Cisco Systems 102053 802.11a Cardbus radio module User Manual AP1200 Installation and Configu

Cisco Systems Inc 802.11a Cardbus radio module AP1200 Installation and Configu

Contents

CRN 27004 Question 6 AP user manual

Corporate HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706 USAhttp://www.cisco.comTel: 408 526-4000800 553-NETS (6387)Fax: 408 526-4100Cisco Aironet 1200 Series Access PointInstallation and Configuration GuideCisco IOS Release 12.2(8)JAFebruary 2003Text Part Number: OL-3446-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCOOR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.Cisco Aironet 1200 Series Access Point Installation and Configuration GuideCopyright © 2003, Cisco Systems, Inc.All rights reserved.CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Breakthrough, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0301R)
iiiCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01CONTENTSPreface xviiAudience xviiPurpose xviiOrganization xviiConventions xixRelated Publications xxiObtaining Documentation xxiWorld Wide Web xxiDocumentation CD-ROM xxiOrdering Documentation xxiiDocumentation Feedback xxiiObtaining Technical Assistance xxiiCisco.com xxiiTechnical Assistance Center xxiiiCisco TAC Web Site xxiiiCisco TAC Escalation Center xxivCHAPTER1Overview 1-1Features 1-2Hardware Features 1-2Dual-Radio Operation 1-2Ethernet Port 1-2Console Port 1-2Status Indicators 1-3Power Sources 1-3UL 2043 Certification 1-4Anti-Theft Features 1-4Software Features 1-4Management Options 1-5Roaming Client Devices 1-5Network Configuration Examples 1-6Root Unit on a Wired LAN 1-6Repeater Unit that Extends Wireless Range 1-7Central Unit in an All-Wireless Network 1-8
ContentsivCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01CHAPTER2Installing the Access Point 2-1Safety Information 2-2FCC Safety Compliance Statement 2-2General Safety Guidelines 2-2Warnings 2-2Unpacking the Access Point 2-3Package Contents 2-3Basic Installation Guidelines 2-3Installation Above Suspended Ceilings 2-3Before Beginning the Installation 2-4Installation Summary 2-5Connecting the 2.4-GHz Antennas 2-5Connecting the Ethernet and Power Cables 2-5Connecting to an Ethernet Network with an Inline Power Source 2-7Connecting to an Ethernet Network with Local Power 2-7Powering Up the Access Point 2-8CHAPTER3Configuring the Access Point for the First Time 3-1Before You Start 3-2Resetting the Access Point to Default Settings 3-2Obtaining and Assigning an IP Address 3-3Connecting to the Access Point Locally 3-3Assigning Basic Settings 3-4Default Settings on the Express Setup Page 3-7Protecting Your Wireless LAN 3-8Using the IP Setup Utility 3-8Obtaining and Installing IPSU 3-9Using IPSU to Find the Access Point’s IP Address 3-9Using IPSU to Set the Access Point’s IP Address and SSID 3-10Assigning an IP Address Using the CLI 3-11Using a Telnet Session to Access the CLI 3-12CHAPTER4Using the Web-Browser Interface 4-1Using the Web-Browser Interface for the First Time 4-2Using the Management Pages in the Web-Browser Interface 4-2Using Action Buttons 4-4
ContentsvCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Character Restrictions in Entry Fields 4-5Using Online Help 4-5CHAPTER5Using the Command-Line Interface 5-1IOS Command Modes 5-2Getting Help 5-3Abbreviating Commands 5-3Using no and default Forms of Commands 5-3Understanding CLI Messages 5-4Using Command History 5-4Changing the Command History Buffer Size 5-4Recalling Commands 5-5Disabling the Command History Feature 5-5Using Editing Features 5-5Enabling and Disabling Editing Features 5-6Editing Commands Through Keystrokes 5-6Editing Command Lines that Wrap 5-7Searching and Filtering Output of show and more Commands 5-8Accessing the CLI 5-8Opening the CLI with Telnet 5-8Opening the CLI with Secure Shell 5-9CHAPTER6Administering the Access Point 6-1Preventing Unauthorized Access to Your Access Point 6-2Protecting Access to Privileged EXEC Commands 6-2Default Password and Privilege Level Configuration 6-2Setting or Changing a Static Enable Password 6-3Protecting Enable and Enable Secret Passwords with Encryption 6-4Configuring Username and Password Pairs 6-5Configuring Multiple Privilege Levels 6-6Setting the Privilege Level for a Command 6-6Logging Into and Exiting a Privilege Level 6-7Controlling Access Point Access with RADIUS 6-7Default RADIUS Configuration 6-8Configuring RADIUS Login Authentication 6-8Defining AAA Server Groups 6-9Configuring RADIUS Authorization for User Privileged Access and Network Services 6-11Displaying the RADIUS Configuration 6-12
ContentsviCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Controlling Access Point Access with TACACS+ 6-12Default TACACS+ Configuration 6-13Configuring TACACS+ Login Authentication 6-13Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 6-14Displaying the TACACS+ Configuration 6-15Configuring the Access Point for Local Authentication and Authorization 6-15Configuring the Access Point for Secure Shell 6-16Understanding SSH 6-16Configuring SSH 6-17Managing the System Time and Date 6-17Understanding the System Clock 6-17Understanding Network Time Protocol 6-18Configuring NTP 6-19Default NTP Configuration 6-20Configuring NTP Authentication 6-20Configuring NTP Associations 6-22Configuring NTP Broadcast Service 6-23Configuring NTP Access Restrictions 6-24Configuring the Source IP Address for NTP Packets 6-26Displaying the NTP Configuration 6-27Configuring Time and Date Manually 6-27Setting the System Clock 6-28Displaying the Time and Date Configuration 6-28Configuring the Time Zone 6-29Configuring Summer Time (Daylight Saving Time) 6-30Configuring a System Name and Prompt 6-32Default System Name and Prompt Configuration 6-32Configuring a System Name 6-32Understanding DNS 6-33Default DNS Configuration 6-33Setting Up DNS 6-33Displaying the DNS Configuration 6-34Creating a Banner 6-34Default Banner Configuration 6-35Configuring a Message-of-the-Day Login Banner 6-35Configuring a Login Banner 6-36
ContentsviiCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01CHAPTER7Configuring Radio Settings 7-1Disabling and Enabling the Radio Interface 7-2Configuring the Role in Radio Network 7-2Configuring Radio Data Rates 7-4Configuring Radio Transmit Power 7-5Limiting the Power Level for Associated Client Devices 7-6Configuring Radio Channel Settings 7-7Enabling and Disabling World-Mode 7-9Disabling and Enabling Short Radio Preambles 7-9Configuring Transmit and Receive Antennas 7-10Disabling and Enabling Aironet Extensions 7-11Configuring the Ethernet Encapsulation Transformation Method 7-12Enabling and Disabling Reliable Multicast to Workgroup Bridges 7-12Enabling and Disabling Public Secure Packet Forwarding 7-13Configuring Protected Ports 7-14Configuring the Beacon Period and the DTIM 7-15Configure RTS Threshold and Retries 7-15Configuring the Maximum Data Retries 7-16Configuring the Fragmentation Threshold 7-16CHAPTER8Configuring Multiple SSIDs 8-1Understanding Multiple SSIDs 8-2Configuring Multiple SSIDs 8-2Default SSID Configuration 8-3Creating an SSID 8-3Using a RADIUS Server to Restrict SSIDs 8-4CHAPTER9Configuring WEP and WEP Features 9-1Understanding WEP 9-2Configuring WEP and WEP Features 9-2Creating WEP Keys 9-3Enabling and Disabling WEP and Enabling TKIP and MIC 9-3Enabling and Disabling Broadcast Key Rotation 9-4
ContentsviiiCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01CHAPTER10 Configuring Authentication Types 10-1Understanding Authentication Types 10-2Open Authentication to the Access Point 10-2Shared Key Authentication to the Access Point 10-2EAP Authentication to the Network 10-3MAC Address Authentication to the Network 10-5Combining MAC-Based, EAP, and Open Authentication 10-5Configuring Authentication Types 10-6Default Authentication Settings 10-6Assigning Authentication Types to an SSID 10-6Configuring Authentication Holdoffs, Timeouts, and Intervals 10-8Matching Access Point and Client Device Authentication Types 10-9CHAPTER11 Configuring RADIUS and TACACS+ Servers 11-1Configuring and Enabling RADIUS 11-2Understanding RADIUS 11-2RADIUS Operation 11-3Configuring RADIUS 11-4Default RADIUS Configuration 11-4Identifying the RADIUS Server Host 11-4Configuring RADIUS Login Authentication 11-7Defining AAA Server Groups 11-9Configuring RADIUS Authorization for User Privileged Access and Network Services 11-11Starting RADIUS Accounting 11-12Configuring Settings for All RADIUS Servers 11-13Configuring the Access Point to Use Vendor-Specific RADIUS Attributes 11-13Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication 11-14Displaying the RADIUS Configuration 11-15Configuring and Enabling TACACS+ 11-16Understanding TACACS+ 11-16TACACS+ Operation 11-17Configuring TACACS+ 11-17Default TACACS+ Configuration 11-18Identifying the TACACS+ Server Host and Setting the Authentication Key 11-18Configuring TACACS+ Login Authentication 11-19Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 11-20Starting TACACS+ Accounting 11-21Displaying the TACACS+ Configuration 11-22
ContentsixCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01CHAPTER12 Configuring VLANs 12-1Understanding VLANs 12-2Related Documents 12-3Incorporating Wireless Devices into VLANs 12-4Configuring VLANs 12-4Configuring a VLAN 12-4Using a RADIUS Server to Assign Users to VLANs 12-6Viewing VLANs Configured on the Access Point 12-6VLAN Configuration Example 12-7CHAPTER13 Configuring QoS 13-1Understanding QoS for Wireless LANs 13-2QoS for Wireless LANs Versus QoS on Wired LANs 13-2Impact of QoS on a Wireless LAN 13-2Precedence of QoS Settings 13-3Configuring QoS 13-3Configuration Guidelines 13-4Configuring QoS Using the Web-Browser Interface 13-4Adjusting Radio Traffic Class Definitions 13-8Disabling IGMP Snooping Helper 13-10QoS Configuration Examples 13-10Giving Priority to Voice Traffic 13-10Giving Priority to Video Traffic 13-12CHAPTER14 Configuring Proxy Mobile IP 14-1Understanding Proxy Mobile IP 14-2Overview 14-2Components of a Proxy Mobile IP Network 14-2How Proxy Mobile IP Works 14-3Agent Discovery 14-3Subnet Map Exchange 14-4Registration 14-5Tunneling 14-5Proxy Mobile IP Security 14-6Configuring Proxy Mobile IP 14-6Configuration Guidelines 14-6Configuring Proxy Mobile IP on Your Wired LAN 14-7Configuring Proxy Mobile IP on Your Access Point 14-7
ContentsxCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01CHAPTER15 Configuring Filters 15-1Understanding Filters 15-2Configuring Filters Using the CLI 15-2Configuring Filters Using the Web-Browser Interface 15-2Configuring and Enabling MAC Address Filters 15-3Creating a MAC Address Filter 15-3Configuring and Enabling IP Filters 15-5Creating an IP Filter 15-6Configuring and Enabling Ethertype Filters 15-8Creating an Ethertype Filter 15-9CHAPTER16 Configuring CDP 16-1Understanding CDP 16-2Configuring CDP 16-2Default CDP Configuration 16-2Configuring the CDP Characteristics 16-2Disabling and Enabling CDP 16-3Disabling and Enabling CDP on an Interface 16-4Monitoring and Maintaining CDP 16-4CHAPTER17 Configuring SNMP 17-1Understanding SNMP 17-2SNMP Versions 17-2SNMP Manager Functions 17-3SNMP Agent Functions 17-3SNMP Community Strings 17-3Using SNMP to Access MIB Variables 17-4Configuring SNMP 17-4Default SNMP Configuration 17-5Disabling the SNMP Agent 17-5Configuring Community Strings 17-5Configuring Trap Managers and Enabling Traps 17-7Setting the Agent Contact and Location Information 17-9Using the snmp-server view Command 17-9SNMP Examples 17-9Displaying SNMP Status 17-10
ContentsxiCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01CHAPTER18 Configuring Repeater and Standby Access Points 18-1Understanding Repeater Access Points 18-2Configuring a Repeater Access Point 18-3Default Configuration 18-4Guidelines for Repeaters 18-4Setting Up a Repeater 18-4Verifying Repeater Operation 18-5Setting Up a Repeater As a LEAP Client 18-6Understanding Hot Standby 18-7Configuring a Hot Standby Access Point 18-7CHAPTER19 Managing Firmware and Configurations 19-1Working with the Flash File System 19-2Displaying Available File Systems 19-2Setting the Default File System 19-3Displaying Information About Files on a File System 19-3Changing Directories and Displaying the Working Directory 19-4Creating and Removing Directories 19-4Copying Files 19-5Deleting Files 19-5Creating, Displaying, and Extracting tar Files 19-6Creating a tar File 19-6Displaying the Contents of a tar File 19-6Extracting a tar File 19-7Displaying the Contents of a File 19-8Working with Configuration Files 19-8Guidelines for Creating and Using Configuration Files 19-9Configuration File Types and Location 19-9Creating a Configuration File by Using a Text Editor 19-10Copying Configuration Files by Using TFTP 19-10Preparing to Download or Upload a Configuration File by Using TFTP 19-10Downloading the Configuration File by Using TFTP 19-11Uploading the Configuration File by Using TFTP 19-11Copying Configuration Files by Using FTP 19-12Preparing to Download or Upload a Configuration File by Using FTP 19-13Downloading a Configuration File by Using FTP 19-13Uploading a Configuration File by Using FTP 19-14Copying Configuration Files by Using RCP 19-15Preparing to Download or Upload a Configuration File by Using RCP 19-16
ContentsxiiCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Downloading a Configuration File by Using RCP 19-16Uploading a Configuration File by Using RCP 19-17Clearing Configuration Information 19-18Deleting a Stored Configuration File 19-18Working with Software Images 19-18Image Location on the Access Point 19-19tar File Format of Images on a Server or Cisco.com 19-19Copying Image Files by Using TFTP 19-20Preparing to Download or Upload an Image File by Using TFTP 19-20Downloading an Image File by Using TFTP 19-21Uploading an Image File by Using TFTP 19-22Copying Image Files by Using FTP 19-23Preparing to Download or Upload an Image File by Using FTP 19-23Downloading an Image File by Using FTP 19-24Uploading an Image File by Using FTP 19-26Copying Image Files by Using RCP 19-27Preparing to Download or Upload an Image File by Using RCP 19-27Downloading an Image File by Using RCP 19-29Uploading an Image File by Using RCP 19-31Reloading the Image Using the Web Browser Interface 19-32Browser HTTP Interface 19-32Browser TFTP Interface 19-33CHAPTER20 Configuring System Message Logging 20-1Understanding System Message Logging 20-2Configuring System Message Logging 20-2System Log Message Format 20-2Default System Message Logging Configuration 20-3Disabling and Enabling Message Logging 20-4Setting the Message Display Destination Device 20-5Enabling and Disabling Timestamps on Log Messages 20-6Enabling and Disabling Sequence Numbers in Log Messages 20-6Defining the Message Severity Level 20-7Limiting Syslog Messages Sent to the History Table and to SNMP 20-8Setting a Logging Rate Limit 20-9Configuring UNIX Syslog Servers 20-10Logging Messages to a UNIX Syslog Daemon 20-10Configuring the UNIX System Logging Facility 20-10Displaying the Logging Configuration 20-12
ContentsxiiiCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01CHAPTER21 Troubleshooting 21-1Checking the Top Panel Indicators 21-2Checking Basic Settings 21-4SSID 21-4WEP Keys 21-4Security Settings 21-5Resetting to the Default Configuration 21-5Using the MODE Button 21-5Using the Web Browser Interface 21-6Reloading the Access Point Image 21-6Using the MODE button 21-6Web Browser Interface 21-7Browser HTTP Interface 21-7Browser TFTP Interface 21-8Obtaining the Access Point Image File 21-8Obtaining the TFTP Server Software 21-9Activating and Configuring the TFTP Server 21-9CHAPTER22 2.4-GHz Radio Upgrade 22-1Upgrade Overview 22-2Unpacking the Radio 22-2Opening the Access Cover 22-3Removing a Blank Spacer Card 22-4Removing a 2.4-GHz Radio 22-5Installing a 2.4-GHz Radio 22-7CHAPTER23 5-GHz Radio Module Upgrade 23-1Upgrade Overview 23-2Unpacking the Radio Module 23-2Removing the 5-GHz Radio Access Cover 23-2Removing a 5-GHz Radio Module 23-3Installing a 5-GHz Radio Module 23-5APPENDIXATranslated Safety Warnings A-1Dipole Antenna Installation Warning A-2Explosive Device Proximity Warning A-3Lightning Activity Warning A-4
ContentsxivCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Installation Warning A-5Circuit Breaker (15A) Warning A-5APPENDIXBDeclarations of Conformity and Regulatory Information B-1Manufacturers Federal Communication Commission Declaration of Conformity Statement B-2Department of Communications—Canada B-3Canadian Compliance Statement B-3European Community, Switzerland, Norway, Iceland, and Liechtenstein B-4Declaration of Conformity with Regard to the R&TTE Directive 1999/5/EC B-4Declaration of Conformity for RF Exposure B-6Guidelines for Operating Cisco Aironet Access Points in Japan B-6Japanese Translation B-6English Translation B-7APPENDIXCChannels and Antenna Settings C-1Channels C-2IEEE 802.11a C-2IEEE 802.11b C-3Maximum Power Levels C-4IEEE 802.11a C-4IEEE 802.11b C-4APPENDIXDMounting Instructions D-1Overview D-2Mounting on a Horizontal or Vertical Surface D-3Mounting on a Suspended Ceiling D-4Attaching the Access Point to the Mounting Bracket D-5Securing the Access Point to the Mounting Bracket D-5APPENDIXEProtocol Filters E-1APPENDIXFSupported MIBs F-1MIB List F-1Using FTP to Access the MIB Files F-2
ContentsxvCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01APPENDIXGAccess Point Specifications G-1APPENDIXHError and Event Messages H-1APPENDIXIConsole Cable Pinouts I-1Overview I-2Console Port Signals and Pinouts I-2GLOSSARYINDEX
ContentsxviCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01
xviiCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01PrefaceAudienceThis guide is for the networking professional who installs and manages the Cisco Aironet 1200 Series Access Point, hereafter referred to as the access point. To use this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of wireless local area networks.PurposeThis guide provides the information you need to install and configure your access point. This guide provides procedures for using the IOS commands that have been created or changed for use with the access point. It does not provide detailed information about these commands. For detailed information about these commands, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release. For information about the standard IOS Release 12.2 commands, refer to the IOS documentation set available from the Cisco.com home page at Service and Support > TechnicalDocuments. On the Cisco Product Documentation home page, select Release 12.2 from the Cisco IOS Software drop-down list.This guide also includes an overview of the access point web-based interface (APWI), which contains all the funtionality of the command-line interface (CLI). This guide does not provide field-level descriptions of the APWI windows nor does it provide the procedures for configuring the access point from from the APWI. For all APWI window descriptions and procedures, refer to the access point online help, which is available from the Help buttons on the APWI pages.OrganizationThis guide is organized into these chapters:Chapter 1, “Overview,” lists the software and hardware features of the access point and describes the access point’s role in your network.Chapter 2, “Installing the Access Point,” describes installing your access point on a desktop, wall, or ceiling, and provides safety warnings and general guidelines.Chapter 3, “Configuring the Access Point for the First Time,” describes how to configure basic settings on a new access point.
xviiiCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01PrefaceOrganizationChapter 4, “Using the Web-Browser Interface,” describes how to use the web-browser interface to configure the access point.Chapter 5, “Using the Command-Line Interface,” describes how to use the command-line interface (CLI) to configure the access point.Chapter 6, “Administering the Access Point,” describes how to perform one-time operations to administer your access point, such as preventing unauthorized access to the access point, setting the system date and time, and setting the system name and prompt.Chapter 7, “Configuring Radio Settings,” describes how to configure settings for the access point radio such as the role in the radio network, data rates, transmit power, channel settings, and others.Chapter 8, “Configuring Multiple SSIDs,” describes how to configure and manage multiple service set identifiers (SSIDs) on your access point. You can configure up to 16 SSIDs on your access point and assign different configuration settings to each SSID.Chapter 9, “Configuring WEP and WEP Features,” describes how to configure Wired Equivalent Privacy (WEP), Message Integrity Check (MIC), Temporal Key Integrity Protocol (TKIP), and broadcast key rotation to protect your wireless LAN.Chapter 10, “Configuring Authentication Types,” describes how to configure authentication types on the access point. Client devices use these authentication methods to join your network.Chapter 11, “Configuring RADIUS and TACACS+ Servers,” describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+), which provide detailed accounting information and flexible administrative control over authentication and authorization processes. Chapter 12, “Configuring VLANs,” describes how to configure your access point to interoperate with the VLANs set up on your wired LAN. Chapter 13, “Configuring QoS,” describes how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others.Chapter 14, “Configuring Proxy Mobile IP,” describes how to configure your access point’s proxy mobile IP feature. When you enable proxy mobile IP on your access point and on your wired network, the access point helps client devices from other networks remain connected to their home networks.Chapter 15, “Configuring Filters,” describes how to configure and manage MAC address, IP, and Ethertype filters on the access point using the web-browser interface.Chapter 16, “Configuring CDP,” describes how to configure Cisco Discovery Protocol (CDP) on your access point. CDP is a device-discovery protocol that runs on all Cisco network equipment.Chapter 17, “Configuring SNMP,” describes how to configure the Simple Network Management Protocol (SNMP) on your access point. Chapter 18, “Configuring Repeater and Standby Access Points,” descibes how to configure your access point as a hot standby unit or as a repeater unit. Chapter 19, “Managing Firmware and Configurations,” describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.Chapter 20, “Configuring System Message Logging,” describes how to configure system message logging on your access point.Chapter 21, “Troubleshooting,” provides troubleshooting procedures for basic problems with the access point.Chapter 22, “2.4-GHz Radio Upgrade,” provides instructions for upgrading the access point 2.4-GHz radio.
xixCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01PrefaceConventionsChapter 23, “5-GHz Radio Module Upgrade,” provides instructions for upgrading the access point 5-GHz radio.Appendix A, “Translated Safety Warnings,” provides translations of the safety warnings that appear in this publication.Appendix B, “Declarations of Conformity and Regulatory Information,” provides declarations of conformity and regulatory information for the access point.Appendix C, “Channels and Antenna Settings,” lists the access point radio channels and the maximum power levels supported by the world’s regulatory domains.Appendix D, “Mounting Instructions,” describes how to mount the access point on a desktop, wall, or ceiling.Appendix E, “Protocol Filters,” lists some of the protocols that you can filter on the access point. Appendix F, “Supported MIBs,” lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release.Appendix G, “Access Point Specifications,” lists technical specifications for the access point.Appendix H, “Error and Event Messages,” lists the CLI error and event messages and provides an explanation and recommended action for each message.Appendix I, “Console Cable Pinouts,” identifies the pinouts for the serial console cable that connects to the access point’s serial console port. ConventionsThis publication uses these conventions to convey instructions and information:Command descriptions use these conventions:•Commands and keywords are in boldface text.•Arguments for which you supply values are in italic.•Square brackets ([ ]) mean optional elements.•Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.•Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.Interactive examples use these conventions:•Terminal sessions and system displays are in screen font.•Information you enter is in boldface screen font.•Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).Notes, cautions, and timesavers use these conventions and symbols:Tip Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
xxCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01PrefaceConventionsCaution Means reader be careful. In this situation, you might do something that could result equipment damage or loss of data.WarningThis warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix “Translated Safety Warnings.”)WaarschuwingDit waarschuwingssymbool betekent gevaar. U verkeert in een situatie die lichamelijk letsel kan veroorzaken. Voordat u aan enige apparatuur gaat werken, dient u zich bewust te zijn van de bij elektrische schakelingen betrokken risico’s en dient u op de hoogte te zijn van standaard maatregelen om ongelukken te voorkomen. (Voor vertalingen van de waarschuwingen die in deze publicatie verschijnen, kunt u het aanhangsel “Translated Safety Warnings” (Vertalingen van veiligheidsvoorschriften) raadplegen.)VaroitusTämä varoitusmerkki merkitsee vaaraa. Olet tilanteessa, joka voi johtaa ruumiinvammaan. Ennen kuin työskentelet minkään laitteiston parissa, ota selvää sähkökytkentöihin liittyvistä vaaroista ja tavanomaisista onnettomuuksien ehkäisykeinoista. (Tässä julkaisussa esiintyvien varoitusten käännökset löydät liitteestä "Translated Safety Warnings" (käännetyt turvallisuutta koskevat varoitukset).)AttentionCe symbole d’avertissement indique un danger. Vous vous trouvez dans une situation pouvant entraîner des blessures. Avant d’accéder à cet équipement, soyez conscient des dangers posés par les circuits électriques et familiarisez-vous avec les procédures courantes de prévention des accidents. Pour obtenir les traductions des mises en garde figurant dans cette publication, veuillez consulter l’annexe intitulée « Translated Safety Warnings » (Traduction des avis de sécurité).WarnungDieses Warnsymbol bedeutet Gefahr. Sie befinden sich in einer Situation, die zu einer Körperverletzung führen könnte. Bevor Sie mit der Arbeit an irgendeinem Gerät beginnen, seien Sie sich der mit elektrischen Stromkreisen verbundenen Gefahren und der Standardpraktiken zur Vermeidung von Unfällen bewußt. (Übersetzungen der in dieser Veröffentlichung enthaltenen Warnhinweise finden Sie im Anhang mit dem Titel “Translated Safety Warnings” (Übersetzung der Warnhinweise).)AvvertenzaQuesto simbolo di avvertenza indica un pericolo. Si è in una situazione che può causare infortuni. Prima di lavorare su qualsiasi apparecchiatura, occorre conoscere i pericoli relativi ai circuiti elettrici ed essere al corrente delle pratiche standard per la prevenzione di incidenti. La traduzione delle avvertenze riportate in questa pubblicazione si trova nell’appendice, “Translated Safety Warnings” (Traduzione delle avvertenze di sicurezza).AdvarselDette varselsymbolet betyr fare. Du befinner deg i en situasjon som kan føre til personskade. Før du utfører arbeid på utstyr, må du være oppmerksom på de faremomentene som elektriske kretser innebærer, samt gjøre deg kjent med vanlig praksis når det gjelder å unngå ulykker. (Hvis du vil se oversettelser av de advarslene som finnes i denne publikasjonen, kan du se i vedlegget "Translated Safety Warnings" [Oversatte sikkerhetsadvarsler].)
xxiCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01PrefaceRelated PublicationsRelated PublicationsThese documents provide complete information about the access point:•Release Notes for 1200 Series Access Points•Cisco Aironet 1200 Series Access Point Command ReferenceClick this link to browse to the Cisco Aironet documentation home page:http://www.cisco.com/univercd/cc/td/doc/product/wireless/index.htmTo browse to the 1200 series access point documentation, select Aironet 1200 Series Wireless LAN Products > Cisco Aironet 1200 Series Access Points.Obtaining DocumentationCisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.Cisco.comYou can access the most current Cisco documentation on the World Wide Web at this URL:http://www.cisco.com/univercd/home/home.htmYou can access the Cisco website at this URL:http://www.cisco.comInternational Cisco web sites can be accessed from this URL:http://www.cisco.com/public/countries_languages.shtmlAvisoEste símbolo de aviso indica perigo. Encontra-se numa situação que lhe poderá causar danos fisicos. Antes de começar a trabalhar com qualquer equipamento, familiarize-se com os perigos relacionados com circuitos eléctricos, e com quaisquer práticas comuns que possam prevenir possíveis acidentes. (Para ver as traduções dos avisos que constam desta publicação, consulte o apêndice “Translated Safety Warnings” - “Traduções dos Avisos de Segurança”).¡Advertencia!Este símbolo de aviso significa peligro. Existe riesgo para su integridad física. Antes de manipular cualquier equipo, considerar los riesgos que entraña la corriente eléctrica y familiarizarse con los procedimientos estándar de prevención de accidentes. (Para ver traducciones de las advertencias que aparecen en esta publicación, consultar el apéndice titulado “Translated Safety Warnings.”)Varning!Denna varningssymbol signalerar fara. Du befinner dig i en situation som kan leda till personskada. Innan du utför arbete på någon utrustning måste du vara medveten om farorna med elkretsar och känna till vanligt förfarande för att förebygga skador. (Se förklaringar av de varningar som förekommer i denna publikation i appendix "Translated Safety Warnings" [Översatta säkerhetsvarningar].)
xxiiCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01PrefaceObtaining DocumentationDocumentation CD-ROMCisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which might have shipped with your product. The Documentation CD-ROM is updated monthly and might be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:http://www.cisco.com/go/subscriptionOrdering DocumentationYou can find instructions for ordering documentation at this URL:http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htmYou can order Cisco documentation in these ways:•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:http://www.cisco.com/en/US/partner/ordering/index.shtml•Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD=) through the online Subscription Store:http://www.cisco.com/go/subscription•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387). Documentation FeedbackYou can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.You can email your comments to bug-doc@cisco.com.You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:Cisco SystemsAttn: Customer Document Ordering170 West Tasman DriveSan Jose, CA 95134-9883We appreciate your comments.
xxiiiCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01PrefaceObtaining Technical AssistanceObtaining Technical AssistanceCisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities. Cisco.comCisco.com offers a suite of interactive, networked services that let you access Cisco information,networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.com provides a broad range of features and services to help you with these tasks:•Streamline business processes and improve productivity •Resolve technical issues with online support•Download and test software packages•Order Cisco learning materials and merchandise•Register for online skill assessment, training, and certification programsTo obtain customized information and service, you can self-register on Cisco.com at this URL:http://www.cisco.comTechnical Assistance CenterThe Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.We categorize Cisco TAC inquiries according to urgency:•Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.•Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.•Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.•Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.Cisco TAC WebsiteYou can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:http://www.cisco.com/tac
xxivCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01PrefaceObtaining Additional Publications and InformationAll customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:http://tools.cisco.com/RPF/register/register.doIf you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:http://www.cisco.com/en/US/support/index.htmlIf you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.Cisco TAC Escalation CenterThe Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:http://www.cisco.com/warp/public/687/Directory/DirTAC.shtmlBefore calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.Obtaining Additional Publications and InformationInformation about Cisco products, technologies, and network solutions is available from various online and printed sources.•The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:http://www.cisco.com/en/US/products/products_catalog_links_launch.html•Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:http://www.ciscopress.com•Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html•iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL:http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html
xxvCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01PrefaceObtaining Additional Publications and Information•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html•Training—Cisco offers world-class networking training, with current offerings in network training listed at this URL:http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html
xxviCisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01PrefaceObtaining Additional Publications and Information
CHAPTER1-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-011OverviewCisco Aironet 1200 Series Access Points (hereafter called access points) provide a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, the 1200 series is a Wi-Fi certified, 802.11b-compliant and 802.11a-compliant wireless LAN transceiver. The 1200 series access point can contain two radios: a 2.4-GHz radio in an internal mini-PCI slot and a 5-GHz radio module in an external, modified cardbus slot. The access point supports one radio of each type, but it does not support two 2.4-GHz or two 5-GHz radios. You can configure the radios separately, using different settings on each radio.The access point serves as the connection point between wireless and wired networks or as the center point of a stand-alone wireless network. In large installations, wireless users within radio range of an access point can roam throughout a facility while maintaining seamless, uninterrupted access to the network.You can configure and monitor the access point using the command-line interface (CLI), the browser-based management system, or Simple Network Management Protocol (SNMP). This chapter provides information on the following topics:•Features, page 1-2•Management Options, page 1-5•Roaming Client Devices, page 1-5•Network Configuration Examples, page 1-6
1-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 1 OverviewFeaturesFeaturesThis section describes access point features. Refer to Appendix G, “Access Point Specifications,” for a list of access point specifications.Hardware FeaturesKey hardware features of the 1200 series access point include:•Dual-Radio Operation, page 1-2•Ethernet Port, page 1-2•Console Port, page 1-2•Status Indicators, page 1-3•Power Sources, page 1-3•UL 2043 Certification, page 1-4•Anti-Theft Features, page 1-4Dual-Radio OperationThe 1200 series access point can be initially configured from the factory for single- or dual-radio operation. You can also upgrade an access point configured for single-radio operation to support dual-radio operation using a 5-GHz radio module or a 2.4-GHz mini-PCI radio card. The 2.4-GHz mini-PCI radio card connects to an internal mini-PCI slot. The 5-GHz radio module connects to the access point’s modified card bus connector. The module incorporates an Unlicensed National Information Infrastructure (UNII) radio transceiver operating in two of the UNII 5-GHz frequency bands and supporting up to 8 channels. The module contains dual integrated omnidirectional antennas and directional patch antennas for diversity operation. The 2.4-GHz radio is called Radio 0 and the 5-GHz radio is called Radio 1.Ethernet PortThe auto-sensing Ethernet port accepts an RJ-45 connector, linking the access point to your 10BASE-T or 100BASE-T Ethernet LAN. The access point can receive power through the Ethernet cable from a power injector, switch, or power patch panel. The Ethernet MAC address is printed on the label on the back of the access point.Console PortThe console port provides access to the access point’s command-line interface (CLI) using a terminal emulator program. Use an RJ-45 to DB-9 serial cable to connect your computer’s COM port to the access point’s serial console port. (Refer to Appendix I, “Console Cable Pinouts,” for a description of the console port pinouts.) Assign the following port settings to a terminal emulator to open the management system pages: 9600 baud, 8 data bits, No parity, 1 stop bit and no flow control.
1-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 1 OverviewFeaturesStatus IndicatorsThe three indicators on the top of the access point report Ethernet activity, association status, and radio activity.•The Ethernet indicator signals Ethernet traffic on the wired LAN, or Ethernet infrastructure. This indicator is normally green when an Ethernet cable is connected and blinks green when a packet is received or transmitted over the Ethernet infrastructure. The indicator is off when the Ethernet cable is not connected. •The status indicator signals operational status. Green indicates that the access point is associated with at least one wireless client. Blinking green indicates that the access point is operating normally but is not associated with any wireless devices. •The radio indicator signals wireless traffic over the radio interface. The light is normally off, but it blinks green whenever a packet is received or transmitted over the access point radio.Figure 1-1 shows the three status indicators.Figure 1-1 Access Point IndicatorsPower SourcesThe access point can receive power from an external power module or through inline power using the Ethernet cable. Using inline power, you do not need to run a separate power cord to the access point. The access point supports the following power sources:•Power supply (input 100–240 VAC, 50–60 Hz, output 48 VDC, 0.2A minimum)•Inline power from:–Cisco Aironet Power Injector for 1100 and 1200 series access points–A switch capable of providing inline power, such as Cisco Catalyst 3500XL, 3550, 4500, or 6500 switchesRadioStatusEthernet86704
1-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 1 OverviewFeatures–An inline power patch panel, such as the Cisco Catalyst Inline Power Patch PanelNote The Catalyst 3550-24 PWR switch supports power for access points configured with both 2.4-GHz and 5-GHz radios. Other switches and patch panels might not provide enough power for the 5-GHz radio.UL 2043 CertificationCaution The 1200 series power injectors are not tested to UL 2043 and should not be placed in a building’senvironmental air space, such as above suspended ceilings. The access point is encased in a durable metal case having adequate fire resistance and low smoke-producing characteristics suitable for operation in a building's environmental air space, such as above suspended ceilings, in accordance with Section 300-22(c) of the NEC, and with Sections 2-128, 12-010(3) and 12-100 of the Canadian Electrical Code, Part 1, C22.1.Anti-Theft FeaturesThere are two methods of securing the access point to help prevent theft:•Security cable keyhole—You can use the security cable slot to secure the access point using a standard security cable, such as those used on laptop computers.•Security hasp—When you mount the access point on a wall or ceiling using the mounting bracket and the security hasp, you can lock the access point to the bracket with a padlock. Compatible padlocks are Master Lock models 120T and 121T or equivalent.Software FeaturesIn addition to all the standard access point features, 1200 series access points also offer these software features:•World mode—Use this feature to communicate the access point’s regulatory setting information, including maximum transmit power and available channels, to world mode-enabled clients. Clients using world mode can be used in countries with different regulatory settings and automatically conform to local regulations. World mode is supported only on the 2.4-GHz radio.•Repeater mode—Configure the access point as a wireless repeater to extend the coverage area of your wireless network. •Standby mode—Configure the access point as a standby unit that monitors another access point and assumes its role in the network if the monitored access point fails.•Multiple SSIDs—Create up to 16 SSIDs on your access point and assign any combination of these settings to each SSID: –Broadcast SSID mode for guests on your network–Client authentication methods–Maximum number of client associations–VLAN identifier–Proxy Mobile IP
1-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 1 OverviewManagement Options–RADIUS accounting list identifier–A separate SSID for infrastructure devices such as repeaters and workgroup bridges•VLANs—Assign VLANs to the SSIDs on your access point (one VLAN per SSID) to differentiate policies and services among users.•QoS—Use this feature to support quality of service for prioritizing traffic from the Ethernet to the access point. The access point also supports the voice-prioritization schemes used by 802.11b wireless phones such as Spectralink's Netlink™ and Symbol’s Netvision™.•Proxy Mobile IP—Use this feature to configure the access point to provide proxy Mobile IP service for clients that do not have mobile IP software installed.•RADIUS Accounting—Enable accounting on the access point to send accounting data about wireless client devices to a RADIUS server on your network.•TACACS+ adminstrator authentication—Enable TACACS+ for server-based, detailed accounting information and flexible administrative control over authentication and authorization processes. It provides secure, centralized validation of administrators attempting to gain access to your access point. •Enhanced security—Enable three advanced security features to protect against sophisticated attacks on your wireless network's WEP keys: Message Integrity Check (MIC), WEP key hashing, and broadcast WEP key rotation.•Enhanced authentication services—Set up repeater access points to authenticate to your network like other wireless client devices. After you provide a network username and password for the repeater, it authenticates to your network using LEAP, Cisco's wireless authentication method, and receives and uses dynamic WEP keys. Management OptionsYou can use the access point management system through the following interfaces:•The IOS command-line interface (CLI), which you use through a Telnet session. Most of the examples in this manual are taken from the CLI. Chapter 5, “Using the Command-Line Interface,”provides a detailed description of the CLI.•A web-browser interface, which you use through a web browser. Chapter 4, “Using the Web-Browser Interface,” provides a detailed description of the web-browser interface.•Simple Network Management Protocol (SNMP). Chapter 17, “Configuring SNMP,” explains how to configure your access point for SNMP management.Roaming Client DevicesIf you have more than one access point in your wireless LAN, wireless client devices can roam seamlessly from one access point to another. The roaming functionality is based on signal quality, not proximity. When a client’s signal quality drops, it roams to another access point. Wireless LAN users are sometimes concerned when a client device stays associated to a distant access point instead of roaming to a closer access point. However, if a client’s signal to a distant access point remains strong and the signal quality is high, the client will not roam to a closer access point. Checking constantly for closer access points would be inefficient, and the extra radio traffic would slow throughput on the wireless LAN.
1-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 1 OverviewNetwork Configuration ExamplesNetwork Configuration ExamplesThis section describes the access point’s role in three common wireless network configurations. The access point’s default configuration is as a root unit connected to a wired LAN or as the central unit in an all-wireless network. The repeater role requires a specific configuration.Root Unit on a Wired LANAn access point connected directly to a wired LAN provides a connection point for wireless users. If more than one access point is connected to the LAN, users can roam from one area of a facility to another without losing their connection to the network. As users move out of range of one access point, they automatically connect to the network (associate) through another access point. The roaming process is seamless and transparent to the user. Figure 1-2 shows access points acting as root units on a wired LAN.Figure 1-2 Access Points as Root Units on a Wired LANAccess Point(Root Unit)Access Point(Root Unit)65999Wired LAN
1-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 1 OverviewNetwork Configuration ExamplesRepeater Unit that Extends Wireless RangeAn access point can be configured as a stand-alone repeater to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. The repeater forwards traffic between wireless users and the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN. The data is sent through the route that provides the best performance for the client. Figure 1-3 shows an access point acting as a repeater. Consult the “Configuring a Repeater Access Point” section on page 18-3 for instructions on setting up an access point as a repeater.Note Non-Cisco client devices might have difficulty communicating with repeater access points.Figure 1-3 Access Point as RepeaterAccess Point(Root Unit)Access Point(Repeater)66000Wired LAN
1-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 1 OverviewNetwork Configuration ExamplesCentral Unit in an All-Wireless NetworkIn an all-wireless network, an access point acts as a stand-alone root unit. The access point is not attached to a wired LAN; it functions as a hub linking all stations together. The access point serves as the focal point for communications, increasing the communication range of wireless users. Figure 1-4shows an access point in an all-wireless network.Figure 1-4 Access Point as Central Unit in All-Wireless NetworkAccess Point(Root Unit)65998
CHAPTER2-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-012Installing the Access PointThis chapter describes the setup of the access point and includes the following sections:•Safety Information, page 2-2•Warnings, page 2-2•Unpacking the Access Point, page 2-3•Basic Installation Guidelines, page 2-3•Before Beginning the Installation, page 2-4•Installation Summary, page 2-5•Connecting the 2.4-GHz Antennas, page 2-5•Connecting the Ethernet and Power Cables, page 2-5
2-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 2 Installing the Access PointSafety InformationSafety InformationFollow the guidelines in this section to ensure proper operation and safe use of the access point.FCC Safety Compliance StatementThe FCC with its action in ET Docket 96-8 has adopted a safety standard for human exposure to radio frequency (RF) electromagnetic energy emitted by FCC certified equipment. When used with approved Cisco Aironet antennas, Cisco Aironet products meet the uncontrolled environmental limits found in OET-65 and ANSI C95.1, 1991. Proper installation of this radio according to the instructions found in this manual will result in user exposure that is substantially below the FCC recommended limits.General Safety Guidelines•Do not touch or move antenna(s) while the unit is transmitting or receiving.•Do not hold any component containing a radio so that the antenna is very close to or touching any exposed parts of the body, especially the face or eyes, while transmitting.•The use of wireless devices in hazardous locations is limited to the constraints posed by the local codes, the national codes, and the safety directors of such environments.WarningsTranslated versions of the following safety warnings are provided in Appendix A, “Translated Safety Warnings.”WarningIn order to comply with FCC radio frequency (RF) exposure limits, dipole antennas should be located at a minimum of 7.9 inches (20 cm) or more from the body of all persons.WarningDo not operate your wireless network device near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use.WarningDo not work on the system or connect or disconnect cables during periods of lightning activity.WarningRead the installation instructions before you connect the system to its power source.WarningThis product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15A U.S. (240 VAC, 10A international) is used on the phase conductors (all current-carrying conductors).
2-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 2 Installing the Access PointUnpacking the Access PointUnpacking the Access PointFollow these steps to unpack the access point:Step 1 Open the shipping container and carefully remove the contents. Step 2 Return all packing materials to the shipping container and save it.Step 3 Ensure that all items listed in the “Package Contents” section are included in the shipment. Check each item for damage. If any item is damaged or missing, notify your authorized Cisco sales representative. Package ContentsEach access point package contains the following items:•Cisco Aironet 1200 Series Access Point•Cisco Aironet 1200 Series Power Module (Universal power supply)•Quick Start Guide: Cisco Aironet 1200 Series Access Point•Cisco product registration and Cisco documentation feedback cardsBasic Installation GuidelinesBecause the access point is a radio device, it is susceptible to common causes of interference that can reduce throughput and range. Follow these basic guidelines to ensure the best possible performance:•Install the access point in an area where large steel structures such as shelving units, bookcases, and filing cabinets do not block the radio signals to and from the access point.•Install the access point away from microwave ovens. Microwave ovens operate on the same frequency as the access point and can cause signal interference.Installation Above Suspended CeilingsThe access point uses a metal enclosure having adequate fire resistance and low smoke-producing characteristics suitable for operation in a building’s environmental air space in accordance with Section 300-22(c) of the NEC, such as above suspended ceilings. For mounting instructions, refer to Appendix D, “Mounting Instructions.”Caution Cisco Aironet power injectors are not tested to UL 2043 and should not be placed in a building’senvironmental air space, such as above suspended ceilings. Note If you plan to mount the access point in environmental air space and will upgrade to a 5-GHz radio, Cisco recommends that you mount the access point horizontally with its antennas pointing down. Doing so will result in the access point complying with regulatory requirements for environmental air space after the 5-GHz radio is installed.
2-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 2 Installing the Access PointBefore Beginning the InstallationBefore Beginning the InstallationBefore you begin the installation process, please refer to Figure 2-1 and Figure 2-2 to become familiar with the access point’s layout, connectors, and 5-GHz module location.Figure 2-1 Access Point Layout and ConnectorsFigure 2-2 5-GHz Radio Module12.4-GHz antenna connectors 5Mode button248 VDC power port 6Status LEDs3Ethernet port (RJ-45) 7Mounting bracket4Console port (RJ-45)1 2 3 4 67 156584715-GHz radio module mounting screws 3Access point25-GHz radio module antenna (patch position)746311 1 2 3
2-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 2 Installing the Access PointInstallation SummaryInstallation SummaryWhile installing the access point, you must perform the following operations:•If your access point has a 2.4-GHz radio, connect a single antenna or dual diversity antennas (refer to the “Connecting the Ethernet and Power Cables” section on page 2-5).•Connect Ethernet and power cables (refer to the “Connecting the Ethernet and Power Cables”section on page 2-5).•Configure basic settings (refer to Chapter 3, “Configuring the Access Point for the First Time”).•Configure security and other access point options. •Use the mounting kit to install the access point on a convenient flat horizontal or vertical surface, such as a desktop, book shelf, file cabinet, wall, or ceiling. For additional information on mounting, refer to Appendix D, “Mounting Instructions.”Connecting the 2.4-GHz AntennasThe access point supports a single antenna or dual diversity antennas. Two R-TNC antenna connectors are provided on the back of the unit for the 2.4-GHz radio. If you are using a Cisco Aironet 2 dBi antenna, follow the steps below:Step 1 Attach an antenna to the Right/Primary 2.4-GHz (R-TNC) antenna connector on the back of the access point and tighten hand tight. If you are using two antennas for diversity coverage, attach the second antenna to the Left 2.4-GHz (R-TNC) antenna connector.Step 2 Orient the antenna depending on how you intend to mount the access point.•On a table or desk, orient the antenna straight up.•On a vertical surface, such as a wall, orient the antenna straight up.•On a ceiling, orient the antenna straight down.If you are using another Cisco Aironet antenna, refer to the instructions that came with your antenna.
2-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 2 Installing the Access PointConnecting the Ethernet and Power CablesConnecting the Ethernet and Power CablesThe access point receives power through the Ethernet cable or an external power module. Figure 2-3shows the power options for the access point. Figure 2-3 Access Point Power OptionsThe access point power options are listed below:•A switch with inline power, such as a Cisco Catalyst 3500XL, 3550-24 PWR, 4000, or 6500 switch•An inline power patch panel, such as a Cisco Catalyst Inline Power Patch Panel•A power injector •A power module (Universal power supply)Note Currently, the Catalyst 3550-24 PWR switch supports power for both the 2.4-GHz radio and the 5-GHz radio. Other switches and power patch panels might not provide enough power for the 5-GHz radio.Note If you use in-line power from a switch or patch panel, do not connect the power module to the access point. Using two power sources on the access point might cause the switch or patch panel to shut down the port to which the access point is connected.PowercordUniversalpower supplySYSTRPSDUPLXMODESPEEDUTILSTAT123456789101112131415161718192021222324 232410Base-T/100Base-TX100Base-FXCatalyst 2950SERIESSYSTRPSDUPLXMODESPEEDUTILSTAT12345678910111213141516 1718192021222324232410Base-T/100Base-TX 100Base-FXCatalyst2950SERIESSYSTRPSDUPLXMODESPEEDUTILSTAT123456789101112131415161718192021222324232410Base-T/100Base-TX 100Base-FXCatalyst 2950SERIESSYSTRPSDUPLXMODESPEEDUTILSTATTOAP/ BRIDGETONETWORKSwitch withinline powerPower injectorAccess PointSwitch(without inline power)Switch(without inline power)Inline PowerPatch PanelOption 1 Option 2 Option 3Option 474164
2-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 2 Installing the Access PointConnecting the Ethernet and Power CablesConnecting to an Ethernet Network with an Inline Power SourceCaution The Cisco Aironet Power Injector for the 1100 and 1200 series is designed for use with 1100 series or 1200 series access points only. Using the power injector with other Ethernet-ready devices can damage the equipment.Caution The Cisco Aironet Power Injector for the 1100 and 1200 series is not tested to UL 2043 and should not be placed in a building's environmental air space, such as above suspended ceilings.Follow these steps to connect the access point to the Ethernet LAN when you have an inline power source:Step 1 Connect the Ethernet cable to the RJ-45 Ethernet connector labeled Ethernet on the access point. Step 2 Connect the other end of the Ethernet cable to one of the following:•A switch with inline power, such as a Cisco Catalyst 3500XL, 3550-24 PWR, 4000, or 6500 switch.•An inline power switch panel, such as a Cisco Catalyst Inline Power Patch Panel.•The end of a Cisco Aironet power injector labeled To AP/Bridge. Connect the other end labeled To Network to the 10/100 Ethernet LAN.Note If you use a power supply or power injector to power the access point, you must use the power supply included with your access point and the Cisco Aironet Power Injector for the 1100 and 1200 series access points.Connecting to an Ethernet Network with Local PowerFollow these steps to connect the access point to an Ethernet LAN when you are using a local power source:Step 1 Connect the Ethernet cable to the RJ-45 Ethernet connector labeled Ethernet on the access point. Step 2 Plug the other end of the Ethernet cable into an unpowered Ethernet port on your network.Step 3 Connect the power module’s output connector to the 48-VDC power port labeled 48VDC on the access point.Step 4 Plug the other end of the power module into an approved 100- to 240-VAC outlet.
2-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 2 Installing the Access PointConnecting the Ethernet and Power CablesPowering Up the Access PointWhen power is applied to the access point, it begins a routine power-up sequence that you can monitor by observing the three LEDs on top of the access point. After you observe all three LEDs turning green to indicate the starting of the IOS operating system, the Status LED blinks green signifying that IOS is operational. When in an operational status, the Ethernet LED is steady green when no traffic is being passed and dark during periods when traffic is being passed. The sequence takes about 1 minute to complete. Refer to Chapter 21, “Troubleshooting,” for LED descriptions.When the sequence is complete, you are ready to obtain the access point’s IP address and perform an initial configuration. Refer to Chapter 3, “Configuring the Access Point for the First Time,” for instructions on assigning basic settings to the access point.
