configuring the access point for the first timeconfiguring the access point for the first time

7/29/2019 Configuring the Access Point for the First TimeConfiguring the Access Point for the First Time

1/373

Corporate Headquarters

Cisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAhttp://www.cisco.comTel: 408 526-4000

800 553-NETS (6387)Fax: 408 526-4100

Cisco IOS Software Configuration Guide

for Cisco Aironet Access Points

Cisco IOS Release 12.2(13)JA

October 2003

Text Part Number: OL-4526-01
http://www.cisco.com/http://www.cisco.com/


2/373

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL

STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT

WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT

SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSEOR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of Calif ornia, Berkeley (UCB) as part of UCBs public

domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH

ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF

DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,

WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

Copyright 2003 Cisco Systems, Inc.

All rights reserved.

CCIP, CCSP, the Cisco Arrow logo, the Cisco PoweredNetwork mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.;

Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA,

CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo,Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net

Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar,Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar,

ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered

trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship

between Cisco and any other company. (0304R)


3/373

iii


OL-4526-01

C O N T E N T S

Preface xv

Audience xv

Purpose xv

Organization xv

Conventions xvii

Related Publications xix

Obtaining Documentation xix

Cisco.com xix

Documentation CD-ROM xxOrdering Documentation xx

Documentation Feedback xx

Obtaining Technical Assistance xx

Cisco TAC Website xxi

Opening a TAC Case xxi

TAC Case Priority Definitions xxi

Obtaining Additional Publications and Information xxii

CHAPTER 1 Overview 1-1Features 1-2

Management Options 1-3

Roaming Client Devices 1-4

Network Configuration Examples 1-4

Root Unit on a Wired LAN 1-4

Repeater Unit that Extends Wireless Range 1-6

Central Unit in an All-Wireless Network 1-7

CHAPTER 2 Configuring the Access Point for the First Time 2-1Before You Start 2-2

Resetting the Access Point to Default Settings 2-2

Obtaining and Assigning an IP Address 2-3

Connecting to the 350 Series Access Point Locally 2-3


http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-http://-/?-


4/373

Contents

iv


OL-4526-01

Assigning Basic Settings 2-6

Default Settings on the Express Setup Page 2-10

Protecting Your Wireless LAN 2-10

Using the IP Setup Utility 2-11

Obtaining and Installing IPSU 2-11

Using IPSU to Find the Access Points IP Address 2-11

Using IPSU to Set the Access Points IP Address and SSID 2-12

Assigning an IP Address Using the CLI 2-14

Using a Telnet Session to Access the CLI 2-14

CHAPTER3 Using the Web-Browser Interface 3-1

Using the Web-Browser Interface for the First Time 3-2

Using the Management Pages in the Web-Browser Interface 3-2

Using Action Buttons 3-4

Character Restrictions in Entry Fields 3-5

Using Online Help 3-5

CHAPTER4 Using the Command-Line Interface 4-1

Cisco IOS Command Modes 4-2

Getting Help 4-3

Abbreviating Commands 4-3

Using no and default Forms of Commands 4-3Understanding CLI Messages 4-4

Using Command History 4-4

Changing the Command History Buffer Size 4-4

Recalling Commands 4-5

Disabling the Command History Feature 4-5

Using Editing Features 4-5

Enabling and Disabling Editing Features 4-6

Editing Commands Through Keystrokes 4-6

Editing Command Lines that Wrap 4-7

Searching and Filtering Output of show and more Commands 4-8

Accessing the CLI 4-8

Opening the CLI with Telnet 4-8

Opening the CLI with Secure Shell 4-9


5/373

Contents

v


OL-4526-01

CHAPTER 5 Administering the Access Point 5-1

Preventing Unauthorized Access to Your Access Point 5-2

Protecting Access to Privileged EXEC Commands 5-2

Default Password and Privilege Level Configuration 5-2Setting or Changing a Static Enable Password 5-3

Protecting Enable and Enable Secret Passwords with Encryption 5-4

Configuring Username and Password Pairs 5-5

Configuring Multiple Privilege Levels 5-6

Setting the Privilege Level for a Command 5-6

Logging Into and Exiting a Privilege Level 5-7

Controlling Access Point Access with RADIUS 5-7

Default RADIUS Configuration 5-8

Configuring RADIUS Login Authentication 5-8

Defining AAA Server Groups 5-9

Configuring RADIUS Authorization for User Privileged Access and Network Services 5-11

Displaying the RADIUS Configuration 5-12

Controlling Access Point Access with TACACS+ 5-12

Default TACACS+ Configuration 5-13

Configuring TACACS+ Login Authentication 5-13

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 5-14

Displaying the TACACS+ Configuration 5-15

Configuring the Access Point for Wireless Network Management 5-15

Configuring the Access Point for Local Authentication and Authorization 5-16

Configuring the Access Point to Provide DHCP Service 5-17

Setting up the DHCP Server 5-17

Monitoring and Maintaining the DHCP Server Access Point 5-18

Show Commands 5-18

Clear Commands 5-19

Debug Command 5-19

Configuring the Access Point for Secure Shell 5-19

Understanding SSH 5-19

Configuring SSH 5-20Configuring Client ARP Caching 5-20

Understanding Client ARP Caching 5-20

Optional ARP Caching 5-20

Configuring ARP Caching 5-21

Managing the System Time and Date 5-21

Understanding the System Clock 5-21


6/373

Contents

vi


OL-4526-01

Understanding Network Time Protocol 5-22

Configuring NTP 5-23

Default NTP Configuration 5-24

Configuring NTP Authentication 5-24

Configuring NTP Associations 5-26

Configuring NTP Broadcast Service 5-27

Configuring NTP Access Restrictions 5-28

Configuring the Source IP Address for NTP Packets 5-30

Displaying the NTP Configuration 5-31

Configuring Time and Date Manually 5-31

Setting the System Clock 5-32

Displaying the Time and Date Configuration 5-32

Configuring the Time Zone 5-33

Configuring Summer Time (Daylight Saving Time) 5-34Configuring a System Name and Prompt 5-36

