Cisco OL-29225-01 User Manual

Cisco IOS Configuration Guide for Autonomous Cisco Aironet Access Points
Cisco IOS Release 15.3(3)JAB
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
Text Part Number: OL-31535-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Cisco IOS Configuration Guide for Autonomous Cisco Aironet Access Points
© 1992-2014 Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface
Audience
Purpose
Configuration Procedures and Examples
Organization
Conventions
Related Publications
Obtaining Documentation, Obtaining Support, and Security Guidelines
CHAPTER 1 Overview of Access Point Features
Radios in Access Points
New Features and Platforms in this Release
New Access Point Platforms Supported
Support for Cisco Aironet 3700 Series access point
Support for Cisco Aironet 2700 Series access point
Support for Cisco Aironet 1700 Series access point
New Features
Multiple Port Support for Cisco Aironet 1550 Series Outdoor Access Points
Automatic Configuring of the Access Point
Support for L2TPv3
Configuration and CLI Changes in this Release
Management Options
Roaming Client Devices
Network Configuration Examples
Root Access Point
Repeater Access Point
Bridges
Workgroup Bridge
Central Unit in an All-Wireless Network
CHAPTER 2 Using the Web-Browser Interface
Using the Web-Browser Interface for the First Time
Using the Management Pages in the Web-Browser Interface
Using Action Buttons
Character Restrictions in Entry Fields
Enabling HTTPS for Secure Browsing
Deleting an HTTPS Certificate
Using Online User Guides
Disabling the Web-Browser Interface
CHAPTER 3 Using the Command-Line Interface
Cisco IOS Command Modes
Getting Help
Abbreviating Commands
Using the no and Default Forms of Commands
Understanding CLI Messages
Using Command History
Changing the Command History Buffer Size
Recalling Commands
Disabling the Command History Feature
Using Editing Features
Enabling and Disabling Editing Features
Editing Commands Through Keystrokes
Editing Command Lines that Wrap
Searching and Filtering Output of show and more Commands
Accessing the CLI
Opening the CLI with Telnet
Opening the CLI with Secure Shell
CHAPTER 4 Configuring the Access Point for the First Time
Before You Start
Resetting the Device to Default Settings
Resetting to Default Settings Using the MODE Button
Resetting to Default Settings Using the GUI
Resetting to Default Settings Using the CLI
Logging into the Access Point
Obtaining and Assigning an IP Address
Default IP Address Behavior
Connecting to the 1040, 1140, 1240, 1250, 1260, and 2600 Series Access Points Locally
Connecting to the 1550 Series Access Point Locally
Default Radio Settings
Assigning Basic Settings
Default Settings on the Easy Setup Page
Understanding the Security Settings
Using VLANs
Security Types for an SSID
Limitations of Security Settings
CLI Configuration Examples
Configuring System Power Settings Access Points
Using the AC Power Adapter
Using a Switch Capable of IEEE 802.3af Power Negotiation
Using a Switch That Does Not Support IEEE 802.3af Power Negotiation
Using a Power Injector
dot11 extension power native Command
Support for 802.11n Performance on 1250 Series Access Points with Standard 802.3af PoE
1250 Series Power Modes
Support for 802.11ac
Channel Widths for 802.11ac
Power Management for 802.11ac
Assigning an IP Address Using the CLI
Using a Telnet Session to Access the CLI
Configuring the 802.1X Supplicant
Creating a Credentials Profile
Applying the Credentials to an Interface or SSID
Applying the Credentials Profile to the Wired Port
Applying the Credentials Profile to an SSID Used For the Uplink
Creating and Applying EAP Method Profiles
Configuring IPv6
Configuring DHCPv6 address
IPv6 Neighbor Discovery
Configuring IPv6 Access Lists
RADIUS Configuration
IPv6 WDS Support
CDPv6 Support
RA filtering
Automatic Configuring of the Access Point
Enabling Autoconfig
Prepare a Configuration Information File
Enable environmental variables
Schedule the Configuration Information File Download
Enabling Autoconfig via a Boot File
Checking the Autoconfig Status
Debugging Autoconfig
CHAPTER 5 Administrating the Access Point
Disabling the Mode Button
Preventing Unauthorized Access to Your Access Point
Protecting Access to Privileged EXEC Commands
Default Password and Privilege Level Configuration
Setting or Changing a Static Enable Password
Protecting Enable and Enable Secret Passwords with Encryption
Configuring Username and Password Pairs
Configuring Multiple Privilege Levels
Setting the Privilege Level for a Command
Logging Into and Exiting a Privilege Level
Configuring Easy Setup
Configuring Spectrum Expert Mode
Controlling Access Point Access with RADIUS
Default RADIUS Configuration
Configuring RADIUS Login Authentication
Defining AAA Server Groups
Configuring RADIUS Authorization for User Privileged Access and Network Services
Displaying the RADIUS Configuration
Controlling Access Point Access with TACACS+
Default TACACS+ Configuration
Configuring TACACS+ Login Authentication
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
Displaying the TACACS+ Configuration
Configuring Ethernet Speed and Duplex Settings
Configuring the Access Point for Wireless Network Management
Configuring the Access Point for Local Authentication and Authorization
Configuring the Authentication Cache and Profile
Configuring the Access Point to Provide DHCP Service
Setting up the DHCP Server
Monitoring and Maintaining the DHCP Server Access Point
Show Commands
Clear Commands
Debug Command
Configuring the Access Point for Secure Shell
Understanding SSH
Configuring SSH
Support for Secure Copy Protocol
Configuring Client ARP Caching
Understanding Client ARP Caching
Optional ARP Caching
Configuring ARP Caching
Managing the System Time and Date
Understanding Simple Network Time Protocol
Configuring SNTP
Configuring Time and Date Manually
Setting the System Clock
Displaying the Time and Date Configuration
Configuring the Time Zone
Configuring Summer Time (Daylight Saving Time)
Defining HTTP Access
Configuring a System Name and Prompt
Default System Name and Prompt Configuration
Configuring a System Name
Understanding DNS
Default DNS Configuration
Setting Up DNS
Displaying the DNS Configuration
Creating a Banner
Default Banner Configuration
Configuring a Message-of-the-Day Login Banner
Configuring a Login Banner
Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode
CHAPTER 6 Configuring Radio Settings
Enabling the Radio Interface
Configuring the Role in Radio Network
Universal Workgroup Bridge Mode
Point-to-point and Multi Point bridging support for 802.11n platforms
Configuring Dual-Radio Fallback
Radio Tracking
Fast Ethernet Tracking
MAC-Address Tracking
Configuring Radio Data Rates
Access Points Send Multicast and Management Frames at Highest Basic Rate
Configuring MCS Rates
Configuring Radio Transmit Power
Limiting the Power Level for Associated Client Devices
Configuring Radio Channel Settings
Channel Widths for 802.11n
Dynamic Frequency Selection
Radar Detection on a DFS Channel
CLI Commands
Confirming that DFS is Enabled
Configuring a Channel
Blocking Channels from DFS Selection
Setting the 802.11n Guard Interval
Enabling and Disabling World Mode
Disabling and Enabling Short Radio Preambles
Configuring Transmit and Receive Antennas
Enabling and Disabling Gratuitous Probe Response
Disabling and Enabling Aironet Extensions
Configuring the Ethernet Encapsulation Transformation Method
Enabling and Disabling Reliable Multicast to Workgroup Bridges
Enabling and Disabling Public Secure Packet Forwarding
Configuring Protected Ports
Configuring the Beacon Period and the DTIM
Configure RTS Threshold and Retries
Configuring the Maximum Data Packet Retries
Configuring the Fragmentation Threshold
Enabling Short Slot Time for 802.11g Radios
Performing a Carrier Busy Test
Configuring VoIP Packet Handling
Configuring ClientLink
Using the CLI to Configure ClientLink
Debugging Radio Functions
802.11r Configuration
CHAPTER 7 Configuring Multiple SSIDs
Understanding Multiple SSIDs
Configuring Multiple SSIDs
Creating an SSID Globally
Viewing SSIDs Configured Globally
Using a RADIUS Server to Restrict SSIDs
Configuring Multiple Basic SSIDs
Requirements for Configuring Multiple BSSIDs
Guidelines for Using Multiple BSSIDs
Configuring Multiple BSSIDs
CLI Configuration Example
Displaying Configured BSSIDs
Assigning IP Redirection for an SSID
Guidelines for Using IP Redirection
Configuring IP Redirection
Including SSIDL IE in an SSID Beacon
NAC Support for MBSSID
Configuring NAC for MBSSID
CHAPTER 8 Configuring Spanning Tree Protocol
Understanding Spanning Tree Protocol
STP Overview
Access Point/Bridge Protocol Data Units
Election of the Spanning-Tree Root
Spanning-Tree Timers
Creating the Spanning-Tree Topology
Spanning-Tree Interface States
Blocking State
Listening State
Learning State
Forwarding State
Disabled State
Configuring STP Features
Default STP Configuration
Configuring STP Settings
STP Configuration Examples
Root Bridge Without VLANs
Non-Root Bridge Without VLANs
Root Bridge with VLANs
Non-Root Bridge with VLANs
Displaying Spanning-Tree Status
CHAPTER 9 Configuring an Access Point as a Local Authenticator
Understanding Local Authentication
Configuring a Local Authenticator
Guidelines for Local Authenticators
Configuration Overview
Configuring the Local Authenticator Access Point
Configuring Other Access Points to Use the Local Authenticator
Configuring EAP-FAST Settings
Configuring PAC Settings
Configuring an Authority ID
Configuring Server Keys
Possible PAC Failures Caused by Access Point Clock
Limiting the Local Authenticator to One Authentication Type
Unblocking Locked Usernames
Viewing Local Authenticator Statistics
Using Debug Messages
CHAPTER 10 Configuring WLAN Authentication and Encryption
Understanding Authentication and Encryption Mechanisms
Understanding Encryption Modes
Configuring Encryption Modes
Creating Static WEP Keys
WEP Key Restrictions
Example WEP Key Setup
Enabling Cipher Suites
Matching Cipher Suites with WPA or CCKM
Enabling and Disabling Broadcast Key Rotation
CHAPTER 11 Configuring Authentication Types
Understanding Authentication Types
Open Authentication to the Access Point
WEP Shared Key Authentication to the Access Point
EAP Authentication to the Network
MAC Address Authentication to the Network
Combining MAC-Based, EAP, and Open Authentication
Using CCKM for Authenticated Clients
Using WPA Key Management
Configuring Authentication Types
Assigning Authentication Types to an SSID
Configuring WPA Migration Mode for Legacy WEP SSIDs
Configuring Additional WPA Settings
Configuring MAC Authentication Caching
Configuring Authentication Holdoffs, Timeouts, and Intervals
Creating and Applying EAP Method Profiles for the 802.1X Supplicant
Creating an EAP Method Profile
Applying an EAP Profile to the Fast Ethernet Interface
Applying an EAP Profile to an Uplink SSID
Matching Access Point and Client Device Authentication Types
Guest Access Management
Guest Account Creation
Customized Guest Access Pages
CHAPTER 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
Understanding WDS
Role of the WDS Device
Role of Access Points Using the WDS Device
Understanding Fast Secure Roaming
Understanding Wireless Intrusion Detection Services
Configuring WDS
Guidelines for WDS
Requirements for WDS
Configuration Overview
Configuring Access Points as Potential WDS Devices
CLI Configuration Example
Configuring Access Points to use the WDS Device
CLI Configuration Example
Configuring the Authentication Server to Support WDS
Configuring WDS Only Mode
Viewing WDS Information
Using Debug Messages
Configuring Fast Secure Roaming
Requirements for Fast Secure Roaming
Configuring Access Points to Support Fast Secure Roaming
CLI Configuration Example
Support for 802.11r
Configuring Management Frame Protection
Management Frame Protection
Client MFP Overview
Client MFP For Access Points in Root mode
Configuring Client MFP
Protection of Management Frames with 802.11w
Configuring Radio Management
CLI Configuration Example
Configuring Access Points to Participate in WIDS
Configuring the Access Point for Scanner Mode
Configuring the Access Point for Monitor Mode
Displaying Monitor Mode Statistics
Configuring Monitor Mode Limits
Configuring an Authentication Failure Limit
CHAPTER 13 Configuring RADIUS and TACACS+ Servers
Configuring and Enabling RADIUS
Understanding RADIUS
RADIUS Operation
Configuring RADIUS
Default RADIUS Configuration
Identifying the RADIUS Server Host
Configuring RADIUS Login Authentication
Defining AAA Server Groups
Configuring RADIUS Authorization for User Privileged Access and Network Services
Configuring Packet of Disconnect
Selecting the CSID Format
Starting RADIUS Accounting
Configuring Settings for All RADIUS Servers
Configuring the Access Point to Use Vendor-Specific RADIUS Attributes
Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication
Configuring WISPr RADIUS Attributes
Displaying the RADIUS Configuration
RADIUS Attributes Sent by the Access Point
Configuring and Enabling TACACS+
Understanding TACACS+
TACACS+ Operation
Configuring TACACS+
Default TACACS+ Configuration
Identifying the TACACS+ Server Host and Setting the Authentication Key
Configuring TACACS+ Login Authentication
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
Starting TACACS+ Accounting
Displaying the TACACS+ Configuration
CHAPTER 14 Configuring VLANs
Understanding VLANs
Incorporating Wireless Devices into VLANs
Configuring VLANs
Configuring a VLAN
Assigning Names to VLANs
Guidelines for Using VLAN Names
Creating a VLAN Name
Using a RADIUS Server to Assign Users to VLANs
Viewing VLANs Configured on the Access Point
VLAN Configuration Example
CHAPTER 15 Configuring QoS
Understanding QoS for Wireless LANs
QoS for Wireless LANs Versus QoS on Wired LANs
Impact of QoS on a Wireless LAN
Precedence of QoS Settings
Using Wi-Fi Multimedia Mode
Using Band Select
Configuring QoS
Configuration Guidelines
Configuring QoS Using the Web-Browser Interface
The QoS Policies Advanced Page
QoS Element for Wireless Phones
IGMP Snooping
AVVID Priority Mapping
WiFi Multimedia (WMM)
Rate Limiting
Adjusting Radio Access Categories
Configuring Nominal Rates
Optimized Voice Settings
CHAPTER 16 Configuring Filters
Understanding Filters
Configuring Filters Using the CLI
Configuring Filters Using the Web-Browser Interface
Configuring and Enabling MAC Address Filters
Creating a MAC Address Filter
Using MAC Address ACLs to Block or Allow Client Association to the Access Point
Configuring MAC Address Authentication
Determining the source of MAC Authentication
Configuring the SSID for MAC Authentication
Creating a Time-Based ACL
ACL Logging
Configuring and Enabling IP Filters
Creating an IP Filter
Configuring and Enabling EtherType Filters
Creating an EtherType Filter
CHAPTER 17 Configuring CDP
Understanding CDP
Configuring CDP
Default CDP Configuration
Configuring the CDP Characteristics
Disabling and Enabling CDP
Disabling and Enabling CDP on an Interface
Monitoring and Maintaining CDP
Enabling CDP Logging
CHAPTER 18 Configuring SNMP
Understanding SNMP
SNMP Versions
SNMP Manager Functions
SNMP Agent Functions
SNMP Community Strings
Using SNMP to Access MIB Variables
Configuring SNMP
Default SNMP Configuration
Enabling the SNMP Agent
Configuring Community Strings
Specifying SNMP-Server Group Names
Configuring SNMP-Server Hosts
Configuring SNMP-Server Users
Configuring Trap Managers and Enabling Traps
Setting the Agent Contact and Location Information
Using the snmp-server view Command
SNMP Examples
Displaying SNMP Status
CHAPTER 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode
Understanding Repeater Access Points
Configuring a Repeater Access Point
Default Configuration
Guidelines for Repeaters
Setting Up a Repeater
Aligning Antennas
Verifying Repeater Operation
Setting Up a Repeater As a WPA2 Client
Setting Up a Repeater As a EAP-FAST Client
Understanding Hot Standby
Configuring a Hot Standby Access Point
Verifying Standby Operation
Understanding Workgroup Bridge Mode
Treating Workgroup Bridges as Infrastructure Devices or as Client Devices
Configuring a Workgroup Bridge for Roaming
Configuring a Workgroup Bridge for Limited Channel Scanning
Configuring the Limited Channel Set
Ignoring the CCX Neighbor List
Configuring a Client VLAN
Workgroup Bridge VLAN Tagging
Configuring Workgroup Bridge Mode
Using Workgroup Bridges in a Lightweight Environment
Guidelines for Using Workgroup Bridges in a Lightweight Environment
Sample Workgroup Bridge Association Verification
Enabling VideoStream Support on Workgroup Bridges
CHAPTER 20 Managing Firmware and Configurations
Working with the Flash File System
Displaying Available File Systems
Setting the Default File System
Displaying Information About Files on a File System
Changing Directories and Displaying the Working Directory
Creating and Removing Directories
Copying Files
Deleting Files
Creating, Displaying, and Extracting tar Files
Creating a tar File
Displaying the Contents of a tar File
Extracting a tar File
Displaying the Contents of a File
Working with Configuration Files
Guidelines for Creating and Using Configuration Files
Configuration File Types and Location
Creating a Configuration File by Using a Text Editor
Copying Configuration Files by Using TFTP
Preparing to Download or Upload a Configuration File by Using TFTP
Downloading the Configuration File by Using TFTP
Uploading the Configuration File by Using TFTP
Copying Configuration Files by Using FTP
Preparing to Download or Upload a Configuration File by Using FTP
Downloading a Configuration File by Using FTP
Uploading a Configuration File by Using FTP
Copying Configuration Files by Using RCP
Preparing to Download or Upload a Configuration File by Using RCP
Downloading a Configuration File by Using RCP
Uploading a Configuration File by Using RCP
Clearing Configuration Information
Deleting a Stored Configuration File
Working with Software Images
Image Location on the Access Point
tar File Format of Images on a Server or Cisco.com
Copying Image Files by Using TFTP
Preparing to Download or Upload an Image File by Using TFTP
Downloading an Image File by Using TFTP
Uploading an Image File by Using TFTP
Copying Image Files by Using FTP
Preparing to Download or Upload an Image File by Using FTP
Downloading an Image File by Using FTP
Uploading an Image File by Using FTP
Copying Image Files by Using RCP
Preparing to Download or Upload an Image File by Using RCP
Downloading an Image File by Using RCP
Uploading an Image File by Using RCP
Reloading the Image Using the Web Browser Interface
Browser HTTP Interface
Browser TFTP Interface
CHAPTER 21 Configuring L2TPv3 Over UDP/IP
Prerequisites
Configuring L2TP Class
Configuring Pseudowire Class
Relationship between L2TP Class and Pseudowire Class
Configuring the Tunnel interface
Configure Tunnel management Interface
Mapping SSID to the Tunnel/Xconnect
Configuring TCP mss adjust
Configuring UDP checksum
CHAPTER 22 Configuring System Message Logging
Understanding System Message Logging
Configuring System Message Logging
System Log Message Format
Default System Message Logging Configuration
Disabling and Enabling Message Logging
Setting the Message Display Destination Device
Enabling and Disabling Timestamps on Log Messages
Enabling and Disabling Sequence Numbers in Log Messages
Defining the Message Severity Level
Limiting Syslog Messages Sent to the History Table and to SNMP
Setting a Logging Rate Limit
Configuring the System Logging Facility
Displaying the Logging Configuration
CHAPTER 23 Troubleshooting
Checking the LED Indicators
Checking Power
Low Power Condition
Checking Basic Settings
SSID
WEP Keys
Security Settings
Resetting to the Default Configuration
Using the MODE Button
Using the Web Browser Interface
Using the CLI
Reloading the Access Point Image
Using the MODE button
Using the Web Browser Interface
Browser HTTP Interface
Browser TFTP Interface
Using the CLI
Obtaining the Access Point Image File
Obtaining TFTP Server Software
Image Recovery on the 1520 Access Point
APPENDIX A Protocol Filters
APPENDIX B Supported MIBs
MIB List
Using FTP to Access the MIB Files
APPENDIX C Error and Event Messages
Conventions
Software Auto Upgrade Messages
Association Management Messages
Unzip Messages
System Log Messages
802.11 Subsystem Messages
Inter-Access Point Protocol Messages
Local Authenticator Messages
WDS Messages
Mini IOS Messages
Access Point/Bridge Messages
Cisco Discovery Protocol Messages
External Radius Server Error Messages
LWAPP Error Messages
Sensor Messages
SNMP Error Messages
SSH Error Messages
GLOSSARY

Preface

Audience

This guide is for the networking professional who installs and manages Cisco Aironet Access Points in Autonomous mode. To use this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of wireless local area networks.
The guide covers Cisco IOS Release 15.3(3)JAB. The following access point platforms are supported:
AP 802
AP 1040
AP 1140
AP 1260
AP 1530
AP 1550
AP 1600
AP 1700
AP 2600
AP 2700
AP 3500
AP 3600
AP 3700
Note: This guide does not cover lightweight access points. Configuration for these devices can be found in the appropriate installation and configuration guides on Cisco.com.

Purpose

This guide provides the information you need to install and configure your access point. This guide provides procedures for using the Cisco IOS software commands that have been created or changed for use with the access point. It does not provide detailed information about these commands. For detailed information about these commands, refer to the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges for this release. For information about the standard Cisco IOS software commands, refer to the Cisco IOS software documentation set available from the Cisco.com home page at Support > Documentation.
This guide also includes an overview of the access point web-based interface (APWI), which contains all the functionality of the command-line interface (CLI). This guide does not provide field-level descriptions of the APWI windows, nor does it provide the procedures for configuring the access point from the APWI. For all APWI window descriptions and procedures, refer to the access point online help, which is available from the Help buttons on the APWI pages.

Configuration Procedures and Examples

The procedures and examples given in this guide have been documented as seen on the Cisco Aironet 3600 Series Access Points.
To view the latest configuration examples, visit Cisco Tech Zone (https://techzone.cisco.com). In the Tech Zone Navigator, browse to Wireless LAN > Autonomous APs (IOS) - Knowledge base for Autonomous (IOS) Wireless Deployments.
Note: You need to have an account on Cisco.com to access Cisco Tech Zone. If you do not have an account, you can create one by clicking Register Now on the Log In page.

Organization

This guide is organized into these chapters:
Chapter 1, “Overview of Access Point Features,” lists the software and hardware features of the access point and describes the access point role in your network.
Chapter 2, “Using the Web-Browser Interface,” describes how to use the web-browser interface to configure the access point.
Chapter 3, “Using the Command-Line Interface,” describes how to use the command-line interface (CLI) to configure the access point.
Chapter 4, “Configuring the Access Point for the First Time,” describes how to configure basic settings on a new access point.
Chapter 5, “Administrating the Access Point,” describes how to perform one-time operations to administer your access point, such as preventing unauthorized access to the access point, setting the system date and time, and setting the system name and prompt.
Chapter 6, “Configuring Radio Settings,” describes how to configure settings for the access point radio such as the role in the radio network, transmit power, channel settings, and others.
Chapter 7, “Configuring Multiple SSIDs,” describes how to configure and manage multiple Service Set Identifiers (SSIDs) and multiple basic SSIDs (BSSIDs) on your access point. You can configure up to 16 SSIDs and up to eight BSSIDs on your access point.
Chapter 8, “Configuring Spanning Tree Protocol,” describes how to configure Spanning Tree Protocol (STP) on your access point, bridge, or access point operating in a bridge mode. STP prevents bridge loops from occurring in your network.
Chapter 9, “Configuring an Access Point as a Local Authenticator,” describes how to configure the access point to act as a local RADIUS server for your wireless LAN. If the WAN connection to your main RADIUS server fails, the access point acts as a backup server to authenticate wireless devices.
Chapter 10, “Configuring WLAN Authentication and Encryption,” describes how to configure the cipher suites required to use authenticated key management, Wired Equivalent Privacy (WEP), and WEP features including MIC, CMIC, TKIP, CKIP, and broadcast key rotation.
Chapter 11, “Configuring Authentication Types,” describes how to configure authentication types on the access point. Client devices use these authentication methods to join your network.
Chapter 12, “Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services,” describes how to configure the access point to participate in WDS, to allow fast reassociation of roaming client services, and to participate in radio management.
Chapter 13, “Configuring RADIUS and TACACS+ Servers,” describes how to enable and configure the RADIUS and Terminal Access Controller Access Control System Plus (TACACS+), which provide detailed accounting information and flexible administrative control over authentication and authorization processes.
Chapter 14, “Configuring VLANs,” describes how to configure your access point to interoperate with the VLANs set up on your wired LAN.
Chapter 15, “Configuring QoS,” describes how to configure and manage MAC address, IP, and EtherType filters on the access point using the web-browser interface.
Chapter 16, “Configuring Filters,” describes how to configure and manage MAC address, IP, and EtherType filters on the access point using the web-browser interface.
Chapter 17, “Configuring CDP,” describes how to configure Cisco Discovery Protocol (CDP) on your access point. CDP is a device-discovery protocol that runs on all Cisco network equipment.
Chapter 18, “Configuring SNMP,” describes how to configure the Simple Network Management Protocol (SNMP) on your access point.
Chapter 19, “Configuring Repeater and Standby Access Points and Workgroup Bridge Mode,” describes how to configure your access point as a hot standby unit or as a repeater unit.
Chapter 20, “Managing Firmware and Configurations,” describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.
Chapter 21, “Configuring L2TPv3 Over UDP/IP,” describes how to configure the Layer 2 Tunneling Protocol (L2TPv3), which is a tunneling protocol that enables tunneling of Layer 2 packets over IP core networks.
Chapter 22, “Configuring System Message Logging,” describes how to configure system message logging on your access point.
Chapter 23, “Troubleshooting,” provides troubleshooting procedures for basic problems with the access point.
Appendix A, “Protocol Filters,” lists some of the protocols that you can filter on the access point.
Appendix B, “Supported MIBs,” lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release.
Appendix C, “Error and Event Messages,” lists the CLI error and event messages and provides an explanation and recommended action for each message.

Conventions

This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
Commands and keywords are in boldface text.
Arguments for which you supply values are in italic.
Square brackets ([ ]) mean optional elements.
Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
Interactive examples use these conventions:
Terminal sessions and system displays are in screen font.
Information you enter is in boldface screen font.
Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and timesavers use these conventions and symbols:
Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Tip Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.

Related Publications

Release Notes for Cisco Aironet Access Points and Bridges for Cisco IOS Release 15.3(3)JAB.
For each of the supported access points, the following types of guides have been provided as required on its respective support page on Cisco.com:
Access Point Getting Started Guide
Access Point Hardware Installation Guide (Only in cases where hardware installation is not covered in the Getting Started Guide)
Installation Instructions for Cisco Aironet Power Injectors
Access Point Deployment Guide
Cisco Aironet 802.11 a/b/g/n/ac Radio Installation and Upgrade Instructions

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Chapter 1

Overview of Access Point Features

Cisco Aironet Access Points (hereafter called access points, or abbreviated as APs) provide a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, Cisco Aironet access points are Wi-Fi certified, and depending on the specific model are 802.11a-compliant, 802.11b-compliant, 802.11g-compliant, 802.11n-compliant, and 802.11ac-compliant wireless LAN transceivers.
Note When booting up a 1530, 1700, or a 2700 series AP for the first time, it will boot up with a unified mode software image. To deploy the AP in an autonomous network, use the following command from the AP console or Telnet to force the AP to reboot using the autonomous mode software image:
capwap ap autonomous
For more information on software images on the AP, see Working with Software Images, page 20-18.
You can configure and monitor the wireless device using the command-line interface (CLI), the browser-based management system, or Simple Network Management Protocol (SNMP).
This chapter contains the following sections:
Radios in Access Points, page 1-1
New Features and Platforms in this Release, page 1-2
Management Options, page 1-4
Roaming Client Devices, page 1-5
Network Configuration Examples, page 1-5

Radios in Access Points

An access point serves as the connection point between wireless and wired networks or as the center point of a stand-alone wireless network. In large installations, wireless users within the radio range of an access point can roam throughout a facility while maintaining seamless, uninterrupted access to the network.
Each access point platform contains one, two, or three radios. For more information on the radios supported by each access point model, see the corresponding Access Point Data Sheet.

New Features and Platforms in this Release

For full information on the new features and updates to existing features in this release, see the Release Notes for Autonomous Cisco Aironet Access Points and Bridges for Cisco IOS Release 15.3(3)JA.
For the full list of CLI commands supported in this release, see the Cisco IOS Command Reference for Autonomous Cisco Aironet Access Points and Bridges, Cisco IOS Release 15.3(3)JA.
Note The proxy Mobile-IP feature is not supported in Cisco IOS Release 12.3(2)JA and later.

New Access Point Platforms Supported

This release supports the following new access point platforms:
Support for Cisco Aironet 3700 Series access point
This access point is built on 4x4:3(2.4GHz), 4x4:3(5GHz) MIMO technology, with integrated and external antenna options, and supports 802.11a,b,g,n,ac.
Supported models are 3700E and 3700I
Supported operating modes are:
Root
Root Bridge
Non Root Bridge
Workgroup Bridge
Scanner
Spectrum
Repeater
Support for Cisco Aironet 2700 Series access point
This access point is built on 3x4:3(2.4GHz), 4x4:3(5GHz) MIMO technology, with integrated and external antenna options, and supports 802.11a,b,g,n,ac. This access point has both primary and secondary gigabit Ethernet ports. The primary port is gigabit Ethernet 0 and is the backhaul port. The primary port can be set as trunk port. The secondary port is gigabitEthernet 1, and is the access port. You can configure the secondary port to a VLAN ID using the interface configuration command bridge multiple-port client-vlan vlan-id.
Supported models are 2700E and 2700I
Supported operating modes are:
Root
Root Bridge
Non Root Bridge
Workgroup Bridge
Scanner
Spectrum
Repeater
Support for Cisco Aironet 1700 Series access point
This access point is built on 3x4:3(2.4GHz), 4x4:3(5GHz) MIMO technology, and comes with integrated antennas, and supports 802.11a,b,g,n,ac. This access point has both primary and secondary gigabit Ethernet ports. The primary port is gigabit Ethernet 0 and is the backhaul port. The primary port can be set as trunk port. The secondary port is gigabitEthernet 1, and is the access port. You can configure the secondary port to a VLAN ID using the interface configuration command bridge multiple-port client-vlan vlan-id.
Supported model is 1700I
Supported operating modes are:
Root
Root Bridge
Non Root Bridge
Workgroup Bridge
Scanner
Spectrum
Repeater

New Features

Multiple Port Support for Cisco Aironet 1550 Series Outdoor Access Points
The 1550 series has four Ethernet ports – PoE-In port, PoE-Out port, Auxiliary port, and SFP Port. All four ports are supported in the current release. This series also has an internal cable modem in the 1552C and 1552CU models. The cable modem connects to the Auxiliary port.
You can set the PoE-In port, SFP port, or the Auxiliary port as the primary Ethernet port. You can set the primary Ethernet port using the configuration command:
dot11 primary-ethernet-port port-number-0to3
You can set the primary Ethernet port as a trunk and handle multiple VLANs, but the secondary ports can be set as access ports only. To configure the vlan-id in secondary ports, use the interface configuration command bridge multiple-port client-vlan vlan-id

Automatic Configuring of the Access Point
The Autoconfig feature of autonomous access points allows the AP to download its configuration, periodically, from a Secure Copy Protocol (SCP) server. For more information, see Automatic Configuring of the Access Point, page 4-34.
Support for L2TPv3
Layer 2 Tunneling Protocol (L2TPv3) is a tunneling protocol that enables tunneling of Layer 2 packets over IP core networks.
For detailed information, see Chapter 21, “Configuring L2TPv3 Over UDP/IP.”

Configuration and CLI Changes in this Release

The following updates and new additions have been made:
For Cisco Aironet 2700 series access points, you can configure the secondary port to a VLAN ID using the interface configuration command bridge multiple-port client-vlan vlan-id
For Cisco Aironet 1550 series outdoor access points:
You can set the PoE-In port, SFP port, or the Auxiliary port as the primary Ethernet port. You can set the primary Ethernet port using the configuration command:
dot11 primary-ethernet-port port-number-0to3
You can set the primary Ethernet port as a trunk and handle multiple VLANs, but the secondary ports can be set as access ports only. To configure the vlan-id in secondary ports, use the interface configuration command bridge multiple-port client-vlan vlan-id
Removal of WPA/TKIP Configuration—Wi-Fi certified access points no longer support a WPA/TKIP configuration. TKIP is only allowed in combination with WPA2/AES for backward compatibility to allow older TKIP-only devices to associate.
Authentication key-management WPA version 1 will be changed to authentication key-management WPA. The following message will be displayed:
Warning: WPA Version 1 no longer permitted by itself - WPA2 has been enabled
The WPA version 1 option has been removed from the authentication key-management WPA CLI, and configuring TKIP only under this interface is not supported. It will be changed to aes-ccm tkip to work in mixed mode, with the following message on the AP console:
Warning: TKIP encryption no longer permitted by itself - AES-CCM has been enabled

Management Options

You can use the wireless device management system through the following interfaces:
The Cisco IOS command-line interface (CLI), which you use through a console port or Telnet session. Use the interface dot11radio global configuration command to place the wireless device into the radio configuration mode. Most of the examples in this manual are taken from the CLI. Chapter 3, “Using the Command-Line Interface,” provides a detailed description of the CLI.
A web-browser interface, which you use through a Web browser. Chapter 2, “Using the Web-Browser Interface,” provides a detailed description of the web-browser interface.
Simple Network Management Protocol (SNMP). Chapter 18, “Configuring SNMP,” explains how to configure the wireless device for SNMP management.

Roaming Client Devices

If you have more than one wireless device in your wireless LAN, wireless client devices can roam seamlessly from one wireless device to another. The roaming functionality is based on signal quality, not proximity. When signal quality drops from a client, it roams to another access point.
Wireless LAN users are sometimes concerned when a client device stays associated to a distant access point instead of roaming to a closer access point. However, if a client signal to a distant access point remains strong and the signal quality is high, the client will not roam to a closer access point. Checking constantly for closer access points would be inefficient, and the extra radio traffic would slow throughput on the wireless LAN.
Using Cisco Centralized Key Management (CCKM) or 802.11r, with a device providing wireless distribution system (WDS), client devices can roam from one access point to another so quickly that there is no perceptible delay in voice or other time-sensitive applications.

Network Configuration Examples

This section describes the role of an access point in common wireless network configurations. The access point default configuration is as a root unit connected to a wired LAN or as the central unit in an all-wireless network. Access points can also be configured as repeater access points, bridges, and workgroup bridges. These roles require specific configurations.

Root Access Point

An access point connected directly to a wired LAN provides a connection point for wireless users. If more than one access point is connected to the LAN, users can roam from one area of a facility to another without losing their connection to the network. As users move out of range of one access point, they automatically connect to the network (associate) through another access point. The roaming process is seamless and transparent to the user. Figure 1-1 shows access points acting as root units on a wired LAN.
Figure 1-1 Access Points as Root Units on a Wired LAN

Repeater Access Point

An access point can be configured as a stand-alone repeater to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. The repeater forwards traffic between wireless users and the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN. The data is sent through the route that provides the best performance for the client. Figure 1-2 shows an access point acting as a repeater. Consult the “Configuring a Repeater Access Point” section on page 19-3 for instructions on setting up an access point as a repeater.
Note Non-Cisco client devices might have difficulty communicating with repeater access points.
Figure 1-2 Access Point as Repeater

Bridges

Access points can be configured as root or non-root bridges. In this role, an access point establishes a wireless link with a non-root bridge. Traffic is passed over the link to the wired LAN. Access points in root and non-root bridge roles can be configured to accept associations from clients. Figure 1-3 shows an access point configured as a root bridge with clients. Figure 1-4 shows two access points configured as a root and non-root bridge, both accepting client associations. Consult the “Configuring the Role in Radio Network” section on page 6-3 for instructions on setting up an access point as a bridge.
When wireless bridges are used in a point-to-multipoint configuration, the throughput is reduced depending on the number of non-root bridges that associate with the root bridge. With a link data rate at 54 Mbps, the maximum throughput is about 25 Mbps in a point-to-point link. The addition of three bridges to form a point-to-multipoint network reduces the throughput to about 12.5 Mbps.
Figure 1-3 Access Point as a Root Bridge with Clients
Figure 1-4 Access Points as Root and Non-root Bridges with Clients

Workgroup Bridge

You can configure access points as workgroup bridges. In workgroup bridge mode, the unit associates to another access point as a client and provides a network connection for the devices connected to its Ethernet port. For example, if you need to provide wireless connectivity for a group of network printers, you can connect the printers to a hub or to a switch, connect the hub or switch to the access point Ethernet port, and configure the access point as a workgroup bridge. The workgroup bridge associates to an access point on your network.
If your access point has multiple radios, either radio can function in workgroup bridge mode.
Figure 1-5 shows an access point configured as a workgroup bridge. Consult the “Understanding Workgroup Bridge Mode” section on page 19-13 and the “Configuring Workgroup Bridge Mode” section on page 19-17 for information on configuring your access point as a workgroup bridge.
Figure 1-5 Access Point as a Workgroup Bridge

Central Unit in an All-Wireless Network

In an all-wireless network, an access point acts as a stand-alone root unit. The access point is not attached to a wired LAN; it functions as a hub linking all stations together. The access point serves as the focal point for communications, increasing the communication range of wireless users. Figure 1-6 shows an access point in an all-wireless network.
Figure 1-6 Access Point as Central Unit in All-Wireless Network
Chapter 2

Using the Web-Browser Interface

This chapter describes the web-browser interface that you can use to configure the wireless device. This chapter contains the following sections:
Using the Web-Browser Interface for the First Time, page 2-2
Using the Management Pages in the Web-Browser Interface, page 2-2
Enabling HTTPS for Secure Browsing, page 2-5
Using Online User Guides, page 2-7
Disabling the Web-Browser Interface, page 2-7
The web-browser interface contains management pages that you use to change the wireless device settings, upgrade firmware, and monitor and configure other wireless devices on the network.
Note The wireless device web-browser interface is fully compatible with Microsoft Internet Explorer version 9.0 and Mozilla Firefox version 17.
Note Avoid using both the CLI and the web-browser interfaces to configure the wireless device. If you configure the wireless device using the CLI, the web-browser interface might display an inaccurate interpretation of the configuration. However, the inaccuracy does not necessarily mean that the wireless device is misconfigured.

Using the Web-Browser Interface for the First Time

Use the wireless device IP address to browse to the management system. See the “Logging into the Access Point” section on page 4-3 for instructions on assigning an IP address to the wireless device.
Follow these steps to begin using the web-browser interface:
Step 1 Start the browser.
Step 2 Enter the wireless device IP address in the address bar of the browser and press Enter.
The Summary Status page appears.

Using the Management Pages in the Web-Browser Interface

The system management pages use consistent techniques to present and save configuration information. You can use the navigation bar present at the top of a page to select the main menu options. Another navigation bar is present on the left side of the page, to use for navigating through the sub menus. You can use the navigation bar to browse to other management pages, and use the configuration action buttons to save or cancel changes to the configuration.
Note It is important to remember that clicking your web-browser Back button returns you to the previous page without saving any changes you have made. Clicking Cancel cancels any changes you made in the page and keeps you on that page. Changes are only applied when you click Apply.
Figure 2-1 shows the web-browser interface home page.
Figure 2-1 Web-Browser Interface Home Page

Using Action Buttons

Table 2-1 lists the page links and buttons that appear on the management page.
Table 2-1 Buttons and Links on the Management Page
Button/Link: Description
Navigation Links
Home: Displays wireless device status page with information on the number of radio devices associated to the wireless device, the status of the Ethernet and radio interfaces, and a list of recent wireless device activity.
Easy Setup: Displays the Easy Setup page that includes basic settings such as system name, IP address, and role in radio network.
Network: Displays a list of infrastructure devices on your wireless LAN. Provides configuration submenus for the access point interfaces (radio and Ethernet).
Association: Displays a list of all devices on your wireless LAN, listing their system names, network roles, and parent-client relationships.
Wireless: Displays a summary of wireless Domain services configuration and devices, and provides links to WDS configuration pages.
Security: Displays a summary of security settings and provides links to security configuration pages.
Services: Displays status for several wireless device features and links to configuration pages for Telnet/SSH, CDP, domain name server, filters, QoS, SNMP, SNTP, and VLANs.
Management: Displays a list of current guest users and provides links to configuration pages for guest users and web authentication pages.
Software: Displays the version number of the firmware that the wireless device is running and provides links to configuration pages for upgrading and managing firmware.
Event Log: Displays the wireless device event log and provides links to configuration pages where you can select events to be included in traps, set event severity levels, and set notification methods.
Configuration Action Buttons
Apply: Saves changes made on the page and remains on the page.
Refresh: Updates status information or statistics displayed on a page.
Cancel: Discards changes to the page and remains on the page.
Back: Discards any changes made to the page and returns to the previous page.
Logout: Exits the AP configuration web interface without saving.
Ping: Pings an IPv4 or IPv6 address.
Save Configuration: Saves the AP’s current configuration to NVRAM.

Character Restrictions in Entry Fields

You cannot use the following characters in the entry fields on the web-browser interface. This is true for all access points using Cisco IOS software.
“ ] + /
Tab
Trailing space

Enabling HTTPS for Secure Browsing

You can protect the communication with the access point web-browser interface by enabling HTTPS. HTTPS protects HTTP browser sessions by using the Secure Socket Layer (SSL) protocol.
Note When you enable HTTPS, your browser might lose its connection to the access point. If you lose the connection, change the URL in your browser address line from http://ip_address to https://ip_address and log into the access point again.
Note When you enable HTTPS, most browsers prompt you for approval each time you browse to a device that does not have a fully qualified domain name (FQDN). To avoid the approval prompts, create an FQDN for the access point as detailed in the following procedure.
Follow these steps to create an FQDN and enable HTTPS:
Step 1 If your browser uses popup-blocking software, disable the popup-blocking feature.
Step 2 Choose Easy Setup > Network Configuration.
The Network Configuration page appears.
Step 3 Enter a name for the access point in the Host Name field, and then click Apply.
Step 4 Choose Services > DNS page.
The Services: DNS - Domain Name Service page appears.
Step 5 In the Domain Name System (DNS) field, click the Enable radio button.
Step 6 In the Domain Name field, enter your company’s domain name.
Step 7 Enter at least one IP address for your DNS server in the Name Server IPv4/IPv6 Addresses fields.
Step 8 Click Apply.
The access point FQDN is a combination of the system name and the domain name. For example, if your system name is ap3600 and your domain name is company.com, the FQDN is ap3600.company.com.
Step 9 Enter the FQDN on your DNS server.
Tip If you do not have a DNS server, you can register the access point FQDN with a dynamic DNS service. Search the Internet for dynamic DNS to find a fee-based DNS service.
Step 10 Choose Services > HTTP.
The Services: HTTP - Web Server page is displayed.
Step 11 In the Web-based Configuration Management field, select the Enable Secure (HTTPS) Browsing check box.
Step 12 In the Domain Name field, enter a domain name, and then click Apply.
Note Enabling HTTPS automatically disables HTTP. To maintain HTTP access with HTTPS enabled, check the Enable Secure (HTTPS) Browsing check box, and then check the Enable Standard (HTTP) Browsing check box. Although you can enable both standard HTTP and HTTPS, we recommend that you enable only one.
A warning appears stating that you will now use secure HTTP to browse to the access point. The warning also displays the new URL containing https, which you will need to use to browse to the access point.
Step 13 In the warning box, click OK.
The address in your browser address line changes from http://<ip-address> to https://<ip-address>.
Step 14 Another warning appears stating that the access point security certificate was not issued by a trusted certificate authority. However, you can ignore this warning. Click Continue to this Website (not recommended).
Note The following steps assume that you are using Microsoft Internet Explorer. If you are not, please refer to your browser documentation for more information on how to access web sites using self signed certificates.
Step 15 The access point login window appears and you must log in to the access point again. The default username is Cisco (case-sensitive) and the default password is Cisco (case-sensitive).
Step 16 To display the access point’s security certificate, click the Certificate error icon in the address bar.
Step 17 Click View Certificates.
Step 18 In the Certificate window, click Install Certificate.
The Microsoft Windows Certificate Import Wizard appears.
Step 19 Click Next.
The next screen asks where you want to store the certificate. We recommend that you use the default storage area on your system.
Step 20 Click Next to accept the default storage area.
You have now successfully imported the certificate.
Step 21 Click Finish.
A security warning is displayed.
Step 22 Click Yes.
A message box stating that the installation is successful is displayed.
Step 23 Click OK.

CLI Configuration Example

This example shows the CLI commands that are equivalent to the steps listed in the “Enabling HTTPS for Secure Browsing” section on page 2-5:
AP# configure terminal
AP(config)# hostname ap3600
AP(config)# ip domain name company.com
AP(config)# ip name-server 10.91.107.18
AP(config)# ip http secure-server
AP(config)# end
In this example, the access point system name is ap3600, the domain name is company.com, and the IP address of the DNS server is 10.91.107.18.
For complete descriptions of the commands used in this example, consult the Cisco IOS Commands Master List, Release 12.4. Click this link to browse to the master list of commands:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/124htnml.htm
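As a check on the outcome of the procedure and CLI example above, the following added Python example (not part of the Cisco guide and not Cisco code) audits saved configuration text for the web-management settings this chapter discusses: whether standard HTTP is enabled alongside or instead of HTTPS, and whether a host name and domain name are both set so the access point has an FQDN. The sample configurations are constructed, the function names and finding codes are hypothetical, and the script assumes a service is enabled only when its command line appears in the saved text.

```python
"""Audit the web-management lines of a saved autonomous-AP configuration.

Added example, not Cisco code. Assumption: a service counts as enabled only
when its command line appears in the saved text.
"""
import re

# Constructed sample configurations (not captured from real devices).
SAMPLE_BOTH = """\
hostname ap3600
ip domain name company.com
ip name-server 10.91.107.18
ip http server
ip http secure-server
"""
SAMPLE_HTTPS_ONLY = """\
hostname ap3600
ip domain name company.com
ip name-server 10.91.107.18
no ip http server
ip http secure-server
"""
SAMPLE_NO_FQDN = """\
hostname ap
ip http secure-server
"""
SAMPLE_HTTP_ONLY = """\
hostname ap
ip http server
"""


def parse_web_mgmt(config_text):
    """Collect host name, domain name and HTTP/HTTPS server state.

    Later lines override earlier ones, and a leading "no " negates a command.
    """
    state = {"hostname": None, "domain": None, "http": False, "https": False}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line or line.startswith("!"):  # skip blanks and comments
            continue
        negated = line.startswith("no ")
        if negated:
            line = line[3:]
        if line == "ip http server":
            state["http"] = not negated
        elif line == "ip http secure-server":
            state["https"] = not negated
        else:
            m = re.fullmatch(r"(hostname|ip domain[ -]name)(?: (\S+))?", line)
            if m:
                key = "hostname" if m.group(1) == "hostname" else "domain"
                state[key] = None if negated else m.group(2)
    return state


def fqdn(state):
    """FQDN as the guide defines it: system name plus domain name."""
    if state["hostname"] and state["domain"]:
        return f'{state["hostname"]}.{state["domain"]}'
    return None


def audit(config_text):
    """Return a list of (code, message) findings; an empty list means clean."""
    state = parse_web_mgmt(config_text)
    findings = []
    if state["http"] and state["https"]:
        findings.append(("HTTP_AND_HTTPS",
                         "standard HTTP is enabled together with HTTPS; "
                         "the guide recommends enabling only one"))
    elif state["http"]:
        findings.append(("HTTP_ONLY",
                         "web management runs over standard HTTP only; "
                         "sessions are not protected by HTTPS"))
    if state["https"] and fqdn(state) is None:
        findings.append(("NO_FQDN",
                         "HTTPS is enabled but host name and domain name are "
                         "not both set, so the access point has no FQDN"))
    return findings


if __name__ == "__main__":
    samples = {"both": SAMPLE_BOTH, "https-only": SAMPLE_HTTPS_ONLY,
               "no-fqdn": SAMPLE_NO_FQDN, "http-only": SAMPLE_HTTP_ONLY}
    for name, text in samples.items():
        print(name, fqdn(parse_web_mgmt(text)), [c for c, _ in audit(text)])
```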

Deleting an HTTPS Certificate

The access point generates a certificate automatically when you enable HTTPS. However, if you need to change the fully qualified domain name (FQDN) for an access point, or you need to add an FQDN after enabling HTTPS, you might need to delete the certificate. Follow these steps:
Step 1 Browse to the Services: HTTP Web Server page.
Step 2 Uncheck the Enable Secure (HTTPS) Browsing check box to disable HTTPS.
Step 3 Click Delete Partial SSL certificate to delete the certificate.
Step 4 Click Apply. The access point generates a new certificate using the new FQDN.

CLI Commands for Deleting an HTTPS Certificate
In the global configuration mode, use the following commands for deleting an HTTPS certificate.
Step | Command | Purpose
Step 1 | no ip http secure-server | Disables HTTPS.
Step 2 | crypto key zeroize rsa name-of-rsa-key | Deletes the RSA key for the HTTP server. All the router certificates (HTTPS certificates) issued using these keys are removed along with it.

Using Online User Guides

In the web-browser interface, click the help icon at the top of the Home page to open the online version of this guide (Cisco IOS Configuration Guide for Autonomous Cisco Aironet Access Points). You can view the guide online or download a PDF version of the guide for offline reference. The online guide is periodically updated and therefore gives you more up-to-date information.

Disabling the Web-Browser Interface

To prevent all use of the web-browser interface, select the Disable Web-Based Management check box on the Services: HTTP-Web Server page and click Apply.
To re-enable the web-browser interface, enter this global configuration command on the access point CLI:
ap(config)# ip http server

CHAPTER 3

Using the Command-Line Interface

This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure the wireless device. It contains the following sections:
Cisco IOS Command Modes
Getting Help
Abbreviating Commands
Using the no and Default Forms of Commands
Understanding CLI Messages
Using Command History
Using Editing Features
Searching and Filtering Output of show and more Commands
Accessing the CLI

Cisco IOS Command Modes

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
When you start a session on the wireless device, you begin in user mode, often called user EXEC mode. A subset of the Cisco IOS commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved when the wireless device reboots.
To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. You must be in privileged EXEC mode before you can enter global configuration mode.
Using the configuration modes (global, interface, and line), you can make changes to the running configuration. If you save the configuration, these commands are stored and used when the wireless device reboots. To access the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and line configuration mode.
Table 3-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name ap.
Table 3-1 Command Mode Summary
Mode | Access Method | Prompt | Exit Method | About This Mode
User EXEC | Begin a session with the wireless device. | ap> | Enter logout or quit. | Use this mode to change terminal settings, perform basic tests, and display system information.
Privileged EXEC | While in user EXEC mode, enter the enable command. | ap# | Enter disable to exit. | Use this mode to verify commands. Use a password to protect access to this mode.
Global configuration | While in privileged EXEC mode, enter the configure command. | ap(config)# | To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z. | Use this mode to configure parameters that apply to the entire wireless device.
Interface configuration | While in global configuration mode, enter the interface command (with a specific interface). | ap(config-if)# | To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end. | Use this mode to configure parameters for the Ethernet and radio interfaces. The 2.4-GHz radio and the 802.11n 2.4-GHz radio is radio 0. The 5-GHz radio and the 802.11n 5-GHz radio is radio 1.

Getting Help

You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 3-2.
Table 3-2 Help Summary
Command | Purpose
help | Obtains a brief description of the help system in any command mode.
abbreviated-command-entry? | Obtains a list of commands that begin with a particular character string. For example: ap# di? (output: dir disable disconnect)
abbreviated-command-entry<Tab> | Completes a partial command name. For example: ap# sh conf<tab> (completed to: ap# show configuration)
? | Lists all commands available for a particular command mode. For example: ap> ?
command ? | Lists the associated keywords for a command. For example: ap> show ?
command keyword ? | Lists the associated arguments for a keyword. For example: ap(config)# cdp holdtime ? (output: <10-255> Length of time (in sec) that receiver must keep this packet)

Abbreviating Commands

You have to enter only enough characters for the wireless device to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command:
ap# show conf

Using the no and Default Forms of Commands

Most configuration commands also have a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default.
Configuration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.

Understanding CLI Messages

Table 3-3 lists some error messages that you might encounter while using the CLI to configure the wireless device.
Table 3-3 Common CLI Error Messages
Error Message | Meaning | How to Get Help
% Ambiguous command: "show con" | You did not enter enough characters for the wireless device to recognize the command. | Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command are displayed.
% Incomplete command. | You did not enter all the keywords or values required by this command. | Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command are displayed.
% Invalid input detected at ‘^’ marker. | You entered the command incorrectly. The caret (^) marks the point of the error. | Enter a question mark (?) to display all the commands that are available in this command mode. The possible keywords that you can enter with the command are displayed.

Using Command History

The CLI provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize the command history feature to suit your needs as described in these sections:
Changing the Command History Buffer Size
Recalling Commands
Disabling the Command History Feature

Changing the Command History Buffer Size

By default, the wireless device records ten command lines in its history buffer. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the wireless device records during the current terminal session:
ap# terminal history [size number-of-lines]
The range is from 0 to 256.
Beginning in line configuration mode, enter this command to configure the number of command lines the wireless device records for all sessions on a particular line:
ap(config-line)# history [size number-of-lines]
The range is from 0 to 256.

Recalling Commands

To recall commands from the history buffer, perform one of the actions listed in Table 3-4.
Table 3-4 Recalling Commands
Action [1] | Result
Press Ctrl-P or the up arrow key. | Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Press Ctrl-N or the down arrow key. | Return to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands.
show history | While in privileged EXEC mode, list the last several commands that you just entered. The number of commands that are displayed is determined by the setting of the terminal history global configuration command and history line configuration command.
[1] The arrow keys function only on ANSI-compatible terminals such as VT100s.

Disabling the Command History Feature

The command history feature is automatically enabled.
To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command.
To disable command history for the line, enter the no history line configuration command.

Using Editing Features

This section describes the editing features that can help you manipulate the command line. It contains these sections:
Enabling and Disabling Editing Features
Editing Commands Through Keystrokes
Editing Command Lines that Wrap

Enabling and Disabling Editing Features

Although enhanced editing mode is automatically enabled, you can disable it.
To re-enable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode:
ap# terminal editing
To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode:
ap(config-line)# editing
To globally disable enhanced editing mode, enter this command in line configuration mode:
ap(config-line)# no editing

Editing Commands Through Keystrokes

Table 3-5 shows the keystrokes that you need to edit command lines.
Table 3-5 Editing Commands Through Keystrokes
Keystroke [1] | Purpose
Capability: Move around the command line to make changes or corrections.
Ctrl-B or the left arrow key | Move the cursor back one character.
Ctrl-F or the right arrow key | Move the cursor forward one character.
Ctrl-A | Move the cursor to the beginning of the command line.
Ctrl-E | Move the cursor to the end of the command line.
Esc B | Move the cursor back one word.
Esc F | Move the cursor forward one word.
Ctrl-T | Transpose the character to the left of the cursor with the character located at the cursor.
Capability: Recall commands from the buffer and paste them in the command line. The wireless device provides a buffer with the last ten items that you deleted.
Ctrl-Y | Recall the most recent entry in the buffer.
Esc Y | Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.
Capability: Delete entries if you make a mistake or change your mind.
Delete or Backspace | Erase the character to the left of the cursor.
Ctrl-D | Delete the character at the cursor.
Ctrl-K | Delete all characters from the cursor to the end of the command line.
Ctrl-U or Ctrl-X | Delete all characters from the cursor to the beginning of the command line.
Ctrl-W | Delete the word to the left of the cursor.
Esc D | Delete from the cursor to the end of the word.
Capability: Capitalize or lowercase words or capitalize a set of letters.
Esc C | Capitalize at the cursor.
Esc L | Change the word at the cursor to lowercase.
Esc U | Capitalize letters from the cursor to the end of the word.
Capability: Designate a particular keystroke as an executable command, perhaps as a shortcut.
Ctrl-V or Esc Q
Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
Note The More prompt appears for output that has more lines than can be displayed on the terminal screen, including show command output. You can use the Return and Space bar keystrokes whenever you see the More prompt.
Return | Scroll down one line.
Space | Scroll down one screen.
Capability: Redisplay the current command line if the wireless device suddenly sends a message to your screen.
Ctrl-L or Ctrl-R | Redisplay the current command line.
[1] The arrow keys function only on ANSI-compatible terminals such as VT100s.

Editing Command Lines that Wrap

You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.
To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You can also press Ctrl-A to immediately move to the beginning of the line.
Note The arrow keys function only on ANSI-compatible terminals such as VT100s.
In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
ap(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1
ap(config)# $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25
ap(config)# $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq
ap(config)# $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45
After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right:
ap(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$
The software assumes you have a terminal screen that is 80 columns wide. If you have a width other than that, use the terminal width privileged EXEC command to set the width of your terminal.
Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands Through Keystrokes” section on page 3-6.

Searching and Filtering Output of show and more Commands

You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see.
To use this functionality, enter a show or more command followed by the pipe character (|), one of the keywords begin, include, or exclude, and an expression that you want to search for or filter out:
command | {begin | include | exclude} regular-expression
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.
This example shows how to include in the output display only lines where the expression protocol appears:
ap# show interfaces | include protocol
Vlan1 is up, line protocol is up
Vlan10 is up, line protocol is down
GigabitEthernet0/1 is up, line protocol is down
GigabitEthernet0/2 is up, line protocol is up

Accessing the CLI

You can open the wireless device CLI using Telnet or Secure Shell (SSH).

Opening the CLI with Telnet

Follow these steps to open the CLI with Telnet. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check your PC operating instructions for detailed instructions for your operating system.
Step 1 Select Start > Programs > Accessories > Telnet.
If Telnet is not listed in your Accessories menu, select Start > Run, type Telnet in the entry field, and press Enter.
Step 2 In the Telnet window, type open followed by the wireless device IP address, and press Enter.
Step 3 At the username and password prompts, enter your administrator username and password. The default username is Cisco, and the default password is Cisco. The default enable password is also Cisco. Usernames and passwords are case-sensitive.

Opening the CLI with Secure Shell

Secure Shell Protocol is a protocol that provides a secure, remote connection to networking devices set up to use it. Secure Shell (SSH) is a software package that provides secure login sessions by encrypting the entire session. SSH features strong cryptographic authentication, strong encryption, and integrity protection. For detailed information on SSH, visit the homepage of SSH Communications Security, Ltd. at this URL: http://www.ssh.com/
SSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated. SSH versions 1 and 2 are supported in this release. See the “Configuring the Access Point for Secure Shell” section on page 5-27 for detailed instructions on setting up the wireless device for SSH access.
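The following Python script is an added example, not part of the Cisco guide: it checks a saved configuration for the exposures that this chapter and the web-browser interface chapter mention (the default Cisco account, plain HTTP management, Telnet on the vty lines). Both sample configurations are constructed, and the username and transport input statements are standard IOS configuration lines that this section does not show.

```python
import re
from typing import Dict, List, NamedTuple

DEFAULT_USERNAME = "Cisco"  # default administrator name given in the guide (case-sensitive)

# Constructed sample: an access point left close to its defaults.
WEAK_CONFIG = """\
hostname ap
username Cisco password 7 CONSTRUCTED-PLACEHOLDER
ip http server
no ip http secure-server
line con 0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
end
"""

# Constructed sample: the same device after hardening.
HARDENED_CONFIG = """\
hostname ap3600
username netops privilege 15 secret 5 CONSTRUCTED-PLACEHOLDER
no ip http server
ip http secure-server
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
end
"""


class Finding(NamedTuple):
    check: str
    detail: str


def split_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level statement to the indented sub-commands under it."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no settings
        if line[0] != " ":
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def audit_config(config: str) -> List[Finding]:
    """Return the management-plane exposures found in a saved configuration."""
    blocks = split_blocks(config)
    findings: List[Finding] = []

    # 1. The default administrator account is still defined.
    for stmt in blocks:
        m = re.match(r"username (\S+)", stmt)
        if m and m.group(1) == DEFAULT_USERNAME:
            findings.append(Finding(
                "default-username",
                f"account '{DEFAULT_USERNAME}' is still configured"))

    # 2. Web management over plain HTTP ('no ip http server' is a different key).
    if "ip http server" in blocks:
        https = "ip http secure-server" in blocks
        suffix = " alongside HTTPS" if https else " and HTTPS is not"
        findings.append(Finding(
            "http-management", "plain HTTP management is enabled" + suffix))

    # 3. Remote CLI: Telnet accepted, or the accepted protocols are not stated.
    for stmt, subs in blocks.items():
        if not stmt.startswith("line vty"):
            continue
        transports = [s.split()[2:] for s in subs if s.startswith("transport input")]
        if not transports:
            findings.append(Finding(
                "vty-transport-unset",
                f"{stmt}: no explicit 'transport input'; confirm on the device "
                "which protocols it accepts"))
        elif {"telnet", "all"} & set(transports[-1]):
            findings.append(Finding("vty-telnet", f"{stmt}: Telnet is accepted"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.check}] {f.detail}")
```

A vty block with no transport input line is reported separately rather than assumed safe or unsafe, because the protocols it accepts then depend on the software default of the device.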

CHAPTER 4

Configuring the Access Point for the First Time

This chapter describes how to configure basic settings on the wireless device for the first time. The contents of this chapter are similar to the instructions in the quick start guide that shipped with the wireless device. You can configure all the settings described in this chapter using the CLI, but it might be simplest to browse to the wireless device web-browser interface to complete the initial configuration and then use the CLI to enter additional settings for a more detailed configuration.
This chapter contains the following sections:
Before You Start
Logging into the Access Point
Obtaining and Assigning an IP Address
Connecting to the 1040, 1140, 1240, 1250, 1260, and 2600 Series Access Points Locally
Connecting to the 1550 Series Access Point Locally
Default Radio Settings
Assigning Basic Settings
CLI Configuration Examples
Configuring System Power Settings Access Points
Assigning an IP Address Using the CLI
Using a Telnet Session to Access the CLI
Configuring the 802.1X Supplicant
Configuring IPv6
Automatic Configuring of the Access Point
Note In this release, the access point radio interfaces are disabled by default.

Before You Start

Before you install the wireless device, make sure you are using a computer connected to the same network as the wireless device, and obtain the following information from your network administrator:
A system name for the wireless device
The case-sensitive wireless service set identifier (SSID) for your radio network
If not connected to a DHCP server, a unique IP address for the wireless device (such as 172.17.255.115)
If the wireless device is not on the same subnet as your PC, a default gateway address and subnet mask
A Simple Network Management Protocol (SNMP) community name and the SNMP file attribute (if SNMP is in use)
If you use IPSU to find the wireless device IP address, the access point MAC address. The MAC address can be found on the label on the bottom of the access point (such as 00164625854c).

Resetting the Device to Default Settings

If you need to start over during the initial setup process, you can reset the access point to factory default settings.
Resetting to Default Settings Using the MODE Button
Note Using the MODE button for resetting to default settings applies only to autonomous mode access points and not to lightweight mode access points.
Follow these steps to reset the access point to factory default settings using the access point MODE button:
Step 1 Disconnect power (the power jack for external power or the Ethernet cable for in-line power) from the access point.
Step 2 Press and hold the MODE button while you reconnect power to the access point.
Step 3 Hold the MODE button until the Status LED turns amber (approximately 1 to 2 seconds), and release the button. All access point settings return to factory defaults.
Resetting to Default Settings Using the GUI
Follow these steps to return to the default settings using the access point GUI:
Step 1 Open your Internet browser.
The wireless device web-browser interface is fully compatible with Microsoft Internet Explorer version 9.0 and Mozilla Firefox version 17.
Step 2 Enter the wireless device IP address in the browser address line and press Enter. An Enter Network Password window appears.
Step 3 Enter your username in the User Name field. The default username is Cisco.
Step 4 Enter the wireless device password in the Password field and press Enter. The default password is Cisco.
The Summary Status page appears.
Step 5 Click Software and the System Software screen appears.
Step 6 Click System Configuration and the System Configuration screen appears.
Step 7 Click the Reset to Defaults button to reset all settings, including the IP address, to factory defaults. To reset all settings except the IP address to defaults, click the Reset to Defaults (Except IP) button.
Resetting to Default Settings Using the CLI
Caution You should never delete any of the system files prior to resetting defaults or reloading software.
If you want to reset the access point to its default settings and a static IP address, use the write erase or erase /all nvram command. If you want to erase everything including the static IP address, in addition to the above commands, use the erase and erase boot static-ipaddr static-ipmask command.
From the privileged EXEC mode, you can reset the access point/bridge configuration to factory default values using the CLI by following these steps:
Step 1 Enter erase nvram: to erase all NVRAM files including the startup configuration.
Note The erase nvram command does not erase a static IP address.
Step 2 Follow the step below to erase a static IP address and subnet mask. Otherwise, go to step 3.
a. Enter write default-config.
Step 3 Enter Y when the following CLI message displays: Erasing the nvram filesystem will remove all configuration files! Continue? [confirm].
Step 4 Enter reload when the following CLI message displays: Erase of nvram: complete. This command reloads the operating system.
Step 5 Enter Y when the following CLI message displays: Proceed with reload? [confirm].
Caution To avoid damaging the configuration file, do not interrupt the boot process. Wait until the access point/bridge Install Mode LED begins to blink green before continuing with CLI configuration changes. You can also see the following CLI message when the load process has finished: Line protocol on Interface Dot11Radio0, changed state to up.
Step 6 After the access point/bridge reboots, you can reconfigure the access point by using the Web-browser interface if you previously assigned a static IP address, or the CLI if you did not.
The access point is configured with the factory default values including the IP address (set to receive an IP address using DHCP), from privileged EXEC mode. To obtain the new IP address for an access point/bridge, you can use the show interface bvi1 CLI command.

Logging into the Access Point

A user can log in to the access point using one of the following methods:
graphical user interface (GUI)
Telnet (if the AP is configured with an IP address)
console port
Note Not all models of Cisco Aironet Access Points have the console port. If the access point does not have a console port, use either the GUI or Telnet for access.
For information on logging into the AP through the GUI, refer to Using the Web-Browser Interface for the First Time, page 2-2.
For information on logging into the AP through the CLI, refer to Accessing the CLI, page 3-9.
For information on logging into the AP through a console port, refer to Connecting to the 1040, 1140, 1240, 1250, 1260, and 2600 Series Access Points Locally, page 4-5.

Obtaining and Assigning an IP Address

To browse to the wireless device Express Setup page, you must either obtain or assign the wireless device IP address using one of the following methods:
If you have a 1040, 1130AG, 1240, 1250, 1260 series access point or a 1300 series access point/bridge, connect to the access point console port and assign a static IP address. Follow the steps in the appropriate section to connect to the device console port:
  Connecting to the 1040, 1140, 1240, 1250, 1260, and 2600 Series Access Points Locally, page 4-5
  Connecting to the 1550 Series Access Point Locally, page 4-5
Note In some terminal emulator applications you may need to set the Flow control parameter to Xon/Xoff. If you are not able to console into the device with the flow control value set to none, try changing the flow control value to Xon/Xoff.
Use a DHCP server (if available) to automatically assign an IP address. You can find out the DHCP-assigned IP address using one of the following methods:
  Connect to the wireless device console port and use the show ip interface brief command to display the IP address. Follow the steps in the “Connecting to the 1040, 1140, 1240, 1250, 1260, and 2600 Series Access Points Locally” section on page 4-5 to connect to the console port.
  Provide your network administrator with the wireless device Media Access Control (MAC) address. Your network administrator will query the DHCP server using the MAC address to identify the IP address. The access point MAC address is on the label attached to the bottom of the access point.

Default IP Address Behavior

When you connect a 1040, 1130AG, 1140, 1240, 1250, 1260, 2600 access point, or 1300 series access point/bridge with a default configuration to your LAN, the access point requests an IP address from your DHCP server and, if it does not receive an address, continues to send requests indefinitely.
The 1300 series access point/bridge assumes a radio network role of a root access point. To configure it as a bridge, you must manually place it in install mode in order to align the antennas and establish a link. To establish the link you must have two access point/bridges configured in the install mode. In the install mode, one access point/bridge must be configured as a root bridge and the other a non-root bridge. To facilitate the configuration, an automatic option is available when the access point/bridge is in the install mode. After the wireless link is established and the bridge antennas are aligned, you take both access point/bridges out of install mode and place them on your LAN as root and non-root bridges.

Connecting to the 1040, 1140, 1240, 1250, 1260, and 2600 Series Access Points Locally

If you need to configure the access point locally (without connecting the access point to a wired LAN), you can connect a PC to its console port using a DB-9 to RJ-45 serial cable. Follow these steps to open the CLI by connecting to the access point console port:
Step 1 Connect a nine-pin, female DB-9 to RJ-45 serial cable to the RJ-45 serial port on the access point and to the COM port on a computer. The Cisco part number for the DB-9 to RJ-45 serial cable is AIR-CONCAB1200. Browse to http://www.cisco.com/go/marketplace to order a serial cable.
Step 2 Set up a terminal emulator to communicate with the access point. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.
Note If xon/xoff flow control does not work, use no flow control.
Step 3 When connected, press enter or type en to access the command prompt. Pressing enter takes you to the user exec mode. Entering en prompts you for a password, then takes you to the privileged exec mode. The default password is Cisco and is case-sensitive.
Note When your configuration changes are completed, you must remove the serial cable from the access point.

Connecting to the 1550 Series Access Point Locally

If you need to configure the access point locally (without connecting to a wired LAN), you can connect a PC to the Ethernet port on the long-reach power injector using a Category 5 Ethernet cable. You can use a local connection to the power injector Ethernet port the same as you would use a serial port connection.
Note You do not need a special crossover cable to connect your PC to the power injector; you can use either a straight-through cable or a crossover cable.
Follow these steps to connect to the bridge locally:
Step 1 Make sure that the PC you intend to use is configured to obtain an IP address automatically, or manually assign it an IP address within the same subnet as the access point/bridge IP address. For example, if you assigned the access point/bridge an IP address of 10.0.0.1, assign the PC an IP address of 10.0.0.20.
Step 2 With the power cable disconnected from the power injector, connect your PC to the power injector using a Category 5 Ethernet cable. You can use either a crossover cable or a straight-through cable.
Note Communication takes place between the power injector and the access point/bridge using Ethernet Port 0. Do not attempt to change any of the Ethernet Port 0 settings.
Step 3 Connect the power injector to the access point/bridge using dual coaxial cables.
Step 4 Connect the power injector power cable and power on the access point/bridge.
Step 5 Follow the steps in the “Assigning Basic Settings” section on page 4-6. If you make a mistake and need to start over, follow the steps in the “Resetting the Device to Default Settings” procedure on page 4-2.
Step 6 After configuring the access point/bridge, remove the Ethernet cable from your PC and connect the power injector to your wired LAN.
Note When you connect your PC to the access point/bridge or reconnect your PC to the wired LAN, you might need to release and renew the IP address on the PC. On most PCs, you can perform a release and renew by rebooting your PC or by entering ipconfig /release and ipconfig /renew commands in a command prompt window. Consult your PC operating instructions for detailed instructions.

Default Radio Settings

Beginning with Cisco IOS Release 12.3(8)JA, access point radios are disabled and no default SSID is assigned. This was done to prevent unauthorized users from accessing a customer wireless network through an access point that has a default SSID and no security settings. You must create an SSID before you can enable the access point radio interfaces.

Assigning Basic Settings

After you determine or assign the wireless device IP address, you can browse to the wireless device Express Setup page and perform an initial configuration:
Step 1 Open your Internet browser.
Step 2 Enter the wireless device IP address in the browser address line and press Enter.
An Enter Network Password screen appears.
Step 3 Press Tab to bypass the Username field and advance to the Password field.
Step 4 Enter the case-sensitive password Cisco and press Enter.
The Summary Status page appears.
Step 5 Click Easy Setup.
The Express Setup screen appears.
Step 6 Click Network Configuration.
Step 7 Enter the Network Configuration settings which you obtained from your system administrator.
The configurable settings include:
Host Name—The host name, while not an essential setting, helps identify the wireless device on your network. The host name appears in the titles of the management system pages.
Note You can enter up to 32 characters for the system name. However, when the wireless device identifies itself to client devices, it uses only the first 15 characters in the system name. If it is important for client users to distinguish between wireless devices, make sure that a unique portion of the system name appears in the first 15 characters.
Note When you change the system name, the wireless device resets the radios, causing associated client devices to disassociate and quickly reassociate.
Server Protocol—Click the radio button that matches the network method of IP address assignment.
DHCP—IP addresses are automatically assigned by your network DHCP server.
Static IP—The wireless device uses a static IP address that you enter in the IP address field.
IP Address—Use this setting to assign or change the wireless device IP address. If DHCP is enabled for your network, leave this field blank.
Note If the wireless device IP address changes while you are configuring the wireless device using the web-browser interface or a Telnet session over the wired LAN, you lose your connection to the wireless device. If you lose your connection, reconnect to the wireless device using its new IP address. Follow the steps in the “Resetting the Device to Default Settings” section on page 4-2 if you need to start over.
IP Subnet Mask—Enter the IP subnet mask provided by your network administrator so the IP address can be recognized on the LAN. If DHCP is enabled, leave this field blank.
Default Gateway—Enter the default gateway IP address provided by your network administrator. If DHCP is enabled, leave this field blank.
IPv6 Protocol—Specify the protocols to be applied by selecting the required check boxes. You can select:
DHCP
Autoconfig
Static IP
IPv6 Address—Enter the IPv6 address.
Username—Enter the username required to access the network.
Password—Enter the password corresponding to the username required to access the network.
SNMP Community—If your network is using SNMP, enter the SNMP Community name provided by your network administrator and select the attributes of the SNMP data (also provided by your network administrator).
Current SSID List (Read Only)
Step 8 Enter the following Radio Configuration settings for the radio bands supported by the access point.
Both the 2.4 GHz and 5 GHz radios have the following options:
SSID—Type the SSID in the SSID entry field. The SSID can contain up to 32 alphanumeric characters.
Broadcast SSID in Beacon—To allow devices without a specified SSID to associate with the access point, select this check box. If this check box is selected, the access point will respond to Broadcast SSID probe requests and also broadcast its own SSID with its Beacons. When you broadcast the SSID, devices that do not specify an SSID can associate to the wireless device. This is a useful option for an SSID used by guests or by client devices in a public space. If you do not broadcast the SSID, client devices cannot associate to the wireless device unless their SSID matches this SSID. Only one SSID can be included in the wireless device beacon.
VLAN—To enable VLAN for the radio, click the Enable VLAN ID radio button and then enter a VLAN identifier ranging from 1 to 4095. To specify this as the native VLAN, check the Native VLAN check box. To disable VLAN, click the No VLAN radio button.
Security—Select the security setting for the SSID. The settings are listed in order of robustness, from No Security to WPA, which is the most secure setting. If you select EAP Authentication or WPA, enter the IP address (the RADIUS Server IP address) and shared secret (RADIUS Server Secret) for the authentication server on your network.
Note If you do not use VLANs on your wireless LAN, the security options that you can assign to multiple SSIDs are limited. See the “Using VLANs” section on page 4-12 for details.
No Security—This security setting does not use an encryption key or key management, and uses open authentication.
WEP Key—This security setting uses mandatory WEP encryption, no key management and open authentication. You can specify up to four WEP keys, i.e. Key 1, 2, 3, and 4. Enter each key value, and specify whether it is 128 bit or 40 bit.
EAP Authentication—The Extensible Authentication Protocols (EAP) Authentication permits wireless access to users authenticated against a database through the services of an authentication server then encrypts the authenticated and authorized traffic. Use this setting for LEAP, PEAP, EAP-TLS, EAP-TTLS, EAP-GTC, EAP-SIM, and other 802.1x/EAP based protocols. This setting uses mandatory encryption WEP, open authentication + EAP, network EAP authentication, no key management, RADIUS server authentication port 1645. Specify the RADIUS Server and the RADIUS Server Secret.
WPA—The Wi-Fi Protected Access (WPA) security setting permits wireless access to users authenticated against a database through the services of an authentication server, then encrypts their authenticated and authorized IP traffic with stronger algorithms than those used in WEP. Make sure clients are WPA certified before selecting this option. This setting uses encryption ciphers tkip, open authentication + EAP, network EAP authentication, key management WPA mandatory, and RADIUS server authentication port 1645. Specify the RADIUS Server and the RADIUS Server Secret.
Note To better understand the security settings used here, see “Understanding the Security Settings” section on page 4-11.
Role in Radio Network—Click the button that describes the role of the wireless device on your network. Select Access Point (Root) if the wireless device is connected to the wired LAN. Select Repeater (Non-Root) if it is not connected to the wired LAN. The only role supported on the Airlink is root. For information on the roles supported by different APs in a radio network, see Configuring the Role in Radio Network, page 6-3. The following roles are available in a radio network:
Access Point—A root device. Accepts associations from clients and bridges wireless traffic from the clients to the wireless LAN. This setting can be applied to any access point.
Repeater—A non-root device. Accepts associations from clients and bridges wireless traffic from the clients to root access point connected to the wireless LAN. This setting can be applied to any access point.
Root Bridge—Establishes a link with a non-root bridge. In this mode, the device also accepts associations from clients.
Non-Root Bridge—In this mode, the device establishes a link with a root bridge.
Install Mode—Places the 1300 series access point/bridge in auto installation mode so you can align and adjust a bridge link for optimum efficiency.
Workgroup Bridge—In the Workgroup bridge mode, the access point functions as a client device that associates with a Cisco Aironet access point or bridge. A workgroup bridge can have a maximum of 254 clients, presuming that no other wireless clients are associated to the root bridge or access point.
Universal Workgroup Bridge—Configures the access point as a workgroup bridge capable of associating with non-Cisco access points.
Client MAC:—The Ethernet MAC address of the client connected to the universal workgroup bridge. This field appears only in the universal workgroup bridge mode.
Scanner—Functions as a network monitoring device. In the Scanner mode, the access point does not accept associations from clients. It continuously scans and reports wireless traffic it detects from other wireless devices on the wireless LAN. All access points can be configured as a scanner.
Optimize Radio Network for—Use this setting to select either preconfigured settings for the wireless device radio or customized settings for the wireless device radio.
Throughput—Maximizes the data volume handled by the wireless device, but might reduce its range.
Range—Maximizes the wireless device range but might reduce throughput.
Default—Sets the default values for the access point.
Custom—The wireless device uses the settings you enter on the Network Interfaces. Clicking Custom takes you to the Network Interfaces.
Aironet Extensions—Enable this setting if there are only Cisco Aironet wireless devices on your wireless LAN.
Channel—The default channel setting for the wireless device radios is least congested; at startup, the wireless device scans for and selects the least-congested channel. For the most consistent performance after a site survey, however, we recommend that you assign a static channel setting for each access point.
For the 2.4 GHz radio, the relevant options are Least-Congested, channel 1-2412, channel 2-2417, channel 3-2422, channel 4-2427, channel 5-2432, channel 6-2437, channel 7-2442, channel 8-2447, channel 9-2452, channel 10-2457, and channel 11-2462.
For the 5 GHz radio, the relevant options are Dynamic Frequency selection, channel 36-5180, channel 40-5200, channel 44-5220, channel 48-5240, channel 149-5745, channel 153-5765, channel 157-5785, channel 161-5805, and channel 165-5825.
Power—Choose the power level from the Power drop-down list.
For the 2.4 GHz radio, the relevant options are Maximum, 22, 19, 16, 13, 10, 7, and 4.
For the 5 GHz radio, the relevant options are Maximum, 14, 11, 8, 5, and 2.
Step 9 Click Apply to save your settings.
Step 10 Click Network Interfaces to browse to the Network Interfaces Summary page.
Step 11 Click the radio interface to browse to the Network Interfaces: Radio Status page.
Step 12 Click the Settings tab to browse to the Settings page for the radio interface.
Step 13 Click Enable to enable the radio.
Step 14 Click Apply.
Your wireless device is now running but probably requires additional configuring to conform to your network operational and security requirements. Consult the chapters in this manual for the information you need to complete the configuration.
Note You can restore access points to factory defaults by unplugging the power jack and plugging it back in while holding down the Mode button for a few seconds, or until the Status LED turns amber.

Default Settings on the Easy Setup Page

Table 4-1 lists the default settings for the settings on the Express Setup page.
Table 4-1 Default Settings on the Express Setup Page
Setting                                           Default
Host Name                                         ap
Configuration Server Protocol                     DHCP
IP Address                                        Assigned by DHCP by default; see the “Default IP Address Behavior” section on page 4-5 for a description of default IP address behavior on the access point
IP Subnet Mask                                    Assigned by DHCP by default; if DHCP is disabled, the default setting is 255.255.255.224
Default Gateway                                   Assigned by DHCP by default; if DHCP is disabled, the default setting is 0.0.0.0
IPv6 Protocol                                     DHCP and Autoconfig
SNMP Community                                    defaultCommunity (Read-only)
VLAN                                              No VLAN
Security                                          No Security
Role in Radio Network (for each radio installed)  Access point
Optimize Radio Network for                        Default
Aironet Extensions                                Enable
Channel                                           Least-Congested (for 2.4GHz) and Dynamic Frequency Selection (for 5GHz)
Power                                             Maximum

Understanding the Security Settings

You can configure basic security settings in the Easy Setup > Radio Configuration section. You can use the options given in this section to create unique SSIDs and assign one of four security types to them.
You can create up to 16 SSIDs on the wireless device. The created SSIDs appear in the Current SSID List. On dual-radio wireless devices, the SSIDs that you create are enabled by default on both radio interfaces.
Note In Cisco IOS Release 12.4(23c)JA and 12.xxx, there is no default SSID. You must configure an SSID before client devices can associate to the access point.
The SSID can consist of up to 32 alphanumeric, case-sensitive characters.
The first character cannot be any of the following characters:
Exclamation point (!)
Pound sign (#)
Semicolon (;)
The following characters are invalid and cannot be used in an SSID:
Plus sign (+)
Right bracket (])
Front slash (/)
Quotation mark (")
Tab
Trailing spaces
Using VLANs
If you use VLANs on your wireless LAN and assign SSIDs to VLANs, you can create multiple SSIDs using any of the four security settings on the Express Security page. However, if you do not use VLANs on your wireless LAN, the security options that you can assign to SSIDs are limited because on the Express Security page encryption settings and authentication types are linked. Without VLANs, encryption settings (WEP and ciphers) apply to an interface, such as the 2.4-GHz radio, and you cannot use more than one encryption setting on an interface. For example, when you create an SSID with static WEP with VLANs disabled, you cannot create additional SSIDs with WPA authentication because they use different encryption settings. If you find that the security setting for an SSID conflicts with another SSID, you can delete one or more SSIDs to eliminate the conflict.
Security Types for an SSID
Table 4-2 describes the four security types that you can assign to an SSID.
Table 4-2 Security Types on Express Security Setup Page
Security Type: No Security
Description: This is the least secure option. You should use this option only for SSIDs used in a public space and assign it to a VLAN that restricts access to your network.
Security Features Enabled: None.
Security Type: Static WEP Key
Description: This option is more secure than no security. However, static WEP keys are vulnerable to attack. If you configure this setting, you should consider limiting association to the wireless device based on MAC address (see the Chapter 16, “Using MAC Address ACLs to Block or Allow Client Association to the Access Point”) or, if your network does not have a RADIUS server, consider using an access point as a local authentication server (see Chapter 9, “Configuring an Access Point as a Local Authenticator”).
Security Features Enabled: Mandatory WEP. Client devices cannot associate using this SSID without a WEP key that matches the wireless device key.
Security Type: EAP Authentication
Description: This option enables 802.1X authentication (such as LEAP, PEAP, EAP-TLS, EAP-FAST, EAP-TTLS, EAP-GTC, EAP-SIM, and other 802.1X/EAP based products). This setting uses mandatory encryption, WEP, open authentication + EAP, network EAP authentication, no key management, RADIUS server authentication port 1645. You are required to enter the IP address and shared secret for an authentication server on your network (server authentication port 1645). Because 802.1X authentication provides dynamic encryption keys, you do not need to enter a WEP key.
Security Features Enabled: Mandatory 802.1X authentication. Client devices that associate using this SSID must perform 802.1X authentication. If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you do not configure open authentication with EAP, the following GUI warning message appears:
WARNING: Network EAP is used for LEAP authentication only. If radio clients are configured to authenticate using EAP-FAST, Open Authentication with EAP should also be configured.
If you are using the CLI, this warning message appears:
SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.
Security Type: WPA
Description: Wi-Fi Protected Access (WPA) permits wireless access to users authenticated against a database through the services of an authentication server, then encrypts their IP traffic with stronger algorithms than those used in WEP. This setting uses encryption ciphers, TKIP, open authentication + EAP, network EAP authentication, key management WPA mandatory, and RADIUS server authentication port 1645. As with EAP authentication, you must enter the IP address and shared secret for an authentication server on your network (server authentication port 1645).
Security Features Enabled: Mandatory WPA authentication. Client devices that associate using this SSID must be WPA-capable. If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you do not configure open authentication with EAP, the following GUI warning message appears:
WARNING: Network EAP is used for LEAP authentication only. If radio clients are configured to authenticate using EAP-FAST, Open Authentication with EAP should also be configured.
If you are using the CLI, this warning message appears:
SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.
Limitations of Security Settings
The security settings in the Easy Setup Radio Configuration section are designed for simple configuration of basic security. The options available are a subset of the wireless device security capabilities. Keep these limitations in mind when using the Express Security page:
If the No VLAN option is selected, the static WEP key can be configured once. If you select Enable VLAN, the static WEP key should be disabled.
You cannot edit SSIDs. However, you can delete SSIDs and re-create them.
You cannot configure multiple authentication servers. To configure multiple authentication servers, use the Security Server Manager page.
You cannot configure multiple WEP keys. To configure multiple WEP keys, use the Security Encryption Manager page.
You cannot assign an SSID to a VLAN that is already configured on the wireless device. To assign an SSID to an existing VLAN, use the Security SSID Manager page.
You cannot configure combinations of authentication types on the same SSID (for example, MAC address authentication and EAP authentication). To configure combinations of authentication types, use the Security SSID Manager page.

CLI Configuration Examples

The examples in this section show the CLI commands that are equivalent to creating SSIDs using each security type. This section contains these example configurations:
Example: No Security for Radio 2.4GHz, page 4-15
Example: Static WEP for Radio 2.4 GHz, page 4-16
Example: EAP Authentication, page 4-17
Example: WPA2 for Radio 2.4GHz, page 4-19
Example: No Security for Radio 2.4GHz
This example shows a part of the resulting configuration when an SSID called no_security_ssid is created, the SSID is included in the beacon, assigned to VLAN 10, and then VLAN 10 is selected as the native VLAN:
!
dot11 ssid no_security_ssid
   vlan 10
   authentication open
   guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 ssid no_security_ssid
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 peakdetect
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
Example: Static WEP for Radio 2.4 GHz
This example shows a part of the configuration that results from creating an SSID called static_wep_ssid, excluding the SSID from the beacon, assigning the SSID to VLAN 20, selecting 3 as the key slot, and entering a 128-bit key:
!
dot11 ssid static_wep_ssid
   vlan 20
   authentication open
!
!
!
 encryption vlan 20 key 3 size 128bit 7 76031220D71D63394A6BD63DE57F transmit-key
 encryption vlan 20 mode wep mandatory
 !
 ssid static_wep_ssid
 !
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.31
 encapsulation dot1Q 31 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 20 key 3 size 128bit 7 E55F05382FE2064B7C377B164B73 transmit-key
 encryption vlan 20 mode wep mandatory
 !
 ssid static_wep_ssid
 !
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio1.31
 encapsulation dot1Q 31 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
interface GigabitEthernet0.31
 encapsulation dot1Q 31 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
Example: EAP Authentication
This example shows a part of the configuration that results from creating an SSID called eap_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 30:
Note The following warning message appears if your radio clients are using EAP-FAST and you do not include open authentication with EAP as part of the configuration:
SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.
dot11 ssid eap_ssid
   vlan 30
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
dot11 guest
!
username apuser password 7 096F471A1A0A
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 30 mode wep mandatory
 !
 ssid eap_ssid
 !
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 spanning-disabled
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 peakdetect
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 spanning-disabled
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 bridge-group 30 spanning-disabled
 no bridge-group 30 source-learning
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
radius server 10.10.11.100
 address ipv4 10.10.11.100 auth-port 1645 acct-port 1646
 key 7 00271A150754
!
bridge 1 route ip
Example: WPA2 for Radio 2.4GHz
This example shows a part of the configuration that results from creating an SSID called wpa_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 40:
aaa new-model
!
aaa group server radius rad_eap
 server name 10.10.11.100
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
dot11 ssid wpa_ssid
   vlan 40
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 40 mode ciphers aes-ccm
 !
 ssid wpa_ssid
 !
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.40
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
 bridge-group 40 subscriber-loop-control
 bridge-group 40 spanning-disabled
 bridge-group 40 block-unknown-source
 no bridge-group 40 source-learning
 no bridge-group 40 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 peakdetect
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.40
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
 bridge-group 40 subscriber-loop-control
 bridge-group 40 spanning-disabled
 bridge-group 40 block-unknown-source
 no bridge-group 40 source-learning
 no bridge-group 40 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.40
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
 bridge-group 40 spanning-disabled
 no bridge-group 40 source-learning
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
radius server 10.10.11.100
 address ipv4 10.10.11.100 auth-port 1645 acct-port 1646
 key 7 01300F175804
!
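The following Python sketch is an added example, not part of this guide or of Cisco IOS. It reads a saved configuration in the form shown in the CLI examples above, maps each SSID onto the four security types of Table 4-2, and reports the settings worth reviewing: open or WEP-based SSIDs, TKIP ciphers, an HTTP-only web interface, and type 7 secrets. The function names, the finding texts, and the sample fragment are assumptions made for this example; treating TKIP as weaker than AES-CCM and type 7 strings as reversible is general knowledge rather than a statement from this guide.

```python
import re

# Constructed fragment in the style of the CLI examples; PLACEHOLDER replaces secrets.
SAMPLE_CONFIG = """\
dot11 ssid no_security_ssid
   vlan 10
   authentication open
   guest-mode
!
dot11 ssid static_wep_ssid
   vlan 20
   authentication open
!
dot11 ssid eap_ssid
   vlan 30
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
dot11 ssid wpa_ssid
   vlan 40
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption vlan 20 key 3 size 128bit 7 PLACEHOLDER transmit-key
 encryption vlan 20 mode wep mandatory
 encryption vlan 30 mode wep mandatory
 encryption vlan 40 mode ciphers aes-ccm
!
ip http server
no ip http secure-server
radius server 10.10.11.100
 key 7 PLACEHOLDER
"""


def parse_ssids(config):
    """Return {ssid: {vlan, eap, wpa, guest}} read from 'dot11 ssid' blocks."""
    ssids, current = {}, None
    for line in config.splitlines():
        m = re.match(r"dot11 ssid (\S+)$", line)
        words = line.split()
        if m:
            current = ssids.setdefault(m.group(1), dict(
                vlan=None, eap=False, wpa=False, guest=False))
        elif current is None or not line.startswith(" "):
            current = None  # any unindented line closes the SSID block
        elif words[:1] == ["vlan"] and len(words) > 1:
            current["vlan"] = words[1]
        elif words[:2] == ["authentication", "key-management"]:
            current["wpa"] = "wpa" in words[2:]
        elif words[:1] == ["authentication"]:
            current["eap"] |= "eap" in words or "network-eap" in words
        elif words == ["guest-mode"]:
            current["guest"] = True
    return ssids


def parse_encryption(config):
    """Return {vlan or None: mode} from 'encryption [vlan N] mode ...' lines."""
    pat = r"^[ \t]*encryption (?:vlan (\d+) )?mode (.+?)[ \t]*$"
    return {m.group(1): m.group(2) for m in re.finditer(pat, config, re.M)}


def classify(ssid, modes):
    """Map one SSID onto the four security types of Table 4-2."""
    mode = modes.get(ssid["vlan"], modes.get(None, ""))
    kind = ("WPA" if ssid["wpa"] else "EAP Authentication" if ssid["eap"]
            else "Static WEP Key" if mode.startswith("wep") else "No Security")
    return kind, mode


def audit(config):
    """Return (subject, finding) pairs for settings that deserve review."""
    findings, modes = [], parse_encryption(config)
    for name, ssid in parse_ssids(config).items():
        kind, mode = classify(ssid, modes)
        if kind == "No Security":
            guest = ", SSID broadcast in beacon" if ssid["guest"] else ""
            findings.append((name, "open authentication with no encryption" + guest))
        elif kind == "Static WEP Key":
            findings.append((name, "static WEP key"))
        elif mode.startswith("wep"):
            findings.append((name, "802.1X with WEP encryption"))
        elif "tkip" in mode:
            findings.append((name, "WPA with TKIP cipher"))
    if re.search(r"^ip http server\b", config, re.M) and not re.search(
            r"^ip http secure-server\b", config, re.M):
        findings.append(("management", "web interface served over HTTP only"))
    type7 = len(re.findall(r"\b(?:password|key|128bit|40bit) 7 \S+", config))
    if type7:
        findings.append(("secrets", f"{type7} type 7 (reversible) secret(s)"))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```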
Configuring System Power Settings Access Points
The AP 1040, AP 802, AP 1140, AP 1550, AP 1600, AP 2600, AP 3500, AP 3600 and AP 1260 disable the radio interfaces when the unit senses that the power source to which it is connected does not provide enough power. Depending on your power source, you might need to enter the power source type in the access point configuration. Choose the Software > System Configuration page on the web-browser interface, and then select a power option. Figure 4-1 shows the System Power Settings section of the System Configuration page.
Figure 4-1 Power Options on the System Software: System Configuration Page

Using the AC Power Adapter

If you use the AC power adapter to provide power to the access point, you do not need to adjust the access point configuration.

Using a Switch Capable of IEEE 802.3af Power Negotiation

If you use a switch to provide Power over Ethernet (PoE) to the 1040, 1130, 1140, 1240, 1250, and 1260 access points, and the switch supports the IEEE 802.3af power negotiation standard, select Power Negotiation on the System Software: System Configuration page.

Using a Switch That Does Not Support IEEE 802.3af Power Negotiation

If you use a switch to provide Power over Ethernet (PoE) to the 1040, 1130, or 1140 access point, and the switch does not support the IEEE 802.3af power negotiation standard, select Pre-Standard Compatibility on the System Software: System Configuration page.

Using a Power Injector

If you use a power injector to provide power to the 1040, 1130, 1140, 1240, 1250, or 1260 access point, select Power Injector on the System Software: System Configuration page and enter the MAC address of the switch port to which the access point is connected.

dot11 extension power native Command

When enabled, the dot11 extension power native command shifts the power tables the radio uses from the IEEE 802.11 tables to the native power tables. The radio derives the values for this table from the NativePowerTable and NativePowerSupportedTable of the CISCO-DOT11-IF-MIB. The Native Power tables were designed specifically to configure powers as low as -1 dBm for Cisco Aironet radios that support these levels.

Support for 802.11n Performance on 1250 Series Access Points with Standard 802.3af PoE

The Cisco Aironet 1250 Series access points require 20W of power for optimum performance of 802.11n on both the 2.4- and 5-GHz bands. This allows you to configure one radio to operate using 802.3af. This allows full functionality under 802.3af on one radio while the other radio is disabled. Once you upgrade to a powering solution that provides 20W of power to the access point, you can configure the second radio so that both radios are fully functional with 2x3 multiple input multiple output (MIMO) technology.

1250 Series Power Modes

The 1250 series access point can be powered by either inline power or by an optional AC/DC power adapter. Certain radio configurations may require more power than can be provided by the inline power source. When insufficient inline power is available, you can select several options (based upon your access point radio configuration) as shown in Table 4-3.
Table 4-3 Inline Power Options based on Access Point Radio Configuration
The last three columns give the Maximum Transmit Power (dBm) (1) in each power mode.
Radio Band | Data Rate | Number of Transmitters | Cyclic Shift Diversity (CSD) | 802.3af Mode (15.4W) | Enhanced PoE Power Optimized Mode (16.8 W) | Enhanced PoE Mode (20 W)
2.4 GHz | 802.11b | 1 | N/A | 20 | 20 | 20
2.4 GHz | 802.11g | 1 | N/A | 17 | 17 | 17
2.4 GHz | 802.11n (MCS 0-7) | 1 | Disabled | 17 | 17 | 17
2.4 GHz | 802.11n (MCS 0-7) | 2 | Enabled (default) | Disabled | 14 (17 per Tx (2)) | 20 (17 per Tx)
2.4 GHz | 802.11n (MCS 8-15) | 2 | N/A | Disabled | 14 (17 per Tx) | 20 (17 per Tx)
5 GHz | 802.11a | 1 | N/A | 17 | 17 | 17
5 GHz | 802.11n (MCS 0-7) | 1 | Disabled | 17 | 17 | 17
5 GHz | 802.11n (MCS 0-7) | 2 | Enabled (default) | Disabled | 20 (17 per Tx) | 20 (17 per Tx)
5 GHz | 802.11n (MCS 8-15) | 2 | N/A | Disabled | 20 (17 per Tx) | 20 (17 per Tx)
1. Maximum transmit power will vary by channel and according to individual country regulations. Refer to the product documentation for specific details.
2. Tx—Transmitter.
Support for 802.11ac
802.11ac is the next generation wireless standard of 802.11. It is designed to provide high throughput and operate in the 5 GHz band. 802.11ac is supported on the 3700, 2700, and 1700 series access points. The 802.11ac radio depends on the 802.11n radio to be fully functional. Shutting down the 802.11n radio will affect the 802.11ac functionalities.

Channel Widths for 802.11ac

802.11n and 802.11ac radios operate in the same band. However, the channel widths can be configured independently, with the restriction that the 802.11ac channel width should be above the channel width configured on 802.11n. Please see Table 4-4 for more details on the supported channel width combinations.
Table 4-4 Supported Channel Width Combinations
802.11n Channel Bandwidth 802.11ac Channel Bandwidth
20 20
20 40
20 80
40 40
40 80
Off channel scanning or transmissions are not supported. The 802.11ac radio depends on 802.11n radios for the off channel scanning functionality.
For example, to configure 80 MHz channel width:
ap# configure terminal
ap(config)# interface dot11Radio 1
ap(config-if)# channel width 80
ap(config-if)# end

Power Management for 802.11ac

The 3700, 2700, and 1700 802.11ac series access points can be powered by a Power-over-Ethernet (PoE) source, local power, or a power injector. If the AP is powered by PoE, based on whether the source is PoE+ (802.3at) or PoE (802.3af), the AP will adjust certain radio configurations as it may require more power than provided by the inline power source.
For example, a 3700 series AP which is powered by PoE+ (802.3at) will provide 4x4:3 configuration on both radios, and when powered by PoE (802.3af) it will provide a 3x3:3 configuration on both radios. Please refer to the table below.
Tip Radio configurations such as 4x4:3 imply 4 transmitters and 4 receivers capable of 3 spatial streams.
Note To determine whether the AP is running at high PoE power or reduced (15.4W) power, in the AP's GUI, go to the Home page. If the AP is running on reduced power, under Home:Summary Status, the following warning is displayed:
Due to insufficient inline power. Upgrade inline power source or install power injector.
All access points except outdoor mesh products can be powered over Ethernet. Access points with two radios powered over Ethernet are fully functional and support all the features. See Table 4-5 for the various power management options available.
Table 4-5 Inline Power Options based on Power Sources
Power Draw | Description | AP Functionality | PoE Budget (Watts) (1) | 802.3af | E-PoE | 802.3at PoE+ PWRINJ4
PoE+ 802.3at | AP3700 Out of the box | 4x4:3 on 2.4/5 GHz | 16.1 | No | Yes | Yes
PoE 802.3af | AP3700 Out of the box | 3x3:3 on 2.4/5 GHz | 15.4 | Yes | N/A | N/A
PoE 802.3at | AP2700 Out of the Box | 3x4:3 on 2.4/5 GHz and Auxiliary Ethernet Port Enabled | 16.8 | No | No | Yes
PoE 802.3af | AP2700 Out of the Box | 3x4:3 on 5 GHz and 2x2:2 on 2.4 GHz and Auxiliary Ethernet Port Enabled | 15.4 | Yes | Yes | N/A
1. This is the power required at the PSE, which is either a switch or an injector.
802.11n and 802.11ac use the power levels configured on 802.11n. You cannot configure power levels independently for 802.11ac.

Assigning an IP Address Using the CLI

When you connect the wireless device to the wired LAN, the wireless device links to the network using a bridge virtual interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the wireless device Ethernet and radio ports, the network uses the BVI.
When you assign an IP address to the wireless device using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the wireless device BVI:
Command Purpose
Step 1 configure terminal Enters global configuration mode.
Step 2 interface bvi1 Enters interface configuration mode for the BVI.
Step 3 ip address address mask Assigns an IP address and address mask to the BVI.
Note If you are connected to the wireless device using a Telnet session, you lose your connection to the wireless device when you assign a new IP address to the BVI. If you need to continue configuring the wireless device using Telnet, use the new IP address to open another Telnet session to the wireless device.

Using a Telnet Session to Access the CLI

Follow these steps to access the CLI by using a Telnet session. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check your PC operating instructions for detailed instructions for your operating system.
Step 1 Choose Start > Programs > Accessories > Telnet.
If Telnet is not listed in your Accessories menu, select Start > Run, type Telnet in the entry field, and press Enter.
Step 2 When the Telnet window appears, click Connect and select Remote System.
Note In Windows 2000, the Telnet window does not contain drop-down lists. To start the Telnet session in Windows 2000, type open followed by the wireless device IP address.
Step 3 In the Host Name field, type the wireless device IP address and click Connect.

Configuring the 802.1X Supplicant
Traditionally, the dot1x authenticator/client relationship has always been a network device and a PC client respectively, as it was the PC user that had to authenticate to gain access to the network. However, wireless networks introduce unique challenges to the traditional authenticator/client relationship. First, access points can be placed in public places, inviting the possibility that they could be unplugged and their network connection used by an outsider. Second, when a repeater access point is incorporated into a wireless network, the repeater access point must authenticate to the root access point in the same way as a client does.
The supplicant is configured in two phases:
Create and configure a credentials profile
Apply the credentials to an interface or SSID
You can complete the phases in any order, but they must be completed before the supplicant becomes operational.

Creating a Credentials Profile

Beginning in privileged EXEC mode, follow these steps to create an 802.1X credentials profile:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 dot1x credentials profile Creates a dot1x credentials profile and enters the dot1x credentials configuration submode.
Step 3 anonymous-id description (Optional)—Enter the anonymous identity to be used.
Step 4 description description (Optional)—Enter a description for the credentials profile.
Step 5 username username Enter the authentication user id.
Step 6 password {0 | 7 | LINE} Enter an unencrypted password for the credentials.
0—An unencrypted password will follow.
7—A hidden password will follow. Hidden passwords are used when applying a previously saved configuration.
LINE—An unencrypted (clear text) password.
Note Unencrypted and clear text are the same. You can enter a 0 followed by the clear text password, or omit the 0 and enter the clear text password.
Step 7 pki-trustpoint pki-trustpoint (Optional and only used for EAP-TLS)—Enter the default pki-trustpoint.
Step 8 end Return to the privileged EXEC mode.
Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
Use the no form of the dot1x credentials command to negate a parameter.
The following example creates a credentials profile named test with the username Cisco and the unencrypted password Cisco:
ap1240AG>enable
Password:xxxxxxx
ap1240AG#config terminal
Enter configuration commands, one per line. End with CTRL-Z.
ap1240AG(config)# dot1x credentials test
ap1240AG(config-dot1x-creden)#username Cisco
ap1240AG(config-dot1x-creden)#password Cisco
ap1240AG(config-dot1x-creden)#exit
ap1240AG(config)#

Applying the Credentials to an Interface or SSID

Credential profiles are applied to an interface or an SSID in the same way.
Applying the Credentials Profile to the Wired Port
Beginning in the privileged EXEC mode, follow these steps to apply the credentials to the access point wired port:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface gigabitethernet 0 Enter the interface configuration mode for the access point Gigabit Ethernet port.
Note You can also use interface fa0 to enter the Gigabit Ethernet configuration mode.
Step 3 dot1x credentials profile name Enter the name of a previously created credentials profile.
Step 4 end Return to the privileged EXEC mode.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
The following example applies the credentials profile test to the access point gigabit Ethernet port:
ap1240AG>enable
Password:xxxxxxx
ap1240AG#config terminal
Enter configuration commands, one per line. End with CTRL-Z.
ap1240AG(config)#interface Gig0
ap1240AG(config-if)#dot1x credentials test
ap1240AG(config-if)#end
ap1240AG#
Applying the Credentials Profile to an SSID Used For the Uplink
If you have a repeater access point in your wireless network and are using the 802.1X supplicant on the root access point, you must apply the 802.1X supplicant credentials to the SSID the repeater uses to associate with and authenticate to the root access point.
Beginning in the privileged EXEC mode, follow these steps to apply the credentials to an SSID used for the uplink:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 dot11 ssid ssid Enter the 802.11 SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.
Note The first character cannot contain the !, #, or ; character. +, ], /, “, TAB, and trailing spaces are invalid characters for SSIDs.
Step 3 dot1x credentials profile Enter the name of a preconfigured credentials profile.
Step 4 end Exits the dot1x credentials configuration submode.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
The following example applies the credentials profile test to the ssid testap1 on a repeater access point.
repeater-ap>enable
Password:xxxxxxx
repeater-ap#config terminal
Enter configuration commands, one per line. End with CTRL-Z.
repeater-ap(config-if)#dot11 ssid testap1
repeater-ap(config-ssid)#dot1x credentials test
repeater-ap(config-ssid)#end
repeater-ap(config)
Creating and Applying EAP Method Profiles
You can optionally configure an EAP method list to enable the supplicant to recognize a particular EAP method. See the “Creating and Applying EAP Method Profiles for the 802.1X Supplicant” section on page 11-17.
Configuring IPv6
IPv6 is the latest Internet protocol for IP, developed to provide an extremely large number of addresses. It uses 128-bit addresses instead of the 32-bit addresses that are used in IPv4.
As deployments in wireless networks use a greater number of IP wireless devices and smart phones, IPv6 with its 128-bit address format can support 3.4 x 10^38 address space.
IPv6 addresses are represented as a series of 16-bit hexadecimal fields separated by colons (:) in the format: x:x:x:x:x:x:x:x.
There are three types of IPv6 addresses:
Unicast
The Cisco IOS software supports these IPv6 unicast address types:
Aggregatable Global Address
Aggregatable global unicast addresses are globally routable and reachable on the IPv6 portion of the Internet. These global addresses are identified by the format prefix of 001.
Link-Local Address
Link-local addresses are automatically configured on an interface using the link-local prefix FE80::/10 (1111 1110 10). The interface identifier is in the modified EUI-64 format.
Anycast can be used only by a router and not the host. Anycast addresses must not be used as the source address of an IPv6 packet.
Multicast address is a logical identifier for a group of hosts that process frames intended to be multicast for a designated network service. Multicast addresses in IPv6 use a prefix of FF00::/8 (1111 1111).
IPv6 configuration uses these multicast groups:
Solicited-node multicast group FF02:0:0:0:0:1:FF00::/104
All-nodes link-local multicast group FF02::1
All-routers link-local multicast group FF02::2
Table 4-6 lists the IPv6 address types and formats.
Table 4-6 IPv6 Address Formats
IPv6 Address Type Preferred Format Compressed Format
Unicast 2001:0:0:0:DB8:800:200C:417A 2001::DB8:800:200C:417A
Multicast FF01:0:0:0:0:0:0:101 FF01::101
Loopback 0:0:0:0:0:0:0:1 ::1
Unspecified 0:0:0:0:0:0:0:0 ::
The following modes are supported:
Root
Root bridge
Non Root bridge
Repeater
WGB
The following modes are not supported:
Spectrum mode
Monitor mode
Beginning in privileged EXEC mode, use these commands to enable the IPv6 address:
ap(config)# int bv1
ap(config-if)# ipv6 address
A link-local address, based on the Modified EUI-64 interface ID, is automatically generated for the interface when stateless autoconfiguration is enabled.
Beginning in privileged EXEC mode, use the following command to enable stateless autoconfiguration:
ap(config-if)# ipv6 address autoconfig
Beginning in privileged EXEC mode, use the following command to configure a link-local address without assigning any other IPv6 addresses to the interface:
ap(config-if)# ipv6 address ipv6-address link-local
Beginning in privileged EXEC mode, use the following command to assign a site-local or global address to the interface:
ap(config-if)# ipv6 address ipv6-address [eui-64]
Note The optional eui-64 keyword is used to utilize the Modified EUI-64 interface ID in the low order 64 bits of the address.
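The address derivations described in this section (Modified EUI-64 interface ID, FE80::/10 link-local address, eui-64 global address, and solicited-node multicast group), worked through in Python. This is an added example, not Cisco code; the MAC address and the 2001:db8:0:1::/64 prefix are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import re

LINK_LOCAL_PREFIX = ipaddress.IPv6Network("fe80::/10")
# FF02:0:0:0:0:1:FF00::/104, the solicited-node prefix listed in this section
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def mac_to_bytes(mac):
    """Accept 00:1a:2b:3c:4d:5e, 00-1A-2B-3C-4D-5E or Cisco style 001a.2b3c.4d5e."""
    digits = re.sub(r"[.:\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac):
    """Build the 64-bit interface ID: flip the universal/local bit, insert FF:FE."""
    raw = mac_to_bytes(mac)
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def link_local_address(mac):
    """Link-local address that stateless autoconfiguration generates for the interface."""
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(LINK_LOCAL_PREFIX.network_address) | iid)


def eui64_address(prefix, mac):
    """Address produced by 'ipv6 address <prefix> eui-64': prefix plus interface ID."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen > 64:
        raise ValueError("an EUI-64 interface ID needs a prefix of /64 or shorter")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(network.network_address) | iid)


def solicited_node_group(address):
    """Solicited-node multicast group: the /104 prefix plus the low 24 address bits."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def mac_from_eui64(address):
    """Recover the MAC from an EUI-64 derived address, or None if it is not one.

    Useful when matching neighbor-table entries against a device inventory.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in raw)


if __name__ == "__main__":
    sample_mac = "001a.2b3c.4d5e"  # constructed sample value
    lla = link_local_address(sample_mac)
    print("link-local     :", lla)
    print("global eui-64  :", eui64_address("2001:db8:0:1::/64", sample_mac))
    print("solicited-node :", solicited_node_group(lla))
    print("MAC recovered  :", mac_from_eui64(lla))
```

Because the interface ID is derived from the MAC address, any EUI-64 address exposes the hardware address of the device that owns it.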

Configuring DHCPv6 address

DHCPv6 is a network protocol that is used for configuring IPv6 hosts with IP addresses, IP prefixes and other configuration required to operate on an IPv6 network. The DHCPv6 client obtains configuration parameters from a server either through a rapid two-message exchange (solicit, reply), or through a normal four-message exchange (solicit, advertise, request, reply). By default, the four-message exchange is used. When the rapid-commit option is enabled by both client and server, the two-message exchange is used.
Beginning in privileged EXEC mode, use these commands to enable the DHCPv6 client in an Access Point:
ap# conf t
ap(config)# int bv1
ap(config-if)# ipv6 address dhcp [rapid-commit]
Autonomous AP supports both DHCPv6 stateful and stateless addressing.
Stateful addressing
Stateful addressing uses a DHCP server. DHCP clients use stateful DHCPv6 addressing to obtain an IP address.
Beginning in privileged EXEC mode, use this command to configure stateful addressing:
ap(config-if)# ipv6 address dhcp
Stateless addressing
Stateless addressing does not use a DHCP server to obtain IP addresses. The DHCP clients autoconfigure their own IP addresses based on router advertisements.
Beginning in privileged EXEC mode, use this command to configure stateless addressing:
ap(config-if)# ipv6 address autoconfig

IPv6 Neighbor Discovery

The IPv6 neighbor discovery process uses ICMP messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network.
Beginning in privileged EXEC mode, use these commands to configure IPv6 neighbor discovery:
Command Purpose
ipv6 nd ? Configures neighbor discovery protocol.
ipv6 nd ns-interval value This command is available only on bridge group virtual interface (BVI). Sets the interval between IPv6 neighbor solicitation retransmissions on an interface.
ipv6 nd reachable-time value Sets the amount of time that a remote IPv6 node is reachable.
ipv6 nd dad attempts value This command is available only on bridge group virtual interface (BVI). Configures the number of consecutive neighbor solicitation messages sent when duplicate address detection is performed on the unicast IPv6 addresses.
ipv6 nd dad time value Configures the interval between IPv6 neighbor solicit transmissions for duplicate address detection.
ipv6 nd autoconfig default-router This command is available only on bridge group virtual interface (BVI). Configures a default route to the Neighbor Discovery-derived default router.
ipv6 nd autoconfig prefix This command is available only on bridge group virtual interface (BVI). Configures router solicitation message to solicit a router advertisement to eliminate any delay in waiting for the next periodic router advertisement.
ipv6 nd cache expire expire-time-in-seconds Configures the length of time before the IPv6 neighbor discovery cache entry expires.
ipv6 nd cache interface-limit size [log rate] Configures a neighbor discovery cache limit on a specified interface.
ipv6 nd na glean This command is available only on bridge group virtual interface (BVI). Configures neighbor discovery to glean an entry from an unsolicited neighbor advertisement.
ipv6 nd nsf {convergence time-in-seconds | dad [suppress] | throttle resolutions} Configures IPv6 neighbor discovery non-stop forwarding. You can specify the convergence time in seconds (10 to 600 seconds), suppress duplicate address detection (DAD), or set the number of resolutions to use with non-stop forwarding (NSF).
ipv6 nd nud limit limit Configures the number of neighbor unreachability detection (NUD) resends, and sets a limit to the number of unresolved resends.
ipv6 nd resolution data limit limit-in-packets Configures a limit to the number of data packets in queue awaiting neighbor discovery (ND) resolution.
ipv6 nd route-owner Inserts Neighbor Discovery-learned routes into the routing table with "ND" status and enables ND autoconfiguration behavior.

Configuring IPv6 Access Lists

IPv6 access lists (ACL) are used to filter traffic and restrict access to the router. IPv6 prefix lists are used to filter routing protocol updates.
Beginning in privileged EXEC mode, use these commands to configure the access list globally and assign it to an interface:
ap(config)# ipv6 access-list acl-name
Beginning in privileged EXEC mode, you can use the commands given in Table 4-7 for IPv6 Access List configuration.
Table 4-7 IPv6 Access List configuration commands
Command Purpose
default Set a command to its defaults.
deny Specify packets to reject.
evaluate Evaluate an access list.
exit Exit from access-list configuration mode.
no Negate a command or set its defaults.
permit Specify packets to forward.
remark Set an access list entry comment.
sequence Set a sequence number for this entry.
Beginning in privileged EXEC mode, use these commands to assign the globally configured ACL to the outbound and inbound traffic on a Layer 3 interface:
ap(config)# interface interface
ap(config-if)# ipv6 traffic-filter acl-name {in | out}

RADIUS Configuration

RADIUS server is a background process serving three functions:
Authenticate users before granting them access to the network
Authorize users for certain network services
Account for the usage of certain network services
See Controlling Access Point Access with RADIUS, page 5-12.

IPv6 WDS Support

The WDS and the infrastructure access points communicate over a multicast protocol called WLAN Context Control Protocol (WLCCP).
Cisco IOS Release 15.2(4)JA supports communication between the WDS and Access Point through IPv6 addresses. The WDS works on a Dual Stack; that is, it accepts both IPv4 and IPv6 registration.
IPv6 WDS AP registration
The first active IPv6 address is used to register the WDS. Table 4-8 shows different scenarios in the IPv6 WDS AP registration process.
Table 4-8 IPv6 WDS–AP Registration
Scenario | WDS | AP | Mode of Communication
1 | Dual | Dual | IPv6
2 | Dual | IPv6 | IPv6
3 | Dual | IPv4 | IPv4
4 | IPv6 | Dual | IPv6
5 | IPv6 | IPv6 | IPv6
6 | IPv6 | IPv4 | Fails
7 | IPv4 | Dual | IPv4
8 | IPv4 | IPv6 | Fails
9 | IPv4 | IPv4 | IPv4
Note 11r roaming between IPv4 and IPv6 access points is not supported because the MDIE is different. Both AP and WDS use the first active IPv6 address in BVI1 to register and advertise. Link-local is not used for registration.

CDPv6 Support:

CDP is a Layer 2 protocol used to get information on the immediate neighbor’s device ID, capabilities, MAC address, IP address, or duplex. Each CDP-enabled device sends information about itself to its immediate neighbor. As part of native IPv6, the access point also sends its IPv6 address as part of the address TLV in the CDP message; it also parses the IPv6 address information it gets from the neighboring switch.
This command shows the connected IPv6 neighbor:
ap# show cdp neighbors detail

RA filtering

RA filtering increases the security of the IPv6 network by dropping router advertisements (RAs) coming from wireless clients. RA filtering prevents misconfigured or malicious IPv6 clients from connecting to the network, often with a high priority that takes precedence over legitimate IPv6 routers. In all cases, the IPv6 RA is dropped at some point, protecting other wireless devices and the upstream wired network from malicious or misconfigured IPv6 devices.
However, RA filtering is not supported in the uplink direction.
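The filtering decision described above, sketched in Python: recognise an ICMPv6 Router Advertisement (type 134) in an IPv6 packet, read the router preference that the text calls "high priority", and drop it when it arrives from a wireless client. This is an added illustration, not Cisco's implementation; the ingress labels, the function names, and the sample packets (built with a zero checksum purely as parser input) are assumptions.

```python
import ipaddress
import struct

ICMPV6 = 58
ROUTER_ADVERTISEMENT = 134
NEIGHBOR_SOLICITATION = 135
# Extension headers laid out as (next header, header length in 8-byte units - 1)
EXTENSION_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options
# Default router preference bits carried in the RA flags byte
PREFERENCE = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}


def parse_ra(packet):
    """Return the RA fields if this IPv6 packet carries a Router Advertisement, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header, offset = packet[6], 40
    while next_header in EXTENSION_HEADERS:
        if offset + 2 > len(packet):
            return None
        next_header, ext_len = packet[offset], packet[offset + 1]
        offset += (ext_len + 1) * 8
    if next_header != ICMPV6 or offset + 16 > len(packet):
        return None
    if packet[offset] != ROUTER_ADVERTISEMENT:
        return None
    flags = packet[offset + 5]
    (lifetime,) = struct.unpack_from("!H", packet, offset + 6)
    return {
        "source": ipaddress.IPv6Address(packet[8:24]),
        "preference": PREFERENCE[(flags >> 3) & 0b11],
        "router_lifetime": lifetime,
    }


def filter_decision(packet, ingress):
    """Drop RAs that arrive from wireless clients; forward everything else.

    The ingress label 'wireless-client' is a name chosen for this example.
    """
    if ingress == "wireless-client" and parse_ra(packet) is not None:
        return "drop"
    return "forward"


def build_sample(icmp_type, preference_bits=0b00, hop_by_hop=False):
    """Constructed parser input: IPv6 header, optional hop-by-hop header, ICMPv6 body."""
    icmp = struct.pack("!BBHBBHII", icmp_type, 0, 0, 64, preference_bits << 3, 1800, 0, 0)
    extension, first_header = b"", ICMPV6
    if hop_by_hop:
        extension = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # one PadN option, 8 bytes total
        first_header = 0
    payload = extension + icmp
    header = struct.pack("!IHBB", 6 << 28, len(payload), first_header, 255)
    source = ipaddress.IPv6Address("fe80::21a:2bff:fe3c:4d5e").packed
    destination = ipaddress.IPv6Address("ff02::1").packed  # all-nodes link-local group
    return header + source + destination + payload


if __name__ == "__main__":
    ra = build_sample(ROUTER_ADVERTISEMENT, preference_bits=0b01)
    print(parse_ra(ra))
    print("from wireless client:", filter_decision(ra, "wireless-client"))
    print("from wired side     :", filter_decision(ra, "wired"))
```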
Automatic Configuring of the Access Point
The Autoconfig feature of autonomous access points allows the AP to download its configuration, periodically, from a Secure Copy Protocol (SCP) server. If the Autoconfig feature is enabled, the AP downloads a configuration information file from the server at a pre-configured time and applies this configuration. The next configuration download is also scheduled along with this.
Note The AP does not apply a configuration if it is the same as the last downloaded configuration.

Enabling Autoconfig

To enable Autoconfig:
Step 1 Prepare a Configuration Information File
Step 2 Enable environmental variables
Step 3 Schedule the Configuration Information File Download
Prepare a Configuration Information File
An Autoconfig-enabled AP downloads the configuration information file from the SCP server. The configuration information file is an XML file, containing the following information:
The new startup-configuration.
An Absolute time and a Range value. The AP schedules the next information file download at this absolute time plus a random value between 0 and the range value.
The configuration information file has the following format:
<?xml version="1.0" encoding="UTF-8"?>
<l2tp_cfg>
<cfg_fetch_start_time>Absolute Time</cfg_fetch_start_time>
<cfg_fetch_time_range>Random Jitter</cfg_fetch_time_range>
<cfg_fetch_config>
<![CDATA[
<Startup config>
]]>
</cfg_fetch_config>
</l2tp_cfg>
The XML tags used in the configuration information file are described below.
XML Tags Purpose
cfg_fetch_start_time This tag contains the Absolute Time in the format DAY HH:MM, where:
DAY can be any of these values: Sun, Mon, Tue, Wed, Thu, Fri, Sat, All.
HH indicates the hour, and can be a number from 0 to 23.
MM indicates the minute, and can be a number from 0 to 59.
Example: “Sun 10:30”, “Thu 00:00”, “All 12:40”
cfg_fetch_time_range A random number of seconds between 0 and this value is added to the start time, to randomize the time when the next information file is downloaded.
cfg_fetch_config This tag contains the AP’s next startup configuration.
Enable environmental variables
After you have the configuration information file ready and hosted on the SCP server, you need to configure the following environmental variables.
Environmental Variable Purpose
AUTO_CONFIG_AP_FUNCTIONALITY To enable Autoconfig, this variable must be set to ‘YES’.
AUTO_CONFIG_USER Username for accessing the SCP server
AUTO_CONFIG_PASSWD Password for accessing the SCP server
AUTO_CONFIG_SERVER Hostname/IP of SCP server
AUTO_CONFIG_INF_FILE Name of the configuration information file to be fetched from the SCP server
You can configure the environmental variables by using the following command in global configuration mode:
dot11 autoconfig add environment-variable-name val value
For example:
dot11 autoconfig add AUTO_CONFIG_SERVER val 206.59.246.199
Schedule the Configuration Information File Download
After setting the environmental variables, you need to schedule the download of the configuration information file from the SCP server. Follow these steps:
Step 1 The AP's clock time must be in sync with a SNTP (Simple Network Time Protocol) server. You can set the SNTP server using the command, sntp server sntp-server-ip, where sntp-server-ip is the IP address of the SNTP server.
Step 2 You need to set the correct time zone for the AP to have the correct time. This can be done using the command clock timezone TIMEZONE HH MM, where:
TIMEZONE is name of timezone like IST, UTC, or others.
HH is the Hours offset from the timezone
MM is the Minutes offset from timezone
Step 3 For instances where the download of the configuration information file from the SCP server fails, you can set a time interval after which the AP retries to download it again. This retry interval can be set using the command dot11 autoconfig download retry interval min MIN max MAX, where:
MIN is minimum number of seconds
MAX is maximum number of seconds between retries. After every failed download, the retry interval doubles, but the retries stop when the interval becomes larger than MAX.
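The Autoconfig procedure above, modelled end to end in Python: validate the configuration information file, compute the next download time (DAY HH:MM plus jitter), skip a configuration identical to the last one, and list the doubling retry intervals. This is an added example, not the AP's code; the sample file is constructed, the function names are hypothetical, and it assumes the first retry waits MIN seconds and that "next" means the first matching time after now.

```python
import hashlib
import random
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order
START_TIME_RE = re.compile(r"(Sun|Mon|Tue|Wed|Thu|Fri|Sat|All) (\d{1,2}):(\d{2})")

# Constructed sample in the documented format; the startup config is a stand-in.
SAMPLE_INFO_FILE = """<?xml version="1.0" encoding="UTF-8"?>
<l2tp_cfg>
<cfg_fetch_start_time>Sun 10:30</cfg_fetch_start_time>
<cfg_fetch_time_range>600</cfg_fetch_time_range>
<cfg_fetch_config>
<![CDATA[
hostname example-ap
end
]]>
</cfg_fetch_config>
</l2tp_cfg>
"""


def parse_info_file(text):
    """Validate the three documented tags and return them as a dict."""
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD declarations are not part of the documented format")
    root = ET.fromstring(text.encode("utf-8"))
    if root.tag != "l2tp_cfg":
        raise ValueError(f"unexpected root element {root.tag!r}")
    start = (root.findtext("cfg_fetch_start_time") or "").strip()
    match = START_TIME_RE.fullmatch(start)
    if match is None:
        raise ValueError(f"start time is not 'DAY HH:MM': {start!r}")
    day, hour, minute = match.group(1), int(match.group(2)), int(match.group(3))
    if hour > 23 or minute > 59:
        raise ValueError(f"hour or minute out of range: {start!r}")
    jitter_range = int((root.findtext("cfg_fetch_time_range") or "").strip())
    if jitter_range < 0:
        raise ValueError("cfg_fetch_time_range must not be negative")
    config = (root.findtext("cfg_fetch_config") or "").strip()
    if not config:
        raise ValueError("cfg_fetch_config is empty")
    return {"day": day, "hour": hour, "minute": minute,
            "jitter_range": jitter_range, "config": config}


def next_fetch_time(now, day, hour, minute, jitter_range, rng=random):
    """First matching DAY HH:MM after 'now', plus 0..jitter_range seconds."""
    candidate = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if day == "All":
        if candidate <= now:
            candidate += timedelta(days=1)
    else:
        candidate += timedelta(days=(WEEKDAYS.index(day) - now.weekday()) % 7)
        if candidate <= now:
            candidate += timedelta(days=7)
    return candidate + timedelta(seconds=rng.randint(0, jitter_range))


def should_apply(config, last_digest):
    """The AP skips a configuration identical to the last downloaded one."""
    digest = hashlib.sha256(config.encode("utf-8")).hexdigest()
    return digest != last_digest, digest


def retry_intervals(min_seconds, max_seconds):
    """Intervals double after each failed download and stop once they exceed MAX."""
    if min_seconds <= 0:
        raise ValueError("MIN must be positive")
    intervals, current = [], min_seconds
    while current <= max_seconds:
        intervals.append(current)
        current *= 2
    return intervals


if __name__ == "__main__":
    info = parse_info_file(SAMPLE_INFO_FILE)
    print("next download:", next_fetch_time(datetime(2024, 1, 3, 9, 0), info["day"],
                                            info["hour"], info["minute"], info["jitter_range"]))
    print("retry intervals:", retry_intervals(100, 400))
```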

Enabling Autoconfig via a Boot File

You can also enable Autoconfig by providing the following commands in a boot file as a part of the DHCP IP configuration.
The format of the contents of the boot file returned by the DHCP/BOOTP server should be as shown in the following example:
dot11 autoconfig add env var AUTO_CONFIG_AP_FUNCTIONALITY val YES
dot11 autoconfig add env var AUTO_CONFIG_USER val someusername
dot11 autoconfig add env var AUTO_CONFIG_PASSWD val somepasswd
dot11 autoconfig add env var AUTO_CONFIG_SERVER val scp.someserver.com
dot11 autoconfig add env var AUTO_CONFIG_INF_FILE val some_inf_file.xml
sntp server 208.210.12.199
clock timezone IST 5 30
dot11 autoconfig download retry interval min 100 max 400
end

Checking the Autoconfig Status

To check the Autoconfig status, use the show dot11 autoconfig status command.
Examples
AP1600-ATT# show dot11 autoconfig status
Dot11 l2tp auto config is disabled
1600-89-absim# show dot11 autoconfig status
Auto configuration download will occur after 45 seconds
1600-89-absim# show dot11 autoconfig status
Trying to download information file from server

Debugging Autoconfig

You can use the following debugging commands as required:
Debug commands to see Autoconfig state machine transition:
Deb dot11 autoconfigsm
Debug commands to see Autoconfig events:
Deb dot11 autoconfigev
CHAPTER 5

Administrating the Access Point

This chapter describes how to administer the wireless device. This chapter contains the following sections:
Disabling the Mode Button
Preventing Unauthorized Access to Your Access Point
Protecting Access to Privileged EXEC Commands
Configuring Easy Setup
Configuring Spectrum Expert Mode
Controlling Access Point Access with RADIUS
Controlling Access Point Access with TACACS+
Configuring Ethernet Speed and Duplex Settings
Configuring the Access Point for Wireless Network Management
Configuring the Access Point for Local Authentication and Authorization
Configuring the Authentication Cache and Profile
Configuring the Access Point to Provide DHCP Service
Configuring the Access Point for Secure Shell
Configuring Client ARP Caching
Managing the System Time and Date
Defining HTTP Access
Creating a Banner
Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode

Disabling the Mode Button

You can disable the mode button on access points having a console port by using the global configuration [no] boot mode-button command. This command prevents password recovery and is used to prevent unauthorized users from gaining access to the access point CLI.
Caution This command disables password recovery. If you lose the privileged EXEC mode password for the access point after entering this command, you will need to contact the Cisco Technical Assistance Center (TAC) to regain access to the access point CLI.
The mode button is enabled by default. Beginning in the privileged EXEC mode, follow these steps to disable the access point mode button.
Step  Command  Purpose
Step 1  configure terminal
    Enter global configuration mode.
Step 2  no boot mode-button
    Disables the access point mode button.
Step 3  end
    Note It is not necessary to save the configuration.
You can check the status of the mode-button by executing the show boot or show boot mode-button commands in the privileged EXEC mode. The status does not appear in the running configuration. The following shows a typical response to the show boot and show boot mode-button commands:
ap#show boot
BOOT path-list: flash:/ap3g2-k9w7-mx.152-4.JA1/ap3g2-k9w7-mx.152-4.JA1
Config file: flash:/config.txt
Private Config file: flash:/private-config
Enable Break: yes
Manual Boot: no
Enable IOS Break: no
HELPER path-list:
NVRAM/Config file buffer size: 32768
Mode Button: on
Radio Core TFTP:
ap#
Note As long as the privileged EXEC password is known, you can restore the mode button to normal operation using the global configuration boot mode-button command.

Preventing Unauthorized Access to Your Access Point

You can prevent unauthorized users from reconfiguring the wireless device and viewing configuration information. Typically, you want network administrators to have access to the wireless device while you restrict access to users who connect through a terminal or workstation from within the local network.
To prevent unauthorized access to the wireless device, you should configure one of these security features:
Username and password pairs, which are locally stored on the wireless device. These pairs authenticate each user before that user can access the wireless device. You can also assign a specific privilege level (read only or read/write) to each username and password pair. For more information, see the “Configuring Username and Password Pairs” section on page 5-7. The default username is Cisco, and the default password is Cisco. Usernames and passwords are case-sensitive.
Note Characters TAB, ?, $, +, and [ are invalid characters for passwords.
Username and password pairs stored centrally in a database on a RADIUS or TACACS+ security server. For more information, see the “Controlling Access Point Access with RADIUS” section on page 5-12 and the “Controlling Access Point Access with TACACS+” section on page 5-17.

Protecting Access to Privileged EXEC Commands

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can issue after they have logged into a network device.
Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.3.
This section describes how to control access to the configuration file and privileged EXEC commands. It contains this configuration information:
Default Password and Privilege Level Configuration
Setting or Changing a Static Enable Password
Protecting Enable and Enable Secret Passwords with Encryption
Configuring Username and Password Pairs
Configuring Multiple Privilege Levels

Default Password and Privilege Level Configuration

Table 5-1 shows the default password and privilege level configuration.
Table 5-1 Default Password and Privilege Levels
Feature    Default Setting
Username and password
    Default username is Cisco and the default password is Cisco.
Enable password and privilege level
    Default password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted in the configuration file.
Enable secret password and privilege level
    The default enable password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.
Line password
    Default password is Cisco. The password is encrypted in the configuration file.

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode.
Note The no enable password global configuration command removes the enable password, but you should use extreme care when using this command. If you remove the enable password, you are locked out of the EXEC mode.
Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step  Command  Purpose
Step 1  configure terminal
    Enter global configuration mode.
Step 2  enable password password
    Define a new password or change an existing password for access to privileged EXEC mode.
    The default password is Cisco.
    For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password; for example, to create the password abc?123, do this:
    1. Enter abc.
    2. Enter Ctrl-V.
    3. Enter ?123.
    When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-V; you can simply enter abc?123 at the password prompt.
    Note Characters TAB, ?, $, +, and [ are invalid characters for passwords.
Step 3  end
    Return to privileged EXEC mode.
Step 4  show running-config
    Verify your entries.
Step 5  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):
AP(config)# enable password l1u2c3k4y5
The enable password is not encrypted and can be read in the wireless device configuration file.

Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.
We recommend that you use the enable secret command because it uses an improved encryption algorithm.
If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:
Step  Command  Purpose
Step 1  configure terminal
    Enter global configuration mode.
Step 2  enable password [level level] {password | encryption-type encrypted-password}
    Define a new password or change an existing password for access to privileged EXEC mode.
    or
    enable secret [level level] {password | encryption-type encrypted-password}
    Define a secret password, which is saved using a nonreversible encryption method.
    (Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).
    For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
    (Optional) For encryption-type, both type 0 and type 7 are available. Encryption type 0 is for providing an unencrypted password. Encryption type 7 is for providing an encrypted password. Both types are taken and the password string is converted into an encryption type 5, a Cisco proprietary encryption algorithm.
    Note If you specify an encryption type and then enter a clear text password, you can not re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.
Step 3  service password-encryption
    (Optional) Encrypt the password when the password is defined or when the configuration is written.
    Encryption prevents the password from being readable in the configuration file.
Step 4  end
    Return to privileged EXEC mode.
Step 5  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
If both the enable and enable secret passwords are defined, users must enter the enable secret password.
Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels. For more information, see the “Configuring Multiple Privilege Levels” section on page 5-8.
If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.
To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
AP(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Configuring Username and Password Pairs

You can configure username and password pairs, which are locally stored on the wireless device. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the wireless device. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:
Step  Command  Purpose
Step 1  configure terminal
    Enter global configuration mode.
Step 2  login local
    Enable local password checking at login time. Authentication is based on the username specified in Step 2.
Step 3  username name [privilege level] {password encryption-type password}
    Enter the username, privilege level, and password for each user.
    For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
    (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.
    For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow.
    For password, specify the password the user must enter to gain access to the wireless device. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
Step 4  end
    Return to privileged EXEC mode.
Step 5  show running-config
    Verify your entries.
Step 6  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To disable username authentication for a specific user, use the no username name global configuration command.
To disable password checking and allow connections without a password, use the no login line configuration command.
Note You must have at least one username configured and you must have login local set to open a Telnet session to the wireless device. If you enter the only username for the no username command, you can be locked out of the wireless device.
Alternatively, you can disable username verification for Telnet with the line configuration command no login. You can then log in to the AP with user verification, and then you will need the enable password (or enable secret) commands to gain privileged EXEC level. You can also grant this level by default to the Telnet line with the command privilege level 15.
Note If you use both the no login and privilege level 15 commands, any Telnet client connecting to the AP will have full privilege access to the AP.
ap(config)# line vty 0 4
ap(config-line)# no login
ap(config-line)# privilege level 15
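The settings this section warns about (a readable enable password, the default Cisco username and password, and no login combined with privilege level 15 on the vty lines) can be looked for in a saved configuration file. The following Python sketch is an added example, not part of the Cisco guide: the sample configuration is constructed, the finding codes and severities are hypothetical, and labelling type 7 as reversible is general knowledge about that encoding rather than a statement from this page.

```python
import re

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
enable password l1u2c3k4y5
username Cisco privilege 15 password 0 Cisco
username netops privilege 2 password 7 TYPE7PLACEHOLDER
line con 0
 login local
line vty 0 4
 no login
 privilege level 15
end
"""

USER_RE = re.compile(r"username (\S+)(?: privilege (\d+))? password (?:([07]) )?(.+)$")
ENABLE_RE = re.compile(r"enable password (?:level (\d+) )?(?:([07]) )?(.+)$")


def parse(text):
    """Split a config into global commands and per-'line' sub-command lists."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if cmd.startswith("line "):
            current = line_blocks.setdefault(cmd, [])
        elif raw[0].isspace() and current is not None:
            current.append(cmd)          # indented: belongs to the open line block
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def audit(text):
    """Return (severity, code, detail) findings; codes and severities are hypothetical."""
    global_cmds, line_blocks = parse(text)
    out = []
    has_secret = any(c.startswith("enable secret ") for c in global_cmds)
    for cmd in global_cmds:
        m = ENABLE_RE.match(cmd)
        if m:
            kind = "type 7 (reversible)" if m.group(2) == "7" else "clear text"
            note = "" if has_secret else "; no enable secret is configured"
            out.append(("HIGH", "ENABLE_PASSWORD", f"enable password stored as {kind}{note}"))
        m = USER_RE.match(cmd)
        if m:
            name, _level, etype, pw = m.groups()
            if name == "Cisco":
                out.append(("HIGH", "DEFAULT_USERNAME", "default username Cisco still present"))
            if etype != "7" and pw == "Cisco":
                out.append(("CRITICAL", "DEFAULT_PASSWORD", f"user {name} has the default password"))
            if etype == "7":
                out.append(("MEDIUM", "TYPE7_USER", f"user {name} password is type 7 (reversible)"))
            else:
                out.append(("HIGH", "CLEARTEXT_USER", f"user {name} password is in clear text"))
    for header, subs in line_blocks.items():
        if header.startswith("line vty") and "no login" in subs:
            if "privilege level 15" in subs:
                out.append(("CRITICAL", "VTY_OPEN_PRIV15", f"{header}: no login with privilege level 15"))
            else:
                out.append(("HIGH", "VTY_NO_LOGIN", f"{header}: no login"))
    return out
```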

Configuring Multiple Privilege Levels

By default, Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.
This section includes this configuration information:
Setting the Privilege Level for a Command
Logging Into and Exiting a Privilege Level
Setting the Privilege Level for a Command
Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:
Step  Command  Purpose
Step 1  configure terminal
    Enter global configuration mode.
Step 2  privilege mode level level command
    Set the privilege level for a command.
    For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode.
    For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
    For command, specify the command to which you want to restrict access.
Step 3  enable password level level password
    Specify the enable password for the privilege level.
    For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
    For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
    Note Characters TAB, ?, $, +, and [ are invalid characters for passwords.
Step 4  end
    Return to privileged EXEC mode.
Step 5  show running-config
    or
    show privilege
    Verify your entries.
    The first command displays the password and access level configuration. The second command displays the privilege level configuration.
Step 6  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
To return to the default privilege for a given command, use the no privilege mode level level command global configuration command.
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
AP(config)# privilege exec level 14 configure
AP(config)# enable password level 14 SecretPswd14
Logging Into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Step  Command  Purpose
Step 1  enable level
    Log in to a specified privilege level.
    For level, the range is 0 to 15.
Step 2  disable level
    Exit to a specified privilege level.
    For level, the range is 0 to 15.

Configuring Easy Setup

You can now configure a network and radio in a single screen using the Easy Setup.
Network Configuration
To configure an access point using the network configuration, enter the values for the following fields:
Hostname
Server protocol (DHCP / Static)
IP Address
IP Subnet
Default Gateway
IPv6 Protocol (DHCP / Autoconfig / Static IP)
IPv6 address
Username
Password
SNMP Community
Current SSID list (list SSIDs configured to the access point)
Radio Configuration
To configure an access point using Radio Configuration, configure the following fields:
SSID—a 32 byte string.
Broadcast SSID in beacon
Security
Role in Radio Network
Access point—Root device. This setting can be applied to any access point.
Repeater—Nonroot device. This setting also can be applied to any access point.
Root Bridge—This setting can be applied to any access point.
Non-Root Bridge—This setting can be applied to any access point.
Workgroup Bridge—This setting can be applied to any access point.
Universal Workgroup Bridge
Scanner—Access point functions as a network monitoring device. It continuously scans and reports wireless traffic that it detects from other wireless devices on the wireless LAN in this mode. All access points can be configured as a scanner.