CHAPTER3-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-013Configuring the Access Point for the First TimeThis chapter describes how to configure basic settings on your access point for the first time. The contents of this chapter are similar to the instructions in the quick start guide that shipped with your access point. You can configure all the settings described in this chapter using the CLI, but it might be simplest to browse to the access point’s web-browser interface to complete the initial configuration and then use the CLI to enter additional settings for a more detailed configuration. This chapter contains these sections:•Before You Start, page 3-2•Obtaining and Assigning an IP Address, page 3-3•Connecting to the Access Point Locally, page 3-3•Assigning Basic Settings, page 3-4•Protecting Your Wireless LAN, page 3-8•Using the IP Setup Utility, page 3-8•Assigning an IP Address Using the CLI, page 3-11•Using a Telnet Session to Access the CLI, page 3-12
3-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 3 Configuring the Access Point for the First TimeBefore You StartBefore You StartBefore you install the access point, make sure you are using a computer connected to the same network as the access point, and obtain the following information from your network administrator:•A system name for the access point•The case-sensitive wireless service set identifier (SSID) for your radio network•If not connected to a DHCP server, a unique IP address for your access point (such as 172.17.255.115)•If the access point is not on the same subnet as your PC, a default gateway address and subnet mask•A Simple Network Management Protocol (SNMP) community name and the SNMP file attribute (if SNMP is in use)•If you use IPSU to find or assign the access point IP address, the MAC address from the label on the bottom of the access point (such as 00164625854c)Resetting the Access Point to Default SettingsIf you need to start over during the initial setup process, follow these steps to reset the access point to factory default settings using the access point MODE button:Step 1 Disconnect power (the power jack for external power or the Ethernet cable for in-line power) from the access point.Step 2 Press and hold the MODE button while you reconnect power to the access point.Step 3 Hold the MODE button until the Status LED turns amber (approximately 1 to 2 seconds), and release the button. All access point settings return to factory defaults.Follow these steps to return to default settings using the web-browser interface:Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the access point’s IP address in the browser address line and press Enter. An Enter Network Password window appears.Step 3 Enter your username in the User Name field. The default username is Cisco.Step 4 Enter the access point password in the Password field and press Enter. The default password is Cisco.The Summary Status page appears.Step 5 Click System Software and the System Software screen appears.Step 6 Click System Configuration and the System Configuration screen appears.Step 7 Click the Reset to Defaults button.Note If the access point is configured with a static IP address, the IP address does not change.
3-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 3 Configuring the Access Point for the First TimeObtaining and Assigning an IP AddressObtaining and Assigning an IP AddressTo browse to the access point’s Express Setup page, you must either obtain or assign the access point’sIP address using one of the following methods:•Connect to the access point console port and assign a static IP address. Follow the steps in the “Connecting to the Access Point Locally” section on page 3-3 to connect to the console port. •Use a DHCP server (if available) to automatically assign an IP address. You can find out the DHCP-assigned IP address using one of the following methods:–Connect to the access point console port and use the show ip interface brief command to display the IP address. Follow the steps in the “Connecting to the Access Point Locally” section on page 3-3 to connect to the console port.–Provide your organization’s network administrator with your access point’s Media Access Control (MAC) address. Your network administrator will query the DHCP server using the MAC address to identify the IP address. The access point’s MAC address is on label attached to the bottom of the access point.–Use the Cisco IP Setup Utility (IPSU) to identify the assigned address. You can also use IPSU to assign an IP address to the access point if it did not receive an IP address from the DHCP server. IPSU runs on most Microsoft Windows operating systems: Windows 9x, 2000, Me, NT, and XP.You can download IPSU from the Software Center on Cisco.com. Click this link to browse to the Software Center:http://www.cisco.com/public/sw-center/sw-wireless.shtml
3-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 3 Configuring the Access Point for the First TimeConnecting to the Access Point LocallyConnecting to the Access Point LocallyIf you need to configure the access point locally (without connecting the access point to a wired LAN), you can connect a PC to its console port using a DB-9 to RJ-45 serial cable. Follow these steps to open the CLI by connecting to the access point console port:Step 1 Connect a nine-pin, female DB-9 to RJ-45 serial cable to the RJ-45 serial port on the access point and to the COM port on a computer. Figure 3-1 shows the serial port connection.Figure 3-1 Connecting the Serial CableNote The Cisco part number for the DB-9 to RJ-45 serial cable is AIR-CONCAB1200. Browse to http://www.cisco.com/go/marketplace to order a serial cable.Step 2 Set up a terminal emulator to communicate with the access point. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.Assigning Basic SettingsAfter you determine or assign the access point’s IP address, you can browse to the access point’s Express Setup page and perform an initial configuration:Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the access point’s IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Press Tab to bypass the Username field and advance to the Password field.Step 4 Enter the case-sensitive password Cisco and press Enter. The Summary Status page appears. Figure 3-2shows the Summary Status page.RJ-45 serialconnectorDB-9 to RJ-45serial cable74005
3-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 3 Configuring the Access Point for the First TimeAssigning Basic SettingsFigure 3-2 Summary Status PageStep 5 Click Express Setup. The Express Setup screen appears. Figure 3-3 shows the Express Setup page.
3-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 3 Configuring the Access Point for the First TimeAssigning Basic SettingsFigure 3-3 Express Setup PageStep 6 Enter the configuration settings you obtained from your system administrator. The configurable settings include:•System Name— The system name, while not an essential setting, helps identify the access point on your network. The system name appears in the titles of the management system pages.•Configuration Server Protocol—Click on the button that matches the network’s method of IP address assignment.–DHCP—IP addresses are automatically assigned by your network’s DHCP server.–Static IP—The access point uses a static IP address that you enter in the IP address field.•IP Address—Use this setting to assign or change the access point’s IP address. If DHCP is enabled for your network, leave this field blank. Note If the access point’s IP address changes while you are configuring the access point using the web-browser interface or a Telnet session over the wired LAN, you lose your connection to the access point. If you lose your connection, reconnect to the access point using its new IP address. Follow the steps in the “Resetting the Access Point to Default Settings” section on page 3-2 if you need to start over.•IP Subnet Mask—Enter the IP subnet mask provided by your network administrator so the IP address can be recognized on the LAN. If DHCP is enabled, leave this field blank. •Default Gateway—Enter the default gateway IP address provided by your network administrator. If DHCP is enabled, leave this field blank. •Radio Service Set ID (SSID)—Enter the case-sensitive SSID (32 alphanumeric characters maximum) provided by your network administrator. The SSID is a unique identifier that client devices use to associate with the access point.
3-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 3 Configuring the Access Point for the First TimeAssigning Basic Settings•Broadcast SSID in Beacon—Use this setting to allow devices that do not specify an SSID to associate with the access point.–Ye s —This is the default setting; it allows devices that do not specify an SSID to associate with the access point.–No—Devices must specify an SSID to associate with the access point. With No selected, the SSID used by the client devices must match exactly the access point’s SSID.•Role in Radio Network—Click on the button that describes the role of the access point on your network. Select Access Point (Root) if your access point is connected to the wired LAN. Select Repeater (Non-Root) if it is not connected to the wired LAN.•Optimize Radio Network for—Use this setting to select either preconfigured settings for the access point radio or customized settings for the access point radio.–Throughput—Maximizes the data volume handled by the access point but might reduce its range.–Range—Maximizes the access point’s range but might reduce throughput.–Custom—The access point uses settings you enter on the Network Interfaces: Radio-802.11b Settings page. Clicking Custom takes you to the Network Interfaces: Radio-802.11b Settings page.•Aironet Extensions—Enable this setting if there are only Cisco Aironet devices on your wireless LAN.•SNMP Community—If your network is using SNMP, enter the SNMP Community name provided by your network administrator and select the attributes of the SNMP data (also provided by your network administrator). Step 7 Click Apply to save your settings. If you changed the IP address, you lose your connection to the access point. Browse to the new IP address to reconnect to the access point.Your access point is now running but probably requires additional configuring to conform to your network’s operational and security requirements. Consult the chapters in this manual for the information you need to complete the configuration. Note You can restore the access point to its factory defaults by unplugging the power jack and plugging it back in while holding down the Mode button for a few seconds, or until the Status LED turns amber.Default Settings on the Express Setup PageTable 3-1 lists the default settings for the settings on the Express Setup page. Table 3-1 Default Settings on the Express Setup PageSetting DefaultSystem Name apConfiguration Server Protocol DHCP
3-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 3 Configuring the Access Point for the First TimeProtecting Your Wireless LANProtecting Your Wireless LANAfter you assign basic settings to your access point, you must configure security settings to prevent unauthorized access to your network. Because it is a radio device, the access point can communicate beyond the physical boundaries of your building. Configure some combination of these security features to protect your network from intruders:•Unique SSIDs that are not broadcast in the access point beacon (see Chapter 8, “Configuring Multiple SSIDs.”)•WEP and additional WEP features, such as TKIP and broadcast key rotation (see Chapter 9, “Configuring WEP and WEP Features.”)•Dynamic WEP and client authentication (see Chapter 10, “Configuring Authentication Types.”)Using the IP Setup UtilityIPSU enables you to find the access point’s IP address when it has been assigned by a DHCP server. You can also use IPSU to set the access point’s IP address and SSID if they have not been changed from the default settings. This section explains how to install the utility, how to use it to find the access point’s IP address, and how to use it to set the IP address and the SSID.Note IPSU can be used only on the following operating systems: Windows 95, 98, NT, 2000, ME, or XP. IP Address Assigned by DHCP by default; if DHCP is disabled, the default setting is 10.0.0.1IP Subnet Mask Assigned by DHCP by default; if DHCP is disabled, the default setting is 255.255.255.224Default Gateway Assigned by DHCP by default; if DHCP is disabled, the default setting is 0.0.0.0Radio Service Set ID (SSID) tsunamiBroadcast SSID in Beacon Yes1Role in Radio Network Access point (root)Optimize Radio Network for ThroughputAironet Extensions EnableSNMP Community defaultCommunity1. When you assign multiple SSIDs, this setting no longer appears.Table 3-1 Default Settings on the Express Setup Page (continued)Setting Default
3-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 3 Configuring the Access Point for the First TimeUsing the IP Setup UtilityTip Another simple way to find the access point’s IP address is to look on the Status screen in the Aironet Client Utility on a client device associated to the access point.Obtaining and Installing IPSUIPSU is available on the Cisco web site. Follow these steps to obtain and install IPSU:Step 1 Use your Internet browser to access the Cisco Software Center at the following URL:http://www.cisco.com/public/sw-center/sw-wireless.shtmlStep 2 Click Cisco Aironet Wireless LAN Client Adapters.Step 3 Scroll down to the Windows Utility section.Step 4 Click Cisco Aironet Client Utility (ACU) for Windows.Step 5 Click the file IPSUvxxxxx.exe. The vxxxxxx identifies the software package version number.Step 6 Read and accept the terms and conditions of the Software License Agreement.Step 7 Download and save the file to a temporary directory on your hard drive and then exit the Internet browser. Step 8 Double-click IPSUvxxxxxx.exe in the temporary directory to expand the file.Step 9 Double-click Setup.exe and follow the steps provided by the installation wizard to install IPSU.The IPSU icon appears on your computer desktop.
3-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 3 Configuring the Access Point for the First TimeUsing the IP Setup UtilityUsing IPSU to Find the Access Point’s IP AddressIf your access point receives an IP address from a DHCP server, you can use IPSU to find its IP address. Because IPSU sends a reverse-ARP request based on the access point MAC address, you must run IPSU from a computer on the same subnet as the access point. Follow these steps to find the access point’s IP address:Step 1 Double-click the IPSU icon on your computer desktop to start the utility. The IPSU screen appears (see Figure 3-4).Figure 3-4 IPSU Get IP Address ScreenStep 2 When the utility window opens, make sure the Get IP addr radio button in the Function box is selected.Step 3 Enter the access point’s MAC address in the Device MAC ID field. The access point’s MAC address is printed on the label on the bottom of the unit. It should contain six pairs of hexadecimal digits. Your access point’s MAC address might look like the following example:000164xxxxxxNote The MAC address field is not case-sensitive.Step 4 Click Get IP Address.Step 5 When the access point’s IP address appears in the IP Address field, write it down. If IPSU reports that the IP address is 10.0.0.1, the default IP address, then the access point did not receive a DHCP-assigned IP address. To change the access point IP address from the default value using IPSU, refer to the “Using IPSU to Set the Access Point’s IP Address and SSID” section on page 3-10.
3-11Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 3 Configuring the Access Point for the First TimeUsing the IP Setup UtilityUsing IPSU to Set the Access Point’s IP Address and SSIDIf you want to change the default IP address (10.0.0.1) of the access point, you can use IPSU. You can also set the access point’s SSID at the same time.Note IPSU can change the access point’s IP address and SSID only from their default settings. After the IP address and SSID have been changed, IPSU cannot change them again.Note The computer you use to assign an IP address to the access point must have an IP address in the same subnet as the access point (10.0.0.x).Follow these steps to assign an IP address and an SSID to the access point:Step 1 Double-click the IPSU icon on your computer desktop to start the utility. Step 2 Click the Set Parameters radio button in the Function box (see Figure 3-5).Figure 3-5 IPSU Set Parameters ScreenStep 3 Enter the access point’s MAC address in the Device MAC ID field. The access point’s MAC address is printed on the label on the bottom of the unit. It should contain six pairs of hexadecimal digits. Your access point’s MAC address might look like this example:004096xxxxxxNote The MAC address field is not case-sensitive.Step 4 Enter the IP address you want to assign to the access point in the IP Address field.Step 5 Enter the SSID you want to assign to the access point in the SSID field.Note You cannot set the SSID without also setting the IP address. However, you can set the IP address without setting the SSID.
3-12Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 3 Configuring the Access Point for the First TimeAssigning an IP Address Using the CLIStep 6 Click Set Parameters to change the access point’s IP address and SSID settings.Step 7 Click Exit to exit IPSU. Assigning an IP Address Using the CLIWhen you connect the access point to the wired LAN, the access point links to the network using a bridge virtual interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the access point’s Ethernet and radio ports, the network uses the BVI.When you assign an IP address to the access point using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the access point’sBVI:Using a Telnet Session to Access the CLIFollow these steps to browse to access the CLI using a Telnet session. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check your PC operating instructions for detailed instructions for your operating system.Step 1 Select Start > Programs > Accessories > Telnet.If Telnet is not listed in your Accessories menu, select Start > Run, type Telnet in the entry field, and press Enter.Step 2 When the Telnet window appears, click Connect and select Remote System.Note In Windows 2000, the Telnet window does not contain drop-down menus. To start the Telnet session in Windows 2000, type open followed by the access point’s IP address.Step 3 In the Host Name field, type the access point’s IP address and click Connect.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface bvi1 Enter interface configuration mode for the BVI.Step 3 ip address addressmaskAssign an IP address and address mask to the BVI. Note If you are connected to the access point using a Telnet session, you lose your connection to the access point when you assign a new IP address to the BVI. If you need to continue configuring the access point using Telnet, use the new IP address to open another Telnet session to the access point.
CHAPTER4-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-014Using the Web-Browser InterfaceThis chapter describes the web-browser interface that you can use to configure the access point. It contains these sections:•Using the Web-Browser Interface for the First Time, page 4-2•Using the Management Pages in the Web-Browser Interface, page 4-2•Using Online Help, page 4-5The web-browser interface contains management pages that you use to change access point settings, upgrade firmware, and monitor and configure other wireless devices on the network.Note The access point web-browser interface is fully compatible with Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).
4-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 4 Using the Web-Browser InterfaceUsing the Web-Browser Interface for the First TimeUsing the Web-Browser Interface for the First TimeUse the access point’s IP address to browse to the management system. See the “Obtaining and Assigning an IP Address” section on page 3-3 for instructions on assigning an IP address to the access point. Follow these steps to begin using the web-browser interface:Step 1 Start the browser.Step 2 Enter the access point’s IP address in the browser Location field (Netscape Communicator) or Addressfield (Internet Explorer) and press Enter. The Summary Status page appears.Using the Management Pages in the Web-Browser InterfaceThe system management pages use consistent techniques to present and save configuration information. A navigation bar is on the left side of the page, and configuration action buttons appear at the bottom. You use the navigation bar to browse to other management pages, and you use the configuration action buttons to save or cancel changes to the configuration. Note It’s important to remember that clicking your browser’s Back button returns you to the previous page without saving any changes you have made. Clicking Cancel cancels any changes you made on the page and keeps you on that page. Changes are only applied when you click Apply.Figure 4-1 shows the web-browser interface home page.
4-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 4 Using the Web-Browser InterfaceUsing the Management Pages in the Web-Browser InterfaceFigure 4-1 Web-Browser Interface Home Page
4-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 4 Using the Web-Browser InterfaceUsing the Management Pages in the Web-Browser InterfaceUsing Action ButtonsTable 4-1 lists the page links and buttons that appear on most management pages.Table 4-1 Common Buttons on Management PagesButton/Link DescriptionNavigation LinksHome Displays access point status page with information on the number of radio devices associated to the access point, the status of the Ethernet and radio interfaces, and a list of recent access point activity.Express Setup Displays the Express Setup page that includes basic settings such as system name, IP address, and SSID.Network Map Displays a list of infrastructure devices on your wireless LAN.Association Displays a list of all devices on your wireless LAN, listing their system names, network roles, and parent-client relationships.Network Interfaces Displays status and statistics for the Ethernet and radio interfaces and provides links to configuration pages for each interface.Security Displays a summary of security settings and provides links to security configuration pages.Services Displays status for several access point features and links to configuration pages for Telnet/SSH, CDP, domain name server, filters, proxy Mobile IP, QoS, SNMP, SNTP, and VLANs.System Software Displays the version number of the firmware that the access point is running and provides links to configuration pages for upgrading and managing firmware.Event Log Displays the access point event log and provides links to configuration pages where you can select events to be included in traps, set event severity levels, and set notification methods.Configuration Action ButtonsApply Saves changes made on the page and remains on the page.Refresh Updates status information or statistics displayed on a page.Cancel Discards changes to the page and remains on the page.Back Discards any changes made to the page and returns to the previous page.
4-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 4 Using the Web-Browser InterfaceUsing Online HelpCharacter Restrictions in Entry FieldsBecause the 1200 series access point uses Cisco IOS software, there are certain characters that you cannot use in the entry fields on the web-browser interface. Table 4-2 lists the illegal characters and the fields in which you cannot use them.Using Online HelpClick the help icon at the top of any page in the web-browser interface to display online help. Figure 4-2shows the print and help icons.Figure 4-2 Print and Help IconsWhen a help page appears in a new browser window, use the Select a topic drop-down menu to display the help index or instructions for common configuration tasks, such as configuring VLANs. Table 4-2 Illegal Characters for Web-Browser Interface Entry FieldsEntry Field Type Illegal CharactersPassword entry fields ?“$[+All other entry fields ?“$[+You also cannot use these three characters as the first character in an entry field:!#;
4-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 4 Using the Web-Browser InterfaceUsing Online Help
CHAPTER5-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-015Using the Command-Line InterfaceThis chapter describes the IOS command-line interface (CLI) that you can use to configure your access point. It contains these sections:•IOS Command Modes, page 5-2•Getting Help, page 5-3•Abbreviating Commands, page 5-3•Using no and default Forms of Commands, page 5-3•Understanding CLI Messages, page 5-4•Using Command History, page 5-4•Using Editing Features, page 5-5•Searching and Filtering Output of show and more Commands, page 5-8•Accessing the CLI, page 5-8
5-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 5 Using the Command-Line InterfaceIOS Command ModesIOS Command ModesThe Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.When you start a session on the access point, you begin in user mode, often called user EXEC mode.Only a limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved when the access point reboots.To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. From this mode, you must enter privileged EXEC mode before you can enter the global configuration mode. Using the configuration modes (global, interface, and line), you can make changes to the running configuration. If you save the configuration, these commands are stored and used when the access point reboots. To access the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and line configuration mode.Table 5-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name ap.Table 5-1 Command Mode SummaryMode Access Method Prompt Exit Method About This ModeUser EXEC Begin a session with your access point.ap> Enter logout or quit. Use this mode to:•Change terminal settings•Perform basic tests•Display system informationPrivileged EXEC While in user EXEC mode, enter the enable command.ap# Enter disable to exit. Use this mode to verify commands. Use a password to protect access to this mode.Global configuration While in privileged EXEC mode, enter the configurecommand.ap(config)# To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z.Use this mode to configure parameters that apply to the entire access point.Interface configurationWhile in global configuration mode, enter the interfacecommand (with a specific interface).ap(config-if)# To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.Use this mode to configure parameters for the Ethernet and radio interfaces. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
5-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 5 Using the Command-Line InterfaceGetting HelpGetting HelpYou can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 5-2.Abbreviating CommandsYou have to enter only enough characters for the access point to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command:ap# show confUsing no and default Forms of CommandsMost configuration commands also have a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default. Ta b l e 5 - 2 H e l p S u m m a r yCommand Purposehelp Obtains a brief description of the help system in any command mode.abbreviated-command-entry?Obtains a list of commands that begin with a particular character string.For example:ap# di?dir disable disconnect abbreviated-command-entry<Ta b> Completes a partial command name. For example:ap# sh conf<tab>ap# show configuration?Lists all commands available for a particular command mode. For example: ap> ?command ? Lists the associated keywords for a command. For example:ap> show ?command keyword ?Lists the associated arguments for a keyword.For example:ap(config)# cdp holdtime ? <10-255> Length of time (in sec) that receiver must keep this packet
5-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 5 Using the Command-Line InterfaceUnderstanding CLI MessagesConfiguration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.Understanding CLI MessagesTable 5-3 lists some error messages that you might encounter while using the CLI to configure your access point.Using Command HistoryThe IOS provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize the command history feature to suit your needs as described in these sections:•Changing the Command History Buffer Size, page 5-4•Recalling Commands, page 5-5•Disabling the Command History Feature, page 5-5Changing the Command History Buffer SizeBy default, the access point records ten command lines in its history buffer. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the access point records during the current terminal session: ap# terminal history [sizenumber-of-lines]Table 5-3 Common CLI Error MessagesError Message Meaning How to Get Help% Ambiguous command: "show con"You did not enter enough characters for your access point to recognize the command.Re-enter the command followed by a question mark (?)with a space between the command and the question mark.The possible keywords that you can enter with the command are displayed.% Incomplete command. You did not enter all the keywords or values required by this command.Re-enter the command followed by a question mark (?)with a space between the command and the question mark.The possible keywords that you can enter with the command are displayed.% Invalid input detected at ‘^’ marker.You entered the command incorrectly. The caret (^) marks the point of the error.Enter a question mark (?) to display all the commands that are available in this command mode.The possible keywords that you can enter with the command are displayed.
5-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 5 Using the Command-Line InterfaceUsing Editing FeaturesThe range is from 0 to 256.Beginning in line configuration mode, enter this command to configure the number of command lines the access point records for all sessions on a particular line:ap(config-line)# history [sizenumber-of-lines]The range is from 0 to 256.Recalling CommandsTo recall commands from the history buffer, perform one of the actions listed in Table 5-4:Disabling the Command History FeatureThe command history feature is automatically enabled. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.Using Editing FeaturesThis section describes the editing features that can help you manipulate the command line. It contains these sections:•Enabling and Disabling Editing Features, page 5-6•Editing Commands Through Keystrokes, page 5-6•Editing Command Lines that Wrap, page 5-7Table 5-4 Recalling CommandsAction11. The arrow keys function only on ANSI-compatible terminals such as VT100s.ResultPress Ctrl-P or the up arrow key. Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.Press Ctrl-N or the down arrow key. Return to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands. show history While in privileged EXEC mode, list the last several commands that you just entered. The number of commands that are displayed is determined by the setting of the terminal history global configuration command and history line configuration command.
5-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 5 Using the Command-Line InterfaceUsing Editing FeaturesEnabling and Disabling Editing FeaturesAlthough enhanced editing mode is automatically enabled, you can disable it.To re-enable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode: ap# terminal editingTo reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode: ap(config-line)# editingTo globally disable enhanced editing mode, enter this command in line configuration mode: ap(config-line)# no editingEditing Commands Through KeystrokesTable 5-5 shows the keystrokes that you need to edit command lines.Table 5-5 Editing Commands Through KeystrokesCapability Keystroke1PurposeMove around the command line to make changes or corrections.Ctrl-B or the left arrow keyMove the cursor back one character. Ctrl-F or the right arrow keyMove the cursor forward one character. Ctrl-A Move the cursor to the beginning of the command line.Ctrl-E Move the cursor to the end of the command line.Esc B Move the cursor back one word.Esc F Move the cursor forward one word.Ctrl-T Transpose the character to the left of the cursor with the character located at the cursor.Recall commands from the buffer and paste them in the command line. The access point provides a buffer with the last ten items that you deleted.Ctrl-Y Recall the most recent entry in the buffer.Esc Y Recall the next buffer entry.The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.Delete entries if you make a mistake or change your mind.Delete or Backspace Erase the character to the left of the cursor.Ctrl-D Delete the character at the cursor.Ctrl-K Delete all characters from the cursor to the end of the command line.Ctrl-U or Ctrl-X Delete all characters from the cursor to the beginning of the command line.Ctrl-W Delete the word to the left of the cursor.Esc D Delete from the cursor to the end of the word.
5-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 5 Using the Command-Line InterfaceUsing Editing FeaturesEditing Command Lines that WrapYou can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command. To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You can also press Ctrl-A to immediately move to the beginning of the line.Note The arrow keys function only on ANSI-compatible terminals such as VT100s.In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left. ap(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1ap(config)# $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25ap(config)# $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eqap(config)# $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45Capitalize or lowercase words or capitalize a set of letters.Esc C Capitalize at the cursor.Esc L Change the word at the cursor to lowercase.Esc U Capitalize letters from the cursor to the end of the word.Designate a particular keystroke as an executable command, perhaps as a shortcut.Ctrl-V or Esc QScroll down a line or screen on displays that are longer than the terminal screen can display.Note The More prompt appears for output that has more lines than can be displayed on the terminal screen, including show command output. You can use the Return and Space bar keystrokes whenever you see the Moreprompt. Return Scroll down one line.Space Scroll down one screen.Redisplay the current command line if the access point suddenly sends a message to your screen.Ctrl-L or Ctrl-R Redisplay the current command line.1. The arrow keys function only on ANSI-compatible terminals such as VT100s.Table 5-5 Editing Commands Through Keystrokes (continued)Capability Keystroke1Purpose
5-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 5 Using the Command-Line InterfaceSearching and Filtering Output of show and more CommandsAfter you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right:ap(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$The software assumes you have a terminal screen that is 80 columns wide. If you have a width other than that, use the terminal width privileged EXEC command to set the width of your terminal.Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands Through Keystrokes” section on page 5-6.Searching and Filtering Output of show and more CommandsYou can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see.To use this functionality, enter a show or more command followed by the pipe character (|), one of the keywords begin,include, or exclude, and an expression that you want to search for or filter out:command | {begin | include | exclude}regular-expressionExpressions are case sensitive. For example, if you enter | exclude output, the lines that contain outputare not displayed, but the lines that contain Output are displayed.This example shows how to include in the output display only lines where the expression protocolappears:ap# show interfaces | include protocolVlan1 is up, line protocol is upVlan10 is up, line protocol is downGigabitEthernet0/1 is up, line protocol is downGigabitEthernet0/2 is up, line protocol is up Accessing the CLIYou can open the access point’s CLI using Telnet or Secure Shell (SSH). Opening the CLI with TelnetFollow these steps to open the CLI with Telnet. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check your PC operating instructions for detailed instructions for your operating system.Step 1 Select Start > Programs > Accessories > Telnet.If Telnet is not listed in your Accessories menu, select Start > Run, type Telnet in the entry field, and press Enter.Step 2 When the Telnet window appears, click Connect and select Remote System.
5-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 5 Using the Command-Line InterfaceAccessing the CLINote In Windows 2000, the Telnet window does not contain drop-down menus. To start the Telnet session in Windows 2000, type open followed by the access point’s IP address.Step 3 In the Host Name field, type the access point’s IP address and click Connect.Step 4 At the username and password prompts, enter your administrator username and password. The default username is Cisco, and the default password is Cisco. The default enable password is also Cisco.Usernames and passwords are case-sensitive.Opening the CLI with Secure ShellSecure Shell Protocol is a protocol that provides a secure, remote connection to networking devices set up to use it. Secure Shell (SSH) is a software package that provides secure login sessions by encrypting the entire session. SSH features strong cryptographic authentication, strong encryption, and integrity protection. For detailed information on SSH, visit the homepage of SSH Communications Security, Ltd. at this URL: http://www.ssh.com/SSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated. See the “Configuring the Access Point for Secure Shell” section on page 6-16for detailed instructions on setting up the access point for SSH access.
5-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 5 Using the Command-Line InterfaceAccessing the CLI
CHAPTER6-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-016Administering the Access PointThis chapter describes how to administer your access point. This chapter contains these sections:•Preventing Unauthorized Access to Your Access Point, page 6-2•Protecting Access to Privileged EXEC Commands, page 6-2•Controlling Access Point Access with RADIUS, page 6-7•Controlling Access Point Access with TACACS+, page 6-12•Configuring the Access Point for Local Authentication and Authorization, page 6-15•Configuring the Access Point for Secure Shell, page 6-16•Managing the System Time and Date, page 6-17•Configuring a System Name and Prompt, page 6-32•Creating a Banner, page 6-34
6-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointPreventing Unauthorized Access to Your Access PointPreventing Unauthorized Access to Your Access PointYou can prevent unauthorized users from reconfiguring your access point and viewing configuration information. Typically, you want network administrators to have access to the access point while you restrict access to users who connect through a terminal or workstation from within the local network.To prevent unauthorized access to your access point, you should configure one of these security features:•Username and password pairs, which are locally stored on the access point. These pairs authenticate each user before that user can access the access point. You can also assign a specific privilege level (read only or read/write) to each username and password pair. For more information, see the “Configuring Username and Password Pairs” section on page 6-5. The default username is Cisco,and the default password is Cisco. Usernames and passwords are case-sensitive.•Username and password pairs stored centrally in a database on a security server. For more information, see the “Controlling Access Point Access with RADIUS” section on page 6-7.Protecting Access to Privileged EXEC CommandsA simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can issue after they have logged into a network device.Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.This section describes how to control access to the configuration file and privileged EXEC commands. It contains this configuration information:•Default Password and Privilege Level Configuration, page 6-2•Setting or Changing a Static Enable Password, page 6-3•Protecting Enable and Enable Secret Passwords with Encryption, page 6-4•Configuring Username and Password Pairs, page 6-5•Configuring Multiple Privilege Levels, page 6-6Default Password and Privilege Level ConfigurationTable 6-1 shows the default password and privilege level configuration.Table 6-1 Default Password and Privilege LevelsFeature Default SettingUsername and password Default username is Cisco and the default password is Cisco.Enable password and privilege level Default password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted in the configuration file.
6-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointProtecting Access to Privileged EXEC CommandsSetting or Changing a Static Enable PasswordThe enable password controls access to the privileged EXEC mode. Note The no enable password global configuration command removes the enable password, but you should use extreme care when using this command. If you remove the enable password, you are locked out of the EXEC mode.Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):AP(config)# enable password l1u2c3k4y5Enable secret password and privilege level The default enable password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.Line password Default password is Cisco. The password is encrypted in the configuration file.Table 6-1 Default Password and Privilege Levels (continued)Feature Default SettingCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 enable password password Define a new password or change an existing password for access to privileged EXEC mode.The default password is Cisco.For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Crtl-V when you create the password; for example, to create the password abc?123, do this:1. Enter abc.2. Enter Crtl-V.3. Enter ?123.When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-V; you can simply enter abc?123 at the password prompt. Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.The enable password is not encrypted and can be read in the access point configuration file.
6-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointProtecting Access to Privileged EXEC CommandsProtecting Enable and Enable Secret Passwords with EncryptionTo provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.We recommend that you use the enable secret command because it uses an improved encryption algorithm.If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 enable password [level level] {password | encryption-type encrypted-password}orenable secret [level level] {password | encryption-type encrypted-password}Define a new password or change an existing password for access to privileged EXEC mode.orDefine a secret password, which is saved using a nonreversible encryption method.•(Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).•For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined. •(Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy from another access point configuration.Note If you specify an encryption type and then enter a clear text password, you can not re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.Step 3 service password-encryption (Optional) Encrypt the password when the password is defined or when the configuration is written.Encryption prevents the password from being readable in the configuration file.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointProtecting Access to Privileged EXEC CommandsIf both the enable and enable secret passwords are defined, users must enter the enable secret password.Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels. For more information, see the “Configuring Multiple Privilege Levels” section on page 6-6.If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.To remove a password and level, use the no enable password [level level] or no enable secret [levellevel] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:AP(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8Configuring Username and Password PairsYou can configure username and password pairs, which are locally stored on the access point. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the access point. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 username name [privilege level]{password encryption-type password}Enter the username, privilege level, and password for each user.•For name, specify the user ID as one word. Spaces and quotation marks are not allowed.•(Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.•For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow.•For password, specify the password the user must enter to gain access to the access point. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.Step 3 login local Enable local password checking at login time. Authentication is based on the username specified in Step 2.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointProtecting Access to Privileged EXEC CommandsTo disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.Note You must have at least one username configured and you must have login local set to open a Telnet session to the access point. If you enter no username for the only username, you can be locked out of the access point.Configuring Multiple Privilege LevelsBy default, the IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.This section includes this configuration information:•Setting the Privilege Level for a Command, page 6-6•Logging Into and Exiting a Privilege Level, page 6-7Setting the Privilege Level for a CommandBeginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 privilege mode level level command Set the privilege level for a command.•For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode.•For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.•For command, specify the command to which you want to restrict access.Step 3 enable password level level password Specify the enable password for the privilege level.•For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. •For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
6-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointControlling Access Point Access with RADIUSWhen you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the showcommands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.To return to the default privilege for a given command, use the no privilege mode level level commandglobal configuration command.This example shows how to set the configure command to privilege level 14 and define SecretPswd14as the password users must enter to use level 14 commands:AP(config)# privilege exec level 14 configureAP(config)# enable password level 14 SecretPswd14Logging Into and Exiting a Privilege LevelBeginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:Controlling Access Point Access with RADIUS This section describes how to control administrator access to the access point using Remote Authentication Dial-In User Service (RADIUS). For complete instructions on configuring the access point to support RADIUS, see Chapter 11, “Configuring RADIUS and TACACS+ Servers.”RADIUS provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.Step 4 end Return to privileged EXEC mode.Step 5 show running-configorshow privilegeVerify your entries.The first command displays the password and access level configuration. The second command displays the privilege level configuration.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 enable level Log in to a specified privilege level.For level, the range is 0 to 15.Step 2 disable level Exit to a specified privilege level.For level, the range is 0 to 15.
6-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointControlling Access Point Access with RADIUSThese sections describe RADIUS configuration:•Default RADIUS Configuration, page 6-8•Configuring RADIUS Login Authentication, page 6-8 (required)•Defining AAA Server Groups, page 6-9 (optional)•Configuring RADIUS Authorization for User Privileged Access and Network Services, page 6-11(optional)•Displaying the RADIUS Configuration, page 6-12Default RADIUS ConfigurationRADIUS and AAA are disabled by default.To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the access point through the CLI.Configuring RADIUS Login AuthenticationTo configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.
6-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointControlling Access Point Access with RADIUSTo disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name}method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.Defining AAA Server GroupsYou can configure the access point to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts. Step 3 aaa authentication login {default | list-name}method1 [method2...]Create a login authentication method list.•To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.•For list-name, specify a character string to name the list you are creating. •For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.Select one of these methods:•local—Use the local username database for authentication. You must enter username information in the database. Use the usernamepassword global configuration command.•radius—Use RADIUS authentication. You must configure the RADIUS server before you can use this authentication method. For more information, see the “Identifying the RADIUS Server Host”section on page 11-4.Step 4 line [console | tty | vty]line-number[ending-line-number]Enter line configuration mode, and configure the lines to which you want to apply the authentication list.Step 5 login authentication {default | list-name}Apply the authentication list to a line or set of lines.•If you specify default, use the default list created with the aaa authentication login command.•For list-name, specify the list created with the aaa authentication login command.Step 6 end Return to privileged EXEC mode.Step 7 show running-config Verify your entries.Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
6-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointControlling Access Point Access with RADIUSServer groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same RADIUS server for the same service (such as accounting), the second configured host entry acts as a fail-over backup to the first one.You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.Step 3 radius-server host {hostname | ip-address} [auth-port port-number][acct-port port-number] [timeoutseconds] [retransmit retries] [keystring]Specify the IP address or host name of the remote RADIUS server host.•(Optional) For auth-port port-number, specify the UDP destination port for authentication requests.•(Optional) For acct-port port-number, specify the UDP destination port for accounting requests.•(Optional) For timeout seconds, specify the time interval that the access point waits for the RADIUS server to reply before retransmitting. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.•(Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.•(Optional) For key string, specify the authentication and encryption key used between the access point and the RADIUS daemon running on the RADIUS server. Note The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.To configure the access point to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The access point software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.
6-11Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointControlling Access Point Access with RADIUSTo remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.In this example, the access point is configured to recognize two different RADIUS group servers (group1and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.AP(config)# aaa new-modelAP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646AP(config)# aaa group server radius group1AP(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001AP(config-sg-radius)# exitAP(config)# aaa group server radius group2AP(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001AP(config-sg-radius)# exitConfiguring RADIUS Authorization for User Privileged Access and Network ServicesAAA authorization limits the services available to a user. When AAA authorization is enabled, the access point uses information retrieved from the user’s profile, which is in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user’s network access to privileged EXEC mode. The aaa authorization exec radius local command sets these authorization parameters:•Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS.•Use the local database if authentication was not performed by using RADIUS.Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.Step 4 aaa group server radius group-name Define the AAA server-group with a group name.This command puts the access point in a server group configuration mode.Step 5 server ip-address Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group.Each server in the group must be previously defined in Step 2.Step 6 end Return to privileged EXEC mode.Step 7 show running-config Verify your entries.Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 6-8.Command Purpose
6-12Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointControlling Access Point Access with TACACS+Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services: To disable authorization, use the no aaa authorization {network | exec}method1 global configuration command. Displaying the RADIUS ConfigurationTo display the RADIUS configuration, use the show running-config privileged EXEC command.Controlling Access Point Access with TACACS+ This section describes how to control administrator access to the access point using Terminal Access Controller Access Control System Plus (TACACS+). For complete instructions on configuring the access point to support TACACS+, see Chapter 11, “Configuring RADIUS and TACACS+ Servers.”TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.These sections describe TACACS+ configuration:•Default TACACS+ Configuration, page 6-13•Configuring TACACS+ Login Authentication, page 6-13•Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 6-14•Displaying the TACACS+ Configuration, page 6-15Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa authorization network radius Configure the access point for user RADIUS authorization for all network-related service requests.Step 3 aaa authorization exec radius Configure the access point for user RADIUS authorization to determine if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information). Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-13Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointControlling Access Point Access with TACACS+Default TACACS+ ConfigurationTACACS+ and AAA are disabled by default.To prevent a lapse in security, you cannot configure TACACS+ through a network management application.When enabled, TACACS+ can authenticate administrators accessing the access point through the CLI.Configuring TACACS+ Login AuthenticationTo configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.
6-14Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointControlling Access Point Access with TACACS+To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name}method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.Configuring TACACS+ Authorization for Privileged EXEC Access and Network ServicesAAA authorization limits the services available to a user. When AAA authorization is enabled, the access point uses information retrieved from the user’s profile, which is located either in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters that restrict a user’s network access to privileged EXEC mode. The aaa authorization exec tacacs+ local command sets these authorization parameters:Step 3 aaa authentication login {default | list-name}method1 [method2...]Create a login authentication method list.•To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.•For list-name, specify a character string to name the list you are creating. •For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.Select one of these methods:•local—Use the local username database for authentication. You must enter username information into the database. Use the usernamepassword global configuration command.•tacacs+—Use TACACS+ authentication. You must configure the TACACS+ server before you can use this authentication method.Step 4 line [console | tty | vty]line-number[ending-line-number]Enter line configuration mode, and configure the lines to which you want to apply the authentication list.Step 5 login authentication {default | list-name}Apply the authentication list to a line or set of lines.•If you specify default, use the default list created with the aaa authentication login command.•For list-name, specify the list created with the aaa authentication login command.Step 6 end Return to privileged EXEC mode.Step 7 show running-config Verify your entries.Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
6-15Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointConfiguring the Access Point for Local Authentication and Authorization•Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.•Use the local database if authentication was not performed by using TACACS+.Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services: To disable authorization, use the no aaa authorization {network | exec}method1 global configuration command. Displaying the TACACS+ ConfigurationTo display TACACS+ server statistics, use the show tacacs privileged EXEC command.Configuring the Access Point for Local Authentication and AuthorizationYou can configure AAA to operate without a server by setting the access point to implement AAA in local mode. The access point then handles authentication and authorization. No accounting is available in this configuration.Beginning in privileged EXEC mode, follow these steps to configure the access point for local AAA:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa authorization network tacacs+ Configure the access point for user TACACS+ authorization for all network-related service requests.Step 3 aaa authorization exec tacacs+ Configure the access point for user TACACS+ authorization to determine if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information). Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.
6-16Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointConfiguring the Access Point for Secure ShellTo disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec}method1 global configuration command. Configuring the Access Point for Secure ShellThis section describes how to configure the Secure Shell (SSH) feature. Note For complete syntax and usage information for the commands used in this section, refer to the “Secure Shell Commands” section in the Cisco IOS Security Command Reference for Release 12.2.Understanding SSH SSH is a protocol that provides a secure, remote connection to a Layer 2 or a Layer 3 device. There are two versions of SSH: SSH version 1 and SSH version 2. This software release supports only SSH version 1.Step 3 aaa authentication login default local Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all interfaces.Step 4 aaa authorization exec local Configure user AAA authorization to determine if the user is allowed to run an EXEC shell by checking the local database.Step 5 aaa authorization network local Configure user AAA authorization for all network-related service requests.Step 6 username name [privilege level]{password encryption-type password}Enter the local database, and establish a username-based authentication system.Repeat this command for each user.•For name, specify the user ID as one word. Spaces and quotation marks are not allowed.•(Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 0 gives user EXEC mode access.•For encryption-type, enter 0 to specify that an unencrypted password follows. Enter 7 to specify that a hidden password follows.•For password, specify the password the user must enter to gain access to the access point. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.Step 7 end Return to privileged EXEC mode.Step 8 show running-config Verify your entries.Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
6-17Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateSSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated. The SSH feature has an SSH server and an SSH integrated client. The client supports these user authentication methods:•RADIUS (for more information, see the “Controlling Access Point Access with RADIUS” section on page 6-7)•Local authentication and authorization (for more information, see the “Configuring the Access Point for Local Authentication and Authorization” section on page 6-15)For more information about SSH, refer to the “Configuring Secure Shell” section in the Cisco IOS Security Configuration Guide for Release 12.2.Note The SSH feature in this software release does not support IP Security (IPSec). Configuring SSHBefore configuring SSH, download the crypto software image from Cisco.com. For more information, refer to the release notes for this release.For information about configuring SSH and displaying SSH settings, refer to the “Configuring Secure Shell” section in the Cisco IOS Security Configuration Guide for Release 12.2.Managing the System Time and DateYou can manage the system time and date on your access point automatically, using the Network Time Protocol (NTP), or manually, by setting the time and date on the access point.Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.This section contains this configuration information:•Understanding the System Clock, page 6-17•Understanding Network Time Protocol, page 6-18•Configuring NTP, page 6-19•Configuring Time and Date Manually, page 6-27Understanding the System Clock The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time. The system clock can then be set from these sources:•Network Time Protocol•Manual configurationThe system clock can provide time to these services:
6-18Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and Date•User show commands•Logging and debugging messagesThe system clock determines time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time is correctly displayed for the local time zone.The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set by a time source considered to be authoritative). If it is not authoritative, the time is available only for display purposes and is not redistributed. For configuration information, see the “Configuring Time and Date Manually” section on page 6-27.Understanding Network Time ProtocolThe NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC 1305. An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another.NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized. NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different than the others, even if its stratum is lower.The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP address of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, in that case, information flow is one-way only.The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access-list-based restriction scheme and an encrypted authentication mechanism.Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet. Figure 6-1 shows a typical network example using NTP.If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as though it is synchronized through NTP, when in fact it has determined the time by using other means. Other devices then synchronize to that device through NTP.When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method.Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.
6-19Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateFigure 6-1 Typical NTP Network ConfigurationConfiguring NTPCisco Aironet 1100 Series Access Points do not have a hardware-supported clock, and they cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. These access points also have no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.This section contains this configuration information:•Default NTP Configuration, page 6-20•Configuring NTP Authentication, page 6-20•Configuring NTP Associations, page 6-22•Configuring NTP Broadcast Service, page 6-23•Configuring NTP Access Restrictions, page 6-24•Configuring the Source IP Address for NTP Packets, page 6-26•Displaying the NTP Configuration, page 6-27Catalyst 3550switchCatalyst 3550switchCatalyst 3550switchCatalyst 3550switchThese switches are configured inNTP server mode (server association)with the Catalyst 6500 series switch.Catalyst 6500series switch(NTP master)This switch is configured as an NTPpeer to the upstream and downstreamCatalyst 3550 switches.Catalyst 3550switchWorkstationsWorkstationsLocalworkgroupservers43269
6-20Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateDefault NTP ConfigurationTable 6-2 shows the default NTP configuration.NTP is disabled by default.Configuring NTP AuthenticationThis procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the access point to synchronize its time to the NTP server.Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes:Table 6-2 Default NTP ConfigurationFeature Default SettingNTP authentication Disabled. No authentication key is specified.NTP peer or server associations None configured.NTP broadcast service Disabled; no interface sends or receives NTP broadcast packets.NTP access restrictions No access control is specified.NTP packet source IP address The source address is determined by the outgoing interface.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 ntp authenticate Enable the NTP authentication feature, which is disabled by default. Step 3 ntp authentication-key number md5 value Define the authentication keys. By default, none are defined.•For number, specify a key number. The range is 1 to 4294967295.•md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).•For value, enter an arbitrary string of up to eight characters for the key.The access point does not synchronize to a device unless both have one of these authentication keys, and the key number is specified by the ntp trusted-key key-number command.
6-21Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateTo disable NTP authentication, use the no ntp authenticate global configuration command. To remove an authentication key, use the no ntp authentication-key number global configuration command. To disable authentication of the identity of a device, use the no ntp trusted-key key-number global configuration command.This example shows how to configure the access point to synchronize only to devices providing authentication key 42 in the device’s NTP packets:AP(config)# ntp authenticateAP(config)# ntp authentication-key 42 md5 aNiceKeyAP(config)# ntp trusted-key 42Step 4 ntp trusted-key key-number Specify one or more key numbers (defined in Step 3) that a peer NTP device must provide in its NTP packets for this access point to synchronize to it.By default, no trusted keys are defined.For key-number, specify the key defined in Step 3.This command provides protection against accidentally synchronizing the access point to a device that is not trusted.Step 5 end Return to privileged EXEC mode.Step 6 show running-config Verify your entries.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
6-22Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateConfiguring NTP AssociationsAn NTP association can be a peer association (this access point can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this access point synchronizes to the other device, and not the other way around). Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:You need to configure only one end of an association; the other device can automatically establish the association. If you are using the default NTP version (version 3) and NTP synchronization does not occur, try using NTP version 2. Many NTP servers on the Internet run version 2.To remove a peer or server association, use the no ntp peer ip-address or the no ntp server ip-addressglobal configuration command.This example shows how to configure the access point to synchronize its system clock with the clock of the peer at IP address 172.16.22.44 using NTP version 2:AP(config)# ntp server 172.16.22.44 version 2Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 ntp peer ip-address [version number][key keyid] [source interface] [prefer]or ntp server ip-address [version number][key keyid] [source interface] [prefer]Configure the access point system clock to synchronize a peer or to be synchronized by a peer (peer association).orConfigure the access point system clock to be synchronized by a time server (server association).No peer or server associations are defined by default.•For ip-address in a peer association, specify either the IP address of the peer providing, or being provided, the clock synchronization. For a server association, specify the IP address of the time server providing the clock synchronization.•(Optional) For number, specify the NTP version number. The range is 1 to 3. By default, version 3 is selected.•(Optional) For keyid, enter the authentication key defined with the ntp authentication-key global configuration command.•(Optional) For interface, specify the interface from which to pick the IP source address. By default, the source IP address is taken from the outgoing interface.•(Optional) Enter the prefer keyword to make this peer or server the preferred one that provides synchronization. This keyword reduces switching back and forth between peers and servers.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-23Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateConfiguring NTP Broadcast ServiceThe communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only.The access point can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The access point can send NTP broadcast packets to a peer so that the peer can synchronize to it. The access point can also receive NTP broadcast packets to synchronize its own clock. This section provides procedures for both sending and receiving NTP broadcast packets.Beginning in privileged EXEC mode, follow these steps to configure the access point to send NTP broadcast packets to peers so that they can synchronize their clock to the access point:To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.This example shows how to configure an interface to send NTP version 2 packets:AP(config)# interface gigabitethernet0/1AP(config-if)# ntp broadcast version 2Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and specify the interface to send NTP broadcast packets.Step 3 ntp broadcast [version number] [key keyid][destination-address]Enable the interface to send NTP broadcast packets to a peer.By default, this feature is disabled on all interfaces.•(Optional) For number, specify the NTP version number. The range is 1 to 3. If you do not specify a version, version 3 is used.•(Optional) For keyid, specify the authentication key to use when sending packets to the peer.•(Optional) For destination-address, specify the IP address of the peer that is synchronizing its clock to this access point.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Step 7 Configure the connected peers to receive NTP broadcast packets as described in the next procedure.
