roaming Parameters Template
• Creating 802.11a/n CleanAir Controller Templates
• Creating 802.11a/n RRM Templates

Creating 802.11a/n High Throughput Template

To add or modify to an 802.11a/n high throughput template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > High Throughput (802.11n or ac).

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 2 Select the 802.11n Network Status check box to enable high throughput.

Step 3 The 802.11ac Network Status check box can be enabled and is supported from WLC version 7.5 onwards.

Step 4 In the MCS (Data Rate) Settings column, choose which level of data rate you want supported. Modulation coding schemes (MCS) are similar to 802.11a data rate. As a default, 20 MHz and short guarded interval is used. When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.

Step 5 Click Save as New Template .

Related Topics

• Creating 802.11a/n CleanAir Controller Templates
• Creating 802.11a/n Parameters Templates
• Creating 802.11a/n Media Parameters Controller Templates
• Creating 802.11a/n EDCA Parameters Through a Controller Template
• Creating 802.11a/n Roaming Parameters Template
• Creating an 802.11h Template
• Creating 802.11a/n RRM Templates

Creating 802.11a/n CleanAir Controller Templates

You can configure the template to enable or disable CleanAir, reporting and alarms in 802.11a/n radio for the controllers. You can also configure the type of interfering devices to include for reporting and alarms.

To add a new template with 802.11a/n CleanAir information for a controller, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > CleanAir.

Step 2 Configure the following fields:

• Select the CleanAir check box to enable CleanAir functionality on the 802.11 b/g/n network, or unselect to prevent the controller from detecting spectrum interference. If CleanAir is enabled, the Reporting Configuration and Alarm Configuration group boxes appear.
• Reporting Configuration—Use the fields in this group box to configure the interferer devices you want to include for your reports.

– Select the Report Interferers check box to enable CleanAir system to report and detect sources of interference.

Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferences Selected for Reporting box and any that do not need to be detected appear in the Interferences Ignored for Reporting box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources are ignored.

– Select the Persistent Device Propagation check box to enable propagation of information about persistent devices that can be detected by CleanAir. Persistent device propagation enables designating information about interference types and propagating this information to the neighboring access points. Persistent interferers are present at the a location and interfere with the WLAN operations even if they are not detectable at all times.

• Alarm Configuration—This group box enables you to configure triggering of air quality alarms.

– Select the Air Quality Alarm check box to enable the triggering of air quality alarms.

– If you selected the Air Quality Alarm check box, enter a value between 1 and 100 (inclusive) in the Air Quality Alarm Threshold field to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered.

– Select the Air Quality Unclassified category Alarm check box to enable the alarms to be generated for unclassified interference category. CleanAir can detect and monitor unclassified interferences. Unclassified interference are interference that are detected but do not correspond to any of the known interference types.