Cisco Aironet 1200 Series Access Point Installation and Configuration Guide

Cisco IOS Release 12.2(8)JA
February 2003

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Preface

Audience

This guide is for the networking professional who installs and manages the Cisco Aironet 1200 Series Access Point, hereafter referred to as the access point. To use this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of wireless local area networks.

Purpose

This guide provides the information you need to install and configure your access point.

Organization

Chapter 4, “Using the Web-Browser Interface,” describes how to use the web-browser interface to configure the access point.

Chapter 5, “Using the Command-Line Interface,” describes how to use the command-line interface (CLI) to configure the access point.

Chapter 23, “5-GHz Radio Module Upgrade,” provides instructions for upgrading the access point 5-GHz radio.

Appendix A, “Translated Safety Warnings,” provides translations of the safety warnings that appear in this publication.

Appendix B, “Declarations of Conformity and Regulatory Information,” provides declarations of conformity and regulatory information for the access point.
Conventions

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Warning: This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.

Warning: This warning symbol indicates danger. You are in a situation that could cause you physical injury. Before you begin working with any equipment, familiarize yourself with the hazards related to electrical circuits and with any common practices that can prevent possible accidents. (To see the translations of the warnings that appear in this publication, refer to the appendix “Translated Safety Warnings”.)
Obtaining Documentation

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which might have shipped with your product. The Documentation CD-ROM is updated monthly and might be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription. Registered Cisco.

Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.

Cisco.com

Cisco.

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register: http://tools.cisco.com/RPF/register/register.do If you are a Cisco.

Obtaining Additional Publications and Information

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.
Chapter 1 Overview

Cisco Aironet 1200 Series Access Points (hereafter called access points) provide a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, the 1200 series is a Wi-Fi certified, 802.11b-compliant and 802.11a-compliant wireless LAN transceiver. The 1200 series access point can contain two radios: a 2.

Features

This section describes access point features. Refer to Appendix G, “Access Point Specifications,” for a list of access point specifications.

Status Indicators

The three indicators on the top of the access point report Ethernet activity, association status, and radio activity.

• The Ethernet indicator signals Ethernet traffic on the wired LAN, or Ethernet infrastructure. This indicator is normally green when an Ethernet cable is connected and blinks green when a packet is received or transmitted over the Ethernet infrastructure. The indicator is off when the Ethernet cable is not connected.

– An inline power patch panel, such as the Cisco Catalyst Inline Power Patch Panel

Note: The Catalyst 3550-24 PWR switch supports power for access points configured with both 2.4-GHz and 5-GHz radios. Other switches and patch panels might not provide enough power for the 5-GHz radio.

UL 2043 Certification

Caution: The 1200 series power injectors are not tested to UL 2043 and should not be placed in a building’s environmental air space, such as above suspended ceilings.

– RADIUS accounting list identifier
– A separate SSID for infrastructure devices such as repeaters and workgroup bridges

• VLANs—Assign VLANs to the SSIDs on your access point (one VLAN per SSID) to differentiate policies and services among users.
• QoS—Use this feature to support quality of service for prioritizing traffic from the Ethernet to the access point. The access point also supports the voice-prioritization schemes used by 802.

Network Configuration Examples

This section describes the access point’s role in three common wireless network configurations. The access point’s default configuration is as a root unit connected to a wired LAN or as the central unit in an all-wireless network. The repeater role requires a specific configuration.

Root Unit on a Wired LAN

An access point connected directly to a wired LAN provides a connection point for wireless users.

Repeater Unit that Extends Wireless Range

An access point can be configured as a stand-alone repeater to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. The repeater forwards traffic between wireless users and the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN. The data is sent through the route that provides the best performance for the client.

Central Unit in an All-Wireless Network

In an all-wireless network, an access point acts as a stand-alone root unit. The access point is not attached to a wired LAN; it functions as a hub linking all stations together. The access point serves as the focal point for communications, increasing the communication range of wireless users. Figure 1-4 shows an access point in an all-wireless network.
Chapter 2 Installing the Access Point

This chapter describes the setup of the access point and includes the following sections:

• Safety Information
• Warnings
• Unpacking the Access Point
• Basic Installation Guidelines
• Before Beginning the Installation
• Installation Summary
• Connecting the 2.

Safety Information

Follow the guidelines in this section to ensure proper operation and safe use of the access point.

FCC Safety Compliance Statement

The FCC with its action in ET Docket 96-8 has adopted a safety standard for human exposure to radio frequency (RF) electromagnetic energy emitted by FCC certified equipment.

Unpacking the Access Point

Follow these steps to unpack the access point:

Step 1 Open the shipping container and carefully remove the contents.
Step 2 Return all packing materials to the shipping container and save it.
Step 3 Ensure that all items listed in the “Package Contents” section are included in the shipment. Check each item for damage. If any item is damaged or missing, notify your authorized Cisco sales representative.

Before Beginning the Installation

Before you begin the installation process, please refer to Figure 2-1 and Figure 2-2 to become familiar with the access point’s layout, connectors, and 5-GHz module location.

[Figure 2-1: Access Point Layout and Connectors]

Installation Summary

While installing the access point, you must perform the following operations:

• If your access point has a 2.4-GHz radio, connect a single antenna or dual diversity antennas (refer to the “Connecting the Ethernet and Power Cables” section on page 2-5).
• Connect Ethernet and power cables (refer to the “Connecting the Ethernet and Power Cables” section on page 2-5).

Connecting the Ethernet and Power Cables

The access point receives power through the Ethernet cable or an external power module. Figure 2-3 shows the power options for the access point.

Connecting to an Ethernet Network with an Inline Power Source

Caution: The Cisco Aironet Power Injector for the 1100 and 1200 series is designed for use with 1100 series or 1200 series access points only. Using the power injector with other Ethernet-ready devices can damage the equipment.

Powering Up the Access Point

When power is applied to the access point, it begins a routine power-up sequence that you can monitor by observing the three LEDs on top of the access point. After you observe all three LEDs turning green to indicate the starting of the IOS operating system, the Status LED blinks green signifying that IOS is operational.
Chapter 3 Configuring the Access Point for the First Time

This chapter describes how to configure basic settings on your access point for the first time. The contents of this chapter are similar to the instructions in the quick start guide that shipped with your access point.

Before You Start

Before you install the access point, make sure you are using a computer connected to the same network as the access point, and obtain the following information from your network administrator:

• A system name for the access point
• The case-sensitive wireless service set identifier (SSID) for your radio network
• If not connected to a DHCP server, a unique IP address for your access point (such as 172.17.255.

Obtaining and Assigning an IP Address

To browse to the access point’s Express Setup page, you must either obtain or assign the access point’s IP address using one of the following methods:

• Connect to the access point console port and assign a static IP address. Follow the steps in the “Connecting to the Access Point Locally” section on page 3-3 to connect to the console port.

Connecting to the Access Point Locally

If you need to configure the access point locally (without connecting the access point to a wired LAN), you can connect a PC to its console port using a DB-9 to RJ-45 serial cable.

Assigning Basic Settings

Figure 3-2 Summary Status Page

Step 5 Click Express Setup. The Express Setup screen appears. Figure 3-3 shows the Express Setup page.

Figure 3-3 Express Setup Page

Step 6 Enter the configuration settings you obtained from your system administrator. The configurable settings include:

• System Name— The system name, while not an essential setting, helps identify the access point on your network. The system name appears in the titles of the management system pages.

• Broadcast SSID in Beacon—Use this setting to allow devices that do not specify an SSID to associate with the access point.
  – Yes—This is the default setting; it allows devices that do not specify an SSID to associate with the access point.
  – No—Devices must specify an SSID to associate with the access point. With No selected, the SSID used by the client devices must match exactly the access point’s SSID.

Table 3-1 Default Settings on the Express Setup Page (continued)

Setting            Default
IP Address         Assigned by DHCP by default; if DHCP is disabled, the default setting is 10.0.0.1
IP Subnet Mask     Assigned by DHCP by default; if DHCP is disabled, the default setting is 255.255.255.224
Default Gateway    Assigned by DHCP by default; if DHCP is disabled, the default setting is 0.0.0.

Using the IP Setup Utility

Tip: Another simple way to find the access point’s IP address is to look on the Status screen in the Aironet Client Utility on a client device associated to the access point.

Obtaining and Installing IPSU

IPSU is available on the Cisco web site. Follow these steps to obtain and install IPSU:

Step 1 Use your Internet browser to access the Cisco Software Center at the following URL: http://www.cisco.

Using IPSU to Find the Access Point’s IP Address

If your access point receives an IP address from a DHCP server, you can use IPSU to find its IP address. Because IPSU sends a reverse-ARP request based on the access point MAC address, you must run IPSU from a computer on the same subnet as the access point.

Using IPSU to Set the Access Point’s IP Address and SSID

If you want to change the default IP address (10.0.0.1) of the access point, you can use IPSU. You can also set the access point’s SSID at the same time.

Note: IPSU can change the access point’s IP address and SSID only from their default settings. After the IP address and SSID have been changed, IPSU cannot change them again.

Step 6 Click Set Parameters to change the access point’s IP address and SSID settings.
Step 7 Click Exit to exit IPSU.

Assigning an IP Address Using the CLI

When you connect the access point to the wired LAN, the access point links to the network using a bridge virtual interface (BVI) that it creates automatically.
Chapter 4 Using the Web-Browser Interface

This chapter describes the web-browser interface that you can use to configure the access point.

Using the Web-Browser Interface for the First Time

Use the access point’s IP address to browse to the management system. See the “Obtaining and Assigning an IP Address” section on page 3-3 for instructions on assigning an IP address to the access point. Follow these steps to begin using the web-browser interface:

Step 1 Start the browser.
Using the Management Pages in the Web-Browser Interface

Using Action Buttons

Table 4-1 lists the page links and buttons that appear on most management pages.

Table 4-1 Common Buttons on Management Pages

Button/Link         Description
Navigation Links
Home                Displays access point status page with information on the number of radio devices associated to the access point, the status of the Ethernet and radio interfaces, and a list of recent access point activity.

Character Restrictions in Entry Fields

Because the 1200 series access point uses Cisco IOS software, there are certain characters that you cannot use in the entry fields on the web-browser interface. Table 4-2 lists the illegal characters and the fields in which you cannot use them.
Chapter 5 Using the Command-Line Interface

This chapter describes the IOS command-line interface (CLI) that you can use to configure your access point.

IOS Command Modes

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode. When you start a session on the access point, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode.

Getting Help

You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 5-2.

Table 5-2 Help Summary

Command                        Purpose
help                           Obtains a brief description of the help system in any command mode.
abbreviated-command-entry?     Obtains a list of commands that begin with a particular character string.

Configuration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.

The range is from 0 to 256.

Beginning in line configuration mode, enter this command to configure the number of command lines the access point records for all sessions on a particular line:

    ap(config-line)# history [size number-of-lines]

The range is from 0 to 256.

Using Editing Features

Enabling and Disabling Editing Features

Although enhanced editing mode is automatically enabled, you can disable it.

Table 5-5 Editing Commands Through Keystrokes (continued)

Capability: Capitalize or lowercase words or capitalize a set of letters.
  Esc C    Capitalize at the cursor.
  Esc L    Change the word at the cursor to lowercase.
  Esc U    Capitalize letters from the cursor to the end of the word.
Capability: Designate a particular keystroke as an executable command, perhaps as a shortcut.
  Ctrl-V or Esc Q

After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right:

    ap(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$

The software assumes you have a terminal screen that is 80 columns wide.

Accessing the CLI

Note: In Windows 2000, the Telnet window does not contain drop-down menus. To start the Telnet session in Windows 2000, type open followed by the access point’s IP address.

Step 3 In the Host Name field, type the access point’s IP address and click Connect.
Step 4 At the username and password prompts, enter your administrator username and password. The default username is Cisco, and the default password is Cisco.
C H A P T E R 6 Administering the Access Point This chapter describes how to administer your access point.
Chapter 6 Administering the Access Point Preventing Unauthorized Access to Your Access Point Preventing Unauthorized Access to Your Access Point You can prevent unauthorized users from reconfiguring your access point and viewing configuration information. Typically, you want network administrators to have access to the access point while you restrict access to users who connect through a terminal or workstation from within the local network.
Chapter 6 Administering the Access Point Protecting Access to Privileged EXEC Commands Table 6-1 Default Password and Privilege Levels (continued) Feature Default Setting Enable secret password and privilege level The default enable password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file. Line password Default password is Cisco. The password is encrypted in the configuration file.
Chapter 6 Administering the Access Point Protecting Access to Privileged EXEC Commands Protecting Enable and Enable Secret Passwords with Encryption To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.
Chapter 6 Administering the Access Point Protecting Access to Privileged EXEC Commands If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
Chapter 6 Administering the Access Point Protecting Access to Privileged EXEC Commands To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command. You must have at least one username configured and you must have login local set to open a Telnet session to the access point.
Chapter 6 Administering the Access Point Controlling Access Point Access with RADIUS Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entries. or show privilege The first command displays the password and access level configuration. The second command displays the privilege level configuration. copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 6 Administering the Access Point Controlling Access Point Access with RADIUS These sections describe RADIUS configuration: • Default RADIUS Configuration, page 6-8 • Configuring RADIUS Login Authentication, page 6-8 (required) • Defining AAA Server Groups, page 6-9 (optional) • Configuring RADIUS Authorization for User Privileged Access and Network Services, page 6-11 (optional) • Displaying the RADIUS Configuration, page 6-12 Default RADIUS Configuration RADIUS and AAA are disabled by
Chapter 6 Administering the Access Point Controlling Access Point Access with RADIUS Step 3 Command Purpose aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Chapter 6 Administering the Access Point Controlling Access Point Access with RADIUS Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Chapter 6 Administering the Access Point Controlling Access Point Access with RADIUS Step 4 Command Purpose aaa group server radius group-name Define the AAA server-group with a group name. This command puts the access point in a server group configuration mode. Step 5 server ip-address Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: aaa authorization network radius
  Purpose: Configure the access point for user RADIUS authorization for all network-related service requests.
Default TACACS+ Configuration

TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate administrators accessing the access point through the CLI.
Step 3
  Command: aaa authentication login {default | list-name} method1 [method2...]
  Purpose: Create a login authentication method list.
  • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Note
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.
• Use the local database if authentication was not performed by using TACACS+.
Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
Step 3
  Command: aaa authentication login default local
  Purpose: Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all interfaces.
Step 4
  Command: aaa authorization exec local
  Purpose: Configure user AAA authorization to determine if the user is allowed to run an EXEC shell by checking the local database.
SSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated. The SSH feature has an SSH server and an SSH integrated client.
• User show commands
• Logging and debugging messages

The system clock determines time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time is correctly displayed for the local time zone.
Figure 6-1 Typical NTP Network Configuration
[Figure: a Catalyst 6500 series switch (NTP master), local workgroup servers, and Catalyst 3550 switches. Annotations: "These switches are configured in NTP server mode (server association) with the Catalyst 6500 series switch." and "This switch is configured as an NTP peer to the upstream and downstream Catalyst 3550 switches."]
Default NTP Configuration

Table 6-2 shows the default NTP configuration.

Table 6-2 Default NTP Configuration
Feature                            Default Setting
NTP authentication                 Disabled. No authentication key is specified.
NTP peer or server associations    None configured.
NTP broadcast service              Disabled; no interface sends or receives NTP broadcast packets.
NTP access restrictions            No access control is specified.
Step 4
  Command: ntp trusted-key key-number
  Purpose: Specify one or more key numbers (defined in Step 3) that a peer NTP device must provide in its NTP packets for this access point to synchronize to it. By default, no trusted keys are defined. For key-number, specify the key defined in Step 3. This command provides protection against accidentally synchronizing the access point to a device that is not trusted.
Configuring NTP Associations

An NTP association can be a peer association (this access point can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this access point synchronizes to the other device, and not the other way around).
Configuring NTP Broadcast Service

The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead.
Beginning in privileged EXEC mode, follow these steps to configure the access point to receive NTP broadcast packets from connected peers:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: interface interface-id
  Purpose: Enter interface configuration mode, and specify the interface to receive NTP broadcast packets.
Step 3
  Command: ntp broadcast client
  Purpose: Enable the interface to receive NTP broadcast packets.
Creating an Access Group and Assigning a Basic IP Access List

Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: ntp access-group {query-only | serve-only | serve | peer} access-list-number
  Purpose: Create an access group, and apply a basic IP access list.
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted. To remove access control to the access point NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.
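The decision rules above can be checked against a planned set of access groups before they are applied. The following Python model is an added example, not code from this guide or from Cisco; the scan order of the access types is an assumption taken from Cisco IOS NTP documentation (it is not stated in the text above), and the access lists and addresses are constructed samples.

```python
import ipaddress

# Scan order, least to most restrictive. Assumption: taken from Cisco IOS NTP
# documentation, because the order is not spelled out in the text above.
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")

# Constructed sample: basic IP access lists as ordered (action, network) entries.
SAMPLE_ACLS = {
    99: [("permit", "192.0.2.5/32")],
    42: [("deny", "192.0.2.77/32"), ("permit", "192.0.2.0/24")],
}

# Constructed sample, equivalent to "ntp access-group peer 99" and
# "ntp access-group serve-only 42".
SAMPLE_GROUPS = {"peer": 99, "serve-only": 42}


def acl_permits(entries, source):
    """Evaluate a basic IP access list: the first matching entry decides,
    and a source that matches no entry is denied (implicit deny)."""
    addr = ipaddress.ip_address(source)
    for action, network in entries:
        if addr in ipaddress.ip_network(network):
            return action == "permit"
    return False


def ntp_access(access_groups, acls, source):
    """Return the access type granted to source, "all", or None.

    access_groups maps an access type to an access-list number;
    acls maps an access-list number to its ordered entries.
    """
    if not access_groups:
        # No access groups specified: all access types granted to all devices.
        return "all"
    for access_type in SCAN_ORDER:
        number = access_groups.get(access_type)
        if number is not None and acl_permits(acls[number], source):
            # A source matching several types gets the first one scanned.
            return access_type
    # Access groups exist, so only the specified types are granted.
    return None


def exposure_report(access_groups, acls, sources):
    """Map each source address to the access it would receive."""
    return {src: ntp_access(access_groups, acls, src) for src in sources}


if __name__ == "__main__":
    hosts = ["192.0.2.5", "192.0.2.20", "192.0.2.77", "198.51.100.9"]
    for host, granted in exposure_report(SAMPLE_GROUPS, SAMPLE_ACLS, hosts).items():
        print(f"{host:15} -> {granted}")
```

An empty access_groups mapping models the default configuration, in which every device is granted every access type.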
Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: ntp source type number
  Purpose: Specify the interface type and number from which the IP source address is taken. By default, the source address is determined by the outgoing interface.
Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.

Beginning in privileged EXEC mode, follow these steps to set the system clock:

Step 1
  Command: clock set hh:mm:ss day month year
  Purpose: Manually set the system clock using one of these formats.
Configuring the Time Zone

Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: clock timezone zone hours-offset [minutes-offset]
  Purpose: Set the time zone. The access point keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.
Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: clock summer-time zone recurring
  Purpose: Configure summer time to start and end on the specified days every year.
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: clock summer-time zone date [month date year hh:mm month date year hh:mm
  Purpose: Configure summer time to start on the first date and end on the second date.
Configuring a System Name and Prompt

You configure the system name on the access point to identify it. By default, the system name and prompt are ap. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol (>) is appended.
Understanding DNS

The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map host names to IP addresses. When you configure DNS on your access point, you can substitute the host name for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.
Step 3
  Command: ip name-server server-address1 [server-address2 ... server-address6]
  Purpose: Specify the address of one or more name servers to use for name and address resolution. You can specify up to six name servers. Separate each server address with a space.
Step 4
  Command: ip domain-lookup
  Purpose: (Optional) Enable DNS-based host name-to-address translation on your access point. This feature is enabled by default.
This section contains this configuration information:
• Default Banner Configuration
• Configuring a Message-of-the-Day Login Banner
• Configuring a Login Banner

Default Banner Configuration

The MOTD and login banners are not configured.

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs into the access point.
User Access Verification
Password:

Configuring a Login Banner

You can configure a login banner to appear on all connected terminals. This banner appears after the MOTD banner and before the login prompt.

Beginning in privileged EXEC mode, follow these steps to configure a login banner:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: banner login c message c
  Purpose: Specify the login message.
CHAPTER 7
Configuring Radio Settings

This chapter describes how to configure radio settings for your access point.
Disabling and Enabling the Radio Interface

The access point radios are enabled by default.

Beginning in privileged EXEC mode, follow these steps to disable the access point radio:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: interface dot11radio { 0 | 1 }
  Purpose: Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Figure 7-1 Root and Repeater Access Points
[Figure: an access point (root unit) connected to the wired LAN, and an access point (repeater).]

See Chapter 18, “Configuring Repeater and Standby Access Points,” for detailed instructions on setting up repeaters.

You can also configure a fallback role for the access point radio. The access point automatically assumes the fallback role when its Ethernet port is disabled or disconnected from the wired LAN.
Step 3
  Command: station role repeater | root [ fallback { shutdown | repeater } ]
  Purpose: Set the access point role.
  • Set the role to repeater or root.
  • (Optional) Select the radio’s fallback role. If the access point’s Ethernet port is disabled or disconnected from the wired LAN, the access point can either shut down its radio port or become a repeater access point associated to a nearby root access point.
Step 3
  Command: speed
  Purpose: Set each data rate to basic or enabled, or enter range to optimize access point range or throughput to optimize throughput.
  These options are available for the 2.4-GHz radio:
    {[1.0] [11.0] [2.0] [5.5] [basic-1.0] [basic-11.0] [basic-2.0] [basic-5.5] | range | throughput}
  These options are available for the 5-GHz radio:
    {[6.0] [9.0] [12.0] [18.0] [24.0] [36.0] [48.0] [54.0] [basic-6.0] [basic-9.
Step 3
  Command: power local
  Purpose: Set the transmit power to one of the power levels allowed in your regulatory domain. All settings are in mW.
  These options are available for the 2.4-GHz radio:
    { 1 | 5 | 20 | 30 | 50 | 100 | maximum }
  Note: The settings allowed in your regulatory domain might differ from the settings listed here.
Configuring Radio Channel Settings

The default channel setting for the access point radios is least congested; at startup, the access point scans for and selects the least-congested channel. For most consistent performance after a site survey, however, we recommend that you assign a static channel setting for each access point. The channel settings on your access point correspond to the frequencies available in your regulatory domain.
Step 3
  Command: channel frequency | least-congested
  Purpose: Set the default channel for the access point radio. To search for the least-congested channel on startup, enter least-congested.
  These are the available frequencies (in MHz) for the 2.
Enabling and Disabling World-Mode

When you enable world mode, the access point adds channel carrier set information to its beacon. Client devices with world mode enabled receive the carrier set information and adjust their settings automatically. For example, a client device used primarily in Japan could rely on world mode to adjust its channel and power settings automatically when it travels to Italy and joins a network there.
Step 4
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 5
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

Short preambles are enabled by default. Use the preamble-short command to enable short preambles if they are disabled.

Configuring Transmit and Receive Antennas

You can select the antenna the access point uses to receive and transmit data.
Disabling and Enabling Aironet Extensions

By default, the access point uses Cisco Aironet 802.11 extensions to detect the capabilities of Cisco Aironet client devices and to support features that require specific interaction between the access point and associated client devices.
Configuring the Ethernet Encapsulation Transformation Method

When the access point receives data packets that are not 802.3 packets, the access point must format the packets to 802.3 using an encapsulation transformation method. These are the two transformation methods:
• 802.1H: This method provides optimum performance for Cisco Aironet wireless products. This is the default setting.
Note: This feature is best suited for use with stationary workgroup bridges. Mobile workgroup bridges might encounter spots in the access point's coverage area where they do not receive multicast packets and lose communication with the access point even though they are still associated to it.

A Cisco Aironet Workgroup Bridge provides a wireless LAN connection for up to eight Ethernet-enabled devices.
PSPF is disabled by default. Beginning in privileged EXEC mode, follow these steps to enable PSPF:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: interface dot11radio { 0 | 1 }
  Purpose: Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 3
  Command: bridge-group group port-protected
  Purpose: Enable PSPF.
Configuring the Beacon Period and the DTIM

The beacon period is the amount of time between access point beacons in Kilomicroseconds. One Kµsec equals 1,024 microseconds. The Data Beacon Rate, always a multiple of the beacon period, determines how often the beacon contains a delivery traffic indication message (DTIM). The DTIM tells power-save client devices that a packet is waiting for them.
Configuring the Maximum Data Retries

The maximum data retries setting determines the number of attempts the access point makes to send a packet before giving up and dropping the packet. The default setting is 32.

Beginning in privileged EXEC mode, follow these steps to configure the maximum data retries:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
CHAPTER 8
Configuring Multiple SSIDs

This chapter describes how to configure and manage multiple service set identifiers (SSIDs) on the access point.
Understanding Multiple SSIDs

The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or sub-network can use the same SSIDs. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. Do not include spaces in your SSIDs.
Default SSID Configuration

Table 8-1 shows the default SSID configuration:

Table 8-1 Default SSID Configuration
Feature            Default Setting
SSID               tsunami
Guest Mode SSID    tsunami (The access point broadcasts this SSID in its beacon and allows client devices with no SSID to associate.
Step 8
  Command: infrastructure-ssid [optional]
  Purpose: (Optional) Designate the SSID as the SSID that other access points and workgroup bridges use to associate to this access point. If you do not designate an SSID as the infrastructure SSID, infrastructure devices can associate to the access point using any SSID.
c. If the RADIUS server does not return any SSIDs (no list) for the client, then the administrator has not configured the list, and the client is allowed to associate and attempt to authenticate.

The allowed list of SSIDs from the RADIUS server is in the form of Cisco VSAs.
Cisco Aironet 1200 Series Access Point Installation and Configuration Guide, OL-3446-01
CHAPTER 9
Configuring WEP and WEP Features

This chapter describes how to configure Wired Equivalent Privacy (WEP), Message Integrity Check (MIC), Temporal Key Integrity Protocol (TKIP), and broadcast key rotation.
Understanding WEP

Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's radio transmissions. Because WEP is the first line of defense against intruders, Cisco recommends that you use full encryption on your wireless network.
Creating WEP Keys

Beginning in privileged EXEC mode, follow these steps to create a WEP key and set the key properties:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: interface dot11radio { 0 | 1 }
  Purpose: Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 3
  Command: encryption [vlan vlan-id] mode wep {optional [key-hash] | mandatory [mic] [key-hash]}
  Purpose: Enable WEP, MIC, and TKIP.
  • (Optional) Select the VLAN for which you want to enable WEP and WEP features.
  • Set the WEP level and enable TKIP and MIC. If you enter optional, client devices can associate to the access point with or without WEP enabled.
CHAPTER 10
Configuring Authentication Types

This chapter describes how to configure authentication types on the access point.
Understanding Authentication Types

This section describes the authentication types that you can configure on the access point. The authentication types are tied to the SSIDs that you configure for the access point. If you want to serve different types of client devices with the same access point, you can configure multiple SSIDs.
access point allows the requesting device to authenticate. Both the unencrypted challenge and the encrypted challenge can be monitored, however, which leaves the access point open to attack from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings. Because of this weakness, shared key authentication can be less secure than open authentication.
When you enable EAP on your access points and client devices, authentication to the network occurs in the sequence shown in Figure 10-3:

Figure 10-3 Sequence for EAP Authentication
[Figure: message sequence among the client device, the access point or bridge, and the server on the wired LAN. Legible labels: 1. Authentication request; 3. Username; 4. Authentication challenge; 5. Authentication response; relays marked "(relay to server)" and "(relay to client)".]
MAC Address Authentication to the Network

The access point relays the wireless client device’s MAC address to a RADIUS server on your network, and the server checks the address against a list of allowed MAC addresses. Intruders can create counterfeit MAC addresses, so MAC-based authentication is less secure than EAP authentication.
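The weaker settings named in Chapters 8 through 10 (the default tsunami SSID and its guest mode, optional WEP, shared key authentication, and MAC-only authentication) can be looked for in a saved configuration. The following Python audit is an added example, not code from this guide or from Cisco; the configuration text is a constructed sample, the rule names are hypothetical, and the layout of the saved configuration (ssid blocks nested under each radio interface) is an assumption.

```python
DEFAULT_SSID = "tsunami"  # default SSID and guest-mode SSID per Table 8-1

# Rule names are hypothetical labels; each reason paraphrases this guide.
RULES = {
    "DEFAULT_SSID": "factory-default SSID is still configured",
    "GUEST_MODE": "SSID is broadcast in the beacon; clients with no SSID can associate",
    "WEP_OPTIONAL": "clients can associate with or without WEP enabled",
    "SHARED_KEY": "challenge and response can both be monitored to calculate the WEP key",
    "MAC_ONLY": "MAC addresses can be counterfeited; less secure than EAP",
}

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
interface Dot11Radio0
 encryption mode wep optional
 ssid tsunami
    authentication open
    guest-mode
 ssid warehouse
    authentication open mac-address mac_list
 ssid staff
    authentication network-eap eap_methods
 ssid legacy
    authentication shared
!
interface Dot11Radio1
 encryption mode wep mandatory
 ssid staff5
    authentication network-eap eap_methods
"""


def audit_radio_config(text):
    """Return (scope, rule) findings for the radio and SSID settings in text."""
    findings = []
    interface = ssid = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            interface = ssid = None          # section separator ends the block
            continue
        scope = interface or "global"
        if words[0] == "interface" and len(words) > 1:
            interface, ssid = words[1], None
        elif words[0] == "ssid" and len(words) > 1:
            ssid = words[1]
            if ssid == DEFAULT_SSID:
                findings.append((f"{scope}/{ssid}", "DEFAULT_SSID"))
        elif words[0] == "encryption" and "wep" in words:
            level = words[words.index("wep") + 1:][:1]
            if level == ["optional"]:
                findings.append((scope, "WEP_OPTIONAL"))
        elif ssid and words[0] == "guest-mode":
            findings.append((f"{scope}/{ssid}", "GUEST_MODE"))
        elif ssid and words[0] == "authentication":
            if words[1:2] == ["shared"]:
                findings.append((f"{scope}/{ssid}", "SHARED_KEY"))
            elif (words[1:2] == ["open"] and "mac-address" in words
                  and "eap" not in words):
                findings.append((f"{scope}/{ssid}", "MAC_ONLY"))
    return findings


if __name__ == "__main__":
    for scope, rule in audit_radio_config(SAMPLE_CONFIG):
        print(f"{scope:24} {rule:13} {RULES[rule]}")
```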
Configuring Authentication Types

This section describes how to configure authentication types. You attach configuration types to the access point’s SSIDs. See Chapter 8, “Configuring Multiple SSIDs,” for details on setting up multiple SSIDs.
Step 4
  Command: authentication open [mac-address list-name [alternate]] [eap list-name]
  Purpose: (Optional) Set the authentication type to open for this SSID. Open authentication allows any device to authenticate and then attempt to communicate with the access point.
  • (Optional) Set the SSID’s authentication type to open with MAC address authentication.
Step 6
  Command: authentication network-eap list-name [mac-address list-name]
  Purpose: (Optional) Set the authentication type for the SSID to Network-EAP. Using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key.
Step 5
  Command: dot1x reauth-period seconds [server]
  Purpose: Enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate.
  • (Optional) Enter the server keyword to configure the access point to use the reauthentication period specified by the authentication server.
Table 10-2 Client and Access Point Security Settings (continued)
Columns: Security Feature, Client Setting, Access Point Setting
If using ACU to configure card Enable Host Based EAP and Use Dynamic WEP Keys in ACU and select Enable network access control using IEEE 802.
CHAPTER 11
Configuring RADIUS and TACACS+ Servers

This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+), which provide detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS and TACACS+ are facilitated through AAA and can be enabled only through AAA commands.
Configuring and Enabling RADIUS

This section describes how to configure and enable RADIUS. These sections describe RADIUS configuration:
• Understanding RADIUS
• RADIUS Operation
• Configuring RADIUS
• Displaying the RADIUS Configuration

Understanding RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access.
RADIUS Operation

When a wireless user attempts to log in and authenticate to an access point whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in Figure 11-1:

Figure 11-1 Sequence for EAP Authentication
[Figure: message sequence among the client device, the access point or bridge, and the server on the wired LAN. Legible labels: 1. Authentication request; 3. Username; 4. Authentication challenge; relays marked "(relay to server)" and "(relay to client)".]
Configuring RADIUS

This section describes how to configure your access point to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
• Retransmission value

You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Step 3
  Command: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
  Purpose: Specify the IP address or host name of the remote RADIUS server host.
  • (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:

    AP(config)# radius-server host host1

Note: You also need to configure some settings on the RADIUS server. These settings include the IP address of the access point and the key string to be shared by both the server and the access point.
Step 3
  Command: aaa authentication login {default | list-name} method1 [method2...]
  Purpose: Create a login authentication method list.
  • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Defining AAA Server Groups

You can configure the access point to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Step 3
  Command: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
  Purpose: Specify the IP address or host name of the remote RADIUS server host.
  • (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: aaa authorization network radius
  Purpose: Configure the access point for user RADIUS authorization for all network-related service requests.
Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the access point and all RADIUS servers:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: radius-server key string
  Purpose: Specify the shared secret text string used between the access point and all RADIUS servers.
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
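The AV pair layout described above (protocol, a colon, attribute, a separator of = or *, then the value) can be parsed when reviewing what a RADIUS server hands back for authorization. The following Python parser is an added example, not code from this guide or from Cisco; the sample replies and user names are constructed, and the use of the shell protocol's priv-lvl attribute with 15 as the highest level is an assumption drawn from general Cisco IOS behavior rather than from the text above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    protocol: str
    attribute: str
    mandatory: bool   # True for "=", False for "*"
    value: str


# Constructed sample: AV pair strings returned per user (not real server data).
SAMPLE_REPLIES = {
    "alice": ["shell:priv-lvl=15"],
    "bob": ["shell:priv-lvl=1", "ip:addr-pool*first"],
    "svc-backup": ["shell:priv-lvl=15"],
    "carol": ["malformed-entry"],
}


def parse_avpair(text):
    """Split 'protocol:attribute<sep>value' where sep is '=' or '*'.

    The separator is the first '=' or '*' after the colon, so a value may
    itself contain either character.
    """
    protocol, colon, rest = text.partition(":")
    protocol = protocol.strip()
    if not colon or not protocol:
        raise ValueError(f"no protocol prefix in {text!r}")
    cuts = [i for i in (rest.find("="), rest.find("*")) if i != -1]
    if not cuts:
        raise ValueError(f"no separator in {text!r}")
    cut = min(cuts)
    attribute = rest[:cut].strip()
    if not attribute:
        raise ValueError(f"empty attribute in {text!r}")
    return AVPair(protocol, attribute, rest[cut] == "=", rest[cut + 1:].strip())


def exec_privilege(avpairs):
    """Return the highest EXEC privilege level granted, or None.

    Assumption: the level is carried as shell:priv-lvl, as in Cisco IOS.
    Malformed entries are skipped rather than trusted.
    """
    levels = []
    for raw in avpairs:
        try:
            pair = parse_avpair(raw)
        except ValueError:
            continue
        if (pair.protocol, pair.attribute) == ("shell", "priv-lvl") and pair.value.isdigit():
            levels.append(int(pair.value))
    return max(levels) if levels else None


def unexpected_admins(replies, approved):
    """List users granted level 15 who are not on the approved list."""
    return sorted(
        user for user, pairs in replies.items()
        if exec_privilege(pairs) == 15 and user not in approved
    )


if __name__ == "__main__":
    print(unexpected_admins(SAMPLE_REPLIES, approved={"alice"}))
```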
Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: radius-server host {hostname | ip-address} non-standard
  Purpose: Specify the IP address or host name of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS.
Configuring and Enabling TACACS+

This section contains this configuration information:
• Understanding TACACS+
• TACACS+ Operation
• Configuring TACACS+
• Displaying the TACACS+ Configuration

Understanding TACACS+

TACACS+ is a security application that provides centralized validation of users attempting to gain access to your access point.
TACACS+ Operation

When an administrator attempts a simple ASCII login by authenticating to an access point using TACACS+, this process occurs:
1. When the connection is established, the access point contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the administrator. The administrator enters a username, and the access point then contacts the TACACS+ daemon to obtain a password prompt.
This section contains this configuration information:
• Default TACACS+ Configuration
• Identifying the TACACS+ Server Host and Setting the Authentication Key
• Configuring TACACS+ Login Authentication
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
• Starting TACACS+ Accounting

Default TACACS+ Configuration

TACACS+ an
Step 5
  Command: server ip-address
  Purpose: (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
Step 6
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 7
  Command: show tacacs
  Purpose: Verify your entries.
Step 3
  Command: aaa authentication login {default | list-name} method1 [method2...]
  Purpose: Create a login authentication method list.
  • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.
• Use the local database if authentication was not performed by using TACACS+.

Note: Authorization is bypassed for authenticated administrators who log in through the CLI even if authorization has been configured.
Step 5
  Command: show running-config
  Purpose: Verify your entries.
Step 6
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command.

Displaying the TACACS+ Configuration

To display TACACS+ server statistics, use the show tacacs privileged EXEC command.
CHAPTER 12
Configuring VLANs

This chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN.
Understanding VLANs

A VLAN is a switched network that is logically segmented, by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other teams.
Figure 12-1 LAN and VLAN Segmentation with Wireless Devices (diagram comparing traditional LAN segmentation with VLAN segmentation; trunk port mapping: SSID 1 = VLAN1, SSID 2 = VLAN2, SSID 3 = VLAN3)

Related Documents

These documents provide more detailed information pe
Incorporating Wireless Devices into VLANs

The basic wireless components of a VLAN consist of an access point and a client associated to it using wireless technology. The access point is physically connected through a trunk port to the network VLAN switch on which the VLAN is configured. The physical connection to the VLAN switch is through the access point’s Ethernet port.
You can configure up to 16 SSIDs on the access point, so you can support up to 16 VLANs that are configured on your LAN.

Beginning in privileged EXEC mode, follow these steps to assign an SSID to a VLAN and enable the VLAN on the access point radio and Ethernet ports:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: interface dot11radio0
  Purpose: Enter interface configuration mode for the radio interface.
ap1200(config)# interface fastEthernet0.1
ap1200(config-subif)# encapsulation dot1q 1 native
ap1200(config-subif)# exit
ap1200(config)# end

Using a RADIUS Server to Assign Users to VLANs

You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. The VLAN-mapping process consists of these steps:
1.
VLAN Configuration Example

This example shows how to use VLANs to manage wireless devices on a college campus. In this example, three levels of access are available through VLANs configured on the wired network:
• Management access—Highest level of access; users can access all internal drives and files, departmental databases, top-level financial information, and other sensitive information.
Table 12-2 shows the commands needed to configure the three VLANs in this example.
Table 12-3 shows the results of the configuration commands in Table 12-2. Use the show running command to display the running configuration on the access point.

Table 12-3 Results of Example Configuration Commands
VLAN 1 Interfaces | VLAN 2 Interfaces | VLAN 3 Interfaces
interface Dot11Radio0.
Chapter 12 Configuring VLANs VLAN Configuration Example Cisco Aironet 1200 Series Access Point Installation and Configuration Guide 12-10 OL-3446-01
CHAPTER 13
Configuring QoS

This chapter describes how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Understanding QoS for Wireless LANs

Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Figure 13-1 Upstream and Downstream Traffic Flow (diagram labels: Client device, Access point, Wired LAN; Radio downstream, Radio upstream, Ethernet downstream, Ethernet upstream)

• The radio downstream flow is traffic transmitted out the access point radio to a wireless client device. This traffic is the main focus for QoS on a wireless LAN.
• The radio upstream flow is traffic transmitted out the wireless client device to the access point.
Configuration Guidelines

Before configuring QoS on your access point, you should be aware of this information:
• The most important guideline in QoS deployment is to be familiar with the traffic on your wireless LAN. If you know the applications used by wireless client devices, the applications’ sensitivity to delay, and the amount of traffic associated with the applications, you can configure QoS to improve performance.
Figure 13-2 QoS Policies Page

Step 3 With selected in the Create/Edit Policy field, type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters. Do not include spaces in the policy name.
Step 4 Step 5 If the packets that you need to prioritize contain IP precedence information in the IP header TOS field, select an IP precedence classification from the IP Precedence drop-down menu.
• Class Selector 1
• Class Selector 2
• Class Selector 3
• Class Selector 4
• Class Selector 5
• Class Selector 6
• Class Selector 7
• Expedited Forwarding

Step 8 Use the Apply Class of Service drop-down menu to select the class of service that the access point will apply to packets of the type that you selected from the IP DSCP menu. The access point matches your IP DSCP selection with your class of service selection.
Step 19 Click the Apply button at the bottom of the page to apply the policies to the access point ports.

Step 20 If you want the access point to give priority to all voice packets regardless of VLAN, click the Advanced tab. Figure 13-3 shows the QoS Policies - Advanced page.

Figure 13-3 QoS Policies - Advanced Page

Select Enable and click Apply to give top priority to all voice packets.
Table 13-1 Default QoS Radio Traffic Class Definitions

Class of Service        | Min Contention Window | Max Contention Window | Fixed Slot Time
Best Effort             | 5                     | 10                    | 2
Background              | 6                     | 10                    | 3
Spare                   | 5                     | 10                    | 3
Excellent Effort        | 5                     | 10                    | 2
Controlled Load         | 4                     | 10                    | 2
Video <100ms Latency    | 4                     | 8                     | 2
Voice <100ms Latency    | 2                     | 8                     | 2
Network Control         | 3                     | 8                     | 2

Figure 13-4 shows the Radio Traffic Classes page.
Disabling IGMP Snooping Helper

When Internet Group Membership Protocol (IGMP) snooping is enabled on a switch and a client roams from one access point to another, the client’s multicast session is dropped. When the access point’s IGMP snooping helper is enabled, the access point sends a general IGMP query to the network infrastructure on behalf of the client every time the client associates or reassociates to the access point.
Figure 13-5 QoS Policies Page for Voice Example

The network administrator also enables the QoS element for wireless phones setting on the QoS Policies - Advanced page. This setting gives priority to all voice traffic regardless of VLAN.
Giving Priority to Video Traffic

This section demonstrates how you could apply a QoS policy to a VLAN on your network dedicated to video traffic. In this example, the network administrator creates a policy named video_policy that applies video class of service to video traffic. The user applies the video_policy to the incoming and outgoing radio ports and to the outgoing Ethernet port for VLAN 87.
CHAPTER 14
Configuring Proxy Mobile IP

This chapter describes how to configure your access point’s proxy Mobile IP feature.
Understanding Proxy Mobile IP

These sections explain how access points conduct proxy Mobile IP:
• Overview
• Components of a Proxy Mobile IP Network
• How Proxy Mobile IP Works
• Proxy Mobile IP Security

Overview

The access point’s proxy Mobile IP feature works in conjunction with the Mobile IP feature in IOS.
• An authoritative access point on your network supporting proxy Mobile IP. The authoritative access point uses a subnet map to keep track of the home agent information for all visiting client devices.
• A home agent. The home agent is a router on the visiting client’s home network that serves as the anchor point for communication with the access point and the visiting client.
The IRDP advertisements carry Mobile IP extensions that specify whether an agent is a home agent, foreign agent, or both; its care-of address; the types of services it provides, such as reverse tunneling and generic routing encapsulation (GRE); and the allowed registration lifetime or roaming period for visiting client devices. Rather than waiting for agent advertisements, an access point can send out an agent solicitation.
When a client device associates to an access point and the access point determines that the client is visiting from another network, the access point performs a longest-match lookup on its subnet map table and obtains the home agent address for the visiting client. When the access point has the home agent address, it can proceed to the registration step.
Typically, the visiting client sends packets as it normally would. The access point intercepts these packets and sends them to the foreign agent, which routes them to their final destination, the correspondent node.

Proxy Mobile IP Security

Mobile IP uses a strong authentication scheme to protect communications to and from visiting clients.
• To use proxy Mobile IP with DHCP-enabled client devices, you must disable Media Sense on the client devices. You can find instructions for disabling Media Sense in Microsoft Knowledge Base Article Q239924. Click this URL to browse to this article: http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q239924&
• Proxy Mobile IP does not support VLANs.
Step 7
  Command: exit
  Purpose: Return to global config mode.
Step 8
  Command: interface dot11radio { 0 | 1 }
  Purpose: Enter interface configuration mode for the radio port. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 9
  Command: ip proxy-mobile
  Purpose: Enable proxy Mobile IP on the radio port.
Step 10
  Command: ssid ssid
  Purpose: Enter an SSID for which you want to enable proxy Mobile IP.
CHAPTER 15
Configuring Filters

This chapter describes how to configure and manage MAC address, IP, and Ethertype filters on the access point using the web-browser interface.
Understanding Filters

Protocol filters (IP protocol, IP port, and Ethertype) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports. You can set up individual protocol filters or sets of filters. You can filter protocols for wireless client devices, users on the wired LAN, or both.
Configuring and Enabling MAC Address Filters

MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify.
Creating a MAC Address Filter

Follow these steps to create a MAC address filter:

Step 1 Follow the link path to the MAC Address Filters page.

Step 2 If you are creating a new MAC address filter, make sure (the default) is selected in the Create/Edit Filter Index menu. To edit a filter, select the filter number from the Create/Edit Filter Index menu.
Figure 15-2 Apply Filters Page

Step 12 Select the filter number from one of the MAC drop-down menus. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets.

Step 13 Click Apply. The filter is enabled on the selected ports. If clients are not filtered immediately, click Reload on the System Configuration page to restart the access point.
Figure 15-3 IP Filters Page

Follow this link path to reach the IP Filters page:
1. Click Services in the page navigation bar.
2. In the Services page list, click Filters.
3. On the Apply Filters page, click the IP Filters tab at the top of the page.

Creating an IP Filter

Follow these steps to create an IP filter:

Step 1 Follow the link path to the IP Filters page.
Step 4 Select Forward all or Block all as the filter’s default action from the Default Action menu. The filter’s default action must be the opposite of the action for at least one of the addresses in the filter. For example, if you create a filter containing an IP address, an IP protocol, and an IP port and you select Block as the action for all of them, you must choose Forward All as the filter’s default action.
Figure 15-4 Apply Filters Page

Step 17 Select the filter name from one of the IP drop-down menus. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets.

Step 18 Click Apply. The filter is enabled on the selected ports.
Figure 15-5 Ethertype Filters Page

Follow this link path to reach the Ethertype Filters page:
1. Click Services in the page navigation bar.
2. In the Services page list, click Filters.
3. On the Apply Filters page, click the Ethertype Filters tab at the top of the page.

Creating an Ethertype Filter

Follow these steps to create an Ethertype filter:

Step 1 Follow the link path to the Ethertype Filters page.
Step 8 Select Forward All or Block All from the Default Action menu. The filter’s default action must be the opposite of the action for at least one of the Ethertypes in the filter. For example, if you enter several Ethertypes and you select Block as the action for all of them, you must choose Forward All as the filter’s default action.

Step 9 Click Apply.
CHAPTER 16
Configuring CDP

This chapter describes how to configure Cisco Discovery Protocol (CDP) on your access point.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Understanding CDP

Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. Information in CDP packets is used in network management software such as CiscoWorks2000. CDP is enabled on the access point’s Ethernet port by default.
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: cdp holdtime seconds
  Purpose: (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is from 10 to 255 seconds; the default is 180 seconds.
Step 3
  Command: cdp timer seconds
  Purpose: (Optional) Set the transmission frequency of CDP updates in seconds. The range is from 5 to 254; the default is 60 seconds.
This example shows how to enable CDP.

AP# configure terminal
AP(config)# cdp run
AP(config)# end

Disabling and Enabling CDP on an Interface

CDP is enabled by default on all supported interfaces to send and receive CDP information.

Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Command: show cdp
  Description: Display global information, such as frequency of transmissions and the holdtime for packets being sent.
Command: show cdp entry entry-name [protocol | version]
  Description: Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information.
Interface: GigabitEthernet0/1, Holdtime : 141 sec
Port ID (outgoing port): FastEthernet0/10
Version :
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.1)XP, MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.
Perdido2    Gig 0/6    125    R S I    WS-C3550-1Gig 0/6
Perdido2    Gig 0/5    125    R S I    WS-C3550-1Gig 0/5

AP# show cdp traffic
CDP counters :
        Total packets output: 50882, Input: 52510
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
        CDP version 1 advertisements output: 0, Input: 0
        CDP version 2 advertisements output: 50882, Input: 52510
CHAPTER 17
Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your access point.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Understanding SNMP

SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and management information base (MIB) reside on the access point. To configure SNMP on the access point, you define the relationship between the manager and the agent.
You must configure the SNMP agent to use the version of SNMP supported by the management station. An agent can communicate with multiple managers; therefore, you can configure the software to support communications with one management station using the SNMPv1 protocol and another using the SNMPv2 protocol.

SNMP Manager Functions

The SNMP manager uses information in the MIB to perform the operations described in Table 17-1.
• Read-write—Gives read and write access to authorized management stations to all objects in the MIB, but does not allow access to the community strings
• Read-write-all—Gives read and write access to authorized management stations to all objects in the MIB, including the community strings

Using SNMP to Access MIB Variables

An example of an NMS is the CiscoWorks network management software.
Default SNMP Configuration

Table 17-2 shows the default SNMP configuration.
Beginning in privileged EXEC mode, follow these steps to configure a community string on the access point:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: snmp-server community string [ro | rw] [access-list-number]
  Purpose: Configure the community string.
Configuring Trap Managers and Enabling Traps

A trap manager is a management station that receives and processes traps. Traps are system alerts that the access point generates when certain events occur. By default, no trap manager is defined, and no traps are issued. Access points running this IOS release can have an unlimited number of trap managers. Community strings can be any length. Table 17-3 describes the supported access point traps (notification types).
Beginning in privileged EXEC mode, follow these steps to configure the access point to send traps to a host:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: snmp-server host host-addr {traps | informs} {version {1 | 2c}} community-string notification-type
  Purpose: Specify the recipient of the trap message.
  • For host-addr, specify the name or address of the host (the targeted recipient).
Setting the Agent Contact and Location Information

Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: snmp-server contact text
  Purpose: Set the system contact string. For example: snmp-server contact Dial System Operator at beeper 21555.
This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.

AP(config)# snmp-server community comaccess ro 4
AP(config)# snmp-server enable traps snmp authentication
AP(config)# snmp-server host cisco.
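The community-string and trap-host syntax from this chapter can be reviewed mechanically before a configuration is deployed. The following audit script is an added example, not part of this guide or of Cisco software; the rule names, the sample configuration and its 192.0.2.10 address are constructed for illustration, and the script assumes that a community configured without ro or rw is read-only.

```python
import re

WELL_KNOWN = {"public", "private"}      # widely known community strings
PROMPT = re.compile(r"^\S*[#>]\s+")     # leading CLI prompt, e.g. "AP(config)# "


def parse_snmp(config_text):
    """Return (communities, trap_hosts) parsed from IOS configuration text."""
    communities, trap_hosts = [], []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        tokens = PROMPT.sub("", raw.strip()).split()
        if tokens[:2] == ["snmp-server", "community"] and len(tokens) >= 3:
            # snmp-server community string [ro | rw] [access-list-number]
            entry = {"line": number, "string": tokens[2],
                     "mode": "ro",          # assumed default when omitted
                     "acl": None}
            for token in tokens[3:]:
                if token in ("ro", "rw"):
                    entry["mode"] = token
                elif token.isdigit():
                    entry["acl"] = int(token)
            communities.append(entry)
        elif tokens[:2] == ["snmp-server", "host"] and len(tokens) >= 4:
            # snmp-server host host-addr {traps | informs} {version {1 | 2c}}
            #     community-string notification-type
            rest = tokens[3:]
            if rest[0] in ("traps", "informs"):
                rest = rest[1:]
            if rest[:1] == ["version"]:
                rest = rest[2:]
            if rest:
                trap_hosts.append({"line": number, "host": tokens[2],
                                   "string": rest[0]})
    return communities, trap_hosts


def audit_snmp(config_text):
    """Return a list of (line, rule, community) findings."""
    communities, trap_hosts = parse_snmp(config_text)
    findings = []
    for c in communities:
        if c["string"].lower() in WELL_KNOWN:
            findings.append((c["line"], "well-known", c["string"]))
        if c["mode"] == "rw":
            findings.append((c["line"], "read-write", c["string"]))
        if c["acl"] is None:
            # Any station that knows the string can use it.
            findings.append((c["line"], "no-acl", c["string"]))
    access_strings = {c["string"] for c in communities}
    for h in trap_hosts:
        # SNMPv1/v2c traps carry the community in clear text, so a trap
        # community should not also grant access to the agent.
        if h["string"] in access_strings:
            findings.append((h["line"], "trap-community-reused", h["string"]))
    return findings


# Constructed sample: line 1 matches the example above, the rest are
# deliberately weak settings for the audit to flag.
SAMPLE = """\
AP(config)# snmp-server community comaccess ro 4
AP(config)# snmp-server community public
AP(config)# snmp-server community netops rw
AP(config)# snmp-server enable traps snmp authentication
AP(config)# snmp-server host 192.0.2.10 traps version 2c public
"""

if __name__ == "__main__":
    for line, rule, community in audit_snmp(SAMPLE):
        print(f"line {line}: {rule} ({community})")
```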
CHAPTER 18
Configuring Repeater and Standby Access Points

This chapter describes how to configure your access point as a hot standby unit or as a repeater unit.
Understanding Repeater Access Points

A repeater access point is not connected to the wired LAN; it is placed within radio range of an access point connected to the wired LAN to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. You can configure either the 2.4-GHz radio or the 5-GHz radio as a repeater.
Figure 18-1 Access Point as a Repeater (diagram labels: Access Point (Root Unit), Wired LAN, Access Point (Repeater))

Configuring a Repeater Access Point

This section provides instructions for setting up an access point as a repeater and includes these sections:
• Default Configuration
• Guidelines for Repeaters
• Setting Up a Repeater
• Verifying Repeater Operation
• Se
Default Configuration

Access points are configured as root units by default. Table 18-1 shows the default values for settings that control the access point’s role in the wireless LAN.
Step 8
  Command: parent {1-4} mac-address [timeout]
  Purpose: (Optional) Enter the MAC address for the access point to which the repeater should associate.
  • You can enter MAC addresses for up to four parent access points. The repeater attempts to associate to MAC address 1 first; if that access point does not respond, the repeater tries the next access point in its parent list.
Setting Up a Repeater As a LEAP Client

You can set up a repeater access point to authenticate to your network like other wireless client devices. After you provide a network username and password for the repeater access point, it authenticates to your network using LEAP, Cisco's wireless authentication method, and receives and uses dynamic WEP keys.
Understanding Hot Standby

Hot Standby mode designates an access point as a backup for another access point. The standby access point is placed near the access point it monitors, configured exactly the same as the monitored access point. The standby access point associates with the monitored access point as a client and queries the monitored access point regularly through both the Ethernet and the radio ports.
Step 3
  Command: interface dot11radio 0
  Purpose: Enter interface configuration mode for the radio interface.
  Note: Hot Standby mode is available only for the 2.4-GHz radio.
Step 4
  Command: ssid ssid-string
  Purpose: Create the SSID that the standby access point uses to associate to the monitored access point; in the next step designate this SSID as an infrastructure SSID.
CHAPTER 19
Managing Firmware and Configurations

This chapter describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Working with the Flash File System

The Flash file system on your access point provides several commands to help you manage software image and configuration files. The Flash file system is a single Flash device on which you can store files. This Flash device is called flash:.
Table 19-1 show file systems Field Descriptions (continued)

Field: Type
  Value: Type of file system.
    flash—The file system is for a Flash memory device.
    network—The file system is for a network device.
    nvram—The file system is for a nonvolatile RAM (NVRAM) device.
    opaque—The file system is a locally generated pseudo file system (for example, the system) or a download interface, such as brimux.
To display information about files on a file system, use one of the privileged EXEC commands in Table 19-2:

Table 19-2 Commands for Displaying Information About Files

Command: dir [/all] [filesystem:][filename]
  Description: Display a list of files on a file system.
Command: show file systems
  Description: Display more information about each of the files on a file system.
Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
For source-url, specify the source URL alias for the local or network file system. These options are supported:
• For the local Flash file system, the syntax is flash:
• For the File Transfer Protocol (FTP), the syntax is ftp:[[//username[:password]@location]/directory]/tar-filename.tar
• For the Remote Copy Protocol (RCP), the syntax is rcp:[[//username@location]/directory]/tar-filename.
This example shows how to extract the contents of a tar file located on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local Flash file system. The remaining files in the saved.tar file are ignored.

ap# archive tar /xtract tftp://172.20.10.30/saved.
Working with Configuration Files

This section includes this information:
• Guidelines for Creating and Using Configuration Files
• Configuration File Types and Location
• Creating a Configuration File by Using a Text Editor
• Copying Configuration Files by Using TFTP
• Copying Configuration Files by Using FTP
• Copying Configuration Files by Using RCP
• Clearing Configuration
Creating a Configuration File by Using a Text Editor

When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:

Step 1 Copy an existing configuration from an access point to a server.
• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
• Before uploading the configuration file, you might need to create an empty file on the TFTP server.
Use one of these privileged EXEC commands:
• copy system:running-config tftp:[[[//location]/directory]/filename]
• copy nvram:startup-config tftp:[[[//location]/directory]/filename]

The file is uploaded to the TFTP server.

This example shows how to upload a configuration file from an access point to a TFTP server:

ap# copy system:running-config tftp://172.16.2.155/tokyo-confg
Write file tokyo-confg on host 172.16.2.
Preparing to Download or Upload a Configuration File by Using FTP

Before you begin downloading or uploading a configuration file by using FTP, perform these tasks:
• Ensure that the access point has a route to the FTP server. The access point and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.
Connected to 172.16.101.101
Loading 1112 byte file host1-confg:![OK]
ap#
%SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101

This example shows how to specify a remote username of netadmin1. The software copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the access point startup configuration.
Building configuration...[OK]
Connected to 172.16.101.101
ap#

This example shows how to store a startup configuration file on a server by using FTP to copy the file:

ap# configure terminal
ap(config)# ip ftp username netadmin2
ap(config)# ip ftp password mypass
ap(config)# end
ap# copy nvram:startup-config ftp:
Remote host[]? 172.16.101.101
Name of configuration file to write [ap2-confg]?
Write file ap2-confg on host 172.16.
Preparing to Download or Upload a Configuration File by Using RCP

Before you begin downloading or uploading a configuration file by using RCP, perform these tasks:
• Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
• Ensure that the access point has a route to the RCP server.
Step 5
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 6
  Command: copy rcp:[[[//[username@]location]/directory]/filename] system:running-config
  Purpose: Using RCP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
Step 5
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 6
  Command: copy system:running-config rcp:[[[//[username@]location]/directory]/filename]
  Purpose: Using RCP, copy the configuration file from an access point running or startup configuration file to a network server.
Working with Software Images

The protocol you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP. These improvements are possible because FTP and RCP are built on and use the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which is connection-oriented.
Copying Image Files by Using TFTP

You can download an access point image from a TFTP server or upload the image from the access point to a TFTP server. You download an access point image file from a server to upgrade the access point software. You can overwrite the current image with the new one.
Downloading an Image File by Using TFTP

You can download a new image file and replace the current image or keep the current image.

Caution: For the download and upload algorithms to operate properly, do not rename image directories.

Beginning in privileged EXEC mode, follow Steps 1 through 3 to download a new image from a TFTP server and overwrite the existing image.

Step 1 Command Purpose .
The download algorithm verifies that the image is appropriate for the access point model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the Flash device whether or not it is the same as the new one, downloads the new image, and then reloads the software.
Copying Image Files by Using FTP

You can download an access point image from an FTP server or upload the image from the access point to an FTP server. You download an access point image file from a server to upgrade the access point software. You can overwrite the current image with the new one or keep the current image after a download. You upload an access point image file to a server for backup purposes.
• If you are accessing the access point through a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new FTP username by using the ip ftp username username global configuration command.
Step 7
  Command: archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
  Purpose: Download the image file from the FTP server to the access point, and overwrite the current image.
  • The /overwrite option overwrites the software image in Flash with the downloaded image.
Step 8
If you specify the /leave-old-sw, the existing files are not removed. If there is not enough space to install the new image and keep the running image, the download process stops, and an error message is displayed. The algorithm installs the downloaded image onto the system board Flash device (flash:).
Step 6
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 7
  Command: archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar
  Purpose: Upload the currently running access point image to the FTP server.
  • For //username:password, specify the username and password. These must be associated with an account on the FTP server.
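The URL forms used by the copy and archive commands in this chapter can carry an FTP password, and so can the ip ftp password line, so captured sessions and saved configurations are worth masking before they are stored or shared. The following Python parser is an added example, not code from the Cisco guide; its function names are hypothetical and the sample session is constructed from commands and values shown in this chapter.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

MASK = "<redacted>"


class IosUrl(NamedTuple):
    scheme: str
    username: Optional[str]
    password: Optional[str]
    location: Optional[str]
    path: str


# scheme:[[//[username[:password]@]location]/directory]/filename
# Assumption: passwords containing '@' or '/' are not handled, because the
# URL form gives no way to tell them apart from the delimiters.
URL_RE = re.compile(r"""
    (?P<scheme>flash|nvram|system|tftp|ftp|rcp):
    (?://
        (?:(?P<username>[^:@/\s]+)(?::(?P<password>[^@/\s]*))?@)?
        (?P<location>[^/@\s]+)
    )?
    (?P<path>\S*)
""", re.VERBOSE)

# "ip ftp password [type] password" in global configuration mode.
IP_FTP_PASSWORD_RE = re.compile(r"(\bip\s+ftp\s+password\s+(?:[07]\s+)?)\S+")


def parse_ios_url(token: str) -> Optional[IosUrl]:
    """Split one file-system URL into its parts, or return None."""
    m = URL_RE.fullmatch(token)
    if m is None:
        return None
    return IosUrl(m["scheme"], m["username"], m["password"],
                  m["location"], m["path"])


def redact(line: str) -> str:
    """Mask FTP passwords embedded in URLs and in 'ip ftp password' lines."""
    def mask_token(m: "re.Match[str]") -> str:
        url = parse_ios_url(m.group(0))
        if url is None or url.password is None:
            return m.group(0)
        return f"{url.scheme}://{url.username}:{MASK}@{url.location}{url.path}"

    line = re.sub(r"\S+", mask_token, line)
    return IP_FTP_PASSWORD_RE.sub(lambda m: m.group(1) + MASK, line)


def find_exposed(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, kind) for every line holding a password."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for token in line.split():
            url = parse_ios_url(token)
            if url is not None and url.password is not None:
                findings.append((number, "ftp-url-password"))
        if IP_FTP_PASSWORD_RE.search(line):
            findings.append((number, "ip-ftp-password"))
    return findings


# Constructed session, assembled from commands and values shown in this chapter.
SAMPLE = [
    "ap# configure terminal",
    "ap(config)# ip ftp username netadmin2",
    "ap(config)# ip ftp password mypass",
    "ap(config)# end",
    "ap# copy nvram:startup-config ftp:",
    "ap# copy ftp://netadmin1:mypass@172.16.101.101/host1-confg system:running-config",
    "ap# copy system:running-config tftp://172.16.2.155/tokyo-confg",
]

if __name__ == "__main__":
    for number, kind in find_exposed(SAMPLE):
        print(f"line {number}: {kind}: {redact(SAMPLE[number - 1])}")
```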
RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the access point to a server by using RCP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC command if a username is specified.
Downloading an Image File by Using RCP

You can download a new image file and replace or keep the current image.

Caution: For the download and upload algorithms to operate properly, do not rename image directories.

Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image. To keep the current image, skip Step 6.
Step 6
  Command: archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
  Purpose: Download the image file from the RCP server to the access point, and overwrite the current image.
  • The /overwrite option overwrites the software image in Flash with the downloaded image.
Step 7
  Command: archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
Note: If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.

If you specify the /leave-old-sw, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed.
Step 5
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 6
  Command: archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]
  Purpose: Upload the currently running access point image to the RCP server.
  • For //username, specify the username; for the RCP copy request to execute, an account must be defined on the network server for the remote username.
Step 7 Click the Upload button.

For additional information, click the Help icon on the Software Upgrade screen.

Browser TFTP Interface

The TFTP interface allows you to use a TFTP server on a network device to load the access point image file. Follow the instructions below to use a TFTP server:

Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).
CHAPTER 20
Configuring System Message Logging

This chapter describes how to configure system message logging on your access point.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Understanding System Message Logging

By default, access points send the output from system messages and debug privileged EXEC commands to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The process also sends messages to the console.
Configuring System Message Logging

Table 20-1 describes the elements of syslog messages.

Table 20-1 System Log Message Elements

Element: seq no:
Description: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 20-6.

Date and time of the message or event.
Table 20-2 Default System Message Logging Configuration (continued)

Feature                    Default Setting
Timestamps                 Disabled
Synchronous logging        Disabled
Logging server             Disabled
Syslog server IP address   None configured
Server facility            Local7 (see Table 20-4 on page 20-11)
Server severity            Informational (and numerically lower levels; see Table 20-3 on page 20-8)

Disabling and Enabling Message Logging

Message logging is enabl
Setting the Message Display Destination Device

If message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Enabling and Disabling Timestamps on Log Messages

By default, log messages are not timestamped. Beginning in privileged EXEC mode, follow these steps to enable timestamping of log messages:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: service timestamps log uptime
  Purpose: Enable log timestamps.
This example shows part of a logging display with sequence numbers enabled:

000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

Defining the Message Severity Level

You can limit messages displayed to the selected device by specifying the severity level of the message. The levels are described in Table 20-3.
Table 20-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
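The message layout from Table 20-1 and the severity rule used by the logging commands (a configured level passes that level and every numerically lower one) can be exercised with a short parser. This is an added example, not code from the Cisco guide: the two %SYS-5 lines are taken from this guide, the other sample lines and all function names are constructed for illustration, and the level keywords are the standard IOS ones ordered from most to least severe.

```python
import re

# IOS level keywords indexed by numeric severity (0 is the most severe).
LEVELS = ("emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging")

# seq no:timestamp: %FACILITY-SEVERITY-MNEMONIC:description
# The sequence number and the timestamp appear only when they are enabled.
# Assumption: facility names are written without hyphens.
MESSAGE_RE = re.compile(r"""
    ^\s*
    (?:(?P<seq>\d+):(?:\s+|(?=%)))?     # sequence number, if enabled
    (?:(?P<timestamp>[^%]+?):\s*)?      # uptime or date stamp, if enabled
    %(?P<facility>[A-Z][A-Z0-9_]*)
    -(?P<severity>[0-7])
    -(?P<mnemonic>[A-Z0-9_]+):\s*
    (?P<description>.*?)\s*$
""", re.VERBOSE)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_message(line):
    """Return the message elements as a dict, or None for other output."""
    m = MESSAGE_RE.match(line)
    if m is None:
        return None
    msg = m.groupdict()
    msg["seq"] = int(msg["seq"]) if msg["seq"] else None
    msg["severity"] = int(msg["severity"])
    msg["level"] = LEVELS[msg["severity"]]
    return msg


def forwarded(msg, level_keyword):
    """True if a destination limited to level_keyword receives msg."""
    return msg["severity"] <= LEVELS.index(level_keyword)


def config_changes(lines):
    """Pick out %SYS-n-CONFIG* messages and the address named in each."""
    events = []
    for line in lines:
        msg = parse_message(line)
        if msg and msg["facility"] == "SYS" and msg["mnemonic"].startswith("CONFIG"):
            ip = IPV4_RE.search(msg["description"])
            events.append({"seq": msg["seq"],
                           "source": ip.group(0) if ip else None,
                           "description": msg["description"]})
    return events


def sequence_gaps(lines):
    """Return (first, last) ranges of sequence numbers missing from lines."""
    gaps, previous = [], None
    for line in lines:
        msg = parse_message(line)
        if msg is None or msg["seq"] is None:
            continue
        if previous is not None and msg["seq"] > previous + 1:
            gaps.append((previous + 1, msg["seq"] - 1))
        previous = msg["seq"]
    return gaps


SAMPLE = [
    # From this guide (sequence numbers enabled):
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    # Constructed lines:
    "000020: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up",
    "000023: %EXAMPLE-7-SAMPLE: constructed debugging-level message",
    "00:00:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up",
    # From this guide (no sequence number, no timestamp):
    "%SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101",
    # Not a system message:
    "Building configuration...[OK]",
]

if __name__ == "__main__":
    for event in config_changes(SAMPLE):
        print("configuration change from", event["source"], "-", event["description"])
    print("missing sequence numbers:", sequence_gaps(SAMPLE))
```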
Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: logging history level
  Purpose: Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 20-3 on page 20-8 for a list of level keywords.
Configuring UNIX Syslog Servers

The next sections describe how to configure the 4.3 BSD UNIX server syslog daemon and define the UNIX system logging facility.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server.
Step 3
  Command: logging trap level
  Purpose: Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 20-3 on page 20-8 for level keywords.
Step 4
  Command: logging facility facility-type
  Purpose: Configure the syslog facility. See Table 20-4 on page 20-11 for facility-type keywords. The default is local7.
Step 5
  Command: end
  Purpose: Return to privileged EXEC mode.
Displaying the Logging Configuration

To display the current logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.

To display the logging history file, use the show logging history privileged EXEC command.
CHAPTER 21
Troubleshooting

This chapter provides troubleshooting procedures for basic problems with the access point. For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at the following URL (select Top Issues and then select Wireless Technologies): http://www.cisco.
Checking the Top Panel Indicators

If your access point is not communicating, check the three LED indicators on the top panel. You can use them to quickly assess the unit’s status. Figure 21-1 shows the indicators.
Table 21-1 Top Panel Indicator Signals

Message type         Ethernet indicator   Status indicator   Radio indicator   Meaning
Boot loader status   Green                –                  Green             DRAM memory test.
                     –                    Amber              Red               Board initialization test
                     –                    Blinking green     Blinking green    Flash memory test.
                     Amber                Green              –                 Ethernet initialization test.
                     Green                Green              Green             Starting IOS.
                     –                    Green              –                 At least one wireless client device is associated with the unit.
Checking Basic Settings

Mismatched basic settings are the most common causes of lost connectivity with wireless clients. If the access point does not communicate with client devices, check the following areas.

SSID

Wireless clients attempting to associate with the access point must use the same SSID as the access point. If a client device’s SSID does not match the SSID of an access point in radio range, the client device will not associate.
Resetting to the Default Configuration

Using the MODE Button

Follow these steps to delete the current configuration and return all access point settings to the factory defaults using the MODE button:

Step 1 Disconnect power (the power jack for external power or the Ethernet cable for in-line power) from the access point.
Step 2 Press and hold the MODE button while you reconnect power to the access point.
Reloading the Access Point Image

If your access point has a firmware failure, you must reload the complete access point image file using the Web browser interface or by pressing and holding the MODE button for around 30 seconds. You can use the browser interface if the access point firmware is still fully operational and you want to upgrade the firmware image.
Web Browser Interface

You can also use the Web browser interface to reload the access point image file. The Web browser interface supports loading the image file using HTTP or TFTP interfaces.

Note: Your access point configuration is not changed when using the browser to reload the image file.

Browser HTTP Interface

The HTTP interface enables you to browse to the access point image file on your PC and download the image to the access point.
Step 8 Enter the file name for the access point image file in the Upload New System Image Tar File field. If the file is located in a subdirectory of the TFTP server root directory, include the relative path of the TFTP server root directory with the filename. If the file is located in the TFTP root directory, enter only the filename.
Step 9 Click the Upload button.
Obtaining the TFTP Server Software

The TFTP server software (self-extracting and installing file) can be obtained from the Cisco.com software center using the following URL: http://www.cisco.com/public/sw-center/sw-web.shtml

Download the file to a temporary directory on your PC hard drive. To install the TFTP server, double-click the downloaded file and follow the installer program instructions.
CHAPTER 22
2.4-GHz Radio Upgrade

This chapter provides upgrade instructions for the 2.4-GHz radio module and includes the following sections:
• Upgrade Overview
• Opening the Access Cover
• Removing a Blank Spacer Card
• Removing a 2.4-GHz Radio
• Installing a 2.
Upgrade Overview

This section provides instructions for upgrading the access point 2.4-GHz radio. The following operations summarize the upgrade procedure:
• Remove all cables and power connections from the access point.
• Follow standard electrostatic discharge (ESD) procedures.
• Place the access point on an ESD-protected work surface.
• Open the access point’s 2.4-GHz radio access cover.
• For an access point without the 2.
Opening the Access Cover

To open the 2.4-GHz radio access cover, follow the steps below:

Step 1 Remove all cables and power connections from the access point.
Step 2 Remove all static-generating items from the work area, such as plastic material, styrofoam cups, and other similar items.
Step 3 Place the access point and the new 2.4-GHz radio (in its antistatic bag) on an antistatic work surface.
Removing a Blank Spacer Card

When your access point is not factory-configured with a 2.4-GHz radio, it contains a blank spacer card in the internal mini-PCI connector. You must remove the blank spacer card prior to installing a new 2.4-GHz radio card.

Caution: Handle all components carefully and observe all ESD precautions. The internal access point components and the 2.4-GHz radio can be damaged by ESD from improper handling.
Step 3 Remove the antenna wires from the blank spacer card.

Caution: To avoid damaging the antenna wire assemblies, handle them by their connectors.

Step 4 Remove the blank spacer card from the mini-PCI connector.

For instructions on installing the radio card, go to the “Installing a 2.4-GHz Radio” section.

Removing a 2.4-GHz Radio

To remove a 2.
Step 2 Remove the 2.4-GHz radio card from the mini-PCI connector by performing the following operations:
a. Push the card-retaining clips (on each side of card) away from the card (see Figure 22-3). When released, the radio card springs up (see Figure 22-4).

Figure 22-3 Location of Retaining Clips on 2.4-GHz Radio Card (callout 1: Card-retaining clips)
Installing a 2.4-GHz Radio

To install a new 2.4-GHz radio card into the access point, follow the steps below.

Caution: The internal access point components and the 2.4-GHz radio can be damaged by ESD from improper handling.

Step 1 Carefully remove the Cisco Aironet 2.4-GHz radio card from its anti-static bag.
Step 2 Grasp the radio card only on the edges, being careful not to touch components on the board or the gold connector pins.
Step 5 Insert the radio card into the access point’s mini-PCI connector by following the steps below:
a. Tilt the radio card at approximately 20° to 30° so that its gold pins are aligned with the mini-PCI connector (see Figure 22-4).
b. Push the card into the mini-PCI connector until it clicks into place.
CHAPTER 23
5-GHz Radio Module Upgrade

This chapter provides upgrade instructions for the 5-GHz radio module and includes the following sections:
• Upgrade Overview
• Removing the 5-GHz Radio Access Cover
• Removing a 5-GHz Radio Module
• Installing a 5-GHz Radio Module
Upgrade Overview

This section provides instructions for upgrading the access point 5-GHz radio module. The following operations summarize the upgrade procedure:
1. Remove all cables and power connections from the access point.
2. Place your access point on a flat surface.
3. For an access point without the 5-GHz radio feature, remove the 5-GHz radio access cover.
4.
Step 3 Remove the 5-GHz access cover (see Figure 23-1) using the supplied Torx L-wrench.

Figure 23-1 5-GHz Radio Access Cover (callout 1: Access Cover Screws; callout 2: Access Cover)

Removing a 5-GHz Radio Module

To remove the 5-GHz radio module, follow the instructions below:

Step 1 Remove all cables and power connections from the access point.
Step 4 Insert your fingers into the base of the 5-GHz radio module (closest to the access point) and pull straight out from the access point (see Figure 23-3).

Figure 23-3 Removing the 5-GHz Radio Module

Step 5 Fold the antenna down (towards the attached radio card) and insert the module into a static protected bag.
Installing a 5-GHz Radio Module

To install a new 5-GHz radio module into your access point, follow the steps below:

Step 1 Before you can install a new 5-GHz radio module, you must remove the access cover or an existing 5-GHz radio module (refer to “Removing the 5-GHz Radio Access Cover” or “Removing a 5-GHz Radio Module”).
Step 2 Place the access point on a flat surface so that the unit is upright with the front end facing you.
Step 5 Tighten the 5-GHz radio module mounting screws (see Figure 23-5) using the supplied Torx L-wrench.

Figure 23-5 Location of Mounting Screws (callout 1: 5-GHz radio module antenna; callout 2: Mounting screws)

Step 6 Remove the backing paper from the 5-GHz radio product compliance label.
Step 7 Carefully attach the label in the space provided below the product compliance label (see Figure 23-6).
Note: If your access point contains an internal 2.4-GHz radio, there will also be a 2.4-GHz radio product compliance label on the back of the unit.

The 5-GHz radio module installation is now complete and radio settings are at default values. To configure the 5-GHz radio with your wireless network settings refer to Chapter 7, “Configuring Radio Settings.
CHAPTER A
Translated Safety Warnings

This appendix provides translations of the safety warnings that appear in this publication. These translated warnings apply to other documents in which they appear in English.
Dipole Antenna Installation Warning

Warning: In order to comply with FCC radio frequency (RF) exposure limits, dipole antennas should be located at a minimum of 7.9 inches (20 cm) or more from the body of all persons.

Waarschuwing: Om te voldoen aan de FCC radiofrequentie (RF) blootstellingslimieten dienen dipoolantennes zich minstens 20 cm of meer van de lichamen van alle personen bevinden.
Explosive Device Proximity Warning

Warning: Do not operate your wireless network device near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use.
Lightning Activity Warning

Warning: Do not work on the system or connect or disconnect cables during periods of lightning activity.

Waarschuwing: Tijdens onweer dat gepaard gaat met bliksem, dient u niet aan het systeem te werken of kabels aan te sluiten of te ontkoppelen.

Varoitus: Älä työskentele järjestelmän parissa äläkä yhdistä tai irrota kaapeleita ukkosilmalla.
Installation Warning

Warning: Read the installation instructions before you connect the system to its power source.

Waarschuwing: Raadpleeg de installatie-aanwijzingen voordat u het systeem met de voeding verbindt.

Varoitus: Lue asennusohjeet ennen järjestelmän yhdistämistä virtalähteeseen.

Attention: Avant de brancher le système sur la source d'alimentation, consulter les directives d'installation.
Circuit Breaker (15A) Warning

Warnung: Dieses Produkt ist darauf angewiesen, daß im Gebäude ein Kurzschluß- bzw. Überstromschutz installiert ist. Stellen Sie sicher, daß eine Sicherung oder ein Unterbrecher von nicht mehr als 240 V Wechselstrom, 10 A (bzw. in den USA 120 V Wechselstrom, 15 A) an den Phasenleitern (allen stromführenden Leitern) verwendet wird.
APPENDIX B
Declarations of Conformity and Regulatory Information

This appendix provides declarations of conformity and regulatory information for the Cisco Aironet 1200 Series Access Points.
Manufacturers Federal Communication Commission Declaration of Conformity Statement

Tested To Comply With FCC Standards
FOR HOME OR OFFICE USE

Models: AIR-AP1200 with AIR-MP20B-A-K9 and/or AIR-RM20A-A-K9, AIR-AP1210, AIR-AP1220B-A-K9, AIR-AP1230B-A-K9, AIR-AP1220A-A-K9, AIR-AP1230A-A-K9,

FCC Certification number:
LDK 102042 (AIR-MP20B-A-K9)
LDK 102045 (AIR
Table B-1 Access Point 2.4-GHz Antennas

Cisco Part Number   Model               Gain
AIR-ANT1949         Yagi                13.5
AIR-ANT4121         Omni-directional    12.0
AIR-ANT3549         Patch               8.5
AIR-ANT2012         Spatial diversity   6.5
AIR-ANT1729         Patch               6.0
AIR-ANT2506         Omni-directional    5.1
AIR-ANT3213         Omni-directional    5.0
AIR-ANT1728         Omni-directional    5.0
AIR-ANT3195         Patch               3.0
AIR-ANT5959         Omni-directional    2.
European Community, Switzerland, Norway, Iceland, and Liechtenstein

Declaration of Conformity with Regard to the R&TTE Directive 1999/5/EC

English: This equipment is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
The Declaration of Conformity related to this product can be found at the following URL: http://www.ciscofax.com

For 11 Mbps, 2.4 GHz access points with 100 mW radios, the following standards were applied:
• Radio: EN 300.328-1, EN 300.328-2
• EMC: EN 301.489-1, EN 301.89-17
• Safety: EN 60950

The following CE mark is affixed to the 11 Mbps, 2.
Declaration of Conformity for RF Exposure

The radio module has been found to be compliant to the requirements set forth in CFR 47 Sections 2.1091, 2.1093, and 15.247 (b) (4) addressing RF Exposure from radio frequency devices as defined in Evaluating Compliance with FCC Guidelines for Human Exposure to Radio Frequency Electromagnetic Fields.
Guidelines for Operating Cisco Aironet Access Points in Japan

English Translation

This equipment operates in the same frequency bandwidth as industrial, scientific, and medical devices such as microwave ovens and mobile object identification (RF-ID) systems (licensed premises radio stations and unlicensed specified low-power radio stations) used in factory production lines.

1.
Cisco Aironet 1200 Series Access Point Installation and Configuration Guide OL-3446-01
APPENDIX C
Channels and Antenna Settings

This appendix lists the access point radio channels and the maximum power levels supported by the world’s regulatory domains.
Channels

IEEE 802.11a

The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11a 20-MHz-wide channel are listed in Table C-1.

Table C-1 Note Channels for IEEE 802.
IEEE 802.11b

The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11b 22-MHz-wide channel are listed in Table C-2.

Table C-2 Note Channels for IEEE 802.
Maximum Power Levels

This section lists the maximum radio power levels and antenna gains for each regulatory domain. For additional information on setting radio transmit power, refer to the “Configuring Radio Transmit Power” section on page 7-5.

IEEE 802.11a

An improper combination of power level and antenna gain can result in equivalent isotropic radiated power (EIRP) above the amount allowed per regulatory domain.
Table C-4 Maximum Power Levels Per Antenna Gain for IEEE 802.11b (continued)

Regulatory Domain: EMEA (-E) (100 mW EIRP maximum)

Antenna Gain (dBi)   Maximum Power Level (mW)
0                    100
2.2                  50
5.2                  30
6                    30
8.5                  5
12                   5
13.5                 5
21                   1

Regulatory Domain: Israel (-I) (100 mW EIRP maximum)

Antenna Gain (dBi)   Maximum Power Level (mW)
0                    100
2.2                  50
5.2                  30
6                    30
8.5                  5
12                   5
13.5                 5
21                   1

Regulatory Domain: China (-C) (10 mW EIRP maximum)

Antenna Gain (dBi)   Maximum Power Level (mW)
0                    5
2.2                  5
5.2                  n/a
6                    n/a
8.

Regulatory Domain: Japan (-J) (10 mW/MHz EIRP maximum)
APPENDIX D
Mounting Instructions

This appendix provides instructions for mounting the access point to suspended ceilings, vertical surfaces, or horizontal surfaces using the access point mounting bracket.
Overview

You can mount the access point on any of the following surfaces:
• Horizontal or vertical flat surfaces, such as walls or ceilings
• Suspended ceilings

The access point ships with a detachable mounting bracket and the necessary mounting hardware. Because it is detachable, you can use the mounting bracket as a template to mark the positions of the mounting holes for your installation.
A mounting hardware kit is provided that contains the hardware and fasteners necessary to mount the access point. Refer to Table D-1 to identify the materials you need to mount your access point, then go to the section containing the specific mounting procedure.

Table D-1 Material Needed to Mount Access Point

Mounting Method                  Materials Required        In Kit
Horizontal or vertical surface   Four #8 x 1 in. (25.
Mounting on a Suspended Ceiling

Note  To comply with NEC code, a #10-24 grounding lug is provided on the mounting bracket.

You should review Figure D-2 before beginning the mounting process.
Follow these steps to mount your access point on a suspended ceiling:

Step 1  Determine the location where you want to mount the access point.
Step 2  Attach two caddy fasteners to the suspended ceiling T-rail.
Step 3  Use the mounting bracket to adjust the distance between the caddy fasteners so that they align with the holes in the mounting bracket.
APPENDIX E
Protocol Filters

The tables in this appendix list some of the protocols that you can filter on the access point. The tables include:
• Table E-1, Ethertype Protocols
• Table E-2, IP Protocols
• Table E-3, IP Port Protocols

In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.
Table E-1 Ethertype Protocols

Protocol                       Additional Identifier   ISO Designator
ARP                            —                       0x0806
RARP                           —                       0x8035
IP                             —                       0x0800
Berkeley Trailer Negotiation   —                       0x1000
LAN Test                       —                       0x0708
X.25 Level3                    X.25                    0x0805
Banyan                         —                       0x0BAD
CDP                            —                       0x2000
DEC XNS                        XNS                     0x6000
DEC MOP Dump/Load              —                       0x6001
DEC MOP                        MOP                     0x6002
DEC LAT                        LAT                     0x6004
Ethertalk                      —                       0x809B
Appletalk ARP                  Appletalk AARP          0x80F3
IPX 802.2                      —                       0x00E0
IPX 802.
Table E-2 IP Protocols

Protocol                             Additional Identifier   ISO Designator
dummy                                —                       0
Internet Control Message Protocol    ICMP                    1
Internet Group Management Protocol   IGMP                    2
Transmission Control Protocol        TCP                     6
Exterior Gateway Protocol            EGP                     8
PUP                                  —                       12
CHAOS                                —                       16
User Datagram Protocol               UDP                     17
XNS-IDP                              IDP                     22
ISO-TP4                              TP4                     29
ISO-CNLP                             CNLP                    80
Banyan VINES                         VINES                   83
Encapsulation Header                 encap_hdr               98
Spectralink Voice Protocol           SVP Spectralink         119
raw                                  —
Table E-3 IP Port Protocols

Protocol                         Additional Identifier   ISO Designator
TCP port service multiplexer     tcpmux                  1
echo                             —                       7
discard (9)                      —                       9
systat (11)                      —                       11
daytime (13)                     —                       13
netstat (15)                     —                       15
Quote of the Day                 qotd quote              17
Message Send Protocol            msp                     18
ttytst source                    chargen                 19
FTP Data                         ftp-data                20
FTP Control (21)                 ftp                     21
Secure Shell (22)                ssh                     22
Telnet                           —                       23
Simple Mail Transport Protocol   SMTP mail               25
time                             timserver               37
Resource Locati
Table E-3 IP Port Protocols (continued)

Protocol                         Additional Identifier        ISO Designator
TSAP                             iso-tsap                     102
CSO Name Server                  cso-ns csnet-ns              105
Remote Telnet                    rtelnet                      107
Postoffice v2                    POP2 POP v2                  109
Postoffice v3                    POP3 POP v3                  110
Sun RPC                          sunrpc                       111
tap ident authentication         auth                         113
sftp                             —                            115
uucp-path                        —                            117
Network News Transfer Protocol   Network News readnews nntp   119
USENET News Transfer Protocol    Network News readnews nntp   119
Network Time Pro
Table E-3 IP Port Protocols (continued)

Protocol                     Additional Identifier   ISO Designator
SNMP Unix Multiplexer        smux                    199
AppleTalk Routing            at-rtmp                 201
AppleTalk name binding       at-nbp                  202
AppleTalk echo               at-echo                 204
AppleTalk Zone Information   at-zis                  206
NISO Z39.
APPENDIX F
Supported MIBs

This appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release. The Cisco IOS SNMP agent supports both SNMPv1 and SNMPv2.
• CISCO-PROCESS-MIB
• CISCO-PRODUCTS-MIB
• CISCO-SMI-MIB
• CISCO-TC-MIB
• CISCO-SYSLOG-MIB
• ENTITY-MIB
• IF-MIB
• OLD-CISCO-CHASSIS-MIB
• OLD-CISCO-SYS-MIB
• OLD-CISCO-SYSTEM-MIB
• OLD-CISCO-TS-MIB
• RFC1213-MIB
• RFC1398-MIB
• SNMPv2-MIB
• SNMPv2-SMI
• SNMPv2-TC

Using FTP to Access the MIB Files

Follow these steps to obtain each MIB file by using FTP:

Step 1  Use FTP to access the server ftp.cisco.com.
APPENDIX G
Access Point Specifications

This appendix provides technical specifications for the Cisco Aironet 1200 Series Access Point. Table G-1 lists the technical specifications for the access point.

Table G-1 Access Point Specifications

Category: Size
  Access Point with 2.4-GHz Radio:
    6.56 in. W x 7.23 in. D x 1.66 in. H
    16.67 cm W x 18.36 cm D x 4.22 cm H
  Access Point with 5-GHz Radio Module:
    With the 5-GHz antenna in the patch position:
    6.56 in. W x 8.04 in. D x 2.21 in. H
    16.67 cm W x 20.
Table G-1 Access Point Specifications (continued)

Category: Power Output
  Access Point with 2.4-GHz Radio:
    100, 50, 30, 20, 5, or 1 mW (Depending on the regulatory domain in which the access point is installed)
  Access Point with 5-GHz Radio Module:
    40 mW (16 dBm)
    20 mW (13 dBm)
    10 mW (10 dBm)
    5 mW (7 dBm)
    Note  These values are based on the FCC peak measurement method as defined in FCC 15.407 (A)(4)

Category: Frequency
  2.400 to 2.
Table G-1 Access Point Specifications (continued)

Category: Radio Approvals
  Access Point with 2.4-GHz Radio:
    FCC Part 15.247
    Canada RSS-210
    Japan Telec 33B
    EN 300.328
  Access Point with 5-GHz Radio Module:
    FCC Part 15.407
    Canada RSS-210
    Japan ARIB STD-T71
    EN 301.893

Category: EMI and Susceptibility
  FCC Part 15.107 and 15.109 Class B
  ICES-003 Class B (Canada)
  EN 55022 B
  AS/NZS 3548 Class B
  VCCI Class B
  EN 55024
  EN 301.489-1
  EN 301.
APPENDIX H
Error and Event Messages

This appendix lists the CLI error and event messages. Table H-1 lists the errors and events and provides an explanation and recommended action for each message.

Table H-1 Error and Event Messages

Software Auto Upgrade Messages

Message: SW_AUTO_UPGRADE-FATAL: Attempt to upgrade software failed, software on Flash may be deleted. Please copy software into Flash.
Explanation: Auto upgrade of the software failed.
Table H-1 Error and Event Messages (continued)

Message: DOT11-6-DISASSOC: Interface [interface], Deauthenticating Station [mac] [char]
Explanation: A station disassociated from an access point.
Recommended Action: None.

Message: DOT11-6-ROAMED: Station [mac-address] Roamed to [mac-address]
Explanation: A station has roamed to a new access point.
Recommended Action: None.

Proxy Mobile IP Subsystem Messages

Message: PMIP-3-REG_FAIL: Mobile Node 10.4.1.
Table H-1 Error and Event Messages (continued)

Message: PMIP-6-STOP: Proxy Mobile IP services have stopped
Explanation: Proxy Mobile IP service has stopped.
Recommended Action: None.

Message: PMIP-6-REPEATER_STOP: AP is now operating as a repeater, disabling Proxy Mobile IP services
Explanation: Proxy Mobile IP does not run on repeaters or workgroup bridges, and it is disabled automatically when the access point is in repeater mode.
Recommended Action: None.
Table H-1 Error and Event Messages (continued)

Message: DOT11-4-CANT_ASSOC: Cannot associate: [chars]
Explanation: The unit could not establish a connection to a parent access point for the displayed reason.
Recommended Action: Check the configuration of both the parent access point and this unit to make sure the basic settings (SSID, WEP, and others) match.
APPENDIX I
Console Cable Pinouts

This appendix identifies the pinouts for the serial console cable that connects to the access point’s serial console port.
Overview

The access point requires a special serial cable that connects the access point serial console port (RJ-45 connector) to your PC’s COM port (DB-9 connector). This cable can be purchased from Cisco (part number AIR-CONCAB1200) or can be built using the pinouts in this appendix.
GLOSSARY

802.11
  The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4-GHz band.

802.11a
  The IEEE standard that specifies carrier sense media access control and physical layer specifications for wireless LANs operating in the 5-GHz frequency band.

802.11b
  The IEEE standard that specifies carrier sense media access control and physical layer specifications for 5.
C

CCK
  Complementary code keying. A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 5.5 and 11 Mbps.

Cell
  The area of radio range or coverage in which the wireless devices can communicate with the base station. The size of the cell depends upon the speed of the transmission, the type of antenna used, and the physical environment, as well as other factors.
E

EAP
  Extensible Authentication Protocol. An optional IEEE 802.1x security feature ideal for organizations with a large user base and access to an EAP-enabled Remote Authentication Dial-In User Service (RADIUS) server.

Ethernet
  The most widely used wired local area network. Ethernet uses carrier sense multiple access (CSMA) to allow computers to share a network and operates at 10, 100, or 1000 Mbps, depending on the physical layer used.
M

MAC
  Media Access Control address. A unique 48-bit number used in Ethernet data packets to identify an Ethernet device, such as an access point or your client adapter.

Modulation
  Any of several techniques for combining user information with a transmitter’s carrier signal.

Multipath
  The echoes created as a radio signal bounces off of physical objects.

Multicast Packet
  A single data message (packet) sent to multiple addresses.
Roaming
  A feature of some Access Points that allows users to move through a facility while maintaining an unbroken connection to the LAN.

RP-TNC
  A connector type unique to Cisco Aironet radios and antennas. Part 15.203 of the FCC rules covering spread spectrum devices limits the types of antennas that may be used with transmission equipment.