6-24Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateBeginning in privileged EXEC mode, follow these steps to configure the access point to receive NTP broadcast packets from connected peers:To disable an interface from receiving NTP broadcast packets, use the no ntp broadcast client interface configuration command. To change the estimated round-trip delay to the default, use the no ntp broadcastdelay global configuration command.This example shows how to configure an interface to receive NTP broadcast packets:AP(config)# interface gigabitethernet0/1AP(config-if)# ntp broadcast clientConfiguring NTP Access RestrictionsYou can control NTP access on two levels as described in these sections:•Creating an Access Group and Assigning a Basic IP Access List, page 6-25•Disabling NTP Services on a Specific Interface, page 6-26Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and specify the interface to receive NTP broadcast packets.Step 3 ntp broadcast client Enable the interface to receive NTP broadcast packets.By default, no interfaces receive NTP broadcast packets.Step 4 exit Return to global configuration mode.Step 5 ntp broadcastdelay microseconds (Optional) Change the estimated round-trip delay between the access point and the NTP broadcast server.The default is 3000 microseconds; the range is 1 to 999999.Step 6 end Return to privileged EXEC mode.Step 7 show running-config Verify your entries.Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-25Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateCreating an Access Group and Assigning a Basic IP Access ListBeginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:The access group keywords are scanned in this order, from least restrictive to most restrictive: 1. peer—Allows time requests and NTP control queries and allows the access point to synchronize itself to a device whose address passes the access list criteria.2. serve—Allows time requests and NTP control queries, but does not allow the access point to synchronize itself to a device whose address passes the access list criteria.3. serve-only—Allows only time requests from a device whose address passes the access list criteria.4. query-only—Allows only NTP control queries from a device whose address passes the access list criteria.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 ntp access-group {query-only | serve-only | serve | peer}access-list-numberCreate an access group, and apply a basic IP access list.The keywords have these meanings:•query-only—Allows only NTP control queries.•serve-only—Allows only time requests.•serve—Allows time requests and NTP control queries, but does not allow the access point to synchronize to the remote device.•peer—Allows time requests and NTP control queries and allows the access point to synchronize to the remote device.For access-list-number, enter a standard IP access list number from 1 to 99. Step 3 access-list access-list-number permit source [source-wildcard]Create the access list.•For access-list-number, enter the number specified in Step 2.•Enter the permit keyword to permit access if the conditions are matched.•For source, enter the IP address of the device that is permitted access to the access point.•(Optional) For source-wildcard, enter the wildcard bits to be applied to the source.Note When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-26Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateIf the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.To remove access control to the access point NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.This example shows how to configure the access point to allow itself to synchronize to a peer from access list 99. However, the access point restricts access to allow only time requests from access list 42:AP# configure terminalAP(config)# ntp access-group peer 99AP(config)# ntp access-group serve-only 42AP(config)# access-list 99 permit 172.20.130.5AP(config)# access list 42 permit 172.20.130.6Disabling NTP Services on a Specific Interface NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:To re-enable receipt of NTP packets on an interface, use the no ntp disable interface configuration command.Configuring the Source IP Address for NTP PacketsWhen the access point sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets. The address is taken from the specified interface. This command is useful if the address on an interface cannot be used as the destination for reply packets.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and specify the interface to disable.Step 3 ntp disable Disable NTP packets from being received on the interface.By default, all interfaces receive NTP packets.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-27Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateBeginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:The specified interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source keyword in the ntp peer or ntp server global configuration command as described in the “Configuring NTP Associations” section on page 6-22.Displaying the NTP ConfigurationYou can use two privileged EXEC commands to display NTP information: •show ntp associations [detail]•show ntp statusFor detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.Configuring Time and Date ManuallyIf no other source of time is available, you can manually configure the time and date after the system is restarted. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the access point can synchronize, you do not need to manually set the system clock. This section contains this configuration information:•Setting the System Clock, page 6-28•Displaying the Time and Date Configuration, page 6-28•Configuring the Time Zone, page 6-29•Configuring Summer Time (Daylight Saving Time), page 6-30Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 ntp source type number Specify the interface type and number from which the IP source address is taken.By default, the source address is determined by the outgoing interface.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-28Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateSetting the System ClockIf you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.Beginning in privileged EXEC mode, follow these steps to set the system clock:This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001:AP# clock set 13:32:00 23 July 2001Displaying the Time and Date ConfigurationTo display the time and date configuration, use the show clock [detail] privileged EXEC command.The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes. Until the clock is authoritative and the authoritative flag is set, the flag prevents peers from synchronizing to the clock when the peers’ time is invalid.The symbol that precedes the show clock display has this meaning: •*—Time is not authoritative.•(blank)—Time is authoritative.•.—Time is authoritative, but NTP is not synchronized.Command PurposeStep 1 clock set hh:mm:ss day month yearor clock set hh:mm:ss month day yearManually set the system clock using one of these formats.•For hh:mm:ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.•For day, specify the day by date in the month.•For month, specify the month by name.•For year, specify the year (no abbreviation).Step 2 show running-config Verify your entries.Step 3 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-29Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateConfiguring the Time Zone Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30.To set the time to UTC, use the no clock timezone global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 clock timezone zone hours-offset[minutes-offset]Set the time zone.The access point keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.•For zone, enter the name of the time zone to be displayed when standard time is in effect. The default is UTC.•For hours-offset, enter the hours offset from UTC.•(Optional) For minutes-offset, enter the minutes offset from UTC.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-30Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateConfiguring Summer Time (Daylight Saving Time)Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:AP(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00 Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 clock summer-time zone recurring[week day month hh:mm week day month hh:mm [offset]]Configure summer time to start and end on the specified days every year. Summer time is disabled by default. If you specify clock summer-timezone recurring without parameters, the summer time rules default to the United States rules.•For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.•(Optional) For week, specify the week of the month (1 to 5 or last).•(Optional) For day, specify the day of the week (Sunday, Monday...).•(Optional) For month, specify the month (January, February...).•(Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.•(Optional) For offset, specify the number of minutes to add during summer time. The default is 60.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-31Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointManaging the System Time and DateBeginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.To disable summer time, use the no clock summer-time global configuration command.This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26, 2001, at 02:00:AP(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 clock summer-time zone date [month date year hh:mm month date year hh:mm[offset]]orclock summer-time zone date [datemonth year hh:mm date month year hh:mm [offset]]Configure summer time to start on the first date and end on the second date.Summer time is disabled by default.•For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.•(Optional) For week, specify the week of the month (1 to 5 or last).•(Optional) For day, specify the day of the week (Sunday, Monday...).•(Optional) For month, specify the month (January, February...).•(Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.•(Optional) For offset, specify the number of minutes to add during summer time. The default is 60.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-32Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointConfiguring a System Name and PromptConfiguring a System Name and PromptYou configure the system name on the access point to identify it. By default, the system name and prompt are ap.If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol (>) is appended. The prompt is updated whenever the system name changes, unless you manually configure the prompt by using the prompt global configuration command.Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1.This section contains this configuration information:•Default System Name and Prompt Configuration, page 6-32•Configuring a System Name, page 6-32•Understanding DNS, page 6-33Default System Name and Prompt ConfigurationThe default access point system name and prompt is ap.Configuring a System NameBeginning in privileged EXEC mode, follow these steps to manually configure a system name:When you set the system name, it is also used as the system prompt. To return to the default host name, use the no hostname global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 hostname name Manually configure a system name.The default setting is ap.The name must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-33Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointConfiguring a System Name and PromptUnderstanding DNSThe DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map host names to IP addresses. When you configure DNS on your access point, you can substitute the host name for the IP address with all IP commands, such as ping,telnet,connect, and related Telnet support operations.IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, such as the File Transfer Protocol (FTP) system, is identified as ftp.cisco.com.To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the host names, specify the name server that is present on your network, and enable the DNS.This section contains this configuration information:•Default DNS Configuration, page 6-33•Setting Up DNS, page 6-33•Displaying the DNS Configuration, page 6-34Default DNS ConfigurationTable 6-3 shows the default DNS configuration.Setting Up DNSBeginning in privileged EXEC mode, follow these steps to set up your access point to use the DNS:Table 6-3 Default DNS ConfigurationFeature Default SettingDNS enable state Disabled.DNS default domain name None configured.DNS servers No name server addresses are configured.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 ip domain-name name Define a default domain name that the software uses to complete unqualified host names (names without a dotted-decimal domain name).Do not include the initial period that separates an unqualified name from the domain name.At boot time, no domain name is configured; however, if the access point configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information).
6-34Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointCreating a BannerIf you use the access point IP address as its host name, the IP address is used and no DNS query occurs. If you configure a host name that contains no periods (.), a period followed by the default domain name is appended to the host name before the DNS query is made to map the name to an IP address. The default domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the host name, the IOS software looks up the IP address without appending any default domain name to the host name.To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command. To disable DNS on the access point, use the no ip domain-lookup global configuration command.Displaying the DNS ConfigurationTo display the DNS configuration information, use the show running-config privileged EXEC command.Creating a BannerYou can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner appears on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns).The login banner also appears on all connected terminals. It appears after the MOTD banner and before the login prompts. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.Step 3 ip name-server server-address1[server-address2 ... server-address6]Specify the address of one or more name servers to use for name and address resolution.You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The access point sends DNS queries to the primary server first. If that query fails, the backup servers are queried.Step 4 ip domain-lookup (Optional) Enable DNS-based host name-to-address translation on your access point. This feature is enabled by default. If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).Step 5 end Return to privileged EXEC mode.Step 6 show running-config Verify your entries.Step 7 copy running-config startup-config(Optional) Save your entries in the configuration file.Command Purpose
6-35Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointCreating a BannerThis section contains this configuration information:•Default Banner Configuration, page 6-35•Configuring a Message-of-the-Day Login Banner, page 6-35•Configuring a Login Banner, page 6-36Default Banner ConfigurationThe MOTD and login banners are not configured.Configuring a Message-of-the-Day Login BannerYou can create a single or multiline message banner that appears on the screen when someone logs into the access point. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:To delete the MOTD banner, use the no banner motd global configuration command.This example shows how to configure a MOTD banner for the access point using the pound sign (#) symbol as the beginning and ending delimiter:AP(config)# banner motd #This is a secure site. Only authorized users are allowed.For access, contact technical support.#AP(config)#This example shows the banner displayed from the previous configuration:Unix> telnet 172.2.5.4Trying 172.2.5.4...Connected to 172.2.5.4.Escape character is '^]'.This is a secure site. Only authorized users are allowed.For access, contact technical support.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 banner motd c message c Specify the message of the day.For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.For message, enter a banner message up to 255 characters. You cannot use the delimiting character in the message.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
6-36Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 6 Administering the Access PointCreating a BannerUser Access VerificationPassword:Configuring a Login BannerYou can configure a login banner to appear on all connected terminals. This banner appears after the MOTD banner and before the login prompt.Beginning in privileged EXEC mode, follow these steps to configure a login banner:To delete the login banner, use the no banner login global configuration command.This example shows how to configure a login banner for the access point using the dollar sign ($) symbol as the beginning and ending delimiter:AP(config)# banner login $Access for authorized users only. Please enter your username and password.$AP(config)#Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 banner login c message c Specify the login message.For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.For message, enter a login message up to 255 characters. You cannot use the delimiting character in the message.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
CHAPTER7-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-017Configuring Radio SettingsThis chapter describes how to configure radio settings for your access point. This chapter includes these sections:•Disabling and Enabling the Radio Interface, page 7-2•Configuring the Role in Radio Network, page 7-2•Configuring Radio Data Rates, page 7-4•Configuring Radio Transmit Power, page 7-5•Configuring Radio Channel Settings, page 7-7•Enabling and Disabling World-Mode, page 7-9•Disabling and Enabling Short Radio Preambles, page 7-9•Configuring Transmit and Receive Antennas, page 7-10•Disabling and Enabling Aironet Extensions, page 7-11•Configuring the Ethernet Encapsulation Transformation Method, page 7-12•Enabling and Disabling Reliable Multicast to Workgroup Bridges, page 7-12•Enabling and Disabling Public Secure Packet Forwarding, page 7-13•Configuring the Beacon Period and the DTIM, page 7-15•Configure RTS Threshold and Retries, page 7-15•Configuring the Maximum Data Retries, page 7-16•Configuring the Fragmentation Threshold, page 7-16
7-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsDisabling and Enabling the Radio InterfaceDisabling and Enabling the Radio InterfaceThe access point radios are enabled by default. Beginning in privileged EXEC mode, follow these steps to disable the access point radio:Use the no form of the shutdown command to enable the radio port. Configuring the Role in Radio NetworkYou can configure your access point as a root device that is connected to the wired LAN or as a repeater (non-root) device that is not connected to the wired LAN. Figure 7-1 shows a root access point and a repeater access point.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 shutdown Disable the radio port.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
7-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsConfiguring the Role in Radio NetworkFigure 7-1 Root and Repeater Access PointsSee Chapter 18, “Configuring Repeater and Standby Access Points,” for detailed instructions on setting up repeaters.You can also configure a fallback role for the access point radio. The access point automatically assumes the fallback role when its Ethernet port is disabled or disconnected from the wired LAN. There are two possible fallback roles:•Repeater—When the Ethernet port is disabled, the access point becomes a repeater and associates to a nearby root access point.•Shutdown—The access point shuts down its radio and disassociates all client devices.Beginning in privileged EXEC mode, follow these steps to set the access point’s radio network role and fallback role:Access Point(Root Unit)Access Point(Repeater)66000Wired LANCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
7-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsConfiguring Radio Data RatesConfiguring Radio Data RatesYou use the data rate settings to choose the data rates the access point uses for data transmission. The rates are expressed in megabits per second. The access point always attempts to transmit at the highest data rate set to Basic, also called Require on the browser-based interface. If there are obstacles or interference, the access point steps down to the highest rate that allows data transmission. You can set each data rate (1, 2, 5.5, and 11 megabits per second) to one of three states: •Basic (this is the default state for all data rates)—Allows transmission at this rate for all packets, both unicast and multicast. At least one of the access point's data rates must be set to Basic. •Enabled—The access point transmits only unicast packets at this rate; multicast packets are sent at one of the data rates set to Basic. •Disabled—The access point does not transmit data at this rate. Note At least one data rate must be set to basic.You can use the Data Rate settings to set up an access point to serve client devices operating at specific data rates. For example, to set up the 2.4-GHz radio for 11 megabits per second (Mbps) service only, set the 11-Mbps rate to Basic and set the other data rates to Enabled. To set up the access point to serve only client devices operating at 1 and 2 Mbps, set 1 and 2 to Basic and set the rest of the data rates to Enabled. To set up the 5-GHz radio for 54 Mbps service only, set the 54-Mbps rate to Basic and set the other data rates to Enabled.You can also configure the access point to set the data rates automatically to optimize either range or throughput. When you enter range for the data rate setting, the access point sets the 1 Mbps rate to basic and the other rates to enabled. When you enter throughput for the data rate setting, the access point sets all four data rates to basic.Beginning in privileged EXEC mode, follow these steps to configure the radio data rates:Step 3 station rolerepeater |root [fallback { shutdown | repeater } ]Set the access point role.•Set the role to repeater or root.•(Optional) Select the radio’s fallback role. If the access point’s Ethernet port is disabled or disconnected from the wired LAN, the access point can either shut down its radio port or become a repeater access point associated to a nearby root access point.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
7-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsConfiguring Radio Transmit PowerUse the no form of the speed command to disable data rates. When you use the no form of the command, all data rates are disabled except the rates you name in the command. This example shows how to disable data rate 1.0:ap1200# configure terminalap1200(config)# interface dot11radio 0ap1200(config-if)# no speed basic-2.0 basic-5.5 basic-11.0ap1200(config-if)# endData rate 1 is disabled, and the rest of the rates are set to basic.This example shows how to set up the access point for 11-Mbps service only:ap1200# configure terminalap1200(config)# interface dot11radio 0ap1200(config-if)# no speed basic-11.0ap1200(config-if)# endData rate 11 is set to basic, and the rest of the data rates are set to disabled.Configuring Radio Transmit PowerBeginning in privileged EXEC mode, follow these steps to set the transmit power on your access point radio:Step 3 speedThese options are available for the 2.4-GHz radio:{[1.0] [11.0] [2.0] [5.5] [basic-1.0][basic-11.0] [basic-2.0] [basic-5.5] | range | throughput}These options are available for the 5-GHz radio:{[6.0] [9.0] [12.0] [18.0] [24.0][36.0] [48.0] [54.0] [basic-6.0][basic-9.0] [basic-12.0] [basic-18.0][basic-24.0] [basic-36.0][basic-48.0] [basic-54.0] |range | throughput}Set each data rate to basic or enabled, or enter range to optimize access point range or throughput to optimize throughput.•(Optional) Enter 1.0,2.0,5.5, and 11.0 to set these data rates to enabled on the 2.4-GHz radio. Enter 6.0,9.0,12.0,18.0,24.0,36.0,48.0, and 54.0 to set these data rates to enabled on the 5-GHz radio.•(Optional) Enter basic-1.0,basic-2.0, basic-5.5,andbasic-11.0 to set these data rates to basic on the 2.4-GHz radio. Enter basic-6.0,basic-9.0,basic-12.0,basic-18.0,basic-24.0,basic-36.0,basic-48.0, and basic-54.0 to set these data rates to basic on the 5-GHz radio.•(Optional) Enter range or throughput to automatically optimize radio range or throughput. When you enter range, The access point sets the lowest data rate to basic and the other rates to enabled. When you enter throughput, the access point sets all data rates to basic.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
7-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsConfiguring Radio Transmit PowerUse the no form of the power command to return the power setting to maximum, the default setting. Limiting the Power Level for Associated Client DevicesYou can also limit the power level on client devices that associate to the access point. When a client device associates to the access point, the access point sends the maximum power level setting to the client.Beginning in privileged EXEC mode, follow these steps to specify a maximum allowed power setting on all client devices that associate to the access point:Use the no form of the client power command to disable the maximum power level for associated clients. Note Aironet extensions must be enabled to limit the power level on associated client devices. Aironet extensions are enabled by default.Step 3 power local These options are available for the 2.4-GHz radio:{1 | 5 | 20 | 30 | 50 | 100 | maximum }These options are available for the 5-GHz radio:{5 | 10 | 20 | 40 | maximum }Set the transmit power to one of the power levels allowed in your regulatory domain. All settings are in mW.Note The settings allowed in your regulatory domain might differ from the settings listed here.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 power clientThese options are available for 2.4-GHz clients:{1 | 5 | 20 | 30 | 50 | 100 | maximum}These options are available for 5-GHz clients:{5 | 10 | 20 | 40 | maximum }Set the maximum power level allowed on client devices that associate to the access point. All settings are in mW.Note The settings allowed in your regulatory domain might differ from the settings listed here.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
7-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsConfiguring Radio Channel SettingsConfiguring Radio Channel SettingsThe default channel setting for the access point radios is least congested; at startup, the access point scans for and selects the least-congested channel. For most consistent performance after a site survey, however, we recomend that you assign a static channel setting for each access point. The channel settings on your access point correspond to the frequencies available in your regulatory domain. See Appendix C, “Channels and Antenna Settings,” for the frequencies allowed in your domain.Each 2.4-GHz channel covers 22 MHz. The bandwidth for channels 1, 6, and 11 does not overlap, so you can set up multiple access points in the same vicinity without causing interference. The 5-GHz radio operates on eight channels from 5180 to 5320 MHz. Each channel covers 20 MHz, and the bandwidth for the channels overlaps slightly. For best performance, use channels that are not adjacent (44 and 46, for example) for radios that are close to each other.Note Too many access points in the same vicinity creates radio congestion that can reduce throughput. A careful site survey can determine the best placement of access points for maximum radio coverage and throughput. Beginning in privileged EXEC mode, follow these steps to set the access point’s radio channel:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
7-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsConfiguring Radio Channel SettingsStep 3 channelfrequency | least-congestedSet the default channel for the access point radio. To search for the least-congested channel on startup, enter least-congested.These are the available frequencies (in MHz) for the 2.4-GHz radio:•channel 1—2412 (Americas, EMEA, Japan, and China)•channel 2—2417 (Americas, EMEA, Japan, and China)•channel 3—2422 (Americas, EMEA, Japan, Israel, and China)•channel 4—2427 (Americas, EMEA, Japan, Israel, and China)•channel 5—2432 (Americas, EMEA, Japan, Israel, and China)•channel 6—2437 (Americas, EMEA, Japan, Israel, and China)•channel 7—2442 (Americas, EMEA, Japan, Israel, and China)•channel 8—2447 (Americas, EMEA, Japan, Israel, and China)•channel 9—2452 (Americas, EMEA, Japan, Israel, and China)•channel 10—2457 (Americas, EMEA, Japan, and China)•channel 11—2462 (Americas, EMEA, Japan, and China)•channel 12—2467 (EMEA and Japan only)•channel 13—2472 (EMEA and Japan only)•channel 14—2484 (Japan only)These are the available frequencies (in MHz) for the 5-GHz radio:•channel 34—5170 (Japan only)•channel 36—5180 (Americas and Singapore)•channel 38—5190 (Japan only)•channel 40—5200 (Americas and Singapore)•channel 42—5210 (Japan only)•channel 44—5220 (Americas and Singapore)•channel 46—5230 (Japan only)•channel 48—5240 (Americas and Singapore)•channel 52—5260 (Americas and Taiwan)•channel 56—5280 (Americas and Taiwan)•channel 60—5300 (Americas and Taiwan)•channel 64—5320 (Americas and Taiwan)Note The frequencies allowed in your regulatory domain might differ from the frequencies listed here.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config(Optional) Save your entries in the configuration file.Command Purpose
7-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsEnabling and Disabling World-ModeEnabling and Disabling World-ModeWhen you enable world mode, the access point adds channel carrier set information to its beacon. Client devices with world mode enabled receive the carrier set information and adjust their settings automatically. For example, a client device used primarily in Japan could rely on world mode to adjust its channel and power settings automatically when it travels to Italy and joins a network there. World mode is disabled by default.World mode is not supported on the 5-GHz radio.Beginning in privileged EXEC mode, follow these steps to enable world mode:Use the no form of the command to disable world mode. Note Aironet extensions must be enabled for world mode operation. Aironet extensions are enabled by default.Disabling and Enabling Short Radio PreamblesThe radio preamble (sometimes called a header) is a section of data at the head of a packet that contains information that the access point and client devices need when sending and receiving packets. You can set the radio preamble to long or short:•Short—A short preamble improves throughput performance. Cisco Aironet Wireless LAN Client Adapters support short preambles. Early models of Cisco Aironet's Wireless LAN Adapter (PC4800 and PC4800A) require long preambles.•Long—A long preamble ensures compatibility between the access point and all early models of Cisco Aironet Wireless LAN Adapters (PC4800 and PC4800A). If these client devices do not associate to your access points, you should use short preambles.You cannot configure short or long radio preambles on the 5-GHz radio.Beginning in privileged EXEC mode, follow these steps to disable short radio preambles:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the 2.4-GHz radio interface. Step 3 world-mode Enable world mode.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the 2.4-GHz radio interface.Step 3 no preamble-short Disable short preambles and enable long preambles.
7-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsConfiguring Transmit and Receive AntennasShort preambles are enabled by default. Use the preamble-short command to enable short preambles if they are disabled. Configuring Transmit and Receive AntennasYou can select the antenna the access point uses to receive and transmit data. There are three options for both the receive and the transmit antenna:•Diversity—This default setting tells the access point to use the antenna that receives the best signal. If your access point has two fixed (non-removeable) antennas, you should use this setting for both receive and transmit.•Right—If your access point has removeable antennas and you install a high-gain antenna on the access point's right connector, you should use this setting for both receive and transmit. When you look at the access point's back panel, the right antenna is on the right.•Left—If your access point has removeable antennas and you install a high-gain antenna on the access point's left connector, you should use this setting for both receive and transmit. When you look at the access point's back panel, the left antenna is on the left.Beginning in privileged EXEC mode, follow these steps to select the antennas the access point uses to receive and transmit data:Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 antenna receive{diversity | left | right}Set the receive antenna to diversity, left, or right.Note For best performance, leave the receive antenna setting at the default setting, diversity.Step 4 antenna transmit{diversity | left | right}Set the transmit antenna to diversity, left, or right.Note For best performance, leave the transmit antenna setting at the default setting, diversity.Step 5 end Return to privileged EXEC mode.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
7-11Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsDisabling and Enabling Aironet ExtensionsDisabling and Enabling Aironet ExtensionsBy default, the access point uses Cisco Aironet 802.11 extensions to detect the capabilities of Cisco Aironet client devices and to support features that require specific interaction between the access point and associated client devices. Aironet extensions must be enabled to support these features:•Load balancing—The access point uses Aironet extensions to direct client devices to an access point that provides the best connection to the network based on factors such as number of users, bit error rates, and signal strength.•Message Integrity Check (MIC)—MIC is an additional WEP security feature that prevents attacks on encrypted packets called bit-flip attacks. The MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof.•Temporal Key Integrity Protocol (TKIP)—TKIP, also known as WEP key hashing, is an additional WEP security feature that defends against an attack on WEP in which the intruder uses an unencrypted segment called the initialization vector (IV) in encrypted packets to calculate the WEP key. •Repeater mode—Aironet extensions must be enabled on repeater access points and on the root access points to which they associate.•World mode—Client devices with world mode enabled receive carrier set information from the access point and adjust their settings automatically. •Limiting the power level on associated client devices—When a client device associates to the access point, the access point sends the maximum allowed power level setting to the client.Disabling Aironet extensions disables the features listed above, but it sometimes improves the ability of non-Cisco client devices to associate to the access point. Aironet extensions are enabled by default. Beginning in privileged EXEC mode, follow these steps to disable Aironet extensions:Use the dot11 extension aironet command to enable Aironet extensions if they are disabled. Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 no dot11 extension aironet Disable Aironet extensions.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
7-12Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsConfiguring the Ethernet Encapsulation Transformation MethodConfiguring the Ethernet Encapsulation Transformation MethodWhen the access point receives data packets that are not 802.3 packets, the access point must format the packets to 802.3 using an encapsulation transformation method. These are the two transformation methods:•802.1H—This method provides optimum performance for Cisco Aironet wireless products. This is the default setting.•RFC1042—Use this setting to ensure interoperability with non-Cisco Aironet wireless equipment. RFC1042 does not provide the interoperability advantages of 802.1H but is used by other manufacturers of wireless equipment. Beginning in privileged EXEC mode, follow these steps to configure the encapsulation transformation method:Enabling and Disabling Reliable Multicast to Workgroup BridgesReliable multicast messages from the access point to workgroup bridges allow approximately 20 Cisco Aironet Workgroup Bridges to associate to the access point. The default setting, disabled, allows more than 20 workgroup bridges to associate to the access point.Access points and bridges normally treat workgroup bridges not as client devices but as infrastructure devices, like access points or bridges. Treating a workgroup bridge as an infrastructure device means that the access point reliably delivers multicast packets, including Address Resolution Protocol (ARP) packets, to the workgroup bridge. The performance cost of reliable multicast delivery—duplication of each multicast packet sent to each workgroup bridge—limits the number of infrastructure devices, including workgroup bridges, that can associate to the access point. To increase beyond 20 the number of workgroup bridges that can associate to the access point, the access point must reduce the delivery reliability of multicast packets to workgroup bridges. With reduced reliability, the access point cannot confirm whether multicast packets reach the intended workgroup bridge, so workgroup bridges at the edge of the access point's coverage area might lose IP connectivity. When you treat workgroup bridges as client devices, you increase performance but reduce reliability.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 payload-encapsulationsnap | dot1hSet the encapsulation transformation method to RFC1042 (snap) or 802.1h (dot1h, the default setting).Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
7-13Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsEnabling and Disabling Public Secure Packet ForwardingNote This feature is best suited for use with stationary workgroup bridges. Mobile workgroup bridges might encounter spots in the access point's coverage area where they do not receive multicast packets and lose communication with the access point even though they are still associated to it. A Cisco Aironet Workgroup Bridge provides a wireless LAN connection for up to eight Ethernet-enabled devices. This feature is not supported on the 5-GHz radio.Beginning in privileged EXEC mode, follow these steps to configure the encapsulation transformation method:Use the no form of the command to disable reliable multicast messages to workgroup bridges.Enabling and Disabling Public Secure Packet ForwardingPublic Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN. This feature is useful for public wireless networks like those installed in airports or on college campuses. Note To prevent communication between clients associated to different access points, you must set up protected ports on the switch to which your access points are connected. See the “Configuring Protected Ports” section on page 7-14 for instructions on setting up protected ports.To enable and disable PSPF using IOS commands on your access point, you use bridge groups. You can find a detailed explanation of bridge groups and instructions for implementing them in this document:•Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.2. Click this link to browse to the Configuring Transparent Bridging chapter: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_c/bcfpart1/bcftb.htmYou can also enable and disable PSPF using the web-browser interface. The PSPF setting is on the Radio Settings pages.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the 2.4-GHz radio interface.Step 3 infrastructure-client Enable reliable multicast messages to workgroup bridges.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
7-14Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsEnabling and Disabling Public Secure Packet ForwardingPSPF is disabled by default. Beginning in privileged EXEC mode, follow these steps to enable PSPF:Use the no form of the command to disable PSPF.Configuring Protected PortsTo prevent communication between client devices associated to different access points on your wireless LAN, you must set up protected ports on the switch to which your access points are connected. Follow these steps to set up protected ports on your switch:Beginning in privileged EXEC mode, follow these steps to define a port on your switch as a protected port:To disable protected port, use the no switchport protected interface configuration command.For detailed information on protected ports and port blocking, refer to the “Configuring Port-Based Traffic Control” chapter in the Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(12c)EA1. Click this link to browse to that guide:http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_book09186a008011591c.htmlCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 bridge-group group port-protected Enable PSPF.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and enter the type and number of the switchport interface to configure, such as gigabitethernet0/1.Step 3 switchport protected Configure the interface to be a protected port.Step 4 end Return to privileged EXEC mode.Step 5 show interfaces interface-id switchportVerify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
7-15Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsConfiguring the Beacon Period and the DTIMConfiguring the Beacon Period and the DTIMThe beacon period is the amount of time between access point beacons in Kilomicroseconds. One Kµsec equals 1,024 microseconds. The Data Beacon Rate, always a multiple of the beacon period, determines how often the beacon contains a delivery traffic indication message (DTIM). The DTIM tells power-save client devices that a packet is waiting for them. For example, if the beacon period is set at 100, its default setting, and the data beacon rate is set at 2, its default setting, then the access point sends a beacon containing a DTIM every 200 Kµsecs. One Kµsec equals 1,024 microseconds.The default beacon period is 100, and the default DTIM is 2. Beginning in privileged EXEC mode, follow these steps to configure the beacon period and the DTIM:Configure RTS Threshold and RetriesThe RTS threshold determines the packet size at which the access point issues a request to send (RTS) before sending the packet. A low RTS Threshold setting can be useful in areas where many client devices are associating with the access point, or in areas where the clients are far apart and can detect only the access point and not each other. You can enter a setting ranging from 0 to 2339 bytes.Maximum RTS Retries is the maximum number of times the access point issues an RTS before stopping the attempt to send the packet over the radio. Enter a value from 1 to 128.The default RTS threshold is 2312, and the default maximum RTS retries setting is 32. Beginning in privileged EXEC mode, follow these steps to configure the RTS threshold and maximum RTS retries:Use the no form of the command to reset the RTS settings to defaults.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 beacon period value Set the beacon period. Enter a value in Kilomicroseconds.Step 4 beacon dtim-period value Set the DTIM. Enter a value in Kilomicroseconds.Step 5 end Return to privileged EXEC mode.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 rts threshold value Set the RTS threshold. Enter an RTS threshold from 0 to 2339.Step 4 rts retries value Set the maximum RTS retries. Enter a setting from 1 to 128.Step 5 end Return to privileged EXEC mode.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
7-16Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 7 Configuring Radio SettingsConfiguring the Maximum Data RetriesConfiguring the Maximum Data RetriesThe maximum data retries setting determines the number of attempts the access point makes to send a packet before giving up and dropping the packet. The default setting is 32. Beginning in privileged EXEC mode, follow these steps to configure the maximum data retries:Use the no form of the command to reset the setting to defaults.Configuring the Fragmentation ThresholdThe fragmentation threshold determines the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference.The default setting is 2338 bytes. Beginning in privileged EXEC mode, follow these steps to configure the fragmentation threshold:Use the no form of the command to reset the setting to defaults.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 packet retries value Set the maximum data retries. Enter a setting from 1 to 128.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 fragment-threshold value Set the fragmentation threshold. Enter a setting from 256 to 2338 bytes for the 2.4-GHz radio. Enter a setting from 256 to 2346 bytes for the 5-GHz radio. Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
CHAPTER8-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-018Configuring Multiple SSIDsThis chapter describes how to configure and manage multiple service set identifiers (SSIDs) on the access point. This chapter contains these sections:•Understanding Multiple SSIDs, page 8-2•Configuring Multiple SSIDs, page 8-2
8-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 8 Configuring Multiple SSIDsUnderstanding Multiple SSIDsUnderstanding Multiple SSIDsThe SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or sub-network can use the same SSIDs. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. Do not include spaces in your SSIDs.You can configure up to 16 SSIDs on your 1200 series access point and assign different configuration settings to each SSID. All the SSIDs are active at the same time; that is, client devices can associate to the access point using any of the SSIDs. These are the settings you can assign to each SSID:•VLAN•Client authentication methodNote For detailed information on client authentication types, see Chapter 10, “Configuring Authentication Types.”•Maximum number of client associations using the SSID•Proxy mobile IP•RADIUS accounting for traffic using the SSID •Guest mode•Repeater mode, including authentication username and passwordIf you want the access point to allow associations from client devices that do not specify an SSID in their configurations, you can set up a guest SSID. The access point includes the guest SSID in its beacon. The access point’s default SSID, tsunami, is set to guest mode. However, to keep your network secure, you should disable the guest mode SSID on most access points.If your access point will be a repeater or will be a root access point that acts as a parent for a repeater, you can set up an SSID for use in repeater mode. You can assign an authentication username and password to the repeater-mode SSID to allow the repeater to authenticate to your network like a client device.If your network uses VLANs, you can assign an SSID to a VLAN, and client devices using the SSID are grouped in that VLAN.Configuring Multiple SSIDsThese sections contain configuration information for multiple SSIDs:•Default SSID Configuration, page 8-3•Creating an SSID, page 8-3•Using a RADIUS Server to Restrict SSIDs, page 8-4
8-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 8 Configuring Multiple SSIDsConfiguring Multiple SSIDsDefault SSID ConfigurationTable 8-1 shows the default SSID configuration:Creating an SSIDBeginning in privileged EXEC mode, follow these steps to create an SSID:Table 8-1 Default SSID ConfigurationFeature Default SettingSSID tsunamiGuest Mode SSID tsunami (The access point broadcasts this SSID in its beacon and allows client devices with no SSID to associate.)Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 ssid ssid-string Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.Note Do not include spaces in your SSIDs.Step 4 authentication client username usernamepassword password(Optional) Set an authentication username and password that the access point uses to authenticate to the network when in repeater mode. Set the username and password on the SSID that the repeater access point uses to associate to a root access point, or with another repeater.Step 5 accounting list-name (Optional) Enable RADIUS accounting for this SSID. For list-name, specify the accounting method list. Click this link for more information on method lists: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfacct.htm#xtocid2Step 6 vlan vlan-id (Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN.Step 7 guest-mode (Optional) Designate the SSID as your access point’sguest-mode SSID. The access point includes the SSID in its beacon and allows associations from client devices that do not specify an SSID.
8-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 8 Configuring Multiple SSIDsConfiguring Multiple SSIDsNote You use the ssid command’s authentication options to configure an authentication type for each SSID. See Chapter 10, “Configuring Authentication Types,” for instructions on configuring authentication types.Use the no form of the command to disable the SSID or to disable SSID features.This example shows how to:•Name an SSID•Configure the SSID for RADIUS accounting•Set the maximum number of client devices that can associate using this SSID to 15•Assign the SSID to a VLANap1200# configure terminalap1200(config)# configure interface dot11radio 0ap1200(config-if)# ssid batmanap1200(config-ssid)# accounting accounting-method-listap1200(config-ssid)# max-associations 15ap1200(config-ssid)# vlan 3762ap1200(config-ssid)# endUsing a RADIUS Server to Restrict SSIDsTo prevent client devices from associating to the access point using an unauthorized SSID, you can create a list of authorized SSIDs that clients must use on your RADIUS authentication server. The SSID authorization process consists of these steps:1. A client device associates to the access point using any SSID configured on the access point. 2. The client begins RADIUS authentication.3. The RADIUS server returns a list of SSIDs that the client is allowed to use. The access point checks the list for a match of the SSID used by the client. There are three possible outcomes:a. If the SSID that the client used to associate to the access point matches an entry in the allowed list returned by the RADIUS server, the client is allowed network access after completing all authentication requirements. b. If the access point does not find a match for the client in the allowed list of SSIDs, the access point disassociates the client. Step 8 infrastructure-ssid [optional] (Optional) Designate the SSID as the SSID that other access points and workgroup bridges use to associate to this access point. If you do not designate an SSID as the infrastructure SSID, infrastructure devices can associate to the access point using any SSID. If you designate an SSID as the infrastructure SSID, infrastructure devices must associate to the access point using that SSID unless you also enter the optional keyword.Step 9 end Return to privileged EXEC mode.Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
8-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 8 Configuring Multiple SSIDsConfiguring Multiple SSIDsc. If the RADIUS server does not return any SSIDs (no list) for the client, then the administrator has not configured the list, and the client is allowed to associate and attempt to authenticate. The allowed list of SSIDs from the RADIUS server are in the form of Cisco VSAs. The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the access point and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The Radius server is allowed to have zero or more SSID VSAs per client. In this example, the following AV pair adds the SSID batman to the list of allowed SSIDs for a user:cisco-avpair= ”ssid=batman”For instructions on configuring the access point to recognize and use VSAs, see the “Configuring the Access Point to Use Vendor-Specific RADIUS Attributes” section on page 11-13.
8-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 8 Configuring Multiple SSIDsConfiguring Multiple SSIDs
CHAPTER9-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-019Configuring WEP and WEP FeaturesThis chapter describes how to configure Wired Equivalent Privacy (WEP), Message Integrity Check (MIC), Temporal Key Integrity Protocol (TKIP), and broadcast key rotation. This chapter contains these sections:•Understanding WEP, page 9-2•Configuring WEP and WEP Features, page 9-2
9-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 9 Configuring WEP and WEP FeaturesUnderstanding WEPUnderstanding WEPJust as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's radio transmissions. Because WEP is the first line of defense against intruders, Cisco recommends that you use full encryption on your wireless network.WEP encryption scrambles the communication between the access point and client devices to keep the communication private. Both the access point and client devices use the same WEP key to encrypt and unencrypt radio signals. WEP keys encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on the network. Multicast messages are addressed to multiple devices on the network. Extensible Authentication Protocol (EAP) authentication provides dynamic WEP keys to wireless users. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder passively receives enough packets encrypted by the same WEP key, the intruder can perform a calculation to learn the key and use it to join your network. Because they change frequently, dynamic WEP keys prevent intruders from performing the calculation and learning the key. See Chapter 10, “Configuring Authentication Types,” for detailed information on EAP and other authentication types.Three additional security features defend your wireless network's WEP keys:•Message Integrity Check (MIC)—MIC prevents attacks on encrypted packets called bit-flip attacks.During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper proof. •TKIP (Temporal Key Integrity Protocol, also known as WEP key hashing)—This feature defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs. •Broadcast key rotation—EAP authentication provides dynamic unicast WEP keys for client devices but uses static broadcast keys. When you enable broadcast WEP key rotation, the access point provides a dynamic broadcast WEP key and changes it at the interval you select. Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices. Configuring WEP and WEP FeaturesThese sections describe how to configure WEP and additional WEP features such as MIC, TKIP, and broadcast key rotation:•Creating WEP Keys, page 9-3•Enabling and Disabling WEP and Enabling TKIP and MIC, page 9-3•Enabling and Disabling Broadcast Key Rotation, page 9-4WEP, TKIP, MIC, and broadcast key rotation are disabled by default.
9-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 9 Configuring WEP and WEP FeaturesConfiguring WEP and WEP FeaturesCreating WEP KeysBeginning in privileged EXEC mode, follow these steps to create a WEP key and set the key properties:This example shows how to create a 128-bit WEP key in slot 1 for VLAN 22 and sets the key as the transmit key:ap1200# configure terminalap1200(config)# configure interface dot11radio 0ap1200(config-if)# encryption vlan 22 key 1 size 128 12345678901234567890123456 transmit-keyap1200(config-ssid)# endEnabling and Disabling WEP and Enabling TKIP and MICBeginning in privileged EXEC mode, follow these steps to enable WEP, TKIP, and MIC:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 encryption[vlan vlan-id]key 1-4size {40 | 128 } encryption-key[transmit-key]Create a WEP key and set up its properties.•(Optional) Select the VLAN for which you want to create a key.•Name the key slot in which this WEP key resides. You can assign up to 4 WEP keys for each VLAN.•Enter the key and set the size of the key, either 40-bit or 128-bit. 40-bit keys contain 10 hexadecimal digits; 128-bit keys contain 26 hexadecimal digits. •(Optional) Set this key as the transmit key. The key in slot 1 is the transmit key by default, but you can set any key as the transmit key.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
9-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 9 Configuring WEP and WEP FeaturesConfiguring WEP and WEP FeaturesUse the no form of the encryption command to disable WEP or to disable WEP features.This example sets WEP to mandatory for VLAN 22 and enables MIC and TKIP.ap1200# configure terminalap1200(config)# configure interface dot11radio 0ap1200(config-if)# encryption vlan 22 mode wep mandatory mic key-hashap1200(config-ssid)# endEnabling and Disabling Broadcast Key RotationBroadcast key rotation is disabled by default. Beginning in privileged EXEC mode, follow these steps to enable broadcast key rotation:Use the no form of the encryption command to disable broadcast key rotation.This example enables broadcast key rotation on VLAN 22 and sets the rotation interval to 300 seconds:ap1200# configure terminalap1200(config)# configure interface dot11radio 0ap1200(config-if)# broadcast-key vlan 22 change 300ap1200(config-ssid)# endStep 3 encryption[vlan vlan-id]mode wep {optional [key-hash] | mandatory [mic] [key-hash]}Enable WEP, MIC, and TKIP.•(Optional) Select the VLAN for which you want to enable WEP and WEP features.•Set the WEP level and enable TKIP and MIC. If you enter optional, client devices can associate to the access point with or without WEP enabled. You can enable TKIP with WEP set to optional but you cannot enable MIC. If you enter mandatory, client devices must have WEP enabled to associate to the access point. You can enable both TKIP and MIC with WEP set to mandatory.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 broadcast-keychange seconds[vlan vlan-id]Enable broadcast key rotation.•Enter the number of seconds between each rotation of the broadcast key. •(Optional) Enter a VLAN for which you want to enable broadcast key rotation.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
CHAPTER10-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0110Configuring Authentication TypesThis chapter describes how to configure authentication types on the access point. This chapter contains these sections:•Understanding Authentication Types, page 10-2•Configuring Authentication Types, page 10-6•Matching Access Point and Client Device Authentication Types, page 10-9
10-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 10 Configuring Authentication TypesUnderstanding Authentication TypesUnderstanding Authentication TypesThis section describes the authentication types that you can configure on the access point. The authentication types are tied to the SSIDs that you configure for the access point. If you want to serve different types of client devices with the same access point, you can configure multiple SSIDs. See Chapter 8, “Configuring Multiple SSIDs,” for complete instructions on configuring multiple SSIDs.Before a wireless client device can communicate on your network through the access point, it must authenticate to the access point using open or shared-key authentication. For maximum security, client devices should also authenticate to your network using MAC-address or EAP authentication, authentication types that rely on an authentication server on your network.The access point uses four authentication mechanisms or types and can use more than one at the same time. These sections explain each authentication type:•Open Authentication to the Access Point, page 10-2•Shared Key Authentication to the Access Point, page 10-2•EAP Authentication to the Network, page 10-3•MAC Address Authentication to the Network, page 10-5•Combining MAC-Based, EAP, and Open Authentication, page 10-5Open Authentication to the Access PointOpen authentication allows any device to authenticate and then attempt to communicate with the access point. Using open authentication, any wireless device can authenticate with the access point, but the device can communicate only if its WEP keys match the access point’s. Devices not using WEP do not attempt to authenticate with an access point that is using WEP. Open authentication does not rely on a RADIUS server on your network. Figure 10-1 shows the authentication sequence between a device trying to authenticate and an access point using open authentication. In this example, the device’s WEP key does not match the access point’skey, so it can authenticate but not pass data.Figure 10-1 Sequence for Open AuthenticationShared Key Authentication to the Access PointCisco provides shared key authentication to comply with the IEEE 802.11b standard. However, because of shared key’s security flaws, we recommend that you avoid using it.During shared key authentication, the access point sends an unencrypted challenge text string to any device attempting to communicate with the access point. The device requesting authentication encrypts the challenge text and sends it back to the access point. If the challenge text is encrypted correctly, the Access pointor bridgewith WEP key = 123Client devicewith WEP key = 3211. Authentication request2. Authentication response54583
10-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 10 Configuring Authentication TypesUnderstanding Authentication Typesaccess point allows the requesting device to authenticate. Both the unencrypted challenge and the encrypted challenge can be monitored, however, which leaves the access point open to attack from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings. Because of this weakness, shared key authentication can be less secure than open authentication. Like open authentication, shared key authentication does not rely on a RADIUS server on your network.Figure 10-2 shows the authentication sequence between a device trying to authenticate and an access point using shared key authentication. In this example the device’s WEP key matches the access point’skey, so it can authenticate and communicate.Figure 10-2 Sequence for Shared Key AuthenticationEAP Authentication to the NetworkThis authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key. The RADIUS server sends the WEP key to the access point, which uses it for all unicast data signals that it sends to or receives from the client. The access point also encrypts its broadcast WEP key (entered in the access point’s WEP key slot 1) with the client’s unicast key and sends it to the client. Access pointor bridgewith WEP key = 123Client devicewith WEP key = 1231. Authentication request2. Unencrypted challenge3. Encrypted challenge response4. Authentication response54584
10-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 10 Configuring Authentication TypesUnderstanding Authentication TypesWhen you enable EAP on your access points and client devices, authentication to the network occurs in the sequence shown in Figure 10-3:Figure 10-3 Sequence for EAP AuthenticationIn Steps 1 through 9 in Figure 10-3, a wireless client device and a RADIUS server on the wired LAN use 802.1x and EAP to perform a mutual authentication through the access point. The RADIUS server sends an authentication challenge to the client. The client uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the client. When the RADIUS server authenticates the client, the process repeats in reverse, and the client authenticates the RADIUS server.When mutual authentication is complete, the RADIUS server and the client determine a WEP key that is unique to the client and provides the client with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The client loads this key and prepares to use it for the logon session. During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the access point. The access point encrypts its broadcast key with the session key and sends the encrypted broadcast key to the client, which uses the session key to decrypt it. The client and access point activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID”section on page 10-6 for instructions on setting up EAP on the access point.Note If you use EAP authentication, you can select open or shared key authentication, but you don’t have to. EAP authentication controls authentication both to your access point and to your network. Access pointor bridgeWired LANClientdevice Server1. Authentication request2. Identity request3. Username(relay to client)(relay to server)4. Authentication challenge5. Authentication response(relay to client)(relay to server)6. Authentication success7. Authentication challenge(relay to client)(relay to server)8. Authentication response9. Successful authentication (relay to server)65583
10-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 10 Configuring Authentication TypesUnderstanding Authentication TypesMAC Address Authentication to the NetworkThe access point relays the wireless client device’s MAC address to a RADIUS server on your network, and the server checks the address against a list of allowed MAC addresses. Intruders can create counterfeit MAC addresses, so MAC-based authentication is less secure than EAP authentication. However, MAC-based authentication provides an alternate authentication method for client devices that do not have EAP capability. See the “Assigning Authentication Types to an SSID” section on page 10-6for instructions on enabling MAC-based authentication.Tip If you don’t have a RADIUS server on your network, you can create a list of allowed MAC addresses on the access point’s Advanced Security: MAC Address Authentication page. Devices with MAC addresses not on the list are not allowed to authenticate. When you create the list of allowed MAC addresses, use lower case for all letters in the addresses that you enter.Figure 10-4 shows the authentication sequence for MAC-based authentication.Figure 10-4 Sequence for MAC-Based AuthenticationCombining MAC-Based, EAP, and Open AuthenticationYou can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication. See the “Assigning Authentication Types to an SSID” section on page 10-6for instructions on setting up this combination of authentications.Access pointor bridgeWired LANClientdevice Server1. Authentication request2. Authentication success3. Association request4. Association response(block traffic from client)5. Authentication request6. Success7. Access point or bridge unblockstraffic from client65584
10-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 10 Configuring Authentication TypesConfiguring Authentication TypesConfiguring Authentication TypesThis section describes how to configure authentication types. You attach configuration types to the access point’s SSIDs. See Chapter 8, “Configuring Multiple SSIDs,” for details on setting up multiple SSIDs. This section contains these topics:•Default Authentication Settings, page 10-6•Assigning Authentication Types to an SSID, page 10-6•Configuring Authentication Holdoffs, Timeouts, and Intervals, page 10-8Default Authentication SettingsThe default SSID on the access point is tsunami. Table 10-1 shows the default authentication settings for the default SSID:Assigning Authentication Types to an SSIDBeginning in privileged EXEC mode, follow these steps to configure authentication types for SSIDs:Table 10-1 Default Authentication ConfigurationFeature Default SettingSSID tsunamiGuest Mode SSID tsunami (The access point broadcasts this SSID in its beacon and allows client devices with no SSID to associate.)Authentication type assigned to tsunami openCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 ssid ssid-string Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.Note Do not include spaces in SSIDs.
10-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 10 Configuring Authentication TypesConfiguring Authentication TypesStep 4 authentication open [mac-address list-name [alternate]][eap list-name](Optional) Set the authentication type to open for this SSID. Open authentication allows any device to authenticate and then attempt to communicate with the access point. •(Optional) Set the SSID’s authentication type to open with MAC address authentication. The access point forces all client devices to perform MAC-address authentication before they are allowed to join the network. For list-name,specify the authentication method list. Click this link for more information on method lists: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm#xtocid2Use the alternate keyword to allow client devices to join the network using either MAC or EAP authentication; clients that successfully complete either authentication are allowed to join the network.•(Optional) Set the SSID’s authentication type to open with EAP authentication. The access point forces all client devices to perform EAP authentication before they are allowed to join the network. For list-name, specify the authentication method list. Note An access point configured for EAP authentication forces all client devices that associate to perform EAP authentication. Client devices that do not use EAP cannot use the access point.Step 5 authentication shared[mac-address list-name][eap list-name](Optional) Set the authentication type for the SSID to shared key.Note Because of shared key's security flaws, Cisco recommends that you avoid using it.Note You can assign shared key athentication to only one SSID.•(Optional) Set the SSID’s authentication type to shared key with MAC address authentication. For list-name, specify the authentication method list. •(Optional) Set the SSID’s authentication type to shared key with EAP authentication. For list-name, specify the authentication method list.Command Purpose
10-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 10 Configuring Authentication TypesConfiguring Authentication TypesUse the no form of the SSID commands to disable the SSID or to disable SSID features.This example sets the authentication type for the SSID batman to open with a combination of MAC-address and EAP authentication. Client devices using the batman SSID first attempt MAC-address authentication using a server named adam. If MAC authentication succeeds, they join the network, but if it fails, they attempt EAP authentication using the same server.ap1200# configure terminalap1200(config)# configure interface dot11radio 0ap1200(config-if)# ssid batmanap1200(config-ssid)# authentication open mac adam alternate eap adamap1200(config-ssid)# endConfiguring Authentication Holdoffs, Timeouts, and IntervalsBeginning in privileged EXEC mode, follow these steps to configure holdoff times, reauthentication periods, and authentication timeouts for client devices authenticating through your access point:Step 6 authentication network-eaplist-name[mac-address list-name](Optional) Set the authentication type for the SSID to Network-EAP. Using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key. However, the access point does not force all client devices to perform EAP authentication. •(Optional) Set the SSID’s authentication type to Network-EAP with MAC address authentication. All client devices that associate to the access point are required to perform MAC-address authentication. For list-name, specify the authentication method list. Step 7 end Return to privileged EXEC mode.Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 dot11 holdoff-time seconds Enter the number of seconds a client device must wait before it can reattempt to authenticate following a failed authentication. Enter a value from 1 to 65555 seconds.Step 3 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 4 dot1x client-timeout seconds Enter the number of seconds the access point should wait for a reply from a client attempting to authenticate before the authentication fails. Enter a value from 1 to 65555 seconds.