Default System Name and Prompt Configuration 5-36

Configuring a System Name 5-36

Understanding DNS 5-37

Default DNS Configuration 5-37

Setting Up DNS 5-37

Displaying the DNS Configuration 5-38

Creating a Banner 5-38

Default Banner Configuration 5-39

Configuring a Message-of-the-Day Login Banner 5-39

Configuring a Login Banner 5-40

CHAPTER6 Configuring Radio Settings 6-1

Disabling and Enabling the Radio Interface 6-2

Configuring the Role in Radio Network 6-2

Configuring Radio Data Rates 6-4

Configuring Radio Transmit Power 6-6

Limiting the Power Level for Associated Client Devices 6-7

Configuring Radio Channel Settings 6-8

Enabling and Disabling World-Mode 6-10

Disabling and Enabling Short Radio Preambles 6-10

Configuring Transmit and Receive Antennas 6-11

Disabling and Enabling Aironet Extensions 6-12

Configuring the Ethernet Encapsulation Transformation Method 6-13


7/373

Contents

vii


OL-4526-01

Enabling and Disabling Reliable Multicast to Workgroup Bridges 6-13

Enabling and Disabling Public Secure Packet Forwarding 6-14

Configuring Protected Ports 6-15

Configuring the Beacon Period and the DTIM 6-16

Configure RTS Threshold and Retries 6-16

Configuring the Maximum Data Retries 6-17

Configuring the Fragmentation Threshold 6-17

Enabling Short Slot Time for 802.11g Radios 6-18

Performing a Carrier Busy Test 6-18

CHAPTER 7 Configuring Multiple SSIDs 7-1

Understanding Multiple SSIDs 7-2

Configuring Multiple SSIDs 7-2Default SSID Configuration 7-3

Creating an SSID 7-3

Using Spaces in SSIDs 7-4

Using a RADIUS Server to Restrict SSIDs 7-5

CHAPTER 8 Configuring an Access Point as aLocal Authenticator 8-1

Understanding Local Authentication 8-2

Configuring a Local Authenticator 8-2

Guidelines for Local Authenticators 8-3

Configuration Overview 8-3

Configuring the Local Authenticator Access Point 8-3

Configuring Other Access Points to Use the Local Authenticator 8-6

Unblocking Locked Usernames 8-7

Viewing Local Authenticator Statistics 8-7

Using Debug Messages 8-7

CHAPTER 9 Configuring Cipher Suites and WEP 9-1

Understanding Cipher Suites and WEP 9-2

Configuring Cipher Suites and WEP 9-3

Creating WEP Keys 9-3

WEP Key Restrictions 9-4

Example WEP Key Setup 9-5


8/373

Contents

viii


OL-4526-01

Enabling Cipher Suites and WEP 9-6

Matching Cipher Suites with WPA and CCKM 9-7

Enabling and Disabling Broadcast Key Rotation 9-7

CHAPTER10 Configuring Authentication Types 10-1

Understanding Authentication Types 10-2

Open Authentication to the Access Point 10-2

Shared Key Authentication to the Access Point 10-3

EAP Authentication to the Network 10-3

MAC Address Authentication to the Network 10-5

Combining MAC-Based, EAP, and Open Authentication 10-5

Using CCKM for Authenticated Clients 10-6

Using WPA Key Management 10-6

Software and Firmware Requirements for WPA, CCKM, CKIP, and WPA-TKIP 10-8

Configuring Authentication Types 10-9

Default Authentication Settings 10-9

Assigning Authentication Types to an SSID 10-9

Configuring WPA Migration Mode 10-13

Configuring Additional WPA Settings 10-14

Configuring Authentication Holdoffs, Timeouts, and Intervals 10-15

Matching Access Point and Client Device Authentication Types 10-16

CHAPTER11 Configuring Fast Reassociation 11-1Understanding Fast Reassociation 11-2

Configuring Fast Reassociation 11-4

Requirements for Fast Reassociation 11-4

Guidelines for Fast Reassociation 11-4

Configuration Overview 11-4

Configuring Access Points as Potential WDS Access Points 11-5

CLI Configuration Example 11-8

Configuring Access Points to use the WDS Access Point 11-9


Configuring the Authentication Server to Support Fast Reassociation 11-10

Viewing WDS Information 11-17

Using Debug Messages 11-18


9/373

Contents

ix


OL-4526-01

CHAPTER 12 Configuring RADIUS and TACACS+ Servers 12-1

Configuring and Enabling RADIUS 12-2

Understanding RADIUS 12-2

RADIUS Operation 12-3

Configuring RADIUS 12-4

Default RADIUS Configuration 12-4

Identifying the RADIUS Server Host 12-4

Configuring RADIUS Login Authentication 12-7

Defining AAA Server Groups 12-9

Configuring RADIUS Authorization for User Privileged Access and Network Services 12-11

Starting RADIUS Accounting 12-12

Selecting the CSID Format 12-13

Configuring Settings for All RADIUS Servers 12-13

Configuring the Access Point to Use Vendor-Specific RADIUS Attributes 12-14

Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication 12-15

Configuring WISPr RADIUS Attributes 12-16

Displaying the RADIUS Configuration 12-17

RADIUS Attributes Sent by the Access Point 12-18

Configuring and Enabling TACACS+ 12-20

Understanding TACACS+ 12-20

TACACS+ Operation 12-21

Configuring TACACS+ 12-22

Default TACACS+ Configuration 12-22

Identifying the TACACS+ Server Host and Setting the Authentication Key 12-23

Configuring TACACS+ Login Authentication 12-24

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 12-25

Starting TACACS+ Accounting 12-26

Displaying the TACACS+ Configuration 12-26

CHAPTER 13 Configuring VLANs 13-1

Understanding VLANs 13-2

Related Documents 13-3

Incorporating Wireless Devices into VLANs 13-4

Configuring VLANs 13-4

Configuring a VLAN 13-4

Using a RADIUS Server to Assign Users to VLANs 13-6

Viewing VLANs Configured on the Access Point 13-6

VLAN Configuration Example 13-7


10/373

Contents

x


OL-4526-01

CHAPTER14 Configuring QoS 14-1

Understanding QoS for Wireless LANs 14-2

QoS for Wireless LANs Versus QoS on Wired LANs 14-2

Impact of QoS on a Wireless LAN 14-2

Precedence of QoS Settings 14-3

Configuring QoS 14-4

Configuration Guidelines 14-4

Configuring QoS Using the Web-Browser Interface 14-4

Adjusting Radio Access Categories 14-8

Disabling IGMP Snooping Helper 14-10

Disabling AVVID Priority Mapping 14-10

QoS Configuration Examples 14-10

Giving Priority to Voice Traffic 14-10

Giving Priority to Video Traffic 14-12

CHAPTER15 Configuring Proxy Mobile IP 15-1

Understanding Proxy Mobile IP 15-2

Overview 15-2

Components of a Proxy Mobile IP Network 15-2

How Proxy Mobile IP Works 15-3

Agent Discovery 15-3

Subnet Map Exchange 15-4

Registration 15-5Tunneling 15-5

Proxy Mobile IP Security 15-6

Configuring Proxy Mobile IP 15-6

Configuration Guidelines 15-7

Configuring Proxy Mobile IP on Your Wired LAN 15-7

Configuring Proxy Mobile IP on Your Access Point 15-8

CHAPTER16 Configuring Filters 16-1

Understanding Filters 16-2Configuring Filters Using the CLI 16-2

Configuring Filters Using the Web-Browser Interface 16-2

Configuring and Enabling MAC Address Filters 16-3

Creating a MAC Address Filter 16-4

Using MAC Address ACLs to Block or Allow Client Association to the Access Point 16-6



11/373

Contents

xi


OL-4526-01

Configuring and Enabling IP Filters 16-8

Creating an IP Filter 16-9

Configuring and Enabling Ethertype Filters 16-11

Creating an Ethertype Filter 16-12

CHAPTER 17 Configuring CDP 17-1

Understanding CDP 17-2

Configuring CDP 17-2

Default CDP Configuration 17-2

Configuring the CDP Characteristics 17-2

Disabling and Enabling CDP 17-3

Disabling and Enabling CDP on an Interface 17-4

Monitoring and Maintaining CDP 17-4

CHAPTER 18 Configuring SNMP 18-1

Understanding SNMP 18-2

SNMP Versions 18-2

SNMP Manager Functions 18-3

SNMP Agent Functions 18-3

SNMP Community Strings 18-3

Using SNMP to Access MIB Variables 18-4

Configuring SNMP 18-4

Default SNMP Configuration 18-5

Enabling the SNMP Agent 18-5

Configuring Community Strings 18-5

Configuring Trap Managers and Enabling Traps 18-7

Setting the Agent Contact and Location Information 18-9

Using the snmp-server view Command 18-9

SNMP Examples 18-9

Displaying SNMP Status 18-10

CHAPTER

19 Configuring Repeater and Standby Access Points 19-1Understanding Repeater Access Points 19-2

Configuring a Repeater Access Point 19-3

Default Configuration 19-4

Guidelines for Repeaters 19-4

Setting Up a Repeater 19-4

Verifying Repeater Operation 19-5


12/373

Contents

xii


OL-4526-01

Setting Up a Repeater As a LEAP Client 19-6

Setting Up a Repeater As a WPA Client 19-7

Understanding Hot Standby 19-8

Configuring a Hot Standby Access Point 19-8

Verifying Standby Operation 19-10

CHAPTER20 Managing Firmware and Configurations 20-1

Working with the Flash File System 20-2

Displaying Available File Systems 20-2

Setting the Default File System 20-3

Displaying Information About Files on a File System 20-3

Changing Directories and Displaying the Working Directory 20-4

Creating and Removing Directories 20-4

Copying Files 20-5

Deleting Files 20-5

Creating, Displaying, and Extracting tar Files 20-6

Creating a tar File 20-6

Displaying the Contents of a tar File 20-6

Extracting a tar File 20-7

Displaying the Contents of a File 20-8

Working with Configuration Files 20-8

Guidelines for Creating and Using Configuration Files 20-9

Configuration File Types and Location 20-9Creating a Configuration File by Using a Text Editor 20-10

