Cisco Systems OL-6415-04 User Manual

Cisco Wireless ISR and HWIC Access Point Configuration Guide

December 2006
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
Fax: 408 526-4100
Text Part Number: OL-6415-04
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0612R)
Cisco Wireless ISR and HWIC Access Point Configuration Guide Copyright © 2006 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface
  Audience
  Purpose
  Organization
  Conventions
  Related Publications
  Obtaining Documentation
  Cisco.com
  Product Documentation DVD
  Ordering Documentation
  Documentation Feedback
  Cisco Product Security Overview
  Reporting Security Problems in Cisco Products
  Obtaining Technical Assistance
  Cisco Technical Support & Documentation Website
  Submitting a Service Request
  Definitions of Service Request Severity
  Obtaining Additional Publications and Information

Chapter 1 Overview
  Wireless Device Management
  Network Configuration Example
  Root Unit on a Wired LAN
  Features

Chapter 2 Configuring Radio Settings
  Enabling the Radio Interface
  Roles in Radio Network
  Configuring Network or Fallback Role
  Bridge Features Not Supported
  Sample Bridging Configuration
  Universal Client Mode
  Configuring Universal Client Mode
  Configuring Radio Data Rates
  Configuring Radio Transmit Power
  Limiting the Power Level for Associated Client Devices
  Configuring Radio Channel Settings
  DFS Automatically Enabled on Some 5-GHz Radio Channels
  Enabling and Disabling World Mode
  Enabling and Disabling Short Radio Preambles
  Configuring Transmit and Receive Antennas
  Disabling and Enabling Access Point Extensions
  Configuring the Ethernet Encapsulation Transformation Method
  Enabling and Disabling Reliable Multicast to Workgroup Bridges
  Enabling and Disabling Public Secure Packet Forwarding
  Configuring Protected Ports
  Configuring Beacon Period and DTIM
  Configuring RTS Threshold and Retries
  Configuring Maximum Data Retries
  Configuring Fragmentation Threshold
  Enabling Short Slot Time for 802.11g Radios
  Performing a Carrier Busy Test

Chapter 3 Configuring Multiple SSIDs
  Understanding Multiple SSIDs
  SSID Configuration Methods Supported by Cisco IOS Releases
  Configuring Multiple SSIDs
  Creating an SSID Globally
  Using a RADIUS Server to Restrict SSIDs
  Configuring Multiple Basic SSIDs
  Requirements for Configuring Multiple BSSIDs
  Guidelines for Using Multiple BSSIDs
  Enabling MBSSID and SSIDL at the same time
  Sample Configuration for Enabling MBSSID and SSIDL

Chapter 4 Configuring an Access Point as a Local Authenticator
  Understand Local Authentication
  Configure a Local Authenticator
  Guidelines for Local Authenticators
  Configuration Overview
  Configuring the Local Authenticator Access Point
  Configuring Other Access Points to Use the Local Authenticator
  Configuring EAP-FAST Settings
  Limiting the Local Authenticator to One Authentication Type
  Unblocking Locked Usernames
  Viewing Local Authenticator Statistics
  Using Debug Messages

Chapter 5 Configuring Encryption Types
  Understand Encryption Types
  Configure Encryption Types
  Creating WEP Keys
  Creating Cipher Suites
  Enabling and Disabling Broadcast Key Rotation
  Security Type in Universal Client Mode

Chapter 6 Configuring Authentication Types
  Understand Authentication Types
  Open Authentication to Access Point
  Shared Key Authentication to Access Point
  EAP Authentication to Network
  MAC Address Authentication to the Network
  Combining MAC-Based, EAP, and Open Authentication
  Using WPA Key Management
  Software and Firmware Requirements for WPA and WPA-TKIP
  Configure Authentication Types
  Assigning Authentication Types to an SSID
  Configuring Authentication Holdoffs, Timeouts, and Intervals
  Matching Access Point and Client Device Authentication Types

Chapter 7 Configuring RADIUS Servers
  Configuring and Enabling RADIUS
  Understanding RADIUS
  RADIUS Operation
  Configuring RADIUS
  Displaying the RADIUS Configuration
  RADIUS Attributes Sent by the Access Point

Chapter 8 Configuring VLANs
  Understanding VLANs
  Related Documents
  Incorporating Wireless Devices into VLANs
  Configuring VLANs
  Configuring a VLAN
  Assigning Names to VLANs
  Using a RADIUS Server to Assign Users to VLANs
  Viewing VLANs Configured on the Access Point
  VLAN Configuration Example

Chapter 9 Configuring QoS
  Understanding QoS for Wireless LANs
  QoS for Wireless LANs Versus QoS on Wired LANs
  Impact of QoS on a Wireless LAN
  Precedence of QoS Settings
  Using Wi-Fi Multimedia Mode
  Configuring QoS
  Configuration Guidelines
  Adjusting Radio Access Categories
  Disabling IGMP Snooping Helper
  Sample Configuration Using the CLI

Appendix A Channel Settings
  IEEE 802.11b (2.4-GHz Band)
  IEEE 802.11g (2.4-GHz Band)
  IEEE 802.11a (5-GHz Band)

Appendix B Protocol Filters

Appendix C Supported MIBs
  MIB List
  Using FTP to Access the MIB Files

Appendix D Error and Event Messages
  How to Read System Messages
  Message Traceback Reports
  Association Management Messages
  802.11 Subsystem Messages
  Local Authenticator Messages

Glossary

Index

Preface

The Preface provides information on the following topics:
Audience
Purpose
Organization
Related Publications
Obtaining Documentation

Audience

This guide is for the networking professional who installs and manages Cisco stationary routers with wireless capabilities. You should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of wireless LANs.
This document provides information for the following interfaces:
Access Point High-speed WAN Interface Card (AP HWIC)
Cisco 800 series routers with wireless capabilities
Cisco 1800 series routers with wireless capabilities

Purpose

This guide provides the information you need to install and configure your Cisco wireless device, for example, AP HWIC, Cisco 800 series and Cisco 1800 series routers. This guide provides procedures for using the Cisco IOS software commands that have been created or changed for use with the wireless device. It does not provide detailed information about these commands. For information about the standard Cisco IOS software commands, see the Cisco IOS software documentation set available from the Cisco.com home page at Service and Support > Technical Documents. On the Cisco Product Documentation home page, select Release 12.4 from the Cisco IOS Software drop-down list.

Organization

This guide consists of the following chapters:
Chapter 1, “Overview,” lists the software and hardware features of the wireless device and describes the role of the wireless device in your network.
Chapter 2, “Configuring Radio Settings,” describes how to configure settings for the wireless device radio such as the role in the radio network, data rates, transmit power, channel settings, and others.
Chapter 3, “Configuring Multiple SSIDs,” describes how to configure and manage multiple service set identifiers (SSIDs) and multiple basic SSIDs (BSSIDs) on your wireless device. You can configure up to 16 SSIDs and 16 BSSIDs on your wireless device and assign different configuration settings to each.
Chapter 4, “Configuring an Access Point as a Local Authenticator,” describes how to configure the wireless device to act as a local RADIUS server for your wireless LAN. If the WAN connection to your main RADIUS server fails, the wireless device acts as a backup server to authenticate wireless devices.
Chapter 5, “Configuring Encryption Types,” describes how to configure the cipher suites required to use authenticated key management, Wired Equivalent Privacy (WEP), and WEP features.
Chapter 6, “Configuring Authentication Types,” describes how to configure authentication types on the wireless device. Client devices use these authentication methods to join your network.
Chapter 7, “Configuring RADIUS Servers,” describes how to enable and configure the RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes.
Chapter 8, “Configuring VLANs,” describes how to configure your wireless device to interoperate with the VLANs set up on your wired LAN.
Chapter 9, “Configuring QoS,” describes how to configure quality of service (QoS) on your wireless device. With this feature, you can provide preferential treatment to certain traffic at the expense of others.
Appendix A, “Channel Settings,” lists the wireless device radio channels and the maximum power levels supported by the world’s regulatory domains.
Appendix B, “Protocol Filters,” lists some of the protocols that you can filter on the wireless device.
Appendix C, “Supported MIBs,” lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the wireless device supports for this software release.
Appendix D, “Error and Event Messages,” lists the CLI error and event messages and provides an explanation and recommended action for each message.

Conventions

This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
Commands and keywords are in boldface text.
Arguments for which you supply values are in italic.
Square brackets ([ ]) mean optional elements.
Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
Interactive examples use these conventions:
Terminal sessions and system displays are in screen font.
Information you enter is in boldface screen font.
Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and timesavers use these conventions and symbols:
Tip Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.
Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix “Translated Safety Warnings.”)

Related Publications

Related Cisco technical documentation includes the following:

Table 1 Related and Referenced Documents

Cisco Product / Document Title

Cisco Access Point High-Speed WAN Interface Card
  Cisco Interface Cards Installation Guide
  Quick Start Guide: Interface Cards for Cisco Access Routers
  Installing, Replacing, and Upgrading Components in Cisco Modular Access Routers and Integrated Services Routers

Cisco 800 series routers
  Cisco 850 Series and Cisco 870 Series Routers Hardware Installation Guide
  Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide
  Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
  Regulatory Compliance and Safety Information for Cisco 800 Series and SOHO Series Routers
  Upgrading Memory in Cisco 800 Routers

Cisco 1800 series routers
  Cisco 1800 Series Integrated Services Routers (Modular) Quick Start Guide
  Cisco 1800 Series Routers Hardware Installation Documents
  Cisco 1800 Series Software Configuration Guide
  Cisco 1800 Series Cards and Modules
  Regulatory Compliance and Safety Information for Cisco 1840 Routers
  Cisco Modular Access Router Cable Specifications

Cisco IOS software
  Cisco IOS software documentation, all releases. Refer to the documentation for the Cisco IOS software release installed on your router.

Additional Documentation
  Cisco AP HWIC and Access Router Wireless Configuration Guide
  Cisco Aironet 2.4-GHz Articulated Dipole Antenna (AIR-ANT4941)
  Cisco Aironet High Gain Omnidirectional Ceiling Mount Antenna (AIR-ANT1728)
  Cisco Aironet 2 dBi Diversity Omnidirectional Ceiling Mount Antenna (AIR-ANT5959)
  Antenna Cabling
  Declarations of Conformity and Regulatory Information for Cisco Access Products with 802.11a/b/g and 802.11b/g Radios

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport

You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation.
The Product Documentation DVD is a comprehensive library of technical product documentation on portable media. The DVD enables you to access multiple versions of hardware and software installation, configuration, and command guides for Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Cisco will continue to support documentation orders using the Ordering tool:
Registered Cisco.com users (Cisco direct customers) can order documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Instructions for ordering documentation using the Ordering tool are at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.
You can send comments about Cisco documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883
We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
Report security vulnerabilities in Cisco products.
Obtain assistance with security incidents that involve Cisco products.
Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:
Emergencies — security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered non emergencies.
Non emergencies — psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
1 877 228-7302
1 408 525-6532
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htm
The link on this page has the current PGP key ID in use.

Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo
merchandise. Visit Cisco Marketplace, the company store, at this
http://www.cisco.com/go/marketplace/
Cisco Press publishes a wide range of general networking, training and certification titles. Both new
and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this
http://www.ciscopress.com
Pack et magazine is the Cisco Systems technical user magazine for maximizing Internet and
networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this
URL:
http://www.cisco.com/packet
URL:
URL:
OL-6415-04
Cisco Wireless ISR and HWIC Access Point Configuration Guide
17
Obtaining Additional Publications and Information
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies
learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
or view the digital edition at this URL:
http://ciscoiq.texterity.com/ciscoiq/sample/
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
CHAPTER 1

Overview

Cisco wireless devices provide a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, Cisco wireless devices are Wi-Fi certified, 802.11b-compliant, 802.11g-compliant, or 802.11a-compliant wireless LAN transceivers.
This document provides information for the following devices:
Access Point High-speed WAN Interface Card (AP HWIC)
Cisco 800 Series routers with wireless capabilities
Cisco 1800 Series routers with wireless capabilities
This chapter provides information on the following topics:
Wireless Device Management
Network Configuration Example
Features

Wireless Device Management

You can use the wireless device management system through the following interfaces:
The Cisco IOS command-line interface (CLI), which you can use through a console port or a Telnet session. Use the interface dot11radio configuration command in global mode to place the wireless device into radio configuration mode.
Simple Network Management Protocol (SNMP).

Network Configuration Example

This section describes the wireless device role in common wireless network configurations. The access point default configuration is as a root unit connected to a wired LAN or as the central unit in an all-wireless network.
Root Unit on a Wired LAN
An access point connected directly to a wired LAN provides a connection point for wireless users.
Figure 1-1 shows access points acting as root units on a wired LAN.
Figure 1-1 Access Points as Root Units on a Wired LAN

Features

This section lists features supported on access points running Cisco IOS software.
Access Point Link Role Flexibility—This feature allows the user to configure root and non-root bridging mode functionality, universal client mode, and support of a WGB client device, in addition to a root access point on the radio interface.
Note Root/Non-Root bridging mode is supported only on modular ISR platforms, such as Cisco 3800 series, Cisco 2800 and Cisco 1841 series. Fixed ISR platforms, such as the Cisco 800 and Cisco 1800, do not support this feature.
QoS Basic Service Set (QBSS) support—This feature aligns Cisco QBSS implementation with the evolving 802.11e standard. The QBSS element of the access point’s beacon advertises channel load instead of traffic load. A new configuration command, dot11 phone dot11e, has been added in Release 12.4 that allows the standard QBSS Load element to be sent in the beacon. This command should be used when compatible phones are employed in the network.
Secure Shell version 2 (SSHv2) support—SSHv2 is a standards-based protocol to provide secure Telnet capability for router configuration and administration.
Support for Multiple BSSIDs—This feature permits a single access point to appear to the WLAN as multiple virtual access points. It does this by assigning an access point with multiple Basic Service Set IDs (MBSSIDs) or MAC addresses.
To determine whether a radio supports multiple basic SSIDs, enter the show controllers command for the radio interface. The radio supports multiple basic SSIDs if the results include this line:
Number of supported simultaneous BSSID on radio_interface: 8
Support for Wi-Fi 802.11h and Dynamic Frequency Selection (DFS)—This feature allows access points configured at the factory for use in Europe to detect radar signals such as military and weather sources and switch channels on the access points.
SNMPv3—This feature enables SNMPv3 support on Cisco wireless devices to provide an additional level of security.
World mode—Use this feature to communicate the access point’s regulatory setting information, including maximum transmit power and available channels, to world mode-enabled clients. Clients using world mode can be used in countries with different regulatory settings and automatically conform to local regulations. World mode is supported only on the 2.4-GHz radio.
Multiple SSIDs—Create up to 16 SSIDs on the wireless device and assign any combination of these settings to each SSID:
Broadcast SSID mode for guests on your network
Client authentication methods
Maximum number of client associations
VLAN identifier
RADIUS accounting list identifier
A separate SSID for infrastructure devices such as repeaters and workgroup bridges
Note Only 10 SSIDs are supported on the Cisco 800 series platforms.
VLANs—Assign VLANs to the SSIDs on the wireless device (one VLAN per SSID) to differentiate policies and services among users.
QoS—Use this feature to support quality of service for prioritizing traffic from the Ethernet to the access point. The access point also supports the voice-prioritization schemes used by 802.11b wireless phones such as the Cisco 7920 and Spectralink's Netlink™.
RADIUS Accounting—Enable accounting on the access point to send accounting data about wireless client devices to a RADIUS server on your network.
Enhanced security—Enable three advanced security features to protect against sophisticated attacks on your wireless network's WEP keys: Message Integrity Check (MIC), WEP key hashing, and broadcast WEP key rotation.
Enhanced authentication services—Set up repeater access points to authenticate to your network like other wireless client devices. After you provide a network username and password for the repeater, it authenticates to your network using Light Extensible Authentication Protocol (LEAP), Cisco's wireless authentication method, and receives and uses dynamic WEP keys.
Wi-Fi Protected Access (WPA)—Wi-Fi Protected Access is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages Temporal Key Integrity Protocol (TKIP) for data protection and 802.1X for authenticated key management.
Access point as backup or stand-alone authentication server—You can configure an access point to act as a local authentication server to provide authentication service for small wireless LANs without a RADIUS server or to provide backup authentication service in case of a WAN link or a server failure. The number of clients supported varies based on platform, with up to 1000 user accounts supported on the higher end platforms.
Support for 802.11g radios—Cisco IOS Releases 12.4(2)T or later support the standard 802.11g, 2.4-GHz radio.
Support for Cisco 802.11a Radios—The 802.11a radios support all access point features introduced in Cisco IOS Release 12.4 and later.
AES-CCMP—This feature supports Advanced Encryption Standard-Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). AES-CCMP is required for Wi-Fi Protected Access 2 (WPA2) and IEEE 802.11i wireless LAN security.
IEEE 802.1X Local Authentication Service for EAP-FAST—This feature expands wireless domain services (WDS) IEEE 802.1X local authentication to include support for Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST).
Wi-Fi Multimedia (WMM) Required Elements—This feature supports the required elements of WMM. WMM is designed to improve the user experience for audio, video, and voice applications over a Wi-Fi wireless connection. WMM is a subset of the IEEE 802.11e Quality of Service (QoS) draft standard. WMM supports QoS prioritized media access via the Enhanced Distributed Channel Access (EDCA) method. Optional elements of the WMM specification including call admission control using traffic specifications (TSPEC) are not supported in this release.
VLAN Assignment By Name—This feature allows the RADIUS server to assign a client to a virtual LAN (VLAN) identified by its VLAN name. In releases before Cisco IOS Release 12.4(5)T, the RADIUS server identified the VLAN by ID. This feature is important for deployments where VLAN IDs are not used consistently throughout the network.
Microsoft WPS IE SSIDL—This feature allows the access point to broadcast a list of configured SSIDs (the SSIDL) in the Microsoft Wireless Provisioning Services Information Element (WPS IE). A client with the ability to read the SSIDL can alert the user to the availability of the SSIDs. This feature provides a bandwidth-efficient, software-upgradeable alternative to multiple broadcast SSIDs (MB/SSIDs).
HTTP Web Server v1.1—This feature provides a consistent interface for users and applications by implementing the HTTP 1.1 standard (see RFC 2616). In previous releases, Cisco software supported only a partial implementation of HTTP 1.0. The integrated HTTP Server API supports server application interfaces. When combined with the HTTPS and HTTP 1.1 Client features, it provides a complete, secure solution for HTTP services to and from Cisco devices.
CHAPTER 2

Configuring Radio Settings

This chapter describes how to configure radio settings for the wireless device. This chapter includes these sections:
Enabling the Radio Interface
Roles in Radio Network
Configuring Network or Fallback Role
Sample Bridging Configuration
Universal Client Mode
Configuring Universal Client Mode
Configuring Radio Data Rates
Configuring Radio Transmit Power
Configuring Radio Channel Settings
Enabling and Disabling World Mode
Enabling and Disabling Short Radio Preambles
Configuring Transmit and Receive Antennas
Disabling and Enabling Access Point Extensions
Configuring the Ethernet Encapsulation Transformation Method
Enabling and Disabling Reliable Multicast to Workgroup Bridges
Enabling and Disabling Public Secure Packet Forwarding
Configuring Beacon Period and DTIM
Configuring RTS Threshold and Retries
Configuring Maximum Data Retries
Configuring Fragmentation Threshold
Enabling Short Slot Time for 802.11g Radios
Performing a Carrier Busy Test

Enabling the Radio Interface

The wireless device radios are disabled by default.
Note In Cisco IOS Release 12.4 there is no default SSID. You must create a Radio Service Set Identifier (SSID) before you can enable the radio interface.
Beginning in privileged EXEC mode, follow these steps to enable the wireless device radio:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: interface dot11radio { 0 | 1 }
  Purpose: Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 3
  Command: ssid
  Purpose: Enter the SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.
Step 4
  Command: no shutdown
  Purpose: Enable the radio port.
Step 5
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 6
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
Use the shutdown command to disable the radio port.

Roles in Radio Network

You can configure the following roles in a radio network:
Network or Fallback Role
Universal Client Mode
Table 2-1 shows the role in the radio network for each device.
Table 2-1 Device Role in Radio Network Configuration

| Role in Radio Network | Cisco 800 series ISRs | Cisco 1800 series ISRs | Cisco 1841 series | Cisco 2800 series ISRs | Cisco 3800 series ISRs |
|---|---|---|---|---|---|
| Root access point | X | X | X | X | X |
| Root bridge with or without clients | | | X | X | X |
| Non-root bridge without clients | | | X | X | X |
| Universal client mode | X | X | X | X | X |
| Support of Workgroup bridge clients | X | X | X | X | X |

Configuring Network or Fallback Role

You can also configure a fallback role for root access points. The wireless device automatically assumes the fallback role when its Ethernet port is disabled or disconnected from the wired LAN. The fallback role is Shutdown—the wireless device shuts down its radio and disassociates all client devices.
Beginning in privileged EXEC mode, follow these steps to set the wireless device’s radio network role and fallback role:
Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: interface dot11radio { 0 | 1 }
  Purpose: Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 3
  Command: station-role
    non-root {bridge | return}
    root {fallback | repeater | wireless clients | shutdown]}
  Purpose: Sets the wireless device role to universal client mode.
    Set the role to non-root bridge with or without wireless clients, repeater access point, root access point or bridge, scanner, or workgroup bridge.
    The bridge mode radio supports point-to-point configuration only.
    The Ethernet port is shut down when any one of the radios is configured as a repeater. Only one radio per access point may be configured as a workgroup bridge or repeater.
    The dot11radio 0|1 antenna-alignment command is available when the access point is configured as a repeater.
    Spanning Tree Protocol (STP) is configurable on Cisco ISR series access points in bridge modes.
    (Optional) Select the root access point’s fallback role. If the wireless device’s Ethernet port is disabled or disconnected from the wired LAN, the wireless device can either shut down its radio port or become a repeater access point associated to any nearby root access point.
Step 4
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 5
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
Bridge Features Not Supported
The following features are not supported when a Cisco ISR series access point is configured as a bridge:
Clear Channel Assessment (CCA)
Interoperability with 1400 series bridge
Concatenation
Install mode
EtherChannel and PAgP configuration on switch
For root and non-root bridging mode operations, only bridge-group mode using BVI interface is supported. Routing mode is not supported for root and non-root bridging operations.
Sample Bridging Configuration
The following is a sample of a Root Bridge Configuration:
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 20.0.0.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
dot11 ssid airlink2-bridge
 vlan 1
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 12345678
!
dot11 priority-map avvid
ip cef
!
!
no ip domain lookup
!
!
bridge irb
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 30.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
interface Dot11Radio0/0/0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid airlink2-bridge
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root bridge
!
interface Dot11Radio0/0/0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0/0/1
 no ip address
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface BVI1
 ip address 20.0.0.1 255.0.0.0
!
ip route 0.0.0.0 0.0.0.0 20.0.0.5
!
!
ip http server
no ip http secure-server
!
!
radius-server local
 nas 20.0.0.1 key 0 wireless
 user non-root nthash 0 3741A4EE66E1AA56CD8B3A9038580DC9
!
radius-server host 20.0.0.1 auth-port 1812 acct-port 1813 key wireless
!
control-plane
!
bridge 1 route ip
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
The following is a sample of Non-Root Bridge Configuration:
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
dot11 ssid airlink2-bridge
 vlan 1
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 12345678
!
dot11 priority-map avvid
ip cef
!
!
bridge irb
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0/1/0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid airlink2-bridge
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role non-root bridge
!
interface Dot11Radio0/1/0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 20.0.0.5 255.0.0.0
!
ip route 0.0.0.0 0.0.0.0 20.0.0.1
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
bridge 1 route ip
!
!
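The Python script below is an added example, not part of the Cisco guide. It audits an abridged excerpt of the root bridge sample for settings to review before deployment (the non-root sample shares the PSK, cipher, and HTTP lines): a type 0 pre-shared key, TKIP as the only cipher, plain HTTP management, unencrypted RADIUS secrets, and a console line with no idle timeout. The rule names and the 20-character passphrase threshold are assumptions made for this example.

```python
import re

# Constructed excerpt: lines copied from the root bridge sample above, abridged.
SAMPLE_CONFIG = """\
dot11 ssid airlink2-bridge
 authentication key-management wpa
 wpa-psk ascii 0 12345678
!
interface Dot11Radio0/0/0
 encryption vlan 1 mode ciphers tkip
 station-role root bridge
!
ip http server
no ip http secure-server
!
radius-server local
 nas 20.0.0.1 key 0 wireless
!
radius-server host 20.0.0.1 auth-port 1812 acct-port 1813 key wireless
!
line con 0
 exec-timeout 0 0
"""

MIN_PSK_LEN = 20  # assumption: local policy threshold, not a Cisco limit

# (rule id, pattern that must match a whole stripped line, why it matters)
RULES = [
    ("psk-type0", r"wpa-psk (?:ascii|hex) 0 \S+",
     "pre-shared key is stored unencrypted (type 0)"),
    ("cipher-tkip-only", r"encryption .*mode ciphers tkip",
     "TKIP is the only cipher; WPA2/802.11i requires AES-CCMP"),
    ("http-cleartext", r"ip http server", "management web server uses plain HTTP"),
    ("https-disabled", r"no ip http secure-server", "HTTPS management is turned off"),
    ("radius-key-type0", r"(?:nas \S+|radius-server host .+?) key (?:0 )?\S+",
     "RADIUS shared secret is stored unencrypted"),
    ("no-idle-timeout", r"exec-timeout 0 0", "sessions on this line never time out"),
]
COMPILED = [(rid, re.compile(pat), why) for rid, pat, why in RULES]
PSK_RE = re.compile(r"wpa-psk ascii 0 (\S+)")

def audit(config_text):
    """Return a (rule_id, section, line, why) tuple for each weak setting."""
    findings, section = [], ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            section = line  # an unindented command opens a new section
        for rid, rx, why in COMPILED:
            if rx.fullmatch(line):
                findings.append((rid, section, line, why))
        psk = PSK_RE.fullmatch(line)
        if psk and len(psk.group(1)) < MIN_PSK_LEN:
            findings.append(("psk-short", section, line,
                             f"passphrase is under {MIN_PSK_LEN} characters"))
    return findings

if __name__ == "__main__":
    for rid, section, line, why in audit(SAMPLE_CONFIG):
        print(f"[{rid}] {section} | {line} | {why}")
```

Each finding carries the section it was found in, so the PSK finding points at the dot11 ssid block and the timeout finding at line con 0.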