10-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 10 Configuring Authentication TypesMatching Access Point and Client Device Authentication TypesUse the no form of these commands to reset the values to default settings. Matching Access Point and Client Device Authentication Types To use the authentication types described in this section, the access point authentication settings must match the authentication settings on the client adapters that associate to the access point. Refer to the Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows for instructions on setting authentication types on wireless client adapters. Refer to Chapter 9, “Configuring WEP and WEP Features,” for instructions on configuring WEP on the access point. Table 10-2 lists the client and access point settings required for each authentication type.Step 5 dot1x reauth-period seconds [server]Enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate.•(Optional) Enter the server keyword to configure the access point to use the rauthentication period specified by the authentication server. If you use this option, configure your authentication server with RADIUS attribute 27, Session-Timeout. This attribute sets the maximum number of seconds of service to be provided to the client before termination of the session or prompt. The server sends this attribute to the access point when a client device performs EAP authentication.Step 6 end Return to privileged EXEC mode.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeTable 10-2 Client and Access Point Security SettingsSecurity Feature Client Setting Access Point SettingStatic WEP with open authenticationCreate a WEP key and enable Use Static WEP Keys and Open AuthenticationSet up and enable WEP and enable Open AuthenticationStatic WEP with shared key authenticationCreate a WEP key and enable Use Static WEP Keys and Shared Key AuthenticationSet up and enable WEP and enable Shared Key AuthenticationLEAP authentication Enable LEAP Set up and enable WEP and enable Network-EAP
10-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 10 Configuring Authentication TypesMatching Access Point and Client Device Authentication TypesEAP-TLS authenticationIf using ACU to configure cardEnable Host Based EAP and Use Dynamic WEP Keys in ACU and select Enable network access control using IEEE 802.1X and Smart Card or Other Certificate as the EAP Type in Windows 2000 (with Service Pack 3) or Windows XPSet up and enable WEP and enable EAP and Open authenticationIf using Windows XP to configure cardSelect Enable network access control using IEEE 802.1X and Smart Card or other Certificate as the EAP TypeSet up and enable WEP and enable EAP and Open AuthenticationEAP-MD5 authenticationIf using ACU to configure cardCreate a WEP key, enable Host Based EAP, and enable Use Static WEP Keys in ACU and select Enable network access control using IEEE 802.1X and MD5-Challenge as the EAP Type in Windows 2000 (with Service Pack 3) or Windows XPSet up and enable WEP and enable EAP and Open authenticationIf using Windows XP to configure cardSelect Enable network access control using IEEE 802.1X and MD5-Challenge as the EAP TypeSet up and enable WEP and enable EAP and Open AuthenticationPEAP authenticationIf using ACU to configure cardEnable Host Based EAP and Use Dynamic WEP Keys in ACU and select Enable network access control using IEEE 802.1X and PEAP as the EAP Type in Windows 2000 (with Service Pack 3) or Windows XPSet up and enable WEP and enable EAP and Open authenticationIf using Windows XP to configure cardSelect Enable network access control using IEEE 802.1X and PEAP as the EAP TypeSet up and enable WEP and enable Require EAP and Open AuthenticationTable 10-2 Client and Access Point Security Settings (continued)Security Feature Client Setting Access Point Setting
10-11Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 10 Configuring Authentication TypesMatching Access Point and Client Device Authentication TypesEAP-SIM authenticationIf using ACU to configure cardEnable Host Based EAP and Use Dynamic WEP Keys in ACU and select Enable network access control using IEEE 802.1X and SIM Authentication as the EAP Type in Windows 2000 (with Service Pack 3) or Windows XPSet up and enable WEP with full encryption and enable EAP and Open authenticationIf using Windows XP to configure cardSelect Enable network access control using IEEE 802.1X and SIM Authentication as the EAP TypeSet up and enable WEP with full encryption and enable Require EAP and Open AuthenticationTable 10-2 Client and Access Point Security Settings (continued)Security Feature Client Setting Access Point Setting
10-12Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 10 Configuring Authentication TypesMatching Access Point and Client Device Authentication Types
CHAPTER11-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0111Configuring RADIUS and TACACS+ ServersThis chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+), which provide detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS and TACACS+ are facilitated through AAA and can be enabled only through AAA commands.Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Security Command Reference for Release 12.2.This chapter contains these sections:•Configuring and Enabling RADIUS, page 11-2•Configuring and Enabling TACACS+, page 11-16
11-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSConfiguring and Enabling RADIUSThis section describes how to configure and enable RADIUS. These sections describe RADIUS configuration:•Understanding RADIUS, page 11-2•RADIUS Operation, page 11-3•Configuring RADIUS, page 11-4•Displaying the RADIUS Configuration, page 11-15Understanding RADIUSRADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco devices and send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access Control Server version 3.0), Livingston, Merit, Microsoft, or another software provider. For more information, refer to the RADIUS server documentation.Use RADIUS in these network environments, which require access security:•Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers from several vendors use a single RADIUS server-based security database. In an IP-based network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS server that is customized to work with the Kerberos security system.•Turnkey network security environments in which applications support the RADIUS protocol, such as an access environment that uses a smart card access control system. In one case, RADIUS has been used with Enigma’s security cards to validate users and to grant access to network resources.•Networks already using RADIUS. You can add a Cisco access point containing a RADIUS client to the network. •Networks that require resource accounting. You can use RADIUS accounting independently of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, showing the amount of resources (such as time, packets, bytes, and so forth) used during the session. An Internet service provider might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs.RADIUS is not suitable in these network security situations:•Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 PAD connections.•Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.•Networks using a variety of services. RADIUS generally binds a user to one service model.
11-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSRADIUS OperationWhen a wireless user attempts to log in and authenticate to an access point whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in Figure 11-1:Figure 11-1 Sequence for EAP AuthenticationIn Steps 1 through 9 in Figure 11-1, a wireless client device and a RADIUS server on the wired LAN use 802.1x and EAP to perform a mutual authentication through the access point. The RADIUS server sends an authentication challenge to the client. The client uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the client. When the RADIUS server authenticates the client, the process repeats in reverse, and the client authenticates the RADIUS server.When mutual authentication is complete, the RADIUS server and the client determine a WEP key that is unique to the client and provides the client with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The client loads this key and prepares to use it for the logon session. During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the access point. The access point encrypts its broadcast key with the session key and sends the encrypted broadcast key to the client, which uses the session key to decrypt it. The client and access point activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID”section on page 10-6 for instructions on setting up client authentication using a RADIUS server.Access pointor bridgeWired LANClientdevice Server1. Authentication request2. Identity request3. Username(relay to client)(relay to server)4. Authentication challenge5. Authentication response(relay to client)(relay to server)6. Authentication success7. Authentication challenge(relay to client)(relay to server)8. Authentication response9. Successful authentication (relay to server)65583
11-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSConfiguring RADIUSThis section describes how to configure your access point to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.You should have access to and should configure a RADIUS server before configuring RADIUS features on your access point.This section contains this configuration information:•Default RADIUS Configuration, page 11-4•Identifying the RADIUS Server Host, page 11-4 (required)•Configuring RADIUS Login Authentication, page 11-7 (required)•Defining AAA Server Groups, page 11-9 (optional)•Configuring RADIUS Authorization for User Privileged Access and Network Services, page 11-11(optional)•Starting RADIUS Accounting, page 11-12 (optional)•Configuring Settings for All RADIUS Servers, page 11-13 (optional)•Configuring the Access Point to Use Vendor-Specific RADIUS Attributes, page 11-13 (optional)•Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication, page 11-14(optional)Note The RADIUS server CLI commands are disabled until you enter the aaa new-model command.Default RADIUS ConfigurationRADIUS and AAA are disabled by default.To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the access point through the CLI.Identifying the RADIUS Server Host Access point-to-RADIUS-server communication involves several components:•Host name or IP address•Authentication destination port•Accounting destination port•Key string•Timeout period
11-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUS•Retransmission valueYou identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—such as accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the access point tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order that they are configured.)A RADIUS server and the access point use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the access point. The timeout, retransmission, and encryption key values can be configured globally per server for all RADIUS servers or in some combination of global and per-server settings. To apply these settings globally to all RADIUS servers communicating with the access point, use the three unique global configuration commands: radius-server timeout, radius-server retransmit, and radius-server key. To apply these values on a specific RADIUS server, use the radius-server host global configuration command.Note If you configure both global and per-server functions (timeout, retransmission, and key commands) on the access point, the per-server timer, retransmission, and key value commands override global timer, retransmission, and key value commands. For information on configuring these setting on all RADIUS servers, see the “Configuring Settings for All RADIUS Servers” section on page 11-13.You can configure the access point to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 11-9.Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.
11-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSTo remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:AP(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1AP(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2Step 3 radius-server host {hostname | ip-address} [auth-port port-number][acct-port port-number] [timeoutseconds] [retransmit retries] [keystring]Specify the IP address or host name of the remote RADIUS server host.•(Optional) For auth-port port-number, specify the UDP destination port for authentication requests.•(Optional) For acct-port port-number, specify the UDP destination port for accounting requests.•(Optional) For timeout seconds, specify the time interval that the access point waits for the RADIUS server to reply before retransmitting. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.•(Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.•(Optional) For key string, specify the authentication and encryption key used between the access point and the RADIUS daemon running on the RADIUS server. Note The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.To configure the access point to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The access point software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
11-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSThis example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:AP(config)# radius-server host host1Note You also need to configure some settings on the RADIUS server. These settings include the IP address of the access point and the key string to be shared by both the server and the access point. For more information, refer to the RADIUS server documentation.Configuring RADIUS Login AuthenticationTo configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.
11-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSTo disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name}method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.Step 3 aaa authentication login {default | list-name}method1 [method2...]Create a login authentication method list.•To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces. For more information on list names, click this link: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm#xtocid2•For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.Select one of these methods:•line—Use the line password for authentication. You must define a line password before you can use this authentication method. Use the password password line configuration command.•local—Use the local username database for authentication. You must enter username information in the database. Use the usernamepassword global configuration command.•radius—Use RADIUS authentication. You must configure the RADIUS server before you can use this authentication method. For more information, see the “Identifying the RADIUS Server Host”section on page 11-4.Step 4 line [console | tty | vty]line-number[ending-line-number]Enter line configuration mode, and configure the lines to which you want to apply the authentication list.Step 5 login authentication {default | list-name}Apply the authentication list to a line or set of lines.•If you specify default, use the default list created with the aaa authentication login command.•For list-name, specify the list created with the aaa authentication login command.Step 6 radius-server attribute 32 include-in-access-req format %hConfigure the access point to send its system name in the NAS_ID attribute for authentication.Step 7 end Return to privileged EXEC mode.Step 8 show running-config Verify your entries.Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
11-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSDefining AAA Server GroupsYou can configure the access point to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts. Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same RADIUS server for the same service (such as accounting), the second configured host entry acts as a fail-over backup to the first one.You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.
11-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSStep 3 radius-server host {hostname | ip-address} [auth-port port-number][acct-port port-number] [timeoutseconds] [retransmit retries] [keystring]Specify the IP address or host name of the remote RADIUS server host.•(Optional) For auth-port port-number, specify the UDP destination port for authentication requests.•(Optional) For acct-port port-number, specify the UDP destination port for accounting requests.•(Optional) For timeout seconds, specify the time interval that the access point waits for the RADIUS server to reply before retransmitting. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.•(Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.•(Optional) For key string, specify the authentication and encryption key used between the access point and the RADIUS daemon running on the RADIUS server. Note The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.To configure the access point to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The access point software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.Step 4 aaa group server radius group-name Define the AAA server-group with a group name.This command puts the access point in a server group configuration mode.Step 5 server ip-address Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group.Each server in the group must be previously defined in Step 2.Step 6 end Return to privileged EXEC mode.Step 7 show running-config Verify your entries.Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 11-7.Command Purpose
11-11Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSTo remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.In this example, the access point is configured to recognize two different RADIUS group servers (group1and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.AP(config)# aaa new-modelAP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646AP(config)# aaa group server radius group1AP(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001AP(config-sg-radius)# exitAP(config)# aaa group server radius group2AP(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001AP(config-sg-radius)# exitConfiguring RADIUS Authorization for User Privileged Access and Network ServicesAAA authorization limits the services available to a user. When AAA authorization is enabled, the access point uses information retrieved from the user’s profile, which is in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.Note This section describes setting up authorization for access point adminsitrators, not for wireless client devices.You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user’s network access to privileged EXEC mode. The aaa authorization exec radius local command sets these authorization parameters:•Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS.•Use the local database if authentication was not performed by using RADIUS.Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
11-12Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSBeginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services: To disable authorization, use the no aaa authorization {network | exec}method1 global configuration command. Starting RADIUS AccountingThe AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the access point reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing.Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:To disable accounting, use the no aaa accounting {network | exec} {start-stop}method1... global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa authorization network radius Configure the access point for user RADIUS authorization for all network-related service requests.Step 3 aaa authorization exec radius Configure the access point for user RADIUS authorization to determine if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information). Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa accounting network start-stop radiusEnable RADIUS accounting for all network-related service requests. Step 3 ip radius source-interface bvi1 Configure the access point to send its BVI IP address in the NAS_IP_ADDRESS attribute for accounting records.Step 4 aaa accounting update periodic minutes Enter an accounting update interval in minutes. Step 5 end Return to privileged EXEC mode.Step 6 show running-config Verify your entries.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
11-13Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSConfiguring Settings for All RADIUS ServersBeginning in privileged EXEC mode, follow these steps to configure global communication settings between the access point and all RADIUS servers:To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands.Configuring the Access Point to Use Vendor-Specific RADIUS AttributesThe Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the access point and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco’s vendor ID is 9, and the supported option has vendor type 1, which is named cisco-avpair. The value is a string with this format:protocol : attribute sep value *Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 radius-server key string Specify the shared secret text string used between the access point and all RADIUS servers.Note The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.Step 3 radius-server retransmit retries Specify the number of times the access point sends each RADIUS request to the server before giving up. The default is 3; the range 1 to 1000.Step 4 radius-server timeout seconds Specify the number of seconds an access point waits for a reply to a RADIUS request before resending the request. The default is 5 seconds; the range is 1 to 1000.Step 5 radius-server deadtime minutes Use this command to cause the Cisco IOS software to mark as “dead” any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as dead is skipped by additional requests for the duration of minutes that you specify, or unless there are no servers not marked dead.Note If you set up more than one RADIUS server, you must configure the RADIUS server deadtime for optimal performance.Step 6 radius-server attribute 32 include-in-access-req format %hConfigure the access point to send its system name in the NAS_ID attribute for authentication.Step 7 end Return to privileged EXEC mode.Step 8 show running-config Verify your settings.Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
11-14Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSProtocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example, the following AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP’s IPCP address assignment):cisco-avpair= ”ip:addr-pool=first“The following example shows how to provide a user logging in from an access point with immediate access to privileged EXEC commands:cisco-avpair= ”shell:priv-lvl=15“ Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information about vendor IDs and VSAs, refer to RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).”Beginning in privileged EXEC mode, follow these steps to configure the access point to recognize and use VSAs:For a complete list of RADIUS attributes or more information about VSA 26, refer to the “RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide for Release 12.2.Configuring the Access Point for Vendor-Proprietary RADIUS Server CommunicationAlthough an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the access point and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the access point. You specify the RADIUS host and secret text string by using the radius-server global configuration commands.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 radius-server vsa send [accounting | authentication]Enable the access point to recognize and use VSAs as defined by RADIUS IETF attribute 26.•(Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes.•(Optional) Use the authentication keyword to limit the set of recognized vendor-specific attributes to only authentication attributes.If you enter this command without keywords, both accounting and authentication vendor-specific attributes are used.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your settings.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
11-15Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling RADIUSBeginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:To delete the vendor-proprietary RADIUS host, use the no radius-server host {hostname | ip-address}non-standard global configuration command. To disable the key, use the no radius-server key global configuration command.This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad124 between the access point and the server:AP(config)# radius-server host 172.20.30.15 nonstandardAP(config)# radius-server key rad124Displaying the RADIUS ConfigurationTo display the RADIUS configuration, use the show running-config privileged EXEC command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 radius-server host {hostname | ip-address} non-standard Specify the IP address or host name of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS.Step 3 radius-server key string Specify the shared secret text string used between the access point and the vendor-proprietary RADIUS server. The access point and the RADIUS server use this text string to encrypt passwords and exchange responses.Note The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your settings.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
11-16Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling TACACS+Configuring and Enabling TACACS+This section contains this configuration information:•Understanding TACACS+, page 11-16•TACACS+ Operation, page 11-17•Configuring TACACS+, page 11-17•Displaying the TACACS+ Configuration, page 11-22Understanding TACACS+TACACS+ is a security application that provides centralized validation of users attempting to gain access to your access point. Unlike RADIUS, TACACS+ does not authenticate client devices associated to the access point. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You should have access to and should configure a TACACS+ server before configuring TACACS+ features on your access point.TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. TACACS+, administered through the AAA security services, can provide these services:•Authentication—Provides complete control of authentication of administrators through login and password dialog, challenge and response, and messaging support.The authentication facility can conduct a dialog with the administrator (for example, after a username and password are provided, to challenge a user with several questions, such as home address, mother’s maiden name, service type, and social security number). The TACACS+ authentication service can also send messages to administrator screens. For example, a message could notify administrators that their passwords must be changed because of the company’spassword aging policy.•Authorization—Provides fine-grained control over administrator capabilities for the duration of the administrator’s session, including but not limited to setting autocommands, access control, session duration, or protocol support. You can also enforce restrictions on the commands that an administrator can execute with the TACACS+ authorization feature.•Accounting—Collects and sends information used for billing, auditing, and reporting to the TACACS+ daemon. Network managers can use the accounting facility to track administrator activity for a security audit or to provide information for user billing. Accounting records include administrator identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. The TACACS+ protocol provides authentication between the access point and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the access point and the TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your access point.
11-17Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling TACACS+TACACS+ OperationWhen an administrator attempts a simple ASCII login by authenticating to an access point using TACACS+, this process occurs:1. When the connection is established, the access point contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the administrator. The administrator enters a username, and the access point then contacts the TACACS+ daemon to obtain a password prompt. The access point displays the password prompt to the administrator, the administrator enters a password, and the password is then sent to the TACACS+ daemon.TACACS+ allows a conversation to be held between the daemon and the administrator until the daemon receives enough information to authenticate the administrator. The daemon prompts for a username and password combination, but can include other items, such as the user’s mother’smaiden name. 2. The access point eventually receives one of these responses from the TACACS+ daemon: –ACCEPT—The administrator is authenticated and service can begin. If the access point is configured to require authorization, authorization begins at this time.–REJECT—The administrator is not authenticated. The administrator can be denied access or is prompted to retry the login sequence, depending on the TACACS+ daemon.–ERROR—An error occurred at some time during authentication with the daemon or in the network connection between the daemon and the access point. If an ERROR response is received, the access point typically tries to use an alternative method for authenticating the administrator.–CONTINUE—The administrator is prompted for additional authentication information.After authentication, the administrator undergoes an additional authorization phase if authorization has been enabled on the access point. Administrators must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization. 3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains data in the form of attributes that direct the EXEC or NETWORK session for that administrator, determining the services that the administrator can access:–Telnet, rlogin, or privileged EXEC services–Connection parameters, including the host or client IP address, access list, and administrator timeoutsConfiguring TACACS+This section describes how to configure your access point to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication. You can optionally define method lists for TACACS+ authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on an administrator. You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on administrators; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
11-18Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling TACACS+This section contains this configuration information:•Default TACACS+ Configuration, page 11-18•Identifying the TACACS+ Server Host and Setting the Authentication Key, page 11-18•Configuring TACACS+ Login Authentication, page 11-19•Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 11-20•Starting TACACS+ Accounting, page 11-21Default TACACS+ ConfigurationTACACS+ and AAA are disabled by default.To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate administrators accessing the access point through the CLI.Identifying the TACACS+ Server Host and Setting the Authentication KeyYou can configure the access point to use a single server or AAA server groups to group existing server hosts for authentication. You can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts.Beginning in privileged EXEC mode, follow these steps to identify the IP host or host maintaining TACACS+ server and optionally set the encryption key:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 tacacs-server host hostname [port integer] [timeout integer] [key string]Identify the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times to create a list of preferred hosts. The software searches for hosts in the order in which you specify them.•For hostname, specify the name or IP address of the host.•(Optional) For port integer, specify a server port number. The default is port 49. The range is 1 to 65535.•(Optional) For timeout integer, specify a time in seconds the access point waits for a response from the daemon before it times out and declares an error. The default is 5 seconds. The range is 1 to 1000 seconds.•(Optional) For key string, specify the encryption key for encrypting and decrypting all traffic between the access point and the TACACS+ daemon. You must configure the same key on the TACACS+ daemon for encryption to be successful.Step 3 aaa new-model Enable AAA.Step 4 aaa group server tacacs+ group-name (Optional) Define the AAA server-group with a group name.This command puts the access point in a server group subconfiguration mode.
11-19Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling TACACS+To remove the specified TACACS+ server name or address, use the no tacacs-server host hostnameglobal configuration command. To remove a server group from the configuration list, use the no aaa group server tacacs+ group-name global configuration command. To remove the IP address of a TACACS+ server, use the no server ip-address server group subconfiguration command.Configuring TACACS+ Login AuthenticationTo configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.A method list describes the sequence and authentication methods to be queried to authenticate an administrator. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the administrator access—the authentication process stops, and no other authentication methods are attempted.Beginning in privileged EXEC mode, follow these steps to configure login authentication:Step 5 server ip-address (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group.Each server in the group must be previously defined in Step 2.Step 6 end Return to privileged EXEC mode.Step 7 show tacacs Verify your entries.Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.
11-20Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling TACACS+To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name}method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.Configuring TACACS+ Authorization for Privileged EXEC Access and Network ServicesAAA authorization limits the services available to an administrator. When AAA authorization is enabled, the access point uses information retrieved from the administrator’s profile, which is located either in the local user database or on the security server, to configure the administrator’s session. The administrator is granted access to a requested service only if the information in the administrator profile allows it.You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters that restrict an administrator’s network access to privileged EXEC mode. Step 3 aaa authentication login {default | list-name}method1 [method2...]Create a login authentication method list.•To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.•For list-name, specify a character string to name the list you are creating. •For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.Select one of these methods:•line—Use the line password for authentication. You must define a line password before you can use this authentication method. Use the password password line configuration command.•local—Use the local username database for authentication. You must enter username information into the database. Use the usernamepassword global configuration command.•tacacs+—Uses TACACS+ authentication. You must configure the TACACS+ server before you can use this authentication method.Step 4 line [console | tty | vty]line-number[ending-line-number]Enter line configuration mode, and configure the lines to which you want to apply the authentication list.Step 5 login authentication {default | list-name}Apply the authentication list to a line or set of lines.•If you specify default, use the default list created with the aaa authentication login command.•For list-name, specify the list created with the aaa authentication login command.Step 6 end Return to privileged EXEC mode.Step 7 show running-config Verify your entries.Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
11-21Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling TACACS+The aaa authorization exec tacacs+ local command sets these authorization parameters:•Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.•Use the local database if authentication was not performed by using TACACS+.Note Authorization is bypassed for authenticated administrators who log in through the CLI even if authorization has been configured.Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services: To disable authorization, use the no aaa authorization {network | exec}method1 global configuration command. Starting TACACS+ AccountingThe AAA accounting feature tracks the services that administrators are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the access point reports administrator activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing.Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa authorization network tacacs+ Configure the access point for administrator TACACS+ authorization for all network-related service requests.Step 3 aaa authorization exec tacacs+ Configure the access point for administrator TACACS+ authorization to determine if the administrator has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information). Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa accounting network start-stop tacacs+Enable TACACS+ accounting for all network-related service requests. Step 3 aaa accounting exec start-stop tacacs+ Enable TACACS+ accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end.Step 4 end Return to privileged EXEC mode.
11-22Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 11 Configuring RADIUS and TACACS+ ServersConfiguring and Enabling TACACS+To disable accounting, use the no aaa accounting {network | exec} {start-stop}method1... global configuration command.Displaying the TACACS+ ConfigurationTo display TACACS+ server statistics, use the show tacacs privileged EXEC command.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
CHAPTER12-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0112Configuring VLANsThis chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN. These sections describe how to configure your access point to support VLANs:•Understanding VLANs, page 12-2•Configuring VLANs, page 12-4•VLAN Configuration Example, page 12-7
12-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 12 Configuring VLANsUnderstanding VLANsUnderstanding VLANsA VLAN is a switched network that is logically segmented, by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other teams. You use VLANs to reconfigure the network through software rather than physically unplugging and moving devices or wires.A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), connected by a single bridging domain. The bridging domain is supported on various pieces of network equipment such as LAN switches that operate bridging protocols between them with a separate group for each VLAN.VLANs provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address scalability, security, and network management. You should consider several key issues when designing and building switched LAN networks:•LAN segmentation•Security•Broadcast control•Performance•Network management•Communication between VLANsYou extend VLANs into a wireless LAN by adding IEEE 802.11Q tag awareness to the access point. Frames destined for different VLANs are transmitted by the access point wirelessly on different SSIDs with different WEP keys. Only the clients associated with that VLAN receive those packets. Conversely, packets coming from a client associated with a certain VLAN are 802.11Q tagged before they are forwarded onto the wired network.Figure 12-1 shows the difference between traditional physical LAN segmentation and logical VLAN segmentation with wireless devices connected.
12-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 12 Configuring VLANsUnderstanding VLANsFigure 12-1 LAN and VLAN Segmentation with Wireless DevicesRelated DocumentsThese documents provide more detailed information pertaining to VLAN design and configuration:•Cisco IOS Switching Services Configuration Guide. Click this link to browse to this document:http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_c/index.htm•Cisco Internetwork Design Guide. Click this link to browse to this document:http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/index.htm•Cisco Internetworking Technology Handbook. Click this link to browse to this document:http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/index.htm•Cisco Internetworking Troubleshooting Guide. Click this link to browse to this document:http://www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1/index.htmCatalystVLAN switchVLAN 1VLAN segmentationTraditional LAN segmentationVLAN 2 VLAN 3LAN 1Shared hubShared hubSharedhubSSID 0 SSID 0 SSID 0 SSID 1 SSID 2 SSID 3Floor 3Floor 2Floor 1 TrunkportSSID 1 = VLAN1SSID 2 = VLAN2SSID 3 = VLAN3LAN 2LAN 381652CatalystVLAN switchCatalystVLAN switch
12-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 12 Configuring VLANsConfiguring VLANsIncorporating Wireless Devices into VLANsThe basic wireless components of a VLAN consist of an access point and a client associated to it using wireless technology. The access point is physically connected through a trunk port to the network VLAN switch on which the VLAN is configured. The physical connection to the VLAN switch is through the access point’s Ethernet port.In fundamental terms, the key to configuring an access point to connect to a specific VLAN is by configuring its SSID to recognize that VLAN. Since VLANs are identified by a VLAN ID, it follows that if the SSID on an access point is configured to recognize a specific VLAN ID, a connection to the VLAN is established. When this connection is made, associated wireless client devices having the same SSID can access the VLAN through the access point. The VLAN processes data to and from the clients the same way that it processes data to and from wired connections. You can configure up to 16 SSIDs on your access point, so you can support up to 16 VLANs.You can use the VLAN feature to deploy wireless devices with greater efficiency and flexibility. For example, one access point can now handle the specific requirements of multiple users having widely varied network access and permissions. Without VLAN capability, multiple access points would have to be employed to serve classes of users based on the access and permissions they were assigned.These are two common strategies for deploying wireless VLANs:•Segmentation by user groups: You can segment your wireless LAN user community and enforce a different security policy for each user group. For example, you can create three wired and wireless VLANs in an enterprise environment for full-time and part-time employees and also provide guest access.•Segmentation by device types: You can segment your wireless LAN to allow different devices with different security capabilities to join the network. For example, some wireless users might have handheld devices that support only static WEP, and some wireless users might have more sophisticated devices using dynamic WEP. You can group and isolate these devices into separate VLANs.Configuring VLANsThese sections describe how to configure VLANs on your access point:•Configuring a VLAN, page 12-4•Using a RADIUS Server to Assign Users to VLANs, page 12-6•Viewing VLANs Configured on the Access Point, page 12-6Configuring a VLANConfiguring your access point to support VLANs is a three-step process:1. Assign SSIDs to VLANs.2. Assign authentication settings to SSIDs.3. Enable the VLAN on the radio and Ethernet ports.This section describes how to assign SSIDs to VLANs and how to enable a VLAN on the access point radio and Ethernet ports. For detailed instructions on assigning authentication types to SSIDs, see Chapter 10, “Configuring Authentication Types.” For instructions on assigning other settings to SSIDs, see Chapter 8, “Configuring Multiple SSIDs.”
12-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 12 Configuring VLANsConfiguring VLANsYou can configure up to 16 SSIDs on the access point, so you can support up to 16 VLANs that are configured on your LAN. Beginning in privileged EXEC mode, follow these steps to assign an SSID to a VLAN and enable the VLAN on the access point radio and Ethernet ports:This example shows how to:•Name an SSID•Assign the SSID to a VLAN•Enable the VLAN on the radio and Ethernet ports as the native VLANap1200# configure terminalap1200(config)# interface dot11radio0ap1200(config-if)# ssid batmanap1200(config-ssid)# vlan 1ap1200(config-ssid)# exitap1200(config)# interface dot11radio0.1ap1200(config-subif)# encapsulation dot1q 1 nativeap1200(config-subif)# exitCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio0 Enter interface configuration mode for the radio interface.Step 3 ssid ssid-string Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.Note You use the ssid command’s authentication options to configure an authentication type for each SSID. See Chapter 10, “Configuring Authentication Types,” for instructions on configuring authentication types.Step 4 vlan vlan-id (Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. Enter a VLAN ID from 1 to 4095.Step 5 exit Return to interface configuration mode for the radio interface.Step 6 interface dot11radio0.x Enter interface configuration mode for the radio VLAN sub interface.Step 7 encapsulation dot1q vlan-id[native]Enable a VLAN on the radio interface. (Optional) Designate the VLAN as the native VLAN. On many networks, the native VLAN is VLAN 1.Step 8 exit Return to global configuration mode.Step 9 interface fastEthernet0.x Enter interface configuration mode for the Ethernet VLAN subinterface.Step 10 encapsulation dot1q vlan-id[native]Enable a VLAN on the Ethernet interface. (Optional) Designate the VLAN as the native VLAN. On many networks, the native VLAN is VLAN 1.Step 11 end Return to privileged EXEC mode.Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file.
12-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 12 Configuring VLANsConfiguring VLANsap1200(config)# interface fastEthernet0.1ap1200(config-subif)# encapsulation dot1q 1 nativeap1200(config-subif)# exitap1200(config)# endUsing a RADIUS Server to Assign Users to VLANsYou can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network.The VLAN-mapping process consists of these steps:1. A client device associates to the access point using any SSID configured on the access point. 2. The client begins RADIUS authentication.3. When the client authenticates sucessfully, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.These are the RADIUS user attributes used for vlan-id assignment. Each attribute must have a common Tag value to identify the grouped relationship.•IETF 64 (Tunnel Type): Set this attribute to VLAN•IETF 65 (Tunnel Medium Type): Set this attribute to 802•IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-idViewing VLANs Configured on the Access PointIn privileged EXEC mode, use the show vlan command to view the VLANs that the access point supports. This is sample output from a show vlan command:Virtual LAN ID: 1 (IEEE 802.1Q Encapsulation) vLAN Trunk Interfaces: Dot11Radio0FastEthernet0Virtual-Dot11Radio0 This is configured as native Vlan for the following interface(s) :Dot11Radio0FastEthernet0Virtual-Dot11Radio0 Protocols Configured: Address: Received: Transmitted: Bridging Bridge Group 1 201688 0 Bridging Bridge Group 1 201688 0 Bridging Bridge Group 1 201688 0Virtual LAN ID: 2 (IEEE 802.1Q Encapsulation) vLAN Trunk Interfaces: Dot11Radio0.2FastEthernet0.2Virtual-Dot11Radio0.2 Protocols Configured: Address: Received: Transmitted:
12-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 12 Configuring VLANsVLAN Configuration ExampleVLAN Configuration ExampleThis example shows how to use VLANs to manage wireless devices on a college campus. In this example, three levels of access are available through VLANs configured on the wired network:•Management access—Highest level of access; users can access all internal drives and files, departmental databases, top-level financial information, and other sensitive information. Management users are required to authenticate using Cisco LEAP.•Faculty access—Medium level of access; users can access school’s Intranet and Internet, access internal files, access student databases, and view internal information such as human resources, payroll, and other faculty-related material. Faculty users are required to authenticate using Cisco LEAP.•Student access—Lowest level of access; users can access school’s Intranet and the Internet, obtain class schedules, view grades, make appointments, and perform other student-related activities. Students are allowed to join the network using static WEP.In this scenario, a minimum of three VLAN connections are required, one for each level of access. Because the access point can handle up to 16 SSIDs, you can use the basic design shown in Table 12-1.Managers configure their wireless client adapters to use SSID boss, faculty members configure their clients to use SSID teach, and students configure their wireless client adapters to use SSID learn. When these clients associate to the access point, they automatically belong to the correct VLAN.You would complete these steps to support the VLANs in this example:1. Configure or confirm the configuration of these VLANs on one of the switches on your LAN.2. On the access point, assign an SSID to each VLAN.3. Assign authentication types to each SSID.4. Configure VLAN 1, the Management VLAN, on both the fastethernet and dot11radio interfaces on the access point. You should make this VLAN the native VLAN.5. Configure VLANs 2 and 3 on both the fastethernet and dot11radio interfaces on the access point. 6. Configure the client devices.Table 12-1 Access Level SSID and VLAN AssignmentLevel of Access SSID VLAN IDManagement boss 01Faculty teach 02Student learn 03
12-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 12 Configuring VLANsVLAN Configuration ExampleTable 12-2 shows the commands needed to configure the three VLANs in this example.Table 12-2 Configuration Commands for VLAN ExampleConfiguring VLAN 1 Configuring VLAN 2 Configuring VLAN 3ap1200# configure terminalap1200(config)# interface dot11radio 0ap1200(config-if)# ssid bossap1200(config-ssid)# vlan 01ap1200(config-ssid)# endap1200# configure terminalap1200(config)# interfacedot11radio 0ap1200(config-if)# ssid teachap1200(config-ssid)# vlan 02ap1200(config-ssid)# endap1200# configure terminalap1200(config)# interfacedot11radio 0ap1200(config-if)# ssid learnap1200(config-ssid)# vlan 03ap1200(config-ssid)# endap1200 configure terminalap1200(config) interfaceFastEthernet0.1ap1200(config-subif)encapsulation dot1Q 1 nativeap1200(config-subif) exitap1200(config) interfaceFastEthernet0.2ap1200(config-subif) encapsulationdot1Q 2ap1200(config-subif) bridge-group 2ap1200(config-subif) exitap1200(config) interfaceFastEthernet0.3ap1200(config-subif) encapsulationdot1Q 3ap1200(config-subif) bridge-group 3ap1200(config-subif) exitap1200(config)# interfaceDot11Radio0.1ap1200(config-subif)#encapsulation dot1Q 1 nativeap1200(config-subif)# exitNote You do not need to configure a bridge group on the subinterface that you set up as the native VLAN. This bridge group is moved to the native subinterface automatically to maintain the link to bridge virtual interface (BVI) 1, which represents both the radio and Ethernet interfaces.ap1200(config) interfaceDot11Radio0.2ap1200(config-subif) encapsulationdot1Q 2ap1200(config-subif) bridge-group 2ap1200(config-subif) exitap1200(config) interfaceDot11Radio0.3ap1200(config-subif) encapsulationdot1Q 3ap1200(config-subif) bridge-group 3ap1200(config-subif) exit
12-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 12 Configuring VLANsVLAN Configuration ExampleTable 12-3 shows the results of the configuration commands in Table 12-2. Use the show runningcommand to display the running configuration on the access point.Notice that when you configure a bridge group on the radio interface, these commands are set automatically:bridge-group 2 subscriber-loop-controlbridge-group 2 block-unknown-sourceno bridge-group 2 source-learningno bridge-group 2 unicast-floodingbridge-group 2 spanning-disabledWhen you configure a bridge group on the FastEthernet interface, these commands are set automatically:no bridge-group 2 source-learningbridge-group 2 spanning-disabledTable 12-3 Results of Example Configuration CommandsVLAN 1 Interfaces VLAN 2 Interfaces VLAN 3 Interfacesinterface Dot11Radio0.1encapsulation dot1Q 1 nativeno ip route-cacheno cdp enablebridge-group 1bridge-group 1 subscriber-loop-controlbridge-group 1 block-unknown-sourceno bridge-group 1 source-learningno bridge-group 1 unicast-floodingbridge-group 1 spanning-disabledinterface Dot11Radio0.2encapsulation dot1Q 2no ip route-cacheno cdp enablebridge-group 2bridge-group 2 subscriber-loop-controlbridge-group 2 block-unknown-sourceno bridge-group 2 source-learningno bridge-group 2 unicast-floodingbridge-group 2 spanning-disabledinterface Dot11Radio0.3encapsulation dot1Q 3no ip route-cachebridge-group 3bridge-group 3 subscriber-loop-controlbridge-group 3 block-unknown-sourceno bridge-group 3 source-learningno bridge-group 3 unicast-floodingbridge-group 3 spanning-disabledinterface FastEthernet0.1encapsulation dot1Q 1 nativeno ip route-cachebridge-group 1no bridge-group 1 source-learningbridge-group 1 spanning-disabledinterface FastEthernet0.2encapsulation dot1Q 2no ip route-cachebridge-group 2no bridge-group 2 source-learningbridge-group 2 spanning-disabledinterface FastEthernet0.3encapsulation dot1Q 3no ip route-cachebridge-group 3no bridge-group 3 source-learningbridge-group 3 spanning-disabled
12-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 12 Configuring VLANsVLAN Configuration Example
CHAPTER13-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0113Configuring QoSThis chapter describes how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release.This chapter consists of these sections:•Understanding QoS for Wireless LANs, page 13-2•Configuring QoS, page 13-3•QoS Configuration Examples, page 13-10
13-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 13 Configuring QoSUnderstanding QoS for Wireless LANsUnderstanding QoS for Wireless LANsTypically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.When you configure QoS on the access point, you can select specific network traffic, prioritize it, and use congestion-management and congestion-avoidance techniques to provide preferential treatment. Implementing QoS in your wireless LAN makes network performance more predictable and bandwidth utilization more effective.When you configure QoS, you create QoS policies and apply the policies to the VLANs configured on your access point. If you do not use VLANs on your network, you can apply your QoS policies to the access point’s Ethernet and radio ports.QoS for Wireless LANs Versus QoS on Wired LANsThe QoS implementation for wireless LANs differs from QoS implementations on other Cisco devices. With QoS enabled, access points perform the following:•They do not classify packets; they prioritize packets based on DSCP value, client type (such as a wireless phone), or the priority value in the 802.1q or 802.1p tag.•They do not match packets using ACL; they use only MQC class-map for matching clauses.•They do not construct internal DSCP values; they only support mapping by assigning IP DSCP, Precedence, or Protocol values to Layer 2 COS values.•They carry out EDCF like queuing on the radio egress port only.•They do only FIFO queueing on the Ethernet egress port.•They support only 802.1Q/P tagged packets. Access points do not support ISL.•They support only MQC policy-map set cos action.•They prioritize the traffic from voice clients (such as Symbol phones) over traffic from other clients when the QoS Element for Wireless Phones feature is enabled.•They support Spectralink phones using the class-map IP protocol clause with the protocol value set to 119.To contrast the wireless LAN QoS implementation with the QoS implementation on other Cisco network devices, see the Cisco IOS Quality of Service Solutions Configuration Guide at this URL:http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/index.htmImpact of QoS on a Wireless LANWireless LAN QoS features are a subset of the proposed 802.11e draft. QoS on wireless LANs provides prioritization of traffic from the access point over the WLAN based on traffic classification.Just as in other media, you might not notice the effects of QoS on a lightly loaded wireless LAN. The benefits of QoS become more obvious as the load on the wireless LAN increases, keeping the latency, jitter, and loss for selected traffic types within an acceptable range. QoS on the wireless LAN focuses on downstream prioritization from the access point. Figure 13-1 shows the upstream and downstream traffic flow.
13-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 13 Configuring QoSConfiguring QoSFigure 13-1 Upstream and Downstream Traffic Flow•The radio downstream flow is traffic transmitted out the access point radio to a wireless client device. This traffic is the main focus for QoS on a wireless LAN.•The radio upstream flow is traffic transmitted out the wireless client device to the access point. QoS for wireless LANs does not affect this traffic.•The Ethernet downstream flow is traffic sent from a switch or a router to the Ethernet port on the access point. If QoS is enabled on the switch or router, the switch or router might prioritize and rate-limit traffic to the access point.•The Ethernet upstream flow is traffic sent from the access point Ethernet port to a switch or router on the wired LAN. The access point does not prioritize traffic that it sends to the wired LAN based on traffic classification.Precedence of QoS SettingsWhen you enable QoS, the access point queues packets based on the Layer 2 class of service value for each packet. The access point applies QoS policies in this order:1. Packets already classified—When the access point receives packets from a QoS-enabled switch or router that has already classified the packets with non-zero 802.1Q/P user_priority values, the access point uses that classification and does not apply other QoS policy rules to the packets. An existing classification takes precedence over all other policies on the access point.2. QoS Element for Wireless Phones setting—If you enable the QoS Element for Wireless Phonessetting, traffic from voice clients takes priority over other traffic regardless of other policy settings. The QoS Element for Wireless Phones setting takes precedence over other policies, second only to previously assigned packet classifications.3. Policies you create on the access point—QoS Policies that you create and apply to VLANs or to the access point interfaces are third in precedence after previously classified packets and the QoS Element for Wireless Phones setting.4. Default classification for all packets on VLAN—If you set a default classification for all packets on a VLAN, that policy is fourth in the precedence list.Configuring QoSQoS is disabled by default. This section describes how to configure QoS on your access point. It contains this configuration information:•Configuration Guidelines, page 13-4•Configuring QoS Using the Web-Browser Interface, page 13-4•Adjusting Radio Traffic Class Definitions, page 13-8RadiodownstreamEthernetdownstreamWiredLANEthernetupstreamRadioupstreamClientdeviceAccesspoint81732
13-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 13 Configuring QoSConfiguring QoSConfiguration GuidelinesBefore configuring QoS on your access point, you should be aware of this information:•The most important guideline in QoS deployment is to be familiar with the traffic on your wireless LAN. If you know the applications used by wireless client devices, the applications’ sensitivity to delay, and the amount of traffic associated with the applications, you can configure QoS to improve performance.•QoS does not create additional bandwidth for your wireless LAN; it helps control the allocation of bandwidth. If you have plenty of bandwidth on your wireless LAN, you might not need to configure QoS.Configuring QoS Using the Web-Browser InterfaceThis section describes configuring QoS using the web-browser interface. For a list of IOS commands for configuring QoS using the CLI, consult the Cisco Aironet 1100 Series Access Point Command Reference. Follow these steps to browse to the command reference: 1. Click this link to browse to the Cisco Aironet documentation home page:http://www.cisco.com/univercd/cc/td/doc/product/wireless/index.htm2. Follow this path to the product, document, and chapter:Aironet 1100 Series Wireless LAN Products > Cisco Aironet 1100 Series Access Points > Cisco Aironet 1100 Series Access Point Command Reference Follow these steps to configure QoS:Step 1 If you use VLANs on your wireless LAN, make sure the necessary VLANs are configured on your access point before configuring QoS.Step 2 Click Services in the task menu on the left side of any page in the web-browser interface. When the list of Services expands, click QoS. The QoS Policies page appears. Figure 13-2 shows the QoS Policies page.
13-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 13 Configuring QoSConfiguring QoSFigure 13-2 QoS Policies PageStep 3 With <NEW> selected in the Create/Edit Policy field, type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters. Do not include spaces in the policy name.
13-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 13 Configuring QoSConfiguring QoSStep 4 If the packets that you need to prioritize contain IP precedence information in the IP header TOS field, select an IP precedence classification from the IP Precedence drop-down menu. Menu selections include:•Routine (0)•Priority (1)•Immediate (2)•Flash (3)•Flash Override (4)•Critic/CCP (5)•Internet Control (6)•Network Control (7)Step 5 Use the Apply Class of Service drop-down menu to select the class of service that the access point will apply to packets of the type that you selected from the IP Precedence menu. The access point matches your IP Precedence selection with your class of service selection. Settings in the Apply Class of Service menu include:•Best Effort (0)•Background (1)•Spare (2)•Excellent (3)•Control Lead (4)•Video <100ms Latency (5)•Voice <100ms Latency (6)•Network Control (7)Step 6 Click the Add button beside the Class of Service menu for IP Precedence. The classification appears in the Classifications field. To delete a classification, select it and click the Delete button beside the Classifications field.Step 7 If the packets that you need to prioritize contain IP DSCP precedence information in the IP header TOS field, select an IP DSCP classification from the IP DSCP drop-down menu. Menu selections include:•Best Effort•Assured Forwarding — Class 1 Low•Assured Forwarding — Class 1 Medium•Assured Forwarding — Class 1 High•Assured Forwarding — Class 2 Low•Assured Forwarding — Class 2 Medium•Assured Forwarding — Class 2 High•Assured Forwarding — Class 3 Low•Assured Forwarding — Class 3 Medium•Assured Forwarding — Class 3 High•Assured Forwarding — Class 4 Low•Assured Forwarding — Class 4 Medium•Assured Forwarding — Class 4 High
13-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 13 Configuring QoSConfiguring QoS•Class Selector 1•Class Selector 2•Class Selector 3•Class Selector 4•Class Selector 5•Class Selector 6•Class Selector 7•Expedited ForwardingStep 8 Use the Apply Class of Service drop-down menu to select the class of service that the access point will apply to packets of the type that you selected from the IP DSCP menu. The access point matches your IP DSCP selection with your class of service selection.Step 9 Click the Add button beside the Class of Service menu for IP DSCP. The classification appears in the Classifications field. Step 10 If you need to prioritize the packets from Spectralink phones (IP Protocol 119) on your wireless LAN, use the Apply Class of Service drop-down menu to select the class of service that the access point will apply to Spectralink phone packets. The access point matches Spectralink phone packets with your class of service selection.Step 11 Click the Add button beside the Class of Service menu for IP Protocol 119. The classification appears in the Classifications field. Step 12 If you need to assign a priority to filtered packets, use the Filter drop-down menu to select a Filter to include in the policy. (If no filters are defined on the access point, a link to the Apply Filters page appears instead of the Filter drop-down menu.) For example, you could assign a high priority to a MAC address filter that includes the MAC addresses of IP phones.Note The access list you use in QoS does not affect the access point’s packet forwarding decisions.Step 13 Use the Apply Class of Service drop-down menu to select the class of service that the access point will apply to packets that match the filter that you selected from the Filter menu. The access point matches your filter selection with your class of service selection.Step 14 Click the Add button beside the Class of Service menu for Filter. The classification appears in the Classifications field.Step 15 If you want to set a default classification for all packets on a VLAN, use the Apply Class of Service drop-down menu to select the class of service that the access point will apply to all packets on a VLAN. The access point matches all packets with your class of service selection.Step 16 Click the Add button beside the Class of Service menu for Default classification for packets on the VLAN. The classification appears in the Classifications field. Step 17 When you finish adding classifications to the policy, click the Apply button under the Apply Class of Service drop-down menus. To cancel the policy and reset all fields to defaults, click the Cancel button under the Apply Class of Service drop-down menus. To delete the entire policy, click the Delete button under the Apply Class of Service drop-down menus. Step 18 Use the Apply Policies to Interface/VLANs drop-down menus to apply policies to the access point Ethernet and radio ports. If VLANs are configured on the access point, drop-down menus for each VLAN’s virtual ports appear in this section. If VLANs are not configured on the access point, drop-down menus for each interface appear.
13-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 13 Configuring QoSConfiguring QoSStep 19 Click the Apply button at the bottom of the page to apply the policies to the access point ports.Step 20 If you want the access point to give priority to all voice packets regardless of VLAN, click the Advancedtab. Figure 13-3 shows the QoS Policies - Advanced page.Figure 13-3 QoS Policies - Advanced PageSelect Enable and click Apply to give top priority to all voice packets.Adjusting Radio Traffic Class DefinitionsThe access point uses the radio traffic class definitions to calculate backoff times for each packet. As a rule, high-priority packets have short backoff times.The default values in the Min and Max Contention Window fields and in the Slot Time fields are based on settings recommended in IEEE Draft Standard 802.11e. For detailed information on these values, consult that standard.We strongly recommend that you use the default settings on the Radio Traffic Classes page. Changing these values can lead to unexpected blockages of traffic on your wireless LAN, and the blockages might be difficult to diagnose. If you change these values and find that you need to reset them to defaults, use the default settings listed in Table 13-1.The values listed in Table 13-1 are to the power of 2. The access point computes Contention Window values with this equation:CW = 2 ** X minus 1where X is the value from Table 13-1.
13-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 13 Configuring QoSConfiguring QoSFigure 13-4 shows the Radio Traffic Classes page.Figure 13-4 Radio Traffic Classes PageTable 13-1 Default QoS Radio Traffic Class DefinitionsClass of Service Min Contention Window Max Contention Window Fixed Slot TimeBest Effort 5 10 2Background 6 10 3Spare 5 10 3Excellent Effort 5 10 2Controlled Load 4 10 2Video <100ms Latency 4 8 2Voice <100ms Latency 2 8 2Network Control 3 8 2
13-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 13 Configuring QoSQoS Configuration ExamplesDisabling IGMP Snooping HelperWhen Internet Group Membership Protocol (IGMP) snooping is enabled on a switch and a client roams from one access point to another, the client’s multicast session is dropped. When the access point’sIGMP snooping helper is enabled, the access point sends a general IGMP query to the network infrastructure on behalf of the client every time the client associates or reassociates to the access point. By doing so, the multicast stream is maintained for the client as it roams.The IGMP snooping helper is enabled by default. To disable it, browse to the QoS Policies - Advanced page, select Disable, and click Apply.Figure 13-3 shows the QoS Policies - Advanced page.QoS Configuration ExamplesThese sections describe two common uses for QoS:•Giving Priority to Voice Traffic, page 13-10•Giving Priority to Video Traffic, page 13-12Giving Priority to Voice TrafficThis section demonstrates how you can apply a QoS policy to your wireless network’s voice VLAN to give priority to wireless phone traffic.In this example, the network administrator creates a policy named voice_policy that applies voice class of service to traffic from Spectralink phones (protocol 119 packets). The user applies the voice_policy to the incoming and outgoing radio ports and to the outgoing Ethernet port for VLAN 77. Figure 13-5shows the administrator’s QoS Policies page.
13-11Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 13 Configuring QoSQoS Configuration ExamplesFigure 13-5 QoS Policies Page for Voice ExampleThe network administrator also enables the QoS element for wireless phones setting on the QoS Policies - Advanced page. This setting gives priority to all voice traffic regardless of VLAN.