Copying Configuration Files by Using TFTP 20-10

Preparing to Download or Upload a Configuration File by Using TFTP 20-10

Downloading the Configuration File by Using TFTP 20-11

Uploading the Configuration File by Using TFTP 20-11

Copying Configuration Files by Using FTP 20-12

Preparing to Download or Upload a Configuration File by Using FTP 20-13

Downloading a Configuration File by Using FTP 20-13

Uploading a Configuration File by Using FTP 20-14

Copying Configuration Files by Using RCP 20-15

Preparing to Download or Upload a Configuration File by Using RCP 20-16

Downloading a Configuration File by Using RCP 20-16

Uploading a Configuration File by Using RCP 20-17

Clearing Configuration Information 20-18

Deleting a Stored Configuration File 20-18

Working with Software Images 20-18


13/373

Contents

xiii


OL-4526-01

Image Location on the Access Point 20-19

tar File Format of Images on a Server or Cisco.com 20-19

Copying Image Files by Using TFTP 20-20

Preparing to Download or Upload an Image File by Using TFTP 20-20

Downloading an Image File by Using TFTP 20-21

Uploading an Image File by Using TFTP 20-22

Copying Image Files by Using FTP 20-23

Preparing to Download or Upload an Image File by Using FTP 20-23

Downloading an Image File by Using FTP 20-24

Uploading an Image File by Using FTP 20-26

Copying Image Files by Using RCP 20-27

Preparing to Download or Upload an Image File by Using RCP 20-27

Downloading an Image File by Using RCP 20-29

Uploading an Image File by Using RCP 20-31Reloading the Image Using the Web Browser Interface 20-32

Browser HTTP Interface 20-32

Browser TFTP Interface 20-33

CHAPTER 21 Configuring System Message Logging 21-1

Understanding System Message Logging 21-2

Configuring System Message Logging 21-2

System Log Message Format 21-2

Default System Message Logging Configuration 21-3

Disabling and Enabling Message Logging 21-4

Setting the Message Display Destination Device 21-5

Enabling and Disabling Timestamps on Log Messages 21-6

Enabling and Disabling Sequence Numbers in Log Messages 21-6

Defining the Message Severity Level 21-7

Limiting Syslog Messages Sent to the History Table and to SNMP 21-8

Setting a Logging Rate Limit 21-9

Configuring UNIX Syslog Servers 21-10

Logging Messages to a UNIX Syslog Daemon 21-10

Configuring the UNIX System Logging Facility 21-10

Displaying the Logging Configuration 21-12


14/373

Contents

xiv


OL-4526-01

CHAPTER22 Troubleshooting 22-1

Checking the Top Panel Indicators 22-2

Checking Basic Settings 22-5

SSID 22-5WEP Keys 22-5

Security Settings 22-5

Resetting to the Default Configuration 22-5

Using the MODE Button 22-6

Using the Web Browser Interface 22-6

Reloading the Access Point Image 22-7

Using the MODE button 22-7

Web Browser Interface 22-8

Browser HTTP Interface 22-8

Browser TFTP Interface 22-8

Obtaining the Access Point Image File 22-9

Obtaining TFTP Server Software 22-9

Channels and Antenna Settings A-1

Channels A-2

IEEE 802.11b (2.4-GHz Band) A-2

IEEE 802.11g (2.4-GHz Band) A-3

IEEE 802.11a (5-GHz Band) A-4

Maximum Power Levels and Antenna Gains A-5IEEE 802.11b (2.4-GHz Band) A-5

IEEE 802.11g (2.4-GHz Band) A-6

IEEE 802.11a (5-GHz Band) A-7

Protocol Filters B-1

Supported MIBs C-1

MIB List C-1

Using FTP to Access the MIB Files C-2

Error and Event Messages D-1

GLOSSARY

INDEX
http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/


15/373

xv


OL-4526-01

Preface

AudienceThis guide is for the networking professional who installs and manages Cisco Aironet Access Points. To

use this guide, you should have experience working with the Cisco IOS software and be familiar with

the concepts and terminology of wireless local area networks.

PurposeThis guide provides the information you need to install and configure your access point. This guide

provides procedures for using the Cisco IOS software commands that have been created or changed for

use with the access point. It does not provide detailed information about these commands. For detailed

information about these commands, refer to the Cisco IOS Command Reference for Cisco Aironet Access

Points and Bridges for this release. For information about the standard Cisco IOS software commands,

refer to the Cisco IOS software documentation set available from the Cisco.com home page at Service

and Support > Technical Documents. On the Cisco Product Documentation home page, select Release

12.2 from the Cisco IOS Software drop-down list.This guide also includes an overview of the access point web-based interface (APWI), which contains

all the funtionality of the command-line interface (CLI). This guide does not provide field-level

descriptions of the APWI windows nor does it provide the procedures for configuring the access point

from from the APWI. For all APWI window descriptions and procedures, refer to the access point online

help, which is available from the Help buttons on the APWI pages.

OrganizationThis guide is organized into these chapters:

Chapter 1, Overview, lists the software and hardware features of the access point and describes theaccess points role in your network.

Chapter 2, Configuring the Access Point for the First Time,describes how to configure basic settings

on a new access point.

Chapter 3, Using the Web-Browser Interface, describes how to use the web-browser interface to

configure the access point.

Chapter 4, Using the Command-Line Interface, describes how to use the command-line interface

(CLI) to configure the access point.


16/373

xvi


OL-4526-01

Preface

Organization

Chapter 5, Administering the Access Point, describes how to perform one-time operations to

administer your access point, such as preventing unauthorized access to the access point, setting the

system date and time, and setting the system name and prompt.

Chapter 6, Configuring Radio Settings, describes how to configure settings for the access point radio

such as the role in the radio network, data rates, transmit power, channel settings, and others.

Chapter 7, Configuring Multiple SSIDs,describes how to configure and manage multiple service setidentifiers (SSIDs) on your access point. You can configure up to 16 SSIDs on your access point and

assign different configuration settings to each SSID.

Chapter 8, Configuring an Access Point as a Local Authenticator, describes how to configure the

access point to act as a local RADIUS server for your wireless LAN. If the WAN connection to your

main RADIUS server fails, the access point acts as a backup server to authenticate wireless devices.

Chapter 9, Configuring Cipher Suites and WEP,describes how to configure the cipher suites required

to use authenticated key management, Wired Equivalent Privacy (WEP), and WEP features including

MIC, CMIC, TKIP, CKIP, and broadcast key rotation.

Chapter 10, Configuring Authentication Types, describes how to configure authentication types on the

access point. Client devices use these authentication methods to join your network.

