Welcome to the Product Guide!
Product Guide Cisco SWAN 2.2: Last Updated April 1, 2005
The Product Guide describes the Cisco SWAN products. Refer to the OVERVIEWS section to see a big picture view of Cisco SWAN products and features. See the SOLUTIONS section to look through real-world network and application-specific solutions to real-world problems. Go to the TASKS section to find detailed instructions on how to install, configure, use, and troubleshoot Cisco SWAN products and supported 802.
Obtaining Additional Publications and Information Cisco SWAN Release Notes Cisco WCS Release Notes 4/1/05 OL-7426-02 Product Guide
Legal Information
This section includes the following legal information:
• Products
• End User License Agreement
• Limited Warranty
• General Terms Applicable to the Limited Warranty Statement and End User License Agreement
• Additional Open Source Terms
• Trademarks and Service Marks
The following describes the Cisco Systems, Inc. standard Product Warranty for End Customers.
addresses, port(s), seat(s), server(s) or site(s), as set forth in the applicable Purchase Order which has been accepted by Cisco and for which Customer has paid to Cisco the required license fee.
and other proprietary notices are included on the Software. Except as expressly authorized in this Agreement, Customer shall not make any copies or duplicates of any Software without the prior written permission of Cisco. Open Source Content. Customer acknowledges that the Software contains open source or publicly available content under separate license and copyright requirements which are located either in an attachment to this license, the Software README file or the Documentation.
case of resale by a Cisco reseller, commencing not more than ninety (90) days after original shipment by Cisco), and continuing for a period of one (1) year, the Hardware will be free from defects in material and workmanship under normal use. The date of shipment of a Product by Cisco is set forth on the packaging material in which the Product is shipped. This limited warranty extends only to the original user of the Product.
WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, SATISFACTORY QUALITY, NON-INTERFERENCE, ACCURACY OF INFORMATIONAL CONTENT, OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW AND ARE EXPRESSLY DISCLAIMED BY CISCO, ITS SUPPLIERS AND LICENSORS. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE EXPRESS WARRANTY PERIOD.
version 2 is available upon written request to the Cisco Legal Department, 300 E. Tasman Drive, San Jose, California 95134. SSH Source Code Statement. © 1995 - 2004 SAFENET, Inc. This software is protected by international copyright laws. All rights reserved. SafeNet is a registered trademark of SAFENET, Inc., in the United States and in certain other jurisdictions. SAFENET and the SAFENET logo are trademarks of SAFENET, Inc., and may be registered in certain jurisdictions.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Systems, Attn: Customer Document Ordering, 170 West Tasman Drive, San Jose, CA 95134-9883. We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
• Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
FCC Statements for Cisco 1000 Series Lightweight Access Points
This section includes the following FCC statements for Cisco 1000 Series lightweight access points:
• Class A Statement
• RF Radiation Hazard Warning
• Non-Modification Statement
• Deployment Statement
Class A Statement
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules.
Industry Canada Required User Information for Cisco 1000 Series Lightweight Access Points
This device has been designed to operate with antennae having maximum gains of 7.8 dBi (2.4 GHz) and 7.4 dBi (5 GHz). Antennae having higher gains are strictly prohibited per regulations of Industry Canada. The required antenna impedance is 50 ohms.
FCC Statements for Cisco 4100 Series Wireless LAN Controllers
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
FCC Statements for Cisco 2000 Series Wireless LAN Controllers
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Safety Considerations
• The AIR-WLC4112-K9, AIR-WLC4124-K9, and AIR-WLC4136-K9 Cisco 4100 Series Wireless LAN Controllers contain Class 1 Lasers (Laser Klasse 1) according to EN 60825-1+A1+A2.
• The Cisco 1000 Series lightweight access points with or without external antenna ports are only intended for installation in Environment A as defined in IEEE 802.3af.
Table of Contents
Welcome to the Product Guide!; Legal Information; Products; End User License Agreement; Limited Warranty; Disclaimer of Warranty; General Terms Applicable to the Limited Warranty Statement and End User License Agreement; Additional Open Source Terms; Trademarks and Service Marks; Obtaining Documentation; Cisco.
Inter-Cisco Wireless LAN Controller (Layer 2) Roaming; Inter-Subnet (Layer 3) Roaming; Special Case: Voice Over IP Telephone Roaming; About Client Location; About External DHCP Servers; Per-WLAN Assignment; Per-Interface Assignment; Security Considerations; About Controller Mobility Groups; About Cisco SWAN Wired Connections; Between Cisco Wireless LAN Controllers and Cisco 1000 Series Lightweight Access Points; Between Cisco 4100 Series Wireless LAN Controllers and Other Network Dev
About Cisco 1000 Series Lightweight Access Point Power Requirements; About Cisco 1000 Series Lightweight Access Point External Power Supply; About Cisco 1000 Series Lightweight Access Point Mounting Options; About Cisco 1000 Series Lightweight Access Point Physical Security; About Cisco 1000 Series Lightweight Access Point Monitor Mode; About Rogue Access Points; Rogue AP Location, Tagging and Containment; About the Cisco Wireless Control System; About
Changing the Web Title; Changing the Web Message; Changing the Logo; Creating a Custom URL Redirect; Verifying your Web Auth Changes; Sample Customized Web Auth Login Page; Configuring Identity Networking for Operating System 2.
Transferring Files To and From a Cisco Wireless LAN Controller; Updating the Operating System Software; Using the Startup Wizard; Adding SSL to the Web User Interface; Locally Generated Certificate; Externally Generated Certificate; Adding SSL to the 802.
Pinging a Network Device from a Cisco Wireless LAN Controller; Viewing Current Cisco Wireless LAN Controller Status and Configurations; Viewing Cisco WCS Statistics Reports; Updating OS Software from Cisco WCS; Managing Cisco WCS and Database; Installing Cisco WCS; Updating Windows Cisco WCS; Updating Linux Cisco WCS; Reinitializing the Windows Cisco WCS Database; Reinitializing the Linux Cisco WCS Database; Administering Cisco WCS Users and Passwords; Adding User Accounts
OVERVIEWS
Refer to the following for information about the Product Guide and other high-level subjects:
• About the Cisco Structured Wireless-Aware Network
- About the Cisco Structured Wireless-Aware Network
- Single-Cisco Wireless LAN Controller Wireless LAN Controller Deployments
- Multiple-Cisco Wireless LAN Controller Deployments
- Operating System Software
- Operating System Security
- Cisco SWAN Wired Security
- Layer 2 and Layer 3 LWAPP Operation
- Radio Resource Managem
• Web User Interface • Command Line Interface 3/11/05 OL-7426-02 OVERVIEWS
About the Cisco Structured Wireless-Aware Network
The Cisco Structured Wireless-Aware Network is designed to provide 802.11 wireless networking solutions for enterprises and service providers. The Cisco SWAN simplifies deploying and managing large-scale wireless LANs and enables a unique best-in-class security infrastructure.
Figure - Cisco SWAN Components
The Product Guide uses unique software to provide WLAN access for wireless clients and to simultaneously provide an active wireless access control system that protects your wired and wireless infrastructure from negligent and malicious wireless attacks. The Cisco SWAN uses the following components:
• Cisco Wireless LAN Controllers:
- Cisco 2000 Series Wireless LAN Controllers
- Cisco 4100 Series Wireless LAN Controllers
• Cisco 1000 Series IEEE 802.
• Layer 2 and Layer 3 LWAPP Operation • Radio Resource Management (RRM) - Master Cisco Wireless LAN Controller - Primary, Secondary, and Tertiary Cisco Wireless LAN Controllers - Client Roaming - External DHCP Servers - Controller Mobility Group - Cisco SWAN Wired Connections - Cisco SWAN WLANs - Transferring Files - Power Over Ethernet • Cisco Wireless LAN Controllers • Cisco 1000 Series IEEE 802.
Controller GigE connections is active and the other is passive. Upon a network failure, the active connection becomes passive, and the passive connection becomes active.
Figure - Typical Cisco Wireless LAN Controller Deployment
Multiple-Cisco Wireless LAN Controller Deployments
Each Cisco Wireless LAN Controller can support Cisco 1000 Series lightweight access points across multiple floors and buildings simultaneously.
Figure - Typical Multiple-Cisco Wireless LAN Controller Deployment
About the Operating System Software
The Operating System Software controls Cisco Wireless LAN Controllers and Cisco 1000 Series lightweight access points. It includes full Operating System Security and Radio Resource Management (RRM) functions.
- WEP (Wired Equivalent Privacy) keys, with or without Pre-Shared key Passphrase. • RSN with or without Pre-Shared key. • Cranite FIPS140-2 compliant passthrough. • Fortress FIPS140-2 compliant passthrough. • Optional MAC Filtering.
For information about Cisco SWAN wireless security, refer to Operating System Security.
Layer 2 and Layer 3 LWAPP Operation
The LWAPP communications between Cisco Wireless LAN Controllers and Cisco 1000 Series lightweight access points can be conducted at ISO Data Link Layer 2 or Network Layer 3, when the connections are made in Appliance Mode.
• As new clients associate, they are load balanced across grouped Cisco 1000 Series lightweight access points reporting to each Cisco Wireless LAN Controller. This is particularly important when many clients converge in one spot (such as a conference room or auditorium), because Radio Resource Management (RRM) can automatically force some subscribers to associate with nearby APs, allowing higher throughput for all clients.
Tertiary Cisco Wireless LAN Controllers to the Cisco 1000 Series lightweight access point, and reboot the Cisco 1000 Series lightweight access point so it reassociates with its Primary, Secondary, or Tertiary Cisco Wireless LAN Controller. Note: Cisco 1000 Series lightweight access points without a Primary, Secondary, and Tertiary Cisco Wireless LAN Controllers assigned always search for a Master Cisco Wireless LAN Controller first upon reboot.
Discover with a 0.0.0.0 client IP Address or a 169.254.*.* client auto-IP Address, or when the operator-set session timeout is exceeded. Note that the Cisco 1030 remote edge lightweight access points at a remote location must be on the same subnet to support roaming.
Per-WLAN Assignment
All Cisco SWAN WLANs can be configured to use the same or different DHCP Servers, or no DHCP Server. This allows operators considerable flexibility in configuring their Wireless LANs, as further described in the Cisco SWAN WLANs section. Note that Cisco SWAN WLANs that support Management over Wireless must allow the management (device servicing) clients to obtain an IP Address from a DHCP Server.
lightweight access points as Rogue Access Points. Likewise, the Cisco Wireless LAN Controllers in the XYZ Controller Mobility Group do not recognize or communicate with the Cisco Wireless LAN Controllers in the ABC Controller Mobility Group. This feature ensures Controller Mobility Group isolation across the network.
About Cisco SWAN Wired Connections
The Cisco SWAN components communicate with each other using industry-standard Ethernet cables and connectors. The following sections contain details of the Cisco SWAN wired connections.
If Management over Wireless is enabled across the Cisco SWAN, the Network operator can manage the System across the enabled WLAN using CLI and Telnet (Command Line Interface), http/https (Web User Interface), and SNMP (Cisco Wireless Control System). To configure the Cisco SWAN WLANs, refer to Configuring WLANs.
About Access Control Lists
The Operating System allows you to define up to 64 Access Control Lists (ACLs), similar to standard firewall Access Control Lists.
About File Transfers Transferring Files The Network operator can upload and download Operating System code, configuration, and certificate files to and from a Cisco 2000 Series Wireless LAN Controller and/or Cisco 4100 Series Wireless LAN Controller using CLI, Web User Interface, or Cisco Wireless Control System (Cisco WCS) commands. • To use CLI commands, refer to Transferring Files To and From a Cisco Wireless LAN Controller. • To use the Web User Interface, go to Using the Web User Interface.
• Control of AP fall back behavior to optimize pico cell use.
• Heat map support for directional antennas.
• Specific control over blacklisting events.
• Ability to configure and view basic LWAPP configuration elements using the AP’s CLI.
About Cisco Wireless LAN Controllers
Cisco 4100 Series Wireless LAN Controllers are enterprise-class high-performance wireless switching platforms that support 802.11a and 802.11b/802.11g protocols. They operate under control of the Operating System, which includes the Radio Resource Management (RRM), resulting in Cisco 2000 Series Wireless LAN Controllers that can automatically adjust to real-time changes in the 802.11 RF environment.
About Cisco 2000 Series Wireless LAN Controllers
The Cisco 2000 Series Wireless LAN Controller is part of the Cisco SWAN. The Cisco 2000 Series Wireless LAN Controller controls up to six Cisco 1000 Series lightweight access points, making it ideal for smaller enterprise and low-density applications.
associated Cisco 1000 Series lightweight access points with information about their relative positions, IP Addresses, and MAC addresses. This information allows all Cisco Wireless LAN Controllers within each Controller Mobility Group to constantly monitor and dynamically adjust the RF environment, maximizing performance, minimizing interference, and distributing the client load.
• VPN/Enhanced Security Module • Cisco SWAN Wired Connections • Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points • Cisco 1030 IEEE 802.
• AIR-VPN-4100 - VPN/Enhanced Security Module: Supports VPN, L2TP, IPSec and other processor-intensive security options. This is a factory-orderable and field-installable option for all Cisco 4100 Series Wireless LAN Controllers.
Appliance Mode
All Cisco Wireless LAN Controllers operate in Appliance Mode. In Appliance Mode:
• The Cisco 2000 Series Wireless LAN Controller communicates with up to six Cisco 1000 Series lightweight access points.
Series lightweight access point communications, regardless of the number of physical Distribution System ports.
Refer to the Configuring the Cisco Wireless LAN Controllers section for configuration instructions.
About the AP-Manager Interface
The logical AP-Manager Interface controls Layer 3 communications between Cisco Wireless LAN Controllers and Cisco 1000 Series lightweight access points. The AP-Manager Interface is assigned to one physical port (Cisco SWAN Wired Connections), and can be on the same subnet and physical port as the Management Interface.
Each Operator-Defined Interface must be configured for the following: • VLAN number. • Fixed IP Address, IP netmask, and default gateway. • Physical port assignment. • Primary and Secondary DHCP Servers. • Access Control List, if required. Refer to the Configuring the Cisco Wireless LAN Controllers section for configuration instructions.
• Whether or not DHCP Protocol is activated.
• IP Address and IP netmask.
Refer to the Configuring the Cisco Wireless LAN Controllers section for configuration instructions.
About the Startup Wizard
When a Cisco Wireless LAN Controller is powered up with a new factory Operating System software load or after being reset to factory defaults, the bootup script runs the Startup Wizard, which prompts the installer for initial configuration.
Knowing which memory you are modifying is important when you are:
• Using the Startup Wizard
• Clearing Configurations
• Saving Configurations
• Resetting the Cisco Wireless LAN Controller
• Logging Out of the CLI
Cisco Wireless LAN Controller Failover Protection
The Cisco 2000 Series Wireless LAN Controller can associate with up to six Cisco 1000 Series lightweight access points.
are momentarily dropped while the dropped Cisco 1000 Series lightweight access point associates with an unused port on another Cisco Wireless LAN Controller, allowing the client device to immediately reassociate and reauthenticate.
Cisco Wireless LAN Controller Automatic Time Setting
Each Cisco Wireless LAN Controller can have its time manually set or can be configured to obtain the current time from one or more Network Time Protocol (NTP) servers.
Figure - Physical Network Connections to the Cisco 2000 Series Wireless LAN Controller
Cisco 4100 Series Wireless LAN Controllers
Cisco 4100 Series Wireless LAN Controllers can communicate with the network through one or two physical ports, and the logical Management Interface can be assigned to the one or two physical ports.
Figure - Physical Network Connections to the Cisco 4100 Series Wireless LAN Controller
VPN/Enhanced Security Module
All Cisco 4100 Series Wireless LAN Controllers can be equipped with an optional VPN/Enhanced Security Module (AS-Switch-ESM), which slides into the rear panel of the Cisco 4100 Series Wireless LAN Controller.
Figure - Cisco 4100 Series Wireless LAN Controller VPN/Enhanced Security Module Location
About Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points
The Cisco 1000 Series lightweight access point is a part of the innovative Product Guide. When associated with Cisco Wireless LAN Controllers as described below, the Cisco 1000 Series lightweight access point provides advanced 802.11a and/or 802.11b/g Access Point functions in a single aesthetically pleasing plenum-rated enclosure.
• Cisco 1000 Series Lightweight Access Point Connectors • Cisco 1000 Series Lightweight Access Point Power Requirements • Cisco 1000 Series Lightweight Access Point External Power Supply • Cisco 1000 Series Lightweight Access Point Mounting Options • Cisco 1000 Series Lightweight Access Point Physical Security • Cisco 1000 Series Lightweight Access Point Monitor Mode • Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point Deployment Guide About Cisco 1030 IEEE 802.
Note that the Cisco 1030 remote edge lightweight access point must have a DHCP server available on its local subnet, so it can obtain an IP address upon reboot. Also note that the Cisco 1030 remote edge lightweight access points at each remote location must be on the same subnet to allow client roaming. Refer to the following for more information on Cisco 1000 Series lightweight access points: • Cisco 1000 Series IEEE 802.
About Cisco 1000 Series Lightweight Access Point Models
The Cisco 1000 Series lightweight access point includes one 802.11a and one 802.11b/g radio. The Cisco 1000 Series lightweight access point is available in the following configurations:
• AIR-AP1010-A-K9, AIR-AP1010-C-K9, AIR-AP1010-E-K9, AIR-AP1010-J-K9, AIR-AP1010-N-K9, and AIR-AP1010-S-K9 - AP1010 Cisco 1000 Series lightweight access point with one 802.11a and one 802.
The following sections contain more information about Cisco 1000 Series lightweight access point internal and external antennas: • External Antenna Connectors • Antenna Sectorization • 802.11a Internal Antenna Patterns • 802.
Figure - Cisco 1000 Series Lightweight Access Point 802.11a OMNI (Dual Internal) Azimuth Antenna Gain Pattern Figure - Cisco 1000 Series Lightweight Access Point 802.
Figure - Cisco 1000 Series Lightweight Access Point 802.11a Sectorized (Single Internal) Azimuth Antenna Gain Pattern Figure - Cisco 1000 Series Lightweight Access Point 802.
802.11b/g Internal Antenna Patterns
The Cisco 1000 Series lightweight access points contain one 802.11b/g radio which drives two fully enclosed high-gain antennas which can provide a large 360-degree coverage area. The two internal antennas can be used at the same time to provide a 360-degree omnidirectional coverage area, or either antenna can be disabled to provide a 180-degree sectorized coverage area. The 802.
Figure - Cisco 1000 Series Lightweight Access Point 802.11b/g Sectorized (Single Internal) Azimuth Antenna Gain Pattern
Figure - Cisco 1000 Series Lightweight Access Point 802.11b/g Sectorized (Single Internal) Elevation Antenna Gain Pattern
About Cisco 1000 Series Lightweight Access Point LEDs
Each Cisco 1000 Series lightweight access point is equipped with four LEDs across the top of the case. They can be viewed from nearly any angle.
About Cisco 1000 Series Lightweight Access Point Connectors
The AIR-AP1020-A-K9, AIR-AP1020-E-K9, AIR-AP1020-J-K9, AIR-AP1030-A-K9, AIR-AP1030-E-K9, and AIR-AP1030-J-K9 Cisco 1000 Series lightweight access points have the following external connectors:
• One RJ-45 Ethernet jack, used for connecting the Cisco 1000 Series lightweight access point to the network.
Note that the Cisco 1000 Series lightweight access point can receive power over the CAT-5 cable from network equipment. Refer to Power Over Ethernet for more information about this option. The Cisco 1000 Series lightweight access point can be powered from an optional factory-supplied external AC-to-48 VDC power adapter.
Figure - Typical Cisco 1000 Series Lightweight Access Point External Power Supply For more information about the Cisco 1000 Series lightweight access point specifications and capacities, refer to Specifications, available in the Cisco SWAN Marketing Literature.
About Cisco 1000 Series Lightweight Access Point Monitor Mode
The Cisco 1000 Series lightweight access points and Cisco Wireless LAN Controllers are capable of performing Rogue AP detection and containment while providing regular service. The Rogue AP detection is performed across all 802.11 channels, regardless of the Country Code selected. (Refer to Cisco SWAN Supported Country Codes for more details.)
About Rogue Access Points
Because they are inexpensive and readily available, employees are plugging unauthorized rogue access points (Rogue APs) into existing LANs and building ad hoc wireless networks without IT department knowledge or consent. These Rogue APs can be a serious breach of network security, because they can be plugged into a network port behind the corporate firewall.
To facilitate automated Rogue AP detection in a crowded RF space, Cisco 1000 Series lightweight access points can be configured to operate in Cisco 1000 Series Lightweight Access Point Monitor Mode, allowing monitoring without creating unnecessary interference.
About the Cisco Wireless Control System
The Cisco Wireless Control System (Cisco WCS) is the Cisco Structured Wireless-Aware Network network management tool that adds to the capabilities of the Web User Interface and the Command Line Interface, moving from individual Cisco Wireless LAN Controllers to a network of Cisco Wireless LAN Controllers. The Cisco Wireless Control System runs on Windows 2000, Windows 2003, and Red Hat Enterprise Linux ES Server workstations.
Features | Cisco WCS Base Software | Cisco WCS Location Software
Global and Individual AP Security Policies | Yes | Yes
Monitors and Configures Cisco Wireless LAN Controllers | Yes | Yes
Supported Workstations:
• Windows 2000 or Windows 2003 | Yes | Yes
• Red Hat Enterprise Linux ES Server | Yes | Yes
The Cisco Wireless Control System runs on Windows 2000 or 2003 and Red Hat Enterprise Linux ES Server workstations.
- Network, Cisco Wireless LAN Controller, and managed Cisco 1000 Series lightweight access point configuration is streamlined using customer-defined templates. - Network, Cisco Wireless LAN Controller, and managed Cisco 1000 Series lightweight access point status and alarm monitoring. - Automated and manual data client monitoring and control functions.
built-in Cisco Wireless LAN Controller configuration upload function that speeds up database creation while eliminating errors. Cisco Wireless LAN Controller Autodiscovery is limited to the Controller Mobility Group subnets defined by the Network operator.
About the Web User Interface
The Web User Interface is built into each Cisco Wireless LAN Controller. The Web User Interface allows up to five users to simultaneously browse into the built-in Cisco Wireless LAN Controller http/https (http + SSL) Web server, configure parameters, and monitor operational status for the Cisco Wireless LAN Controller and its associated access points.
About the Command Line Interface
The Cisco Command Line Interface (CLI) is built into the Cisco Wireless LAN Controllers, and is one of the Operating System user interfaces described in About the Cisco Structured Wireless-Aware Network. The CLI allows operators to use a VT-100 emulator to locally or remotely configure, monitor and control individual Cisco Wireless LAN Controllers, and to access extensive debugging capabilities.
SOLUTIONS
• Operating System Security
• Converting a Cisco SWAN from Layer 2 to Layer 3 Mode
• Converting a Cisco SWAN from Layer 3 to Layer 2 Mode
• Configuring a Firewall for Cisco WCS
• Configuring the System for SpectraLink NetLink Telephones
• Management over Wireless
• Configuring a WLAN for a DHCP Server
• Customizing the Web Auth Login Screen
• Configuring Identity Networking for Operating System 2.2
Operating System Security
Operating System Security includes the following sections:
• Overview
• Layer 1 Solutions
• Layer 2 Solutions
• Layer 3 Solutions
• Single Point of Configuration Policy Manager Solutions
• Rogue Access Point Solutions
• Integrated Security Solutions
• Simple, Cost-Effective Solutions
Overview
The industry-leading Operating System Security solution bundles potentially complicated Layer 1, Layer 2 and Layer 3 802.
Layer 3 Solutions
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as VPNs (virtual private networks), L2TP (Layer Two Tunneling Protocol), and IPSec (IP security) protocols. The Cisco SWAN L2TP implementation includes IPSec, and the IPSec implementation includes IKE (Internet Key Exchange), DH (Diffie-Hellman) groups, and three optional levels of encryption: DES (ANSI X3.92 data encryption standard), 3DES (ANSI X9.
Series lightweight access points Discourage Rogue AP clients by sending the clients deauthenticate and disassociate messages whenever they associate with the Rogue AP).
Integrated Security Solutions
• Operating System Security is built around a robust 802.1X AAA (authorization, authentication and accounting) engine, which allows operators to rapidly configure and enforce a variety of security policies across the Cisco SWAN.
Converting a Cisco SWAN from Layer 2 to Layer 3 Mode
When you wish to convert a Cisco SWAN from Layer 2 to Layer 3 Mode, use one of the following procedures:
• Using the Web User Interface
• Using the Cisco WCS User Interface
Using the Web User Interface
When you wish to convert a Cisco SWAN from Layer 2 to Layer 3 LWAPP Transport Mode using the Web User Interface, complete the following steps:
CAUTION: This procedur
If you do not complete this step, the Cisco 1000 Series lightweight access points may fail to associate with the Cisco Wireless LAN Controller after completing the conversion. 5. Change the LWAPP Transport Mode from Layer 2 to Layer 3: A. Select CONTROLLER/General to navigate to the General page, and change Layer 2 LWAPP Transport Mode to Layer 3. B. Click Apply to send the changes to the Cisco Wireless LAN Controller and the associated Cisco 1000 Series lightweight access points.
starts reporting its status to the Cisco Wireless LAN Controller. Note that this can take a few minutes for each Cisco 1000 Series lightweight access point. You have completed the LWAPP Transport Mode conversion from Layer 2 to Layer 3. The ap-manager interface now controls all communications between Cisco Wireless LAN Controllers and Cisco 1000 Series lightweight access points on different subnets. Continue with the Product Guide.
6. A. Select CONFIGURE/Controllers to navigate to the All Controllers page, and select the Cisco Wireless LAN Controller by IP address to have Cisco WCS display the > Controller General page. B. From the > Controller General page, select System/Networking to display the > Networking Setups page. C. On the > Networking Setups page, change Layer 2 LWAPP Transport Mode to Layer 3 and click Save. D.
9. After the Cisco Wireless LAN Controller has rebooted, verify that the LWAPP Transport Mode is now Layer 3: A. Select CONFIGURE/Controllers to navigate to the All Controllers page, and select the desired Cisco Wireless LAN Controller by IP address to have Cisco WCS display the > Controller General page. B. From the > Controller General page, select System/Networking to display the > Networking Setups page. C.
Converting a Cisco SWAN from Layer 3 to Layer 2 Mode
When you wish to convert a Cisco SWAN from Layer 3 to Layer 2 Mode, perform one of the following tasks:
• Using the Web User Interface
• Using the Cisco WCS User Interface
Using the Web User Interface
When you wish to convert a Cisco SWAN from Layer 3 to Layer 2 LWAPP Transport Mode using the Web User Interface, complete the following steps: CAUTION: This procedure w
CAUTION: This step is very important! If you change the Cisco SWAN From Layer 3 to Layer 2 while the Cisco Wireless LAN Controllers and Cisco 1000 Series lightweight access points are on different subnets, they will be UNABLE TO COMMUNICATE with each other after the conversion to Layer 2 mode. 2. 3. 4. Change the LWAPP Transport Mode from Layer 3 to Layer 2: A.
Configuring a Firewall for Cisco WCS
When a Cisco WCS Server and a Cisco WCS User Interface are on different sides of a firewall, they cannot communicate unless the following ports on the firewall are opened to two-way traffic:
• 80 (TCP)
• 1299 (TCP)
• 4000 (TCP)
• 5009 (TCP)
• 5010 (TCP)
• 6789 (RMI)
Open these ports to configure your firewall to allow communications between a Cisco WCS Server and a Cisco WCS User Interface.
Configuring the System for SpectraLink NetLink Telephones
SpectraLink NetLink Telephones require an extra Operating System configuration step to optimize integration with Operating System.
• When the Short Preamble Enabled box is checked, the Operating System is set to the default, Short Preamble Enabled; if this is the case, continue with this procedure. If this parameter indicates that Short Preamble is Disabled (box is unchecked), this Cisco Wireless LAN Controller is already optimized for SpectraLink NetLink Telephones; if desired, continue with the Product Guide. • Enable long preambles by unchecking the Short Preamble Enabled box.
• The Cisco Wireless LAN Controller reboots. This will take some time, during which Cisco WCS loses its connection to the Cisco Wireless LAN Controller. Note: You can use a CLI session to view the Cisco Wireless LAN Controller reboot process. When you can log into the Cisco Wireless LAN Controller CLI, continue with this procedure.
Using Management over Wireless Management over Wireless The Cisco SWAN Management over Wireless feature allows Cisco SWAN operators to monitor and configure their local Cisco Wireless LAN Controller using a wireless client. This feature is supported for all management tasks except uploads to and downloads from (transfers to and from) the Cisco Wireless LAN Controller.
Configuring a WLAN for a DHCP Server
Using the Command Line Interface
1. In the CLI, use the show wlan command to verify whether you have a valid DHCP server assigned to the WLAN. If you have no DHCP server assigned to the WLAN, continue with Step 2. Otherwise, continue with Step 4. 2.
Customizing the Web Auth Login Screen
When a Network operator uses Web Authorization (Web Auth) to authenticate clients, the operator must define Usernames and Passwords for each client, and then the clients must enter a valid Username and Password when prompted. Because the Cisco SWAN operator may want to customize the Web Auth Login screen, the following two sections describe the default operation and how to customize the Web Auth Login screen.
Figure - Default Cisco SWAN Login Screen The client must respond with a Username and Password predefined using the Local Net Users > New Web User Interface page, or using the config netuser add Command Line Interface (CLI) command. Note that the Default Cisco SWAN Login Screen contains Cisco SWAN-specific text and a logo in four customizable areas: • The Cisco SWAN logo in the upper-right corner can be deleted and restored. • The Web Title “Welcome to the Cisco SWAN wireless network”.
Figure - Default Login Successful Screen Note that the Default Login Successful Screen contains a pointer to the operator-defined Virtual Gateway Address URL, redirect https://1.1.1.1/logout.html. This redirect is defined by the Virtual Gateway IP Address parameter (1.1.1.1) entered while Using the Startup Wizard, as the Virtual Gateway Address in the Interfaces Web User Interface page, or using the config interface create Command Line Interface (CLI) command.
To change the Web Title again, enter the config custom-web webtitle command again with a new . Refer to the Sample Customized Web Auth Login Page for an example.
>transfer download start
Mode........................................... TFTP
Data Type...................................... Code
TFTP Server IP................................. xxx.xxx.xxx.xxx
TFTP Path......................................
TFTP Filename.....................................
To change the redirect back to the originally requested URL, use the clear redirect-url command:
>clear redirecturl
Verifying your Web Auth Changes
Use the show custom-web command to verify your Web Auth operation changes:
Default State
>show custom-web
Cisco Logo................................. Enabled
CustomLogo..................................... Disabled
Custom Title................................... Disabled
Custom Message.................................
Username and Password.
Custom Redirect URL............................ http://www.AcompanyBC.com
External Web Authentication Mode............... Disabled
External Web Authentication URL................ Disabled
When a client attempts to connect to a URL, the following customized Web Auth screen appears:
Figure - Sample Customized Login Screen
After a successful Web Authorization, the client is redirected to the http://www.AcompanyBC.com URL.
Configuring Identity Networking for Operating System 2.2
This document explains the Identity Networking feature of Operating System 2.2, how it is configured and the expected behavior for various security policies. In previous Operating System releases, each WLAN had a static policy that would be applied to all mobile clients associated with the SSID.
• Type - 26 for Vendor-Specific
• Length - 10
• Vendor-Id - 14179
• Vendor type - 2
• Vendor length - 4
• Value - Three octets:
  - 0 - Silver (Best Effort)
  - 1 - Gold (Video)
  - 2 - Platinum (Voice)
  - 3 - Bronze (Background)
ACL-Name
This attribute indicates the ACL name to be applied to the client. A summary of the ACL-Name Attribute format is shown below. The fields are transmitted from left to right.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Interface Name...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type - 26 for Vendor-Specific
• Length - >7
• Vendor-Id - 14179
• Vendor type - 5
• Vendor length - >0
• Value - A string that includes the name of the interface the client is to be assigned to.
Note: This Attribute only works when MAC Filtering is enabled, or if 802.1X or WPA is used as the security policy.
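The QoS value and Interface Name attributes above share one Vendor-Specific layout, so the attribute portion of a RADIUS reply can be decoded to audit which policy the server assigns to a client. The Python decoder below is an added example, not Cisco code. It assumes the vendor length counts its own two header octets (the RFC 2865 convention, which agrees with Length 10 and Vendor length 4 above), one sub-attribute per attribute, and a QoS value read as a big-endian integer of whatever width the lengths imply; the sample bytes and the interface name guest-vlan are constructed.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type (from the page)
VENDOR_ID = 14179         # Vendor-Id (from the page)
QOS_LEVEL = 2             # vendor type carrying the QoS value (from the page)
INTERFACE_NAME = 5        # vendor type carrying the interface name (from the page)
QOS_LEVELS = {0: "Silver", 1: "Gold", 2: "Platinum", 3: "Bronze"}


class MalformedAttribute(ValueError):
    """Raised when a length field disagrees with the bytes actually present."""


def build_vsa(vendor_type, value):
    """Encode one vendor sub-attribute inside a type-26 attribute."""
    vendor_len = 2 + len(value)       # vendor type + vendor length + value
    total_len = 2 + 4 + vendor_len    # type + length + Vendor-Id + sub-attribute
    if total_len > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, total_len, VENDOR_ID,
                         vendor_type, vendor_len)
    return header + value


def iter_attributes(buf):
    """Yield (type, value) for each attribute, checking every Length octet."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise MalformedAttribute("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise MalformedAttribute(f"bad Length {length} at offset {pos}")
        yield attr_type, buf[pos + 2:pos + length]
        pos += length


def decode_policy(buf):
    """Return the QoS level and interface name assigned by the attributes in buf."""
    policy = {}
    for attr_type, value in iter_attributes(buf):
        if attr_type != VENDOR_SPECIFIC:
            continue                  # standard attribute, not decoded here
        if len(value) < 6:
            raise MalformedAttribute("vendor-specific attribute too short")
        vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
        if vendor_id != VENDOR_ID:
            continue                  # another vendor's attribute
        if vendor_len != len(value) - 4:
            raise MalformedAttribute("vendor length disagrees with Length")
        data = value[6:]
        if vendor_type == QOS_LEVEL:
            level = int.from_bytes(data, "big")
            if not data or level not in QOS_LEVELS:
                raise MalformedAttribute(f"unknown QoS value {data.hex()}")
            policy["qos"] = QOS_LEVELS[level]
        elif vendor_type == INTERFACE_NAME:
            # Assumption of this example: names are printable ASCII.
            if not data or not all(0x20 <= b < 0x7F for b in data):
                raise MalformedAttribute("interface name empty or not printable")
            policy["interface"] = data.decode("ascii")
    return policy


# Constructed sample: the attribute portion of a reply (not a real capture).
SAMPLE = (build_vsa(QOS_LEVEL, b"\x00\x02")
          + build_vsa(INTERFACE_NAME, b"guest-vlan")
          + bytes([6, 6, 0, 0, 0, 2]))   # Service-Type, skipped by the decoder

if __name__ == "__main__":
    print(decode_policy(SAMPLE))
```

Rejecting an attribute whose vendor length and outer Length disagree keeps a malformed or tampered reply from being read as a valid interface or QoS assignment.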
Reference [RFC2868] defines RADIUS tunnel attributes used for authentication and authorization, and [RFC2867] defines tunnel attributes used for accounting. Where the IEEE 802.1X Authenticator supports tunneling, a compulsory tunnel may be set up for the Supplicant as a result of the authentication. In particular, it may be desirable to allow a port to be placed into a particular Virtual LAN (VLAN), defined in [IEEE8021Q], based on the result of the authentication.
TASKS
You can perform the following tasks using the Cisco Structured Wireless-Aware Network (Cisco SWAN):
Deployment and Quick Start Guides
• The Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point Deployment Guide helps you determine the number of Cisco 1000 Series IEEE 802.11a/b/g lightweight access points a site needs, where to place the Cisco 1000 Series IEEE 802.11a/b/g lightweight access points, and to perform a minimal site survey, if necessary.
• Reinitializing the Linux Cisco WCS Database describes how to reinitialize the Cisco WCS database on Linux Cisco WCS workstations. • Transferring Files To and From a Cisco Wireless LAN Controller describes uploading and downloading files from a Cisco Wireless LAN Controller. • Viewing Network Status helps you monitor the Cisco SWAN network status. Troubleshooting • Troubleshooting Tips contains information you can use to troubleshoot the Cisco SWAN.
Using the Cisco SWAN CLI
The Command Line Interface (CLI) allows operators to configure any Cisco Wireless LAN Controller and its associated Cisco 1000 Series lightweight access points.
2. Verify that your terminal emulation (HyperTerminal, ProComm, minicom, tip, or other) interface is configured with the following parameters: - 9600 baud - 8 data bits - 1 stop bit - no parity - no hardware flow control 3. In your terminal emulation program, open a session with the Cisco Wireless LAN Controller. 4. Press . The CLI returns a login prompt. 5. Enter a valid login and password to enter the CLI. (The default login and password are admin and admin, respectively.
• You may use either a terminal emulation program or a DOS shell for the Telnet session. Note: By default, Telnet sessions are not allowed. You will need to enable Telnet sessions using your serial connection, and using the Cisco SWAN CLI or Web User Interface. Your computer may connect to the Cisco Wireless LAN Controller through the network using one of a variety of paths as shown in the following illustration. 1.
Note: If you have recently cleared the volatile RAM configurations using Clearing Configurations and you save the configuration from the volatile RAM to the NVRAM, you will have to reconfigure the Cisco Wireless LAN Controller after reboot using the Startup Wizard.
CLI Tree Structure
The Command Line Interface tree structure is organized around five levels:
Root Level
Level 2
Level 3
Level 4
Level 5
Following are some examples of CLI commands and their position in the tree structure.
• Type ‘exit’ to go down a level. • Enter to return to the root level. • From the root level, you can enter the whole command name. For instance, you can enter: >config prompt “Ent1” to change the system prompt to Ent1 >. • To save your changes from active working RAM to non-volatile RAM (NVRAM) so they are retained upon reboot, use the save config command at the CLI root level.
Configuring Cisco Wireless LAN Controllers Configuring the Cisco Wireless LAN Controllers This section assumes that the Cisco Wireless LAN Controller is already installed, initially configured, and connected as described in the Cisco 2000 Series Wireless LAN Controller Quick Start Guide or Cisco 4100 Series Wireless LAN Controller Quick Start Guide.
- Distribution System physical port (1000BASE-T, 1000BASE-SX, or 10/100BASE-T). Note that each 1000BASE-SX interface provides a 100/1000 Mbps wired connection to a network through an 850nM (SX) fiber-optic link using an LC physical connector. - Distribution System port VLAN assignment (optional). - Distribution System port Web and Secure Web mode settings, enabled or disabled. - Distribution System port Spanning Tree Protocol: enabled/disabled, 802.
• If necessary, set the Cisco Wireless LAN Controller country code by entering: >config country Where = - US (United States of America), which allows 802.11b and 802.11g operation and 802.11a Low, Medium, and High bands. - USL (US Low), which allows 802.11b and 802.11g operation and 802.11a Low and Medium bands. (Used for legacy 802.11a interface cards that do not support 802.11a High band.) - AU (Australia), which allows 802.11a and 802.11b/g.
• Be sure these protocols are configured to agree with your wireless network plan and to comply with the Country Code entered in the previous step using the following commands:
>config 802.11a enable network
>config 802.11a disable network
>config 802.11b enable network
>config 802.11b disable network
• Use the show sysinfo command to verify that the Cisco Wireless LAN Controller has stored your input. Continue with the next parameter.
• Note that the Cisco 4100 Series Wireless LAN Controller also has a Service-Port Interface, but that Interface can only be applied to the front-panel Service Port.
• Use the show interface detailed ap-manager command to view the current AP-Manager Interface settings. • To change any of the parameters, disable all WLANs.
• And then use the following: >config interface create >config interface address [optional gateway] >config interface vlan >config interface port >config interface dhcp
Use the show interface detailed virtual command to verify that the Cisco Wireless LAN Controller has correctly stored your inputs. Note that this Interface cannot be deleted. Continue with the next section.
>config spanningtree switch forwarddelay <4-30> where <4-30> seconds = STP forward delay for this Cisco Wireless LAN Controller (default forward delay = 15 seconds). • If required, configure the Cisco Wireless LAN Controller STP hello time using the following command: >config spanningtree switch hellotime <1-10> where <1-10> seconds = STP hello time for this Cisco Wireless LAN Controller (default hello time = 2 seconds).
• If you are modifying enabled WLANs, be sure they are disabled using the show wlan summary command. If they are not disabled, use the following to disable them:
>config wlan disable
where = 1 through 16. Leave the WLANs in disabled mode until you have finished configuring them.
• If you are deleting WLANs, use the following command:
>config wlan delete
where = 1 through 16.
DHCP Server
Each WLAN can be assigned to a DHCP server.
Disable Timeout
Each WLAN can have a variable timeout for excluded, or disabled clients. Clients who fail to authenticate three times when attempting to associate are automatically excluded, or disabled, from further association attempts. After the exclusion timeout period expires, the client is allowed to retry authentication until it associates or fails authentication and is excluded again.
• Use the show wlan command to check the current WLAN Disable (Excluded) Timeout.
• If you want to change the 802.1X encryption for a Cisco 1000 Series lightweight access point WLAN (not a Third-Party WLAN), use the following command:
>config wlan security 802.1X encryption [40/104/128]
where = 1 through 16, and [40/104/128] = 40/64, 104/128 (default) or 128/152 encryption bits (default = 104/128).
WEP Keys
Cisco Wireless LAN Controllers can only control WEP keys across Cisco 1000 Series lightweight access points.
>config wlan security wpa encryption tkip
>config wlan security wpa encryption wep [40/104/128]
where = 1 through 16, and [40/104/128] = 40/64, 104/128, or 128/156 encryption bits (default = 104).
• Use the show wlan command to verify that you have WPA enabled.
Layer 3 Security
Note: WLANs are created in disabled mode; leave them disabled until you have finished configuring them.
IKE Authentication
IPSec IKE (Internet Key Exchange) uses pre-shared key exchanges, x.509 (RSA Signatures) certificates, and XAuth-psk for authentication.
• Use the show wlan command to see if IPSec IKE is enabled.
IPSec Passthrough
IPSec IKE uses IPSec Passthrough to allow IPSec-capable clients to communicate directly with other IPSec equipment. IPSec Passthrough is also known as VPN Passthrough.
• Use the show wlan command to see the current IPSec passthrough status.
Platinum QoS, assign the low-bandwidth WLAN to use Bronze QoS, and assign all other traffic between the remaining QoS levels. • Use the show wlan command to verify that you have QoS properly set for each WLAN. • If required, use the following command to configure QoS for each WLAN: >config wlan qos [bronze/silver/gold/platinum] where = 1 through 16. • Use the show wlan command to verify that you have QoS properly set for each WLAN.
>config >config >config >config radius radius radius radius auth auth auth auth
[disable/enable] where = server name or IP Address, = UDP port number, = the RADIUS server's secret. When you have completed these configurations, use the show radius acct statistics, show radius auth statistics and show radius summary commands to verify that the RADIUS links are correctly configured. Continue with Configuring SNMP.
Service Port
The Service port on the Cisco 4100 Series Wireless LAN Controller front panel can be configured with a separate IP Address, subnet mask, and IP assignment protocol from the Distribution System (network) port.
Locally Generated Certificate
Should you desire to have the Operating System generate a new Web Administration SSL certificate, complete the following:
• In the CLI, enter:
>config certificate generate webadmin
Wait a few seconds, and the Cisco Wireless LAN Controller returns:
Web Administration certificate has been generated
• Verify that the Web Administration certificate is properly loaded:
>show certificate summary
Web Administration Certificate.................
CAUTION: Each certificate has a variable-length embedded RSA Key. The RSA key can be from 512 bits, which is relatively insecure, through thousands of bits, which is very secure. When you are obtaining a new certificate from a Certificate Authority (such as the Microsoft CA), be sure the RSA key embedded in the certificate is AT LEAST 768 Bits. • Buy or create your own Web Administration SSL key and certificate.
Certificate installed. Please restart the switch (reset system) to use the new certificate. • Verify that the Web Administration certificate is properly loaded: >show certificate summary Web Administration Certificate................. Locally Generated Web Authentication Certificate................. Locally Generated Certificate compatibility mode:................
>transfer upload serverip
>transfer upload start
Continue with Using the Cisco SWAN CLI.
Updating the Operating System Software
When you plan to update the Cisco Wireless LAN Controller (and Cisco 1000 Series lightweight access point) Operating System software, complete the following. Note: You can start the Operating System software update using the Web User Interface, Cisco WCS User Interface, or Management over Wireless.
Are you sure you want to start? (y/n) n Transfer Canceled > • To change the download settings, use the following: >transfer download mode tftp >transfer download datatype code >transfer download serverip >transfer download filename AS_2000_.aes or AS_4100_.aes >transfer download path Note: All TFTP servers require the full pathname. For example in Windows, C:\TFTP-Root.
Refer to the Transferring Files To and From a Cisco Wireless LAN Controller section for other file upload and download instructions.
Using the Startup Wizard
When a Cisco Wireless LAN Controller is powered up with a new factory Operating System software load or after being reset to factory defaults, the bootup script runs the Startup Wizard, which prompts the installer for initial Cisco Wireless LAN Controller configuration.
Note: The Cisco Wireless LAN Controller Country Code only operates with Cisco 1000 Series lightweight access points designed for operation in the associated Regulatory Domain. Refer to the Cisco SWAN Supported Country Codes for Cisco Wireless LAN Controller Country Code mapping to Cisco 1000 Series lightweight access point Regulatory Domains. • Independently enable and/or disable the 802.11b, 802.11a, and 802.11g Cisco 1000 Series lightweight access point networks.
Configuration Saved! • Reboot the Cisco Wireless LAN Controller: >reset system Are you sure you would like to reset the system? (y/n) y System will now restart! The Cisco Wireless LAN Controller completes the bootup process as described in Step 4: Connecting and Using the CLI Console in the Cisco 4100 Series Wireless LAN Controller Quick Start Guide.
• To change the download settings, use the following: >transfer download mode tftp >transfer download datatype webauthcert >transfer download serverip >transfer download path >transfer download filename .pem Note: Some TFTP servers require only a forward slash “/” as the , and the TFTP server automatically determines the path to the correct directory. • Enter the password for the .
The Cisco Wireless LAN Controller completes the bootup process as described in Step 4: Connecting and Using the CLI Console in the Cisco 4100 Series Wireless LAN Controller Quick Start Guide. • Be sure that operators using the Web User Interface know that they may securely log into the Cisco Wireless LAN Controller using “https://. Refer to the Transferring Files To and From a Cisco Wireless LAN Controller section for other file upload and download instructions.
Refer to the Transferring Files To and From a Cisco Wireless LAN Controller section for other file upload and download instructions.
• Enter the password included in the .PEM file, so the Operating System can decode the Web Administration SSL key and certificate: >transfer download certpassword >Setting password to • In the CLI, use the transfer download start command to view the updated settings, and answer ‘y’ to the prompt to confirm the current download settings and start the certificate and key download: >transfer download start Mode...........................................
• Use the reset system command, described in Resetting the Cisco Wireless LAN Controller, which will ask you whether you would like to save configuration changes before the system reboots. • Use the logout command, described in Logging Out of the CLI, which asks you whether you would like to save configuration changes before logging out.
The Cisco Wireless LAN Controller reboots. • When you are prompted for a Username, enter recover-config to restore the factory default configurations. The Cisco Wireless LAN Controller reboots and displays the Welcome to the Cisco SWAN Wizard Configuration Tool message. • Enter the initial configuration of the Cisco Wireless LAN Controller as described in Using the Startup Wizard. Continue with Using the Cisco SWAN CLI.
Using the Cisco Wireless Control System
Refer to the following to start, stop, use, and manage Cisco WCS.
- Locating Clients - Finding Coverage Holes - Pinging a Network Device from a Cisco Wireless LAN Controller • Updating OS Software from Cisco WCS • Managing Cisco WCS and Database - Installing Cisco WCS - Updating Windows Cisco WCS - Updating Linux Cisco WCS - Reinitializing the Windows Cisco WCS Database - Updating Linux Cisco WCS
Starting and Stopping Windows Cisco WCS
• Starting Cisco WCS as a Windows Application
• Starting Cisco WCS as a Windows Service
• Stopping the Cisco WCS Windows Application
• Stopping the Cisco WCS Windows Service
• Checking the Cisco WCS Windows Service Status
Starting Cisco WCS as a Windows Application
When Cisco WCS has been installed as an application, you can start the Cisco WCS application at any time.
The start Cisco WCS script opens a Start Cisco WCS Service DOS window, which displays the following messages: The Nms Server service is starting. . The Nms Server service was started successfully. (in the background) Launching Server Status Window The Start Cisco WCS Service window displays the Cisco WCS Server Status window. You can close the Start Cisco WCS Service DOS window, and view the current Cisco WCS Service status in the Cisco WCS Server Status window.
Note: You can close the Cisco WCS Server Status window at any time, if you wish. When you want to view the current Cisco WCS status, from the Windows START button, select the Programs menu, and select Cisco Wireless Control System 2.2/Check Server Status to view the Cisco WCS Server Status window again. If desired, continue with Starting a Cisco WCS User Interface or Using the Cisco Wireless Control System in the Product Guide.
When the Cisco WCS Service is active, the Cisco WCS Server Status window reports that the Cisco WCS is Up. When the Cisco WCS Service is inactive, the Cisco WCS Server Status window reports that the Cisco WCS is down. Checking if database has started ... • You can close the Start Cisco WCS Service DOS window and the Cisco WCS Server Status window at any time. You have viewed the Cisco WCS service status. If desired, continue with the Product Guide.
Starting and Stopping Linux Cisco WCS
• Starting the Linux Cisco WCS Application
• Stopping the Linux Cisco WCS Application
• Checking the Linux Cisco WCS Status
Starting the Linux Cisco WCS Application
Linux Cisco WCS is always installed as an application, and you can start the Linux Cisco WCS application at any time.
running. The Cisco WCS Server Status window typically shows Cisco WCS Server is down. Checking if database has started when the Cisco WCS Server is not running. • To close the Cisco WCS Server Status window, click Close in the Cisco WCS Server Status window or enter in the ./StartACSServer window. You have viewed the Cisco WCS service status. If desired, continue with the Product Guide.
Starting and Stopping the Cisco WCS Web Interface
Starting a Cisco WCS User Interface
This Cisco WCS interface is used by Cisco WCS operators as described in Cisco WCS User Interface. Starting a Cisco WCS User Interface is a simple task.
• If not already done, start Cisco WCS as described in Starting and Stopping Windows Cisco WCS or Starting and Stopping Linux Cisco WCS.
• Launch an Internet Explorer 6.
Continue with the Using the Cisco Wireless Control System or Stopping a Cisco WCS User Interface section.
Using Cisco WCS
• Checking the Cisco SWAN Network Summary
• Adding a Cisco Wireless LAN Controller to Cisco WCS
• Creating an RF Calibration Model
• Adding a Campus Map to the Cisco WCS Database
• Adding a Building to a Campus
• Adding a Standalone Building to the Cisco WCS Database
• Adding an Outdoor Area to a Campus
• Adding Floor Plans to a Campus Building
• Adding Floor Plans to a Standalone Building
• Adding APs to Floor Plan and Open Area Maps
• Monitoring Predi
After you have configured the Cisco WCS database with one or more Cisco Wireless LAN Controllers, the Network Summary page shows that the Cisco Wireless LAN Controllers, Coverage Areas, Most Recent Rogue APs, the Top Five Cisco 1000 Series lightweight access points, and the Top Five Coverage Holes databases are updated, as shown in the following figure. The following figure also shows that there has been one Client connected to the Cisco SWAN over the last 24 hours.
• In the Button Area, select Add Controller. • Click GO to have the Cisco WCS User Interface display the Add Controller page.
• Enter the Cisco Wireless LAN Controller IP Address, Network Mask, and required SNMP settings in the Add Controller data entry fields. Note: Cisco SWAN recommends that you manage each Cisco 4100 Series Wireless LAN Controller via the dedicated front-panel Service Port for highest security. If any Cisco 4100 Series Wireless LAN Controller has its Service port disabled, you will manage the Cisco 4100 Series Wireless LAN Controller through its Management Interface.
Note: If Cisco WCS does not find a Cisco Wireless LAN Controller at the selected IP Address, the Discovery Status page displays a No response from device, check SNMP. . . message.
Creating an RF Calibration Model
When you are using Cisco Wireless Control System with Location Services and want to improve client and rogue AP location accuracy across one or more floors, you can create an RF Calibration Model that uses manually collected RF measurements to calibrate the location algorithm.
• Click GO to have the Cisco WCS User Interface display the Maps > New Campus page. • In the Maps > New Campus page, enter the Campus Name and Campus Contact Information, click Browse to search for and select the Campus graphic name, select Maintain Aspect Ratio (if desired), and enter the Horizontal Span and the Vertical Span of the map in feet. (Note that the Campus Horizontal Span and the Vertical Span should be larger than any building or floor plan to be added to the campus.
• Repeat this section for any remaining Campuses. When you have completed this section, continue with Adding an Outdoor Area to a Campus or Adding a Standalone Building to the Cisco WCS Database.
Adding a Building to a Campus
You can add Buildings to the Cisco WCS database whether or not you have added maps or Campuses as described in Adding a Campus Map to the Cisco WCS Database.
The Cisco WCS User Interface displays the Maps > page. • In the Maps > page Button Area, select New Building. • Click GO to have the Cisco WCS User Interface display the > New Building page.
• In the > New Building page, you can create a virtual Building to organize related Floor Plan maps. To do this: - Enter the Building Name. - Enter the Building Contact Name. - Enter the number of Floors and Basements. - Enter an approximate Building Horizontal Span and Vertical Span (width and depth on the map) in feet. Note that these numbers should be larger than or the same size as any floors that might be added later.
- Click Save to save the Building definition and its Campus location in the Cisco WCS database. Cisco WCS saves the Building name in the Building rectangle on the Campus map. Note that there will be a hyperlink associated with the Building that takes you to the corresponding Map page.
• Repeat this section for any remaining Campus Buildings. When you have completed this section for all Campus Buildings, continue with Adding Floor Plans to a Campus Building.
Adding a Standalone Building to the Cisco WCS Database
You can add Buildings to the Cisco WCS database whether or not you have added maps or Campuses as described in Adding a Campus Map to the Cisco WCS Database.
• Click GO to have the Cisco WCS User Interface display the Maps > New Building page. • In the Maps > New Building page, you can create a virtual Building to organize related Floor Plan maps. To do this: - Enter the Building Name. - Enter the Building Contact Name. - Enter the number of Floors and Basements. - Enter an approximate Building Horizontal Span and Vertical Span (width and depth on the map) in feet.
• Click OK to save the Building definition to the Cisco WCS database. Repeat this section for any remaining Standalone Buildings. When you have completed this section for all Standalone Buildings, continue with Adding Floor Plans to a Standalone Building.
Adding an Outdoor Area to a Campus
You can add Outdoor Areas to a Campus in the Cisco WCS database whether or not you have added Outdoor Area maps to the Cisco WCS database.
• Click GO to have the Cisco WCS User Interface display the > New Outdoor Area page.
• In the > New Outdoor Area page, you can create a manageable Outdoor Area. To do this:
- Enter the Outdoor Area Name.
- Enter the Outdoor Area Contact Name.
- Enter the Outdoor Area Map filename (optional).
- Enter an approximate Outdoor Area Horizontal Span and Vertical Span (width and depth on the map) in feet. Note: Alternatively, you can use to resize the bounding area in the upper left corner of the Campus map.
on the Campus map. Note that there will be a hyperlink associated with the Building Name or Outdoor Area. • Repeat this section for any remaining Outdoor Areas. When you have completed this section for all Outdoor Areas, continue with Using the Cisco Wireless Control System.
The Cisco WCS User Interface displays the Maps > page.
• In the Maps > page Button Area, move the cursor over an existing Building rectangle to highlight it. Note that when you highlight the Building rectangle, the Building description appears in the Sidebar area.
• Left-click on the Building rectangle to have Cisco WCS display the Maps > > page.
• In the Button Area, select New Floor Area.
• Click GO to have the Cisco WCS User Interface display the > New Floor page.
• In the > New Floor page, you can add floors to a Building to organize related Floor Plan maps. To do this:
- Enter the Floor or Basement Name.
- Enter the Floor or Basement Contact Name.
- Select the Floor or Basement number.
- Enter the Floor-to-Floor Height in feet.
- Also, when you are importing a .FPE floor plan map file from the Floor Plan Editor, click Browse to search for and select the desired .FPE Floor or Basement graphic name.
• In the Maps > > page, left-click any of the Floor or Basement images to view the floor plan or basement map as shown in the following figure. Note that you can zoom in and out to view the map at different sizes, and can add APs from this page.
• Repeat this section for any remaining Floors or Basements. Continue with Adding Floor Plans to a Standalone Building or Adding APs to Floor Plan and Open Area Maps.

Adding Floor Plans to a Standalone Building

Once you have added a standalone Building to the Cisco WCS database as described in Adding a Standalone Building to the Cisco WCS Database, you can add individual floor plan maps to the Building.
• In the Main Data Page, select the desired Building. The Cisco WCS User Interface displays the Maps > page.
• In the Button Area, select New Floor Area.
• Click GO to have the Cisco WCS User Interface display the > New Floor page.
• In the > New Floor page, you can add floors to a Building to organize related Floor Plan maps. To do this:
- Enter the Floor or Basement Name.
- Enter the Floor or Basement Contact Name.
- Select the Floor or Basement number.
- Enter the Floor-to-Floor Height in feet.
- If you are importing a .FPE floor plan map file from the Floor Plan Editor, check the Import FPE File box. Otherwise, leave this box unchecked. Also, when you are importing a .
Note: You can use to resize the graphic within the Building-sized grid. Leave Maintain Aspect Ratio checked to preserve the original graphic aspect ratio, or uncheck the Maintain Aspect Ratio box to change the graphic aspect ratio. Once again, use to change the graphic aspect ratio.
• Click Save to save the Building definition to the Cisco WCS database. The Cisco WCS User Interface displays the floor plan graphic in the Maps > page.
• Repeat this section for any remaining Floors or Basements. Continue with Adding Floor Plans to a Campus Building or Adding APs to Floor Plan and Open Area Maps.

Adding APs to Floor Plan and Open Area Maps

This procedure assumes that you have added the Floor Plan and/or Outdoor Area maps as described in Adding Floor Plans to a Campus Building, Adding Floor Plans to a Standalone Building and Adding an Outdoor Area to a Campus.
• In the Network Summary page, left-click the desired Floor Plan or Outdoor Area map.
• In the Button Area, select Add Access Points.
• Click GO to have the Cisco WCS User Interface display the Add Access Points page.
• In the Add Access Points page, check the Cisco 1000 Series lightweight access points to add to the map.
• Click OK to have the Cisco WCS User Interface add the Cisco 1000 Series lightweight access points to the map and display the Position Access Points map similar to the following:
Note that the Cisco 1000 Series lightweight access point icons appear in the upper left area of the map.
• Left-click and drag the Cisco 1000 Series lightweight access point icons to indicate their physical locations.
• Highlight each Cisco 1000 Series lightweight access point icon in turn, and select the Antenna Angle. Note: The Antenna Angle is relative to the Map “X” axis.
• If you have imported a .FPE and a .PNG, .JPG, or .GIF format Coverage Area map, click Save to store the Cisco 1000 Series lightweight access point locations and orientations, and have Cisco WCS compute the second-order RF prediction (or “Heat Map”) for the Coverage Area. Note: In the following example, AP1 is set to 0 degrees, and AP2 and AP3 are set to 90 degrees, so the three Cisco 1000 Series lightweight access points provide maximum coverage for the right wing of the building.
Note: These two displays are popularly known as “heat maps”, because they show the relative intensity of the RF signals on the Coverage Area map.
Note: Ensure you have the correct Cisco 1000 Series lightweight access point in each location on the map with the correct antenna angle. This will become critical later on when you are Finding Coverage Holes and Detecting and Locating Rogue Access Points.
• For 802.11b/g: A colored overlay appears on the map displaying the coverage patterns for the 802.11b/g Cisco Radios. The Received Signal Strength Indicator (RSSI) Color Lookup appears at the top of the map, indicating the meaning of the colors. The colors show the signal strength from RED (-35 dBm) through DARK BLUE (-85 dBm). Next to each Cisco 1000 Series lightweight access point is a percentage of failure.
When you select this option, the power level number being used by the Cisco Radio is displayed on the panel next to each Cisco 1000 Series lightweight access point. The Cisco 1000 Series lightweight access point transmit power levels (1, highest, through 5, lowest) are as follows:
• 1 = Maximum power allowed per Country Code setting
• 2 = 50% power
• 3 = 25% power
• 4 = 6.25 to 12.5% power
• 5 = 0.195 to 6.
Monitoring Clients From a Floor Map

To access this page, use MONITOR/Maps, click an item in the Name column, double-click the floor map, select Users from the Display pulldown menu, and click n clients. This page displays client parameters.

Table - Clients
Parameter | Description
Checkbox | Click to select, so that a command can be applied.
User Name | Name of the user. Refer to Monitor Client in the Cisco WCS User Interface Online Help.
Troubleshooting with Cisco WCS
• Checking the Cisco SWAN Network Summary
• Viewing Current Cisco Wireless LAN Controller Status and Configurations
• Viewing Cisco WCS Statistics Reports
• Detecting and Locating Rogue Access Points
• Acknowledging Rogue APs
• Locating Clients
• Finding Coverage Holes
In the Rogue AP Alarms page, you can see the severity of the alarms, the Rogue AP MAC addresses, the Rogue AP types, the owners (Cisco WCS operators), the date and time when the rogue APs were first detected, the channel numbers they are broadcasting on, and their SSIDs.
The Alarms > Rogue AP page shows detailed information about the rogue AP alarm, and allows you to modify the Rogue AP alarm with the following commands:
- Assign to me.
- Unassign.
- Delete.
- Show the Event History.
- Display the Detecting APs (with Radio Band, Location, SSID, Channel Number, WEP state, short or long preamble, RSSI and SNR).
• In the Alarms > Rogue AP page, select Map to have Cisco WCS display the current calculated rogue AP location on the Maps > > page.
Note that Cisco WCS Location (AIR-WCS-WL-1.0-K9 and AIR-WCS-LL-1.0-K9) compares RSSI signal strength from two or more Cisco 1000 Series lightweight access points to find the most probable location of the rogue AP, and places a small “skull-and-crossbones” indicator at its most likely location. Note that Cisco WCS Base (AIR-WCS-LB-1.0-K9 and AIR-WCS-LL-1.
- In the pulldown menu, select Present Map (high/low resolution) to dissociate and then locate the client after reassociation. If you make this choice, Cisco WCS displays a warning message and asks you to confirm that you want to continue. Note that Cisco WCS Location (AIR-WCS-WL-1.0-K9 and AIR-WCS-LL-1.
When Cisco WCS displays the Top 5 Coverage Holes, click the Coverage indicator on the bottom left of the Cisco WCS User Interface page (or click MONITOR/Alarms and then search for Alarm Category Coverage) to have Cisco WCS display the Coverage Hole Alarms page. On the Coverage Hole Alarms page, click MONITOR/Maps and then search for Access Points by Cisco 1000 Series lightweight access point Name (this search tool is case-sensitive).
Figure - Typical Network Summary Page

Updating OS Software from Cisco WCS

When you plan to update the Cisco Wireless LAN Controller (and Cisco 1000 Series lightweight access point) Operating System software from Cisco WCS, complete the following.
• When you are using the built-in Cisco WCS TFTP server, in the Download Software to Switch page, be sure that the TFTP Server on Cisco WCS System checkbox is selected.
-- OR --
When you are using an external TFTP server, in the Download Software to Switch page, be sure that TFTP Server on Cisco WCS System is deselected. Then add the external TFTP server IP address.
• In the Download Software to Switch page, click the Browse button and navigate to the OS code update file named AS_2000_.
• Updating Windows Cisco WCS
• Updating Linux Cisco WCS
• Reinitializing the Windows Cisco WCS Database
• Reinitializing the Linux Cisco WCS Database
• Administering Cisco WCS Users and Passwords

Installing Cisco WCS

Refer to the Windows Cisco WCS Quick Start Guide or Linux Cisco WCS Quick Start Guide for instructions on how to install Cisco WCS on a Cisco WCS Server.
• When the Backup Status window opens and displays the “Backup Succeeded. You may restart the Cisco WCS Server now.” message, click OK.
• Uninstall the Cisco Wireless Control System application using the Control Panel/Add or Remove Programs application.
• When the JExpress Uninstaller window displays the “Program uninstalled” message, click Finished to close the JExpress Uninstaller window.
• If any part of the C:\Program Files\WCS22 folder remains on the hard drive, manually delete the folder and all conten
Updating Linux Cisco WCS

Do the following:
• If possible, stop all Cisco WCS User Interfaces (Stopping a Cisco WCS User Interface) to stabilize the database.

Create a Backup Directory
• If not already done, log in as root.
• Using the Linux command line interface, navigate to the default /usr/local/ directory (or any other directory).
• Create a backup directory for the Cisco WCS database with no spaces in the name; for instance, mkdir WCS22BAK.
• In the Installer/About to Install window, click Next.
• In the Installer window, select the default /usr/local/bin/WCS22 (or any other) directory. Click Install.
Note: If you receive the “/usr/local/bin/WCS22 exists. Use it anyway?” message, click No, navigate to the /usr/local/bin/WCS22 directory and delete any remaining subdirectories and files (rm -Rf webnms, for example), and continue with the installation. The install script copies the Cisco WCS files to the selected directory and verifies them.
Reinitializing the Windows Cisco WCS Database

You only have to reinitialize the Windows Cisco WCS database when the Cisco WCS database becomes corrupted.
CAUTION: If you reinitialize the Cisco WCS database after you have been working in the Cisco WCS application, you will delete all your saved Cisco WCS data!
• Navigate to the \WCS22 directory.
• Navigate to the \bin subdirectory.
• In the \bin subdirectory, double-click the reinitDatabase.bat file.
• To monitor and configure Cisco WCS operations, and perform all system administration tasks including administering Cisco WCS users and passwords, users must be part of the SuperUsers Group. This section describes how to add user accounts and assign them to a User Group, change passwords, and delete user accounts using the Cisco WCS Administration function.
• Close the Cisco Wireless Control System Release 2.2 page. The User Account has been changed and can be used immediately.

Deleting User Accounts
• If not already done, start Cisco WCS as described in the Starting Cisco WCS as a Windows Application or Starting Cisco WCS as a Windows Service.
• If not already done, log into Cisco WCS Administration as a user assigned to the SuperUsers Group as described in Adding User Accounts.
Using the Web User Interface

The Web User Interface is described in the Web User Interface section. Note that you can use either the Service-Port Interface (recommended) or the Management Interface, whose IP Address(es) were set using the Startup Wizard or the Configuring System Parameters section.
When you see the Security Alert, click Yes. Once you have logged into the Web User Interface, use the context-sensitive (F1) online help (included in the Operating System Software section) to configure and monitor the Cisco Wireless LAN Controller.
CAUTION: Each certificate has a variable-length embedded RSA Key. The RSA key can be from 512 bits, which is relatively insecure, through thousands of bits, which is very secure. When you are obtaining a new certificate from a Certificate Authority (such as the Microsoft CA), BE SURE the RSA key embedded in the certificate is AT LEAST 768 Bits.
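One way to confirm the key size before installing a certificate, as an added example that is not part of the Cisco guide: export the certificate's public key (for instance with `openssl x509 -in cert.pem -noout -pubkey`) and measure the RSA modulus. The function names, the `sample_spki` helper and its placeholder modulus are assumptions made for this example; the 768-bit default is the minimum stated in the caution above.

```python
"""Measure the RSA modulus in a SubjectPublicKeyInfo (standard library only)."""
import base64

MIN_RSA_BITS = 768  # minimum from the caution above; raise it to match local policy
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the input")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, want):
    """Read one element and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, found 0x{tag:02x}")
    return value, nxt


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    spki, _ = expect(spki_der, 0, 0x30)       # SubjectPublicKeyInfo SEQUENCE
    algorithm, pos = expect(spki, 0, 0x30)    # AlgorithmIdentifier SEQUENCE
    oid, _ = expect(algorithm, 0, 0x06)
    if oid != RSA_OID:
        raise ValueError("public key is not RSA")
    bit_string, _ = expect(spki, pos, 0x03)   # BIT STRING wrapping RSAPublicKey
    if not bit_string or bit_string[0] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    rsa_key, _ = expect(bit_string[1:], 0, 0x30)
    modulus, _ = expect(rsa_key, 0, 0x02)     # first INTEGER is the modulus n
    # DER prepends 0x00 when the top bit is set, so len(modulus) * 8 would
    # report 776 for a 768-bit key; count the bits of the integer instead.
    return int.from_bytes(modulus, "big").bit_length()


def pem_to_der(pem_text):
    """Decode a '-----BEGIN PUBLIC KEY-----' block to DER bytes."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----" \
            or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("not a PEM public key")
    return base64.b64decode("".join(lines[1:-1]))


def check_key(spki_der, minimum=MIN_RSA_BITS):
    """Return (modulus_bits, acceptable) for the given minimum size."""
    bits = rsa_modulus_bits(spki_der)
    return bits, bits >= minimum


# --- constructed sample input (placeholder modulus, not a usable key) ---
def der(tag, value):
    """Encode one DER element with a short- or long-form length."""
    size = len(value)
    if size < 0x80:
        return bytes([tag, size]) + value
    size_bytes = size.to_bytes((size.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size_bytes)]) + size_bytes + value


def der_int(number):
    """Encode a non-negative INTEGER, keeping room for the sign bit."""
    return der(0x02, number.to_bytes(number.bit_length() // 8 + 1, "big"))


def sample_spki(bits):
    """Build a SubjectPublicKeyInfo whose modulus has exactly `bits` bits."""
    modulus = (1 << (bits - 1)) | 1
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))
    algorithm = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_key))


if __name__ == "__main__":
    for size in (512, 768, 2048):
        bits, ok = check_key(sample_spki(size))
        print(f"{bits}-bit RSA key: {'acceptable' if ok else 'REJECT'}")
```

Pass a stricter `minimum` to `check_key` where local policy requires larger keys than the guide's stated floor.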
Troubleshooting Tips

You can use the following sections to troubleshoot your Cisco SWAN:
• Using Error Messages
• Using Reason and Status Codes in the Trap Log
• Using Cisco 1000 Series Lightweight Access Point LEDs

Using Error Messages

The Operating System may display any of the error messages described below.
Table - Error Messages and Descriptions (Continued)
Error Message | Description
LRADIF_DOWN | Cisco Radio may have a problem or is administratively disabled.
LRADIF_LOAD_PROFILE_FAILED | Client density may have exceeded system capacity.
LRADIF_NOISE_PROFILE_FAILED | The non-802.11 noise has exceeded the configured threshold.
LRADIF_INTERFERENCE_PROFILE_FAILED | 802.11 interference has exceeded threshold on channel -- check channel assignments.
Table - Error Messages and Descriptions (Continued)
Error Message | Description
AUTHENTICATION_FAILURE | Attempted security breach - please investigate.
STP_NEWROOT | Informational message.
STP_TOPOLOGY_CHANGE | Informational message.
IPSEC_ESP_AUTH_FAILURE | Check WLAN IPSec configuration.
IPSEC_ESP_REPLAY_FAILURE | Check for attempt to spoof IP Address.
IPSEC_ESP_POLICY_FAILURE | Check for IPSec configuration mismatch between WLAN and client.
IPSEC_ESP_INVALID_SPI | Informational message.
Table - Error Messages and Descriptions (Continued)
Error Message | Description
CONFIG_SAVED | Running configuration has been saved to flash - will be active after reboot.
MULTIPLE_USERS | Another user with the same username has logged in.
FAN_FAILURE | Monitor Cisco Wireless LAN Controller temperature to avoid overheating.
POWER_SUPPLY_CHANGE | Check for power-supply malfunction.
COLD_START | Cisco Wireless LAN Controller may have been rebooted.
Table - Client Reason Code Descriptions and Meanings (Continued)
Client Reason Code | Description | Meaning
8 | disassociationStaHasLeft | Operating System moved the client to another Cisco 1000 Series lightweight access point using non-aggressive load balancing
9 | staReqAssociationWithoutAuth | client not authorized yet, still attempting to associate with a Cisco 1000 Series lightweight access point
99 | missingReasonCode | client momentarily in an unknown state

Client Status Codes

The
Table - Cisco 1000 Series Lightweight Access Point LED Conditions and Status (Continued) LED Conditions Status Power Alarm 2.4 GHz 5 GHz Green ON off Yellow ON on or off Green ON off on or off Amber ON off Red ON off off off Cisco 1000 Series lightweight access point starting up. Stops after Cisco Wireless LAN Controller and DHCP server found. Cisco Wireless LAN Controller found, code upgrade in process. All LEDs blink simultaneously Red FLASHING 802.11a Activity.
REFERENCES

The following references are available:
• Glossary
• Cisco SWAN Supported Country Codes
• Web User Interface Online Help
• Cisco WCS User Interface Online Help
• Cisco SWAN CLI Reference
• Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point Deployment Guide
• Internal-Antenna AP1010 Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point Quick Start Guide
• External-Antenna AP1020 and AP1030 Cisco 1000 Series IEEE 802.
Glossary

10BASE-T: An IEEE standard (802.3) for operating 10 Mbps Ethernet networks (LANs) with twisted pair cabling and wiring hubs.
100BASE-T: An IEEE standard (802.3) for operating 100 Mbps Ethernet networks (LANs) with twisted pair cabling and wiring hubs.
1000BASE-SX: An IEEE standard (802.3) for operating 1000 Mbps Ethernet networks (LANs) with fiber-optic cables and wiring hubs. Also known as Gigabit Ethernet (GigE).
802.11i: A developing IEEE wireless LAN security standard. A subset of the 802.11i standard, WPA, is being deployed at this time.
802.1X: An IEEE authentication framework for 802.11 networks. Allows multiple authentication algorithms, including EAP and RADIUS.
Access Point: A wireless LAN transceiver or “base station” that can connect a wired LAN to one or many wireless devices. Some access points can also bridge to each other.
ACL: Access Control List.
Applet: An application or utility program that is designed to do a very specific and limited task.
Application Software: A computer program that is designed to do a general task. For example, word processing, payroll, Internet browsers and graphic design programs would all be considered applications.
Association: The process used by a client to connect to an access point.
Bridge: A product that connects a local area network (LAN) to another local area network that uses the same protocol (for example, wireless, Ethernet or token ring). Wireless bridges are commonly used to link buildings in campuses.
Broadband: A comparatively fast Internet connection. Services such as ISDN, cable modem, DSL and satellite are all considered broadband as compared to dial-up Internet access.
Crossover Cable: A special cable used for networking two computers without the use of a hub. Crossover cables may also be required for connecting a cable or DSL modem to a wireless gateway or access point. Instead of the signals transferring in parallel paths from one plug to another, the signals cross over. For instance, in an eight-wire crossover cable, the signal starts on pin one at one end of the cable and ends up on pin eight at the other end.
Disable: Obsolete reference to the Exclusion List.
Diversity Antenna: A type of antenna system that uses two antennas to maximize reception and transmission quality and reduce interference.
DMZ: Demilitarized Zone. A network layer added between the outside network (least secure) and internal network (most secure) in order to add an extra level of security protection. Many companies choose to locate Wireless Controllers, mail servers, Web servers, and remote access servers in the DMZ.
Encryption Key: An alphanumeric (letters and/or numbers) series that enables data to be encrypted and then decrypted so it can be safely shared among members of a network. WEP uses an encryption key that automatically encrypts outgoing wireless data. On the receiving side, the same encryption key enables the computer to automatically decrypt the information so it can be read.
Enterprise: A term that is often applied to large corporations and businesses.
GARP: General Attribute Registration Protocol.
Gateway: In the wireless world, a gateway is an access point with additional software capabilities such as providing NAT and DHCP. Gateways may also provide VPN support, roaming, firewalls, various levels of security, etc.
GigE: A Gigabit Ethernet IEEE standard (802.3) for operating 1000 Mbps Ethernet networks (LANs) with fiber-optic cables and wiring hubs. See also 1000BASE-SX.
GUI: Graphical User Interface.
IEEE 802.11: A set of specifications for LANs from The Institute of Electrical and Electronics Engineers (IEEE). Most wired networks conform to 802.3, the specification for CSMA/CD based Ethernet networks or 802.5, the specification for token ring networks. 802.11 defines the standard for wireless LANs encompassing three incompatible (non-interoperable) technologies: Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS) and Infrared. See also 802.11, 802.11a, 802.11b, 802.
Higher-level protocols, such as SPX and NCP, are used for additional error recovery services. Sequenced Packet Exchange, SPX, a transport layer protocol (layer 4 of the OSI Model) used in Novell Netware networks. The SPX layer sits on top of the IPX layer (layer 3) and provides connection-oriented services between two nodes on the network. SPX is used primarily by client/server applications. Whereas the IPX protocol is similar to IP, SPX is similar to TCP.
LEAP: Cisco Wireless EAP. EAP used by Cisco equipment to secure wireless networks with WEP-based devices.
LWAPP: The pending IETF (Internet Engineering Task Force) Lightweight Access Point Protocol standard defining communications between Wireless LAN Controllers and “Light” access points.
MAC: Medium Access Control. This is the function of a network controller that determines who gets to transmit when. Each network adapter must be uniquely identified. Every wireless 802.
OFDM: Orthogonal Frequency Division Multiplexing. A multi-carrier modulation technique used for 802.11a and 802.11g transmissions.
PC Card: A removable, credit-card-sized memory or I/O device that fits into a Type 2 PCMCIA standard slot. PC Cards are used primarily in PCs, portable computers, PDAs and laptops. PC Card peripherals include Wi-Fi cards, memory cards, modems, NICs, hard drives, etc.
PCI: A high-performance I/O computer bus used internally on most computers. Other bus types include ISA and AGP.
PPP: Point-to-Point Protocol.
Proxy Server: Used in larger companies and organizations to improve network operations and security, a proxy server is able to prevent direct communication between two or more networks. The proxy server forwards allowable data requests to remote servers and/or responds to data requests directly from stored remote server data.
QoS: Quality of Service. A term that guarantees a specific throughput level.
RTOS: Real-time operating system. An operating system that features a guaranteed performance per time unit.
Rx: Receive.
Satellite Broadband: A wireless high-speed Internet connection provided by satellites. Some satellite broadband connections are two-way, up and down. Others are one-way, with the satellite providing a high-speed downlink and then using a dial-up telephone connection or other land-based system for the uplink to the Internet.
Static Key: An encryption key that has been entered into both access point and client, used for encrypting data communications. Static WEP keys can be cracked, but AES keys are currently safe for wireless transmissions.
Subnetwork or Subnet: Found in larger networks, these smaller networks are used to simplify addressing between numerous computers. Subnets connect to the central network through a router, hub or gateway.
USB: A high-speed bidirectional serial connection between a PC and a peripheral that transmits data at the rate of 12 megabits per second. The new USB 2.0 specification provides a data rate of up to 480 Mbps, compared to standard USB at only 12 Mbps. 1394, FireWire and iLink all provide a bandwidth of up to 400 Mbps.
VLAN: Virtual LAN. A networking mechanism that makes clients appear as if they are connected to the same network, even if they are physically located on different LAN segments.
• 108-bit, also called 128-bit encryption.
• 128-bit, also called 152-bit encryption.
Wi-Fi Alliance: An organization of wireless equipment and software providers, formerly known as the Wireless Ethernet Compatibility Alliance (WECA), organized to certify 802.11-based products for interoperability and to promote Wi-Fi as the universal brand name for 802.11-based wireless LAN products. While all 802.
Cisco SWAN Supported Country Codes

The Cisco SWAN has been approved or is being approved to operate in the following countries, and fully conforms with current country requirements. Note that some of these entries may change over time; consult www.cisco.com/go/aironet/compliance for current approvals and Regulatory Domain information.

AT/ Austria AU/ Australia BE/ Belgium BR/ Brazil CA/ Canada -E 36, 40, 44, 48 60 mW EIRP In 5.15-5.
CY/ Cyprus CZ/ Czech Republic -E 36, 40, 44, 48 52, 56, 60, 64 200 mW EIRP 200 mW EIRP In In 5.15-5.25 5.25-5.35 b/g 1 - 11 100 mW EIRP Both 2.4-2.4835 a 36, 40, 44, 48 52, 56, 60, 64 149, 153, 157, 161 50 mW+6 dBi=200 mW 250 mW+6 dBi=1 W 1 W+6 dBi=4 W In Both Both 5.15-5.25 5.25-5.35 5.725-5.85 b/g 1 - 11 1 W+Restricted Antennas Both 2.4-2.4835 a 36, 40, 44, 48 52, 56, 60, 64 149, 153, 157, 161 200 mW EIRP 200 mW EIRP 1 W EIRP In In Both 5.15-5.25 5.25-5.35 5.725-5.
GB/ United Kingdom GR/ Greece HK/ Hong Kong -E Regulatory Authority 36, 40, 44, 48 52, 56, 60, 64 104, 108, 112, 116, 120, 124, 128, 132, 140 200 mW EIRP 200 mW EIRP 1 W EIRP In In Both 5.15-5.25 5.25-5.35 5.47-5.725 b/g 1 - 11 100 mW EIRP In 2.412-2.472 a 36, 40, 44, 48 52, 56, 60, 64 104, 108, 112, 116, 120, 124, 128, 132, 140 200 mW EIRP 200 mW EIRP 1 W EIRP In In Both 5.15-5.25 5.25-5.35 5.47-5.725 b/g 1 - 11 100 mW EIRP Both 2.4-2.
IE/ Ireland IL/ Israel In 5.15-5.25 5.25-5.35 b/g 1 - 11 1 W EIRP Both 2.4-2.4835 a 36, 40, 44, 48 52, 56, 60, 64 200 mW EIRP 200 mW EIRP 1 W EIRP In In Both 5.15-5.25 5.25-5.35 5.47-5.725 b/g 1 - 11 100 mW EIRP Both 2.4-2.4835 a 36, 40, 44, 48 52, 56, 60, 64 200 mW EIRP 200 mW EIRP In In 5.15-5.25 5.25-5.35 b/g 1 - 13 100 mW EIRP Both 2.4-2.4835 a 36, 40, 44, 48 52, 56, 60, 64 200 mW EIRP 200 mW EIRP In In 5.15-5.25 5.25-5.35 b/g 5 - 13 100 mW EIRP Both 2.4-2.
-J KR/ Republic of Korea LT/ Lithuania LU/ Luxembourg LV/ Latvia MY/ Malaysia NL/ Netherlands -C Regulatory Authority Frequency Range (GHz) a 1-3 1-4 100 mW EIRP 100 mW EIRP Both In 5.03-5.09 5.15-5.25 b 1-14 10 mW/MHz~200mW EIRP Both 2.4-2.497 g 1-13 10 mW/MHz~200mW EIRP Both 2.4-2.497 a 149, 153, 157, 161 150 mW+6 dBi~600 mW Both 5.725-5.825 b/g 1-13 150 mW+6 dBi~600 mW Both 2.4-2.
PH/ Philippines 36, 40, 44, 48 52, 56, 60, 64 104, 108, 112, 116, 120, 124, 128, 132, 140 200 mW EIRP 200 mW EIRP 1 W EIRP In In Both 5.15-5.25 5.25-5.35 5.47-5.725 b/g 1 - 11 100 mW EIRP Both 2.4-2.4835 a 36, 40, 44, 48 52, 56, 60, 64 149, 153, 157, 161 50 mW+6 dBi=200 mW 250 mW+6 dBi=1 W 1 W+6 dBi=4 W In Both Both 5.15-5.25 5.25-5.35 5.725-5.85 b/g 1 - 11 1 W+Restricted Antennas Both 2.4-2.4835 a (tbd) (tbd) (tbd) 5.725-5.875 b (tbd) 100 mW EIRP (tbd) 2.4-2.
SI/ Slovenia SK/ Slovak Republic TH/ Thailand TW/ Taiwan US/ United States of America USE/ United States of America USL/ United States of America LOW 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161 200 mW EIRP 200 mW EIRP 1 W EIRP Both Both Both 5.15-5.25 5.25-5.35 5.725-5.85 b/g 1 - 13 200 mW EIRP Both 2.4-2.4835 a 36, 40, 44, 48 52, 56, 60, 64 149, 153, 157, 161 50 mW+6 dBi=200 mW 250 mW+6 dBi=1 W 1 W+6 dBi=4 W In Both Both 5.15-5.25 5.25-5.35 5.725-5.
ZA/ South Africa (TBD) a 36, 40, 44, 48 52, 56, 60, 64 50 mW+6 dBi=200 mW 250 mW+6 dBi=1 W In Both 5.15-5.25 5.25-5.35 b/g 1 - 11 1 W Conducted Output Both 2.4-2.4835 a N/A N/A N/A 5.25-5.35 5.725-5.825 b/g 1-13 1 W EIRP Both 2.4-2.4835 (TBD) Regulatory Authority Frequency Range (GHz) Indoor/ Outdoor Use 802.