13-12Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 13 Configuring QoSQoS Configuration ExamplesGiving Priority to Video TrafficThis section demonstrates how you could apply a QoS policy to a VLAN on your network dedicated to video traffic.In this example, the network administrator creates a policy named video_policy that applies video class of service to video traffic. The user applies the video_policy to the incoming and outgoing radio ports and to the outgoing Ethernet port for VLAN 87. Figure 13-6 shows the administrator’s QoS Policies page. Figure 13-6 QoS Policies Page for Video Example
CHAPTER14-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0114Configuring Proxy Mobile IPThis chapter describes how to configure your access point’s proxy Mobile IP feature. This chapter contains these sections:•Understanding Proxy Mobile IP, page 14-2•Configuring Proxy Mobile IP, page 14-6
14-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 14 Configuring Proxy Mobile IPUnderstanding Proxy Mobile IPUnderstanding Proxy Mobile IPThese sections explain how access points conduct proxy Mobile IP:•Overview, page 14-2•Components of a Proxy Mobile IP Network, page 14-2•How Proxy Mobile IP Works, page 14-3•Proxy Mobile IP Security, page 14-6OverviewThe access point’s proxy Mobile IP feature works in conjunction with the Mobile IP feature in IOS. When you enable proxy Mobile IP on your access point and on your wired network, the access point helps client devices from other networks remain connected to their home networks. The visiting client devices do not need special software; the access point provides proxy Mobile IP services on their behalf. Any wireless client can participate.Mobile IP provides users the freedom to roam beyond their home subnets while maintaining their home IP addresses. This enables transparent routing of IP datagrams to mobile users during their movement, so that data sessions can be initiated to them while they roam. For example, a client device with an IP address of 192.95.5.2 could associate to an access point on a network whose IP addresses are in the 209.165.200.x range. The guest client device keeps its 192.95.5.2 IP address, and the access point forwards its packets through a Mobile IP enabled router across the Internet to a router on the client’shome network. Access points with proxy Mobile IP enabled attempt to provide proxy service for any client device that associates and does not perform the following:•Does not issue a DHCP request to get a new IP address.•Does not support a Mobile IP stack. If a device supports a Mobile IP stack, the access point assumes that the device will perform its own Mobile IP functions. You enable proxy Mobile IP for specific SSIDs on the access point, providing support only for clients that use those SSIDs. Proxy Mobile IP does not support VLANs. You can pause proxy Mobile IP support without losing your proxy Mobile IP configuration.Proxy Mobile IP is disabled by default.Note Guest client devices do not receive broadcast and multicast packets.Components of a Proxy Mobile IP NetworkFive devices participate in proxy Mobile IP:•A visiting client device. The visiting client device is any device such as a personal digital assistant or a laptop that can associate to a wireless access point. It does not need any special proxy Mobile IP software. •An access point with proxy Mobile IP enabled. The access point proxies on behalf of the visiting client device, performing all Mobile IP services for the device.
14-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 14 Configuring Proxy Mobile IPUnderstanding Proxy Mobile IP•An authoritative access point on your network supporting proxy Mobile IP. The authoritative access point uses a subnet map to keep track of the home agent information for all visiting client devices.•A home agent. The home agent is a router on the visiting client’s home network that serves as the anchor point for communication with the access point and the visiting client. The home agent tunnels packets from a correspondent node on the Internet to the visiting client device. •A foreign agent. The foreign agent is a router on your network that serves as the point of attachment for the visiting client device when it is on your network, delivering packets from the home agent to the visiting client. Figure 14-1 shows the five participating devices.Figure 14-1 Participating Devices in Proxy Mobile IPHow Proxy Mobile IP WorksThe proxy Mobile IP process has four main phases. These sections describe each phase: •Agent Discovery, page 14-3•Subnet Map Exchange, page 14-4•Registration, page 14-5•Tunneling, page 14-5Agent DiscoveryDuring the agent discovery phase, the home agent and the foreign agent advertise their services on the network by using the ICMP Router Discovery Protocol (IRDP). The access point listens to these advertisements. InternetForeignagentAccess pointsupporting proxymobile IPHomeagentAccess pointsupporting proxymobile IPClient deviceat homeClient devicevisiting foreignnetworkAuthoritativeaccess pointsupporting proxymobile IP81653
14-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 14 Configuring Proxy Mobile IPUnderstanding Proxy Mobile IPThe IRDP advertisements carry Mobile IP extensions that specify whether an agent is a home agent, foreign agent, or both; its care-of address; the types of services it provides, such as reverse tunneling and generic routing encapsulation (GRE); and the allowed registration lifetime or roaming period for visiting client devices. Rather than waiting for agent advertisements, an access point can send out an agent solicitation. This solicitation forces any agents on the network to immediately send an agent advertisement.When an access point determines that a client device is connected to a foreign network, it acquires a care-of address for the visiting client. The care-of address is an IP address of a foreign agent that has an interface on the network being visited by a client device. An access point can share this address among many visiting client devices. When the visiting client associates to an access point, the access point compares the client’s IP address with that of its own IP network information and detects that the client is a visitor from another network. The access point then begins the registration. However, before the access point can begin the registration process on behalf of the visiting client, it needs to know the home agent IP address of the visiting client. It gets the home agent’s IP address by looking it up on a subnet map table.Subnet Map ExchangeEach access point with proxy Mobile IP enabled maintains a subnet map table. The subnet map table consists of a list of home agent IP addresses and their subnet masks. Table 14-1 is an example of a subnet map table.Access points use the subnet map table to determine the IP address of the visiting client’s home agent. When an access point boots up or when proxy Mobile IP is first enabled on an access point, it obtains its own home agent information using the agent discovery mechanism. It sends this information to another access point called an authoritative access point (AAP). The AAP is an access point that is responsible for keeping the latest subnet map table. When the AAP receives the new information, it replies to the access point with a copy of the latest subnet map table. The new access point now has the latest subnet map table locally and it is ready to perform proxy Mobile IP for visiting clients. Having the subnet map table locally helps the access point do a quick lookup for the home agent information. Meanwhile, the AAP adds the new access point to its list of access points and the home agent information to its subnet map table. The AAP then updates all the other access points with this additional piece of information. You can designate up to three AAPs on your wireless LAN. If an access point fails to reach the first AAP, it tries the next configured AAP. The AAPs compare their subnet map tables periodically to make sure they have the same subnet map table. If the AAP detects that there are no more access points for a particular home agent, it sends a deregistration packet on behalf of the broadcast address of the home agent subnet to see if the home agent is still active. If the home agent responds, the AAP keeps the home agent entry in the subnet map table even though there are no access points in the home agent's subnet. This process supports client devices that have already roamed to foreign networks. If the home agent does not respond, the AAP deletes the home agent entry from the subnet map table.Table 14-1 Example of a Subnet Map TableHome Agent Subnet Mask10.10.10.1 255.255.255.010.10.4.2 255.255.255.010.3.4.4 255.255.255.24810.12.1.1 255.255.0.0
14-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 14 Configuring Proxy Mobile IPUnderstanding Proxy Mobile IPWhen a client device associates to an access point and the access point determines that the client is visiting from another network, the access point performs a longest-match lookup on its subnet map table and obtains the home agent address for the visiting client. When the access point has the home agent address, it can proceed to the registration step.RegistrationThe access point is configured with the mobility security association (which includes the shared key) of all potential visiting clients with their corresponding home agents. You can enter the mobility security association information locally on the access point or on a RADIUS server on your network, and access points with proxy Mobile IP enabled can access it there. The access point uses the security association information, the visiting client’s IP address, and the information that it learns from the foreign agent advertisements to form a Mobile IP registration request on behalf of the visiting client. It sends the registration request to the visiting client’s home agent through the foreign agent. The foreign agent checks the validity of the registration request, which includes checking that the requested lifetime does not exceed its limitations and that the requested tunnel encapsulation is available. If the registration request is valid, the foreign agent relays the request to the home agent. The home agent checks the validity of the registration request, which includes authentication of the visiting client. If the registration request is valid, the home agent creates a mobility binding (an association of the visiting client with its care-of address), a tunnel to the care-of address, and a routing entry for forwarding packets to the home address through the tunnel. The home agent then sends a registration reply to the visiting client through the foreign agent (because the registration request was received through the foreign agent). The foreign agent checks the validity of the registration reply, including ensuring that an associated registration request exists in its pending list. If the registration reply is valid, the foreign agent adds the visiting client to its visitor list, establishes a tunnel to the home agent, and creates a routing entry for forwarding packets to the home address. It then relays the registration reply to the visiting client.Finally, the access point checks the validity of the registration reply. If the registration reply specifies that the registration is accepted, the access point is able to confirm that the mobility agents are aware of the visiting client's roaming. Subsequently, the access point intercepts all packets from the visiting client and sends them to the foreign agent. The access point re-registers on behalf of the visiting client before its registration lifetime expires. The home agent and foreign agent update their mobility binding and visitor entry, respectively, during re-registration. A successful Mobile IP registration by the access point on behalf of the visiting client sets up the routing mechanism for transporting packets to and from the visiting client as it roams.TunnelingThe visiting client sends packets using its home IP address, effectively maintaining the appearance that it is always on its home network. Even while the visiting client is roaming on foreign networks, its movements are transparent to correspondent nodes (other devices with which the visiting client communicates). Data packets addressed to the visiting client are routed to its home network, where the home agent intercepts and tunnels them to the care-of address toward the visiting client. Tunneling has two primary functions: encapsulation of the data packet to reach the tunnel endpoint, and decapsulation when the packet is delivered at that endpoint. The tunnel mode that the access point supports is IP Encapsulation within IP Encapsulation.
14-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 14 Configuring Proxy Mobile IPConfiguring Proxy Mobile IPTypically, the visiting client sends packets as it normally would. The access point intercepts these packets and sends them to the foreign agent, which routes them to their final destination, the correspondent node.Proxy Mobile IP SecurityMobile IP uses a strong authentication scheme to protect communications to and from visiting clients. All registration messages between a visiting client and the home agent must contain the Mobile-Home Authentication Extension (MHAE). Proxy Mobile IP also implements this requirement in the registration messages sent by the access point on behalf of the visiting clients to the home agent.The integrity of the registration messages is protected by a shared 128-bit key between the access point (on behalf of the visiting client) and the home agent. You can enter the shared key on the access point or on a RADIUS server. The keyed message digest algorithm 5 (MD5) in prefix+suffix mode is used to compute the authenticator value in the appended MHAE. Mobile IP and proxy Mobile IP also support the hash-based message authentication code (HMAC-MD5). The receiver compares the authenticator value it computes over the message with the value in the extension to verify the authenticity. Optionally, the Mobile-Foreign Authentication Extension and the Foreign-Home Authentication Extension are appended to protect message exchanges between a visiting client and foreign agent and between a foreign agent and home agent, respectively. Replay protection uses the identification field in the registration messages as a timestamp and sequence number. The home agent returns its time stamp to synchronize the visiting client for registration. In proxy Mobile IP, the visiting clients are not synchronized to their home agents because the access point intercepts all home agent messages.Configuring Proxy Mobile IPThese sections describe how to configure proxy Mobile IP:•Configuration Guidelines, page 14-6•Configuring Proxy Mobile IP on Your Wired LAN, page 14-7•Configuring Proxy Mobile IP on Your Access Point, page 14-7Configuration GuidelinesBefore configuring proxy Mobile IP, you should consider these guidelines:•You can enable proxy Mobile IP only on root access points (units connected to the wired LAN). You cannot enable proxy Mobile IP on repeater access points.•Access points participating in proxy Mobile IP should be configured with gateway addresses. You can configure the gateways manually, or the access points can receive gateways through DHCP.•The foreign and home agents must reside on the network gateways where you want to support proxy Mobile IP.•If your authoritative access points receive their IP addresses through DHCP, use the access point host names to specify the AAPs in the proxy Mobile IP configuration.•Proxy Mobile IP does not support broadcast and multicast traffic for visiting clients.
14-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 14 Configuring Proxy Mobile IPConfiguring Proxy Mobile IP•To use proxy Mobile IP with DHCP-enabled client devices, you must disable Media Sense on the client devices. You can find instructions for disabling Media Sense in Microsoft Knowledge Base Article Q239924. Click this URL to browse to this article:http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q239924&•Proxy Mobile IP does not support VLANs.•If you disable proxy Mobile IP on your access point, the entire proxy Mobile IP configuration is cleared. To disable proxy Mobile IP without clearing the configuration, use the ip proxy-mobile pause command.Configuring Proxy Mobile IP on Your Wired LANProxy Mobile IP on access points works in conjunction with Mobile IP configured on your network routers. For instructions on configuring Mobile IP on a router on your network, refer to the Mobile IP chapter in 12.2 T New Features (Early Deployment Releases). Click this link to browse to the Mobile IP chapter:http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/mobileip.htmConfiguring Proxy Mobile IP on Your Access PointBeginning in privileged EXEC mode, follow these steps to configure proxy Mobile IP on your access point:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 ip proxy-mobile enable Enable proxy Mobile IP on the access point.Step 3 ip proxy-mobile aap ip-address[ip-address] [ip-address]Designate the access points that serve as the authoritative access points (the access points with which this access point compares its subnet table).Note You should specify at least two access points as AAPs in case one AAP fails. If you designate only one AAP and it goes offline, you lose all the information in the subnet map table.Step 4 ip proxy-mobile securenode address-start address-endspi spikey { hex | ascii } keyCreate security association settings for an IP address or for a range of IP addresses.•Enter an IP address, or the starting and ending addresses in an IP range.•Enter the security parameter index.•Enter a key for the security parameter. Specify whether the key contains hexadecimal or ASCII characters. If you choose hexadecimal, the key must contain 32 characters. If you choose ASCII, the key can contain up to 16 characters with no minimum length.Step 5 interface fastethernet 0 Enter interface configuration mode for the Ethernet port.Step 6 ip proxy-mobile Enable proxy Mobile IP on the Ethernet port.
14-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 14 Configuring Proxy Mobile IPConfiguring Proxy Mobile IPUse the no form of the ip proxy-mobile commands to disable proxy Mobile IP. Use the ip proxy-mobile pause command to disable proxy Mobile IP without losing your proxy Mobile IP configuration.This example shows how to enable proxy Mobile IP on an access point for the SSID tsunami for IP addresses from 10.91.7.151 to 10.91.7.176:ap1200# configure terminalap1200(config)# ip proxy-mobile enableap1200(config)# ip proxy-mobile aap 192.168.15.22 192.168.15.24 192.168.15.28ap1200(config)# ip proxy-mobile secure node 10.91.7.151 10.91.7.176 spi 102 key ascii 0987654ap1200(config)# interface fastethernet 0ap1200(config-if)# ip proxy-mobileap1200(config-if)# interface dot11radio 0ap1200(config-if)# ip proxy-mobileap1200(config-if)# ssid tsunamiap1200(config-if-ssid)# ip proxy-mobileap1200(config-if-ssid)# exitap1200(config-if)# exitap1200(config)# interface bvi1ap1200(config-if)# ip proxy-mobileap1200(config-if-ssid)# endStep 7 exit Return to global config mode.Step 8 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio port. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 9 ip proxy-mobile Enable proxy Mobile IP on the radio port.Step 10 ssid ssid Enter an SSID for which you want to enable proxy Mobile IP.Note Proxy Mobile IP functionality is not supported on SSIDs where VLAN is also enabled.Step 11 ip proxy-mobile Enable proxy Mobile IP for the SSID.Step 12 exit Return to global config mode.Step 13 interface bvi1 Enter interface configuration mode for the bridge virtual interface (BVI).Step 14 ip proxy-mobile Enable proxy Mobile IP on the BVI.Step 15 end Return to privileged EXEC mode.Step 16 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
CHAPTER15-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0115Configuring FiltersThis chapter describes how to configure and manage MAC address, IP, and Ethertype filters on the access point using the web-browser interface. This chapter contains these sections:•Understanding Filters, page 15-2•Configuring Filters Using the CLI, page 15-2•Configuring Filters Using the Web-Browser Interface, page 15-2
15-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 15 Configuring FiltersUnderstanding FiltersUnderstanding FiltersProtocol filters (IP protocol, IP port, and Ethertype) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports. You can set up individual protocol filters or sets of filters. You can filter protocols for wireless client devices, users on the wired LAN, or both. For example, an SNMP filter on the access point’s radio port prevents wireless client devices from using SNMP with the access point but does not block SNMP access from the wired LAN.IP address and MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific IP or MAC addresses. You can create a filter that passes traffic to all addresses except those you specify, or you can create a filter that blocks traffic to all addresses except those you specify.You can configure filters using the web-browser interface or by entering commands in the CLI. Tip You can include filters in the access point’s QoS policies. Refer to Chapter 13, “Configuring QoS,” for detailed instructions on setting up QoS policies.Configuring Filters Using the CLITo configure filters using IOS commands, you use access control lists (ACLs) and bridge groups. You can find explanations of these concepts and instructions for implementing them in these documents:•Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.2. Click this link to browse to the “Configuring Transparent Bridging” chapter: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_c/bcfpart1/bcftb.htm•Catalyst 4908G-L3 Cisco IOS Release 12.0(10)W5(18e) Software Feature and Configuration Guide.Click this link to browse to the “Command Reference” chapter: http://www.cisco.com/univercd/cc/td/doc/product/l3sw/4908g_l3/ios_12/10w518e/config/cmd_ref.htmConfiguring Filters Using the Web-Browser InterfaceThis section describes how to configure and enable filters using the web-browser interface. You complete two steps to configure and enable a filter:1. Name and configure the filter using the filter setup pages.2. Enable the filter using the Apply Filters page.These sections describe setting up and enabling three filter types:•Configuring and Enabling MAC Address Filters, page 15-3•Configuring and Enabling IP Filters, page 15-5•Configuring and Enabling Ethertype Filters, page 15-8
15-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 15 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceConfiguring and Enabling MAC Address FiltersMAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify. You can apply the filters you create to either or both the Ethernet and radio ports and to either or both incoming and outgoing packets.Note MAC address filters are powerful, and you can lock yourself out of the access point if you make a mistake setting up the filters. If you accidentally lock yourself out of your access point, use the CLI to disable the filters.Use the MAC Address Filters page to create MAC address filters for the access point. Figure 15-1 shows the MAC Address Filters page.Figure 15-1 MAC Address Filters PageFollow this link path to reach the Address Filters page:1. Click Services in the page navigation bar.2. In the Services page list, click Filters.3. On the Apply Filters page, click the MAC Address Filters tab at the top of the page.
15-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 15 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceCreating a MAC Address FilterFollow these steps to create a MAC address filter:Step 1 Follow the link path to the MAC Address Filters page.Step 2 If you are creating a new MAC address filter, make sure <NEW> (the default) is selected in the Create/Edit Filter Index menu. To edit a filter, select the filter number from the Create/Edit Filter Index menu.Step 3 In the Filter Index field, name the filter with a number from 700 to 799. The number you assign creates an access control list (ACL) for the filter. Step 4 Enter a MAC address in the Add MAC Address field. Enter the address with periods separating the three groups of four characters (0040.9612.34ab, for example).Note To make sure the filter operates properly, use lower case for all the letters in the MAC addresses that you enter.Step 5 Use the Mask entry field to indicate how many bits, from left to right, the filter checks against the MAC address. For example, to require an exact match with the MAC address (to check all bits) enter FFFF.FFFF.FFFF. To check only the first 4 bytes, enter FFFF.FFFF.0000.Step 6 Select Forward or Block from the Action menu. Step 7 Click Add. The MAC address appears in the Filters Classes field. To remove the MAC address from the Filters Classes list, select it and click Delete Class.Step 8 Repeat Step 4 through Step 7 to add addresses to the filter.Step 9 Select Forward All or Block All from the Default Action menu. The filter’s default action must be the opposite of the action for at least one of the addresses in the filter. For example, if you enter several addresses and you select Block as the action for all of them, you must choose Forward All as the filter’s default action.Tip You can create a list of allowed MAC addresses on an authentication server on your network. Consult the “Configuring Authentication Types” section on page 10-6 for instructions on using MAC-based authentication.Step 10 Click Apply. The filter is saved on the access point, but it is not enabled until you apply it on the Apply Filters page.Step 11 Click the Apply Filters tab to return to the Apply Filters page. Figure 15-2 shows the Apply Filters page.
15-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 15 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceFigure 15-2 Apply Filters PageStep 12 Select the filter number from one of the MAC drop-down menus. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets.Step 13 Click Apply. The filter is enabled on the selected ports.If clients are not filtered immediately, click Reload on the System Configuration page to restart the access point. To reach the System Configuration page, click System Software on the task menu and then click System Configuration.Note Client devices with blocked MAC addresses cannot send or receive data through the access point, but they might remain in the Association Table as unauthenticated client devices. Client devices with blocked MAC addresses disappear from the Association Table when the access point stops monitoring them, when the access point reboots, or when the clients associate with another access point. Configuring and Enabling IP FiltersIP filters (IP address, IP protocol, and IP port) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports, and IP address filters allow or prevent the forwarding of unicast and multicast packets either sent from or addressed to specific IP addresses. You can create a filter that passes traffic to all addresses except those you specify, or you can create a filter that blocks traffic to all addresses except those you specify. You can create filters that contain elements of one, two, or all three IP filtering methods. You can apply the filters you create to either or both the Ethernet and radio ports and to either or both incoming and outgoing packets.Use the IP Filters page to create IP filters for the access point. Figure 15-3 shows the IP Filters page.
15-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 15 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceFigure 15-3 IP Filters PageFollow this link path to reach the IP Filters page:1. Click Services in the page navigation bar.2. In the Services page list, click Filters.3. On the Apply Filters page, click the IP Filters tab at the top of the page.Creating an IP FilterFollow these steps to create an IP filter:Step 1 Follow the link path to the IP Filters page.Step 2 If you are creating a new filter, make sure <NEW> (the default) is selected in the Create/Edit Filter Index menu. To edit an existing filter, select the filter name from the Create/Edit Filter Index menu.Step 3 Enter a descriptive name for the new filter in the Filter Name field.
15-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 15 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceStep 4 Select Forward all or Block all as the filter’s default action from the Default Action menu. The filter’sdefault action must be the opposite of the action for at least one of the addresses in the filter. For example, if you create a filter containing an IP address, an IP protocol, and an IP port and you select Block as the action for all of them, you must choose Forward All as the filter’s default action.Step 5 To filter an IP address, enter an address in the IP Address field.Note If you plan to block traffic to all IP addresses except those you specify as allowed, put the address of your own PC in the list of allowed addresses to avoid losing connectivity to the access point.Step 6 Type the mask for the IP address in the Mask field. Enter the mask with periods separating the groups of characters (112.334.556.778, for example). If you enter 255.255.255.255 as the mask, the access point accepts any IP address. If you enter 0.0.0.0, the access point looks for an exact match with the IP address you entered in the IP Address field. The mask you enter in this field behaves the same way that a mask behaves when you enter it in the CLI.Step 7 Select Forward or Block from the Action menu. Step 8 Click Add. The address appears in the Filters Classes field. To remove the address from the Filters Classes list, select it and click Delete Class. Repeat Step 5 through Step 8 to add addresses to the filter.If you do not need to add IP protocol or IP port elements to the filter, skip to Step 15 to save the filter on the access point. Step 9 To filter an IP protocol, select one of the commmon protocols from the IP Protocol drop-down menu, or select the Custom radio button and enter the number of an existing ACL in the Custom field. Enter an ACL number from 0 to 255. See Appendix E, “Protocol Filters,” for a list of IP protocols and their numeric designators.Step 10 Select Forward or Block from the Action menu. Step 11 Click Add. The protocol appears in the Filters Classes field. To remove the protocol from the Filters Classes list, select it and click Delete Class. Repeat Step 9 to Step 11 to add protocols to the filter.If you do not need to add IP port elements to the filter, skip to Step 15 to save the filter on the access point. Step 12 To filter a TCP or UDP port protocol, select one of the commmon port protocols from the TCP Port or UDP Port drop-down menus, or select the Custom radio button and enter the number of an existing protocol in one of the Custom fields. Enter a protocol number from 0 to 65535. See Appendix E, “Protocol Filters,” for a list of IP port protocols and their numeric designators.Step 13 Select Forward or Block from the Action menu. Step 14 Click Add. The protocol appears in the Filters Classes field. To remove the protocol from the Filters Classes list, select it and click Delete Class. Repeat Step 12 to Step 14 to add protocols to the filter.Step 15 When the filter is complete, click Apply. The filter is saved on the access point, but it is not enabled until you apply it on the Apply Filters page.Step 16 Click the Apply Filters tab to return to the Apply Filters page. Figure 15-4 shows the Apply Filters page.
15-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 15 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceFigure 15-4 Apply Filters PageStep 17 Select the filter name from one of the IP drop-down menus. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets.Step 18 Click Apply. The filter is enabled on the selected ports.Configuring and Enabling Ethertype FiltersEthertype filters prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports. You can apply the filters you create to either or both the Ethernet and radio ports and to either or both incoming and outgoing packets.Use the Ethertype Filters page to create Ethertype filters for the access point. Figure 15-5 shows the Ethertype Filters page.
15-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 15 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceFigure 15-5 Ethertype Filters PageFollow this link path to reach the Ethertype Filters page:1. Click Services in the page navigation bar.2. In the Services page list, click Filters.3. On the Apply Filters page, click the Ethertype Filters tab at the top of the page.Creating an Ethertype FilterFollow these steps to create an Ethertype filter:Step 1 Follow the link path to the Ethertype Filters page.Step 2 If you are creating a new filter, make sure <NEW> (the default) is selected in the Create/Edit Filter Index menu. To edit an existing filter, select the filter number from the Create/Edit Filter Index menu.Step 3 In the Filter Index field, name the filter with a number from 200 to 299. The number you assign creates an access control list (ACL) for the filter. Step 4 Enter an Ethertype number in the Add Ethertype field. See Appendix E, “Protocol Filters,” for a list of protocols and their numeric designators.Step 5 Enter the mask for the Ethertype in the Mask field. Step 6 Select Forward or Block from the Action menu. Step 7 Click Add. The Ethertype appears in the Filters Classes field. To remove the Ethertype from the Filters Classes list, select it and click Delete Class. Repeat Step 4 through Step 7 to add Ethertypes to the filter.
15-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 15 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceStep 8 Select Forward All or Block All from the Default Action menu. The filter’s default action must be the opposite of the action for at least one of the Ethertypes in the filter. For example, if you enter several Ethertypes and you select Block as the action for all of them, you must choose Forward All as the filter’sdefault action.Step 9 Click Apply. The filter is saved on the access point, but it is not enabled until you apply it on the Apply Filters page.Step 10 Click the Apply Filters tab to return to the Apply Filters page. Figure 15-6 shows the Apply Filters page.Figure 15-6 Apply Filters PageStep 11 Select the filter number from one of the Ethertype drop-down menus. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets.Step 12 Click Apply. The filter is enabled on the selected ports.
CHAPTER16-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0116Configuring CDPThis chapter describes how to configure Cisco Discovery Protocol (CDP) on your access point.Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.This chapter contains these sections:•Understanding CDP, page 16-2•Configuring CDP, page 16-2•Monitoring and Maintaining CDP, page 16-4
16-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 16 Configuring CDPUnderstanding CDPUnderstanding CDPCisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. Information in CDP packets is used in network management software such as CiscoWorks2000.CDP is enabled on the access point’s Ethernet port by default. However, CDP is enabled on the access point’s radio port only when the radio is associated to another wireless infrastructure device, such as an access point or a bridge.Note For best performance on your wireless LAN, disable CDP on all radio interfaces and on sub-interfaces if VLANs are enabled on the access point.Configuring CDPThis section contains CDP configuration information and procedures:•Default CDP Configuration, page 16-2•Configuring the CDP Characteristics, page 16-2•Disabling and Enabling CDP, page 16-3•Disabling and Enabling CDP on an Interface, page 16-4Default CDP ConfigurationTable 16-1 lists the default CDP settings.Configuring the CDP CharacteristicsYou can configure the CDP holdtime (the number of seconds before the access point discards CDP packets) and the CDP timer (the number of seconds between each CDP packets the access point sends).Beginning in Priveleged Exec mode, follow these steps to configure the CDP holdtime and CDP timer.Table 16-1 Default CDP ConfigurationFeature Default SettingCDP global state EnabledCDP interface state EnabledCDP holdtime (packet holdtime in seconds) 180CDP timer (packets sent every x seconds) 60
16-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 16 Configuring CDPConfiguring CDPUse the no form of the CDP commands to return to the default settings.This example shows how to configure and verify CDP characteristics:AP# configure terminalAP(config)# cdp holdtime 120AP(config)# cdp timer 50AP(config)# endAP# show cdpGlobal CDP information:Sending a holdtime value of 120 seconds Sending CDP packets every 50 secondsFor additional CDP show commands, see the “Monitoring and Maintaining CDP” section on page 16-4.Disabling and Enabling CDPCDP is enabled by default. Beginning in Priveleged Exec mode, follow these steps to disable the CDP device discovery capability.Beginning in privileged EXEC mode, follow these steps to enable CDP:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 cdp holdtime seconds (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it.The range is from 10 to 255 seconds; the default is 180 seconds.Step 3 cdp timer seconds (Optional) Set the transmission frequency of CDP updates in seconds. The range is from 5 to 254; the default is 60 seconds.Step 4 end Return to Privileged Exec mode.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 no cdp run Disable CDP.Step 3 end Return to Privileged Exec mode.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 cdp run Enable CDP after disabling it.Step 3 end Return to privileged EXEC mode.
16-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 16 Configuring CDPMonitoring and Maintaining CDPThis example shows how to enable CDP.AP# configure terminalAP(config)# cdp runAP(config)# endDisabling and Enabling CDP on an InterfaceCDP is enabled by default on all supported interfaces to send and receive CDP information.Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:Beginning in privileged EXEC mode, follow these steps to enable CDP on an interface:This example shows how to enable CDP on an interface.AP# configure terminalAP(config)# interface xAP(config-if)# cdp enableAP(config-if)# endMonitoring and Maintaining CDPTo monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and enter the interface on which you are disabling CDP.Step 3 no cdp enable Disable CDP on an interface.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and enter the interface on which you are enabling CDP.Step 3 cdp enable Enable CDP on an interface after disabling it.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Descriptionclear cdp counters Reset the traffic counters to zero.clear cdp table Delete the CDP table of information about neighbors.
16-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 16 Configuring CDPMonitoring and Maintaining CDPBelow are six examples of output from the CDP show privileged EXEC commands:AP# show cdpGlobal CDP information: Sending CDP packets every 50 seconds Sending a holdtime value of 120 secondsAP# show cdp entry *-------------------------Device ID: APEntry address(es): IP address: 10.1.1.66Platform: cisco WS-C3550-12T, Capabilities: Switch IGMPInterface: GigabitEthernet0/2, Port ID (outgoing port): GigabitEthernet0/2Holdtime : 129 secVersion :Cisco Internetwork Operating System SoftwareIOS (tm) C3550 Software (C3550-I5Q3L2-M), Experimental Version 12.1(20010612:021316) [jang-flamingo 120]Copyright (c) 1986-2001 by cisco Systems, Inc.Compiled Fri 06-Jul-01 18:18 by jangadvertisement version: 2Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF00000000000000024B293A00FF0000VTP Management Domain: ''Duplex: full-------------------------Device ID: idf2-1-lab-l3.cisco.comEntry address(es): IP address: 10.1.1.10Platform: cisco WS-C3524-XL, Capabilities: Trans-Bridge Switchshow cdp Display global information, such as frequency of transmissions and the holdtime for packets being sent.show cdp entry entry-name [protocol |version]Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information.You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device.show cdp interface [type number] Display information about interfaces where CDP is enabled.You can limit the display to the type of interface or the number of the interface about which you want information (for example, entering gigabitethernet 0/1 displays information only about Gigabit Ethernet port 1).show cdp neighbors [type number][detail]Display information about neighbors, including device type, interface type and number, holdtime settings, capabilities, platform, and port ID. You can limit the display to neighbors on a specific type or number of interface or expand the display to provide more detailed information.show cdp traffic Display CDP counters, including the number of packets sent and received and checksum errors.Command Description
16-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 16 Configuring CDPMonitoring and Maintaining CDPInterface: GigabitEthernet0/1, Port ID (outgoing port): FastEthernet0/10Holdtime : 141 secVersion :Cisco Internetwork Operating System SoftwareIOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.1)XP, MAINTENANCE INTERIM SOFTWARECopyright (c) 1986-1999 by cisco Systems, Inc.Compiled Fri 10-Dec-99 11:16 by cchangadvertisement version: 2Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=25, value=00000000FFFFFFFF010101FF000000000000000142EFA400FFVTP Management Domain: '' AP# show cdp entry * protocolProtocol information for talSwitch14 : IP address: 172.20.135.194Protocol information for tstswitch2 : IP address: 172.20.135.204 IP address: 172.20.135.202Protocol information for tstswitch2 : IP address: 172.20.135.204 IP address: 172.20.135.202 AP# show cdp interfaceGigabitEthernet0/1 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/2 is up, line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/3 is administratively down, line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/4 is up, line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/5 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/6 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/7 is up, line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/8 is up, line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 seconds AP# show cdp neighborCapability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - RepeaterDevice ID Local Intrfce Holdtme Capability Platform Port ID
16-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 16 Configuring CDPMonitoring and Maintaining CDPPerdido2 Gig 0/6 125 R S I WS-C3550-1Gig 0/6Perdido2 Gig 0/5 125 R S I WS-C3550-1Gig 0/5 AP# show cdp trafficCDP counters : Total packets output: 50882, Input: 52510 Hdr syntax: 0, Chksum error: 0, Encaps failed: 0 No memory: 0, Invalid packet: 0, Fragmented: 0 CDP version 1 advertisements output: 0, Input: 0 CDP version 2 advertisements output: 50882, Input: 52510
16-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 16 Configuring CDPMonitoring and Maintaining CDP
CHAPTER17-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0117Configuring SNMPThis chapter describes how to configure the Simple Network Management Protocol (SNMP) on your access point.Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.This chapter consists of these sections:•Understanding SNMP, page 17-2•Configuring SNMP, page 17-4•Displaying SNMP Status, page 17-10
17-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 17 Configuring SNMPUnderstanding SNMPUnderstanding SNMPSNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and management information base (MIB) reside on the access point. To configure SNMP on the access point, you define the relationship between the manager and the agent.The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager’s requests to get or set data.An agent can send unsolicited traps to the manager. Traps are messages alerting the SNMP manager to a condition on the network. Traps can mean improper user authentication, restarts, link status (up or down), MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events.This section includes these concepts:•SNMP Versions, page 17-2•SNMP Manager Functions, page 17-3•SNMP Agent Functions, page 17-3•SNMP Community Strings, page 17-3•Using SNMP to Access MIB Variables, page 17-4SNMP VersionsThis software release supports these SNMP versions:•SNMPv1—The Simple Network Management Protocol, a full Internet standard, defined in RFC 1157.•SNMPv2C, which has these features:–SNMPv2—Version 2 of the Simple Network Management Protocol, a draft Internet standard, defined in RFCs 1902 through 1907.–SNMPv2C—The Community-based Administrative Framework for SNMPv2, an experimental Internet protocol defined in RFC 1901.SNMPv2C replaces the Party-based Administrative and Security Framework of SNMPv2Classic with the Community-based Administrative Framework of SNMPv2C while retaining the bulk retrieval and improved error handling of SNMPv2Classic.Both SNMPv1 and SNMPv2C use a community-based form of security. The community of managers able to access the agent’s MIB is defined by an IP address access control list and password. SNMPv2C includes a bulk retrieval mechanism and more detailed error message reporting to management stations. The bulk retrieval mechanism retrieves tables and large quantities of information, minimizing the number of round-trips required. The SNMPv2C improved error-handling includes expanded error codes that distinguish different kinds of error conditions; these conditions are reported through a single error code in SNMPv1. Error return codes now report the error type.
17-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 17 Configuring SNMPUnderstanding SNMPYou must configure the SNMP agent to use the version of SNMP supported by the management station. An agent can communicate with multiple managers; therefore, you can configure the software to support communications with one management station using the SNMPv1 protocol and another using the SNMPv2 protocol. SNMP Manager FunctionsThe SNMP manager uses information in the MIB to perform the operations described in Table 17-1.SNMP Agent FunctionsThe SNMP agent responds to SNMP manager requests as follows: •Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.•Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS. The SNMP agent changes the value of the MIB variable to the value requested by the NMS.The SNMP agent also sends unsolicited trap messages to notify an NMS that a significant event has occurred on the agent. Examples of trap conditions include, but are not limited to, when a port or module goes up or down, when spanning-tree topology changes occur, and when authentication failures occur.SNMP Community StringsSNMP community strings authenticate access to MIB objects and function as embedded passwords. In order for the NMS to access the access point, the community string definitions on the NMS must match at least one of the three community string definitions on the access point.A community string can have one of these attributes:•Read-only—Gives read access to authorized management stations to all objects in the MIB except the community strings, but does not allow write accessTable 17-1 SNMP OperationsOperation Descriptionget-request Retrieves a value from a specific variable.get-next-request Retrieves a value from a variable within a table.11. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.get-bulk-request22. The get-bulk command works only with SNMPv2.Retrieves large blocks of data that would otherwise require the transmission of many small blocks of data, such as multiple rows in a table.get-response Replies to a get-request, get-next-request, and set-request sent by an NMS.set-request Stores a value in a specific variable.trap An unsolicited message sent by an SNMP agent to an SNMP manager when some event has occurred.
17-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 17 Configuring SNMPConfiguring SNMP•Read-write—Gives read and write access to authorized management stations to all objects in the MIB, but does not allow access to the community strings•Read-write-all—Gives read and write access to authorized management stations to all objects in the MIB, including the community stringsUsing SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the access point MIB variables to set device variables and to poll devices on the network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot internetworking problems, increase network performance, verify the configuration of devices, monitor traffic loads, and more.As shown in Figure 17-1, the SNMP agent gathers data from the MIB. The agent can send traps (notification of certain events) to the SNMP manager, which receives and processes the traps. Traps are messages alerting the SNMP manager to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC address tracking, and so forth. The SNMP agent also responds to MIB-related queries sent by the SNMP manager in get-request,get-next-request, and set-request format. Figure 17-1 SNMP NetworkFor information on supported MIBs and how to access them, see Appendix F, “Supported MIBs.”Configuring SNMPThis section describes how to configure SNMP on your access point. It contains this configuration information:•Default SNMP Configuration, page 17-5•Disabling the SNMP Agent, page 17-5•Configuring Community Strings, page 17-5•Configuring Trap Managers and Enabling Traps, page 17-7•Setting the Agent Contact and Location Information, page 17-9•Using the snmp-server view Command, page 17-9•SNMP Examples, page 17-9get-request, get-next-request,get-bulk, set-requestNetwork deviceget-response, traps 81949SNMP managerNMSMIBSNMP agent
17-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 17 Configuring SNMPConfiguring SNMPDefault SNMP ConfigurationTable 17-2 shows the default SNMP configuration.Disabling the SNMP AgentBeginning in privileged EXEC mode, follow these steps to disable the SNMP agent:No specific IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables SNMPv1 and SNMPv2.Configuring Community StringsYou use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the access point. Optionally, you can specify one or more of these characteristics associated with the string:•An access list of IP addresses of the SNMP managers that are permitted to use the community string to gain access to the agent•A MIB view, which defines the subset of all MIB objects accessible to the given community •Read and write or read-only permission for the MIB objects accessible to the communityTable 17-2 Default SNMP ConfigurationFeature Default SettingSNMP agent EnabledSNMP community strings Read-Only: PublicRead-Write: PrivateRead-Write-all: SecretSNMP trap receiver None configuredSNMP traps None enabledCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 no snmp-server Disable the SNMP agent operation.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
17-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 17 Configuring SNMPConfiguring SNMPBeginning in privileged EXEC mode, follow these steps to configure a community string on the access point:Note To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string).To remove a specific community string, use the no snmp-server community string global configuration command. This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the access point SNMP agent:AP(config)# snmp-server community comaccess ro 4Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 snmp-server community string [ro |rw][access-list-number]Configure the community string.•For string, specify a string that acts like a password and permits access to the SNMP protocol. You can configure one or more community strings of any length.•(Optional) Specify either read-only (ro) if you want authorized management stations to retrieve MIB objects, or specify read/write (rw) if you want authorized management stations to retrieve and modify MIB objects. By default, the community string permits read-only access to all objects.•(Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.Step 3 access-list access-list-number {deny | permit}source [source-wildcard](Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.•For access-list-number, enter the access list number specified in Step 2.•The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.•For source, enter the IP address of the SNMP managers that are permitted to use the community string to gain access to the agent.•(Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.Recall that the access list is always terminated by an implicit deny statement for everything.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
17-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 17 Configuring SNMPConfiguring SNMPConfiguring Trap Managers and Enabling TrapsA trap manager is a management station that receives and processes traps. Traps are system alerts that the access point generates when certain events occur. By default, no trap manager is defined, and no traps are issued. Access points running this IOS release can have an unlimited number of trap managers. Community strings can be any length.Table 17-3 describes the supported access point traps (notification types). You can enable any or all of these traps and configure a trap manager to receive them.Some notification types cannot be controlled with the snmp-server enable global configuration command, such as tty and udp-port. These notification types are always enabled. You can use the snmp-server host global configuration command to a specific host to receive the notification types listed in Table 17-3.Table 17-3 Notification TypesNotification Type Descriptionauthenticate-fail Enable traps for authentication failures.config Enable traps for SNMP configuration changes.deauthenticate Enable traps for client device deauthentications.disassociate Enable traps for client device disassociations.dot11-qos Enable traps for QoS changes.entity Enable traps for SNMP entity changes.rogue-ap Enable traps for rogue access point detections.snmp Enable traps for SNMP events.switch-over Enable traps for switch-overs.syslog Enable syslog traps.wlan-wep Enable WEP traps.
17-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 17 Configuring SNMPConfiguring SNMPBeginning in privileged EXEC mode, follow these steps to configure the access point to send traps to a host:To remove the specified host from receiving traps, use the no snmp-server host host global configuration command. To disable a specific trap type, use the no snmp-server enable trapsnotification-types global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 snmp-server host host-addr {traps | informs} {version {1|2c}} community-string notification-typeSpecify the recipient of the trap message.•For host-addr, specify the name or address of the host (the targeted recipient).•Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs to the host.•Specify the SNMP version to support. Version 1, the default, is not available with informs.Note Though visible in the command-line help string, the version 3 keyword (SNMPv3) is not supported.•For community-string, specify the string to send with the notification operation. Though you can set this string using the snmp-server host command, we recommend that you define this string by using the snmp-server communitycommand before using the snmp-server hostcommand. •For notification-type, use the keywords listed in Table 17-3 on page 17-7.Step 3 snmp-server enable traps notification-types Enable the access point to send specific traps. For a list of traps, see Table 17-3 on page 17-7.To enable multiple types of traps, you must issue a separate snmp-server enable traps command for each trap type.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
17-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 17 Configuring SNMPConfiguring SNMPSetting the Agent Contact and Location InformationBeginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:Using the snmp-server view CommandIn global configuration mode, use the snmp-server view command to access Standard IEEE 802.11 MIB objects through IEEE view and the dot11 read-write community string. This example shows how to enable IEEE view and dot11 read-write community string:AP(config)# snmp-server view ieee ieee802dot11 includedAP(config)# snmp-server community dot11 view ieee RWSNMP ExamplesThis example shows how to enable SNMPv1 and SNMPv2C. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public. This configuration does not cause the access point to send any traps.AP(config)# snmp-server community publicThis example shows how to permit any SNMP manager to access all objects with read-only permission using the community string public. The access point also sends config traps to the hosts 192.180.1.111 and 192.180.1.33 using SNMPv1 and to the host 192.180.1.27 using SNMPv2C. The community string public is sent with the traps.AP(config)# snmp-server community publicAP(config)# snmp-server enable traps configAP(config)# snmp-server host 192.180.1.27 version 2c publicAP(config)# snmp-server host 192.180.1.111 version 1 publicAP(config)# snmp-server host 192.180.1.33 publicCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 snmp-server contact text Set the system contact string.For example:snmp-server contact Dial System Operator at beeper 21555.Step 3 snmp-server location text Set the system location string.For example:snmp-server location Building 3/Room 222Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
17-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 17 Configuring SNMPDisplaying SNMP StatusThis example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.AP(config)# snmp-server community comaccess ro 4AP(config)# snmp-server enable traps snmp authenticationAP(config)# snmp-server host cisco.com version 2c publicThis example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted. The first line enables the access point to send Entity MIB traps in addition to any traps previously enabled. The second line specifies the destination of these traps and overwrites any previous snmp-server host commands for the host cisco.com.AP(config)# snmp-server enable traps entityAP(config)# snmp-server host cisco.com restricted entityThis example shows how to enable the access point to send all traps to the host myhost.cisco.com using the community string public:AP(config)# snmp-server enable trapsAP(config)# snmp-server host myhost.cisco.com publicDisplaying SNMP StatusTo display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
CHAPTER18-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0118Configuring Repeater and Standby Access PointsThis chapter descibes how to configure your access point as a hot standby unit or as a repeater unit. This chapter contains these sections:•Understanding Repeater Access Points, page 18-2•Configuring a Repeater Access Point, page 18-3•Understanding Hot Standby, page 18-7•Configuring a Hot Standby Access Point, page 18-7
18-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 18 Configuring Repeater and Standby Access PointsUnderstanding Repeater Access PointsUnderstanding Repeater Access PointsA repeater access point is not connected to the wired LAN; it is placed within radio range of an access point connected to the wired LAN to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. You can configure either the 2.4-GHz radio or the 5-GHz radio as a repeater. In access points with two radios, only one radio can be a repeater; the other radio must be configured as a root radio.The repeater forwards traffic between wireless users and the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN. The data is sent through the route that provides the best performance for the client. When you configure an access point as a repeater, the access point’s Ethernet port does not forward traffic.You can set up a chain of several repeater access points, but throughput for client devices at the end of the repeater chain will be quite low. Because each repeater must receive and then re-transmit each packet on the same channel, throughput is cut in half for each repeater you add to the chain.A repeater access point associates to the access point with which it has the best connectivity. However, you can specify the access point to which the repeater associates. Setting up a static, specific association between a repeater and a root access point improves repeater performance.To set up repeaters, you must enable Aironet extensions on both the parent (root) access point and the repeater access points. Aironet extensions, which are enabled by default, improve the access point's ability to understand the capabilities of Cisco Aironet client devices associated with the access point. Disabling Aironet extensions sometimes improves the interoperability between the access point and non-Cisco client devices. Non-Cisco client devices might have difficulty communicating with repeater access points and the root access point to which repeaters are associated.Figure 18-1 shows an access point acting as a repeater.
18-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 18 Configuring Repeater and Standby Access PointsConfiguring a Repeater Access PointFigure 18-1 Access Point as a RepeaterConfiguring a Repeater Access PointThis section provides instructions for setting up an access point as a repeater and includes these sections:•Default Configuration, page 18-4•Guidelines for Repeaters, page 18-4•Setting Up a Repeater, page 18-4•Verifying Repeater Operation, page 18-5•Setting Up a Repeater As a LEAP Client, page 18-6Access Point(Root Unit)Access Point(Repeater)66000Wired LAN
18-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 18 Configuring Repeater and Standby Access PointsConfiguring a Repeater Access PointDefault ConfigurationAccess points are configured as root units by default. Table 18-1 shows the default values for settings that control the access point’s role in the wireless LAN.Guidelines for RepeatersFollow these guidelines when configuring repeater access points:•Use repeaters to serve client devices that do not require high throughput. Repeaters extend the coverage area of your wireless LAN, but they drastically reduce throughput.•Use repeaters when most if not all client devices that associate with the repeaters are Cisco Aironet clients. Non-Cisco client devices sometimes have trouble communicating with repeater access points.Setting Up a RepeaterBeginning in Privileged Exec mode, follow these steps to configure an access point as a repeater:Table 18-1 Default Settings for Role in Wireless LANFeature Default SettingStation role RootParent noneExtensions AironetCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 ssid ssid-string Create the SSID that the repeater uses to associate to a root access point; in the next step designate this SSID as an infrastructure SSID. If you created an infrastructure SSID on the root access point, create the same SSID on the repeater, also.Step 4 infrastructure-ssid [optional] Designate the SSID as an infrastructure SSID. The repeater uses this SSID to associate to the root access point. Infrastructure devices must associate to the repeater access point using this SSID unless you also enter the optional keyword.Step 5 exit Exit SSID configuration mode and return to radio interface configuration mode.Step 6 station-role repeater Set the access point’s role in the wireless LAN to repeater.Step 7 dot11 extensions aironet If Aironet extensions are disabled, enable Aironet extensions.
18-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 18 Configuring Repeater and Standby Access PointsConfiguring a Repeater Access PointThis example shows how to set up a repeater acess point with three potential parents:AP# configure terminalAP(config)# interface dot11radio 0AP(config-if)# ssid chicagoAP(config-ssid)# infrastructure-ssidAP(config-ssid)# exitAP(config-if)# station-role repeaterAP(config-if)# dot11 extensions aironetAP(config-if)# parent 1 0987.1234.h345 900AP(config-if)# parent 2 7809.b123.c345 900AP(config-if)# parent 3 6543.a456.7421 900AP(config-if)# endVerifying Repeater OperationAfter you set up the repeater, check the LEDs on top of the repeater access point. If your repeater is functioning correctly, the LEDs on the repeater and the root access point to which it is associated behave like this:•The status LED on the root access point is steady green, indicating that at least one client device is associated with it (in this case, the repeater). •The status LED on the repeater access point is steady green when it is associated with the root access point and the repeater has client devices associated to it. The repeater's status LED flashes (steady green for 7/8 of a second and off for 1/8 of a second) when it is associated with the root access point but the repeater has no client devices associated to it. The repeater access point should also appear as associated with the root access point in the root access point's Association Table.Step 8 parent {1-4}mac-address [timeout](Optional) Enter the MAC address for the access point to which the repeater should associate. •You can enter MAC addresses for up to four parent access points. The repeater attempts to associate to MAC address 1 first; if that access point does not respond, the repeater tries the next access point in its parent list. •(Optional) You can also enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list. Enter a timeout value from 0 to 65535 seconds.Step 9 end Return to privileged EXEC mode.Step 10 copy running-config startup-config(Optional) Save your entries in the configuration file.Command Purpose
18-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 18 Configuring Repeater and Standby Access PointsConfiguring a Repeater Access PointSetting Up a Repeater As a LEAP ClientYou can set up a repeater access point to authenticate to your network like other wireless client devices. After you provide a network username and password for the repeater access point, it authenticates to your network using LEAP, Cisco's wireless authentication method, and receives and uses dynamic WEP keys. Setting up a repeater as a LEAP client requires three major steps:1. Create an authentication username and password for the repeater on your authentication server.2. Configure LEAP authentication on the root access point to which the repeater associates. See Chapter 10, “Configuring Authentication Types,” for instructions on setting up authentication on the access point.3. Configure the repeater to act as a LEAP client. Beginning in Privileged Exec mode, follow these instructions to set up the repeater as a LEAP client:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.Step 3 ssid ssid-string Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters, but they should not include spaces. SSIDs are case-sensitive.Step 4 authentication network-eap list-nameEnable LEAP authentication on the repeater so that LEAP-enabled client devices can authenticate through the repeater. For list-name, specify the name or IP address of the authentication server.Step 5 authentication client username username password passwordConfigure the username and password that the repeater uses when it performs LEAP authentication. This username and password must match the username and password that you set up for the repeater on the authentication server.Step 6 infrastructure ssid [optional] (Optional) Designate the SSID as the SSID that other access points and workgroup bridges use to associate to this access point. If you do not designate an SSID as the infrastructure SSID, infrastructure devices can associate to the access point using any SSID. If you designate an SSID as the infrastructure SSID, infrastructure devices must associate to the access point using that SSID unless you also enter the optional keyword.Step 7 end Return to privileged EXEC mode.Step 8 copy running-config startup-config(Optional) Save your entries in the configuration file.