Chapter 11, Configuring Fast Reassociation,describes how to configure the access point to allow fastreassociation of roaming client devices. Using Cisco Centralized Key Management (CCKM) and an

access point configured as a subnet context manager, client devices can roam from one access point to

another without causing a delay in timing-sensitive applications, such as Voice over IP.

Chapter 12, Configuring RADIUS and TACACS+ Servers,describes how to enable and configure the

Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control

System Plus (TACACS+), which provide detailed accounting information and flexible administrative

control over authentication and authorization processes.

Chapter 13, Configuring VLANs, describes how to configure your access point to interoperate with

the VLANs set up on your wired LAN.

Chapter 14, Configuring QoS, describes how to configure quality of service (QoS) on your access

point. With this feature, you can provide preferential treatment to certain traffic at the expense of others.Chapter 15, Configuring Proxy Mobile IP, describes how to configure your access points proxy

mobile IP feature. When you enable proxy mobile IP on your access point and on your wired network,

the access point helps client devices from other networks remain connected to their home networks.

Chapter 16, Configuring Filters,describes how to configure and manage MAC address, IP, and

Ethertype filters on the access point using the web-browser interface.

Chapter 17, Configuring CDP,describes how to configure Cisco Discovery Protocol (CDP) on your

access point. CDP is a device-discovery protocol that runs on all Cisco network equipment.

Chapter 18, Configuring SNMP,describes how to configure the Simple Network Management

Protocol (SNMP) on your access point.

Chapter 19, Configuring Repeater and Standby Access Points,descibes how to configure your access

point as a hot standby unit or as a repeater unit.

Chapter 20, Managing Firmware and Configurations, describes how to manipulate the Flash file

system, how to copy configuration files, and how to archive (upload and download) software images.

Chapter 21, Configuring System Message Logging, describes how to configure system message

logging on your access point.

Chapter 22, Troubleshooting, provides troubleshooting procedures for basic problems with the access

point.
http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/http://0.0.0.0/


17/373

xvii


OL-4526-01

Preface

Conventions

Appendix A, Channels and Antenna Settings, lists the access point radio channels and the maximum

power levels supported by the worlds regulatory domains.

Appendix B, Protocol Filters, lists some of the protocols that you can filter on the access point.

Appendix C, Supported MIBs, lists the Simple Network Management Protocol (SNMP) Management

Information Bases (MIBs) that the access point supports for this software release.

Appendix D, Error and Event Messages, lists the CLI error and event messages and provides an

explanation and recommended action for each message.

ConventionsThis publication uses these conventions to convey instructions and information:

Command descriptions use these conventions:

Commands and keywords are in boldface text.

Arguments for which you supply values are in italic.

Square brackets ([ ]) mean optional elements.

Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.

Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional

element.

Interactive examples use these conventions:

Terminal sessions and system displays are in screen font.

Information you enter is in boldface screen font.

Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).

Notes, cautions, and timesavers use these conventions and symbols:

Tip Means the following will help you solve a problem. The tips information might not be troubleshooting

or even an action, but could be useful information.

Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in

this manual.

Caution Means reader be careful. In this situation, you might do something that could result equipment damage

or loss of data.


18/373

xviii


OL-4526-01

Preface

Conventions

Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before youwork on any equipment, be aware of the hazards involved with electrical circuitry and be familiarwith standard practices for preventing accidents. (To see translations of the warnings that appear

in this publication, refer to the appendix Translated Safety Warnings.)

Waarschuwing Dit waarschuwingssymbool betekent gevaar. U verkeert in een situatie die lichamelijk letsel kanveroorzaken. Voordat u aan enige apparatuur gaat werken, dient u zich bewust te zijn van de bijelektrische schakelingen betrokken risicos en dient u op de hoogte te zijn van standaardmaatregelen om ongelukken te voorkomen. (Voor vertalingen van de waarschuwingen die in dezepublicatie verschijnen, kunt u het aanhangsel Translated Safety Warnings (Vertalingen vanveiligheidsvoorschriften) raadplegen.)

Varoitus Tm varoitusmerkki merkitsee vaaraa. Olet tilanteessa, joka voi johtaa ruumiinvammaan. Ennenkuin tyskentelet minkn laitteiston parissa, ota selv shkkytkentihin liittyvist vaaroista jatavanomaisista onnettomuuksien ehkisykeinoista. (Tss julkaisussa esiintyvien varoitustenknnkset lydt liitteest "Translated Safety Warnings" (knnetyt turvallisuutta koskevat

varoitukset).)

Attention Ce symbole davertissement indique un danger. Vous vous trouvez dans une situation pouvantentraner des blessures. Avant daccder cet quipement, soyez conscient des dangers poss parles circuits lectriques et familiarisez-vous avec les procdures courantes de prvention desaccidents. Pour obtenir les traductions des mises en garde figurant dans cette publication, veuillezconsulter lannexe intitule Translated Safety Warnings (Traduction des avis de scurit).

Warnung Dieses Warnsymbol bedeutet Gefahr. Sie befinden sich in einer Situation, die zu einerKrperverletzung fhren knnte. Bevor Sie mit der Arbeit an irgendeinem Gert beginnen, seien Siesich der mit elektrischen Stromkreisen verbundenen Gefahren und der Standardpraktiken zurVermeidung von Unfllen bewut. (bersetzungen der in dieser Verffentlichung enthaltenenWarnhinweise finden Sie im Anhang mit dem Titel Translated Safety Warnings (bersetzung der

Warnhinweise).)

Avvertenza Questo simbolo di avvertenza indica un pericolo. Si in una situazione che pu causare infortuni.Prima di lavorare su qualsiasi apparecchiatura, occorre conoscere i pericoli relativi ai circuitielettrici ed essere al corrente delle pratiche standard per la prevenzione di incidenti. La traduzionedelle avvertenze riportate in questa pubblicazione si trova nellappendice, Translated SafetyWarnings (Traduzione delle avvertenze di sicurezza).

Advarsel Dette varselsymbolet betyr fare. Du befinner deg i en situasjon som kan fre til personskade. Fr duutfrer arbeid p utstyr, m du vre oppmerksom p de faremomentene som elektriske kretserinnebrer, samt gjre deg kjent med vanlig praksis nr det gjelder unng ulykker. (Hvis du vil seoversettelser av de advarslene som finnes i denne publikasjonen, kan du se i vedlegget "TranslatedSafety Warnings" [Oversatte sikkerhetsadvarsler].)

Aviso Este smbolo de aviso indica perigo. Encontra-se numa situao que lhe poder causar danosfisicos. Antes de comear a trabalhar com qualquer equipamento, familiarize-se com os perigosrelacionados com circuitos elctricos, e com quaisquer prticas comuns que possam prevenirpossveis acidentes. (Para ver as tradues dos avisos que constam desta publicao, consulte oapndice Translated Safety Warnings - Tradues dos Avisos de Segurana).


19/373

xix


OL-4526-01

Preface

Related Publications

Related PublicationsThese documents provide complete information about the access point:

Quick Start Guide: Cisco Aironet 350 Series Access Points



Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges

Installation Instructions for Cisco Aironet Power Injectors

Cisco Aironet 802.11g Radio Upgrade Instructions

Release Notes for 350, 1100, and 1200 Series Access Points for Cisco IOS Release 12.2(13)JA

Click this link to browse to the Cisco Aironet documentation home page:

http://www.cisco.com/univercd/cc/td/doc/product/wireless/index.htm

Obtaining DocumentationCisco provides several ways to obtain documentation, technical assistance, and other technical

resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Advertencia! Este smbolo de aviso significa peligro. Existe riesgo para su integridad fsica. Antes de manipularcualquier equipo, considerar los riesgos que entraa la corriente elctrica y familiarizarse con losprocedimientos estndar de prevencin de accidentes. (Para ver traducciones de las advertenciasque aparecen en esta publicacin, consultar el apndice titulado Translated Safety Warnings.)

