
Cisco Router 860, 880 Series User Manual



    							Service Set Identifier (SSID)
      Multiple Basic SSIDs
    9
    Configuring SSIDs
    OL-11499-01
• The guest-mode SSID and Delivery Traffic Indicator Message (DTIM) period configured in this command are applied only when MBSSIDs are enabled on the radio interface.
• When client devices receive a beacon that contains a DTIM, they wake up to check for pending packets. Longer intervals between DTIMs let battery-powered clients sleep longer and preserve power. Conversely, shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.
• Increasing the DTIM period count delays the delivery of multicast packets. Because multicast packets are buffered, large DTIM period counts can cause a buffer overflow.
• If you configure a DTIM period for a BSSID and you also use the beacon command to configure a DTIM period for the radio interface, the BSSID DTIM period takes precedence.
• Any Wi-Fi-certified client device can associate to an access point by using multiple BSSIDs.
• You can enable multiple BSSIDs on access points that participate in WDS.
Steps for Configuring Multiple BSSIDs on an Interface
To configure multiple BSSIDs on an interface, follow these steps, beginning in privileged EXEC mode:

Command / Purpose
Step 1   configure terminal
         Enters global configuration mode.
Step 2   interface radio-interface
         Enters interface configuration mode for the radio interface to which you want to assign the SSID.
Step 3   mbssid
         Enables multiple BSSIDs on the interface. You can also use the dot11 mbssid global configuration command to simultaneously enable multiple BSSIDs on all radio interfaces that support multiple BSSIDs.
Step 4   exit
         Exits interface configuration mode.
Step 5   dot11 ssid ssid-string
         Creates a global SSID and enters SSID configuration mode for this SSID. The SSID can consist of up to 32 alphanumeric, case-sensitive characters. The first character cannot be the !, #, or ; character. +, ], /, , TAB, and trailing spaces are invalid characters for SSIDs.
Step 6   mbssid [guest-mode] [dtim-period period]
         In SSID configuration mode, the mbssid command includes the SSID name in the beacon and broadcast probe response and configures the DTIM period for the SSID. The default DTIM period is 2, which means that every other beacon contains a DTIM. Include the guest-mode parameter to include the SSID in the beacon. Guest mode is disabled by default.
Step 7   exit
         Exits interface configuration mode.
Step 8   interface radio-interface
         Enters interface configuration mode for the radio interface to which you want to assign the SSID.
Step 9   ssid ssid-string
         Assigns the SSID to the radio interface. Use the no form of the command to disable the SSID on this interface.
Step 10  exit
         Exits interface configuration mode.

This example shows how to:
• Enable multiple BSSIDs on a radio interface
• Create an SSID called visitor
• Designate the SSID as a BSSID
• Specify that the BSSID is included in beacons
• Set a DTIM period for the BSSID
• Assign the SSID visitor to the radio interface

    ap# configure terminal
    ap(config)# interface d0
    ap(config-if)# mbssid
    ap(config-if)# exit
    ap(config)# dot11 ssid visitor
    ap(config-ssid)# mbssid guest-mode dtim-period 75
    ap(config-ssid)# exit
    ap(config)# interface d0
    ap(config-if)# ssid visitor

Displaying Configured BSSIDs
Use the show dot11 bssid privileged EXEC command to display the relationship between SSIDs and BSSIDs or MAC addresses. This example shows the command output:

    AP1230#show dot11 bssid
    Interface     BSSID           Guest  SSID
    Dot11Radio1   0011.2161.b7c0  Yes    atlantic
    Dot11Radio0   0005.9a3e.7c0f  Yes    WPA2-TLS-g
    						
    Using a RADIUS Server for SSID Authorization
    To prevent unauthorized client devices from associating to the access point, you can create a list of 
    authorized SSIDs on your RADIUS authentication server. 
The RADIUS SSID authorization process consists of these steps:
1. A client device associates to the access point using any SSID that is configured on the access point.
2. The client begins RADIUS authentication.
3. The RADIUS server returns a list of SSIDs that the client is allowed to use. The access point checks the list for a match of the SSID used by the client. There are three possible outcomes:
   a. If the SSID that the client used to associate to the access point matches an entry in the allowed list returned by the RADIUS server, the client is allowed network access after completing any other authentication requirements.
   b. If the access point does not find a match for the client in the allowed list of SSIDs, the access point disassociates the client.
   c. If the RADIUS server does not return any SSIDs (no list) for the client, then the administrator has not configured the list, and the client is allowed to associate and attempt to authenticate.

The list of SSIDs from the RADIUS server is in the form of Cisco vendor-specific attributes (VSAs). The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the access point and the RADIUS server by using the vendor-specific attribute (attribute 26). VSAs allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. The vendor-ID for Cisco is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The RADIUS server is allowed to have zero or more SSID VSAs per client.

In this example, the following AV pair adds the SSID batman to the list of allowed SSIDs for a user:

    cisco-avpair= "ssid=batman"

For instructions on configuring the access point to recognize and use VSAs, see the "RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values" chapter of the Cisco IOS Security Configuration Guide at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00804e02d5.html
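As an added example (not code from the Cisco guide), the following Python builds and parses the attribute 26 / vendor-ID 9 / vendor-type 1 cisco-avpair form described above and applies the three outcomes to a constructed Access-Accept attribute list. The attribute framing follows RFC 2865; the function names and the sample values are assumptions.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26  # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_VENDOR_ID = 9        # vendor-ID for Cisco, as stated in the text
CISCO_AVPAIR_TYPE = 1      # vendor-type 1 = cisco-avpair, as stated in the text


def encode_cisco_avpair(text: str) -> bytes:
    """Build one attribute 26 carrying a single cisco-avpair string."""
    payload = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR_TYPE, len(payload) + 2) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def allowed_ssids(attrs: bytes):
    """Walk a RADIUS attribute list and collect every ssid=<name> cisco-avpair.

    Returns None when no SSID VSA is present at all, which the text treats as
    "no list configured" rather than as an empty (deny-all) list.
    """
    found = None
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]
        if vtype != CISCO_AVPAIR_TYPE or vlen < 2 or 4 + vlen > len(value):
            continue
        key, sep, val = value[6:4 + vlen].decode("ascii", "replace").partition("=")
        if sep and key.strip() == "ssid":
            found = (found or []) + [val.strip()]
    return found


def ssid_decision(client_ssid: str, attrs: bytes) -> str:
    """Apply the three outcomes from the text to the SSID the client associated with."""
    ssids = allowed_ssids(attrs)
    if ssids is None:
        return "allow"          # c: no list returned, client may attempt to authenticate
    if client_ssid in ssids:
        return "allow"          # a: SSID matches an entry in the allowed list
    return "disassociate"       # b: no match, the access point disassociates the client


# Constructed Access-Accept attribute lists (not captured traffic)
ACCEPT_WITH_LIST = encode_cisco_avpair("ssid=batman") + encode_cisco_avpair("ssid=visitor")
ACCEPT_NO_LIST = encode_cisco_avpair("other=value")  # constructed non-SSID avpair only
```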
To create a global SSID with RADIUS accounting, follow these steps, beginning in privileged EXEC mode:

Command / Purpose
Step 1   configure terminal
         Enters global configuration mode.
Step 2   dot11 ssid ssid-string
         Creates a global SSID and enters SSID configuration mode for this SSID. The SSID can consist of up to 32 alphanumeric, case-sensitive characters. The first character cannot be the !, #, or ; character. +, ], /, , TAB, and trailing spaces are invalid characters for SSIDs.
Step 3   accounting list-name
         Enables RADIUS accounting for this SSID. For list-name, specify the accounting method list. For more information on method lists, see:
         http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfacct.htm#xtocid2
Step 4   interface dot11radio radio-interface
         Enters interface configuration mode for the radio interface to which you want to assign the SSID.
Step 5   ssid ssid-string
         Assigns the global SSID that you created in Step 2 to the radio interface. Use the no form of the command to disable the SSID.
Step 6   end
         Returns to privileged EXEC mode.

NAC Support for MBSSID
Networks must be protected from security threats, such as viruses, worms, and spyware. These security threats disrupt business, causing downtime and continual patching. Endpoint visibility and control are needed to help ensure that all wired and wireless devices attempting to access a network meet corporate security policies. Infected or vulnerable endpoints need to be automatically detected, isolated, and cleaned.

Network Admission Control (NAC) ensures that all wired and wireless endpoint devices (such as PCs, laptops, servers, and PDAs) accessing network resources are adequately protected from security threats. NAC allows organizations to analyze and control all devices coming into the network. By ensuring that every endpoint device complies with corporate security policy and is running the latest and most relevant security protections, organizations can significantly reduce or eliminate endpoint devices as a common source of infection or network compromise.

The NAC Appliance and the NAC Framework provide security threat protection for WLANs by enforcing device security policy compliance when WLAN clients attempt to access the network. These solutions quarantine non-compliant WLAN clients and provide remediation services to help ensure compliance.

Based on its health (software version, virus version, and so on), a client is placed on a separate VLAN that is designated for downloading the software required to upgrade the client to the versions required for accessing the network. Four VLANs are specified for NAC support, one of which is the normal VLAN in which clients with the correct software version are placed. The other VLANs are reserved for specific quarantine actions, and all infected clients are placed on one of these VLANs until the client is upgraded.

Each SSID has up to three additional VLANs configured as "unhealthy" VLANs. Infected clients are placed on one of these VLANs, based on how the client is infected. When a client sends an association request, it includes its infected status in the request to the RADIUS server. The policy to place the client on a specific VLAN is provisioned on the RADIUS server.

When an infected client associates with an access point and sends its state to the RADIUS server, the RADIUS server puts it into one of the quarantine VLANs, based on its health. This VLAN is sent in the RADIUS server Access-Accept response during the dot1x client authentication process. If the client is healthy and NAC compliant, the RADIUS server returns a normal VLAN assignment for the SSID and the client is placed in the correct VLAN and BSSID.
    						
    Each SSID is assigned a normal VLAN, which is the VLAN on which healthy clients are placed. The 
    SSID can also be configured to have up to three backup VLANs that correspond to the quarantine 
    VLANs on which clients are placed based on their state of health. These VLANs for the SSID use the 
    same BSSID as assigned by the MBSSID for the SSID.
    The configured VLANs are different and no VLAN overlap within an SSID is allowed. Therefore, a 
    VLAN can be specified once and cannot be part of two different SSIDs per interface.
    Quarantine VLANs are automatically configured under the interface on which the normal VLAN is 
    configured. A quarantine VLAN has the same encryption properties as that of the normal VLAN. 
    VLANs have the same key/authentication type, and the keys for the quarantine VLANs are derived 
    automatically.
    Dot11 subinterfaces are generated and configured automatically along with the dot1q encapsulation 
    VLAN (equal to the number of configured VLANs). The subinterfaces on the wired side are also 
    configured automatically, along with the bridge-group configurations under the FE0 subinterface.
    When a client associates and the RADIUS server determines that it is unhealthy, the server returns one 
    of the quarantine NAC VLANs in its RADIUS authentication response for dot1x authentication. This 
    VLAN should be one of the configured backup VLANs under the client’s SSID. If the VLAN is not one 
    of the configured backup VLANs, the client is disassociated.
Data for all the backup VLANs is sent and received using the BSSID that is assigned to the SSID. Therefore, all clients (healthy and unhealthy) listening to the BSSID that corresponds to the SSID wake up. Each client decrypts packets using the multicast key that corresponds to its VLAN (healthy or unhealthy). Wired-side traffic is segregated because different VLANs are used, thereby ensuring that traffic from infected and uninfected clients does not mix.
    						
Configuring NAC

Note: This feature supports only Layer 2 mobility within VLANs. Layer 3 mobility using network ID is not supported in this feature.

Note: Before you attempt to enable NAC for MBSSID on your access points, you should first have NAC working properly. Figure 2 shows a typical network setup.

Figure 2 Typical NAC Network Setup
(Figure not reproduced here; its labels are: ACS, wireless laptops, Quarantine/Restricted Access VLAN/Network, Unrestricted Access VLAN/Network.)

For additional information, see the documentation for deploying NAC for Cisco wireless networks:
http://cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

To configure NAC for MBSSID on your access point, follow these steps:
Step 1  Configure your network as shown in Figure 2.
Step 2  Configure standalone access points and NAC-enabled client-EAP authentication.
Step 3  Configure the local profiles on the ACS server for posture validation.
Step 4  Configure the client and access point to allow the client to successfully authenticate using EAP-FAST.
Step 5  Ensure that the client posture is valid.
Step 6  Verify that the client associates to the access point and that the client is placed on the unrestricted VLAN after successful authentication and posture validation.

A sample configuration is shown below.

    dot11 mbssid
    dot11 vlan-name engg-normal vlan 100
    dot11 vlan-name engg-infected vlan 102
    dot11 vlan-name mktg-normal vlan 101
    dot11 vlan-name mktg-infected1 vlan 103
    dot11 vlan-name mktg-infected2 vlan 104
    dot11 vlan-name mktg-infected3 vlan 105
    !
    dot11 ssid engg
       vlan engg-normal backup engg-infected
       authentication open
       authentication network-eap eap_methods
    !
    dot11 ssid mktg
       vlan mktg-normal backup mktg-infected1, mktg-infected2, mktg-infected3
       authentication open
       authentication network-eap eap_methods
    !
    interface Dot11Radio0
     !
     encryption vlan engg-normal key 1 size 40bit 7 482CC74122FD transmit-key
     encryption vlan engg-normal mode ciphers wep40
     !
     encryption vlan mktg-normal key 1 size 40bit 7 9C3A6F2CBFBC transmit-key
     encryption vlan mktg-normal mode ciphers wep40
     !
     ssid engg
     !
     ssid mktg
     !
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface Dot11Radio0.100
     encapsulation dot1Q 100 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.102
     encapsulation dot1Q 102
     no ip route-cache
     bridge-group 102
     bridge-group 102 subscriber-loop-control
     bridge-group 102 block-unknown-source
     no bridge-group 102 source-learning
     no bridge-group 102 unicast-flooding
     bridge-group 102 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    !
    interface FastEthernet0.100
     encapsulation dot1Q 100 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0.102
     encapsulation dot1Q 102
     no ip route-cache
     bridge-group 102
     no bridge-group 102 source-learning
     bridge-group 102 spanning-disabled
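As an added example (not part of the Cisco guide), the following Python parses the dot11 vlan-name and dot11 ssid ... vlan ... backup lines of a configuration modelled on the sample above, checks the rule that no VLAN may belong to two SSIDs on an interface, and applies the text's handling of the VLAN returned in the RADIUS Access-Accept (normal VLAN, configured backup VLAN, or disassociate). The function names and the in-code sample are assumptions.

```python
import re

# Constructed sample modelled on the page's configuration (not a captured device config)
SAMPLE_CONFIG = """\
dot11 mbssid
dot11 vlan-name engg-normal vlan 100
dot11 vlan-name engg-infected vlan 102
dot11 vlan-name mktg-normal vlan 101
dot11 vlan-name mktg-infected1 vlan 103
dot11 vlan-name mktg-infected2 vlan 104
dot11 vlan-name mktg-infected3 vlan 105
!
dot11 ssid engg
   vlan engg-normal backup engg-infected
!
dot11 ssid mktg
   vlan mktg-normal backup mktg-infected1, mktg-infected2, mktg-infected3
"""


def parse_nac_config(text: str):
    """Return ({vlan-name: vlan-id}, {ssid: (normal_vlan, [backup_vlans])})."""
    names, ssids, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"dot11 vlan-name (\S+) vlan (\d+)", line)
        if m:
            names[m.group(1)] = int(m.group(2))
            continue
        m = re.fullmatch(r"dot11 ssid (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.fullmatch(r"vlan (\S+)(?: backup (.+))?", line)
        if m and current:
            normal = names[m.group(1)]
            backups = [names[n.strip()] for n in m.group(2).split(",")] if m.group(2) else []
            if len(backups) > 3:  # page rule: at most three backup VLANs per SSID
                raise ValueError(f"{current}: more than three backup VLANs")
            ssids[current] = (normal, backups)
    return names, ssids


def check_no_overlap(ssids: dict) -> bool:
    """Page rule: a VLAN is specified once and cannot be part of two SSIDs per interface."""
    owner = {}
    for ssid, (normal, backups) in ssids.items():
        for vid in [normal] + backups:
            if vid in owner:
                raise ValueError(f"VLAN {vid} is used by both {owner[vid]} and {ssid}")
            owner[vid] = ssid
    return True


def placement(ssids: dict, ssid: str, returned_vlan: int) -> str:
    """What the access point does with the VLAN carried in the RADIUS Access-Accept."""
    normal, backups = ssids[ssid]
    if returned_vlan == normal:
        return "normal"         # healthy, NAC-compliant client
    if returned_vlan in backups:
        return "quarantine"     # unhealthy client on one of the configured backup VLANs
    return "disassociate"       # VLAN is not configured under this SSID
```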
    						
    						
CHAPTER 10
Configuring Radio Settings
Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide
This chapter describes how to configure radio settings for the wireless device in the following sections:
• Enabling the Radio Interface, page 10-2
• Configuring the Role in the Radio Network, page 10-2
• Radio Tracking, page 10-4
• Configuring Radio Data Rates, page 10-4
• Configuring MCS Rates, page 10-7
• Configuring Radio Transmit Power, page 10-9
• Configuring Radio Channel Settings, page 10-10
• Enabling and Disabling World Mode, page 10-11
• Disabling and Enabling Short Radio Preambles, page 10-12
• Configuring Transmit and Receive Antennas, page 10-13
• Disabling and Enabling Aironet Extensions, page 10-14
• Configuring the Ethernet Encapsulation Transformation Method, page 10-15
• Enabling and Disabling Public Secure Packet Forwarding, page 10-15
• Configuring the Beacon Period and the DTIM, page 10-17
• Configure RTS Threshold and Retries, page 10-17
• Configuring the Maximum Data Retries, page 10-18
• Configuring the Fragmentation Threshold, page 10-19
• Enabling Short Slot Time for 802.11g Radios, page 10-19
• Performing a Carrier Busy Test, page 10-19
• Configuring VoIP Packet Handling, page 10-20
    						
    							 
    Enabling the Radio Interface
The wireless device radios are disabled by default.

Note: You must create a service set identifier (SSID) before you can enable the radio interface.

To enable the access point radio, follow these steps, beginning in privileged EXEC mode:

Command / Purpose
Step 1   configure terminal
         Enters global configuration mode.
Step 2   dot11 ssid ssid
         Enters the SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.
Step 3   interface dot11radio { 0 }
         Enters interface configuration mode for the radio interface. The 2.4-GHz and the 802.11g/n 2.4-GHz radios are radio 0.
Step 4   ssid ssid
         Assigns the SSID you created in Step 2 to the appropriate radio interface.
Step 5   no shutdown
         Enables the radio port.
Step 6   end
         Returns to privileged EXEC mode.
Step 7   copy running-config startup-config
         (Optional) Saves your entries in the configuration file.

Use the shutdown command to disable the radio port.

Configuring the Role in the Radio Network
Table 10-1 shows the role the radio performs in the wireless network.

Table 10-1 Device Role in Radio Network Configuration
Role in Radio Network                       Cisco 860 ISR   Cisco 880 ISR
Access point                                X               X
Access point (fallback to radio shutdown)   X               X
Root bridge                                 X               X
Non-root bridge                             X               X
Root bridge with wireless clients           X               X
Non-root bridge with wireless clients       X               X
    						