18-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 18 Configuring Repeater and Standby Access PointsUnderstanding Hot StandbyUnderstanding Hot StandbyHot Standby mode designates an access point as a backup for another access point. The standby access point is placed near the access point it monitors, configured exactly the same as the monitored access point. The standby access point associates with the monitored access point as a client and queries the monitored access point regularly through both the Ethernet and the radio ports. If the monitored access point fails to respond, the standby access point comes online and takes the monitored access point’s place in the network.Except for the IP address, the standby access point’s settings should be identical to the settings on the monitored access point. If the monitored access point goes offline and the standby access point takes its place in the network, matching settings ensures that client devices can switch easily to the standby access point.Hot standby mode is disabled by default.Note If the monitored access point malfunctions and the standby access point takes its place, repeat the hot standby setup on the standby access point when you repair or replace the monitored access point. The standby access point does not revert to standby mode automatically. Configuring a Hot Standby Access PointWhen you set up the standby access point, you must enter the MAC address of the access point that the standby unit will monitor. Record the MAC address of the monitored access point before you configure the standby access point.The standby access point also must duplicate several key settings on the monitored access point. These settings are:•Primary SSID (as well as additional SSIDs configured on the monitored access point)•Default IP Subnet Mask•Default Gateway•Data rates•WEP settings•Authentication TypesCheck the monitored access point and record these settings before you set up the standby access point. Note Wireless client devices associated to the standby access point lose their connections during the hot standby setup process.Beginning in Privileged Exec mode, follow these steps to enable hot standby mode on an access point:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 iapp standby mac-address Puts the access point into standby mode and specifies the MAC address of the monitored access point.
18-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 18 Configuring Repeater and Standby Access PointsConfiguring a Hot Standby Access PointAfter you enable standby mode, configure the settings that you recorded from the monitored access point to match on the standby access point. Use this command to check the standby configuration:show iapp standby-parmsThis command displays the MAC address of the standby access point, the standby timeout, and the poll-frequency values. If no standby access point is configured, this message appears:no iapp standby mac-addressStep 3 interface dot11radio 0 Enter interface configuration mode for the radio interface.Note Hot Standby mode is available only for the 2.4-GHz radio.Step 4 ssid ssid-string Create the SSID that the standby access point uses to associate to the monitored access point; in the next step designate this SSID as an infrastructure SSID. If you created an infrastructure SSID on the monitored access point, create the same SSID on the repeater, also.Step 5 infrastructure-ssid [optional] Designate the SSID as an infrastructure SSID. The standby uses this SSID to associate to the monitored access point. If the standby access point takes the place of the monitored access point, infrastructure devices must associate to the standby access point using this SSID unless you also enter the optional keyword.Step 6 exit Exit SSID configuration mode and return to radio interface configuration mode.Step 7 iapp standby poll-frequencysecondsSets the number of seconds between queries that the standby access point sends to the monitored access point’s radio and Ethernet ports.Step 8 iapp standby timeout seconds Sets the number of seconds the standby access point waits for a response from the monitored access point before it assumes that the monitored access point has malfunctioned.Step 9 show iapp standby-parms Verify your entries. If the access point is in standby mode, this command displays the standby parameters, including the MAC address of the monitored access point and the poll-frequency and timeout values. If the access point is not in standby mode, no iapp standby mac-address appears.Step 10 end Return to privileged EXEC mode.Step 11 copy running-config startup-config(Optional) Save your entries in the configuration file.Command Purpose
CHAPTER19-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0119Managing Firmware and ConfigurationsThis chapter describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.This chapter consists of these sections:•Working with the Flash File System, page 19-2•Working with Configuration Files, page 19-8•Working with Software Images, page 19-18
19-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with the Flash File SystemWorking with the Flash File SystemThe Flash file system on your access point provides several commands to help you manage software image and configuration files.The Flash file system is a single Flash device on which you can store files. This Flash device is calledflash:.This section contains this information:•Displaying Available File Systems, page 19-2•Setting the Default File System, page 19-3•Displaying Information About Files on a File System, page 19-3•Changing Directories and Displaying the Working Directory, page 19-4•Creating and Removing Directories, page 19-4•Copying Files, page 19-5•Deleting Files, page 19-5•Creating, Displaying, and Extracting tar Files, page 19-6•Displaying the Contents of a File, page 19-8Displaying Available File SystemsTo display the available file systems on your access point, use the show file systems privileged EXEC command as shown in this example:ap# show file systemsFile Systems: Size(b) Free(b) Type Flags Prefixes* 16128000 11118592 flash rw flash: 16128000 11118592 unknown rw zflash: 32768 26363 nvram rw nvram: - - network rw tftp: - - opaque rw null: - - opaque rw system: - - opaque ro xmodem: - - opaque ro ymodem: - - network rw rcp: - - network rw ftp:Table 19-1 lists field descriptions for the show file systems command.Table 19-1 show file systems Field DescriptionsField ValueSize(b) Amount of memory in the file system in bytes.Free(b) Amount of free memory in the file system in bytes.
19-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with the Flash File SystemSetting the Default File SystemYou can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command. You can set the default file system to omit the filesystem:argument from related commands. For example, for all privileged EXEC commands that have the optional filesystem: argument, the system uses the file system specified by the cd command.By default, the default file system is flash:.You can display the current default file system as specified by the cd command by using the pwdprivileged EXEC command.Displaying Information About Files on a File SystemYou can view a list of the contents of a file system before manipulating its contents. For example, before copying a new configuration file to Flash memory, you might want to verify that the file system does not already contain a configuration file with the same name. Similarly, before copying a Flash configuration file to another location, you might want to verify its filename for use in another command.Type Type of file system.flash—The file system is for a Flash memory device.network—The file system is for a network device.nvram—The file system is for a nonvolatile RAM (NVRAM) device.opaque—The file system is a locally generated pseudo file system (for example, the system) or a download interface, such as brimux.unknown—The file system is an unknown type.Flags Permission for file system. ro—read-only.rw—read/write.wo—write-only.Prefixes Alias for file system.flash:—Flash file system.ftp:—File Transfer Protocol network server. Used to transfer files to or from the network device.nvram:—Non-volatile RAM memory (NVRAM).null:—Null destination for copies. You can copy a remote file to null to determine its size.rcp:—Remote Copy Protocol (RCP) network server.system:—Contains the system memory, including the running configuration.tftp:—Trivial File Transfer Protocol (TFTP) network server.zflash:—Read-only file decompression file system, which mirrors the contents of the Flash file system.Table 19-1 show file systems Field Descriptions (continued)Field Value
19-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with the Flash File SystemTo display information about files on a file system, use one of the privileged EXEC commands in Table 19-2:Changing Directories and Displaying the Working DirectoryBeginning in privileged EXEC mode, follow these steps to change directories and display the working directory.Creating and Removing DirectoriesBeginning in privileged EXEC mode, follow these steps to create and remove a directory:To delete a directory with all its files and subdirectories, use the delete /force /recursive filesystem:/file-url privileged EXEC command. Table 19-2 Commands for Displaying Information About FilesCommand Descriptiondir [/all] [filesystem:][filename] Display a list of files on a file system.show file systems Display more information about each of the files on a file system.show file information file-url Display information about a specific file.show file descriptors Display a list of open file descriptors. File descriptors are the internal representations of open files. You can use this command to see if another user has a file open.Command PurposeStep 1 dir filesystem:Display the directories on the specified file system.For filesystem:, use flash: for the system board Flash device.Step 2 cd new_configs Change to the directory of interest.The command example shows how to change to the directory named new_configs.Step 3 pwd Display the working directory.Command PurposeStep 1 dir filesystem:Display the directories on the specified file system.For filesystem:, use flash: for the system board Flash device.Step 2 mkdir old_configs Create a new directory.The command example shows how to create the directory named old_configs.Directory names are case sensitive. Directory names are limited to 45 characters between the slashes (/); the name cannot contain control characters, spaces, deletes, slashes, quotes, semicolons, or colons.Step 3 dir filesystem:Verify your entry.
19-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with the Flash File SystemUse the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process. Use the /force and /recursive keywords for deleting old software images that were installed by using the archive download-sw command but are no longer needed.For filesystem, use flash: for the system board Flash device. For file-url, enter the name of the directory to be deleted. All the files in the directory and the directory are removed.Caution When files and directories are deleted, their contents cannot be recovered.Copying FilesTo copy a file from a source to a destination, use the copy [/erase]source-url destination-url privileged EXEC command. For the source and destination URLs, you can use running-config and startup-configkeyword shortcuts. For example, the copy running-config startup-config command saves the currently running configuration file to the NVRAM section of Flash memory to be used as the configuration during system initialization.Network file system URLs include ftp:,rcp:, and tftp: and have the following syntax:•File Transfer Protocol (FTP)—ftp:[[//username [:password]@location]/directory]/filename•Remote Copy Protocol (RCP)—rcp:[[//username@location]/directory]/filename•Trivial File Transfer Protocol (TFTP)—tftp:[[//location]/directory]/filenameLocal writable file systems include flash:.Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations:•From a running configuration to a running configuration•From a startup configuration to a startup configuration•From a device to the same device (for example, the copy flash: flash: command is invalid)For specific examples of using the copy command with configuration files, see the “Working with Configuration Files” section on page 19-8.To copy software images either by downloading a new version or uploading the existing one, use the archive download-sw or the archive upload-sw privileged EXEC command. For more information, see the “Working with Software Images” section on page 19-18.Deleting FilesWhen you no longer need a file on a Flash memory device, you can permanently delete it. To delete a file or directory from a specified Flash device, use the delete [/force] [/recursive] [filesystem:]/file-urlprivileged EXEC command. Caution When files are deleted, their contents cannot be recovered.
19-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with the Flash File SystemUse the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process. Use the /force and /recursivekeywords for deleting old software images that were installed by using the archive download-swcommand but are no longer needed.If you omit the filesystem: option, the access point uses the default device specified by the cd command. For file-url, you specify the path (directory) and the name of the file to be deleted.This example shows how to delete the file myconfig from the default Flash memory device:ap# delete myconfigCreating, Displaying, and Extracting tar FilesYou can create a tar file and write files into it, list the files in a tar file, and extract the files from a tar file as described in the next sections.Creating a tar FileTo create a tar file and write files into it, use this privileged EXEC command:archive tar /create destination-url flash:/file-urlFor destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create. These options are supported:•For the local Flash file system, the syntax isflash:/file-url•For the File Transfer Protocol (FTP), the syntax is ftp:[[//username[:password]@location]/directory]/tar-filename.tar•For the Remote Copy Protocol (RCP), the syntax is rcp:[[//username@location]/directory]/tar-filename.tar•For the Trivial File Transfer Protocol (TFTP), the syntax is tftp:[[//location]/directory]/tar-filename.tarThe tar-filename.tar is the tar file to be created.For flash:/file-url, specify the location on the local Flash file system from which the new tar file is created. You can also specify an optional list of files or directories within the source directory to write to the new tar file. If none are specified, all files and directories at this level are written to the newly created tar file.This example shows how to create a tar file. This command writes the contents of the new-configsdirectory on the local Flash device to a file named saved.tar on the TFTP server at 172.20.10.30:ap# archive tar /create tftp:172.20.10.30/saved.tar flash:/new-configsDisplaying the Contents of a tar FileTo display the contents of a tar file on the screen, use this privileged EXEC command:archive tar /table source-url
19-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with the Flash File SystemFor source-url, specify the source URL alias for the local or network file system. These options are supported:•For the local Flash file system, the syntax isflash:•For the File Transfer Protocol (FTP), the syntax is ftp:[[//username[:password]@location]/directory]/tar-filename.tar•For the Remote Copy Protocol (RCP), the syntax is rcp:[[//username@location]/directory]/tar-filename.tar•For the Trivial File Transfer Protocol (TFTP), the syntax is tftp:[[//location]/directory]/tar-filename.tarThe tar-filename.tar is the tar file to display.You can also limit the display of the files by specifying an optional list of files or directories after the tar file; then only these files are displayed. If none are specified, all files and directories are displayed.This example shows how to display the contents of the c1200-k9w7-mx.122-8.JA.tar file that is in Flash memory:ap# archive tar /table flash:c1200-k9w7-mx.122-8.JA.tarinfo (219 bytes)c1200-k9w7-mx.122-8.JA/ (directory)c1200-k9w7-mx.122-8.JA/html/ (directory)c1200-k9w7-mx.122-8.JA/html/foo.html (0 bytes)c1200-k9w7-mx.122-8.JA/c1200-k9w7-mx.122-8.JA.bin (610856 bytes)c1200-k9w7-mx.122-8.JA/info (219 bytes)info.ver (219 bytes)This example shows how to display only the c1200-k9w7-mx.122-8.JA/html directory and its contents:ap# archive tar /table flash:c1200-k9w7-mx.122-8.JA/htmlc1200-k9w7-mx.122-8.JA/html/ (directory)c1200-k9w7-mx.122-8.JA/html/foo.html (0 bytes)Extracting a tar FileTo extract a tar file into a directory on the Flash file system, use this privileged EXEC command:archive tar /xtract source-url flash:/file-urlFor source-url, specify the source URL alias for the local or network file system. These options are supported:•For the local Flash file system, the syntax isflash:•For the File Transfer Protocol (FTP), the syntax is ftp:[[//username[:password]@location]/directory]/tar-filename.tar•For the Remote Copy Protocol (RCP), the syntax is rcp:[[//username@location]/directory]/tar-filename.tar•For the Trivial File Transfer Protocol (TFTP), the syntax is tftp:[[//location]/directory]/tar-filename.tarThe tar-filename.tar is the tar file from which to extract files.For flash:/file-url, specify the location on the local Flash file system into which the tar file is extracted. You can also specify an optional list of files or directories within the tar file for extraction. If none are specified, all files and directories are extracted.
19-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Configuration FilesThis example shows how to extract the contents of a tar file located on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local Flash file system. The remaining files in the saved.tar file are ignored.ap# archive tar /xtract tftp://172.20.10.30/saved.tar flash:/new-configsDisplaying the Contents of a FileTo display the contents of any readable file, including a file on a remote file system, use the more [/ascii|/binary | /ebcdic]file-url privileged EXEC command: This example shows how to display the contents of a configuration file on a TFTP server:ap# more tftp://serverA/hampton/savedconfig!! Saved configuration on server!version 11.3service timestamps log datetime localtimeservice linenumberservice udp-small-serversservice pt-vty-logging!<output truncated>Working with Configuration FilesThis section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. To better benefit from these instructions, your access point contains a minimal default running configuration for interacting with the system software. You can copy (download) configuration files from a TFTP, FTP, or RCP server to the running configuration of the access point for various reasons:•To restore a backed-up configuration file.•To use the configuration file for another access point. For example, you might add another access point to your network and want it to have a configuration similar to the original access point. By copying the file to the new access point, you can change the relevant parts rather than recreating the whole file.•To load the same configuration commands on all the access points in your network so that all the access points have similar configurations.You can co py (upload) configuration files from the access point to a file server by using TFTP, FTP, or RCP. You might perform this task to back up a current configuration file to a server before changing its contents so that you can later restore the original configuration file from the server. The protocol you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP. These improvements are possible because FTP and RCP are built on and use the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which is connection oriented.
19-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Configuration FilesThis section includes this information:•Guidelines for Creating and Using Configuration Files, page 19-9•Configuration File Types and Location, page 19-9•Creating a Configuration File by Using a Text Editor, page 19-10•Copying Configuration Files by Using TFTP, page 19-10•Copying Configuration Files by Using FTP, page 19-12•Copying Configuration Files by Using RCP, page 19-15•Clearing Configuration Information, page 19-18Guidelines for Creating and Using Configuration FilesCreating configuration files can aid in your access point configuration. Configuration files can contain some or all of the commands needed to configure one or more access points. For example, you might want to download the same configuration file to several access points that have the same hardware configuration.Use these guidelines when creating a configuration file:•If no passwords have been set on the access point, you must set them on each access point by entering the enable secret secret-password global configuration command. Enter a blank line for this command. The password is saved in the configuration file as clear text.•If passwords already exist, you cannot enter the enable secret secret-password global configuration command in the file because the password verification will fail. If you enter a password in the configuration file, the access point mistakenly attempts to execute the passwords as commands as it executes the file.•The copy {ftp: | rcp: | tftp:}system:running-config privileged EXEC command loads the configuration files on the access point as if you were entering the commands at the command line. The access point does not erase the existing running configuration before adding the commands. If a command in the copied configuration file replaces a command in the existing configuration file, the existing command is erased. For example, if the copied configuration file contains a different IP address in a particular command than the existing configuration, the IP address in the copied configuration is used. However, some commands in the existing configuration might not be replaced or negated. In this case, the resulting configuration file is a mixture of the existing configuration file and the copied configuration file, with the copied configuration file having precedence. To restore a configuration file to an exact copy of a file stored on a server, copy the configuration file directly to the startup configuration (by using the copy {ftp: | rcp: | tftp:}nvram:startup-config privileged EXEC command), and reload the access point.Configuration File Types and LocationStartup configuration files are used during system startup to configure the software. Running configuration files contain the current configuration of the software. The two configuration files can be different. For example, you might want to change the configuration for a short time period rather than permanently. In this case, you would change the running configuration but not save the configuration by using the copy running-config startup-config privileged EXEC command.The running configuration is saved in DRAM; the startup configuration is stored in the NVRAM section of Flash memory.
19-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Configuration FilesCreating a Configuration File by Using a Text EditorWhen creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:Step 1 Copy an existing configuration from an access point to a server.For more information, see the “Downloading the Configuration File by Using TFTP” section on page 19-11, the “Downloading a Configuration File by Using FTP” section on page 19-13, or the “Downloading a Configuration File by Using RCP” section on page 19-16.Step 2 Open the configuration file in a text editor such as vi or emacs on UNIX or Notepad on a PC.Step 3 Extract the portion of the configuration file with the desired commands, and save it in a new file.Step 4 Copy the configuration file to the appropriate server location. For example, copy the file to the TFTP directory on the workstation (usually /tftpboot on a UNIX workstation).Step 5 Make sure the permissions on the file are set to world-read.Copying Configuration Files by Using TFTPYou can configure the access point by using configuration files you create, download from another access point, or download from a TFTP server. You can copy (upload) configuration files to a TFTP server for storage.This section includes this information:•Preparing to Download or Upload a Configuration File by Using TFTP, page 19-10•Downloading the Configuration File by Using TFTP, page 19-11•Uploading the Configuration File by Using TFTP, page 19-11Preparing to Download or Upload a Configuration File by Using TFTPBefore you begin downloading or uploading a configuration file by using TFTP, perform these tasks:•Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpbootMake sure that the /etc/services file contains this line:tftp 69/udpNote You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastbootcommand (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For more information on the TFTP daemon, refer to the documentation for your workstation.•Ensure that the access point has a route to the TFTP server. The access point and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command.
19-11Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Configuration Files•Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).•For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.•Before uploading the configuration file, you might need to create an empty file on the TFTP server. To create an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading it to the server.•During upload operations, if you are overwriting an existing file (including an empty file, if you had to create one) on the server, ensure that the permissions on the file are set correctly. Permissions on the file should be world-write.Downloading the Configuration File by Using TFTPTo configure the access point by using a configuration file downloaded from a TFTP server, follow these steps:Step 1 Copy the configuration file to the appropriate TFTP directory on the workstation.Step 2 Verify that the TFTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using TFTP” section on page 19-10.Step 3 Log into the access point through a Telnet session.Step 4 Download the configuration file from the TFTP server to configure the access point. Specify the IP address or host name of the TFTP server and the name of the file to download.Use one of these privileged EXEC commands:•copy tftp:[[[//location]/directory]/filename]system:running-config•copy tftp:[[[//location]/directory]/filename]nvram:startup-configThe configuration file downloads, and the commands are executed as the file is parsed line-by-line.This example shows how to configure the software from the file tokyo-confg at IP address 172.16.2.155:ap# copy tftp://172.16.2.155/tokyo-confg system:running-configConfigure using tokyo-confg from 172.16.2.155? [confirm] yBooting tokyo-confg from 172.16.2.155:!!! [OK - 874/16000 bytes]Uploading the Configuration File by Using TFTPTo upload a configuration file from an access point to a TFTP server for storage, follow these steps:Step 1 Verify that the TFTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using TFTP” section on page 19-10.Step 2 Log into the access point through a Telnet session.Step 3 Upload the access point configuration to the TFTP server. Specify the IP address or host name of the TFTP server and the destination filename.
19-12Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Configuration FilesUse one of these privileged EXEC commands:•copy system:running-config tftp:[[[//location]/directory]/filename]•copy nvram:startup-config tftp:[[[//location]/directory]/filename]The file is uploaded to the TFTP server.This example shows how to upload a configuration file from an access point to a TFTP server:ap# copy system:running-config tftp://172.16.2.155/tokyo-confgWrite file tokyo-confg on host 172.16.2.155? [confirm] y#Writing tokyo-confg!!! [OK]Copying Configuration Files by Using FTPYou can copy configuration files to or from an FTP server.The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the access point to a server by using FTP, the Cisco IOS software sends the first valid username in this list:•The username specified in the copy command if a username is specified.•The username set by the ip ftp username username global configuration command if the command is configured.•Anonymous.The access point sends the first valid password in this list:•The password specified in the copy command if a password is specified.•The password set by the ip ftp password password global configuration command if the command is configured.•The access point forms a password named username@apname.domain. The variable username is the username associated with the current session, apname is the configured host name, and domain is the domain of the access point.The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request.Use the ip ftp username and ip ftp password commands to specify a username and password for all copies. Include the username in the copy command if you want to specify only a username for that copy operation. If the server has a directory structure, the configuration file is written to or copied from the directory associated with the username on the server. For example, if the configuration file resides in the home directory of a user on the server, specify that user's name as the remote username. For more information, refer to the documentation for your FTP server.This section includes this information:•Preparing to Download or Upload a Configuration File by Using FTP, page 19-13•Downloading a Configuration File by Using FTP, page 19-13•Uploading a Configuration File by Using FTP, page 19-14
19-13Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Configuration FilesPreparing to Download or Upload a Configuration File by Using FTPBefore you begin downloading or uploading a configuration file by using FTP, perform these tasks:•Ensure that the access point has a route to the FTP server. The access point and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.•If you are accessing the access point through a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new FTP username by using the ip ftp username username global configuration command during all copy operations. The new username is stored in NVRAM. If you are accessing the access point through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the copy command if you want to specify a username for only that copy operation. •When you upload a configuration file to the FTP server, it must be properly configured to accept the write request from the user on the access point.For more information, refer to the documentation for your FTP server.Downloading a Configuration File by Using FTPBeginning in privileged EXEC mode, follow these steps to download a configuration file by using FTP:This example shows how to copy a configuration file named host1-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 and to load and run those commands on the access point:ap# copy ftp://netadmin1:mypass@172.16.101.101/host1-confg system:running-configConfigure using host1-confg from 172.16.101.101? [confirm]Command PurposeStep 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using FTP” section on page 19-13.Step 2 Log into the access point through a Telnet session.Step 3 configure terminal Enter global configuration mode on the access point.This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). Step 4 ip ftp username username (Optional) Change the default remote username.Step 5 ip ftp password password (Optional) Change the default password.Step 6 end Return to privileged EXEC mode. Step 7 copy ftp:[[[//[username[:password]@]location]/directory]/filename]system:running-configor copy ftp:[[[//[username[:password]@]location]/directory]/filename]nvram:startup-configUsing FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
19-14Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Configuration FilesConnected to 172.16.101.101Loading 1112 byte file host1-confg:![OK]ap#%SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101This example shows how to specify a remote username of netadmin1. The software copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the access point startup configuration.ap# configure terminalap(config)# ip ftp username netadmin1ap(config)# ip ftp password mypassap(config)# endap# copy ftp: nvram:startup-configAddress of remote host [255.255.255.255]? 172.16.101.101Name of configuration file[rtr2-confg]? host2-confgConfigure using host2-confg from 172.16.101.101?[confirm]Connected to 172.16.101.101Loading 1112 byte file host2-confg:![OK][OK]ap#%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by ftp from 172.16.101.101Uploading a Configuration File by Using FTPBeginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:This example shows how to copy the running configuration file named ap2-confg to the netadmin1directory on the remote host with an IP address of 172.16.101.101: ap# copy system:running-config ftp://netadmin1:mypass@172.16.101.101/ap2-confgWrite file ap2-confg on host 172.16.101.101?[confirm]Command PurposeStep 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using FTP” section on page 19-13.Step 2 Log into the access point through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). Step 4 ip ftp username username (Optional) Change the default remote username.Step 5 ip ftp password password (Optional) Change the default password.Step 6 end Return to privileged EXEC mode. Step 7 copy system:running-config ftp:[[[//[username[:password]@]location]/directory]/filename]or copy nvram:startup-config ftp:[[[//[username[:password]@]location]/directory]/filename]Using FTP, store the access point running or startup configuration file to the specified location.
19-15Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Configuration FilesBuilding configuration...[OK]Connected to 172.16.101.101ap#This example shows how to store a startup configuration file on a server by using FTP to copy the file:ap# configure terminalap(config)# ip ftp username netadmin2ap(config)# ip ftp password mypassap(config)# endap# copy nvram:startup-config ftp:Remote host[]? 172.16.101.101Name of configuration file to write [ap2-confg]?Write file ap2-confg on host 172.16.101.101?[confirm]![OK]Copying Configuration Files by Using RCPThe Remote Copy Protocol (RCP) provides another method of downloading, uploading, and copying configuration files between remote hosts and the access point. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented. To use RCP to copy files, the server from or to which you will be copying files must support RCP. The RCP copy commands rely on the rsh server (or daemon) on the remote system. To copy files by using RCP, you do not need to create a server for file distribution as you do with TFTP. You only need to have access to a server that supports the remote shell (rsh). (Most UNIX systems support rsh.) Because you are copying a file from one place to another, you must have read permission on the source file and write permission on the destination file. If the destination file does not exist, RCP creates it for you.The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the access point to a server, the Cisco IOS software sends the first valid username in this list:•The username specified in the copy command if a username is specified.•The username set by the ip rcmd remote-username username global configuration command if the command is configured.•The remote username associated with the current TTY (terminal) process. For example, if the user is connected to the router through Telnet and was authenticated through the username command, the access point software sends the Telnet username as the remote username. •The access point host name.For a successful RCP copy request, you must define an account on the network server for the remote username. If the server has a directory structure, the configuration file is written to or copied from the directory associated with the remote username on the server. For example, if the configuration file is in the home directory of a user on the server, specify that user's name as the remote username. This section includes this information:•Preparing to Download or Upload a Configuration File by Using RCP, page 19-16•Downloading a Configuration File by Using RCP, page 19-16•Uploading a Configuration File by Using RCP, page 19-17
19-16Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Configuration FilesPreparing to Download or Upload a Configuration File by Using RCPBefore you begin downloading or uploading a configuration file by using RCP, perform these tasks:•Ensure that the workstation acting as the RCP server supports the remote shell (rsh).•Ensure that the access point has a route to the RCP server. The access point and the server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the RCP server by using the ping command.•If you are accessing the access point through a Telnet session and you do not have a valid username, make sure that the current RCP username is the one that you want to use for the RCP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new RCP username by using the ip rcmd remote-username usernameglobal configuration command to be used during all copy operations. The new username is stored in NVRAM. If you are accessing the access point through a Telnet session and you have a valid username, this username is used, and you do not need to set the RCP username. Include the username in the copy command if you want to specify a username for only that copy operation. •When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the access point. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server. For example, suppose that the access point contains these configuration lines:hostname ap1ip rcmd remote-username User0If the access point IP address translates to ap1.company.com, the .rhosts file for User0 on the RCP server should contain this line:ap1.company.com ap1For more information, refer to the documentation for your RCP server.Downloading a Configuration File by Using RCPBeginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:Command PurposeStep 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using RCP” section on page 19-16.Step 2 Log into the access point through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username (see Steps 4 and 5). Step 4 ip rcmd remote-username username (Optional) Specify the remote username.
19-17Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Configuration FilesThis example shows how to copy a configuration file named host1-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 and load and run those commands on the access point:ap# copy rcp://netadmin1@172.16.101.101/host1-confg system:running-configConfigure using host1-confg from 172.16.101.101? [confirm]Connected to 172.16.101.101Loading 1112 byte file host1-confg:![OK]ap#%SYS-5-CONFIG: Configured from host1-config by rcp from 172.16.101.101This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the startup configuration:ap# configure terminalap(config)# ip rcmd remote-username netadmin1ap(config)# endap# copy rcp: nvram:startup-configAddress of remote host [255.255.255.255]? 172.16.101.101Name of configuration file[rtr2-confg]? host2-confgConfigure using host2-confg from 172.16.101.101?[confirm]Connected to 172.16.101.101Loading 1112 byte file host2-confg:![OK][OK]ap#%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by rcp from 172.16.101.101Uploading a Configuration File by Using RCPBeginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:Step 5 end Return to privileged EXEC mode. Step 6 copy rcp:[[[//[username@]location]/directory]/filename]system:running-configor copy rcp:[[[//[username@]location]/directory]/filename]nvram:startup-configUsing RCP, copy the configuration file from a network server to the running configuration or to the startup configuration file. Command PurposeCommand PurposeStep 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using RCP” section on page 19-16.Step 2 Log into the access point through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username (see Steps 4 and 5). Step 4 ip rcmd remote-username username (Optional) Specify the remote username.
19-18Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesThis example shows how to copy the running configuration file named ap2-confg to the netadmin1directory on the remote host with an IP address of 172.16.101.101: ap# copy system:running-config rcp://netadmin1@172.16.101.101/ap2-confgWrite file ap-confg on host 172.16.101.101?[confirm]Building configuration...[OK]Connected to 172.16.101.101ap#This example shows how to store a startup configuration file on a server:ap# configure terminalap(config)# ip rcmd remote-username netadmin2ap(config)# endap# copy nvram:startup-config rcp:Remote host[]? 172.16.101.101Name of configuration file to write [ap2-confg]?Write file ap2-confg on host 172.16.101.101?[confirm]![OK]Clearing Configuration InformationThis section describes how to clear configuration information. Deleting a Stored Configuration FileCaution You cannot restore a file after it has been deleted. To delete a saved configuration from Flash memory, use the delete flash:filename privileged EXEC command. Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the access point prompts for confirmation on destructive file operations. For more information about the file prompt command, refer to the Cisco IOS Command Reference for Release 12.1.Working with Software ImagesThis section describes how to archive (download and upload) software image files, which contain the system software, IOS code, radio firmware, and the web management HTML files.You download an access point image file from a TFTP, FTP, or RCP server to upgrade the access point software. You upload an access point image file to a TFTP, FTP, or RCP server for backup purposes. You can use this uploaded image for future downloads to the same access point or another of the same type.Step 5 end Return to privileged EXEC mode. Step 6 copy system:running-config rcp:[[[//[username@]location]/directory]/filename]or copy nvram:startup-config rcp:[[[//[username@]location]/directory]/filename]Using RCP, copy the configuration file from an access point running or startup configuration file to a network server.Command Purpose
19-19Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesThe protocol you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP. These improvements are possible because FTP and RCP are built on and use the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which is connection-oriented.This section includes this information:•Image Location on the Access Point, page 19-19•tar File Format of Images on a Server or Cisco.com, page 19-19•Copying Image Files by Using TFTP, page 19-20•Copying Image Files by Using FTP, page 19-23•Copying Image Files by Using RCP, page 19-27•Reloading the Image Using the Web Browser Interface, page 19-32Note For a list of software images and supported upgrade paths, refer to the release notes for your access point.Image Location on the Access PointThe IOS image is stored in a directory that shows the version number. A subdirectory contains the HTML files needed for web management. The image is stored on the system board Flash memory (flash:). You can use the show version privileged EXEC command to see the software version that is currently running on your access point. In the display, check the line that begins with System image file is...It shows the directory name in Flash memory where the image is stored.You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images you might have stored in Flash memory.tar File Format of Images on a Server or Cisco.comSoftware images located on a server or downloaded from Cisco.com are provided in a tar file format, which contains these files:•info fileThe info file is always at the beginning of the tar file and contains information about the files within it. •IOS image•Web management files needed by the HTTP server on the access point•radio firmware 5000.img file•info.ver fileThe info.ver file is always at the end of the tar file and contains the same information as the info file. Because it is the last file in the tar file, its existence means that all files in the image have been downloaded.Note The tar file sometimes ends with an extension other than .tar.
19-20Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesCopying Image Files by Using TFTPYou can download an access point image from a TFTP server or upload the image from the access point to a TFTP server.You download an access point image file from a server to upgrade the access point software. You can overwrite the current image with the new one.You upload an access point image file to a server for backup purposes; this uploaded image can be used for future downloads to the same or another access point of the same type.This section includes this information:•Preparing to Download or Upload an Image File by Using TFTP, page 19-20•Downloading an Image File by Using TFTP, page 19-21•Uploading an Image File by Using TFTP, page 19-22Preparing to Download or Upload an Image File by Using TFTPBefore you begin downloading or uploading an image file by using TFTP, perform these tasks:•Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpbootMake sure that the /etc/services file contains this line:tftp 69/udpNote You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastbootcommand (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For more information on the TFTP daemon, refer to the documentation for your workstation.•Ensure that the access point has a route to the TFTP server. The access point and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command.•Ensure that the image to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).•For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.•Before uploading the image file, you might need to create an empty file on the TFTP server. To create an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading the image to the server.•During upload operations, if you are overwriting an existing file (including an empty file, if you had to create one) on the server, ensure that the permissions on the file are set correctly. Permissions on the file should be world-write.
19-21Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesDownloading an Image File by Using TFTPYou can download a new image file and replace the current image or keep the current image. Caution For the download and upload algorithms to operate properly, do not rename image directories.Beginning in privileged EXEC mode, follow Steps 1 through 3 to download a new image from a TFTP server and overwrite the existing image. Note To avoid an unsuccessful download, use the archive download-sw /safe command, which downloads the image first and does not delete the current running version until the download succeeds.Command PurposeStep 1 . Copy the image to the appropriate TFTP directory on the workstation. Make sure the TFTP server is properly configured; see the “Preparing to Download or Upload an Image File by Using TFTP” section on page 19-20Step 2 Log into the access point through a Telnet session.Step 3 archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-nameDownload the image file from the TFTP server to the access point, and overwrite the current image.•The /overwrite option overwrites the software image in Flash with the downloaded image.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For //location, specify the IP address of the TFTP server.•For /directory/image-name, specify the directory (optional) and the image to download. Directory and image names are case sensitive.Step 4 archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-nameDownload the image file from the TFTP server to the access point, and keep the current image.•The /leave-old-sw option keeps the old software version after a download.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For //location, specify the IP address of the TFTP server.•For /directory/image-name, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
19-22Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesThe download algorithm verifies that the image is appropriate for the access point model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the Flash device whether or not it is the same as the new one, downloads the new image, and then reloads the software.Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.If you specify the /leave-old-sw, the existing files are not removed. If there is not enough space to install the new image and keep the current running image, the download process stops, and an error message is displayed.The algorithm installs the downloaded image on the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the system boot path variable is updated to point to the newly installed image.If you kept the old image during the download process (you specified the /leave-old-sw keyword), you can remove it by entering the delete /force /recursive filesystem:/file-url privileged EXEC command. For filesystem, use flash: for the system board Flash device. For file-url, enter the directory name of the old image. All the files in the directory and the directory are removed.Uploading an Image File by Using TFTPYou can upload an image from the access point to a TFTP server. You can later download this image to the access point or to another access point of the same type.Caution For the download and upload algorithms to operate properly, do not rename image directories.Beginning in privileged EXEC mode, follow these steps to upload an image to a TFTP server:The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format. Command PurposeStep 1 Make sure the TFTP server is properly configured; see the “Preparing to Download or Upload an Image File by Using TFTP”section on page 19-20.Step 1 Log into the access point through a Telnet session.Step 2 archive upload-swtftp:[[//location]/directory]/image-name.tarUpload the currently running access point image to the TFTP server. •For //location, specify the IP address of the TFTP server.•For /directory/image-name.tar, specify the directory (optional) and the name of the software image to be uploaded. Directory and image names are case sensitive. The image-name.tar is the name of the software image to be stored on the server.
19-23Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesCopying Image Files by Using FTPYou can download an access point image from an FTP server or upload the image from the access point to an FTP server.You download an access point image file from a server to upgrade the access point software. You can overwrite the current image with the new one or keep the current image after a download.You upload an access point image file to a server for backup purposes. You can use this uploaded image for future downloads to the access point or another access point of the same type.This section includes this information:•Preparing to Download or Upload an Image File by Using FTP, page 19-23•Downloading an Image File by Using FTP, page 19-24•Uploading an Image File by Using FTP, page 19-26Preparing to Download or Upload an Image File by Using FTPYou can copy images files to or from an FTP server.The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the access point to a server by using FTP, the Cisco IOS software sends the first valid username in this list:•The username specified in the archive download-sw or archive upload-sw privileged EXEC command if a username is specified.•The username set by the ip ftp username username global configuration command if the command is configured.•Anonymous.The access point sends the first valid password in this list:•The password specified in the archive download-sw or archive upload-sw privileged EXEC command if a password is specified.•The password set by the ip ftp password password global configuration command if the command is configured.•The access point forms a password named username@apname.domain. The variable username is the username associated with the current session, apname is the configured host name, and domain is the domain of the access point.The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept the FTP write request from you.Use the ip ftp username and ip ftp password commands to specify a username and password for all copies. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation. If the server has a directory structure, the image file is written to or copied from the directory associated with the username on the server. For example, if the image file resides in the home directory of a user on the server, specify that user's name as the remote username. Before you begin downloading or uploading an image file by using FTP, perform these tasks:•Ensure that the access point has a route to the FTP server. The access point and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Verify connectivity to the FTP server by using the ping command.
19-24Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software Images•If you are accessing the access point through a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new FTP username by using the ip ftp username username global configuration command. This new name will be used during all archive operations. The new username is stored in NVRAM. If you are accessing the access point through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username for that operation only. •When you upload an image file to the FTP server, it must be properly configured to accept the write request from the user on the access point.For more information, refer to the documentation for your FTP server.Downloading an Image File by Using FTPYou can download a new image file and overwrite the current image or keep the current image. Caution For the download and upload algorithms to operate properly, do not rename image directories.Beginning in privileged EXEC mode, follow Steps 1 through 7 to download a new image from an FTP server and overwrite the existing image. To keep the current image, skip Step 7.Command PurposeStep 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload an Image File by Using FTP” section on page 19-23.Step 2 Log into the access point through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). Step 4 ip ftp username username (Optional) Change the default remote username.Step 5 ip ftp password password (Optional) Change the default password.Step 6 end Return to privileged EXEC mode.
19-25Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesNote To avoid an unsuccessful download, use the archive download-sw /safe command, which downloads the image first and does not delete the current running version until the download succeeds.The download algorithm verifies that the image is appropriate for the access point model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the Flash device, whether or not it is the same as the new one, downloads the new image, and then reloads the software.Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.Step 7 archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tarDownload the image file from the FTP server to the access point, and overwrite the current image.•The /overwrite option overwrites the software image in Flash with the downloaded image.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For //username[:password], specify the username and password; these must be associated with an account on the FTP server. For more information, see the “Preparing to Download or Upload an Image File by Using FTP” section on page 19-23.•For @location, specify the IP address of the FTP server.•For directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.Step 8 archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]/image-name.tarDownload the image file from the FTP server to the access point, and keep the current image.•The /leave-old-sw option keeps the old software version after a download.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For //username[:password], specify the username and password. These must be associated with an account on the FTP server. For more information, see the “Preparing to Download or Upload an Image File by Using FTP”section on page 19-23.•For @location, specify the IP address of the FTP server.•For directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.Command Purpose
19-26Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesIf you specify the /leave-old-sw, the existing files are not removed. If there is not enough space to install the new image and keep the running image, the download process stops, and an error message is displayed.The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT path-list is updated to point to the newly installed image. Use the privileged EXEC mode show boot command to display boot attributes, and use the global configuration boot command to change the boot attributes.If you kept the old image during the download process (you specified the /leave-old-sw keyword), you can remove it by entering the delete /force /recursive filesystem:/file-url privileged EXEC command. For filesystem, use flash: for the system board Flash device. For file-url, enter the directory name of the old software image. All the files in the directory and the directory are removed.Uploading an Image File by Using FTPYou can upload an image from the access point to an FTP server. You can later download this image to the same access point or to another access point of the same type.Caution For the download and upload algorithms to operate properly, do not rename image directories.The upload feature is available only if the HTML pages associated with the Cluster Management Suite (CMS) have been installed with the existing image.Beginning in privileged EXEC mode, follow these steps to upload an image to an FTP server:Command PurposeStep 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using FTP” section on page 19-13.Step 2 Log into the access point through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). Step 4 ip ftp username username (Optional) Change the default remote username.Step 5 ip ftp password password (Optional) Change the default password.
19-27Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesThe archive upload-sw command builds an image file on the server by uploading these files in order: info, the IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format. Copying Image Files by Using RCPYou can download an access point image from an RCP server or upload the image from the access point to an RCP server.You download an access point image file from a server to upgrade the access point software. You can overwrite the current image with the new one or keep the current image after a download.You upload an access point image file to a server for backup purposes. You can use this uploaded image for future downloads to the same access point or another of the same type.This section includes this information:•Preparing to Download or Upload an Image File by Using RCP, page 19-27•Downloading an Image File by Using RCP, page 19-29•Uploading an Image File by Using RCP, page 19-31Preparing to Download or Upload an Image File by Using RCPRCP provides another method of downloading and uploading image files between remote hosts and the access point. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented. To use RCP to copy files, the server from or to which you will be copying files must support RCP. The RCP copy commands rely on the rsh server (or daemon) on the remote system. To copy files by using RCP, you do not need to create a server for file distribution as you do with TFTP. You only need to have access to a server that supports the remote shell (rsh). (Most UNIX systems support rsh.) Because you are copying a file from one place to another, you must have read permission on the source file and write permission on the destination file. If the destination file does not exist, RCP creates it for you.Step 6 end Return to privileged EXEC mode. Step 7 archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tarUpload the currently running access point image to the FTP server. •For //username:password, specify the username and password. These must be associated with an account on the FTP server. For more information, see the “Preparing to Download or Upload an Image File by Using FTP”section on page 19-23.•For @location, specify the IP address of the FTP server.•For /directory/image-name.tar, specify the directory (optional) and the name of the software image to be uploaded. Directory and image names are case sensitive. The image-name.tar is the name of the software image to be stored on the server.Command Purpose
19-28Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesRCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the access point to a server by using RCP, the Cisco IOS software sends the first valid username in this list:•The username specified in the archive download-sw or archive upload-sw privileged EXEC command if a username is specified.•The username set by the ip rcmd remote-username username global configuration command if the command is entered.•The remote username associated with the current TTY (terminal) process. For example, if the user is connected to the router through Telnet and was authenticated through the username command, the access point software sends the Telnet username as the remote username. •The access point host name.For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. If the server has a directory structure, the image file is written to or copied from the directory associated with the remote username on the server. For example, if the image file resides in the home directory of a user on the server, specify that user’s name as the remote username. Before you begin downloading or uploading an image file by using RCP, do these tasks:•Ensure that the workstation acting as the RCP server supports the remote shell (rsh).•Ensure that the access point has a route to the RCP server. The access point and the server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the RCP server by using the ping command.•If you are accessing the access point through a Telnet session and you do not have a valid username, make sure that the current RCP username is the one that you want to use for the RCP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new RCP username by using the ip rcmd remote-username usernameglobal configuration command to be used during all archive operations. The new username is stored in NVRAM. If you are accessing the access point through a Telnet session and you have a valid username, this username is used, and there is no need to set the RCP username. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation. •When you upload an image to the RCP to the server, it must be properly configured to accept the RCP write request from the user on the access point. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server. For example, suppose the access point contains these configuration lines:hostname ap1ip rcmd remote-username User0If the access point IP address translates to ap1.company.com, the .rhosts file for User0 on the RCP server should contain this line:ap1.company.com ap1For more information, refer to the documentation for your RCP server.
19-29Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesDownloading an Image File by Using RCPYou can download a new image file and replace or keep the current image. Caution For the download and upload algorithms to operate properly, do not rename image directories.Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image. To keep the current image, skip Step 6.Command PurposeStep 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload an Image File by Using RCP” section on page 19-27.Step 2 Log into the access point through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username (see Steps 4 and 5). Step 4 ip rcmd remote-username username (Optional) Specify the remote username.Step 5 end Return to privileged EXEC mode.
19-30Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesNote To avoid an unsuccessful download, use the archive download-sw /safe command, which downloads the image first and does not delete the current running version until the download succeeds.The download algorithm verifies that the image is appropriate for the access point model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the Flash device whether or not it is the same as the new one, downloads the new image, and then reloads the software.Step 6 archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]Download the image file from the RCP server to the access point, and overwrite the current image.•The /overwrite option overwrites the software image in Flash with the downloaded image.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For //username, specify the username. For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. For more information, see the “Preparing to Download or Upload an Image File by Using RCP” section on page 19-27.•For @location, specify the IP address of the RCP server.•For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.Step 7 archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.tar]Download the image file from the RCP server to the access point, and keep the current image.•The /leave-old-sw option keeps the old software version after a download.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For //username, specify the username. For the RCP copy request to execute, an account must be defined on the network server for the remote username. For more information, see the “Preparing to Download or Upload an Image File by Using RCP” section on page 19-27.•For @location, specify the IP address of the RCP server.•For /directory]/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.Command Purpose
19-31Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesNote If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.If you specify the /leave-old-sw, the existing files are not removed. If there is not enough room to install the new image an keep the running image, the download process stops, and an error message is displayed.The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.If you kept the old software during the download process (you specified the /leave-old-sw keyword), you can remove it by entering the delete /force /recursive filesystem:/file-url privileged EXEC command. For filesystem, use flash: for the system board Flash device. For file-url, enter the directory name of the old software image. All the files in the directory and the directory are removed.Uploading an Image File by Using RCPYou can upload an image from the access point to an RCP server. You can later download this image to the same access point or to another access point of the same type.Caution For the download and upload algorithms to operate properly, do not rename image directories.The upload feature is available only if the HTML pages associated with the Cluster Management Suite (CMS) have been installed with the existing image.Beginning in privileged EXEC mode, follow these steps to upload an image to an RCP server:Command PurposeStep 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload an Image File by Using RCP” section on page 19-27.Step 2 Log into the access point through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username (see Steps 4 and 5). Step 4 ip rcmd remote-username username (Optional) Specify the remote username.
19-32Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesThe archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format. Reloading the Image Using the Web Browser InterfaceYou can also use the Web browser interface to reload the access point image file. The Web broswer interface supports loading the image file using HTTP or TFTP interfaces. Note Your access point configuration is not changed when using the browser to reload the image file.Browser HTTP InterfaceThe HTTP interface allows you to browse to the access point image file on your PC and download the image to the access point. Follow the instructions below to use the HTTP interface:Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the access point’s IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Enter your username in the User Name field.Step 4 Enter the access point password in the Password field and press Enter. The Summary Status page appears.Step 5 Click the System Software tab and then click Software Upgrade. The HTTP Upgrade screen appears.Step 6 Click the Browse button to locate the image file on your PC.Step 5 end Return to privileged EXEC mode. Step 6 archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]Upload the currently running access point image to the RCP server. •For //username, specify the username; for the RCP copy request to execute, an account must be defined on the network server for the remote username. For more information, see the “Preparing to Download or Upload an Image File by Using RCP” section on page 19-27.•For @location, specify the IP address of the RCP server.•For /directory]/image-name.tar, specify the directory (optional) and the name of the software image to be uploaded. Directory and image names are case sensitive.•The image-name.tar is the name of software image to be stored on the server.Command Purpose
19-33Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software ImagesStep 7 Click the Upload button.For additional information, click the Help icon on the Software Upgrade screen. Browser TFTP InterfaceThe TFTP interface allows you to use a TFTP server on a network device to load the access point image file. Follow the instructions below to use a TFTP server:Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the access point’s IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Enter your username in the User Name field.Step 4 Enter the access point password in the Password field and press Enter. The Summary Status page appears.Step 5 Click the System Software tab and then click Software Upgrade. The HTTP Upgrade screen appears.Step 6 Click the TFTP Upgrade tab.Step 7 Enter the IP address for the TFTP server in the TFTP Server field.Step 8 Enter the file name for the access point image file in the Upload New System Image Tar File field. If the file is located in a subdirectory of the TFTP server root directory, include the relative path of the TFTP server root directory with the filename. If the file is located in the TFTP root directory, enter only the filename.Step 9 Click the Upload button.For additional information click the Help icon on the Software Upgrade screen.
19-34Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 19 Managing Firmware and ConfigurationsWorking with Software Images
CHAPTER20-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0120Configuring System Message LoggingThis chapter describes how to configure system message logging on your access point.Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.This chapter consists of these sections:•Understanding System Message Logging, page 20-2•Configuring System Message Logging, page 20-2•Displaying the Logging Configuration, page 20-12
20-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 20 Configuring System Message LoggingUnderstanding System Message LoggingUnderstanding System Message LoggingBy default, access points send the output from system messages and debug privileged EXEC commands to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The process also sends messages to the console. Note The syslog format is compatible with 4.3 BSD UNIX.When the logging process is disabled, messages are sent only to the console. The messages are sent as they are generated, so message and debug output are interspersed with prompts or output from other commands. Messages are displayed on the console after the process that generated them has finished.You can set the severity level of the messages to control the type of messages displayed on the console and each of the destinations. You can timestamp log messages or set the syslog source address to enhance real-time debugging and management.You can access logged system messages by using the access point command-line interface (CLI) or by saving them to a properly configured syslog server. The access point software saves syslog messages in an internal buffer. You can remotely monitor system messages by accessing the access point through Telnet or by viewing the logs on a syslog server.Configuring System Message LoggingThis section describes how to configure system message logging. It contains this configuration information:•System Log Message Format, page 20-2•Default System Message Logging Configuration, page 20-3•Disabling and Enabling Message Logging, page 20-4•Setting the Message Display Destination Device, page 20-5•Enabling and Disabling Timestamps on Log Messages, page 20-6•Enabling and Disabling Sequence Numbers in Log Messages, page 20-6•Defining the Message Severity Level, page 20-7•Limiting Syslog Messages Sent to the History Table and to SNMP, page 20-8•Setting a Logging Rate Limit, page 20-9•Configuring UNIX Syslog Servers, page 20-10System Log Message FormatSystem log messages can contain up to 80 characters and a percent sign (%), which follows the optional sequence number or timestamp information, if configured. Messages are displayed in this format:seq no:timestamp: %facility-severity-MNEMONIC:descriptionThe part of the message preceding the percent sign depends on the setting of the service sequence-numbers,service timestamps log datetime,service timestamps log datetime [localtime][msec] [show-timezone], or service timestamps log uptime global configuration command.