Varning! Denna varningssymbol signalerar fara. Du befinner dig i en situation som kan leda till personskada.Innan du utfr arbete p ngon utrustning mste du vara medveten om farorna med elkretsar ochknna till vanligt frfarande fr att frebygga skador. (Se frklaringar av de varningar somfrekommer i denna publikation i appendix "Translated Safety Warnings" [versattaskerhetsvarningar].)
http://www.cisco.com/univercd/cc/td/doc/product/wireless/index.htmhttp://www.cisco.com/univercd/home/home.htmhttp://www.cisco.com/http://www.cisco.com/public/countries_languages.shtmlhttp://www.cisco.com/univercd/cc/td/doc/product/wireless/index.htmhttp://www.cisco.com/univercd/cc/td/doc/product/wireless/index.htmhttp://www.cisco.com/public/countries_languages.shtmlhttp://www.cisco.com/http://www.cisco.com/univercd/home/home.htm


20/373

xx


OL-4526-01

Preface

Documentation Feedback

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM

package, which may have shipped with your product. The Documentation CD-ROM is updated regularly

and may be more current than printed documentation. The CD-ROM package is available as a single unit

or through an annual or quarterly subscription.Registered Cisco.com users can order a single Documentation CD-ROM (product number

DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Click Subscriptions & Promotional Materials in the left navigation bar.

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from

the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by

calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in

North America, by calling 800 553-NETS (6387).

Documentation FeedbackYou can submit e-mail comments about technical documentation to [email protected].

You can submit comments by using the response card (if present) behind the front cover of your

document or by writing to the following address:

Cisco Systems

Attn: Customer Document Ordering

170 West Tasman Drive

San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical AssistanceFor all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco

Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services,

online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for

technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.htmlhttp://www.cisco.com/go/subscriptionhttp://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htmhttp://www.cisco.com/en/US/partner/ordering/index.shtmlhttp://www.cisco.com/en/US/partner/ordering/index.shtmlhttp://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htmhttp://www.cisco.com/go/subscriptionhttp://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.htmlhttp://www.cisco.com/public/countries_languages.shtml


21/373

xxi


OL-4526-01

Preface

Obtaining Technical Assistance

Cisco TAC Website

The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for

troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC

website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If youhave a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

Using the online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open

P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which

you require product information.) After you describe your situation, the TAC Case Open Tool

automatically recommends resources for an immediate solution. If your issue is not resolved using the

recommended resources, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely

degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers

are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)

EMEA: +32 2 704 55 55

USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions

Priority 1 (P1)Your network is down or there is a critical impact to your business operations. You

and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)Operation of an existing network is severely degraded, or significant aspects of your

business operation are negatively affected by inadequate performance of Cisco products. You and Cisco

will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)Operational performance of your network is impaired, but most business operations

remain functional. You and Cisco will commit resources during normal business hours to restore service

to satisfactory levels.

Priority 4 (P4)You require information or assistance with Cisco product capabilities, installation, or

configuration. There is little or no effect on your business operations.
http://www.cisco.com/tachttp://tools.cisco.com/RPF/register/register.dohttp://www.cisco.com/tac/caseopenhttp://www.cisco.com/warp/public/687/Directory/DirTAC.shtmlhttp://www.cisco.com/warp/public/687/Directory/DirTAC.shtmlhttp://www.cisco.com/tac/caseopenhttp://tools.cisco.com/RPF/register/register.dohttp://www.cisco.com/tac


22/373

xxii


OL-4526-01

Preface

Obtaining Additional Publications and Information

Obtaining Additional Publications and InformationInformation about Cisco products, technologies, and network solutions is available from various online

and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as

ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of general networking, training and cer tification titles. Both new

and experienced user will benefit from these publications. For current Cisco Press titles and other

information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest networking trends,

technology breakthroughs, and Cisco products and solutions to help industry professionals get the

most from their networking investment. Included are networking deployment and troubleshooting

tips, configuration examples, customer case studies, tutorials and training, certification information,

and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet

business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering

professionals involved in designing, developing, and operating public and private internets and

intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

TrainingCisco offers world-class networking training. Current offerings in network training are

listed at this URL:

http://www.cisco.com/en/US/learning/index.html
http://www.cisco.com/en/US/products/products_catalog_links_launch.htmlhttp://www.ciscopress.com/http://www.cisco.com/packethttp://www.cisco.com/go/iqmagazinehttp://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.htmlhttp://www.cisco.com/en/US/learning/index.htmlhttp://www.cisco.com/en/US/learning/index.htmlhttp://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.htmlhttp://www.cisco.com/go/iqmagazinehttp://www.cisco.com/packethttp://www.ciscopress.com/http://www.cisco.com/en/US/products/products_catalog_links_launch.html


23/373

C H A P T E R

1-1


OL-4526-01

1

Overview

Cisco Aironet Access Points (hereafter called access points) provide a secure, affordable, and

easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class

features required by networking professionals. With a management system based on Cisco IOS software,

Cisco Aironet 350, 1100, and 1200 series access points are Wi-Fi certified, 802.11b-compliant,

802.11g-compliant, and 802.11a-compliant wireless LAN transceivers.

The 350 series access point, which can be upgraded to run Cisco IOS software, uses a single, 802.11b,

2.4-GHz mini-PCI radio. The 1100 series access point uses a single, 802.11b, 2.4-GHz mini-PCI radio

that can be upgraded to an 802.11g, 2.4-GHz radio. The 1200 series access point can contain two radios:

a 2.4-GHz radio in an internal mini-PCI slot and a 5-GHz radio module in an external, modified cardbus

slot. The 1200 series access point supports one radio of each type, but it does not support two 2.4-GHz

or two 5-GHz radios. You can configure the radios separately, using different settings on each radio.

Access points serves as the connection point between wireless and wired networks or as the center point

of a stand-alone wireless network. In large installations, wireless users within radio range of an access

point can roam throughout a facility while maintaining seamless, uninterrupted access to the network.

You can configure and monitor the access point using the command-line interface (CLI), the

browser-based management system, or Simple Network Management Protocol (SNMP).

This chapter provides information on the following topics:

Features, page 1-2

Management Options, page 1-3

Roaming Client Devices, page 1-4

Network Configuration Examples, page 1-4


24/373

1-2


OL-4526-01

Chapter 1 Overview

Features

FeaturesAccess points running Cisco IOS software offer these software features:

World modeUse this feature to communicate the access points regulatory setting information,

including maximum transmit power and available channels, to world mode-enabled clients. Clients

using world mode can be used in countries with different regulatory settings and automaticallyconform to local regulations. World mode is supported only on the 2.4-GHz radio.

Repeater modeConfigure the access point as a wireless repeater to extend the coverage area of

your wireless network.

Standby modeConfigure the access point as a standby unit that monitors another access point and

assumes its role in the network if the monitored access point fails.

Multiple SSIDsCreate up to 16 SSIDs on your access point and assign any combination of these

settings to each SSID:

Broadcast SSID mode for guests on your network

Client authentication methods

Maximum number of client associations

VLAN identifier

Proxy Mobile IP

RADIUS accounting list identifier

A separate SSID for infrastructure devices such as repeaters and workgroup bridges

VLANsAssign VLANs to the SSIDs on your access point (one VLAN per SSID) to differentiate

policies and services among users.

QoSUse this feature to support quality of service for prioritizing traffic from the Ethernet to the

access point. The access point also supports the voice-prioritization schemes used by 802.11b

wireless phones such as Spectralink's Netlink and Symbols Netvision.

