Field Reference
This section provides field descriptions for various screens.
This chapter is incomplete. It will contain GUI descriptions for complicated screens that require additional explanation. We will cross-reference from the task procedures in various parts of the User Guide to this section.
Configuration Templates Field Descriptions
The following sections contain field descriptions for pages found in Design > Configuration Templates > Features and Technologies:
• Controller Templates Field Descriptions
Controller Templates Field Descriptions
The following sections contain field descriptions for pages found in Design > Configuration Templates > Features and Technologies > Controller.
System > General Template
Table 21-1 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > System > General page.
Table 21-1 Controller > System > General Template Field Descriptions
Field | Description
802.3x Flow Control Mode | Enable or disable flow control mode.
802.3 Bridging | Enable or disable 802.3 bridging. Note: This 802.3 bridging option is not available for 5500 and 2106 series controllers.
Web Radius Authentication | Choose the desired Web RADIUS authentication. You can choose PAP, CHAP, or MD5-CHAP for authentication between the controller and the client during the user credential exchange.
AP Primary Discovery Timeout | Specify the number of seconds for the AP Primary Discovery Timeout. The default is 120 seconds, and the valid range is 30 to 3600.
Back-up Primary Controller IP Address | Specify the back-up primary and secondary controller details (controller IP address and controller name) in these four fields.
Back-up Primary Controller Name | See Back-up Primary Controller IP Address.
Back-up Secondary Controller IP Address | See Back-up Primary Controller IP Address.
Back-up Secondary Controller Name | See Back-up Primary Controller IP Address.
CAPWAP Transport Mode | Specify Layer 2 or Layer 3 transport mode. When set to Layer 3, the lightweight access point uses IP addresses to communicate with the access points; these IP addresses are collected from a mandatory DHCP server. When set to Layer 2, the lightweight access point uses proprietary code to communicate with the access points. Note: Controllers through Version 5.2 use LWAPP; newer controller versions use CAPWAP.
Broadcast Forwarding | Choose to enable or disable broadcast forwarding. The default is disabled.
LAG Mode | Choose Enable or Disable from the LAG Mode drop-down list. Link aggregation allows you to reduce the number of IP addresses needed to configure the ports on your controller by grouping all the physical ports and creating a link aggregation group (LAG). If LAG is enabled on a controller, any dynamic interfaces that you have created are deleted to prevent configuration inconsistencies in the interface database. When you make changes to the LAG configuration, the controller has to be rebooted for the changes to take effect. Interfaces cannot be created with the Dynamic AP Manager flag set. Also, you cannot create more than one LAG on a controller.
Peer to Peer Blocking Mode | Choose to enable or disable peer-to-peer blocking mode. If you choose Disable, any same-subnet clients communicate through the controller. If you choose Enable, any same-subnet clients communicate through a higher-level router.
Over-the-Air Provisioning AP Mode | From the Over Air AP Provision Mode drop-down list, choose Enable or Disable.
AP Fallback | From the AP Fallback drop-down list, choose Enable or Disable. Enabling fallback causes an access point that lost a primary controller connection to automatically return to service when the primary controller returns.
AP Failover Priority | When a controller fails, the backup controller configured for the access point suddenly receives a number of discovery and join requests. This might cause the controller to reach a saturation point and reject some of the access points. By assigning priority to an access point, you have some control over which access points are rejected. In a failover situation when the backup controller is saturated, the higher priority access points can join the backup controller if the lower priority access points are disjoined. Choose Enable from the AP Failover Priority drop-down list if you want to allow this capability.
Apple Talk Bridging | Choose to enable or disable AppleTalk bridging. This AppleTalk bridging option is not available on 5500 series controllers.
Fast SSID Change | Choose to enable or disable the Fast SSID Change option. If the option is enabled, the client connects instantly to the controller between SSIDs without much loss of connectivity. Normally, each client is connected to a particular WLAN identified by the SSID. If the client moves out of reach of the connected access point, the client has to reconnect to the controller using a different access point. This normal process consumes some time because the DHCP (Dynamic Host Configuration Protocol) server has to assign an IP address to the client.
Master Controller Mode | Because the master controller is normally not used in a deployed network, the master controller setting is automatically disabled upon reboot or operating system code upgrade. You might want to enable the controller as the master controller from the Master Controller Mode drop-down list.
Wireless Management | Choose to enable or disable access to the controller management interface from wireless clients. Because of IPsec operation, management via wireless is only available to operators logging in across WPA or Static WEP. Wireless management is not available to clients attempting to log in via an IPsec WLAN.
Symmetric Tunneling Mode | Choose to enable or disable symmetric tunneling mode. With symmetric mobility tunneling, the controller provides inter-subnet mobility for clients roaming from one access point to another within a wireless LAN. The client traffic on the wired network is directly routed by the foreign controller. If a router has Reverse Path Forwarding (RPF) enabled (which provides additional checks on incoming packets), the communication is blocked. Symmetric mobility tunneling allows the client traffic to reach the controller designated as the anchor, even with RPF enabled. All controllers in a mobility group should have the same symmetric tunneling mode. For symmetric tunneling to take effect, you must reboot.
ACL Counters | Use the ACL Counters drop-down list to enable or disable ACL counters. The values per ACL rule can be viewed for each controller.
Default Mobility Domain Name | Enter the operator-defined RF mobility group name in the Default Mobility Domain Name text box.
Mobility Anchor Group Keep Alive Interval | At the Mobility Anchor Group Keep Alive Interval, determine the delay between tries for clients attempting to join another access point. With this guest tunneling N+1 redundancy feature, the time it takes for a client to join another access point following a controller failure is decreased because a failure is quickly identified, the clients are moved away from the problem controller, and the clients are anchored to another controller. When you hover your mouse cursor over the field, the valid range of values appears.
Mobility Anchor Group Keep Alive Retries | At the Mobility Anchor Group Keep Alive Retries, specify the number of queries to the anchor before the client declares it unreachable.
RF Network Name | Enter the RF network group name, between 8 and 19 characters. Radio Resource Management (RRM) neighbor packets are distributed among access points within an RF network group. The Cisco access points only accept RRM neighbor packets sent with this RF network name. RRM neighbor packets sent with different RF network names are dropped.
User Idle Timeout | Specify the timeout for idle clients. The factory default is 300 seconds. When the timeout expires, the client loses authentication, briefly disassociates from the access point, reassociates, and re-authenticates.
ARP Timeout | Specify the timeout in seconds for the Address Resolution Protocol. The factory default is 300 seconds.
Global TCP Adjust MSS | Select the Global TCP Adjust MSS check box to start checking the TCP packets originating from the client for TCP SYN/TCP ACK packets and the MSS value, and to reset it to the configured value on the upstream and downstream side.
Disable local access |
Out of Box |
Web Auth Proxy Redirect Mode | Choose Enable or Disable. Web Auth Proxy Redirect applies when a manual proxy configuration is configured on the browser of the client; all web traffic going out from the client is destined for the proxy IP and port configured on the browser.
Web Auth Proxy Redirect Port | Enter the Web Auth Proxy Redirect Port. The default ports are 8080 and 3128. The range is 0 to 65535.
AP Retransmit Count | Enter the AP Retransmit Count. The default value is 5 and the range is from 3 to 8.
AP Retransmit Interval | Enter the AP Retransmit Interval. The default value is 3 and the range is 2 to 5.
System > Global CDP Configuration Template
Table 21-2 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > System > Global CDP Configuration page.
Table 21-2 Controller > System > Global CDP Configuration Template Field Descriptions
Field | Description
CDP on controller | Choose to enable or disable CDP on the controller. Note: This configuration cannot be applied on WiSM2 controllers.
Global CDP on APs | Choose to enable or disable CDP on the access points.
Refresh Interval | Enter the time in seconds at which CDP messages are generated. The default is 60.
Hold Time | Enter the time in seconds before the CDP neighbor entry expires. The default is 180.
CDP Advertisement Version | Specify which version of the CDP protocol to use. The default is v1.
Ethernet Interface Slot | Select the slots of Ethernet interfaces for which you want to enable CDP. Note: The CDP for Ethernet Interfaces fields are supported for Controller Version 7.0.110.2 and later.
Radio Interface Slot | Select the slots of radio interfaces for which you want to enable CDP. Note: The CDP for Radio Interfaces fields are supported for Controller Version 7.0.110.2 and later.
System > Dynamic Interface Template
Table 21-3 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > System > Dynamic Interface page.
Table 21-3 Controller > System > Dynamic Interface Field Descriptions
Field | Description
Guest LAN | Select to mark the interface as wired.
Quarantine |
Netmask | Enter the netmask of the interface.
LAG Mode |
Primary Port Number | Enter the port currently used by the interface.
Secondary Port Number | Enter a secondary port to be used by the interface when the primary port is down. When the primary port is reactivated, the Cisco 4400 Series Wireless LAN Controller transfers the interfaces back to the primary port. Note: Primary and secondary port numbers are present only in the Cisco 4400 Series Wireless LAN Controllers.
AP Management |
Primary DHCP Server | Enter the IP addresses of the primary and secondary DHCP servers in these two fields.
Secondary DHCP Server | See Primary DHCP Server.
ACL Name | Choose a name from the list of defined names.
From the Add Format Type drop-down list in the Add Interface Format Type group box, choose either Device Info or File. If you choose Device Info, you must configure the device-specific fields for each controller. If you choose File, you must configure the CSV device-specific fields (Interface Name, VLAN Identifier, Quarantine VLAN Identifier, IP Address, and Gateway) for all the managed controllers specified in the CSV file (see Table 21-4). If you choose Device Info, continue to Step 12.
The sample CSV files are as follows.
Table 21-4 Sample CSV Files
ip_address | interface_name | vlan_id | quarantine_vlan_id | interface_ip_address | gateway
209.165.200.224 | dyn-1 | 1 | 2 | 209.165.200.228 | 209.165.200.229
209.165.200.225 | interface-1 | 4 | 2 | 209.165.200.230 | 209.165.200.231
209.165.200.226 | interface-2 | 5 | 3 | 209.165.200.232 | 209.165.200.233
209.165.200.227 | dyna-2 | 2 | 3 | 209.165.200.234 | 209.165.200.235
The first row of the CSV file is used to describe the columns included. The CSV files can contain the following fields:
• ip_address
• interface_name
• vlan_id
• quarantine_vlan_id
• interface_ip_address
• gateway
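A CSV that is applied to every managed controller in one step deserves a sanity check before import, because a malformed row is pushed to all of them at once and, as noted below, interface changes temporarily disable the WLANs. The following validator is an added example, not Cisco code or part of Prime Infrastructure; it checks the six documented column names, parses every address with the standard ipaddress module, and rejects VLAN IDs outside 1 to 4094 and duplicate interface names or interface IP addresses on the same controller. The VLAN range and the uniqueness rules are this example's own assumptions, not something the field reference states; the sample rows are those of Table 21-4, assembled into a CSV with a header row, and the second sample is constructed with deliberate defects.

```python
"""Pre-import validation for a Prime Infrastructure dynamic-interface CSV.

Added example (not from the Cisco documentation or product). Assumptions not
stated in the field reference: VLAN IDs must be 1-4094, and interface names
and interface IP addresses must be unique per controller (ip_address column).
"""
import csv
import io
import ipaddress

# Column names as listed in the field reference, in header-row order.
REQUIRED_COLUMNS = ("ip_address", "interface_name", "vlan_id",
                    "quarantine_vlan_id", "interface_ip_address", "gateway")

# Constructed sample: the rows of Table 21-4 with a header row added.
SAMPLE_CSV = """ip_address,interface_name,vlan_id,quarantine_vlan_id,interface_ip_address,gateway
209.165.200.224,dyn-1,1,2,209.165.200.228,209.165.200.229
209.165.200.225,interface-1,4,2,209.165.200.230,209.165.200.231
209.165.200.226,interface-2,5,3,209.165.200.232,209.165.200.233
209.165.200.227,dyna-2,2,3,209.165.200.234,209.165.200.235
"""

# Constructed sample with deliberate defects: an out-of-range VLAN, a bad
# gateway, and a repeated interface name / interface IP on one controller.
BAD_CSV = """ip_address,interface_name,vlan_id,quarantine_vlan_id,interface_ip_address,gateway
209.165.200.224,dyn-1,1,2,209.165.200.228,209.165.200.229
209.165.200.224,dyn-1,4095,2,209.165.200.228,not-an-ip
"""


def _vlan_ok(value):
    """True when value is an integer VLAN ID in 1-4094 (assumed range)."""
    try:
        return 1 <= int(value) <= 4094
    except ValueError:
        return False


def _ip_ok(value):
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_interface_csv(text):
    """Return a list of problem strings; an empty list means the file is clean."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return ["missing column(s): " + ", ".join(missing)]

    problems = []
    seen = set()  # (controller ip, column, value) triples already used
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        for col in ("ip_address", "interface_ip_address", "gateway"):
            if not _ip_ok(row[col]):
                problems.append(f"line {line_no}: {col} {row[col]!r} is not a valid IP address")
        for col in ("vlan_id", "quarantine_vlan_id"):
            if not _vlan_ok(row[col]):
                problems.append(f"line {line_no}: {col} {row[col]!r} is outside 1-4094")
        for col in ("interface_name", "interface_ip_address"):
            key = (row["ip_address"], col, row[col])
            if key in seen:
                problems.append(f"line {line_no}: duplicate {col} {row[col]!r} "
                                f"on controller {row['ip_address']}")
            seen.add(key)
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CSV), ("bad", BAD_CSV)):
        print(label, validate_interface_csv(text) or "ok")
```

Run it against the real export file by reading the file into a string and passing it to validate_interface_csv; an empty result means every row at least parses, which is the minimum you want before the template fans out to all controllers named in the file.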
If you choose Apply to Controllers, you advance to the Apply To page where you can configure device-specific fields for each controller.
Use the Add and Remove options to configure device-specific fields for each controller. If you click Edit, a dialog box appears with the current parameter input. Make the necessary changes in the dialog box, then click OK.
Note: If you change the interface fields, the WLANs are temporarily disabled, so you might lose connectivity for some clients. Any changes to the interface fields are saved only after you successfully apply them to the controller(s).
Note: If you remove an interface here, it is removed only from this template and not from the controllers.
WLANs > WLAN Configuration Template
The following tables describe the fields on the Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration page.
• Table 21-5—General Tab
• Table 21-6—Security Tab
• Table 21-7—QoS Tab
• Table 21-8—Advanced Tab
• Table 21-9—Hot Spot Tab
WLANs > WLAN Configuration > General Tab
Table 21-5 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration > General page.
Table 21-5 Controller > WLANs > WLAN Configuration > General Tab Field Descriptions
Field | Description
Wired Lan | Check the box to indicate whether or not this WLAN is a wired LAN. Note: Specify if you want guest users to have wired guest access from an Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or specific ports in a conference room, and accounts are added to the network using the Lobby Ambassador portal. (The Egress or Ingress interface configurations are applicable for wired LAN only.) Use the Type drop-down list to select the type of the wired LAN: Guest LAN indicates that this wired LAN is a Guest LAN; if you select the Guest LAN option, you need to select an Ingress interface that has not already been assigned to any Guest LAN. Remote LAN indicates that this wired LAN is a Remote LAN.
Profile Name | Enter a name in the Profile Name text box that identifies the WLAN or the guest LAN. Do not use any spaces in the name entered.
SSID | Enter the name of the WLAN SSID. An SSID is not required for a guest LAN. WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes.
Status | Select the Enable check box for the Status field.
Security Policies | Modifications you make in the Security tab appear here after you save the template.
Radio Policy | Set the WLAN policy to apply to All (802.11a/b/g/n), 802.11a only, 802.11g only, 802.11b/g only, or 802.11a/g only.
Interface/Interface Group | Choose from the available names of interfaces created by the Controller > Interfaces module.
Egress Interface | From the Egress Interface drop-down list, choose the Egress interface that you created in the "Creating an Egress Interface" section. This provides a path out of the controller for wired guest client traffic.
Ingress Interface | From the Ingress Interface drop-down list, choose the Ingress interface that you created in the "Creating an Ingress Interface" section. This provides a path between the wired guest client and the controller by way of the Layer 2 access switch.
Multicast VLAN | Select the Enable check box to enable the multicast VLAN feature. From the Multicast VLAN Interface drop-down list, choose the appropriate interface name. This list is automatically populated when you enable the multicast VLAN feature.
Broadcast SSID | Click to activate SSID broadcasts for this WLAN.
Related Topics
• Table 21-6—Security Tab
• Table 21-7—QoS Tab
• Table 21-8—Advanced Tab
• Table 21-9—Hot Spot Tab
WLANs > WLAN Configuration > Security Tab
Table 21-6 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration > Security page.
Table 21-6 Controller > WLANs > WLAN Configuration > Security Tab Field Descriptions
Field | Description
None | No Layer 2 security selected. FT Enable—Select the check box to enable Fast Transition (FT) between access points. Note: Fast transition is not supported with FlexConnect mode. Over the DS—Select the check box to enable or disable fast transition over a distributed system. Reassociation Timeout—Time in seconds after which fast transition reassociation times out. The default is 20 seconds, and the valid range is 1 to 100. To enable Over the DS or Reassociation Timeout, you must enable fast transition.
802.1X | WEP 802.1X data encryption type (Note 1): 40/64 bit key, 104 bit key, or 152 bit key.
Static WEP | Static WEP encryption fields. Key sizes: Not set, 40/64, 104, and 152 bit key sizes. Key Index: 1 to 4 (Note 2). Encryption Key: Encryption key required. Key Format: ASCII or HEX. Allowed Shared Key Authentication—Select the check box to enable shared key authentication. Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.
Static WEP-802.1X | Use this setting to enable both Static WEP and 802.1X policies. If this option is selected, static WEP and 802.1X fields are displayed at the bottom of the page. Static WEP encryption fields. Key sizes: Not set, 40/64, 104, and 152 bit key sizes. Key Index: 1 to 4 (Note 2). Encryption Key: Enter the encryption key. Key Format: ASCII or HEX. Allowed Shared Key Authentication—Select the check box to enable. 802.1X Data Encryption: 40/64 bit key, 104 bit key, or 152 bit key.
CKIP | Cisco Key Integrity Protocol (CKIP). A Cisco access point advertises support for CKIP in beacon and probe response packets. CKIP can be configured only when Aironet IE is enabled on the WLAN. Note: CKIP is not supported on 10xx APs. When selected, these CKIP fields are displayed. Key size: Not set, 40, or 104. Key Index: 1 to 4. Encryption Key: Specify the encryption key. Key Format: ASCII or HEX. Note: Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device. MMH Mode—Select the check box to enable. Key Permutation—Select the check box to enable.
MAC Filtering | Check to filter clients by MAC address. Note: The ability to join a controller without being specified in a MAC filter list is only supported on mesh access points. Note: For releases prior to 4.1.82.0, mesh access points do not join the controller unless they are defined in the MAC filter list. You might want to disable the MAC filter list to allow newly added access points to join the controller. Before enabling the MAC filter list again, you should enter the MAC addresses of the new access points.
Authentication Key Management | Choose the desired type of authentication key management. The choices are 802.1X, CCKM, or PSK. Note: If you choose PSK, you must enter the shared key and type (ASCII or hexadecimal). Note: Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.
Layer 3 Security | Choose between None and VPN Pass Through. The page fields change according to the selection you make. If you choose VPN Pass Through, you must enter the VPN gateway address. Note: The VPN passthrough option is not available for the 2106 or 5500 series controllers.
Web Policy | You can modify the default static WEP (web authentication) or assign specific web authentication (login, logout, login failure) pages and the server source. 1. To change the static WEP to passthrough, select the Web Policy check box and choose the Passthrough option from the drop-down list. This option allows users to access the network without entering a username or password. An Email Input check box appears. Select this check box if you want users to be prompted for their e-mail address when attempting to connect to the network. 2. Choose the WebAuth on MAC Filter Failure option so that when clients fail the MAC filter, they are automatically switched to WebAuth. Note: The WebAuth on MAC Filter Failure option works only when the Layer 2 MAC Filtering option is enabled. 3. To specify custom web authentication pages, unselect the Global WebAuth Configuration Enable check box. When the Web Auth Type drop-down list appears, choose one of the following options to define the web login page for the wireless guest users. Default Internal—Displays the default web login page for the controller. This is the default value. Customized Web Auth—Displays custom web login, login failure, and logout pages. When the customized option is selected, three separate drop-down lists for login, login failure, and logout page selection appear. You do not need to define a customized page for all three of the options. Choose None from the appropriate drop-down list if you do not want to display a customized page for that option. These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar files. External—Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box. Note: External web auth is not supported for 2106 and 5500 series controllers. You can select specific RADIUS or LDAP servers to provide external authentication in the Security > AAA page. To do so, continue with Step 4. Note: The RADIUS and LDAP servers must already be configured to have selectable options in the Security > AAA page. You can configure these servers in the RADIUS Authentication Servers page and TACACS+ Authentication Servers page. 4. If you selected External as the Web Authentication Type in Step 2, choose Security > AAA, and choose up to three RADIUS and LDAP servers using the drop-down lists. Repeat this process if a second (anchor) controller is being used in the network.
Radius Server Overwrite | Check to send the client authentication request through the dynamic interface that is set on the WLAN. When you enable the Radius Server Overwrite Interface option, the WLC sources all RADIUS traffic for a WLAN using the dynamic interface configured on that WLAN. Note: You cannot enable Radius Server Overwrite Interface when Diagnostic Channel is enabled. Note: The Radius Server Overwrite Interface option is supported in controller Version 7.0.x and later. Select the Enable check boxes, then use the drop-down lists in the RADIUS and LDAP servers section to choose authentication and accounting servers. This selects the default RADIUS server for the specified WLAN and overrides the RADIUS server that is configured for the network. If all three RADIUS servers are configured for a particular WLAN, server 1 has the highest priority, and so on. If no LDAP servers are chosen here, Prime Infrastructure uses the default LDAP server order from the database.
Interim Update | Select to enable interim update for RADIUS Server Accounting. If you have selected this check box, specify the Interim Interval value. The range is 180 to 3600 seconds, and the default value is 0. Note: The Interim Interval can be entered only when Interim Update is enabled.
Local EAP Authentication | Select the Local EAP Authentication check box if you have an EAP profile already configured that you want to enable. Local EAP is an authentication method that allows users and wireless clients to authenticate locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down.
Allow AAA Override | When you enable AAA Override, and a client has conflicting AAA and controller WLAN authentication fields, client authentication is performed by the AAA server. As part of this authentication, the operating system moves clients from the default Cisco WLAN Solution to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system also uses the QoS and ACL provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as identity networking.) For instance, if the corporate WLAN primarily uses a management interface assigned to VLAN 2, and AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned. When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is only performed by the AAA server if the controller WLANs do not contain any client-specific authentication parameters. The AAA override values might come from a RADIUS server, for example.
Related Topics
• Table 21-5—General Tab
• Table 21-7—QoS Tab
• Table 21-8—Advanced Tab
• Table 21-9—Hot Spot Tab
WLANs > WLAN Configuration > QoS Tab
Table 21-7 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration > QoS page.
Table 21-7 Controller > WLANs > WLAN Configuration > QoS Tab Field Descriptions
Field | Description
Quality of Service (QoS) | Choose Platinum (voice), Gold (video), Silver (best effort), or Bronze (background). Services such as VoIP should be set to Gold, while non-discriminating services such as text messaging can be set to Bronze.
WMM Policy | Choose Disabled, Allowed (so clients can communicate with the WLAN), or Required to make it mandatory for clients to have WMM enabled for communication.
7920 AP CAC | Select to enable support on Cisco 7920 phones. If you want the WLAN to support older versions of the software on 7920 phones, select the 7920 Client CAC check box to enable it. The CAC limit is set on the access point for newer versions of software.
Related Topics
• Table 21-5—General Tab
• Table 21-6—Security Tab
• Table 21-8—Advanced Tab
• Table 21-9—Hot Spot Tab
WLANs > WLAN Configuration > Advanced Tab
Table 21-5 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > WLANs > WLAN Configuration > Advanced page.
Table 21-8 Controller > WLANs > WLAN Configuration > Advanced Tab Field Descriptions
|
|
FlexConnect Local Switching |
Click to enable FlexConnect local switching. For more information on FlexConnect, see the "Configuring FlexConnect" section. If you enable it, the FlexConnect access point handles client authentication and switches client data packets locally. FlexConnect local switching is only applicable to the Cisco 1130/1240/1250 series access points. It is not supported with L2TP or PPTP authentications, and it is not applicable to WLAN IDs 9-16. |
FlexConnect Local Auth |
Select to enable FlexConnect local authentication. Local authentication is useful where you cannot maintain the criteria a remote office setup of minimum bandwidth of 128 kbps with the roundtrip latency no greater than 100 ms and the maximum transmission unit (MTU) no smaller than 500 bytes. In local switching, the authentication capabilities are present in the access point itself. Thus local authentication reduces the latency requirements of the branch office. Note Local authentication can only be enabled on the WLAN of a FlexConnect AP that is in local switching mode. Local authentication is not supported in the following scenarios: • Guest Authentication cannot be performed on a FlexConnect local authentication enabled WLAN. • RRM information is not available at the controller for the FlexConnect local authentication enabled WLAN. • Local radius is not supported. • Once the client has been authenticated, roaming is supported after the WLC and the other FlexConnects in the group are updated with the client information. |
Learn Client IP Address |
When you enable hybrid-REAP local switching, the Learn Client IP Address check box is enabled by default. However, if the client is configured with Fortress Layer 2 encryption, the controller cannot learn the client IP address, and the controller periodically drops the client. Disable this option so that the controller maintains the client connection without waiting to learn the client IP address. The ability to disable this option is supported only with hybrid-REAP local switching; it is not supported with hybrid-REAP central switching. |
Diagnostic Channel |
Choose to enable the diagnostic channel feature or leave it disabled. The diagnostic channel feature allows you to troubleshoot problems regarding client communication with a WLAN. When initiated by a client having difficulties, the diagnostic channel provides the most robust communication methods with the fewest obstacles to communication. |
Aironet IE |
Select to enable support for Aironet information elements (IEs) for this WLAN. If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request. |
IPv6 |
Select the IPv6 check box. You can configure IPv6 bridging and IPv4 web auth on the same WLAN. |
Session Timeout |
Check to set the maximum time a client session can continue before requiring reauthorization. |
Coverage Hole Detection |
Choose to enable or disable coverage hold detection (CHD) on this WLAN. By default, CHD is enabled on all WLANs on the controller. If you disable CHD on a WLAN, a coverage hole alert is still sent to the controller, but no other processing is done to mitigate the coverage hole. This feature is useful for guest WLANs where highly mobile guests are connected to your network for short periods of time. |
Override Interface ACL |
The Override Interface drop-down lists provides a list of defined access control lists (ACLs). (See the "Configuring a FlexConnect Access Control List" section on page 4-59 for steps on defining ACLs.) Upon choosing an ACL from the list, the WLAN associates the ACL to the WLAN. Selecting an ACL is optional, and the default for this field is None |
Peer to Peer Blocking |
You can configure peer-to-peer blocking per WLAN rather than applying the status to all WLANs. From the Peer to Peer Blocking drop-down list, choose one of the following: • Disable—Peer-to-peer blocking is disabled, and traffic is bridged locally whenever possible. • Drop—The packet is discarded. • Forward Up Stream—The packet is forwarded on the upstream VLAN, and the decision is made about what to do with the packet. Note For locally switched clients, the Forward Up Stream is same as Drop from 7.2.x version of controllers. If FlexConnect local switching is enabled for the WLAN, which prevents traffic from passing through the controller, this drop-down list is dimmed. Note Peer-to-peer blocking does not apply to multicast traffic. |
Wi-Fi Direct Clients Policy |
Choose one of the following options: • Disabled—Disables the Wi-Fi Direct Clients Policy for the WLAN and deauthenticates all Wi-Fi Direct capable clients. This is the default. • Allow—Allows Wi-Fi Direct clients to associate with an infrastructure WLAN. • Not-Allow—Prevents Wi-Fi Direct clients from associating with an infrastructure WLAN. Note The Wi-Fi Direct Clients Policy applies only to WLANs whose access points are in local mode. Note The Wi-Fi Direct Clients Policy is available on controller Release 7.2.x and later. |
Client Exclusion |
Select the check box to enable automatic client exclusion. If you enable client exclusion, you must also set the Timeout Value, in seconds, for which excluded client machines stay disabled. Clients are excluded by MAC address, and their status can be observed. A timeout value of 0 means that an administrator must re-enable the client. Note A timeout value of 0 means that an excluded client remains excluded indefinitely; it does not mean that the exclusion feature is disabled. |
Maximum Clients |
Enter the maximum number of clients that can be associated with this WLAN in the Maximum Clients text box. The valid range is 0 to 7000. The default value is 0. Note A value of 0 allows an unlimited number of clients to associate with the WLAN. |
Static IP Tunneling |
Enable dynamic anchoring of static IP clients by selecting the Static IP Tunneling check box. |
Media Session Snooping |
This feature enables access points to detect the establishment, termination, and failure of voice calls and report them to the controller and Prime Infrastructure. It can be enabled or disabled per WLAN. When media session snooping is enabled, the access point radios that advertise this WLAN snoop for Session Initiation Protocol (SIP) voice packets: any packet destined to or originating from port 5060 is considered for further inspection. The access point tracks whether Wi-Fi Multimedia (WMM) and non-WMM clients are establishing a call, are already on an active call, or are ending a call, and notifies the controller of any major call events. SIP errors that are discovered generate traps that appear on the client troubleshooting and alarms screens. |
KTS based CAC |
Select the KTS based CAC check box to enable KTS-based CAC support on this WLAN. The WLC supports TSPEC-based CAC and SIP-based CAC, but certain phones use a different CAC protocol based on the Key Telephone System (KTS). To support CAC for KTS-based SIP clients, the WLC must understand and process the bandwidth request messages from those clients so that it can allocate the required bandwidth on the AP radio, in addition to handling and sending the other messages that are part of this protocol. Note The KTS CAC configuration is supported only by Cisco 5508, 7500, WiSM2, and 2500 controllers that run controller software Release 7.2.x. This feature is not supported by Cisco 4400 series controllers. |
NAC State |
Choose SNMP NAC or Radius NAC. The controller can integrate with the NAC appliance in out-of-band mode, where the NAC appliance remains in the data path only until clients have been analyzed and cleaned. Out-of-band mode reduces the traffic load on the NAC appliance and enables centralized NAC processing. See the "NAC Integration" section for more information. |
Scan Defer Priority |
Off-channel scanning is essential to the operation of RRM, which gathers information about alternate channel choices such as noise and interference; it is also how local-mode access points detect rogues. Off-Channel Scanning Defer lets a WLAN postpone those scans while it is carrying traffic of the selected priorities, so that latency-sensitive devices on the WLAN are not interrupted. Devices that need scans deferred should be placed on the same WLAN as often as possible. If there are many such devices (and the possibility exists that off-channel scanning could be suppressed almost entirely by this feature), implement an alternative to local AP off-channel scanning, such as monitor mode access points, or other access points in the same location that do not have this WLAN assigned; otherwise RRM data and rogue detection from these access points suffer.

Assignment of a QoS policy (bronze, silver, gold, or platinum) to a WLAN affects how packets are marked on the downlink connection from the access point regardless of how they were received on the uplink from the client. UP=1,2 is the lowest priority, and UP=0,3 is the next higher priority. The marking results of each QoS policy are as follows: • Bronze marks all downlink traffic to UP=1. • Silver marks all downlink traffic to UP=0. • Gold marks all downlink traffic to UP=4. • Platinum marks all downlink traffic to UP=6.

Set the Scan Defer Priority by clicking the priority values whose traffic should defer scanning, and set the time in milliseconds in the Scan Defer Interval text box. Valid values are 0 through 60000. The default value is 100 milliseconds. |
DTIM Period |
In 802.11a/n and 802.11b/g/n networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data.

Normally, the DTIM value is set to 1 (transmit broadcast and multicast frames after every beacon) or 2 (transmit after every other beacon). For instance, if the beacon period of the 802.11a/n or 802.11b/g/n network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times per second. Either of these settings might be suitable for applications, including VoIP, that expect frequent broadcast and multicast frames.

However, the DTIM value can be set as high as 255 (transmit broadcast and multicast frames after every 255th beacon) if all 802.11a/n or 802.11b/g/n clients have power save enabled. Because the clients have to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts less frequently, resulting in longer battery life. For instance, if the beacon period is 100 ms and the DTIM value is set to 100, the access point transmits buffered broadcast and multicast frames once every 10 seconds, allowing the power-saving clients to sleep longer before they have to wake up and listen for broadcasts and multicasts. Many applications cannot tolerate a long time between broadcast and multicast messages, resulting in poor protocol and application performance. We recommend a low DTIM value for 802.11a/n and 802.11b/g/n networks that support such clients.

Under DTIM Period, enter a value between 1 and 255 (inclusive) in the 802.11a/n and 802.11b/g/n fields. The default value is 1 (transmit broadcast and multicast frames after every beacon). |
DHCP Server |
Select the check box to override the DHCP server. Another field appears where you can enter the IP address of your DHCP server. For some WLAN configurations, this is required. The three valid configurations are as follows: • DHCP Required and a valid DHCP server IP address—All WLAN clients obtain an IP address from the DHCP server. • DHCP not required and a valid DHCP server IP address—All WLAN clients obtain an IP address from the DHCP server or use a static IP address. • DHCP not required and DHCP server IP address 0.0.0.0—All WLAN clients are forced to use a static IP address. All DHCP requests are dropped. The fourth combination, DHCP Required with a DHCP server IP address of 0.0.0.0, is not valid: clients would be required to use DHCP while every DHCP request is dropped. |
MFP Signature Generation |
Select to enable signature generation for the 802.11 management frames transmitted by an access point associated with this WLAN. Signature generation makes sure that changes to the transmitted management frames by an intruder are detected and reported. |
MFP Client Protection |
Choose Enabled, Disabled, or Required for the individual WLANs of a controller. If infrastructure MFP is not enabled, this drop-down list is unavailable. Note The Enabled parameter is the same as the Optional parameter in the MFP Client Protection drop-down list of the WLC graphical user interface. Note Client-side MFP is available only for WLANs configured to support Cisco Compatible Extensions (version 5 or later) clients, and WPA2 must be configured first. |
DTIM Period |
Enter a value between 1 and 255 beacon intervals in the 802.11a/n DTIM Period group box of the page. The controller sends a DTIM packet on the 802.11a/n radio for this WLAN based on what is entered as an interval. Note The DTIM configuration is not appropriate for guest LANs. |
Client Profiling |
Select to enable or disable profiling of all the clients that are associated with the WLAN. Note Client Profiling is not supported with FlexConnect local authentication. Note Client Profiling is configurable only when you select the DHCP Address Assignment check box. |
PMIP Mobility |
Choose the mobility type from the following options: • None—Configures the WLAN with Simple IP. • Mixed—Configures the WLAN with Simple IP and PMIPv6. • PMIPv6—Configures the WLAN with only PMIPv6. |
Related Topics
• Table 21-5—General Tab
• Table 21-6—Security Tab
• Table 21-7—QoS Tab
• Table 21-9—Hot Spot Tab
WLANs > WLAN Configuration > Hot Spot Tab
Table 21-9 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration > Hot Spot page.
Table 21-9 Controller > WLANs > WLAN Configuration > Hot Spot Tab Field Descriptions
802.11u Status |
Select to enable 802.11u on the WLAN. In the HESSID field, enter the Homogeneous Extended Service Set Identifier. The HESSID is a 6-octet MAC address that identifies the homogeneous ESS. |
Internet Access |
Select to enable this WLAN to provide Internet services. |
Network Type |
Choose one of the following network types that best describes the 802.11u you want to configure on this WLAN: • Private Network • Private Network with Guest Access • Chargeable Public Network • Free Public Network • Emergency Services Only Network • Personal Device Network • Test or Experimental • Wildcard |
Network Auth Type |
Choose the authentication type that you want to configure for the 802.11u parameters on this network: • Not configured • Acceptance of Terms and Conditions • Online Enrollment • HTTP/HTTPS Redirection |
OUI List |
Enter the following details: • OUI name • Is Beacon • OUI Index Click Add to add the OUI (Organizationally Unique Identifier) entry to this WLAN. |
Domain List |
Enter the following details: • Domain Name—The domain name operating in the 802.11 access network. • Domain Index—Select the domain index from the drop-down list. Click Add to add the domain entry to this WLAN. |
Realm List |
Enter the following details: • Realm Name—The realm name. • Realm Index—The realm index. Click Add to add the realm entry to this WLAN. |
MSAP |
Click to enable service advertisements. |
Server Index |
If you enabled MSAP, you must provide a server index. Enter the server index for this WLAN. The server index field uniquely identifies an MSAP server instance serving a venue that is reachable through the BSSID. Note MSAP (Mobility Services Advertisement Protocol) is designed to be used primarily by mobile devices that are configured with a set of policies for establishing network services. These services are available for devices that offer higher-layer services, or network services that are enabled through service providers. Service advertisements use MSAP to provide services to mobile devices prior to association to a Wi-Fi access network. This information is conveyed in a service advertisement. A single-mode or dual-mode mobile device queries the network for service advertisements before association. The device's network discovery and the selection function may use the service advertisements in its decision to join the network. |
HotSpot2 Enable |
Choose to enable HotSpot2. |
WAN Link Status |
Select the link status. |
WAN SIM Link Status |
The symmetric link status. For example, you can configure the uplink and downlink to have different speeds or same speeds. |
Down Link Speed |
The downlink speed. The maximum value is 4,194,304 kbps. |
Up Link Speed |
The uplink speed. The maximum value is 4,194,304 kbps. |
Operator Name List |
Specify the following: • Operator Name—Specify the name of the 802.11 operator. • Operator Index—Select an operator index. The range is from 1 to 32. • Language Code—An ISO-14962-1997 encoded string defining the language. This string is a three character language code. Click Add to add the operator details. |
Port Config List |
Specify the following: • IP Protocol—The IP protocol to enable: ESP, FTP, ICMP, or IKEV2. • Port No—The port number that is enabled on this WLAN. • Status—The status of the port. |
Related Topics
• Table 21-5—General Tab
• Table 21-6—Security Tab
• Table 21-7—QoS Tab
• Table 21-8—Advanced Tab
FlexConnect > FlexConnect AP Groups Template
Table 21-10 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > FlexConnect > FlexConnect AP Groups page.
Table 21-10 Controller > FlexConnect > FlexConnect AP Groups Field Descriptions
Primary RADIUS |
Choose the primary RADIUS authentication server for each group. If the RADIUS authentication server is not present on the controller, the Prime Infrastructure configured RADIUS server does not apply. A value of 0 indicates that the primary RADIUS server is not configured for this group. |
Secondary RADIUS |
Choose the secondary RADIUS authentication server for each group. If the RADIUS authentication server is not present on the controller, the Prime Infrastructure configured RADIUS server does not apply. A value of 0 indicates that the secondary RADIUS server is not configured for this group. |
An access point Ethernet MAC address cannot exist in more than one FlexConnect group on the same controller. If more than one group is applied to the same controller, select the Ethernet MAC check box to remove an access point from one of the groups. Save this change or apply it to the controllers. Click Add AP to open the FlexConnect AP Group page. |
FlexConnect Configuration
Click the FlexConnect Configuration tab to enable local authentication for a FlexConnect group. Note Make sure that the Primary RADIUS Server and Secondary RADIUS Server fields are set to None on the General tab. |
FlexConnect Local Authentication |
Click to enable local authentication for this FlexConnect group. The default value is unselected. Note When you attempt to use this feature, a warning message indicates that it is a licensed feature. Note You can click the Users configured in the group link that appears at the bottom of the page to view the list of FlexConnect users. You can create FlexConnect users only after you save the FlexConnect AP Group. |
EAP Type |
To allow a FlexConnect access point to authenticate clients using LEAP, select the LEAP check box. To allow it to authenticate clients using EAP-FAST, select the EAP-FAST check box. To use manual PAC provisioning, enter the key used to encrypt and decrypt PACs in the EAP-FAST Key and Confirm EAP-FAST Key text boxes. |
Auto Key Generation |
Select the Auto Key Generation check box to allow PACs to be sent automatically to clients that do not have one during PAC provisioning. |
EAP-FAST Key |
Enter the key used to encrypt and decrypt PACs. The key must be 32 hexadecimal characters. |
EAP-FAST Authority ID |
Enter the authority identifier of the EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters. |
EAP-FAST Authority Info |
Enter the authority information of the EAP-FAST server. |
EAP-FAST Pac Timeout |
Specify a PAC timeout value by entering the number of seconds for the PAC to remain viable in the edit box. The valid range is 2 to 4095 seconds. |
Image Upgrade |
FlexConnect AP Upgrade |
Check to upgrade the FlexConnect access points. |
Slave Maximum Retry Count |
Enter the maximum retries for the slave to undertake to start the download from the master in the FlexConnect group. This option is available only if you select the FlexConnect AP Upgrade check box. Note You are allowed to add an access point as a master access point only if FlexConnect AP Upgrade check box is enabled on the General tab. |
VLAN-ACL Mapping |
VLAN ID |
Enter a VLAN ID. The valid VLAN ID range is 1—4094. |
Ingress ACL |
Choose an Ingress ACL. |
Egress ACL |
Choose an Egress ACL. |
WLAN-ACL Mapping |
WLAN ID |
Enter the WLAN ID. |
WLAN Profile Name |
Choose a WLAN profile. |
Web-Auth ACL |
Choose a WebAuth ACL. |
Web-Policy ACL |
Choose a WebPolicy ACL. Note You can add up to a maximum of 16 Web-Policy ACLs. |
Security > AAA > RADIUS Auth Servers Template
Table 21-11 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > AAA > RADIUS Auth Servers page.
Table 21-11 Controller > Security > AAA > RADIUS Auth Servers Field Descriptions
Server Address |
Enter the IP address of the RADIUS authentication server. |
Port Number |
Enter the UDP port on which the server listens for authentication requests. The standard RADIUS authentication port is 1812. |
Shared Secret Format |
Choose either ASCII or hex. Note Regardless of the format you choose, for security reasons only ASCII is visible on the WLC (and in Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning; set the key format again in the template if a discovered template is applied to another device. |
Shared Secret |
Enter the RADIUS shared secret used by your specified server. |
Confirm Shared Secret |
Reenter the RADIUS shared secret used by your specified server. |
Key WRAP |
Select the check box to enable key wrap. When key wrap is enabled, authentication requests are sent to RADIUS servers that have the matching key encryption key (KEK) and message authentication code key (MACK) configured. When enabled, the following fields appear: • Shared Secret Format—Choose ASCII or hexadecimal. Note Regardless of the format you choose, for security reasons only ASCII is visible on the WLC (and in Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning; set the key format again in the template if a discovered template is applied to another device. • KEK Shared Secret—Enter the KEK shared secret. • MACK Shared Secret—Enter the MACK shared secret. Note Each time the controller is notified with a shared secret, the existing shared secret is overwritten with the new one. |
Admin Status |
Check to administratively enable this server entry. A disabled entry is kept in the configuration but is not used for authentication. |
Support for RFC 3576 |
Click if you want to enable support for RFC 3576. RFC 3576 is an extension to the Remote Authentication Dial In User Service (RADIUS) protocol. It allows dynamic changes to a user session and includes support for disconnecting users and changing authorizations applicable to a user session. With these authorizations, support is provided for Disconnect and Change-of-Authorization (CoA) messages. Disconnect messages immediately terminate a user session, whereas CoA messages modify session authorization attributes such as data filters. |
Network User |
Click if you want to enable network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user. |
Management User |
Click if you want to enable management authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the management user. |
Retransmit Timeout |
Specify the time in seconds after which the RADIUS authentication request times out and a retransmission is attempted by the controller. You can specify a value between 2 and 30 seconds. |
IPSec |
If you select the check box to enable the IP security mechanism, additional IP security fields are added to the page. If you enable IPSec, complete the following fields. |
IPsec Authentication |
Choose which IP security authentication protocol to use. The options are HMAC-SHA1, HMAC-MD5, and None. Message Authentication Codes (MACs) are used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is a mechanism based on cryptographic hash functions and can be used in combination with any iterated cryptographic hash function. HMAC-MD5 and HMAC-SHA1 are the two constructions of HMAC using the MD5 hash function and the SHA-1 hash function respectively. HMAC uses the shared secret key for both calculation and verification of the message authentication values. Prefer HMAC-SHA1 over HMAC-MD5, and avoid None, which leaves the RADIUS traffic unauthenticated. |
IPsec Encryption |
Select the IP security encryption mechanism to use: • DES—Data Encryption Standard, a symmetric (secret-key) block cipher that applies a 56-bit key to each 64-bit block of data. • Triple DES—DES applied three times in succession to each block, using two or three keys. • AES 128 CBC—Advanced Encryption Standard, a block cipher with a 128-bit block and keys of 128, 192, or 256 bits; this option uses a 128-bit key in Cipher Block Chaining (CBC) mode. • None—No IP security encryption mechanism. DES is no longer considered adequate and Triple DES is deprecated; choose AES 128 CBC unless a peer cannot support it. |
IKE Authentication |
The Internet Key Exchange (IKE) authentication is not an editable text box. Internet Key Exchange (IKE) is the protocol used to distribute the session keys (for encryption and authentication) and to let the VPN endpoints agree on how data should be protected. IKE keeps track of connections by assigning a bundle of security associations (SAs) to each connection. |
IKE Phase 1 |
Choose either aggressive or main. This sets the IKE Phase 1 exchange mode; Phase 1 negotiates how IKE itself is protected. Aggressive mode passes more information in fewer packets, with the benefit of a slightly faster connection, at the cost of transmitting the identities of the security gateways in the clear and, with pre-shared keys, of exposing a hash derived from the key that an eavesdropper can attack offline. Use main mode unless a peer requires aggressive mode. |
Lifetime |
Set the timeout interval (in seconds) after which the session expires and its keys are renegotiated. |
IKE Diffie Hellman Group |
Set the IKE Diffie-Hellman group. The options are group 1 (768 bits), group 2 (1024 bits), or group 5 (1536 bits). Diffie-Hellman lets two devices derive the same symmetric key from values they exchange publicly. Group 5 is considered more secure because of its larger prime, while computations with Group 1 and Group 2 keys may be slightly faster because of their smaller prime size. Note that 768-bit (Group 1) and 1024-bit (Group 2) moduli are no longer considered adequate against well-resourced attackers; select Group 5 where the peer supports it. |
Security > AAA > LDAP Servers Template
Table 21-12 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > AAA > LDAP Servers page.
Table 21-12 Controller > Security > AAA > LDAP Servers Field Descriptions
Server Address |
Enter the IP address of the server. |
Port Number |
Enter the port number of the LDAP server. The standard LDAP port is 389 (636 for LDAP over TLS). |
Bind Type |
Choose Authenticated or Anonymous. A bind is the LDAP operation that authenticates the controller's connection to the directory before it searches for the user. If you choose Authenticated, you must also enter a bind username and password. Choose Authenticated if your LDAP server rejects anonymous bind or search requests. |
Server User Base DN |
Enter the distinguished name of the subtree in the LDAP server that contains a list of all the users. |
Server User Attribute |
Enter the attribute that contains the username in the LDAP server. |
Server User Type |
Enter the ObjectType attribute that identifies the user. |
Retransmit Timeout |
Enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds. |
Admin Status |
Check to administratively enable this LDAP server entry. |
Security > AAA > TACACS+ Servers Template
Table 21-13 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > AAA > TACACS+ Servers page.
Table 21-13 Controller > Security > AAA > TACACS+ Servers Field Descriptions
Server Type |
Select one or more server types by selecting their respective check boxes. The following server types are available: • authentication—Server for user authentication and authorization. • authorization—Server for user authorization only. • accounting—Server for TACACS+ user accounting. |
Server Address |
Enter the IP address of the server. |
Port Number |
Enter the port number of the server. The default is 49. |
Shared Secret Format |
Choose either ASCII or hex. Note Regardless of which format you choose, for security reasons only ASCII is visible on the WLC (and in Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. Set the key format again in the template if a discovered template is applied to another device. |
Shared Secret |
Enter the TACACS+ shared secret used by your specified server. |
Confirmed Shared Secret |
Reenter the TACACS+ shared secret used by your specified server. |
Admin Status |
Check to administratively enable this TACACS+ server entry. |
Retransmit Timeout |
Enter the time, in seconds, after which the TACACS+ authentication request times out and a retransmission is attempted by the controller. |
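To show how the TACACS+ shared secret configured above is used on the wire (an added example written for this reference, not Cisco code), the following Python implements the body obfuscation from the TACACS+ specification (RFC 8907): a pseudo-pad of chained MD5 digests over the session ID, the secret, the version byte, and the sequence number, XORed with the packet body. The session ID, secret, and login details are constructed for the example.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag; set only when no obfuscation is applied
HEADER_LEN = 12


def header(session_id, seq_no, body_len, flags=0, packet_type=TAC_PLUS_AUTHEN):
    """12-byte TACACS+ header: version, type, seq_no, flags, session_id, body length."""
    return struct.pack("!BBBBII", TAC_PLUS_VERSION, packet_type, seq_no, flags, session_id, body_len)


def pseudo_pad(session_id, key, seq_no, length):
    """MD5_1 = MD5(session_id + key + version + seq_no); MD5_n = MD5(same prefix + MD5_{n-1}); concatenate."""
    prefix = struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b"", action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START body (action LOGIN, ASCII authentication, service LOGIN by default)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(body, session_id, key, seq_no):
    """Obfuscate with the shared secret when one is configured; otherwise mark the packet unencrypted."""
    if key:
        return header(session_id, seq_no, len(body)) + obfuscate(body, session_id, key, seq_no)
    return header(session_id, seq_no, len(body), flags=TAC_PLUS_UNENCRYPTED_FLAG) + body


def parse_packet(packet, key):
    """Validate the header and recover the body. A wrong key yields garbage rather than an error."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if version != TAC_PLUS_VERSION or length != len(packet) - HEADER_LEN:
        raise ValueError("bad header")
    body = packet[HEADER_LEN:]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return session_id, seq_no, body
    return session_id, seq_no, obfuscate(body, session_id, key, seq_no)


if __name__ == "__main__":
    # Constructed sample: a login START from the controller (client) to the server on port 49.
    key = b"constructed-tacacs-secret"
    body = authen_start_body("admin", "tty0", "10.0.0.5")
    pkt = build_packet(body, 0x1234ABCD, key, 1)
    print("wire body differs from plaintext:", pkt[HEADER_LEN:] != body)
    print("recovered with correct key:", parse_packet(pkt, key)[2] == body)
    print("recovered with wrong key:", parse_packet(pkt, b"wrong-key")[2] == body)
```

Because the pad is derived only from the shared secret and header fields that travel in the clear, anyone holding the secret can decrypt every session, and a guessable secret can be recovered offline from a capture whose plaintext body is partly known. Treat the secret like a password, never leave the unencrypted flag in use outside a lab, and do not rely on TACACS+ obfuscation alone to protect credentials crossing untrusted networks.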
Security > Local EAP > General - Local EAP Template
Table 21-14 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > Local EAP > General - Local EAP page.
Table 21-14 Controller > Security > Local EAP > General - Local EAP Field Descriptions
Local Auth Active Timeout |
Enter the amount of time (in seconds) that the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fail. The valid range is 1 to 3600 seconds, and the default setting is 1000 seconds. |
Note Set the values below if you are using EAP-FAST, manual password entry, one-time passwords, or 7920/7921 phones. You must increase the 802.1X timeout values on the controller (default 2 seconds) for the client to obtain the PAC using automatic provisioning. The recommended and default timeout on the Cisco ACS server is 20 seconds. Roaming fails if these values are not set the same across multiple controllers. |
Local EAP Identity Request Timeout |
The value shown is the default: 1 second. |
Local EAP Identity Request Maximum Retries |
The value shown is the default: 20 retries. |
Local EAP Dynamic WEP Key Index |
The value shown is the default: key index 0. |
Local EAP Request Timeout |
The value shown is the default: 20 seconds. |
Local EAP Request Maximum Retries |
The value shown is the default: 2 retries. |
EAPOL-Key Timeout |
|
EAPOL-Key Max Retries |
|
Max Login Ignore Identity Response |
|
Security > Local EAP > Local EAP Profiles Template
Table 21-15 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > Local EAP > Local EAP Profiles page.
Table 21-15 Controller > Security > Local EAP > Local EAP Profiles Field Descriptions
EAP Profile Name |
|
Select Profile Methods |
Choose the desired authentication type: • LEAP—This authentication type uses Cisco Key Integrity Protocol (CKIP) and the MMH message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point. LEAP's challenge/response exchange is vulnerable to offline dictionary attacks, so it should not be used for new deployments. • EAP-FAST—This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phase tunneled authentication process to provide 802.1X EAP mutual authentication. A username, password, and PAC (protected access credential) are used to perform mutual authentication with the RADIUS server through the access point. • TLS—This authentication type uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. It requires a client certificate for authentication. • PEAP—This authentication type is based on EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. |
Certificate Issuer |
Determine whether Cisco or another vendor issued the certificate for authentication. Only EAP-FAST and TLS require a certificate. |
Check Against CA Certificates |
Check if you want the incoming certificate from the client to be validated against the certificate authority (CA) certificates on the controller. |
Verify Certificate CN Identity |
Check if you want the common name (CN) in the incoming certificate to be validated against the common name of the CA certificate. |
Check Against Date Validity |
Check if you want the controller to verify that the incoming device certificate is still valid and has not expired. |
Local Certificate Required |
Check if a local certificate is required. |
Client Certificate Required |
Check if a client certificate is required. |
Security > Local EAP > EAP-FAST Parameters Template
Table 21-16 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > Local EAP > EAP-FAST Parameters page.
Table 21-16 Controller > Security > Local EAP > EAP_FAST Parameters Field Descriptions
Time to Live for the PAC |
Enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days. |
Authority ID |
Enter the authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even number of characters. |
Authority Info |
Enter the authority information of the local EAP-FAST server in text format. |
Server Key and Confirm Server Key |
Enter the key (in hexadecimal characters) used to encrypt and decrypt PACs. |
Anonymous Provision |
Check to enable anonymous provisioning, which allows PACs to be sent automatically to clients that do not have one. If you disable this feature, PACs must be provisioned manually. Note Anonymous in-band provisioning sets up the provisioning tunnel without authenticating the server, so a rogue access point can provision a PAC of its own to the client; enable it only where that risk is acceptable. |
Security > Wireless Protection Policies > Rogue Policies Template
Table 21-17 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > Wireless Protection Policies > Rogue Policies page.
Table 21-17 Controller > Security > Wireless Protection Policies > Rogue Policies Field Descriptions
Rogue Location Discovery Protocol |
Use the Rogue Location Discovery Protocol (RLDP) to determine whether a rogue access point is connected to the enterprise wired network. Choose one of the following: • Disable—Disables RLDP on all access points. • All APs—Enables RLDP on all access points. • Monitor Mode APs—Enables RLDP only on access points in monitor mode. Note With RLDP, the controller instructs a managed access point to associate with the rogue access point as a client and to send a special packet to the controller through it. If the controller receives the packet, the rogue access point is connected to the enterprise network. This method works only for rogue access points that do not have encryption enabled, and a local mode access point stops serving its own clients while it performs the test. |
Expiration Timeout for Rogue AP and Rogue Client Entries |
Enter the expiration timeout (in seconds) for rogue access point entries. |
Rogue Detection Report Interval |
Enter the time interval in seconds at which the APs should send the rogue detection report to the controller. A valid range is 10 seconds to 300 seconds, and the default value is 10 seconds. This feature is applicable to APs that are in monitor mode only. |
Rogue Detection Minimum RSSI |
Enter the minimum RSSI value that a rogue must have for the APs to detect it and for a rogue entry to be created on the controller. The valid range is -128 dBm to -70 dBm, and the default value is -128 dBm. This setting applies to all AP modes. There can be many rogues with very weak RSSI values that provide no useful information for rogue analysis, so you can use this option to filter them out by specifying the minimum RSSI at which the APs should detect rogues. |
Rogue Detection Transient Interval (Enter 0 to Disable) |
Enter the time interval over which a rogue must be consistently detected by the AP, after it is first detected, before a rogue entry is created. By setting the transient interval, you control how long an AP must keep seeing a rogue before reporting it, so that rogues that appear only briefly are filtered out. Valid values are 0 (disabled) or 120 to 1800 seconds, and the default value is 0. This feature is applicable to APs that are in monitor mode only. |
Validate Rogue Clients against AAA |
Check to enable the AAA validation of rogue clients. |
Detect and Report Adhoc Networks |
Check to enable detection and reporting of rogue clients participating in ad hoc networking. |
Rogue on Wire |
|
Using our SSID |
|
Valid Client on Rogue AP |
|
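The controller-side filtering that the Rogue Detection Minimum RSSI, Rogue Detection Transient Interval, and Expiration Timeout fields above configure, as an added example (written for this reference, not Cisco code): a simplified model that applies the RSSI floor, the transient interval, and the expiration timeout to constructed AP rogue reports. The timing model (a gap between reports longer than the transient interval resets the "consistently seen" run) and the expiration value used are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RogueReport:
    """One entry from an AP's rogue detection report (constructed for this example)."""
    bssid: str
    rssi: int   # dBm as reported by the detecting AP
    t: int      # report time in seconds


@dataclass
class RoguePolicy:
    min_rssi: int = -128             # Rogue Detection Minimum RSSI default from the table
    transient_interval: int = 0      # Rogue Detection Transient Interval; 0 disables the filter
    expiration_timeout: int = 1200   # Expiration Timeout for rogue entries (value assumed here)


class RogueTable:
    """Tracks rogue sightings and creates entries only for rogues that pass the policy."""

    def __init__(self, policy):
        self.policy = policy
        self._first_seen = {}  # bssid -> start of the current run of consecutive reports
        self._last_seen = {}   # bssid -> time of the latest report above the RSSI floor
        self.entries = {}      # bssid -> latest RSSI of rogues that passed the filters

    def ingest(self, report):
        """Apply the RSSI and transient filters; return True if an entry exists after this report."""
        p = self.policy
        if report.rssi < p.min_rssi:
            return False  # too weak to be worth tracking; never creates or refreshes an entry
        last = self._last_seen.get(report.bssid)
        # A gap longer than the transient interval breaks the "consistently seen" run (assumed model).
        if last is None or (p.transient_interval and report.t - last > p.transient_interval):
            self._first_seen[report.bssid] = report.t
        self._last_seen[report.bssid] = report.t
        if p.transient_interval and report.t - self._first_seen[report.bssid] < p.transient_interval:
            return False  # seen, but not yet for the whole interval
        self.entries[report.bssid] = report.rssi
        return True

    def expire(self, now):
        """Drop rogues not reported within the expiration timeout; return the BSSIDs removed."""
        stale = [b for b, last in self._last_seen.items() if now - last >= self.policy.expiration_timeout]
        for b in stale:
            self._last_seen.pop(b)
            self._first_seen.pop(b, None)
            self.entries.pop(b, None)
        return stale


if __name__ == "__main__":
    # Constructed reports: a weak rogue, a persistent one, and one that shows up only briefly.
    table = RogueTable(RoguePolicy(min_rssi=-70, transient_interval=120, expiration_timeout=300))
    for r in [RogueReport("aa:bb:cc:00:00:01", -90, 0),
              RogueReport("aa:bb:cc:00:00:02", -55, 0),
              RogueReport("aa:bb:cc:00:00:02", -55, 60),
              RogueReport("aa:bb:cc:00:00:02", -52, 120),
              RogueReport("aa:bb:cc:00:00:03", -60, 0),
              RogueReport("aa:bb:cc:00:00:03", -60, 500)]:
        print(r.bssid, r.t, "entry" if table.ingest(r) else "no entry")
    print("expired at t=420:", table.expire(420))
```

Raising the RSSI floor or the transient interval trades detection latency for fewer noise entries; keep both conservative on monitor mode APs that are meant to catch short-lived rogues, and remember that the transient filter applies only to monitor mode APs.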