20-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 20 Configuring System Message LoggingConfiguring System Message LoggingTable 20-1 describes the elements of syslog messages.This example shows a partial access point system message:00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down 2*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)18:47:02: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)*Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) Default System Message Logging ConfigurationTable 20-2 shows the default system message logging configuration.Table 20-1 System Log Message ElementsElement Descriptionseq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages”section on page 20-6.timestamp formats:mm/dd hh:mm:ssorhh:mm:ss (short uptime)ord h (long uptime)Date and time of the message or event. This information appears only if the service timestamps log [datetime | log] global configuration command is configured.For more information, see the “Enabling and Disabling Timestamps on Log Messages” section on page 20-6.facility The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.severity Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 20-3 on page 20-8.MNEMONIC Text string that uniquely describes the message.description Text string containing detailed information about the event being reported.Table 20-2 Default System Message Logging ConfigurationFeature Default SettingSystem message logging to the console EnabledConsole severity Debugging (and numerically lower levels; see Table 20-3 on page 20-8)Logging buffer size 4096 bytesLogging history size 1 message
20-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 20 Configuring System Message LoggingConfiguring System Message LoggingDisabling and Enabling Message LoggingMessage logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.Beginning in privileged EXEC mode, follow these steps to disable message logging:Disabling the logging process can slow down the access point because a process must wait until the messages are written to the console before continuing. When the logging process is disabled, messages are displayed on the console as soon as they are produced, often appearing in the middle of command output.The logging synchronous global configuration command also affects the display of messages to the console. When this command is enabled, messages appear only after you press Return. For more information, see the “Enabling and Disabling Timestamps on Log Messages” section on page 20-6.To re-enable message logging after it has been disabled, use the logging on global configuration command.Timestamps DisabledSynchronous logging DisabledLogging server DisabledSyslog server IP address None configuredServer facility Local7 (see Table 20-4 on page 20-11)Server severity Informational (and numerically lower levels; see Table 20-3 on page 20-8)Table 20-2 Default System Message Logging Configuration (continued)Feature Default SettingCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 no logging on Disable message logging.Step 3 end Return to privileged EXEC mode.Step 4 show running-configorshow loggingVerify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
20-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 20 Configuring System Message LoggingConfiguring System Message LoggingSetting the Message Display Destination DeviceIf message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages:The logging buffered global configuration command copies logging messages to an internal buffer. The buffer is circular, so newer messages overwrite older messages after the buffer is full. To display the messages that are logged in the buffer, use the show logging privileged EXEC command. The first message displayed is the oldest message in the buffer. To clear the contents of the buffer, use the clear logging privileged EXEC command.To disable logging to the console, use the no logging console global configuration command. To disable logging to a file, use the no logging file [severity-level-number | type] global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 logging buffered [size] [level] Log messages to an internal buffer. The default buffer size is 4096. The range is 4096 to 2147483647 bytes. Levels include emergencies 0, alerts 1, critical 2, errors 3, warnings 4, notifications 5, informational 6, and debugging 7.Note Do not make the buffer size too large because the access point could run out of memory for other tasks. Use the show memoryprivileged EXEC command to view the free processor memory on the access point; however, this value is the maximum available, and you should not set the buffer size to this amount.Step 3 logging host Log messages to a UNIX syslog server host.For host, specify the name or IP address of the host to be used as the syslog server.To build a list of syslog servers that receive logging messages, enter this command more than once.For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 20-10.Step 4 end Return to privileged EXEC mode.Step 5 terminal monitor Log messages to a non-console terminal during the current session.Terminal parameter-setting commands are set locally and do not remain in effect after the session has ended. You must perform this step for each session to see the debugging messages.Step 6 show running-config Verify your entries.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
20-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 20 Configuring System Message LoggingConfiguring System Message LoggingEnabling and Disabling Timestamps on Log MessagesBy default, log messages are not timestamped. Beginning in privileged EXEC mode, follow these steps to enable timestamping of log messages:To disable timestamps for both debug and log messages, use the no service timestamps global configuration command.This example shows part of a logging display with the service timestamps log datetime global configuration command enabled:*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)This example shows part of a logging display with the service timestamps log uptime global configuration command enabled:00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to upEnabling and Disabling Sequence Numbers in Log MessagesBecause there is a chance that more than one log message can have the same timestamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed. Beginning in privileged EXEC mode, follow these steps to enable sequence numbers in log messages:To disable sequence numbers, use the no service sequence-numbers global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 service timestamps log uptimeorservice timestamps log datetime [msec] [localtime][show-timezone]Enable log timestamps.The first command enables timestamps on log messages, showing the time since the system was rebooted.The second command enables timestamps on log messages. Depending on the options selected, the timestamp can include the date, time in milliseconds relative to the local time zone, and the time zone name.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 service sequence-numbers Enable sequence numbers.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
20-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 20 Configuring System Message LoggingConfiguring System Message LoggingThis example shows part of a logging display with sequence numbers enabled:000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)Defining the Message Severity LevelYou can limit messages displayed to the selected device by specifying the severity level of the message, which are described in Table 20-3.Beginning in privileged EXEC mode, follow these steps to define the message severity level:Note Specifying a level causes messages at that level and numerically lower levels to be displayed at the destination.To disable logging to the console, use the no logging console global configuration command. To disable logging to a terminal other than the console, use the no logging monitor global configuration command. To disable logging to syslog servers, use the no logging trap global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 logging console level Limit messages logged to the console.By default, the console receives debugging messages and numerically lower levels (see Table 20-3 on page 20-8).Step 3 logging monitor level Limit messages logged to the terminal lines.By default, the terminal receives debugging messages and numerically lower levels (see Table 20-3 on page 20-8).Step 4 logging trap level Limit messages logged to the syslog servers.By default, syslog servers receive informational messages and numerically lower levels (see Table 20-3 on page 20-8).For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 20-10.Step 5 end Return to privileged EXEC mode.Step 6 show running-configorshow loggingVerify your entries.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
20-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 20 Configuring System Message LoggingConfiguring System Message LoggingTable 20-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.The software generates four other categories of messages:•Error messages about software or hardware malfunctions, displayed at levels warnings through emergencies. These types of messages mean that the functionality of the access point is affected. •Output from the debug commands, displayed at the debugging level. Debug commands are typically used only by the Technical Assistance Center (TAC).•Interface up or down transitions and system restart messages, displayed at the notifications level. This message is only for information; access point functionality is not affected.•Reload requests and low-process stack messages, displayed at the informational level. This message is only for information; access point functionality is not affected.Limiting Syslog Messages Sent to the History Table and to SNMPIf you have enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the access point history table. You can also change the number of messages that are stored in the history table.Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination. By default, one message of the level warning and numerically lower levels (see Table 20-3 on page 20-8) are stored in the history table even if syslog traps are not enabled.Table 20-3 Message Logging Level KeywordsLevel Keyword Level Description Syslog Definitionemergencies 0 System unstable LOG_EMERGalerts 1 Immediate action needed LOG_ALERTcritical 2 Critical conditions LOG_CRITerrors 3 Error conditions LOG_ERRwarnings 4 Warning conditions LOG_WARNINGnotifications 5 Normal but significant condition LOG_NOTICEinformational 6 Informational messages only LOG_INFOdebugging 7 Debugging messages LOG_DEBUG
20-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 20 Configuring System Message LoggingConfiguring System Message LoggingBeginning in privileged EXEC mode, follow these steps to change the level and history table size defaults:When the history table is full (it contains the maximum number of message entries specified with the logging history size global configuration command), the oldest message entry is deleted from the table to allow the new message entry to be stored.To return the logging of syslog messages to the default level, use the no logging history global configuration command. To return the number of messages in the history table to the default value, use the no logging history size global configuration command.Setting a Logging Rate LimitYou can enable a limit on the number of messages that the access point logs per second. You can enable the limit for all messages or for messages sent to the console, and you can specify that messages of a specific severity are exempt from the limit.Beginning in privileged EXEC mode, follow these steps to enable a logging rate limit:To disable the rate limit, use the no logging rate-limit global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 logging history level11. Table 20-3 lists the level keywords and severity level. For SNMP usage, the severity level values increase by 1. For example, emergenciesequal 1, not 0, and critical equals 3, not 2.Change the default level of syslog messages stored in the history file and sent to the SNMP server.See Table 20-3 on page 20-8 for a list of level keywords.By default, warnings,errors,critical,alerts, and emergencies messages are sent.Step 3 logging history size number Specify the number of syslog messages that can be stored in the history table.The default is to store one message. The range is 1 to 500 messages.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 logging rate-limit seconds[all | console][except severity]Enable a logging rate limit in seconds.•(Optional) Apply the limit to all logging or only to messages logged to the console.•(Optional) Exempt a specific severity from the limit.Step 3 end Return to privileged EXEC mode.Step 4 copy running-config startup-config (Optional) Save your entries in the configuration file.
20-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 20 Configuring System Message LoggingConfiguring System Message LoggingConfiguring UNIX Syslog ServersThe next sections describe how to configure the 4.3 BSD UNIX server syslog daemon and define the UNIX system logging facility.Logging Messages to a UNIX Syslog DaemonBefore you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. Log in as root, and perform these steps:Note Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network. If this is the case with your system, use the UNIX man syslogd command to determine what options must be added to or removed from the syslog command line to enable logging of remote syslog messages.Step 1 Add a line such as the following to the file /etc/syslog.conf:local7.debug /usr/adm/logs/cisco.logThe local7 keyword specifies the logging facility to be used; see Table 20-4 on page 20-11 for information on the facilities. The debug keyword specifies the syslog level; see Table 20-3 on page 20-8for information on the severity levels. The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field. The file must already exist, and the syslog daemon must have permission to write to it.Step 2 Create the log file by entering these commands at the UNIX shell prompt:$touch /usr/adm/log/cisco.log$chmod 666 /usr/adm/log/cisco.logStep 3 Make sure the syslog daemon reads the new changes by entering this command:$kill -HUP `cat /etc/syslog.pid`For more information, see the man syslog.conf and man syslogd commands on your UNIX system.Configuring the UNIX System Logging FacilityWhen sending system log messages to an external device, you can cause the access point to identify its messages as originating from any of the UNIX syslog facilities.Beginning in privileged EXEC mode, follow these steps to configure UNIX system facility message logging:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 logging host Log messages to a UNIX syslog server host by entering its IP address.To build a list of syslog servers that receive logging messages, enter this command more than once.
20-11Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 20 Configuring System Message LoggingConfiguring System Message LoggingTo remove a syslog server, use the no logging host global configuration command, and specify the syslog server IP address. To disable logging to syslog servers, enter the no logging trap global configuration command.Table 20-4 lists the 4.3 BSD UNIX system facilities supported by the Cisco IOS software. For more information about these facilities, consult the operator’s manual for your UNIX operating system.Step 3 logging trap level Limit messages logged to the syslog servers.Be default, syslog servers receive informational messages and lower. See Table 20-3 on page 20-8 for level keywords.Step 4 logging facility facility-type Configure the syslog facility. See Table 20-4 on page 20-11 for facility-type keywords.The default is local7.Step 5 end Return to privileged EXEC mode.Step 6 show running-config Verify your entries.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeTable 20-4 Logging Facility-Type KeywordsFacility Type Keyword Descriptionauth Authorization systemcron Cron facilitydaemon System daemonkern Kernellocal0-7 Locally defined messageslpr Line printer systemmail Mail systemnews USENET newssys9 System usesys10 System usesys11 System usesys12 System usesys13 System usesys14 System usesyslog System loguser User processuucp UNIX-to-UNIX copy system
20-12Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 20 Configuring System Message LoggingDisplaying the Logging ConfigurationDisplaying the Logging ConfigurationTo display the current logging configuration and the contents of the log buffer, use the show loggingprivileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.To display the logging history file, use the show logging history privileged EXEC command.
CHAPTER21-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-0121TroubleshootingThis chapter provides troubleshooting procedures for basic problems with the access point. For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at the following URL (select Top Issues and then select Wireless Technologies):http://www.cisco.com/tac Sections in this chapter include:•Checking the Top Panel Indicators, page 21-2•Checking Basic Settings, page 21-4•Resetting to the Default Configuration, page 21-4•Reloading the Access Point Image, page 21-6
21-2Cisco Aironet 1200 Series Access Point Installation and Configuration Guide OL-3446-01Chapter 21 TroubleshootingChecking the Top Panel IndicatorsChecking the Top Panel IndicatorsIf your access point is not communicating, check the three LED indicators on the top panel. You can use them to quickly assess the unit’s status. Figure 21-1 shows the indicators. Figure 21-1 Access Point IndicatorsThe indicators signals have the following meanings (for additional details refer to Table 21-1):•The Ethernet indicator signals traffic on the wired LAN, or Ethernet infrastructure. This indicator is normally green when an Ethernet cable is connected, and blinks green when a packet is received or transmitted over the Ethernet infrastructure. The indicator is off when the Ethernet cable is not connected. •The status indicator signals operational status. Steady green indicates that the access point is associated with at least one wireless client. Blinking green indicates that the access point is operating normally but is not associated with any wireless devices.•The radio indicator blinks green to indicate radio traffic activity. The light is normally off, but it blinks green whenever a packet is received or transmitted over the access point’s radio.RadioStatusEthernet86704
21-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 21 Troubleshooting Checking the Top Panel IndicatorsTable 21-1 Top Panel Indicator SignalsMessage type Ethernet indicator Statusindicator Radioindicator MeaningBoot loader status Green – Green DRAM memory test.– Amber Red Board initialization test– Blinking green Blinking green Flash memory test.Amber Green – Ethernet initialization test.Green Green Green Starting IOS.Association status – Green – At least one wireless client device is associated with the unit.– Blinking green – No client devices are associated; check the unit’s SSID and WEP settings.Operating status – Green Blinking green Transmitting/receiving radio packets.Green – – Ethernet link is operational.Blinking green – – Transmitting/receiving Ethernet packets.Boot Loader Errors Red – Red DRAM memory test failure.– Red Red File system failure.Red Red – Ethernet failure during image recovery.Amber Green Amber Boot environment error.Red Green Red No IOS image file.Amber Amber Amber Boot failure.Operation Errors – Green Blinking amber Maximum retries or buffer full occurred on the radio.Blinking amber - – Transmit/receive Ethernet errors. – Blinking amber – General warning.Configuration Reset – Amber – Resetting the configuration options to factory defaults.Failure Red Red Red Firmware failure; try disconnecting and reconnecting unit power.Firmware Upgrade – Red – Loading new firmware image.
21-4Cisco Aironet 1200 Series Access Point Installation and Configuration Guide OL-3446-01Chapter 21 TroubleshootingChecking Basic SettingsChecking Basic SettingsMismatched basic settings are the most common causes of lost connectivity with wireless clients. If the access point does not communicate with client devices, check the following areas.SSIDWireless clients attempting to associate with the access point must use the same SSID as the access point. If a client device’s SSID does not match the SSID of an access point in radio range, the client device will not associate. The access point default SSID is tsunami.WEP KeysThe WEP key you use to transmit data must be set up exactly the same on your access point and any wireless devices with which it associates. For example, if you set WEP Key 3 on your client adapter to 0987654321 and select it as the transmit key, you must also set WEP Key 3 on the access point to exactly the same value. The access point does not need to use Key 3 as its transmit key, however.Refer to Chapter 9, “Configuring WEP and WEP Features,” for instructions on setting the access point’s WEP keys.Security SettingsWireless clients attempting to authenticate with your access point must support the same security options configured in the access point, such as EAP or LEAP, MAC address authentication, Message Integrity Check (MIC), WEP key hashing, and 802.1X protocol versions.If a wireless client is unable to authenticate with your access point, contact the system administrator for proper security settings in the client adapter and for the client adapter driver and firmware versions that are compatible with the access point settings.Note The access point MAC address that appears on the Status page in the Aironet Client Utility (ACU) is the MAC address for the access point radio. The MAC address for the access point Ethernet port is printed on the label on the back of the access point.Resetting to the Default ConfigurationIf you forget the password that allows you to configure the access point, you may need to completely reset the configuration. You can use the MODE button on the access point or the web-browser interface.Note The following steps reset all configuration settings to factory defaults, including passwords, WEP keys, the IP address, and the SSID.
21-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 21 Troubleshooting Resetting to the Default ConfigurationUsing the MODE ButtonFollow these steps to delete the current configuration and return all access point settings to the factory defaults using the MODE button:Step 1 Disconnect power (the power jack for external power or the Ethernet cable for in-line power) from the access point.Step 2 Press and hold the MODE button while you reconnect power to the access point.Step 3 Hold the MODE button until the Status LED turns amber (approximately 1 to 2 seconds), and release the button.Step 4 After the access point reboots, you must reconfigure the access point by using the Web browser interface, the Telnet interface, or IOS commands.Note The access point is configured with the factory default values including the IP address (set to receive an IP address using DHCP).Using the Web Browser InterfaceFollow the steps below to delete the current configuration and return all access point settings to the factory defaults using the web browser interface.Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the access point’s IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Enter your username in the User Name field.Step 4 Enter the access point password in the Password field and press Enter. The Summary Status page appears.Step 5 Click System Software and the System Software screen appears.Step 6 Click System Configuration and the System Configuration screen appears.Step 7 Click the Reset to Defaults button.Note If the access point is configured with a static IP address, the IP address does not change.Step 8 After the access point reboots, you must reconfigure the access point by using the Web browser interface, the Telnet interface, or IOS commands.
21-6Cisco Aironet 1200 Series Access Point Installation and Configuration Guide OL-3446-01Chapter 21 TroubleshootingReloading the Access Point ImageReloading the Access Point ImageIf your access point has a firmware failure, you must reload the complete access point image file using the Web browser interface or by pressing and holding the MODE button for around 30 seconds. You can use the browser interface if the access point firmware is still fully operational and you want to upgrade the firmware image. However, you can use the MODE button when the access point has a corrupt firmware image. Using the MODE buttonYou can use the MODE button on the access point to reload the access point image file from an active Trivial File Transfer Protocol (TFTP) server on your network or on a PC connected to the access point Ethernet port. Note If your access point experiences a firmware failure or a corrupt firmware image, indicated by three red LED indicators, you must reload the image from a connected TFTP server.Note This process resets all configuration settings to factory defaults, including passwords, WEP keys, the access point IP address, and SSIDs. Follow the steps below to reload the access point image file:Step 1 The PC you intend to use must be configured with a static IP address in the range of 10.0.0.2 to 10.0.0.30.Step 2 Make sure the PC contains the access point image file (c1100-k9w7-tar.default) in the TFTP server folder and the TFTP server is activated. For additional information, refer to the “Obtaining the Access Point Image File” and “Obtaining the TFTP Server Software” sections. Step 3 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.Step 4 Disconnect power (the power jack for external power or the Ethernet cable for in-line power) from the access point.Step 5 Press and hold the MODE button while you reconnect power to the access point.Step 6 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds), and release the MODE button.Step 7 Wait until the access point reboots as indicated by all LEDs turning green followed by the Status LED blinking green.Step 8 After the access point reboots, you must reconfigure the access point by using the Web interface, the Telnet interface, or IOS commands.
21-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 21 Troubleshooting Reloading the Access Point ImageWeb Browser InterfaceYou can also use the Web browser interface to reload the access point image file. The Web broswer interface supports loading the image file using HTTP or TFTP interfaces. Note Your access point configuration is not changed when using the browser to reload the image file.Browser HTTP InterfaceThe HTTP interface enables you to browse to the access point image file on your PC and download the image to the access point. Follow the instructions below to use the HTTP interface:Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the access point’s IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Enter your username in the User Name field.Step 4 Enter the access point password in the Password field and press Enter. The Summary Status page appears.Step 5 Click the System Software tab and then click Software Upgrade. The HTTP Upgrade screen appears.Step 6 Click the Browse button to locate the image file on your PC.Step 7 Click the Upload button.For additional information, click the Help icon on the Software Upgrade screen. Browser TFTP InterfaceThe TFTP interface allows you to use a TFTP server on a network device to load the access point image file. Follow the instructions below to use a TFTP server:Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the access point’s IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Enter your username in the User Name field.Step 4 Enter the access point password in the Password field and press Enter. The Summary Status page appears.Step 5 Click the System Software tab and then click Software Upgrade. The HTTP Upgrade screen appears.Step 6 Click the TFTP Upgrade tab.Step 7 Enter the IP address for the TFTP server in the TFTP Server field.
21-8Cisco Aironet 1200 Series Access Point Installation and Configuration Guide OL-3446-01Chapter 21 TroubleshootingReloading the Access Point ImageStep 8 Enter the file name for the access point image file in the Upload New System Image Tar File field. If the file is located in a subdirectory of the TFTP server root directory, include the relative path of the TFTP server root directory with the filename. If the file is located in the TFTP root directory, enter only the filename.Step 9 Click the Upload button.For additional information click the Help icon on the Software Upgrade screen. Obtaining the Access Point Image FileThe access point image file can be obtained from the Cisco.com software center using the following steps:Step 1 Use your Internet browser to access the Cisco Software Center at the following URL:http://www.cisco.com/public/sw-center/sw-wireless.shtmlStep 2 Locate the access point firmware and utilities section and click on the link for the 1100 series access point.Step 3 Double-click the latest firmware image file (c1100-k9w7-tar.122-4.JA).Step 4 Download the access point image file to a directory on your PC hard drive.
21-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 21 Troubleshooting Reloading the Access Point ImageObtaining the TFTP Server SoftwareThe TFTP server software (self-extracting and installing file) can be obtained from the Cisco.com software center using the following URL:http://www.cisco.com/public/sw-center/sw-web.shtmlDownload the file to a temporary directory on your PC hard drive. To install the TFTP server, double-click the downloaded file and follow the installer program instructions.Activating and Configuring the TFTP ServerFollow the steps below to activate the TFTP server and specify the location of the access point image file: Step 1 Double-click the Cisco TFTP Server icon on your PC’s desktop to activate the server program.Step 2 Select Options from the View drop-down menu. The Options screen appears.Step 3 Click the Browse button of the TFTP server root directory field and locate the access point image file.Step 4 Click OK.
21-10Cisco Aironet 1200 Series Access Point Installation and Configuration Guide OL-3446-01Chapter 21 TroubleshootingReloading the Access Point Image
CHAPTER22-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01222.4-GHz Radio UpgradeThis chapter provides upgrade instructions for the 2.4-GHz radio module and includes the following sections:•Upgrade Overview, page 22-2•Opening the Access Cover, page 22-3•Removing a Blank Spacer Card, page 22-4•Removing a 2.4-GHz Radio, page 22-5•Installing a 2.4-GHz Radio, page 22-7
22-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 22 2.4-GHz Radio UpgradeUpgrade OverviewUpgrade OverviewThis section provides instructions for upgrading the access point 2.4-GHz radio. The following operations summarize the upgrade procedure: •Remove all cables and power connections from the access point.•Follow standard electrostatic discharge (ESD) procedures.•Place the access point on an ESD-protected work surface.•Open the access point’s 2.4-GHz radio access cover.•For an access point without the 2.4-GHz radio feature, remove the blank spacer card.•For an access point with the 2.4-GHz radio feature, remove the existing 2.4-GHz card.•Install the new 2.4-GHz radio card.•Close the access point 2.4-GHz radio access cover.Caution ESD can damage the Cisco Aironet radio and the internal components of the access point. It is recommended that the 2.4-GHz radio upgrade procedures be performed by an ESD-trained service technician at an ESD-protected workstation.Note After you install the new radio, all configurable radio settings will be at default values. Refer to Chapter 7, “Configuring Radio Settings,” for complete instructions on configuring the new radio.Unpacking the RadioEach 2.4-GHz radio is shipped with the following items:•Quick start guide•A product registration card•A T-10 tamper-resistant Torx L-wrench•A 2.4-GHz radio product compliance labelIf anything is missing or damaged, contact your Cisco representative for support.
22-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 22 2.4-GHz Radio UpgradeOpening the Access CoverOpening the Access CoverTo open the 2.4-GHz radio access cover, follow the steps below:Step 1 Remove all cables and power connections from the access point.Step 2 Remove all static-generating items from the work area, such as plastic material, styrofoam cups, and other similar items.Step 3 Place the access point and the new 2.4-GHz radio (in its antistatic bag) on an antistatic work surface.Step 4 Discharge any static buildup on your body by touching a grounded surface (antistatic work surface) before proceeding.Step 5 Position the access point so that the bottom cover is facing up.Caution The internal access point components and the 2.4-GHz radio can be damaged by ESD from improper handling. Step 6 Remove the bottom access cover (see Figure 22-1) using the T-10 tamper-resistant Torx L-wrench provided with your Cisco radio card.Figure 22-1 Location of 2.4-GHz Radio Access Cover ScrewIf your access point was not configured with a 2.4-GHz radio, go to the “Removing a Blank Spacer Card”section. If you are replacing an existing 2.4-GHz radio, go to the “Removing a 2.4-GHz Radio” section.1Access Cover Screw174458
22-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 22 2.4-GHz Radio UpgradeRemoving a Blank Spacer CardRemoving a Blank Spacer CardWhen your access point is not factory-configured with a 2.4-GHz radio, it contains a blank spacer card in the internal mini-PCI connector. You must remove the blank spacer card prior to installing a new 2.4-GHz radio card.Caution Handle all components carefully and observe all ESD precautions. The internal access point components and the 2.4-GHz radio can be damaged by ESD from improper handling. To remove the blank spacer card from the mini-PCI connector, following the steps below:Step 1 Push the card-retaining clips (on each side of card) away from the card (see Figure 22-2). When released, the board springs up.Figure 22-2 Location of Retaining Clips on Blank Spacer CardStep 2 Carefully bend the card near the slots in opposite directions to provide enough clearance to remove the antenna wires.1Card-retaining clips 3Antenna connector (black wire)2Antenna connector (white wire)742481 3 12
22-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 22 2.4-GHz Radio UpgradeRemoving a 2.4-GHz RadioStep 3 Remove the antenna wires from the blank spacer card.Caution To avoid damaging the antenna wire assemblies, handle them by their connectors.Step 4 Remove the blank spacer card from the mini-PCI connector.For instructions on installing the radio card, go to the “Installing a 2.4-GHz Radio” section.Removing a 2.4-GHz RadioTo remove a 2.4-GHz radio card from your access point, follow the steps below:Caution The internal access point components and the 2.4-GHz radio can be damaged by ESD from improper handling. Step 1 Use your fingers to carefully remove the antenna wire connectors from the 2.4-GHz radio card.Caution The antenna connectors can be damaged by using a pair of long-nose pliers during the removal process.Caution To avoid damaging the antenna wire assemblies, handle them by their connectors.
22-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 22 2.4-GHz Radio UpgradeRemoving a 2.4-GHz RadioStep 2 Remove the 2.4-GHz radio card from the mini-PCI connector by performing the following operations:a. Push the card-retaining clips (on each side of card) away from the card (see Figure 22-3). When released, the radio card springs up (see Figure 22-4).Figure 22-3 Location of Retaining Clips on 2.4-GHz Radio Cardb. Grasp the radio card only on the edges, being careful not to touch components on the board or the gold connector pins.c. Remove the 2.4-GHz card from the mini-PCI connector.Step 3 Place the removed 2.4GHz radio card into an anti-static bag.For instructions on installing a new radio card, go to the “Installing a 2.4-GHz Radio” section.1Card-retaining clipsMAIN AUX742531 1
22-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 22 2.4-GHz Radio UpgradeInstalling a 2.4-GHz RadioInstalling a 2.4-GHz RadioTo install a new 2.4-GHz radio card into the access point, follow the steps below. Caution The internal access point components and the 2.4-GHz radio can be damaged by ESD from improper handling. Step 1 Carefully remove the Cisco Aironet 2.4-GHz radio card from its anti-static bag.Step 2 Grasp the radio card only on the edges, being careful not to touch components on the board or the gold connector pins.Step 3 Connect the black antenna wire connector to the radio card antenna connector marked by the black label (see Figure 22-4).Caution To avoid damaging the antenna wire assemblies, handle them by their connectors.Figure 22-4 Antenna Connector Labels and Mini-PCI ConnectorStep 4 Connect the white antenna wire connector to the radio card antenna connector marked by the white label (see Figure 22-4).MAIN AUX742513211Antenna connector (black wire) 3Mini-PCI connector2Antenna connector (white wire)
22-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 22 2.4-GHz Radio UpgradeInstalling a 2.4-GHz RadioStep 5 Insert the radio card into the access point’s mini-PCI connector by following the steps below:a. Tilt the radio card at approximately 20o to 30oso that its gold pins are aligned with the mini-PCI connector (see Figure 22-4).b. Push the card into the mini-PCI connector until it clicks into place.Step 6 Carefully push the card down (towards the access point’s motherboard) until the card-retaining clips lock into the notches on the side of the radio card (you will hear a click).Step 7 Carefully position the antenna wires so that the metal connectors do not touch each other.Caution Damage to the radio could occur if the antenna connectors are touching when power is applied. If they are touching, carefully rotate them in opposite directions until they are separated.Step 8 Reinstall the 2.4-GHz radio access cover and use the T-10 tamper-resistant Torx L-wrench to tighten the cover’s retaining screw.Step 9 Remove the backing paper from the 2.4-GHz radio product compliance label.Step 10 Carefully attach the label in the space provided below the access point’s product compliance label as shown in Figure 22-5.Figure 22-5 Location of Product Compliance LabelsNote If your access point contains a 5-GHz radio module, there will also be a 5-GHz radio product compliance label on the back of the unit. The radio card installation is now complete. To configure the radio with your wireless network settings, refer to Chapter 7, “Configuring Radio Settings.”12.4-GHz radio product compliance label 2Access point product compliance label1 274246
CHAPTER23-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01235-GHz Radio Module UpgradeThis chapter provides upgrade instructions for the 5-GHz radio module and includes the following sections:•Upgrade Overview, page 23-2•Removing the 5-GHz Radio Access Cover, page 23-2•Removing a 5-GHz Radio Module, page 23-3•Installing a 5-GHz Radio Module, page 23-5
23-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 23 5-GHz Radio Module UpgradeUpgrade OverviewUpgrade OverviewThis section provides instructions for upgrading the access point 5-GHz radio module. The following operations summarize the upgrade procedure: 1. Remove all cables and power connections from the access point.2. Place your access point on a flat surface.3. For an access point without the 5-GHz radio feature, remove the 5-GHz radio access cover.4. For an access point with the 5-GHz radio feature, remove the existing 5-GHz radio module.5. Install the new 5-GHz radio module.Note After you install the radio module, all configurable radio settings will be at default values. Refer to Chapter 7, “Configuring Radio Settings,” for complete instructions on configuring the new radio.Unpacking the Radio ModuleEach 5-GHz radio module is shipped with the following items:•Quick start guide•A product registration card•A T-10 tamper-resistant Torx L-wrench•A 5-GHz radio product compliance labelIf anything is missing or damaged, contact your Cisco representative for support.Removing the 5-GHz Radio Access CoverTo remove the 5-GHz radio access cover, follow the instructions below:Step 1 Remove all cables and power connections from the access point.Step 2 Place the access point on a flat surface so that the unit is upright with the front end facing you.
23-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 23 5-GHz Radio Module UpgradeRemoving a 5-GHz Radio ModuleStep 3 Remove the 5-GHz access cover (see Figure 23-1) using the supplied Torx L-wrench.Figure 23-1 5-GHz Radio Access CoverRemoving a 5-GHz Radio ModuleTo remove the 5-GHz radio module, follow the instructions below:Step 1 Remove all cables and power connections from the access point.Step 2 Place the access point on a flat surface so that the unit is upright with the front end facing you.Step 3 Unscrew the two mounting screws using the supplied Torx L-wrench (Figure 23-2).Figure 23-2 5-GHz Radio Module Note Do not attempt to remove the mounting screws from the module; they are captured in the module housing.1Access Cover Screws 2 Access Cover1 12746321Mounting screws 3 Access point25-GHz radio module antenna746311 1 2 3
23-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 23 5-GHz Radio Module UpgradeRemoving a 5-GHz Radio ModuleStep 4 Insert your fingers into the base of the 5-GHz radio module (closest to the access point) and pull straight out from the access point (see Figure 23-3).Figure 23-3 Removing the 5-GHz Radio ModuleStep 5 Fold the antenna down (towards the attached radio card) and insert the module into a static protected bag.74629
23-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 23 5-GHz Radio Module UpgradeInstalling a 5-GHz Radio ModuleInstalling a 5-GHz Radio ModuleTo install a new 5-GHz radio module into your access point, follow the steps below:Step 1 Before you can install a new 5-GHz radio module, you must remove the access cover or an existing 5-GHz radio module (refer to “Removing the 5-GHz Radio Access Cover” or “Removing a 5-GHz Radio Module”).Step 2 Place the access point on a flat surface so that the unit is upright with the front end facing you.Step 3 Grasp the new 5-GHz radio module by it’s base (with the antenna pointing up) and insert the card into the access point’s card-bus slot (see Figure 23-4).Figure 23-4 Installing a 5-GHz Radio ModuleStep 4 Push the 5-GHz radio module into the slot until you hear a slight click.1Access point 3Access point card-bus slot25-GHz radio module antenna 45-GHz radio card74604213 4
23-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 23 5-GHz Radio Module UpgradeInstalling a 5-GHz Radio ModuleStep 5 Tighten the 5-GHz radio module mounting screws (see Figure 23-5) using the supplied Torx L-wrench.Figure 23-5 Location of Mounting ScrewsStep 6 Remove the backing paper from the 5-GHz radio product compliance label. Step 7 Carefully attach the label in the space provided below the product compliance label (see Figure 23-6).Figure 23-6 5-GHz Radio Product Compliance Label15-GHz radio module antenna 2Mounting screws2 217463015-GHz radio product compliance label 2Access point product compliance label1 274246
23-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 23 5-GHz Radio Module UpgradeInstalling a 5-GHz Radio ModuleNote If your access point contains an internal 2.4-GHz radio, there will also be a 2.4-GHz radio product compliance label on the back of the unit. The 5-GHz radio module installation is now complete and radio settings are at default values. To configure the 5-GHz radio with your wireless network settings refer to Chapter 7, “Configuring Radio Settings.”
23-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter 23 5-GHz Radio Module UpgradeInstalling a 5-GHz Radio Module
CHAPTERA-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01ATranslated Safety WarningsThis appendix provides translations of the safety warnings that appear in this publication. These translated warnings apply to other documents in which they appear in English. The following safety warnings appear in this appendix:•Dipole Antenna Installation Warning, page A-2•Explosive Device Proximity Warning, page A-3•Lightning Activity Warning, page A-4•Installation Warning, page A-5•Circuit Breaker (15A) Warning, page A-5
A-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter A Translated Safety WarningsDipole Antenna Installation WarningDipole Antenna Installation WarningWarningIn order to comply with FCC radio frequency (RF) exposure limits, dipole antennas should be located at a minimum of 7.9 inches (20 cm) or more from the body of all persons.WaarschuwingOm te voldoen aan de FCC radiofrequentie (RF) blootstellingslimieten dienen dipoolantennes zich minstens 20 cm of meer van de lichamen van alle personen bevinden.VaroitusFCC:n antamien radiotaajuuksille altistumista koskevien rajoitusten mukaan dipoliantennien on sijaittava vähintään 20 cm:n päässä kaikista henkilöistä.AttentionPour se conformer aux limites d’exposition à la fréquence radio préconisées par la FCC (Federal Communications Commission), les antennes dipôles doivent se situer à un minimum de 20 cm de toute personne.WarnungUm die in den FCC-Richtlinien festgelegten Expositionshöchstgrenzen für Radiofrequenzen (RF) nicht zu überschreiten, sollten Dipolantennen mindestens 20 cm (7,9 Zoll) vom Körper aller Person entfernt aufgestellt werden.AvvertenzaPer conformarsi ai limiti FCC di esposizione a radiofrequenza (RF), le antenne a dipolo devono stare ad una distanza minima di 20 cm dal corpo di ogni persona.AdvarselI henhold til eksponeringsgrensene for radiofrekvenser (RF), skal dipole antenner befinne seg på en avstand av minst 20 cm eller mer fra mennesker.AvisoPara estar de acordo com as normas FCC de limites de exposição para freqüência de rádio (RF), as antenas dipolo devem estar distantes no mínimo 20 cm (7,9 pol) do corpo de qualquer pessoa.¡Advertencia!Para cumplir con los límites de exposición de radio frecuencia (RF) de la Comisión Federal de Comunicaciones (FCC) es preciso ubicar las antenas dipolo a un mínimo de 20 cm (7,9 pulgadas) o más del cuerpo de las personas.Varning!För att följa FCC-exponeringsgränserna för radiofrekvens (RF), bör dipolsantenner placeras på minst 20 cm avstånd från alla människor.
A-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter A Translated Safety WarningsExplosive Device Proximity WarningExplosive Device Proximity WarningWarningDo not operate your wireless network device near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use.WaarschuwingGebruik dit draadloos netwerkapparaat alleen in de buurt van onbeschermde ontstekers of in een omgeving met explosieven indien het apparaat speciaal is aangepast om aan de eisen voor een dergelijk gebruik te voldoen.VaroitusÄlä käytä johdotonta verkkolaitetta suojaamattomien räjäytysnallien läheisyydessä tai räjäytysalueella, jos laitetta ei ole erityisesti muunnettu sopivaksi sellaiseen käyttöön.oen. AttentionNe jamais utiliser un équipement de réseau sans fil à proximité d'un détonateur non blindé ou dans un lieu présentant des risques d'explosion, sauf si l'équipement a été modifié à cet effet.WarnungBenutzen Sie Ihr drahtloses Netzwerkgerät nicht in der Nähe ungeschützter Sprengkapseln oder anderer explosiver Stoffe, es sei denn, Ihr Gerät wurde eigens für diesen Gebrauch modifiziert und bestimmt.AvvertenzaNon utilizzare la periferica di rete senza fili in prossimità di un detonatore non protetto o di esplosivi a meno che la periferica non sia stata modificata a tale proposito.AdvarselIkke bruk den trådløse nettverksenheten nært inntil uisolerte fenghetter eller i et eksplosivt miljø med mindre enheten er modifisert slik at den tåler slik bruk.AvisoNão opere o dispositivo de rede sem fios perto de cápsulas explosivas não protegidas ou num ambiente explosivo, a não ser que o dispositivo tenha sido modificado para se qualificar especialmente para essa utilização.¡Advertencia!No utilizar un aparato de la red sin cable cerca de un detonador que no esté protegido ni tampoco en un entorno explosivo a menos que el aparato haya sido modificado con ese fin.Varning!Använd inte den trådlösa nätverksenheten i närheten av oskyddade tändhattar eller i en explosiv miljö om inte enheten modifierats för att kunna användas i sådana sammanhang.
A-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter A Translated Safety WarningsLightning Activity WarningLightning Activity WarningWarningDo not work on the system or connect or disconnect cables during periods of lightning activity.WaarschuwingTijdens onweer dat gepaard gaat met bliksem, dient u niet aan het systeem te werken of kabels aan te sluiten of te ontkoppelen. VaroitusÄlä työskentele järjestelmän parissa äläkä yhdistä tai irrota kaapeleita ukkosilmalla.AttentionNe pas travailler sur le système ni brancher ou débrancher les câbles pendant un orage.WarnungArbeiten Sie nicht am System und schließen Sie keine Kabel an bzw. trennen Sie keine ab, wenn es gewittert.AvvertenzaNon lavorare sul sistema o collegare oppure scollegare i cavi durante un temporale con fulmini.AdvarselUtfør aldri arbeid på systemet, eller koble kabler til eller fra systemet når det tordner eller lyner.AvisoNão trabalhe no sistema ou ligue e desligue cabos durante períodos de mau tempo (trovoada).¡Advertencia!No operar el sistema ni conectar o desconectar cables durante el transcurso de descargas eléctricas en la atmósfera.Varning!Vid åska skall du aldrig utföra arbete på systemet eller ansluta eller koppla loss kablar.
A-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter A Translated Safety WarningsInstallation WarningInstallation WarningCircuit Breaker (15A) WarningWarningRead the installation instructions before you connect the system to its power source.WaarschuwingRaadpleeg de installatie-aanwijzingen voordat u het systeem met de voeding verbindt.VaroitusLue asennusohjeet ennen järjestelmän yhdistämistä virtalähteeseen.AttentionAvant de brancher le système sur la source d'alimentation, consulter les directives d'installation.WarnungLesen Sie die Installationsanweisungen, bevor Sie das System an die Stromquelle anschließen.AvvertenzaConsultare le istruzioni di installazione prima di collegare il sistema all’alimentatore.AdvarselLes installasjonsinstruksjonene før systemet kobles til strømkilden.AvisoLeia as instruções de instalação antes de ligar o sistema à sua fonte de energia.¡Advertencia!Ver las instrucciones de instalación antes de conectar el sistema a la red de alimentación.Varning!Läs installationsanvisningarna innan du kopplar systemet till dess strömförsörjningsenhet.WarningThis product relies on the building’s installation for short-circuit (overcurrent) protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15A U.S. (240 VAC, 10A international) is used on the phase conductors (all current-carrying conductors).WaarschuwingDit produkt is afhankelijk van de installatie van het gebouw voor kortsluit- (overstroom)beveiliging. Controleer of er een zekering of stroomverbreker van niet meer dan 120 Volt wisselstroom, 15 A voor de V.S. (240 Volt wisselstroom, 10 A internationaal) gebruikt wordt op de fasegeleiders (alle geleiders die stroom voeren).VaroitusTämä tuote on riippuvainen rakennukseen asennetusta oikosulkusuojauksesta (ylivirtasuojauksesta). Varmista, että vaihevirtajohtimissa (kaikissa virroitetuissa johtimissa) käytetään Yhdysvalloissa alle 120 voltin, 15 ampeerin ja monissa muissa maissa 240 voltin, 10 ampeerin sulaketta tai suojakytkintä.AttentionPour ce qui est de la protection contre les courts-circuits (surtension), ce produit dépend de l'installation électrique du local. Vérifier qu'un fusible ou qu'un disjoncteur de 120 V alt., 15 A U.S. maximum (240 V alt., 10 A international) est utilisé sur les conducteurs de phase (conducteurs de charge).
A-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Chapter A Translated Safety WarningsCircuit Breaker (15A) WarningWarnungDieses Produkt ist darauf angewiesen, daß im Gebäude ein Kurzschluß- bzw. Überstromschutz installiert ist. Stellen Sie sicher, daß eine Sicherung oder ein Unterbrecher von nicht mehr als 240 V Wechselstrom, 10 A (bzw. in den USA 120 V Wechselstrom, 15 A) an den Phasenleitern (allen stromführenden Leitern) verwendet wird.AvvertenzaQuesto prodotto dipende dall’installazione dell’edificio per quanto riguarda la protezione contro cortocircuiti (sovracorrente). Verificare che un fusibile o interruttore automatico, non superiore a 120 VCA, 15 A U.S. (240 VCA, 10 A internazionale) sia stato usato nei fili di fase (tutti i conduttori portatori di corrente).AdvarselDette produktet er avhengig av bygningens installasjoner av kortslutningsbeskyttelse (overstrøm). Kontroller at det brukes en sikring eller strømbryter som ikke er større enn 120 VAC, 15 A (USA) (240 VAC, 10 A internasjonalt) på faselederne (alle strømførende ledere).AvisoEste produto depende das instalações existentes para protecção contra curto-circuito (sobrecarga). Assegure-se de que um fusível ou disjuntor não superior a 240 VAC, 10A é utilizado nos condutores de fase (todos os condutores de transporte de corrente).¡Advertencia!Este equipo utiliza el sistema de protección contra cortocircuitos (o sobrecorrientes) deló propio edificio. Asegurarse de que se utiliza un fusible o interruptor automático de no más de 240 voltios en corriente alterna (VAC), 10 amperios del estándar internacional (120 VAC, 15 amperios del estándar USA) en los hilos de fase (todos aquéllos portadores de corriente).Varning!Denna produkt är beroende av i byggnaden installerat kortslutningsskydd (överströmsskydd). Kontrollera att säkring eller överspänningsskydd används på fasledarna (samtliga strömförande ledare) för internationellt bruk max. 240 V växelström, 10 A (i USA max. 120 V växelström, 15 A).
B-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01APPENDIXBDeclarations of Conformity and Regulatory InformationThis appendix provides declarations of conformity and regulatory information for the Cisco Aironet 1200 Series Access Points. This appendix contains the following sections:•Manufacturers Federal Communication Commission Declaration of Conformity Statement•Department of Communications—Canada•European Community, Switzerland, Norway, Iceland, and Liechtenstein•Declaration of Conformity for RF Exposure•Guidelines for Operating Cisco Aironet Access Points in Japan
B-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix B Declarations of Conformity and Regulatory InformationManufacturers Federal Communication Commission Declaration of Conformity StatementManufacturers Federal Communication Commission Declaration of Conformity StatementModels: AIR-AP1200 with AIR-MP20B-A-K9 and/or AIR-RM20A-A-K9,AIR-AP1210, AIR-AP1220B-A-K9, AIR-AP1230B-A-K9, AIR-AP1220A-A-K9, AIR- AP1230A-A-K9, FCC Certification number: LDK 102042 (AIR-MP20B-A-K9)LDK 102045 (AIR-RM20A-A-K9)Manufacturer: Cisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAThis device complies with Part 15 rules. Operation is subject to the following two conditions:1. This device may not cause harmful interference, and2. This device must accept any interference received, including interference that may cause undesired operation.This equipment has been tested and found to comply with the limits of a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a residential environment. This equipment generates, uses, and radiates radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference. However, there is no guarantee that interference will not occur. If this equipment does cause interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to correct the interference by one of the following measures:•Reorient or relocate the receiving antenna.•Increase separation between the equipment and receiver.•Connect the equipment to an outlet on a circuit different from which the receiver is connected.•Consult the dealer or an experienced radio/TV technician.Caution The Part 15 radio device operates on a non-interference basis with other devices operating at this frequency when using integrated antennas or those listed in Table B-1. Any changes or modification to the product not expressly approved by Cisco could void the user’s authority to operate this device.Caution Within the 5.15-5.25 GHz band (5 GHz radio channels 34-48) the U-NII devices are restricted to indoor operations to reduce any potential for harmful interference to co-channel Mobile Satellite System (MSS) operations.Tested To ComplyWith FCC StandardsFOR HOME OR OFFICE USE
B-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix B Declarations of Conformity and Regulatory InformationDepartment of Communications—CanadaDepartment of Communications—CanadaCanadian Compliance StatementThis Class B Digital apparatus meets all the requirements of the Canadian Interference-Causing Equipment Regulations.Cet appareil numerique de la classe B respecte les exigences du Reglement sur le material broilleur du Canada.This device complies with Class B Limits of Industry Canada. Operation is subject to the following two conditions:1. This device may not cause harmful interference, and2. This device must accept any interference received, including interference that may cause undesired operation.Cisco Aironet 11-Mbps, 2.4-GHz Access Points are certified to the requirements of RSS-210 for 2.4-GHz spread spectrum devices, and Cisco Aironet 54-Mbps, 5-GHz Access Points are certified to the requirements of RSS-210 for 5-GHz spread spectrum devices.The use of this device in a system operating either partially or completely outdoors may require the user to obtain a license for the system according to the Canadian regulations. For further information, contact your local Industry Canada office.Table B-1 Access Point 2.4-GHz AntennasCisco Part Number Model GainAIR-ANT1949 Yagi 13.5AIR-ANT4121 Omni-directional 12.0AIR-ANT3549 Patch 8.5AIR-ANT2012 Spatial diversity 6.5AIR-ANT1729 Patch 6.0AIR-ANT2506 Omni-directional 5.1AIR-ANT3213 Omni-directional 5.0AIR-ANT1728 Omni-directional 5.0AIR-ANT3195 Patch 3.0AIR-ANT5959 Omni-directional 2.0AIR-ANT4941 Dipole 2.2
B-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix B Declarations of Conformity and Regulatory InformationEuropean Community, Switzerland, Norway, Iceland, and LiechtensteinEuropean Community, Switzerland, Norway, Iceland, and LiechtensteinDeclaration of Conformity with Regard to the R&TTE Directive 1999/5/ECEnglish: This equipment is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.Deutsch: Dieses Gerät entspricht den grundlegenden Anforderungen und den weiteren entsprecheneden Vorgaben der Richtlinie 1999/5/EU.Dansk: Dette udstyr er i overensstemmelse med de væsentlige krav og andre relevante bestemmelser i Directiv 1999/5/EF.Español: Este equipo cumple con los requisitos esenciales asi como con otras disposiciones de la Directive 1999/5/EC.DzȜȜȘȞĮȢ:ǹȣIJȩȢ Ƞ İȟȠʌȜȚıµȩȢ ıȣµµȠȡijȫȞİIJĮȚ µİ IJȚȢ ȠȣıȚȫįİȚȢ ĮʌĮȚIJȒıİȚȢ țĮȚ IJȚȢ ȜȠȚʌȑȢįȚĮIJȐȟİȚȢ IJȘȢ ȅįȘȖȓĮȢ 1999/5/EȀ.Français: Cet appareil est conforme aux exigencies essentialles et aux autres dispositions pertinantes de la Directive 1999/5/EC.Íslenska: Þessi búnaður samrýmist lögboðnum kröfum og öðrum ákvæðum tilskipunar 1999/5/ESB.Italiano: Questo apparato é conforme ai requisiti essenziali ed agli altri principi sanciti dalla Direttiva 1999/5/EC.Nederlands: Deze apparatuur voldoet aan de belangrijkste eisen en andere voorzieningen van richtlijn 1999/5/EC.Norsk: Dette utstyret er i samsvar med de grunnleggende krav og andre relevante bestemmelser i EU-directiv 1999/5/EC.Português: Este equipamento satisfaz os requisitos essenciais e outras provisões da Directiva 1999/5/EC.Suomalainen: Tämä laite täyttää direktiivin 1999/5/EY oleelliset vaatimukset ja on siinä asetettujen muidenkin ehtojen mukainen.Svenska: Denna utrustning är i överensstämmelse med de väsentliga kraven och andra relevanta bestämmelser i Direktiv 1999/5/EC.
