Field Reference


This section provides field descriptions for various screens.

This chapter is incomplete. It will contain GUI descriptions for complicated screens that require additional explanation. We will cross-reference from the task procedures in various parts of the User Guide to this section.

Configuration Templates Field Descriptions

The following sections contain field descriptions for pages found in Design > Configuration Templates > Features and Technologies:

Controller Templates Field Descriptions

Controller Templates Field Descriptions

The following sections contain field descriptions for pages found in Design > Configuration Templates > Features and Technologies > Controller.

System > General Template

Table 21-1 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > System > General page.

Table 21-1 Controller > System > General Template Field Descriptions  

Field
Description

802.3x Flow Control Mode

Enable or disable flow control mode.

802.3 Bridging

Enable or disable 802.3 bridging.

Note This 802.3 bridging option is not available for 5500 and 2106 series controllers.

Web Radius Authentication

Choose the desired Web RADIUS authentication. You can choose PAP, CHAP, or MD5-CHAP for authentication between the controller and the client during the user credential exchange.

AP Primary Discovery Timeout

Specify the number of seconds for the AP Primary Discovery Timeout. The default is 120 seconds, and the valid range is 30 to 3600.

Back-up Primary Controller IP Address

Specify the Back-up primary and secondary controller details (controller IP address and controller name).

Back-up Primary Controller Name

Back-up Secondary Controller IP Address

Back-up Secondary Controller Name

CAPWAP Transport Mode

Specify Layer 2 or Layer 3 transport mode. When set to Layer 3, the lightweight access point uses IP addresses to communicate with the access points; these IP addresses are collected from a mandatory DHCP server. When set to Layer 2, the lightweight access point uses proprietary code to communicate with the access points.

Note Controllers through Version 5.2 use LWAPP; later controller versions use CAPWAP.

Broadcast Forwarding

Choose to enable or disable broadcast forwarding. The default is disabled.

LAG Mode

Choose Enable or Disable from the LAG Mode drop-down list. Link aggregation allows you to reduce the number of IP addresses needed to configure the ports on your controller by grouping all the physical ports and creating a link aggregation group (LAG).

If LAG is enabled on a controller, any dynamic interfaces that you have created are deleted to prevent configuration inconsistencies in the interface database. When you make changes to the LAG configuration, the controller has to be rebooted for the changes to take effect.

Interfaces cannot be created with the Dynamic AP Manager flag set. Also, you cannot create more than one LAG on a controller.

Peer to Peer Blocking Mode

Choose to enable or disable peer-to-peer blocking mode. If you choose Disable, any same-subnet clients communicate through the controller. If you choose Enable, any same-subnet clients communicate through a higher-level router.

Over-the-Air Provisioning AP Mode

From the Over Air AP Provision Mode drop-down list, choose enable or disable.

AP Fallback

From the AP Fallback drop-down list, choose enable or disable. Enabling fallback causes an access point that lost a primary controller connection to automatically return to service when the primary controller returns.

AP Failover Priority

When a controller fails, the backup controller configured for the access point suddenly receives a number of discovery and join requests. This might cause the controller to reach a saturation point and reject some of the access points. By assigning priority to an access point, you have some control over which access points are rejected. In a failover situation when the backup controller is saturated, the higher priority access points can join the backup controller if the lower priority access points are disjoined. Choose enable from the AP Failover Priority drop-down list if you want to allow this capability.

Apple Talk Bridging

Choose to enable or disable AppleTalk bridging.

This AppleTalk bridging option is not available on 5500 series controllers.

Fast SSID Change

Choose to enable or disable the Fast SSID Change option. If the option is enabled, the client connects instantly to the controller between SSIDs without much loss of connectivity. Normally, each client is connected to a particular WLAN identified by the SSID. If the client moves out of reach of the connected access point, the client has to reconnect to the controller using a different access point. This normal process consumes some time because the DHCP (Dynamic Host Configuration Protocol) server has to assign an IP address to the client.

Master Controller Mode

Because the master controller is normally not used in a deployed network, the master controller setting is automatically disabled upon reboot or operating system code upgrade. You might want to enable the controller as the master controller from the Master Controller Mode drop-down list.

Wireless Management

Choose to enable or disable access to the controller management interface from wireless clients. Because of IPsec operation, management via wireless is only available to operators logging in across WPA or Static WEP.

Wireless management is not available to clients attempting to log in via an IPsec WLAN.

Symmetric Tunneling Mode

Choose to enable or disable symmetric tunneling mode. With symmetric mobility tunneling, the controller provides inter-subnet mobility for clients roaming from one access point to another within a wireless LAN. The client traffic on the wired network is directly routed by the foreign controller. If a router has Reverse Path Forwarding (RPF) enabled (which provides additional checks on incoming packets), the communication is blocked. Symmetric mobility tunneling allows the client traffic to reach the controller designated as the anchor, even with RPF enabled.

All controllers in a mobility group should have the same symmetric tunneling mode.

For symmetric tunneling to take effect, you must reboot.

ACL Counters

Use the ACL Counters drop-down list to enable or disable ACL counters. The values per ACL rule can be viewed for each controller.

Default Mobility Domain Name

Enter the operator-defined RF mobility group name in the Default Mobility Domain Name text box.

Mobility Anchor Group Keep Alive Interval

At the Mobility Anchor Group Keep Alive Interval, determine the delay between tries for clients attempting to join another access point. With this guest tunneling N+1 redundancy feature, the time it takes for a client to join another access point following a controller failure is decreased because a failure is quickly identified, the clients are moved away from the problem controller, and the clients are anchored to another controller.

When you hover your mouse cursor over the field, the valid range of values appears.

Mobility Anchor Group Keep Alive Retries

At the Mobility Anchor Group Keep Alive Retries, specify the number of queries to anchor before the client declares it unreachable.

RF Network Name

Enter the RF network group name (8 to 19 characters). Radio Resource Management (RRM) neighbor packets are distributed among access points within an RF network group. Cisco access points only accept RRM neighbor packets sent with this RF network name; RRM neighbor packets sent with a different RF network name are dropped.

User Idle Timeout

Specify the timeout for idle clients. The factory default is 300 seconds. When the timeout expires, the client loses authentication, briefly disassociates from the access point, reassociates, and re-authenticates.

ARP Timeout

Specify the timeout in seconds for the address resolution protocol. The factory default is 300 seconds.

Global TCP Adjust MSS

Select the Global TCP Adjust MSS check box to have the controller inspect TCP packets originating from the client, looking for the TCP SYN and TCP ACK packets and their MSS value, and reset that value to the configured value on both the upstream and downstream side.

Disable local access

 

Out of Box

 

Web Auth Proxy Redirect Mode

Choose enable or disable for Web Auth Proxy Redirect Mode. Use this mode if a manual proxy configuration is configured on the browser of the client; in that case all web traffic going out from the client is destined for the PROXY IP and PORT configured on the browser.

Web Auth Proxy Redirect Port

Enter the Web Auth Proxy Redirect Port. The default ports are 8080 and 3128. The range is 0 to 65535.

AP Retransmit Count

Enter the AP Retransmit Count and Intervals. The AP Retransmit Count default value is 5 and the range is from 3 to 8. The AP Retransmit Interval default value is 3. The range is 2 to 5.

AP Retransmit Interval


System > Global CDP Configuration Template

Table 21-2 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > System > Global CDP Configuration page.

Table 21-2 Controller > System > Global CDP Configuration Template Field Descriptions  

Field
Description

CDP on controller

Choose enable or disable CDP on the controller.

Note This configuration cannot be applied on WiSM2 controllers.

Global CDP on APs

Choose to enable or disable CDP on the access points.

Refresh Interval

Enter the time in seconds at which CDP messages are generated. The default is 60.

Hold Time

Enter the time in seconds before the CDP neighbor entry expires. The default is 180.

CDP Advertisement Version

Enter which version of the CDP protocol to use. The default is v1.

Ethernet Interface Slot

Select the slots of Ethernet interfaces for which you want to enable CDP.

Note CDP for Ethernet Interfaces fields are supported for Controller Version 7.0.110.2 and later.

Radio Interface Slot

Select the slots of Radio interfaces for which you want to enable CDP.

Note CDP for Radio Interfaces fields are supported for Controller Version 7.0.110.2 and later.


System > Dynamic Interface Template

Table 21-3 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > System > Dynamic Interface page.

Table 21-3 Controller > System > Dynamic Interface Field Descriptions  

Field
Description
Interface Address

Guest LAN

Select to mark the interface as wired.

Quarantine

 

Netmask

Enter the net mask address of the interface.

Physical Information

LAG Mode

 

Primary Port Number

Enter the port currently used by the interface.

Secondary Port Number

Enter a secondary port to be used by the interface when the primary port is down. When the primary port is reactivated, the Cisco 4400 Series Wireless LAN controller transfers the interfaces back to the primary port.

Note Primary and secondary port numbers are present only in the Cisco 4400 Series Wireless LAN controllers.

AP Management

 
DHCP Information

Primary DHCP Server

Enter the IP addresses of the primary and secondary DHCP servers.

Secondary DHCP Server

Access Control List

ACL Name

Choose a name from the list of defined names.

From the Add Format Type drop-down list in the Add Interface Format Type group box, choose either Device Info or File. If you choose Device Info, you must configure the device-specific fields for each controller. If you choose File, you must configure the CSV device-specific fields (Interface Name, VLAN Identifier, Quarantine VLAN Identifier, IP Address, and Gateway) for all the managed controllers specified in the CSV file (see Table 21-4). If you choose Device Info, continue to Step 12.


The sample CSV files are as follows.

Table 21-4 Sample CSV Files

ip_address,interface_name,vlan_id,quarantine_vlan_id,interface_ip_address,gateway
209.165.200.224,dyn-1,1,2,209.165.200.228,209.165.200.229
209.165.200.225,interface-1,4,2,209.165.200.230,209.165.200.231
209.165.200.226,interface-2,5,3,209.165.200.232,209.165.200.233
209.165.200.227,dyna-2,2,3,209.165.200.234,209.165.200.235

The first row of the CSV file is used to describe the columns included. The CSV files can contain the following fields:

ip_address

interface_name

vlan_id

quarantine_vlan_id

interface_ip_address

gateway
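As an added example that is not part of the User Guide or of Prime Infrastructure, the following Python parses a file in the Table 21-4 layout and validates every row (column names, IPv4 addresses, VLAN IDs) before anything would be applied to the controllers. The VLAN range and the duplicate-interface check are assumptions, since the page gives neither.

```python
"""Parser and validator for the dynamic-interface CSV import format.

Added example, not Prime Infrastructure code: it reads a CSV in the
Table 21-4 layout, checks the header against the documented column names,
and validates every row before it would be applied to the controllers.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Column names exactly as the field reference lists them.
REQUIRED_COLUMNS = ("ip_address", "interface_name", "vlan_id",
                    "quarantine_vlan_id", "interface_ip_address", "gateway")

# Assumption: the page states no VLAN range, so the 802.1Q range is used.
VLAN_MIN, VLAN_MAX = 1, 4094

# Sample input transcribed from Table 21-4 (documentation example addresses).
SAMPLE_CSV = (
    "ip_address,interface_name,vlan_id,quarantine_vlan_id,interface_ip_address,gateway\n"
    "209.165.200.224,dyn-1,1,2,209.165.200.228,209.165.200.229\n"
    "209.165.200.225,interface-1,4,2,209.165.200.230,209.165.200.231\n"
    "209.165.200.226,interface-2,5,3,209.165.200.232,209.165.200.233\n"
    "209.165.200.227,dyna-2,2,3,209.165.200.234,209.165.200.235\n"
)


@dataclass(frozen=True)
class InterfaceRow:
    """One CSV row: a dynamic interface to create on one managed controller."""
    controller_ip: ipaddress.IPv4Address   # ip_address column
    interface_name: str
    vlan_id: int
    quarantine_vlan_id: int
    interface_ip: ipaddress.IPv4Address    # interface_ip_address column
    gateway: ipaddress.IPv4Address


def _ipv4(value, column, line_no):
    try:
        return ipaddress.IPv4Address(value.strip())
    except ipaddress.AddressValueError:
        raise ValueError(f"line {line_no}: {column} {value!r} is not an IPv4 address") from None


def _vlan(value, column, line_no):
    try:
        vlan = int(value.strip())
    except ValueError:
        raise ValueError(f"line {line_no}: {column} {value!r} is not an integer") from None
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        raise ValueError(f"line {line_no}: {column} {vlan} is outside {VLAN_MIN}-{VLAN_MAX}")
    return vlan


def parse_interface_csv(text):
    """Parse and validate the CSV; returns a list of InterfaceRow.

    Raises ValueError on a missing column, a short or blank row, a bad
    address or VLAN, or (assumption) the same interface name listed twice
    for one controller, so a malformed file is rejected as a whole rather
    than partially applied.
    """
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        raise ValueError(f"CSV header is missing columns: {missing}")

    rows, seen = [], set()
    for line_no, record in enumerate(reader, start=2):   # line 1 is the header
        values = {c: record.get(c) for c in REQUIRED_COLUMNS}
        if any(v is None or not v.strip() for v in values.values()):
            raise ValueError(f"line {line_no}: row is short or has blank fields")
        row = InterfaceRow(
            controller_ip=_ipv4(values["ip_address"], "ip_address", line_no),
            interface_name=values["interface_name"].strip(),
            vlan_id=_vlan(values["vlan_id"], "vlan_id", line_no),
            quarantine_vlan_id=_vlan(values["quarantine_vlan_id"], "quarantine_vlan_id", line_no),
            interface_ip=_ipv4(values["interface_ip_address"], "interface_ip_address", line_no),
            gateway=_ipv4(values["gateway"], "gateway", line_no),
        )
        key = (row.controller_ip, row.interface_name)
        if key in seen:
            raise ValueError(f"line {line_no}: duplicate interface {row.interface_name} "
                             f"on controller {row.controller_ip}")
        seen.add(key)
        rows.append(row)
    return rows


def rows_for_controller(rows, controller_ip):
    """Rows that the Apply To step would push to one managed controller."""
    target = ipaddress.IPv4Address(controller_ip)
    return [r for r in rows if r.controller_ip == target]


if __name__ == "__main__":
    for r in parse_interface_csv(SAMPLE_CSV):
        print(f"{r.controller_ip}: {r.interface_name} vlan {r.vlan_id} "
              f"(quarantine {r.quarantine_vlan_id}) {r.interface_ip} gw {r.gateway}")
```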

If you choose Apply to Controllers, you advance to the Apply To page where you can configure device-specific fields for each controller.

Use the Add and Remove options to configure device-specific fields for each controller. If you click Edit, a dialog box appears with the current parameter input.

Make the necessary changes in the dialog box, then click OK.


Note If you change the interface fields, the WLANs are temporarily disabled, so you might lose connectivity for some clients. Any changes to the interface fields are saved only after you successfully apply them to the controller(s).



Note If you remove an interface here, it is removed only from this template and not from the controllers.


WLANs > WLAN Configuration Template

The following tables describe the fields on the Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration page.

Table 21-5—General Tab

Table 21-6—Security Tab

Table 21-7—QoS Tab

Table 21-8—Advanced Tab

Table 21-9—Hot Spot Tab

WLANs > WLAN Configuration > General Tab

Table 21-5 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration > General page.

Table 21-5 Controller > WLANs > WLAN Configuration > General Tab Field Descriptions  

Field
Description

Wired Lan

Check the box to indicate whether or not this WLAN is a wired LAN.

Note Specify if you want guest users to have wired guest access from an Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or specific ports in a conference room, and accounts are added to the network using the Lobby Ambassador portal. (The Egress or Ingress interface configurations are applicable for Wired LAN only.)

Use the Type drop-down list to select the type of the wired LAN.

Guest LAN—Indicates that this wired LAN is a Guest LAN. If you select the Guest LAN option, you need to select an Ingress interface which has not already been assigned to any Guest LAN.

Remote LAN—Indicates that this wired LAN is a Remote LAN.

Profile Name

Enter a name in the Profile Name text box that identifies the WLAN or the guest LAN. Do not use any spaces in the name entered.

SSID

Enter the name of the WLAN SSID. An SSID is not required for a guest LAN.

WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes.

Status

Select the Enable check box for the Status field.

Security Policies

Modifications you make in the Security tab appear after you save the template.

Radio Policy

Set the WLAN policy to apply to All (802.11a/b/g/n), 802.11a only, 802.11g only, 802.11b/g only, or 802.11a/g only.

Interface/Interface Group

Choose the available names of interfaces created by the Controller > Interfaces module.

 

From the Egress Interface drop-down list, choose the Egress interface that you created in the "Creating an Egress Interface" section. This provides a path out of the controller for wired guest client traffic.

 

From the Ingress Interface drop-down list, choose the Ingress interface that you created in the "Creating an Ingress Interface" section. This provides a path between the wired guest client and the controller by way of the Layer 2 access switch.

Multicast VLAN

Select the Enable check box to enable the multicast VLAN feature.

From the Multicast VLAN Interface drop-down list, choose the appropriate interface name. This list is automatically populated when you enable the multicast VLAN feature.

Broadcast SSID

Click to activate SSID broadcasts for this WLAN.


Related Topics

Table 21-6—Security Tab

Table 21-7—QoS Tab

Table 21-8—Advanced Tab

Table 21-9—Hot Spot Tab

WLANs > WLAN Configuration > Security Tab

Table 21-6 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration > Security page.

Table 21-6 Controller > WLANs > WLAN Configuration > Security Tab Field Descriptions  

Field
Description
Layer 2

None

No Layer 2 security selected.

FT Enable—Select the check box to enable Fast Transition (FT) between access points.

Note Fast transition is not supported with FlexConnect mode.

Over the DS—Select the check box to enable or disable the fast transition over a distributed system.

Reassociation Timeout—Time in seconds after which fast transition reassociation times out. The default is 20 seconds, and the valid range is 1 to 100.

To enable Over the DS or Reassociation Timeout, you should enable fast transition.

802.1X

WEP 802.1X data encryption type (Note 1):

40/64 bit key

104 bit key

152 bit key

Static WEP

Static WEP encryption fields:

Key sizes: Not set, 40/64, 104, and 152 bit key sizes.

Key Index: 1 to 4 (Note 2).

Encryption Key: Encryption key required.

Key Format: ASCII or HEX.

Allowed Shared Key Authentication—Select the check box to enable shared key authentication.

Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and the Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.

Static WEP-802.1X

Use this setting to enable both Static WEP and 802.1X policies. If this option is selected, static WEP and 802.1X fields are displayed at the bottom of the page.

Static WEP encryption fields:

Key sizes: Not set, 40/64, 104, and 152 bit key sizes.

Key index: 1 to 4 (Note 2).

Encryption Key: Enter encryption key.

Key Format: ASCII or HEX.

Allowed Shared Key Authentication—Select the check box to enable.

802.1X Data Encryption: 40/64 bit key, 104 bit key, 152 bit key.

CKIP

Cisco Key Integrity Protocol (CKIP). A Cisco access point advertises support for CKIP in beacon and probe response packets. CKIP can be configured only when Aironet IE is enabled on the WLAN.

Note CKIP is not supported on 10xx APs.

When selected, these CKIP fields are displayed.

Key size: Not set, 40, or 104.

Key Index: 1 to 4

Encryption Key: Specify encryption key.

Key Format: ASCII or HEX.

Note Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.

MMH Mode—Select the check box to enable.

Key Permutation—Select the check box to enable.

MAC Filtering

Check to filter clients by MAC address.

Note The ability to join a controller without specification within a MAC filter list is only supported on mesh access points.

Note For releases prior to 4.1.82.0, mesh access points do not join the controller unless they are defined in the MAC filter list.

You might want to disable the MAC filter list to allow newly added access points to join the controller. Before enabling the MAC filter list again, you should enter the MAC addresses of the new access points.

Authentication Key Management

Choose the desired type of authentication key management. The choices are 802.1X, CCKM, or PSK.

Note If you choose PSK, you must enter the shared key and type (ASCII or hexadecimal).

Note Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.

Layer 3

Layer 3 Security

Choose between None and VPN Pass Through. The page fields change according to the selection you make. If you choose VPN pass through, you must enter the VPN gateway address.

Note The VPN passthrough option is not available for the 2106 or 5500 series controllers.

Web Policy

You can modify the default static WEP (web authentication) or assign specific web authentication (login, logout, login failure) pages and the server source.

1. To change the static WEP to passthrough, select the Web Policy check box and choose the Passthrough option from the drop-down list. This option allows users to access the network without entering a username or password.

An Email Input check box appears. Select this check box if you want users to be prompted for their e-mail address when attempting to connect to the network.

2. Choose the WebAuth on MAC Filter Failure option so that clients that fail the MAC filter are automatically switched to WebAuth.

Note The WebAuth on MAC Filter Failure option works only when the Layer 2 MAC Filtering option is enabled.

3. To specify custom web authentication pages, unselect the Global WebAuth Configuration Enable check box.

When the Web Auth Type drop-down list appears, choose one of the following options to define the web login page for the wireless guest users:

Default Internal—Displays the default web login page for the controller. This is the default value.

Customized Web Auth—Displays custom web login, login failure, and logout pages. When the customized option is selected, three separate drop-down lists for login, login failure, and logout page selection appear. You do not need to define a customized page for all three of the options. Choose None from the appropriate drop-down list if you do not want to display a customized page for that option.

These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar files.

External—Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box.

Note External web auth is not supported for 2106 and 5500 series controllers.

You can select specific RADIUS or LDAP servers to provide external authentication in the Security > AAA page. To do so, continue with Step 4.

Note The RADIUS and LDAP servers must be already configured to have selectable options in the Security > AAA page. You can configure these servers in the RADIUS Authentication Servers page and TACACS+ Authentication Servers page.

If you selected External as the Web Authentication Type in Step 2, choose Security > AAA, and choose up to three RADIUS and LDAP servers using the drop-down lists.

Repeat this process if a second (anchor) controller is being used in the network.

AAA Server

Radius Server Overwrite

Check to send the client authentication request through the dynamic interface that is set on the WLAN. When you enable the Radius Server Overwrite Interface option, the WLC sources all RADIUS traffic for a WLAN using the dynamic interface configured on that WLAN.

Note You cannot enable Radius Server Overwrite Interface when Diagnostic Channel is enabled.

Note The Radius Server Overwrite Interface option is supported in controller Version 7.0.x and later.

Select the Enable check boxes, then use the drop-down lists in the RADIUS and LDAP servers section to choose authentication and accounting servers. This selects the default RADIUS server for the specified WLAN and overrides the RADIUS server that is configured for the network. If all three RADIUS servers are configured for a particular WLAN, server 1 has the highest priority, and so on.

If no LDAP servers are chosen here, Prime Infrastructure uses the default LDAP server order from the database.

Interim Update

Select the check box to enable interim update for RADIUS Server Accounting. If you have selected this check box, specify the Interim Interval value. The range is 180 to 3600 seconds, and the default value is 0.

Note The Interim Interval can be entered only when Interim Update is enabled.

Local EAP Authentication

Select the Local EAP Authentication check box if you have an EAP profile already configured that you want to enable. Local EAP is an authentication method that allows users and wireless clients to locally authenticate. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down.

Allow AAA Override

When you enable AAA Override, and a client has conflicting AAA and controller WLAN authentication fields, client authentication is performed by the AAA server. As part of this authentication, the operating system moves clients from the default Cisco WLAN Solution to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system also uses QoS and ACL provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as identity networking.)

For instance, if the corporate WLAN primarily uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.

When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is only performed by the AAA server if the controller WLANs do not contain any client-specific authentication parameters.

The AAA override values might come from a RADIUS server, for example.


Related Topics

Table 21-5—General Tab

Table 21-7—QoS Tab

Table 21-8—Advanced Tab

Table 21-9—Hot Spot Tab

WLANs > WLAN Configuration > QoS Tab

Table 21-7 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration > QoS page.

Table 21-7 Controller > WLANs > WLAN Configuration > QoS Tab Field Descriptions

Field
Description

Quality of Service (QoS)

Choose Platinum (voice), Gold (video), Silver (best effort), or Bronze (background). Services such as VoIP should be set to gold while non-discriminating services such as text messaging can be set to bronze.

WMM Policy

Choose Disabled, Allowed (so clients can communicate with the WLAN), or Required to make it mandatory for clients to have WMM enabled for communication.

7920 AP CAC

Select to enable support on Cisco 7920 phones.

If you want WLAN to support older versions of the software on 7920 phones, select the 7920 Client CAC check box to enable it. The CAC limit is set on the access point for newer versions of software.


Related Topics

Table 21-5—General Tab

Table 21-6—Security Tab

Table 21-8—Advanced Tab

Table 21-9—Hot Spot Tab

WLANs > WLAN Configuration > Advanced Tab

Table 21-8 describes the fields on the Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration > Advanced page.

Table 21-8 Controller > WLANs > WLAN Configuration > Advanced Tab Field Descriptions  

Field
Description

FlexConnect Local Switching

Click to enable FlexConnect local switching. For more information on FlexConnect, see the "Configuring FlexConnect" section. If you enable it, the FlexConnect access point handles client authentication and switches client data packets locally.

FlexConnect local switching is only applicable to the Cisco 1130/1240/1250 series access points. It is not supported with L2TP or PPTP authentications, and it is not applicable to WLAN IDs 9-16.

FlexConnect Local Auth

Select to enable FlexConnect local authentication.

Local authentication is useful where you cannot maintain the criteria for a remote office setup: a minimum bandwidth of 128 kbps, a round-trip latency no greater than 100 ms, and a maximum transmission unit (MTU) no smaller than 500 bytes. In local switching, the authentication capabilities are present in the access point itself, so local authentication reduces the latency requirements of the branch office.

Note Local authentication can only be enabled on the WLAN of a FlexConnect AP that is in local switching mode.

Local authentication is not supported in the following scenarios:

Guest Authentication cannot be performed on a FlexConnect local authentication enabled WLAN.

RRM information is not available at the controller for the FlexConnect local authentication enabled WLAN.

Local radius is not supported.

Once the client has been authenticated, roaming is supported after the WLC and the other FlexConnects in the group are updated with the client information.

Learn Client IP Address

When you enable hybrid-REAP local switching, the Learn Client IP Address check box is enabled by default. However, if the client is configured with Fortress Layer 2 encryption, the controller cannot learn the client IP address, and the controller periodically drops the client. Disable this option so that the controller maintains the client connection without waiting to learn the client IP address. The ability to disable this option is supported only with hybrid-REAP local switching; it is not supported with hybrid-REAP central switching.

Diagnostic Channel

Choose to enable the diagnostic channel feature or leave it disabled. The diagnostic channel feature allows you to troubleshoot problems regarding client communication with a WLAN. When initiated by a client having difficulties, the diagnostic channel provides the most robust communication methods with the fewest obstacles to communication.

Aironet IE

Select to enable support for Aironet information elements (IEs) for this WLAN. If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.

IPv6

Select the IPv6 check box. You can configure IPv6 bridging and IPv4 web auth on the same WLAN.

Session Timeout

Check to set the maximum time a client session can continue before requiring reauthorization.

Coverage Hole Detection

Choose to enable or disable coverage hole detection (CHD) on this WLAN. By default, CHD is enabled on all WLANs on the controller. If you disable CHD on a WLAN, a coverage hole alert is still sent to the controller, but no other processing is done to mitigate the coverage hole. This feature is useful for guest WLANs where highly mobile guests are connected to your network for short periods of time.

Override Interface ACL

The Override Interface drop-down list provides a list of defined access control lists (ACLs). (See the "Configuring a FlexConnect Access Control List" section on page 4-59 for steps on defining ACLs.) Upon choosing an ACL from the list, the WLAN associates the ACL to the WLAN. Selecting an ACL is optional, and the default for this field is None.

Peer to Peer Blocking

You can configure peer-to-peer blocking per WLAN rather than applying the status to all WLANs. From the Peer to Peer Blocking drop-down list, choose one of the following:

Disable—Peer-to-peer blocking is disabled, and traffic is bridged locally whenever possible.

Drop—The packet is discarded.

Forward Up Stream—The packet is forwarded on the upstream VLAN, and the upstream device decides what to do with it.

Note For locally switched clients, Forward Up Stream behaves the same as Drop from controller software Release 7.2.x onward.

If FlexConnect local switching is enabled for the WLAN, which prevents traffic from passing through the controller, this drop-down list is dimmed.

Note Peer-to-peer blocking does not apply to multicast traffic.

Wi-Fi Direct Clients Policy

Choose one of the following options:

Disabled—Disables the Wi-Fi Direct Clients Policy for the WLAN and deauthenticates all Wi-Fi Direct capable clients. The default is Disabled.

Allow—Allows the Wi-Fi Direct clients to associate with an infrastructure WLAN.

Not-Allow—Disallows the Wi-Fi Direct clients from associating with an infrastructure WLAN.

Note Wi-Fi Direct Client Policy is applicable to WLANs that have APs in local mode only.

Note The Wi-Fi Direct Clients Policy is applicable for controller Version 7.2.x. and later.

Client Exclusion

Select the check box if you want to enable automatic client exclusion. If you enable client exclusion, you must also set the Timeout Value in seconds for disabled client machines. Client machines are excluded by MAC address, and their status can be observed. A timeout setting of 0 indicates that administrative control is required to reenable the client.

Note When the timeout value is not set, an excluded client remains excluded and does not time out of the excluded state. It does not mean that the exclusion feature is disabled.

Passive Client

Enter the maximum number of clients to be associated in a WLAN in the Maximum Clients text box. The valid range is from 0 to 7000. The default value is 0.

Note A value of 0 allows unlimited number of clients to be associated with a WLAN.

Static IP Tunneling

Enable dynamic anchoring of static IP clients by selecting the Static IP Tunneling check box.

Media Session Snooping

This feature enables access points to detect the establishment, termination, and failure of voice calls and then report them to the controller and Prime Infrastructure. It can be enabled or disabled per WLAN.

When media session snooping is enabled, the radios of access points that advertise this WLAN snoop for Session Initiation Protocol (SIP) voice packets. Any packet destined to or originating from port number 5060 is considered for further inspection. The access point tracks whether Wi-Fi Multimedia (WMM) and non-WMM clients are establishing a call, are already on an active call, or are in the process of ending a call, and notifies the controller of any major call event. SIP errors that are discovered generate traps that appear on the client troubleshooting and alarms screens.
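The call-state tracking described above, as an added example that is not Cisco code: it reproduces the observable behaviour the field description gives (inspect only traffic to or from port 5060, turn INVITE, its final response and BYE into call events) over constructed SIP packets. The Packet type, the sample messages, the Call-IDs and the event names are assumptions for illustration.

```python
"""SIP call-state tracker modelled on media session snooping (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SIP_PORT = 5060
_REQUEST_LINE = re.compile(r"^([A-Z]+) sip:\S+ SIP/2\.0")
_STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: str  # constructed SIP text, not a real capture


def sip_header(msg: str, name: str) -> Optional[str]:
    """Return the value of the first header called `name` (case-insensitive)."""
    for line in msg.split("\r\n"):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


class SipSnooper:
    """Tracks each call by Call-ID and records the major call events."""

    def __init__(self) -> None:
        self.state = {}  # call-id -> SETUP | ACTIVE | ENDING
        self.events: List[Tuple[str, str]] = []

    def _emit(self, call_id: str, event: str) -> None:
        self.events.append((call_id, event))

    def observe(self, pkt: Packet) -> None:
        if SIP_PORT not in (pkt.src_port, pkt.dst_port):
            return  # not SIP signalling: ignored, as the AP ignores it
        call_id = sip_header(pkt.payload, "Call-ID")
        cseq = sip_header(pkt.payload, "CSeq") or ""
        if call_id is None:
            return
        state = self.state.get(call_id)
        req = _REQUEST_LINE.match(pkt.payload)
        resp = _STATUS_LINE.match(pkt.payload)
        if req:
            method = req.group(1)
            if method == "INVITE" and state is None:
                self.state[call_id] = "SETUP"
                self._emit(call_id, "CALL_SETUP")
            elif method == "BYE" and state == "ACTIVE":
                self.state[call_id] = "ENDING"
                self._emit(call_id, "CALL_ENDING")
        elif resp:
            code = int(resp.group(1))
            if cseq.endswith("INVITE") and state == "SETUP":
                if 200 <= code < 300:
                    self.state[call_id] = "ACTIVE"
                    self._emit(call_id, "CALL_ACTIVE")
                elif code >= 400:
                    # 4xx/5xx/6xx final response: the call failed to set up
                    del self.state[call_id]
                    self._emit(call_id, "CALL_FAILED")
            elif cseq.endswith("BYE") and state == "ENDING" and 200 <= code < 300:
                del self.state[call_id]
                self._emit(call_id, "CALL_ENDED")


def sip_message(first_line: str, call_id: str, cseq: str) -> str:
    """Build a minimal constructed SIP message."""
    return "\r\n".join([first_line, "Call-ID: " + call_id, "CSeq: " + cseq, "", ""])


def demo_events() -> List[Tuple[str, str]]:
    """Two constructed calls: one completes, one is rejected with 486 Busy Here."""
    packets = [
        Packet(5060, 5060, sip_message("INVITE sip:bob@example.com SIP/2.0", "call-a", "1 INVITE")),
        Packet(5060, 5060, sip_message("SIP/2.0 200 OK", "call-a", "1 INVITE")),
        Packet(49152, 5060, sip_message("INVITE sip:carol@example.com SIP/2.0", "call-b", "1 INVITE")),
        Packet(5060, 49152, sip_message("SIP/2.0 486 Busy Here", "call-b", "1 INVITE")),
        Packet(40000, 80, "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # not port 5060
        Packet(5060, 5060, sip_message("BYE sip:bob@example.com SIP/2.0", "call-a", "2 BYE")),
        Packet(5060, 5060, sip_message("SIP/2.0 200 OK", "call-a", "2 BYE")),
    ]
    snooper = SipSnooper()
    for p in packets:
        snooper.observe(p)
    return snooper.events
```

Running demo_events() yields setup and active events for call-a, setup and failed for call-b (the 486 is a final error response to the INVITE), and ending and ended for call-a; the HTTP packet is never inspected because neither port is 5060.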

KTS based CAC

Select the KTS based CAC check box to enable KTS based CAC support per WLAN.

The WLC supports TSPEC-based CAC and SIP-based CAC, but some phones use a different CAC protocol based on the Key Telephone System (KTS). To support CAC for KTS-based SIP clients, the WLC must understand and process the bandwidth request message from those clients, allocate the required bandwidth on the AP radio, and handle and send the other messages that are part of this protocol.

Note The KTS CAC configuration is only supported by Cisco 5508, 7500, WISM2, and 2500 controllers that run controller software Release 7.2.x. This feature is not supported by Cisco 4400 series controllers.

NAC State

Choose SNMP NAC or Radius NAC. The controller can integrate with the NAC appliance in out-of-band mode, where the NAC appliance remains in the data path only until clients have been analyzed and cleaned. Out-of-band mode reduces the traffic load on the NAC appliance and enables centralized NAC processing. See the "NAC Integration" section for more information.

Scan Defer Priority

Off-Channel Scanning Defer is essential to the operation of RRM, which gathers information about alternate channel choices such as noise and interference. Off-channel scanning is also how local-mode access points perform rogue detection. Devices that need to defer off-channel scanning should use the same WLAN as often as possible. If there are many of these devices (and the possibility exists that off-channel scanning could be completely suppressed by the use of this feature), implement an alternative to off-channel scanning by the local access points, such as monitor mode access points, or other access points in the same location that do not have this WLAN assigned.

Assignment of a QoS policy (bronze, silver, gold, and platinum) to a WLAN affects how packets are marked on the downlink connection from the access point regardless of how they were received on the uplink from the client. UP=1,2 is the lowest priority, and UP=0,3 is the next higher priority. The marking results of each QoS policy are as follows:

Bronze marks all downlink traffic to UP= 1.

Silver marks all downlink traffic to UP= 0.

Gold marks all downlink traffic to UP=4.

Platinum marks all downlink traffic to UP=6.

Set the Scan Defer Priority by clicking the user priority values that should defer scanning, and set the Scan Defer Interval in milliseconds in the text box. Valid values are 0 through 60000. The default value is 100 milliseconds.
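A small simulation of the deferral rule above, added here as an example and not Cisco code: when the AP sees a frame on this WLAN whose user priority is in the Scan Defer Priority set, it postpones off-channel scanning until Scan Defer Interval milliseconds after that frame. The fixed scan schedule, the frame timings and the interval values are constructed; the real schedule is driven by RRM and is not modelled.

```python
"""Off-channel scan deferral simulator (added example, not Cisco code)."""
from typing import Iterable, List, Set, Tuple


def scan_opportunities(frames: Iterable[Tuple[int, int]], defer_priorities: Set[int],
                       defer_interval_ms: int, scan_period_ms: int,
                       horizon_ms: int) -> Tuple[List[int], List[int]]:
    """Return (scans that ran, scans that were deferred) within the horizon.

    frames: (time_ms, user_priority) pairs seen on the WLAN, in any order.
    The AP attempts an off-channel scan every scan_period_ms; an attempt is
    deferred when a deferring frame was seen within the last defer_interval_ms.
    """
    ordered = sorted(frames)
    deferred_until = -1
    idx = 0
    ran: List[int] = []
    deferred: List[int] = []
    for t in range(scan_period_ms, horizon_ms + 1, scan_period_ms):
        # Consume every frame the AP has seen up to this scan attempt.
        while idx < len(ordered) and ordered[idx][0] <= t:
            seen_at, up = ordered[idx]
            if up in defer_priorities:
                deferred_until = max(deferred_until, seen_at + defer_interval_ms)
            idx += 1
        (deferred if t < deferred_until else ran).append(t)
    return ran, deferred


def packet_stream(user_priority: int, start_ms: int, end_ms: int,
                  every_ms: int = 20) -> List[Tuple[int, int]]:
    """Constructed stream: one frame every every_ms at a fixed user priority."""
    return [(t, user_priority) for t in range(start_ms, end_ms + 1, every_ms)]


def voice_burst_then_idle() -> Tuple[List[int], List[int]]:
    """UP 6 voice for the first 2 s of a 10 s window; defer on UP 6 for 100 ms;
    the AP attempts a scan every 500 ms."""
    return scan_opportunities(packet_stream(6, 0, 2000), {6}, 100, 500, 10000)


def continuous_high_priority() -> Tuple[List[int], List[int]]:
    """A continuous UP 6 stream (a long call, or a client deliberately tagging
    its frames) keeps the AP on-channel for the whole window."""
    return scan_opportunities(packet_stream(6, 0, 10000), {6}, 100, 500, 10000)


def non_matching_priority() -> Tuple[List[int], List[int]]:
    """The same stream at UP 1 is outside the defer set and never defers."""
    return scan_opportunities(packet_stream(1, 0, 10000), {6}, 100, 500, 10000)
```

The second scenario is the case the text warns about: a single client that keeps sending frames at a deferring priority more often than once per defer interval stops a local-mode AP from ever going off-channel, and with it stops that AP's rogue detection. That is why monitor mode APs, which do not serve the WLAN, are the recommended fallback.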

DTIM Period

In 802.11a/n and 802.11b/g/n networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data.

Normally, the DTIM value is set to 1 (transmit broadcast and multicast frames after every beacon) or 2 (transmit after every other beacon). For instance, if the beacon period of the 802.11a/n or 802.11b/g/n network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times per second. Either of these settings might be suitable for applications, including VoIP, that expect frequent broadcast and multicast frames.

However, the DTIM value can be set as high as 255 (transmit broadcast and multicast frames after every 255th beacon) if all 802.11a/n or 802.11b/g/n clients have power save enabled. Because the clients have to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts less frequently, resulting in longer battery life. For instance, if the beacon period is 100 ms and the DTIM value is set to 100, the access point transmits buffered broadcast and multicast frames once every 10 seconds, allowing the power-saving clients to sleep longer before they have to wake up and listen for broadcasts and multicasts, resulting in longer battery life.

Many applications cannot tolerate a long time between broadcast and multicast messages, resulting in poor protocol and application performance. We recommend a low DTIM value for 802.11a/n and 802.11b/g/n networks that support such clients.

Under DTIM Period, enter a value between 1 and 255 (inclusive) in the 802.11a/n and 802.11b/g/n fields. The default value is 1 (transmit broadcast and multicast frames after every beacon).

DHCP Server

Select the check box to override the DHCP server. Another field appears where you can enter the IP address of your DHCP server. For some WLAN configurations, this is required. The three valid configurations are as follows:

DHCP Required and a valid DHCP server IP address - All WLAN clients obtain an IP address from the DHCP server.

DHCP is not required and a valid DHCP server IP address - All WLAN clients obtain an IP address from the DHCP server or use a static IP address.

DHCP not required and DHCP server IP address 0.0.0.0 - All WLAN clients are forced to use a static IP address. All DHCP requests are dropped.

The remaining combination, DHCP Required with a DHCP server IP address of 0.0.0.0, is not valid: clients could neither obtain an address nor fall back to a static one.

MFP Signature Generation

Select to enable signature generation for the 802.11 management frames transmitted by an access point associated with this WLAN. Signature generation makes sure that changes to the transmitted management frames by an intruder are detected and reported.

MFP Client Protection

Choose Enabled, Disabled, or Required for configuration of individual WLANs of a controller. If infrastructure MFP is not enabled, this drop-down list is unavailable.

Note The Enabled parameter is the same as the Optional parameter that you choose from the MFP Client Protection drop-down list in the WLC graphical user interface.

Note Client-side MFP is only available for those WLANs configured to support Cisco Compatible Extensions (version 5 or later) clients, and WPA2 must first be configured.

DTIM Period

Enter a value between 1 and 255 beacon intervals in the 802.11a/n DTIM Period group box of the page. The controller sends a DTIM packet on the 802.11a/n radio for this WLAN based on what is entered as an interval.

Note The DTIM configuration is not appropriate for guest LANs.

Client Profiling

Select to enable or disable profiling of all the clients that are associated with the WLAN.

Note Client Profiling is not supported with FlexConnect local authentication.

Note Client Profiling is configurable only when you select the DHCP Address Assignment check box.

PMIP Mobility

Choose the mobility type from the following options:

None—Configures the WLAN with Simple IP.

Mixed—Configures the WLAN with Simple IP and PMIPv6.

PMIPv6—Configures the WLAN with only PMIPv6.


Related Topics

Table 21-5—General Tab

Table 21-6—Security Tab

Table 21-7—QoS Tab

Table 21-9—Hot Spot Tab

WLANs > WLAN Configuration > Hot Spot Tab

Table 21-9 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > WLANs > WLAN Configuration > Hot Spot page.

Table 21-9 Controller > WLANs > WLAN Configuration > Hot Spot Tab Field Descriptions

Field
Description
General

802.11u Status

Select to enable 802.11u on the WLAN.

In the HESSID field, enter the Homogeneous Extended Service Set Identifier. The HESSID is a 6-octet MAC address that identifies the homogeneous ESS.

Internet Access

Select to enable this WLAN to provide Internet services.

Network Type

Choose the network type that best describes the 802.11u network you want to configure on this WLAN:

Private Network

Private Network with Guest Access

Chargeable Public Network

Free Public Network

Emergency Services Only Network

Personal Device Network

Test or Experimental

Wildcard

Network Auth Type

Choose the authentication type that you want to configure for the 802.11u parameters on this network:

Not configured

Acceptance of Terms and Conditions

Online Enrollment

HTTP/HTTPS Redirection

Others

OUI List

Enter the following details:

OUI name

Is Beacon

OUI Index

Click Add to add the OUI (Organizationally Unique Identifier) entry to this WLAN.


Domain List

Enter the following details:

Domain Name—The domain name operating in the 802.11 access network.

Domain Index—Select the domain index from the drop-down list.

Click Add to add the domain entry to this WLAN.

Realm

Realm List

Enter the following details:

Realm Name—The realm name.

Realm Index—The realm index.

Click Add to add the realm entry to this WLAN.

Service Advertisement

MSAP

Click to enable service advertisements.

Server Index

If you enabled MSAP, you must provide a server index. Enter the server index for this WLAN. The server index field uniquely identifies an MSAP server instance serving a venue that is reachable through the BSSID.

Note MSAP (Mobility Services Advertisement Protocol) is designed to be used primarily by mobile devices that are configured with a set of policies for establishing network services. These services are available for devices that offer higher-layer services, or network services that are enabled through service providers. Service advertisements use MSAP to provide services to mobile devices prior to association to a Wi-Fi access network. This information is conveyed in a service advertisement. A single-mode or dual-mode mobile device queries the network for service advertisements before association. The device's network discovery and the selection function may use the service advertisements in its decision to join the network.

HotSpot 2.0

HotSpot2 Enable

Choose to enable HotSpot2.

WAN Link Status

Select the link status.

WAN SIM Link Status

The symmetric link status. For example, you can configure the uplink and downlink to have different speeds or the same speed.

Down Link Speed

The downlink speed. The maximum value is 4,194,304 kbps.

Up Link Speed

The uplink speed. The maximum value is 4,194,304 kbps.

Operator Name List

Specify the following:

Operator Name—Specify the name of the 802.11 operator.

Operator Index—Select an operator index. The range is from 1 to 32.

Language Code—An ISO-14962-1997 encoded string defining the language. This string is a three character language code.

Click Add to add the operator details.

Port Config List

Specify the following:

IP Protocol—The IP protocol that you want to enable. The options are ESP, FTP, ICMP, and IKEV2.

Port No—The port number that is enabled on this WLAN.

Status—The status of the port.


Related Topics

Table 21-5—General Tab

Table 21-6—Security Tab

Table 21-7—QoS Tab

Table 21-8—Advanced Tab

FlexConnect > FlexConnect AP Groups Template

Table 21-10 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > FlexConnect > FlexConnect AP Groups page.

Table 21-10 Controller > FlexConnect > FlexConnect AP Groups Field Descriptions

Field
Description
General

Primary RADIUS

Choose the primary RADIUS authentication server for the group. If the RADIUS authentication server is not present on the controller, the RADIUS server configured in Prime Infrastructure does not apply. A value of 0 indicates that the primary RADIUS server is not configured for this group.

Secondary RADIUS

Choose the secondary RADIUS authentication server for the group. If the RADIUS authentication server is not present on the controller, the RADIUS server configured in Prime Infrastructure does not apply. A value of 0 indicates that the secondary RADIUS server is not configured for this group.

FlexConnect AP
 

An access point Ethernet MAC address cannot exist in more than one FlexConnect group on the same controller. If more than one group is applied to the same controller, select the Ethernet MAC check box to unselect an access point from one of the groups. You should save this change or apply it to controllers.

Click Add AP. The FlexConnect AP Group page appears.

FlexConnect Configuration

Click the FlexConnect Configuration tab to enable local authentication for a FlexConnect group.

Note Make sure that the Primary RADIUS Server and Secondary RADIUS Server fields are set to None on the General tab.

FlexConnect Local Authentication

Click to enable local authentication for this FlexConnect group. The default value is unselected.

Note When you attempt to use this feature, a warning message indicates that it is a licensed feature.

Note You can click the Users configured in the group link that appears at the bottom of the page to view the list of FlexConnect users. You can create FlexConnect users only after you save the FlexConnect AP Group.

EAP Type

To allow a FlexConnect access point to authenticate clients using LEAP, select the LEAP check box. Otherwise, to allow a FlexConnect access point to authenticate clients using EAP-FAST, select the EAP-FAST check box.

To use manual PAC provisioning, enter the key used to encrypt and decrypt PACs in the EAP-FAST Key and Confirm EAP-FAST Key text boxes.

Auto Key Generation

To allow PACs to be sent automatically to clients that do not have one during PAC provisioning, select the Auto Key Generation check box.

EAP-FAST Key

Enter the key (in hexadecimal characters) used to encrypt and decrypt PACs. The key must be 32 hexadecimal characters.

EAP-FAST Authority ID

Enter the authority identifier of the EAP-FAST server. You can enter up to 32 hexadecimal characters.

EAP-FAST Authority Info

Enter the authority information of the EAP-FAST server.

EAP-FAST Pac Timeout

Specify a PAC timeout value by entering the number of seconds for the PAC to remain viable in the edit box. The valid range is 2 to 4095 seconds.

Image Upgrade

FlexConnect AP Upgrade

Check to upgrade the FlexConnect access points.

Slave Maximum Retry Count

Enter the maximum number of times a slave access point retries starting the image download from the master access point in the FlexConnect group. This option is available only if you select the FlexConnect AP Upgrade check box.

Note You are allowed to add an access point as a master access point only if FlexConnect AP Upgrade check box is enabled on the General tab.

VLAN-ACL Mapping

 

VLAN ID

Enter a VLAN ID. The valid VLAN ID range is 1—4094.

Ingress ACL

Choose an Ingress ACL.

Egress ACL

Choose an Egress ACL.

WLAN-ACL Mapping

WLAN ID

Enter the WLAN ID.

WLAN Profile Name

Choose a WLAN profile.

Web-Auth ACL

Choose a WebAuth ACL.

Web Policy ACL

Web-Policy ACL

Choose a WebPolicy ACL.

Note You can add up to a maximum of 16 Web-Policy ACLs.


Security > AAA > RADIUS Auth Servers Template

Table 21-11 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > AAA > RADIUS Auth Servers page.

Table 21-11 Controller > Security > AAA > RADIUS Auth Servers Field Descriptions  

Field
Description

Server Address

Enter the IP address of the RADIUS server.

Port Number

Enter the UDP port on which the server accepts authentication requests. The standard RADIUS authentication port is 1812.

Shared Secret Format

Choose either ASCII or hex.

Note Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.

Shared Secret

Enter the RADIUS shared secret used by your specified server.

Confirm Shared Secret

Reenter the RADIUS shared secret used by your specified server.

Key WRAP

Select the check box to enable key wrap. When enabled, the authentication request is sent to RADIUS servers that have the following key encryption key (KEK) and message authentication code key (MACK) configured, and these fields appear:

Shared Secret Format: Enter ASCII or hexadecimal.

Note Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in the event a discovered template is applied to another device.

KEK Shared Secret: Enter the KEK shared secret.

MACK Shared Secret: Enter the MACK shared secret.

Note Each time the controller is notified with the shared secret, the existing shared secret is overwritten with the new shared secret.

Admin Status

Select to administratively enable this server entry on the controller. The controller does not send requests to a server whose Admin Status is disabled.

Support for RFC 3576

Click if you want to enable support for RFC 3576. RFC 3576 is an extension to the Remote Authentication Dial In User Service (RADIUS) protocol. It allows dynamic changes to a user session and includes support for disconnecting users and changing authorizations applicable to a user session. With these authorizations, support is provided for Disconnect and Change-of-Authorization (CoA) messages. Disconnect messages immediately terminate a user session, whereas CoA messages modify session authorization attributes such as data filters.
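The Disconnect exchange that RFC 3576 support enables, as an added example that is not controller code. Both sides are shown: the RADIUS server builds a Disconnect-Request whose Request Authenticator is MD5 over the packet with a 16-zero-byte authenticator field plus the shared secret, and the controller recomputes that hash before acting, then answers with a Disconnect-ACK or Disconnect-NAK whose Response Authenticator is computed the same way over the request's authenticator (RFC 3576, carried forward in RFC 5176). The shared secret, user name and session identifiers are constructed values, and the optional Message-Authenticator attribute is omitted.

```python
"""RFC 3576 / RFC 5176 Disconnect-Request exchange (added example, not controller code)."""
import hashlib
import hmac
import struct
from typing import Dict, Iterable, Optional, Set, Tuple

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK, COA_REQUEST = 40, 41, 42, 43
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID = 1, 44
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length


def encode_attrs(pairs: Iterable[Tuple[int, bytes]]) -> bytes:
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)


def parse_attrs(pkt: bytes) -> Dict[int, bytes]:
    attrs, i, length = {}, 20, HEADER.unpack_from(pkt)[2]
    while i + 2 <= length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            break  # malformed attribute: stop rather than read past the packet
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return attrs


def assemble(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def build_disconnect_request(secret: bytes, ident: int,
                             pairs: Iterable[Tuple[int, bytes]]) -> bytes:
    """Server side: authenticator = MD5(header + 16 zero octets + attrs + secret)."""
    attrs = encode_attrs(pairs)
    auth = hashlib.md5(assemble(DISCONNECT_REQUEST, ident, bytes(16), attrs) + secret).digest()
    return assemble(DISCONNECT_REQUEST, ident, auth, attrs)


def verify_request(secret: bytes, pkt: bytes) -> bool:
    if len(pkt) < 20:
        return False
    code, ident, length = HEADER.unpack_from(pkt)
    if length != len(pkt) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(assemble(code, ident, bytes(16), pkt[20:]) + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def build_response(secret: bytes, code: int, request: bytes,
                   pairs: Iterable[Tuple[int, bytes]] = ()) -> bytes:
    """Response authenticator = MD5(header + request authenticator + attrs + secret)."""
    attrs = encode_attrs(pairs)
    ident, req_auth = request[1], request[4:20]
    resp_auth = hashlib.md5(assemble(code, ident, req_auth, attrs) + secret).digest()
    return assemble(code, ident, resp_auth, attrs)


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    if len(response) < 20:
        return False
    code, ident, length = HEADER.unpack_from(response)
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(assemble(code, ident, request[4:20], response[20:]) + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def controller_handle(secret: bytes, pkt: bytes, sessions: Set[bytes]) -> Optional[bytes]:
    """Controller side: drop a request with a bad authenticator, ACK and tear
    down a known session, NAK an unknown one."""
    if not verify_request(secret, pkt):
        return None  # RFC 5176: silently discard
    session = parse_attrs(pkt).get(ATTR_ACCT_SESSION_ID)
    if session in sessions:
        sessions.discard(session)
        return build_response(secret, DISCONNECT_ACK, pkt)
    return build_response(secret, DISCONNECT_NAK, pkt)


def demo() -> Tuple[bool, bool, bool]:
    secret = b"constructed-shared-secret"
    sessions = {b"0000A1B2"}  # constructed Acct-Session-Id of one active client
    req = build_disconnect_request(secret, 7, [(ATTR_USER_NAME, b"alice"),
                                               (ATTR_ACCT_SESSION_ID, b"0000A1B2")])
    ack = controller_handle(secret, req, sessions)
    acked = ack is not None and ack[0] == DISCONNECT_ACK and verify_response(secret, req, ack)
    # The same request again: the session is gone, so the controller NAKs it.
    nak = controller_handle(secret, req, sessions)
    naked = nak is not None and nak[0] == DISCONNECT_NAK
    # A request built with a guessed secret is discarded without any reply.
    forged = build_disconnect_request(b"guessed", 8, [(ATTR_ACCT_SESSION_ID, b"0000A1B2")])
    dropped = controller_handle(secret, forged, sessions) is None
    return acked, naked, dropped
```

The shared secret is the only thing standing between an attacker on the management network and the ability to disconnect any client, which is why the authenticator check happens before any session lookup and why the secret should be long, random and unique per server.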

Network User

Click if you want to enable network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.

Management User

Click if you want to enable management authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the management user.

Retransmit Timeout

Specify the time in seconds after which the RADIUS authentication request times out and a retransmission is attempted by the controller. You can specify a value between 2 and 30 seconds.

IPSec

Select the check box to protect traffic to this RADIUS server with IPsec. When you enable it, the following IP security fields appear on the page and must be completed.

IPsec Authentication

Choose which IP security authentication protocol to use. The options are HMAC-SHA1, HMAC-MD5, and None.

Message Authentication Codes (MACs) are used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is a mechanism based on cryptographic hash functions and can be used in combination with any iterated cryptographic hash function. HMAC-MD5 and HMAC-SHA1 are two constructs of the HMAC using the MD5 hash function and the SHA1 hash function. HMAC also uses a secret key for calculation and verification of the message authentication values.

IPsec Encryption

Select the IP security encryption mechanism to use:

DES—Data Encryption Standard, a block cipher that applies a 56-bit symmetric (secret) key to each 64-bit block of data. The 56-bit key space is small enough to be searched exhaustively with modest hardware, so DES should not be chosen where a stronger option is available.

Triple DES—DES applied three times in succession with three keys.

AES 128 CBC—Advanced Encryption Standard, a block cipher with a 128-bit block that accepts keys of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit key in Cipher Block Chaining (CBC) mode and is the strongest of the listed options.

None—No IP security encryption mechanism.

IKE Authentication

The Internet Key Exchange (IKE) authentication is not an editable text box. Internet Key Exchange protocol (IKE) is used as a method of distributing the session keys (encryption and authentication), as well as providing a way for the VPN endpoints to agree on how data should be protected. IKE keeps track of connections by assigning a bundle of security associations (SAs) to each connection.

IKE Phase 1

Choose either aggressive or main. This sets the IKE phase 1 mode, which negotiates how IKE itself is protected. Aggressive mode passes more information in fewer packets, with the benefit of a slightly faster connection, at the cost of transmitting the identities of the security gateways in the clear. Main mode protects those identities and is the safer choice when both ends support it.

Lifetime

Set the timeout interval (in seconds) when the session expires

IKE Diffie Hellman Group

Set the IKE Diffie-Hellman group. The options are group 1 (768 bits), group 2 (1024 bits), or group 5 (1536 bits). Diffie-Hellman lets two devices derive the same symmetric key from values they exchange publicly.

Group 5 is the most secure of the three because of its larger modulus, while group 1 and group 2 computations run slightly faster because of their smaller prime. The 768-bit group 1 modulus is no longer considered adequate against a well-resourced attacker; choose the largest group that both ends support.


Security > AAA > LDAP Servers Template

Table 21-12 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > AAA > LDAP Servers page.

Table 21-12 Controller > Security > AAA > LDAP Servers Field Descriptions  

Field
Description

Server Address

Enter the IP address of the server.

Port Number

Enter the port number on which the LDAP server listens. The standard LDAP port is 389.

Bind Type

Choose Authenticated or Anonymous. If you choose Authenticated, you must also enter a bind username and password. The bind is the LDAP operation that authenticates the controller to the directory before it performs the user lookup. Directories commonly reject anonymous bind requests; if yours does, choose Authenticated.

Server User Base DN

Enter the distinguished name of the subtree in the LDAP server that contains a list of all the users.

Server User Attribute

Enter the attribute that contains the username in the LDAP server.

Server User Type

Enter the object type (objectClass value) that identifies user entries in the LDAP server, for example person.
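The lookup that the base DN, user attribute and user type fields above define, shown as an added example that is not controller code: the search becomes an RFC 4515 filter, the client-supplied user name must be escaped before it is placed in that filter, and a small in-memory matcher shows what the unescaped form lets an attacker do. Field values, user names and directory entries are constructed, and the matcher supports only the filter shapes used here.

```python
"""LDAP user lookup filter with RFC 4515 escaping (added example, not controller code)."""
import re
from typing import Dict, List, Tuple

# RFC 4515 section 3: these characters must appear as \XX inside a filter value.
_SPECIAL = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (ASCII input)."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def user_filter(user_attribute: str, user_type: str, username: str) -> str:
    """Hardened form: the client-supplied name cannot change the filter's shape."""
    return "(&(objectClass=%s)(%s=%s))" % (
        user_type, user_attribute, escape_filter_value(username))


def user_filter_unescaped(user_attribute: str, user_type: str, username: str) -> str:
    """Vulnerable form kept for comparison: the name is pasted in verbatim."""
    return "(&(objectClass=%s)(%s=%s))" % (user_type, user_attribute, username)


# A minimal filter evaluator so the two forms can be compared on data.

def _parse(f: str, i: int) -> Tuple[tuple, int]:
    """Parse the filter starting at f[i] ('('); return (node, index after it)."""
    if f[i + 1] == "&":
        items, i = [], i + 2
        while f[i] == "(":
            node, i = _parse(f, i)
            items.append(node)
        return ("and", items), i + 1
    end = f.index(")", i)
    attr, pattern = f[i + 1:end].split("=", 1)
    return ("eq", attr, pattern), end + 1


def _pattern_regex(pattern: str):
    """An unescaped '*' is a wildcard; \\XX escapes become literal characters."""
    pieces = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def _matches(entry: Dict[str, str], node: tuple) -> bool:
    if node[0] == "and":
        return all(_matches(entry, n) for n in node[1])
    _, attr, pattern = node
    value = entry.get(attr)
    return value is not None and _pattern_regex(pattern).match(value) is not None


def count_matches(directory: List[Dict[str, str]], filter_string: str) -> int:
    node, _ = _parse(filter_string, 0)
    return sum(1 for entry in directory if _matches(entry, node))


# Constructed directory standing in for the subtree under the Server User Base DN.
DIRECTORY = [
    {"objectClass": "person", "uid": "alice"},
    {"objectClass": "person", "uid": "bob"},
    {"objectClass": "groupOfNames", "cn": "wifi-admins"},
]


def demo() -> Tuple[int, int, int]:
    """Matches for a real user, then for the name '*' unescaped and escaped."""
    return (
        count_matches(DIRECTORY, user_filter("uid", "person", "alice")),
        count_matches(DIRECTORY, user_filter_unescaped("uid", "person", "*")),
        count_matches(DIRECTORY, user_filter("uid", "person", "*")),
    )
```

With the name "*" pasted in verbatim the filter becomes (uid=*) and matches every user; with escaping it becomes (uid=\2a), a literal asterisk that matches nobody. The same escaping applies to the bind username if it is ever taken from outside the controller configuration.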

Retransmit Timeout

Enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.

Admin Status

Select to administratively enable this LDAP server entry on the controller.


Security > AAA > TACACS+ Servers Template

Table 21-13 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > AAA > TACACS+ Servers page.

Table 21-13 Controller > Security > AAA > TACACS+ Servers Field Descriptions  

Field
Description

Server Type

Select one or more server types by selecting their respective check boxes. The following server types are available:

authentication—Server for user authentication/authorization.

authorization—Server for user authorization only.

accounting—Server for TACACS+ user accounting.

Server Address

Enter the IP address of the server.

Port Number

Enter the port number of the server. The default is 49.

Shared Secret Format

Choose either ASCII or hex.

Note Regardless of which format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. Set the key format again in the template in the event a discovered template is applied to another device.

Shared Secret

Enter the TACACS+ shared secret used by your specified server.

Confirm Shared Secret

Reenter the TACACS+ shared secret used by your specified server.

Admin Status

Select to administratively enable this TACACS+ server entry on the controller.

Retransmit Timeout

Enter the time, in seconds, after which the TACACS+ authentication request times out and a retransmission is attempted by the controller.


Security > Local EAP > General - Local EAP Template

Table 21-14 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > Local EAP > General - Local EAP page.

Table 21-14 Controller > Security > Local EAP > General - Local EAP Field Descriptions  

Field
Description

Local Auth Active Timeout

Enter the amount of time (in seconds) that the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fails. The valid range is 1 to 3600 seconds, and the default setting is 1000 seconds.

Note Enter the values specified below if you are using EAP-FAST, manual password entry, one-time password, or 7920/7921 phones. You must increase the 802.1x timeout values on the controller (default=2 seconds) for the client to obtain the PAC using automatic provisioning. The recommended and default timeout on the Cisco ACS server is 20 seconds. Roaming fails if these values are not set the same across multiple controllers.

Local EAP Identity Request Timeout

Value to enter for the configurations listed in the preceding note: 1 second.

Local EAP Identity Request Maximum Retries

Value to enter for the configurations listed in the preceding note: 20.

Local EAP Dynamic WEP Key Index

Value to enter for the configurations listed in the preceding note: 0.

Local EAP Request Timeout

Value to enter for the configurations listed in the preceding note: 20 seconds.

Local EAP Request Maximum Retries

Value to enter for the configurations listed in the preceding note: 2.

EAPOL-Key Timeout

 

EAPOL-Key Max Retries

 

Max Login Ignore Identity Response

 

Security > Local EAP > Local EAP Profiles Template

Table 21-15 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > Local EAP > Local EAP Profiles page.

Table 21-15 Controller > Security > Local EAP > Local EAP Profiles Field Descriptions  

Field
Description

EAP Profile Name

 

Select Profile Methods

Choose the desired authentication type:

LEAP—This authentication type leverages Cisco Key Integrity Protocol (CKIP) and MMH message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point. The LEAP challenge-response exchange is vulnerable to an offline dictionary attack on the user password, so prefer EAP-FAST, PEAP, or TLS where the clients support them.

EAP-FAST—This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1X EAP mutual authentication. A username, password, and PAC (protected access credential) are used to perform mutual authentication with the RADIUS server through the access point.

TLS—This authentication type uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. It requires a client certificate for authentication.

PEAP—This authentication type is based on EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data.

Certificate Issuer

Determine whether Cisco or another vendor issued the certificate for authentication. Only EAP-FAST and TLS require a certificate.

Check Against CA Certificates

Check if you want the incoming certificate from the client to be validated against the certificate authority (CA) certificates on the controller.

Verify Certificate CN Identity

Check if you want the common name (CN) in the incoming certificate to be validated against the common name of the CA certificate.

Check Against Date Validity

Check if you want the controller to verify that the incoming device certificate is still valid and has not expired.

Local Certificate Required

Check if a local certificate is required.

Client Certificate Required

Check if a client certificate is required.


Security > Local EAP > EAP-FAST Parameters Template

Table 21-16 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > Local EAP > EAP-FAST Parameters page.

Table 21-16 Controller > Security > Local EAP > EAP_FAST Parameters Field Descriptions  

Field
Description

Time to Live for the PAC

Enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.

Authority ID

Enter the authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even number of characters.

Authority Info

Enter the authority identifier of the local EAP-FAST server in text format.

Server Key and Confirm Server Key

Enter the key (in hexadecimal characters) used to encrypt and decrypt PACs.

Anonymous Provision

Check to enable anonymous provisioning. This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If you disable this feature, PACs must be manually provisioned.


Security > Wireless Protection Policies > Rogue Policies Template

Table 21-17 describes the fields on the Design > Configuration Templates> Features and Technologies > Controller > Security > Wireless Protection Policies > Rogue Policies page.

Table 21-17 Controller > Security > Wireless Protection Policies > Rogue Policies Field Descriptions  

Field
Description

Rogue Location Discovery Protocol

Choose whether the controller uses the Rogue Location Discovery Protocol (RLDP) to determine whether a detected rogue access point is connected to the enterprise wired network:

Disable—Disables RLDP on all access points.

All APs—Enables RLDP on all access points.

Monitor Mode APs—Enables RLDP only on access points in monitor mode.

Note With RLDP, the controller instructs a managed access point to associate with the rogue access point as a client and send a special packet through it to the controller. If the controller receives the packet, the rogue access point is connected to the enterprise network. This method works only for rogue access points that do not have encryption enabled.

Expiration Timeout for Rogue AP and Rogue Client Entries

Enter the expiration timeout (in seconds) for rogue access point entries.

Rogue Detection Report Interval

Enter the time interval in seconds at which the APs should send the rogue detection report to the controller. A valid range is 10 seconds to 300 seconds, and the default value is 10 seconds. This feature is applicable to APs that are in monitor mode only.

Rogue Detection Minimum RSSI

Enter the minimum RSSI value that a rogue should have for the APs to detect and for the rogue entry to be created in the controller. A valid range is -70 dBm to -128 dBm, and the default value is -128 dBm. This feature is applicable to all the AP modes.

There can be many rogues with very weak RSSI values that do not provide any valuable information in the rogue analysis. Therefore, you can use this option to filter the rogues by specifying the minimum RSSI value at which the APs should detect rogues.

Rogue Detection Transient Interval (Enter 0 to Disable)

Enter the time interval for which a rogue must be consistently detected by the AP after it is first seen before a rogue entry is created. The APs use this value to filter out transient rogues that appear briefly and then disappear. The valid range is 120 to 1800 seconds, and the default value is 0 (disabled). This feature is applicable to APs that are in monitor mode only.
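The three thresholds above (minimum RSSI, transient interval, expiration timeout) applied to a stream of AP reports, as an added example that is not controller code. A report is dropped when its RSSI is below the minimum, a rogue becomes an entry only once reports have kept arriving for the transient interval (0 disables that check), and an entry is removed once nothing has been heard from it for the expiration timeout. The reports, BSSIDs and threshold values are constructed, and reading "consistently scanned" as reports with no gap longer than the report interval is this example's assumption.

```python
"""Rogue report filtering and aging (added example, not controller code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RogueReport:
    bssid: str
    rssi_dbm: int
    seen_at_s: int  # seconds since an arbitrary epoch


@dataclass
class RogueTable:
    min_rssi_dbm: int = -128          # page default: -128 dBm (no RSSI filtering)
    transient_interval_s: int = 0     # page default: 0 (disabled)
    report_interval_s: int = 10       # page default: 10 s
    expiration_timeout_s: int = 1200  # constructed value; the page gives no default
    first_seen: Dict[str, int] = field(default_factory=dict)
    last_seen: Dict[str, int] = field(default_factory=dict)
    entries: Dict[str, int] = field(default_factory=dict)  # bssid -> last report time

    def report(self, r: RogueReport) -> str:
        """Apply the RSSI and transient filters; return what happened to the report."""
        if r.rssi_dbm < self.min_rssi_dbm:
            return "filtered-rssi"
        prev = self.last_seen.get(r.bssid)
        # A gap longer than one report interval means detection was not
        # consistent, so the transient clock restarts (assumption, see above).
        if prev is None or r.seen_at_s - prev > self.report_interval_s:
            self.first_seen[r.bssid] = r.seen_at_s
        self.last_seen[r.bssid] = r.seen_at_s
        if (self.transient_interval_s
                and r.seen_at_s - self.first_seen[r.bssid] < self.transient_interval_s):
            return "transient"
        self.entries[r.bssid] = r.seen_at_s
        return "entry"

    def expire(self, now_s: int) -> List[str]:
        """Age out entries that have not been reported within the expiration timeout."""
        expired = [b for b, t in self.entries.items()
                   if now_s - t > self.expiration_timeout_s]
        for b in expired:
            del self.entries[b]
            self.first_seen.pop(b, None)
            self.last_seen.pop(b, None)
        return expired


def demo() -> Dict[str, int]:
    """A strong rogue reported every 10 s for 130 s, one weak rogue, then aging."""
    table = RogueTable(min_rssi_dbm=-100, transient_interval_s=120,
                       expiration_timeout_s=600)
    outcomes: Dict[str, int] = {}
    for t in range(0, 131, 10):
        result = table.report(RogueReport("00:11:22:33:44:55", -60, t))
        outcomes[result] = outcomes.get(result, 0) + 1
    weak = table.report(RogueReport("66:77:88:99:aa:bb", -110, 50))
    outcomes[weak] = outcomes.get(weak, 0) + 1
    outcomes["expired-at-700"] = len(table.expire(700))  # 570 s since last report
    outcomes["expired-at-731"] = len(table.expire(731))  # 601 s: aged out
    return outcomes
```

Raising the minimum RSSI or the transient interval reduces noise in the rogue list, but it also hides a weak or briefly visible rogue from the analysis; tune both with that trade-off in mind rather than simply suppressing alarms.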

Validate Rogue Clients against AAA

Check to enable the AAA validation of rogue clients.

Detect and Report Adhoc Networks

Check to enable detection and reporting of rogue clients participating in ad hoc networking.

Rogue on Wire

 

Using our SSID

 

Valid Client on Rogue AP