Proxy Mobile IPUse this feature to configure the access point to provide proxy Mobile IP servicefor clients that do not have mobile IP software installed.

RADIUS AccountingEnable accounting on the access point to send accounting data about

wireless client devices to a RADIUS server on your network.

TACACS+ adminstrator authenticationEnable TACACS+ for server-based, detailed accounting

information and flexible administrative control over authentication and authorization processes. It

provides secure, centralized validation of administrators attempting to gain access to your access

point.

Enhanced securityEnable three advanced security features to protect against sophisticated attacks

on your wireless network's WEP keys: Message Integrity Check (MIC), WEP key hashing, and

broadcast WEP key rotation.

Enhanced authentication servicesSet up repeater access points to authenticate to your networklike other wireless client devices. After you provide a network username and password for the

repeater, it authenticates to your network using LEAP, Cisco's wireless authentication method, and

receives and uses dynamic WEP keys.


25/373

1-3


OL-4526-01

Chapter 1 Overview

Management Options

Wi-Fi Protected Access (WPA)Wi-Fi Protected Access is a standards-based, interoperable

security enhancement that strongly increases the level of data protection and access control for

existing and future wireless LAN systems. It is derived from and will be forward-compatible with

the upcoming IEEE 802.11i standard. WPA leverages TKIP (Temporal Key Integrity Protocol) for

data protection and 802.1X for authenticated key management.

Fast secured roaming using Cisco Centralized Key Management (CCKM)Using CCKM,authenticated client devices can roam securely from one access point to another without any

perceptible delay during reassociation. An access point on your network provides wireless domain

services (WDS) and creates a cache of security credentials for CCKM-enabled client devices on the

subnet. The WDS access points cache of credentials dramatically reduces the time required for

reassociation when a CCKM-enabled client device roams to a new access point.

Access point as backup or stand-alone authentication serverYou can configure an access point to

act as a local RADIUS server to provide authentication service for small wireless LANs without a

RADIUS server or to provide backup authentication service in case of a WAN link or a server

failure. The access point can authenticate LEAP-enabled wireless client devices and allow them to

join your network.

Rogue access point detectionAccess points running Cisco IOS Release 12.2(11)JA work together

with LEAP-enabled client devices running firmware version 5.02.17 or later to detect rogue accesspoints on your wireless LAN. The access point records a message in the system log when a client

device discovers and reports an access point on the wireless LAN that fails to authenticate the client

using LEAP. When the client successfully authenticates through another access point, it reports the

access point that failed LEAP as a potential rogue device.

Client ARP cachingTo reduce traffic on the wireless LAN, you can configure access points

running Cisco IOS Release 12.2(13)JA to reply to ARP queries on behalf of associated client

devices. In previous releases, the access point forwards ARP queries to all associated client devices,

and the specified client responds with its MAC address. When the access point maintains an ARP

cache, however, it responds to ARP queries on behalf of the client device and does not forward the

queries through its radio port.

CCKM voice clients and WPA clients on the same VLANAccess points running Cisco IOS

Release 12.2(13)JA allow both 802.11b CCKM voice clients and 802.11b WPA clients on the sameVLAN.

WISPr RADIUS attributesThe Wi-Fi Alliances WISPrBest Current Practices for Wireless

Internet Service Provider (WISP) Roaming document lists RADIUS attributes that access points

must send with RADIUS accounting and authentication requests. You can configure access points

running Cisco IOS Release 12.2(13)JA to include these attributes in all RADIUS accounting and

authentication requests.

Support for 802.11g radiosCisco IOS Release 12.2(13)JA supports the 802.11g, 2.4-GHz

mini-PCI radio. You can upgrade the 802.11b, 2.4-GHz radio in 1100 and 1200 series access points

with an 802.11g, 2.4-GHz radio.

Management OptionsYou can use the access point management system through the following interfaces:

The Cisco IOS command-line interface (CLI), which you use through a Telnet session. Most of the

examples in this manual are taken from the CLI. Chapter 4, Using the Command-Line Interface,

provides a detailed description of the CLI.

A web-browser interface, which you use through a web browser. Chapter 3, Using the

Web-Browser Interface, provides a detailed description of the web-browser interface.


26/373

1-4


OL-4526-01

Chapter 1 Overview

Roaming Client Devices

Simple Network Management Protocol (SNMP). Chapter 18, Configuring SNMP, explains how to

configure your access point for SNMP management.

Roaming Client DevicesIf you have more than one access point in your wireless LAN, wireless client devices can roam

seamlessly from one access point to another. The roaming functionality is based on signal quality, not

proximity. When a clients signal quality drops, it roams to another access point.

Wireless LAN users are sometimes concerned when a client device stays associated to a distant access

point instead of roaming to a closer access point. However, if a clients signal to a distant access point

remains strong and the signal quality is high, the client will not roam to a closer access point. Checking

constantly for closer access points would be inefficient, and the extra radio traffic would slow throughput

on the wireless LAN.

Using CCKM and an access point acting as a subnet context manager, client devices can roam from one

access point to another so quickly that there is no perceptible delay in voice or other time-sensitive

applications.

Network Configuration ExamplesThis section describes the access points role in three common wireless network configurations. The

access points default configuration is as a root unit connected to a wired LAN or as the central unit in

an all-wireless network. The repeater role requires a specific configuration.

Root Unit on a Wired LAN

An access point connected directly to a wired LAN provides a connection point for wireless users. If

more than one access point is connected to the LAN, users can roam from one area of a facility to anotherwithout losing their connection to the network. As users move out of range of one access point, they

automatically connect to the network (associate) through another access point. The roaming process is

seamless and transparent to the user. Figure 1-1shows access points acting as root units on a wired LAN.


27/373

1-5


OL-4526-01

Chapter 1 Overview

Network Configuration Examples

Figure 1-1 Access Points as Root Units on a Wired LAN

Access Point

(Root Unit)

Access Point

(Root Unit)

65999

Wired LAN


28/373

1-6


OL-4526-01

Chapter 1 Overview


Repeater Unit that Extends Wireless Range

An access point can be configured as a stand-alone repeater to extend the range of your infrastructure or

to overcome an obstacle that blocks radio communication. The repeater forwards traffic between

wireless users and the wired LAN by sending packets to either another repeater or to an access point

connected to the wired LAN. The data is sent through the route that provides the best performance forthe client. Figure 1-2 shows an access point acting as a repeater. Consult the Configuring a Repeater

Access Point section on page 19-3 for instructions on setting up an access point as a repeater.

Note Non-Cisco client devices might have difficulty communicating with repeater access points.

Figure 1-2 Access Point as Repeater

Access Point

(Root Unit)

Access Point

(Repeater)

66000

Wired LAN


29/373

1-7


OL-4526-01

Chapter 1 Overview


Central Unit in an All-Wireless Network

In an all-wireless network, an access point acts as a stand-alone root unit. The access point is not

attached to a wired LAN; it functions as a hub linking all stations together. The access point serves as

the focal point for communications, increasing the communication range of wireless users. Figure 1-3

shows an access point in an all-wireless network.

Figure 1-3 Access Point as Central Unit in All-Wireless Network

Access Point

(Root Unit)

65998


30/373

1-8


OL-4526-01

Chapter 1 Overview



31/373

C H A P T E R

2-1


OL-4526-01

2

Configuring the Access Point for the First Time

This chapter describes how to configure basic settings on your access point for the first time. The

contents of this chapter are similar to the instructions in the quick start guide that shipped with your

access point. You can configure all the settings described in this chapter using the CLI, but it might be

simplest to browse to the access points web-browser interface to complete the initial configuration and

then use the CLI to enter additional settings for a more detailed configuration.