B-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix B Declarations of Conformity and Regulatory InformationEuropean Community, Switzerland, Norway, Iceland, and LiechtensteinThe Declaration of Conformity related to this product can be found at the following URL:http://www.ciscofax.comFor 11 Mbps, 2.4 GHz access points with 100 mW radios, the following standards were applied:•Radio: EN 300.328-1, EN 300.328-2•EMC: EN 301.489-1, EN 301.89-17•Safety: EN 60950The following CE mark is affixed to the 11 Mbps, 2.4 GHz access points with 100 mW radios:Note This equipment is intended to be used in all EU and EFTA countries. Outdoor use may be restricted to certain frequencies and/or may require a license for operation. For more details, contact Cisco Corporate Compliance.Note Combinations of power levels and antennas resulting in a radiated power level above 100 mW equivalent isotropic radiated power (EIRP) are considered as not compliant with the above mentioned directive and are not allowed for use within the European community and other countries that have adopted the European R&TTE directive 1999/5/EC or the CEPT recommendation Rec 70.03 or both. For more details on legal combinations of power levels and antennas, refer to the .For 54 Mbps, 5 GHz access points with 40 mW radios, the following standards were applied:•Radio: EN 301.893•EMC: EN 301.489-1, EN 301.489-17•Safety: EN 60950The following CE mark is affixed to the 54 Mbps, 5 GHz access points with 40 mW radios:49325
B-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix B Declarations of Conformity and Regulatory InformationDeclaration of Conformity for RF ExposureDeclaration of Conformity for RF ExposureThe radio module has been found to be compliant to the requirements set forth in CFR 47 Sections 2.1091, 2.1093, and 15.247 (b) (4) addressing RF Exposure from radio frequency devices as defined in Evaluating Compliance with FCC Guidelines for Human Exposure to Radio Frequency Electromagnetic Fields. For antennas, AIR-ANT4121 and AIR-ANT1949, the equipment should be positioned more than 2 m from your body or nearby persons. For all other approved antennas the equipment shoud be installed more than 20 cm from your body or nearby persons.The access point (with 5 GHz integrated antenna) must be installed to maintain a minimum 20 cm(7.9 in) co-located separation distance from other FCC approved indoor/outdoor antennas used with the access point. Any antennas or transmitters not approved by the FCC cannot be co-located with the access point antennas. The access point’s co-located 2.4 GHz (2.2 dBi) and 5 GHz integrated antennas support a minimum separation distance of 10 cm (3.9 in) and are compliant with the applicable FCC RF exposure limit when transmitting simultaneously.Note Dual antennas used for diversity operation are not considered co-located.Guidelines for Operating Cisco Aironet Access Points in JapanThis section provides guidelines for avoiding interference when operating Cisco Aironet access points in Japan. These guidelines are provided in both Japanese and English.Japanese Translation03-5549-650043768
B-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix B Declarations of Conformity and Regulatory InformationGuidelines for Operating Cisco Aironet Access Points in JapanEnglish TranslationThis equipment operates in the same frequency bandwidth as industrial, scientific, and medical devices such as microwave ovens and mobile object identification (RF-ID) systems (licensed premises radio stations and unlicensed specified low-power radio stations) used in factory production lines.1. Before using this equipment, make sure that no premises radio stations or specified low-power radio stations of RF-ID are used in the vicinity.2. If this equipment causes RF interference to a premises radio station of RF-ID, promptly change the frequency or stop using the device; contact the number below and ask for recommendations on avoiding radio interference, such as setting partitions.3. If this equipment causes RF interference to a specified low-power radio station of RF-ID, contact the number below.Contact Number: 03-5549-6500
B-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix B Declarations of Conformity and Regulatory InformationGuidelines for Operating Cisco Aironet Access Points in Japan
C-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01APPENDIXCChannels and Antenna SettingsThis appendix lists the access point radio channels and the maximum power levels supported by the world’s regulatory domains. The following topics are covered in this appendix:•Channels, page C-2•Maximum Power Levels, page C-4
C-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix C Channels and Antenna SettingsChannelsChannelsIEEE 802.11aThe channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11a 20-MHz-wide channel are listed in Table C-1.Note All channel sets are restricted to indoor usage except the Americas (-A), which allows for indoor and outdoor use on channels 52 through 64 in the United States.Table C-1 Channels for IEEE 802.11aChannel IdentifierFrequency in MHzRegulatory DomainsAmericas (-A) Japan (-J) Singapore (-S) Taiwan (-T)34 5170 - X - -36 5180 X - X -38 5190 - X - -40 5200 X - X -42 5210 - X - -44 5220 X - X -46 5230 - X - -48 5240 X - X -52 5260 X - - X56 5280 X - - X60 5300 X - - X64 5320 X - - X149 5745 - - - -153 5765 - - - -157 5785 - - - -161 5805 - - - -
C-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix C Channels and Antenna SettingsChannelsIEEE 802.11bThe channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11b 22-MHz-wide channel are listed in Table C-2.Note Mexico is included in the Americas regulatory domain; however, channels 1 through 8 are for indoor use only while channels 9 through 11 can be used indoors and outdoors. Users are responsible for ensuring that the channel set configuration complies with the regulatory standards of Mexico.Table C-2 Channels for IEEE 802.11bChannel IdentifierFrequency in MHzRegulatory DomainsAmericas (-A) EMEA (-E) Israel (-I) China (-C) Japan (-J)1 2412 X X - X X2 2417 X X - X X32422XXXXX42427XXXXX52432XXXXX62437XXXXX72442XXXXX82447XXXXX92452XXXXX10 2457 X X - X X11 2462 X X - X X12 2467 - X - - X13 2472 - X - - X142484----X
C-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix C Channels and Antenna SettingsMaximum Power LevelsMaximum Power Levels This section lists the maximum radio power levels and antenna gains for each regulatory domain. For additional information on setting radio transmit power, refer to the “Configuring Radio Transmit Power”section on page 7-5.IEEE 802.11aAn improper combination of power level and antenna gain can result in equivalent isotropic radiated power (EIRP) above the amount allowed per regulatory domain. Table C-3 lists the maximum power levels and antenna gains allowed for each IEEE 802.11a regulatory domain.IEEE 802.11bAn improper combination of power level and antenna gain can result in equivalent isotropic radiated power (EIRP) above the amount allowed per regulatory domain. Table C-4 lists the maximum power levels and antenna gains allowed for each IEEE 802.11b regulatory domain.Table C-3 Maximum Power Levels Per Antenna Gain for IEEE 802.11aRegulatory DomainMaximum Power Level (mW) with 6-dBi Antenna GainAmericas (-A)(160 mW EIRP maximum on channels 36-48, 800 mW EIRP maximum on channels 52-64)40Japan (-J)(10 mW/MHz EIRP maximum)40Singapore (-S)(100 mW EIRP maximum)20Taiwan (-T)(800 mW EIRP maximum)40Table C-4 Maximum Power Levels Per Antenna Gain for IEEE 802.11bRegulatory Domain Antenna Gain (dBi) Maximum Power Level (mW)Americas (-A)(4W EIRP maximum)0 100 2.2 100 5.2 100 6 100 8.5 100 12 100 13.5 100
C-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix C Channels and Antenna SettingsMaximum Power LevelsEMEA (-E)(100 mW EIRP maximum)0 1002.2 50 5.2 306308.5 512 513.5 5 21 1 Israel (-I)(100 mW EIRP maximum)0 100 2.2 505.2 30 6 30 8.5 512 513.5 521 1China (-C)(10 mW EIRP maximum)0 52.2 55.2 n/a6 n/a8.5 n/a12 n/a13.5 n/a21 n/aJapan (-J)(10 mW/MHz EIRP maximum)0 50 2.2 305.2 30 6 30 8.5 n/a12 n/a13.5 521 n/aTable C-4 Maximum Power Levels Per Antenna Gain for IEEE 802.11b (continued)Regulatory Domain Antenna Gain (dBi) Maximum Power Level (mW)
C-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix C Channels and Antenna SettingsMaximum Power Levels
D-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01APPENDIXDMounting InstructionsThis appendix provides instructions for mounting the access point to suspended ceilings, vertical surfaces, or horizontal surfaces using the access point mounting bracket.The following sections are included in this chapter:•Overview, page D-2•Mounting on a Horizontal or Vertical Surface, page D-3•Mounting on a Suspended Ceiling, page D-4•Attaching the Access Point to the Mounting Bracket, page D-5•Securing the Access Point to the Mounting Bracket, page D-5
D-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix D Mounting InstructionsOverviewOverviewYou can mount the access point on any of the following surfaces:•Horizontal or vertical flat surfaces, such as walls or ceilings•Suspended ceilingsThe access point ships with a detachable mounting bracket and the necessary mounting hardware. Because it is detachable, you can use the mounting bracket as a template to mark the positions of the mounting holes for your installation. You then install the mounting bracket and attach the access point when you are ready. Refer to Figure D-1 to locate the various mounting holes for the method you intend to use.Note The Cisco Aironet 1200 Series Access Point provides adequate fire resistance and low smoke-producing characteristics suitable for operation in a building's environmental air space in accordance with Section 300-22(C) of the National Electrical Code (NEC), such as above suspended ceilings.Note If you plan to mount the access point in environmental air space and will upgrade to a 5-GHz radio, Cisco recommends that you mount the access point horizontally with its antennas pointing down. Doing so will result in the access point complying with regulatory requirements for environmental air space after the 5-GHz radio is installed.Note When mounting the access point in a building’s environmental air space, you must use Ethernet cable suitable for operation in environmental air space in accordance with Section 300-22(C) of the National Electrical Code (NEC).Figure D-1 Mounting Bracket 1Access point mount 5Locking detent2Cable tie points 6Wall cable access3Ceiling mount holes 7Suspended ceiling cable access4Access point mounts 8Security hasp15467382 3 4658632
D-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix D Mounting InstructionsMounting on a Horizontal or Vertical SurfaceA mounting hardware kit is provided that contains the hardware and fasteners necessary to mount the access point. Refer to the Table D-1 to identify the materials you need to mount your access point, then go to the section containing the specific mounting procedure.Mounting on a Horizontal or Vertical SurfaceFollow these steps to mount the access point on a horizontal or vertical surface.Step 1 Use the mounting bracket as a template to mark the locations of the four mounting holes.Step 2 Drill one of the following sized holes at the locations you marked:•3/16 in. (4.7 mm) if you are using wall anchors•1/8 in. (6.3 mm) if you are not using wall anchorsStep 3 Install the anchors into the wall if you are using them. Otherwise, go to Step 4.Step 4 Secure the mounting bracket to the surface using the #8 fasteners.Note On a vertical surface, mount the bracket with its security hasp facing down.Step 5 Attach the access point to the mounting bracket.Note You can make your installation more secure by mounting it to a stud or major structural member and using the appropriate fasteners.Table D-1 Material Needed to Mount Access PointMounting Method Materials Required In KitHorizontal or vertical surface Four #8 x 1 in. (25.4 mm) screwsFour wall anchors3/16 in. (4.7 mm) or 3/32 in. (2.3 mm) drill bitDrillStandard screwdriverYesYesNoNoNoSuspended ceiling Two caddy fasteners with studsTwo plastic spacersTwo 1/4–20 Keps nuts with built-in washersStandard screwdriverAppropriate wrench or pliersYesYesYesNoNo
D-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix D Mounting InstructionsMounting on a Suspended CeilingMounting on a Suspended CeilingNote To comply with NEC code, a #10-24 grounding lug is provided on the mounting bracket.You should review Figure D-2 before beginning the mounting process.Figure D-2 Mounting Bracket Parts1Suspended ceiling T-rail 4Mounting bracket2Caddy fastener 5Keps nut (contains an attached lock washer)3Plastic spacer1223534574121
D-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix D Mounting InstructionsAttaching the Access Point to the Mounting BracketFollow these steps to mount your access point on a suspended ceiling:Step 1 Determine the location where you want to mount the access point.Step 2 Attach two caddy fasteners to the suspended ceiling T-rail.Step 3 Use the mounting bracket to adjust the distance between the caddy fasteners so that they align with the holes in the mounting bracket.Step 4 Use a standard screwdriver to tighten the caddy fastener studs in place on the suspended ceiling T-rail. Do not overtighten.Step 5 Install a plastic spacer on each caddy fastener stud. The spacer’s legs should contact the suspended ceiling T-rail.Step 6 Attach the mounting bracket to the caddy fastener studs and start a Keps nut on each stud.Step 7 Use a wrench or pliers to tighten the Keps nuts. Do not overtighten.Step 8 Attach the access point to the mounting bracket.Attaching the Access Point to the Mounting BracketFollow these steps to attach the access point to the mounting bracket:Step 1 Line up the three mounting pins on the access point with the large ends of the keyhole-shaped holes on the mounting bracket.Step 2 Insert the access point into the keyhole shaped holes and maintain a slight pressure to hold it in place.Step 3 Slide the access point’s mounting pins into the small ends of the keyhole-shaped holes on the mounting bracket and push the connector end of the access point. You will hear a click when the locking detent contacts the access point and locks it into place.Step 4 Attach and adjust the antenna(s) or antenna cables.Step 5 Connect the Ethernet cable to the access point’s Ethernet port.Step 6 Insert the 1200 series power module cable connector into the access point’s 48 VDC power port (if you are using a local power source).Securing the Access Point to the Mounting BracketThe security hasp on the mounting bracket allows you to lock the access point to the bracket to make it more secure. When the access point is properly installed on the mounting bracket, the holes in the security hasps line up so you can install a padlock.Known compatible padlocks are Master Lock models 120T or 121T.
D-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix D Mounting InstructionsSecuring the Access Point to the Mounting Bracket
E-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01APPENDIXEProtocol FiltersThe tables in this appendix list some of the protocols that you can filter on the access point. The tables include:•Table E-1, Ethertype Protocols•Table E-2, IP Protocols•Table E-3, IP Port ProtocolsIn each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.
E-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix E Protocol FiltersTable E-1 Ethertype ProtocolsProtocol Additional Identifier ISO DesignatorARP — 0x0806RARP — 0x8035IP — 0x0800Berkeley Trailer Negotiation — 0x1000LAN Test — 0x0708X.25 Level3 X.25 0x0805Banyan — 0x0BADCDP — 0x2000DEC XNS XNS 0x6000DEC MOP Dump/Load — 0x6001DEC MOP MOP 0x6002DEC LAT LAT 0x6004Ethertalk — 0x809BAppletalk ARP AppletalkAARP0x80F3IPX 802.2 — 0x00E0IPX 802.3 — 0x00FFNovell IPX (old) — 0x8137Novell IPX (new) IPX 0x8138EAPOL (old) — 0x8180EAPOL (new) — 0x888ETelxon TXP TXP 0x8729Aironet DDP DDP 0x872DEnet Config Test — 0x9000NetBUI — 0xF0F0
E-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix E Protocol FiltersTable E-2 IP ProtocolsProtocol Additional Identifier ISO Designatordummy — 0Internet Control Message Protocol ICMP 1Internet Group Management Protocol IGMP 2Transmission Control Protocol TCP 6Exterior Gateway Protocol EGP 8PUP — 12CHAOS — 16User Datagram Protocol UDP 17XNS-IDP IDP 22ISO-TP4 TP4 29ISO-CNLP CNLP 80Banyan VINES VINES 83Encapsulation Header encap_hdr 98Spectralink Voice Protocol SVPSpectralink119raw — 255
E-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix E Protocol FiltersTable E-3 IP Port ProtocolsProtocol Additional Identifier ISO DesignatorTCP port service multiplexer tcpmux 1echo — 7discard (9) — 9systat (11) — 11daytime (13) — 13netstat (15) — 15Quote of the Day qotdquote 17Message Send Protocol msp 18ttytst source chargen 19FTP Data ftp-data 20FTP Control (21) ftp 21Secure Shell (22) ssh 22Telnet — 23Simple Mail Transport Protocol SMTPmail25time timserver 37Resource Location Protocol RLP 39IEN 116 Name Server name 42whois nicname 4343Domain Name Server DNS domain53MTP — 57BOOTP Server — 67BOOTP Client — 68TFTP — 69gopher — 70rje netrjs 77finger — 79Hypertext Transport Protocol HTTPwww80ttylink link 87Kerberos v5 Kerberoskrb588supdup — 95hostname hostnames 101
E-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix E Protocol FiltersTSAP iso-tsap 102CSO Name Server cso-nscsnet-ns105Remote Telnet rtelnet 107Postoffice v2 POP2POP v2109Postoffice v3 POP3POP v3110Sun RPC sunrpc 111tap ident authentication auth 113sftp — 115uucp-path — 117Network News Transfer ProtocolNetwork Newsreadnewsnntp119USENET News Transfer ProtocolNetwork Newsreadnewsnntp119Network Time Protocol ntp 123NETBIOS Name Service netbios-ns 137NETBIOS Datagram Service netbios-dgm 138NETBIOS Session Service netbios-ssn 139Interim Mail Access Protocol v2 Interim Mail Access ProtocolIMAP2143Simple Network Management ProtocolSNMP 161SNMP Traps snmp-trap 162ISO CMIP Management Over IP CMIP Management Over IPcmip-manCMOT163ISO CMIP Agent Over IP cmip-agent 164X Display Manager Control Protocolxdmcp 177NeXTStep Window Server NeXTStep 178Border Gateway Protocol BGP 179Prospero — 191Internet Relay Chap IRC 194Table E-3 IP Port Protocols (continued)Protocol Additional Identifier ISO Designator
E-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix E Protocol FiltersSNMP Unix Multiplexer smux 199AppleTalk Routing at-rtmp 201AppleTalk name binding at-nbp 202AppleTalk echo at-echo 204AppleTalk Zone Information at-zis 206NISO Z39.50 database z3950 210IPX — 213Interactive Mail Access Protocol v3imap3 220Unix Listserv ulistserv 372syslog — 514Unix spooler spooler 515talk — 517ntalk — 518route RIP 520timeserver timed 525newdate tempo 526courier RPC 530conference chat 531netnews — 532netwall wall 533UUCP Daemon UUCPuucpd540Kerberos rlogin klogin 543Kerberos rsh kshell 544rfs_server remotefs 556Kerberos kadmin kerberos-adm 749network dictionary webster 765SUP server supfilesrv 871swat for SAMBA swat 901SUP debugging supfiledbg 1127ingreslock — 1524Prospero non-priveleged prospero-np 1525RADIUS — 1812Concurrent Versions System CVS 2401Cisco IAPP — 2887Radio Free Ethernet RFE 5002Table E-3 IP Port Protocols (continued)Protocol Additional Identifier ISO Designator
F-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01APPENDIXFSupported MIBsThis appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release. The Cisco IOS SNMP agent supports both SNMPv1 and SNMPv2. This appendix contains these sections:•MIB List, page F-1•Using FTP to Access the MIB Files, page F-2MIB List•IEEE802dot11-MIB•Q-BRIDGE-MIB•P-BRIDGE-MIB•CISCO-DOT11-IF-MIB•CISCO-WLAN-VLAN-MIB •CISCO-IETF-DOT11-QOS-MIB•CISCO-IETF-DOT11-QOS-EXT-MIB•CISCO-DOT11-ASSOCIATION-MIB•CISCO-L2-DEV-MONITORING-MIB •CISCO-DDP-IAPP-MIB •CISCO-IP-PROTOCOL-FILTER-MIB•CISCO-SYSLOG-EVENT-EXT-MIB•CISCO-TBRIDGE-DEV-IF-MIB•BRIDGE-MIB•CISCO-CDP-MIB•CISCO-CONFIG-COPY-MIB•CISCO-CONFIG-MAN-MIB•CISCO-FLASH-MIB•CISCO-IMAGE-MIB•CISCO-MEMORY-POOL-MIB
F-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix F Supported MIBsUsing FTP to Access the MIB Files•CISCO-PROCESS-MIB•CISCO-PRODUCTS-MIB•CISCO-SMI-MIB•CISCO-TC-MIB•CISCO-SYSLOG-MIB•ENTITY-MIB•IF-MIB•OLD-CISCO-CHASSIS-MIB•OLD-CISCO-SYS-MIB•OLD-CISCO-SYSTEM-MIB•OLD-CISCO-TS-MIB•RFC1213-MIB•RFC1398-MIB •SNMPv2-MIB•SNMPv2-SMI•SNMPv2-TCUsing FTP to Access the MIB FilesFollow these steps to obtain each MIB file by using FTP:Step 1 Use FTP to access the server ftp.cisco.com.Step 2 Log in with the username anonymous.Step 3 Enter your e-mail username when prompted for the password.Step 4 At the ftp> prompt, change directories to /pub/mibs/v1 or /pub/mibs/v2.Step 5 Use the get MIB_filename command to obtain a copy of the MIB file.Note You can also access information about MIBs on the Cisco web site:http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
G-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01APPENDIXGAccess Point SpecificationsThis appendix provides technical specifications for the Cisco Aironet 1200 Series Access Point. Table G-1 lists the technical specifications for the access point.Table G-1 Access Point SpecificationsCategory Access Point with 2.4-GHz Radio Access Point with 5-GHz Radio ModuleSize 6.56 in. W x 7.23 in. D x 1.66 in. H16.67 cm W x 18.36 cm D x 4.22 cm H With the 5-GHz antenna in the patch position:6.56 in. W x 8.04 in. D x 2.21 in. H 16.67 cm W x 20.42 cm D x 5.61Status Indicators Three indicators on the top panel: Ethernet traffic, status, and radio trafficConnectors Back panel (left to right): reverse-TNC antenna connector; power connector (for plug-in AC power module); RJ-45 connector for 10BASE-T or 100BASE-T Ethernet connections; upside down RJ-45 connector for serial connections; reverse-TNC antenna connector.Front Panel: Card Bus connector used for the 5-GHz radio module.Input Voltage 48 VDC nominal. Operational up to 60 VDC. Voltage higher than 60 VDC can damage the unit.Input Current With 2.4 GHz radio:125 mA (typical)With 5-GHz radio:165 mA (typical) With 2.4-GHz and 5-GHz radios225 mA (typical) The access point is capable of drawing 380 mA depending upon the current radios and future radios installed in the unit.Operating Temperature Access point:–4 to 131oF (–20 to 55oC) 1200 series power injector:32 to 104oF (0 to 40oC)Access point (with 2.4-GHz and 5-GHz radio):–4 to 122oF (–20 to 50oC)1200 series power injector:32 to 104oF (0 to 40oC)Storage Temperature –40 to 185oF (–40 to 85oC) –40 to 185oF (–40 to 85oC) Weight Without mounting bracket:1.6 lbs (0.73 kg) with 2.4-GHz radiomoduleWithout mounting bracket:1.87 lbs (0.85 kg) with 5-Ghz radio module1.97 lbs (0.89 kg) with 5-GHz radio module and2.4-GHz radio
G-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix G Access Point SpecificationsPower Output 100, 50, 30, 20, 5, or 1 mW (Depending on the regulatory domain in which the access point is installed)40 mW (16 dBm)20 mW (13 dBm)10 mW (10 dBm)5 mW (7 dBm)Note These values are based on the FCC peak measurement method as defined inFCC 15.407 (A)(4)Frequency 2.400 to 2.497 GHz (Depending on the regulatory domain in which the access point is installed)UNII 1—5.15 to 5.25 GHzUNII 2—5.25 to 5.35 GHz(Depending on the regulatory domain in which the access point is installed)Range Indoor:150 ft at 11 Mbps 350 ft at 1 Mbps Outdoor:800 ft at 11 Mbps 2000 ft at 1 Mbps Indoor:170 ft at 6 Mbps130 ft at 18 Mbps60 ft at 54 MbpsOutdoor:1000 ft at 6 Mbps100 ft at 54 MbpsModulation Direct Sequence Spread Spectrum (DSSS) Orthogonal Frequency Division Multiplex (OFDM)Data rates 1, 2, 5.5, and 11 Mbps 6, 9, 12, 18, 24, 36, 48, and 54 MbpsAntenna A diversity system with two reverse-TNC connectors (Cisco antennas are sold separately). A diversity system consisting of two integrated omnidirectional and two integrated directional antennas.Compliance The 1200 series access point complies with UL 2043 for products installed in a building’senvironmental air handling spaces, such as above suspended ceilings.Caution The 1200 series power injectors are not tested to UL 2043 and should not be placed in a building’s environmental air space, such as above suspended ceilings. Note If you plan to mount the access point in environmental air space using a 5-GHz radio, Cisco recommends that you mount the access point horizontally with its antennas pointing down. Doing so results in the access point complying with regulatory requirements for environmental air space with the 5-GHz radio installed.Safety Designed to meet:•UL 1950 Third Edition•CSA 22.2 No. 950-95•IEC 60950 Second Edition, including Amendments 1-4 with all deviations•EN 60950 Second Edition, including Amendments 1-4Designed to meet:•UL 1950 Third Edition•CSA 22.2 No. 950-95•IEC 60950 Second Edition, including Amendments 1-4 with all deviations•EN 60950 Second Edition, including Amendments 1-4Table G-1 Access Point Specifications (continued)Category Access Point with 2.4-GHz Radio Access Point with 5-GHz Radio Module
G-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix G Access Point SpecificationsRadio Approvals FCC Part 15.247Canada RSS-210Japan Telec 33BEN 300.328FCC Part 15.407Canada RSS-210Japan ARIB STD-T71EN 301.893EMI and Susceptibility FCC Part 15.107 and 15.109 Class BICES-003 Class B (Canada)EN 55022 BAS/NZS 3548 Class BVCCI Class BEN 55024EN 301.489-1EN 301.489-17RF Exposure OET-65CRSS-102ANSI C95.1Table G-1 Access Point Specifications (continued)Category Access Point with 2.4-GHz Radio Access Point with 5-GHz Radio Module
G-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix G Access Point Specifications
H-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01APPENDIXHError and Event MessagesThis appendix lists the CLI error and event messages. Table H-1 lists the errors and events and provides an explanation and recommended action for each message.Table H-1 Error and Event MessagesMessage Explanation Recommended ActionSoftware Auto Upgrade MessagesSW_AUTO_UPGRADE-FATAL: Attempt to upgrade software failed, software on Flash may be deleted. Please copy software into Flash. Auto upgrade of the software failed. The software on the Flash memory might have been deleted. Copy software into the Flash memory. Copy software before rebooting the unit. SW_AUTO_UPGRADE-7-FAILURE: dhcp_client_start_stop failed Auto upgrade of the software failed due to error in starting/stopping DHCP client process.Copy the error message exactly as it appears and report it to your technical support representative. SW_AUTO_UPGRADE-7-FAILURE: Failed to obtain ip addr from dhcp server Auto upgrade of the software failed. Copy the error message exactly as it appears and report it to your technical support representative.SW_AUTO_UPGRADE-7-FAILURE: boot_file_pathent creation failed Auto upgrade of the software failed due to error in creation of pathent (internal data structure).Copy the error message exactly as it appears and report it to your technical support representative.Association Management MessagesDOT11-3-BADSTATE: [mac-address] [chars] [chars] -> [chars]802.11 Association and management uses a table-driven state machine to keep track and transition an Association through various states. A state transition occurs when an Association receives one of many possible events. When this error occurs, it means that an Association received an event that it did not expect while in this state.The system can continue but may lose the Association that generates this error. Copy the message exactly as it appears and report it to your technical service representative.DOT11-6-ASSOC: Interface [interface], Station [char] [mac] AssociatedA station associated to an access point. None.DOT11-6-ADD: Interface [interface], Station [mac] Associated to Parent [mac]A station associated to an access point. None.
H-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix H Error and Event MessagesDOT11-6-DISASSOC: Interface [interface], Deauthenticating Station [mac] [char]A station disassociated from an access point.None.DOT11-6-ROAMED: Station [mac-address] Roamed to [mac-address]A station has roamed to a new access point.None.Proxy Mobile IP Subsystem MessagesPMIP-3-REG_FAIL: Mobile Node 10.4.1.3 mobile ip registration failedWhen a mobile node (MN) moves to a foreign network, the access point registers the MN to its Home Agent. This message indicates that the registration failed.Check for correct configuration of Mobile IP agents and the access point.PMIP-3-REG_AUTH_FAIL: Mobile Node 10.4.1.3 registration failed due to authentication failureWhen a mobile node (MN) moves to a foreign network, the access point registers the MN to its Home Agent. This message indicates that the registration failed because the HA or FA failed to authenticate each other or the MN.Make sure the correct authentication information is configured on the Home Agent, the Foreign Agent, and the access point.PMIP-3-REG_FA_FAIL: Mobile Node 10.4.1.3 registration failed due to Foreign Agent denialWhen a Mobile node (MN) moves to a foreign network, the access point registers the MN to its Home Agent. This message indicates that the registration was denied by the Foreign Agent.Make sure the correct authentication information is configured on the Home Agent, the Foreign Agent, and the access point.PMIP-3-REG_HA_FAIL: Mobile Node 10.4.1.3 registration failed due to Home Agent denialWhen a Mobile node (MN) moves to a foreign network, the access point registers the MN to its Home Agent. This message indicates that the registration was denied by the Home Agent.Make sure the correct authentication information is configured on the Home Agent, the Foreign Agent, and the access point.PMIP-3-AUTH_UNAVAIL: Authentication for 10.4.1.3 unavailableProxy Mobile IP failed to obtain the Mobile Node's authentication information either locally or from a AAA server.Make sure the correct Mobile Node information is configured locally or on the AAA server.PMIP-3-HAFA_UNAVAIL: No response from the Mobile IP Agent to our registration requestsProxy Mobile IP failed to access the Home or Foreign Agent while trying to register the Mobile Node.Make sure the HA or FA is not down or is network inaccessible. Also check that the subnet map information regarding the Home Agent is correct.PMIP-6-HAFA_DOWN: Mobile IP Agent 10.4.1.1 is down or unavailableMobile IP Home or Foreign agent has gone down or is inaccessible to the access point.Make sure there is at least one Home and Foreign Agent configured on that subnet and is accessible to the access point.PMIP-3-AAP_UNAVAIL: Authoritative Access Point is unavailableThe authoritative access point cannot be reached to obtains subnet map table.Make sure all the access points have the same information regarding Authoritative and regular access points.PMIP-6-START: Proxy Mobile IP services has startedProxy Mobile IP service has started. None.Table H-1 Error and Event Messages (continued)Message Explanation Recommended Action
H-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix H Error and Event MessagesPMIP-6-STOP: Proxy Mobile IP services have stoppedProxy Mobile IP service has stopped. None.PMIP-6-REPEATER_STOP: AP is now operating as a repeater, disabling Proxy Mobile IP servicesProxy Mobile IP does not run on repeaters or workgroup bridges, and it is disabled automatically when the access point is in repeater mode.None.Unzip MessagesSOAP-4-UNZIP_OVERFLOW: Failed to unzip Flash:/c1200-k9w7-mx.122-3.6.JA1/html/level15/ap_xxx.htm.gz, exceeds maximum uncompressed html sizeThe HTTP server cannot retrieve a compressed file in response to an HTTP GET request because the size of the file is too large for the buffers used in the uncompression process.Make sure file is a valid HTML page. If so, you'll have to copy an uncompressed version of the file into Flash to retrieve it through HTTP.802.11 Subsystem MessagesDOT11-6-FREQ_INUSE: Radio frequency [int] is in useWhen scanning for an unused frequency, the unit recognized another radio using the displayed frequency.None.DOT11-6-FREQ_USED: Radio frequency [int] selectedAfter scanning for an unused frequency, the unit selected the displayed frequency.None.DOT11-4-VERSION_MISMATCH: Require radio version [hex].[int], found version [hex].[int]When starting the radio, the wrong firmware version was found. The radio will be loaded with the required version.None.DOT11-2-VERSION_INVALID: Unable to find required radio version [hex].[int]When trying to re-flash the radio firmware, the access point recognized that the radio firmware packaged with the IOS firmware had the incorrect version. None.DOT11-4-NO_SSID: No SSIDs configured, radio not startedAll SSIDs were deleted from the configuration. At least one must be configured for the radio to run.Configure at least one SSID on the access point.DOT11-4-FLASHING_RADIO: Flashing the radio firmware ([chars])The radio has been stopped to load new firmware.None.DOT11-2-NO_FIRMWARE: No radio firmware file ([chars]) was foundWhen trying to Flash new firmware into the radio, the file for the radio was not found in the Flash file system.The wrong image has been loaded into the unit. Locate the correct image based on the type of radio used.DOT11-2-BAD_FIRMWARE: Radio firmware file ([chars]) is invalidWhen trying to Flash new firmware into the radio, the file was found to be invalid.Put the correct firmware image file in the place where the unit is looking.DOT11-4-FLASH_RADIO_DONE: Flashing the radio firmware completedThe radio firmware Flash is complete, and the radio will be restarted with the new firmware.None.DOT11-4-LINK_DOWN: Radio parent lost: [chars]The connection to the parent access point was lost for the displayed reason. The unit will try to find a new parent access point.None.Table H-1 Error and Event Messages (continued)Message Explanation Recommended Action
H-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix H Error and Event MessagesDOT11-4-CANT_ASSOC: Cannot associate: [chars]The unit could not establish a connection to a parent access point for the displayed reason.Check the configuration of both the parent access point and this unit to make sure the basic settings (SSID, WEP, and others) match.Inter-Access Point Protocol MessagesDOT11-6-ROAMED: Station [mac-address] Roamed to [mac-address]A station has roamed to a new access point.None.DOT11-6-STANDBY_ACTIVE: Standby to Active, Reason = [chars] ([int])The access point is transitioning from standby mode to active mode.None.DOT11-6-ROGUE_AP: Rogue AP [mac-address] reported. Reason: [chars]A station has reported a potential rogue access point for the stated reason.None.SCHED-3-UNEXPECTEDMESSAGE: Unknown message [hex] received (ptr arg [hex], num arg [hex]).A process can register to be notified when various events occur in the router. This message indicates that a process received a message from another process that it does not know how to handle.Copy the error message exactly as it appears, and report it to your technical support representative.SCHED-3-UNEXPECTEDEVENT: Process received unknown event (maj [hex], min [hex]).A process can register to be notified when various events occur in the router. This message indicates that a process received an event that it did not know how to handle.Copy the error message exactly as it appears, and report it to your technical support representative.Table H-1 Error and Event Messages (continued)Message Explanation Recommended Action
I-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01APPENDIXIConsole Cable PinoutsThis appendix identifies the pinouts for the serial console cable that connects to the access point’s serial console port. The appendix contains the following sections:Overview, page I-2Console Port Signals and Pinouts, page I-2
I-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Appendix I Console Cable PinoutsOverviewOverviewThe access point requires a special serial cable that connects the access point serial console port (RJ-45 connector) to your PC’s COM port (DB-9 connector). This cable can be purchased from Cisco (part number AIR-CONCAB1200) or can be built using the pinouts in this appendix. Console Port Signals and PinoutsUse the console RJ-45 to DB-9 serial cable to connect the access point’s console port to the COM port of your PC running a terminal emulation program.Note Both the Ethernet and console ports use RJ-45 connectors. Be careful to avoid accidently connecting the serial cable to the Ethernet port connector. Table I-1 lists the signals and pinouts for the console RJ-45 to DB-9 serial cable. 1. NC indicates not connected.Table I-1 Signals and Pinouts for a Console RJ-45 to DB-9 Serial CableConsole Port PC COM PortRJ-45 DB-9Pins Signals1Pins Signals1NC --2NC --3 TXD 2 RXD4 GND 5 GND5 GND 5 GND6 RXD 3 TXD7NC --8NC --
GL-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01GLOSSARY802.11 The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4-GHz band.802.11a The IEEE standard that specifies carrier sense media access control and physical layer specifications for wireless LANs operating in the 5-GHz frequency band.802.11b The IEEE standard that specifies carrier sense media access control and physical layer specifications for 5.5- and 11-Mbps wireless LANs operating in the 2.4-GHz frequency band.AAccess Point A wireless LAN data transceiver that uses radio waves to connect a wired network with wireless stations.Ad Hoc Network A wireless network composed of stations without Access Points.Antenna Gain The gain of an antenna is a measure of the antenna’s ability to direct or focus radio energy over a region of space. High gain antennas have a more focused radiation pattern in a specific direction.Associated A station is configured properly to allow it to wirelessly communicate with an Access Point.BBeacon A wireless LAN packet that signals the availability and presence of the wireless device. Beacon packets are sent by access points and base stations; however, client radio cards send beacons when operating in computer to computer (Ad Hoc) mode.BOOTP Boot Protocol. A protocol used for the static assignment of IP addresses to devices on the network.BPSK A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 1 Mbps.Broadcast Packet A single data message (packet) sent to all addresses on the same subnet.
GlossaryGL-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01CCCK Complementary code keying. A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 5.5 and 11 Mbps.Cell The area of radio range or coverage in which the wireless devices can communicate with the base station. The size of the cell depends upon the speed of the transmission, the type of antenna used, and the physical environment, as well as other factors.Client A radio device that uses the services of an Access Point to communicate wirelessly with other devices on a local area network.CSMA Carrier sense multiple access. A wireless LAN media access method specified by the IEEE 802.11 specification.DData Rates The range of data transmission rates supported by a device. Data rates are measured in megabits per second (Mbps).dBi A ratio of decibels to an isotropic antenna that is commonly used to measure antenna gain. The greater the dBi value, the higher the gain, and the more acute the angle of coverage.DHCP Dynamic host configuration protocol. A protocol available with many operating systems that automatically issues IP addresses within a specified range to devices on the network. The device retains the assigned address for a specific administrator-defined period.Dipole A type of low-gain (2.2-dBi) antenna consisting of two (often internal) elements.Domain Name The text name that refers to a grouping of networks or network resources based on organization-type or geography; for example: name.com—commercial; name.edu—educational; name.gov—government; ISPname.net—network provider (such as an ISP); name.ar—Argentina; name.au—Australia; and so on.DNS Domain Name System server. A server that translates text names into IP addresses. The server maintains a database of host alphanumeric names and their corresponding IP addresses.DSSS Direct sequence spread spectrum. A type of spread spectrum radio transmission that spreads its signal continuously over a wide frequency band.
GlossaryGL-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01EEAP Extensible Authentication Protocol. An optional IEEE 802.1x security feature ideal for organizations with a large user base and access to an EAP-enabled Remote Authentication Dial-In User Service (RADIUS) server.Ethernet The most widely used wired local area network. Ethernet uses carrier sense multiple access (CSMA) to allow computers to share a network and operates at 10, 100, or 1000 Mbps, depending on the physical layer used.FFile Server A repository for files so that a local area network can share files, mail, and programs.Firmware Software that is programmed on a memory chip.GGateway A device that connects two otherwise incompatible networks together.GHz Gigahertz. One billion cycles per second. A unit of measure for frequency.IIEEE Institute of Electrical and Electronic Engineers. A professional society serving electrical engineers through its publications, conferences, and standards development activities. The body responsible for the Ethernet 802.3 and wireless LAN 802.11 specifications.Infrastructure The wired Ethernet network.IP Address The Internet Protocol (IP) address of a station.IP Subnet Mask The number used to identify the IP subnetwork, indicating whether the IP address can be recognized on the LAN or if it must be reached through a gateway. This number is expressed in a form similar to an IP address; for example: 255.255.255.0.Isotropic An antenna that radiates its signal 360 degrees both vertically and horizontally in a perfect sphere.
GlossaryGL-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01MMAC Media Access Control address. A unique 48-bit number used in Ethernet data packets to identify an Ethernet device, such as an access point or your client adapter.Modulation Any of several techniques for combining user information with a transmitter’scarrier signal.Multipath The echoes created as a radio signal bounces off of physical objects.Multicast Packet A single data message (packet) sent to multiple addresses.OOmni-directional This typically refers to a primarily circular antenna radiation pattern.Orthogonal Frequency Division Multiplex (OFDM)A modulation technique used by IEEE 802.11a-compliant wireless LANs for transmission at 6, 9, 12, 18, 24, 36, 48, and 54 Mbps.PPacket A basic message unit for communication across a network. A packet usually includes routing information, data, and sometimes error detection information.QQuadruple Phase Shift Keying A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 2 Mbps.RRange A linear measure of the distance that a transmitter can send a signal.Receiver Sensitivity A measurement of the weakest signal a receiver can receive and still correctly translate it into data.RF Radio frequency. A generic term for radio-based technology.
GlossaryGL-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01Roaming A feature of some Access Points that allows users to move through a facility while maintaining an unbroken connection to the LAN.RP-TNC A connector type unique to Cisco Aironet radios and antennas. Part 15.203 of the FCC rules covering spread spectrum devices limits the types of antennas that may be used with transmission equipment. In compliance with this rule, Cisco Aironet, like all other wireless LAN providers, equips its radios and antennas with a unique connector to prevent attachment of non-approved antennas to radios.SSpread Spectrum A radio transmission technology that spreads the user information over a much wider bandwidth than otherwise required in order to gain benefits such as improved interference tolerance and unlicensed operation.SSID Service Set Identifier (also referred to as Radio Network Name). A unique identifier used to identify a radio network and which stations must use to be able to communicate with each other or to an access point. The SSID can be any alphanumeric entry up to a maximum of 32 characters.TTransmit Power The power level of radio transmission.UUNII Unlicensed National Information Infrastructure—regulations for UNII devices operating in the 5.15 to 5.35 GHz and 5.725 to 5.825 GHz frequency bands.UNII-1 Regulations for UNII devices operating in the 5.15 to 5.25 GHz frequency band.UNII-2 Regulations for UNII devices operating in the 5.25 to 5.35 GHz frequency band.UNII-3 Regulations for UNII devices operating in the 5.725 to 5.825 GHz frequency band.Unicast Packet A single data message (packet) sent to a specific IP address.WWEP Wired Equivalent Privacy. An optional security mechanism defined within the 802.11 standard designed to make the link integrity of wireless devices equal to that of a cable.Workstation A computing device with an installed client adapter.
GlossaryGL-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01
IN-1Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01INDEXAabbreviating commands 5-3access pointsecurity settings 10-9access point image 21-6accountingwith RADIUS 11-12with TACACS+ 11-16, 11-21antennaconnectors G-2gains C-5warnings A-1Apply button 4-4attributes, RADIUSvendor-proprietary 11-14vendor-specific 11-13authenticationlocal mode with AAA 6-15NTP associations 6-20RADIUSkey 11-5login 6-8, 11-7TACACS+defined 11-16key 11-18login 6-13, 11-19authentication serverEAP 10-4, 11-3authentication typesNetwork-EAP 10-3open 10-2shared key 10-3authoritative time source, described 6-18authorizationwith RADIUS 6-11, 11-11with TACACS+ 6-14, 11-16, 11-20BBack button 4-4bannersconfiguringlogin 6-36message-of-the-day login 6-35default configuration 6-35when displayed 6-34basic settingschecking 21-4broadcast key rotation 9-1CCancel button 4-4CDPdisabling for routing device 16-4enabling and disablingon an interface 16-4monitoring 16-4channels, supported by regulatory domains C-2, C-3Cisco TAC 21-1CiscoWorks 2000 17-4CLIabbreviating commands 5-3command modes 5-2editing features
IndexIN-2Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01enabling and disabling 5-6keystroke editing 5-6wrapped lines 5-7error messages 5-4filtering command output 5-8getting help 5-3historychanging the buffer size 5-4described 5-4disabling 5-5recalling commands 5-5no and default forms of commands 5-3terminal emulator settings 3-4client power level, limiting 7-6clockSee system clockcommand-line interfaceSee CLIcommand modes 5-2commandsabbreviating 5-3no and default 5-3setting privilege levels 6-6community stringsconfiguring 17-5overview 17-3configuration filescreating using a text editor 19-10deleting a stored configuration 19-18downloadingpreparing 19-10, 19-13, 19-16reasons for 19-8using FTP 19-13using RCP 19-16using TFTP 19-11guidelines for creating and using 19-9invalid combinations when copying 19-5system contact and location information 17-9types and location 19-9uploadingpreparing 19-10, 19-13, 19-16reasons for 19-8using FTP 19-14using RCP 19-17using TFTP 19-11connections, secure remote 6-16connectors G-1, G-2console port I-2crypto software image 6-16Ddata rates G-2daylight saving time 6-30declarations of conformity B-1defaultconfiguration, resetting 21-5default commands 5-3default configurationbanners 6-35DNS 6-33NTP 6-20password and privilege level 6-2RADIUS 6-8, 11-4SNMP 17-5system message logging 20-3system name and prompt 6-32TACACS+ 6-13, 11-18directorieschanging 19-4creating and removing 19-4displaying the working 19-4DNSdefault configuration 6-33displaying the configuration 6-34overview 6-33setting up 6-33domain names
IndexIN-3Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01DNS 6-33Domain Name SystemSee DNSdownloadingconfiguration filespreparing 19-10, 19-13, 19-16reasons for 19-8using FTP 19-13using RCP 19-16using TFTP 19-11image filesdeleting old image 19-22preparing 19-20, 19-23, 19-27reasons for 19-18using FTP 19-24using RCP 19-29using TFTP 19-21EEAP authenticationoverview 10-3EAP-MD5 authenticationsetting on client and access point 10-10EAP-SIM authenticationsetting on client and access point 10-11EAP-TLS authenticationsetting on client and access point 10-10editing featuresenabling and disabling 5-6keystrokes used 5-6wrapped lines 5-7EIRP, maximum C-4 to C-5enable password 6-4enable secret password 6-4encrypted software image 6-16encryption for passwords 6-4error messagesduring command entry 5-4setting the display destination device 20-5severity levels 20-7system message format 20-2Ethernet indicator 21-2extended temperature range 2-3Ffallback role 7-3FCC Declaration of Conformity B-2FCC Safety Compliance 2-2filescopying 19-5deleting 19-5displaying the contents of 19-8tarcreating 19-6displaying the contents of 19-6extracting 19-7image file format 19-19file systemdisplaying available file systems 19-2displaying file information 19-3local file system names 19-2network file system names 19-5setting the default 19-3filteringshow and more command output 5-8Flash device, number of 19-2frequencies C-2, C-3frequency range G-2FTPaccessing MIB files F-2configuration filesdownloading 19-13overview 19-12preparing the server 19-13uploading 19-14image files
IndexIN-4Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01deleting old image 19-26downloading 19-24preparing the server 19-23uploading 19-26Gget-bulk-request operation 17-3get-next-request operation 17-3, 17-4get-request operation 17-3, 17-4get-response operation 17-3global configuration mode 5-2Hhelp, for the command line 5-3historychanging the buffer size 5-4described 5-4disabling 5-5recalling commands 5-5history table, level and number of syslog messages 20-8Home button 4-4IIGMP snooping helper 13-10indicators 21-2input power G-1installation guidelines 2-3interface configuration mode 5-2IP address, finding and setting 3-9IPSU 3-8ISO designators for protocols E-1Kkey features 1-2LLEAP authenticationsetting on client and access point 10-9LED indicatorsEthernet 21-2radio traffic 21-2status 21-2limiting client power level 7-6login authenticationwith RADIUS 6-8, 11-7with TACACS+ 6-13, 11-19login banners 6-34log messagesSee system message loggingMMAC 3-10, 3-11management optionsCLI 5-1Message Integrity Check 9-1messagesto users through banners 6-34MIBsaccessing files with FTP F-2location of files F-2overview 17-2SNMP interaction with 17-4MIC 9-1Mode button 21-6modulation G-2monitoringCDP 16-4NNetwork-EAP 10-3Network Time Protocol
IndexIN-5Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01See NTPno commands 5-3NTPassociationsauthenticating 6-20defined 6-18enabling broadcast messages 6-23peer 6-22server 6-22default configuration 6-20displaying the configuration 6-27overview 6-18restricting accesscreating an access group 6-25disabling NTP services per interface 6-26source IP address, configuring 6-26stratum 6-18synchronizing devices 6-22timeservices 6-18synchronizing 6-18OOK button 4-4operating temperature G-1Ppackage contents 2-3password reset 21-5passwordsdefault configuration 6-2encrypting 6-4overview 6-2settingenable 6-3enable secret 6-4with usernames 6-5PEAP authenticationsetting on client and access point 10-10pinouts, serial cable I-2ports, protected 7-14powerconnecting 2-5injector 2-6input G-1output G-2power levelmaximum C-4 to C-5on client devices 7-6preferential treatment of trafficSee QoSpreventing unauthorized access 6-2privileged EXEC mode 5-2privilege levelsexiting 6-7logging into 6-7overview 6-2, 6-6setting a command with 6-6Public Secure Packet Forwarding 7-13QQoSconfiguration guidelines 13-4overview 13-2quality of serviceSee QoSRradioindicator 21-2RADIUSattributes
IndexIN-6Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01vendor-proprietary 11-14vendor-specific 11-13configuringaccounting 11-12authentication 6-8, 11-7authorization 6-11, 11-11communication, global 11-5, 11-13communication, per-server 11-4, 11-5multiple UDP ports 11-5default configuration 6-8, 11-4defining AAA server groups 6-9, 11-9displaying the configuration 6-12, 11-15identifying the server 11-4limiting the services to the user 6-11, 11-11method list, defined 11-4operation of 11-3overview 11-2suggested network environments 11-2tracking services accessed by user 11-12range G-2rate limit, logging 20-9RCPconfiguration filesdownloading 19-16overview 19-15preparing the server 19-16uploading 19-17image filesdeleting old image 19-31downloading 19-29preparing the server 19-27uploading 19-31regulatory B-1domains C-2, C-3reloading access point image 21-6Remote Authentication Dial-In User ServiceSee RADIUSRemote Copy ProtocolSee RCPrepeaterchain of access points 18-2restricting accessNTP services 6-24overview 6-2passwords and privilege levels 6-2RADIUS 6-7, 11-1TACACS+ 6-12RFC1157, SNMPv1 17-21305, NTP 6-181901, SNMPv2C 17-21902 to 1907, SNMPv2 17-2RF exposure B-6roaming 1-5rotation, broadcast key 9-1Ssafety warnings, translated A-1secure remote connections 6-16Secure ShellSee SSHsecurity featuressynchronizing 10-9sequence numbers in log messages 20-6serialcable I-2Cisco cable I-2set-request operation 17-4severity levels, defining in system messages 20-7shared key 10-5show cdp traffic command 16-5Simple Network Management ProtocolSee SNMPsize G-1SNMPaccessing MIB variables with 17-4agent
IndexIN-7Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01described 17-3disabling 17-5community stringsconfiguring 17-5overview 17-3configuration examples 17-9default configuration 17-5limiting system log messages to NMS 20-8manager functions 17-3MIBslocation of F-2overview 17-2, 17-4snmp-server view 17-9status, displaying 17-10system contact and location 17-9trap manager, configuring 17-8trapsdescribed 17-3enabling 17-7overview 17-2, 17-4types of 17-7versions supported 17-2snooping helper, IGMP 13-10software imageslocation in Flash 19-19tar file format, described 19-19SSH 5-9configuring 6-17crypto software image 6-16described 6-16displaying settings 6-17SSH Communications Security, Ltd. 5-9SSIDmultiple SSIDs 8-1troubleshooting 21-4static WEPwith open authentication, setting on client and access point 10-9with shared key authentication, setting on client and access point 10-9statisticsCDP 16-4SNMP input and output 17-10status indicators 21-2, G-1storage temperature G-1stratum, NTP 6-18summer time 6-30switchport protected command 7-14syslogSee system message loggingsystem clockconfiguringdaylight saving time 6-30manually 6-28summer time 6-30time zones 6-29displaying the time and date 6-28overview 6-17See also NTPsystem message loggingdefault configuration 20-3defining error message severity levels 20-7disabling 20-4displaying the configuration 20-12enabling 20-4facility keywords, described 20-11level keywords, described 20-8limiting messages 20-8message format 20-2overview 20-2rate limit 20-9sequence numbers, enabling and disabling 20-6setting the display destination device 20-5timestamps, enabling and disabling 20-6UNIX syslog serversconfiguring the daemon 20-10configuring the logging facility 20-10
IndexIN-8Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01facilities supported 20-11system namedefault configuration 6-32manual configuration 6-32See also DNSsystem promptdefault setting 6-32TTAC 21-1TACACS+accounting, defined 11-16authentication, defined 11-16authorization, defined 11-16configuringaccounting 11-21authentication key 11-18authorization 6-14, 11-20login authentication 6-13, 11-19default configuration 6-13, 11-18displaying the configuration 6-15, 11-22identifying the server 11-18limiting the services to the user 6-14, 11-20operation of 11-17overview 11-16tracking services accessed by user 11-21tar filescreating 19-6displaying the contents of 19-6extracting 19-7image file format 19-19Telnet 3-12temperatureoperating G-1storage G-1Temporal Key Integrity Protocol 9-1Terminal Access Controller Access Control System PlusSee TACACS+terminal emulator 3-4TFTPconfiguration filesdownloading 19-11preparing the server 19-10uploading 19-11image filesdeleting 19-22downloading 19-21preparing the server 19-20uploading 19-22TFTP server 21-6timeSee NTP and system clocktimestamps in log messages 20-6time zones 6-29TKIP 9-1trapsconfiguring managers 17-7defined 17-3enabling 17-7notification types 17-7overview 17-2, 17-4troubleshooting 21-1with CiscoWorks 17-4with system message logging 20-2UUNIX syslog serversdaemon configuration 20-10facilities supported 20-11message logging configuration 20-10unpacking 2-3upgrading software imagesSee downloadinguploadingconfiguration filespreparing 19-10, 19-13, 19-16
IndexIN-9Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01reasons for 19-8using FTP 19-14using RCP 19-17using TFTP 19-11image filespreparing 19-20, 19-23, 19-27reasons for 19-18using FTP 19-26using RCP 19-31using TFTP 19-22user EXEC mode 5-2username-based authentication 6-5Vvoltage range G-1Wwarnings 2-2, A-1Web-based interfacecommon buttons 4-4compatible browsers 4-1web siteCisco Software Center 3-9, 21-8weight G-1WEP 9-1with EAP 10-3WEP key 21-4
IndexIN-10Cisco Aironet 1200 Series Access Point Installation and Configuration GuideOL-3446-01

Navigation menu