This chapter contains these sections:

Before You Start, page 2-2

Obtaining and Assigning an IP Address, page 2-3

Connecting to the 350 Series Access Point Locally, page 2-3



Assigning Basic Settings, page 2-6

Protecting Your Wireless LAN, page 2-10

Using the IP Setup Utility, page 2-11

Assigning an IP Address Using the CLI, page 2-14

Using a Telnet Session to Access the CLI, page 2-14


32/373

2-2


OL-4526-01

Chapter 2 Configuring the Access Point for the First Time

Before You Start

Before You StartBefore you install the access point, make sure you are using a computer connected to the same network

as the access point, and obtain the following information from your network administrator:

A system name for the access point

The case-sensitive wireless service set identifier (SSID) for your radio network

If not connected to a DHCP server, a unique IP address for your access point (such as

172.17.255.115)

If the access point is not on the same subnet as your PC, a default gateway address and subnet mask

A Simple Network Management Protocol (SNMP) community name and the SNMP file attribute (if

SNMP is in use)

If you use IPSU to find or assign the access point IP address, the MAC address from the label on the

bottom of the access point (such as 00164625854c)

Resetting the Access Point to Default SettingsIf you need to start over during the initial setup process, follow these steps to reset the access point to

factory default settings using the access point MODE button:

Step 1 Disconnect power (the power jack for external power or the Ethernet cable for in-line power) from the

access point.

Step 2 Press and hold the MODE button while you reconnect power to the access point.

Step 3 Hold the MODE button until the Status LED turns amber (approximately 1 to 2 seconds), and release the

button. All access point settings return to factory defaults.

Follow these steps to return to default settings using the web-browser interface:

Step 1 Open your Internet browser. The browser interface is fully compatible with Microsoft Internet Explorer

version 5.5 and 6.0 on Windows platforms (98, NT, 2000, and XP) and on Linux and Solaris platforms.

Step 2 Enter the access points IP address in the browser address line and press Enter. An Enter Network

Password window appears.

Step 3 Enter your username in the User Name field. The default username is Cisco.

Step 4 Enter the access point password in the Password field and press Enter. The default password is Cisco.

The Summary Status page appears.

Step 5 ClickSystem Software and the System Software screen appears.

Step 6 ClickSystem Configuration and the System Configuration screen appears.

Step 7 Click the Reset toDefaults button.

Note If the access point is configured with a static IP address, the IP address does not change.


33/373

2-3


OL-4526-01


Obtaining and Assigning an IP Address

Obtaining and Assigning an IP AddressTo browse to the access points Express Setup page, you must either obtain or assign the access points

IP address using one of the following methods:

Use default address 10.0.0.1 when you connect to the access point locally. For detailed instructions,

see the Connecting to the 1100 Series Access Point Locally section on page 2-4.

If you have a 350 or a 1200 series access point, connect to the access point console port and assign

a static IP address. Follow the steps in theConnecting to the 350 Series Access Point Locally

section on page 2-3 or in the Connecting to the 1200 Series Access Point Locally section on

page 2-5 to connect to the console port.

Use a DHCP server (if available) to automatically assign an IP address. You can find out the

DHCP-assigned IP address using one of the following methods:

If you have a 350 or a 1200 series access point, connect to the access point console port and use

the show ip interface briefcommand to display the IP address. Follow the steps intheConnecting to the 350 Series Access Point Locally section on page 2-3 or in the

Connecting to the 1200 Series Access Point Locally section on page 2-5 to connect to the

console port. Provide your organizations network administrator with your access points Media Access

Control (MAC) address. Your network administrator will query the DHCP server using the

MAC address to identify the IP address. The access points MAC address is on label attached

to the bottom of the access point.

Use the Cisco IP Setup Utility (IPSU) to identify the assigned address. You can also use IPSU

to assign an IP address to the access point if it did not receive an IP address from the DHCP

server. IPSU runs on most Microsoft Windows operating systems: Windows 9x, 2000, Me, NT,

and XP.

You can download IPSU from the Software Center on Cisco.com. Click this link to browse to

the Software Center:

http://www.cisco.com/public/sw-center/sw-wireless.shtml

Connecting to the 350 Series Access Point LocallyIf you need to configure the access point locally (without connecting the access point to a wired LAN),

you can connect a PC to its RS-232 console port using a nine-pin, male-to-female, straight-through serial

cable. Follow these steps to open the CLI by connecting to the access point console port:

Step 1 Connect a nine-pin, male-to-female, straight-through DB-9 serial cable to the RS-232 serial port on the

access point and to the COM port on a computer. Figure 2-3 shows the serial port connection.
http://www.cisco.com/public/sw-center/sw-wireless.shtmlhttp://www.cisco.com/public/sw-center/sw-wireless.shtml


34/373

2-4


OL-4526-01


Connecting to the 1100 Series Access Point Locally

Figure 2-1 Connecting the Serial Cable (Access Point with Plastic Case)

Figure 2-2 Connecting the Serial Cable (Access Point with Metal Case)

Step 2 Set up a terminal emulator to communicate with the access point. Use the following settings for the

terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and Xon/Xoff flow control.


you can connect a PC to its Ethernet port using a Category 5 Ethernet cable. You can use a local

connection to the Ethernet port much as you would use a serial port connection.

Note You do not need a special crossover cable to connect your PC to the access point; you can useeither a straight-through cable or a crossover cable.

If the access point is configured with default values and not connected to a DHCP server or cannot obtain

an IP address, it defaults to IP address 10.0.0.1 and becomes a mini-DHCP server. In that capacity, the

access point provides up to twenty IP addresses between 10.0.0.11 and 10.0.0.30 to the following

devices:

An Ethernet-capable PC connected to its Ethernet port

ETHERNET

SERIAL

SERIAL

5VDC

9-pin serial extensioncable to PC COM port

RS-232

CISC

OAI

RONE

T35

0SE

RIES

WI

RELE

SSA

CCE

SS

POI

NT

ETHE

RNETA

CTIV

ITY

ASSO

CIAT

ION

STAT

US

RAD

IOA

CTIV

ITY

SERIALPORT

ONLINE POWERETHERNET

LEFT

RIGHT/PRIMARY

SERIALPORT

5VDC

9-pin serial extensioncable to PC COM port

RS-232


35/373

2-5


OL-4526-01


Connecting to the 1200 Series Access Point Locally

Wireless client devices configured to use either no SSID or tsunami as the SSID, and with all

security settings disabled

The mini-DHCP server feature is disabled automatically when you assign a static IP address to the access

point.

Caution When an access point with default settings is connected on a wired LAN and does not receive an IP

address from a DHCP server, the access point provides an IP address to any DHCP requests it receives

Follow these steps to connect to the access point locally:

Step 1 Make sure that the PC you intend to use is configured to obtain an IP address automatical ly, or manually

assign it an IP address from 10.0.0.2 to 10.0.0.10. Connect your PC to the access point using a Category

5 Ethernet cable. You can use either a crossover cable or a straight-through cable.

Step 2 Power up the access point.

Step 3 Follow the steps in the Assigning Basic Settings section on page 2-6. If you make a mistake and need

to start over, follow the steps in the Resetting the Access Point to Default Settings section on page 2-2

Step 4 After configuring the access point, remove the Ethernet cable from your PC and connect the access point

to your wired LAN.

Note When you connect your PC to the access point or reconnect your PC to the wired LAN, you might need

to release and renew the IP address on the PC. On most PCs, you can perform a release and renew by

rebooting your PC or by entering ipconfig /release and ipconfig /renew commands in a commandprompt window. Consult your PC operating instructions for detailed instructions.


you can connect a PC to its console port using a DB-9 to RJ-45 serial cable. Follow these steps to open

the CLI by connecting to the access point console port:

Step 1 Connect a nine-pin, female DB-9 to RJ-45 serial cable to the RJ-45 serial port on the access point and

to the COM port on a computer. Figure 2-3shows the serial port connection.


36/373

2-6


OL-4526-01


Assigning Basic Settings

Figure 2-3 Connecting the Serial Cable

Note The Cisco part number for the DB-9 to RJ-45 serial cable is AIR-CONCAB1200. Browse to

http://www.cisco.com/go/marketplace to order a serial cable.

Step 2 Set up a terminal emulator to communicate with the access point. Use the following settings for the

terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.

Assigning Basic SettingsAfter you determine or assign the access points IP address, you can browse to the access points Express

Setup page and perform an initial configuration:

Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or NetscapeNavigator (version 4.x).

Step 2 Enter the access points IP address in the browser address line and press Enter. An Enter Network

Password screen appears.

Step 3 Press Tab to bypass the Username field and advance to the Password field.

Step 4 Enter the case-sensitive password Cisco and press Enter. The Summary Status page appears. Figure 2-4shows the Summary Status page.

RJ-45 serialconnector

DB-9 to RJ-45serial cable

74005
http://www.cisco.com/go/marketplacehttp://www.cisco.com/go/marketplace


37/373

2-7


OL-4526-01



Figure 2-4 Summary Status Page

Step 5 ClickExpress Setup. The Express Setup screen appears. Figure 2-5 shows the Express Setup page.


38/373

2-8


OL-4526-01



Figure 2-5 Express Setup Page

Step 6 Enter the configuration settings you obtained from your system administrator. The configurable settings

include:

System Name The system name, while not an essential setting, helps identify the access point on

your network. The system name appears in the titles of the management system pages.

Note When you change the system name, the access point resets the radios, causing associated

client devices to disassociate and quickly reassociate.

Configuration Server ProtocolClick on the button that matches the networks method of IPaddress assignment.

DHCPIP addresses are automatically assigned by your networks DHCP server.

Static IPThe access point uses a static IP address that you enter in the IP address field.

IP AddressUse this setting to assign or change the access points IP address. If DHCP is enabledfor your network, leave this field blank.

Note If the access points IP address changes while you are configuring the access point using theweb-browser interface or a Telnet session over the wired LAN, you lose your connection to the

access point. If you lose your connection, reconnect to the access point using its new IP address.

Follow the steps in the Resetting the Access Point to Default Settings section on page 2-2if

you need to start over.

IP Subnet MaskEnter the IP subnet mask provided by your network administrator so the IPaddress can be recognized on the LAN. If DHCP is enabled, leave this field blank.


39/373

2-9


OL-4526-01



Default GatewayEnter the default gateway IP address provided by your network administrator.

If DHCP is enabled, leave this field blank.

Radio Service Set ID (SSID)Enter the case-sensitive SSID (32 alphanumeric characters

maximum) provided by your network administrator. The SSID is a unique identifier that client

devices use to associate with the access point.

Broadcast SSID in BeaconUse this setting to allow devices that do not specify an SSID toassociate with the access point.

YesThis is the default setting; it allows devices that do not specify an SSID to associate withthe access point.

NoDevices must specify an SSID to associate with the access point. With No selected, the

SSID used by the client devices must match exactly the access point s SSID.

Role in Radio NetworkClick on the button that describes the role of the access point on your

network. Select Access Point (Root) if your access point is connected to the wired LAN. Select

Repeater (Non-Root) if it is not connected to the wired LAN.

Optimize Radio Network forUse this setting to select either preconfigured settings for the access

point radio or customized settings for the access point radio.

ThroughputMaximizes the data volume handled by the access point but might reduce itsrange.

RangeMaximizes the access points range but might reduce throughput.

CustomThe access point uses settings you enter on the Network Interfaces: Radio-802.11b

Settings page. Clicking Custom takes you to the Network Interfaces: Radio-802.11b Settingspage.

Aironet ExtensionsEnable this setting if there are only Cisco Aironet devices on your wireless

LAN.

SNMP CommunityIf your network is using SNMP, enter the SNMP Community name provided

by your network administrator and select the attributes of the SNMP data (also provided by your

network administrator).

Step 7 ClickApply to save your settings. If you changed the IP address, you lose your connection to the access

point. Browse to the new IP address to reconnect to the access point.

Your access point is now running but probably requires additional configuring to conform to your

networks operational and security requirements . Consult the chapters in this manual for the information

you need to complete the configuration.

Note You can restore the access point to its factory defaults by unplugging the power jack and

plugging it back in while holding down the Mode button for a few seconds, or until the Status

LED turns amber.


40/373

2-10


OL-4526-01


Protecting Your Wireless LAN

Default Settings on the Express Setup Page

Table 2-1 lists the default settings for the settings on the Express Setup page.

Protecting Your Wireless LANAfter you assign basic settings to your access point, you must configure security settings to prevent

unauthorized access to your network. Because it is a radio device, the access point can communicate

beyond the physical boundaries of your building. Configure some combination of these security features

to protect your network from intruders:

Unique SSIDs that are not broadcast in the access point beacon (see Chapter 7, Configuring

Multiple SSIDs)

Cipher suites, WEP, and WEP features (see Chapter 9, Configuring Cipher Suites and WEP)

Dynamic WEP and client authentication (see Chapter 10, Configuring Authentication Types)

Table 2-1 Default Settings on the Express Setup Page

Setting Default

System Name ap

Configuration Server Protocol DHCP

IP Address Assigned by DHCP by default; if

DHCP is disabled, the default

setting is 10.0.0.1

IP Subnet Mask Assigned by DHCP by default; if

DHCP is disabled, the default

setting is 255.255.255.224

Default Gateway Assigned by DHCP by default; if

DHCP is disabled, the defaultsetting is 0.0.0.0

Radio Service Set ID (SSID) tsunami

Broadcast SSID in Beacon Yes1

1. When you assign multiple SSIDs, this setting no longer appears.

Role in Radio Network Access point (root)

Optimize Radio Network for Throughput

Aironet Extensions Enable

SNMP Community defaultCommunity


41/373

2-11


OL-4526-01


Using the IP Setup Utility

Using the IP Setup UtilityIPSU enables you to find the access points IP address when it has been assigned by a DHCP server. You

can also use IPSU to set the access points IP address and SSID if they have not been changed from the

default settings. This section explains how to install the utility, how to use it to find the access points IP

address, and how to use it to set the IP address and the SSID.

Note IPSU can be used only on the following operating systems: Windows 95, 98, NT, 2000, ME, or XP.

Tip Another simple way to find the access points IP address is to look on the Status screen in the Aironet

Client Utility on a client device associated to the access point.

Obtaining IPSU

IPSU is available on the Cisco website. Click this link to browse to the Software Center on Cisco.com:

http://www.cisco.com/public/sw-center/sw-wireless.shtml

You can find IPSU in the Software Display Tables for access points that run Cisco IOS software.

Using IPSU to Find the Access Points IP Address

If your access point receives an IP address from a DHCP server, you can use IPSU to find its IP address.

Because IPSU sends a reverse-ARP request based on the access point MAC address, you must run IPSU

from a computer on the same subnet as the access point. Follow these steps to find the access points IP

address:

Step 1 Double-click the IPSU icon on your computer desktop to start the utility. The IPSU screen appears (see

Figure 2-6).

Figure 2-6 IPSU Get IP Address Screen
http://www.cisco.com/public/sw-center/sw-wireless.shtmlhttp://www.cisco.com/public/sw-center/sw-wireless.shtml


42/373

2-12


OL-4526-01

Chapter 2 Configur