Cisco Router 860, 880 Series User Manual
Have a look at the manual Cisco Router 860, 880 Series User Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
Using an Access Point as a Local Authenticator
Configuring a Local Authenticator
11
Using an Access Point as a Local Authenticator
OL-15915-01
Using Debug Messages
To control the display of debug messages for the local authenticator, enter this command in privileged
EXEC mode:
AP# debug radius local-server {client | eapfast | error | packets}
Use the command options to display this debug information:
Use the client option to display error messages related to failed client authentications.
Use the eapfast option to display error messages related to EAP-FAST authentication. Use the
sub-options to select specific debugging information:
–encryption —displays information on the encryption and decryption of received and
transmitted packets
–events—displays information on all EAP-FAST events
–pac—displays information on events related to PACs, such as PAC generation and verification
–pkts—displays packets sent to and received from EAP-FAST clients
Use the error option to display error messages related to the local authenticator.
Use the packets option to turn on display of the content of RADIUS packets sent and received.
Using an Access Point as a Local Authenticator Configuring a Local Authenticator 12 Using an Access Point as a Local Authenticator OL-15915-01
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA © 2008 Cisco Systems, Inc. All rights reserved. Hot Standby Access Points This note describes how to configure your wireless device as hot standby unit in these sections: Understanding Hot Standby, page 1 Configuring a Hot Standby Access Point, page 2 Understanding Hot Standby Hot standby mode designates an access point as a backup for another access point. The standby access point is placed near the access point it monitors, configured exactly the same as the monitored access point. The standby access point associates with the monitored access point as a client and sends IAPP queries to the monitored access point through both the Ethernet and the radio ports. If the monitored access point fails to respond, the standby access point comes online and takes the monitored access point’s place in the network. Except for the IP address, the standby access point’s settings should be identical to the settings on the monitored access point. If the monitored access point goes offline and the standby access point takes its place in the network, matching settings ensures that client devices can switch easily to the standby access point. The standby access point monitors another access point in a device-to-device relationship, not in an interface-to-interface relationship. For example, you cannot configure the standby access point’s 5-GHz radio to monitor the 5-GHz radio in access point alpha and the standby’s 2.4-GHz radio to monitor the 2.4-GHz radio in access point bravo. You also cannot configure one radio in a dual-radio access point as a standby radio and configure the other radio to serve client devices. Hot standby mode is disabled by default. NoteIf the monitored access point malfunctions and the standby access point takes its place, repeat the hot standby setup on the standby access point when you repair or replace the monitored access point. The standby access point does not revert to standby mode automatically.
Hot Standby Access Points Configuring a Hot Standby Access Point 2 Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide xx-xxxxx-xx NoteThe MAC address of the monitored access point might change if a BSSID on the monitored unit is added or deleted. If you use multiple BSSIDs on your wireless LAN, check the status of the standby unit when you add or delete BSSIDs on the monitored access point. If necessary, reconfigure the standby unit to use the BSSID’s new MAC address. Configuring a Hot Standby Access Point When you set up the standby access point, you must enter the MAC address of the access point that the standby unit will monitor. Record the MAC address of the monitored access point before you configure the standby access point. The standby access point also must duplicate several key settings on the monitored access point. These settings are: Primary SSID (as well as additional SSIDs configured on the monitored access point) Default IP Subnet Mask Default Gateway Data rates WEP settings Authentication types and authentication servers Check the monitored access point and record these settings before you set up the standby access point. NoteWireless client devices associated to the standby access point lose their connections during the hot standby setup process. TipTo quickly duplicate the monitored access point’s settings on the standby access point, save the monitored access point configuration and load it on the standby access point.
Hot Standby Access Points Configuring a Hot Standby Access Point 3 Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide xx-xxxxx-xx To enable hot standby mode on an access point, follow these steps, beginning in privileged EXEC mode: CommandDescription Step 1configure terminalEnters global configuration mode. Step 2iapp standby mac-addressPuts the access point into standby mode and specifies the MAC address of radio on the monitored access point. NoteThe MAC address of the monitored access point might change if a BSSID on the monitored unit is added or deleted. If you use multiple BSSIDs on your wireless LAN, check the status of the standby unit when you add or delete BSSIDs on the monitored access point. If necessary, reconfigure the standby unit to use the BSSID’s new MAC address. Step 3interface dot11radio port Enters interface configuration mode for the radio interface. Step 4ssid ssid-stringCreates the SSID that the standby access point uses to associate to the monitored access point; in the next step designate this SSID as an infrastructure SSID. If you created an infrastructure SSID on the monitored access point, create the same SSID on the standby access point, also. Step 5infrastructure-ssid [optional]Designates the SSID as an infrastructure SSID. The standby uses this SSID to associate to the monitored access point. If the standby access point takes the place of the monitored access point, infrastructure devices must associate to the standby access point using this SSID unless you also enter the optional keyword. Step 6authentication client username username password password If the monitored access point is configured to require LEAP authentication, configure the username and password that the standby access point uses when it performs LEAP authentication. This username and password must match the username and password that you set up for the standby access point on the authentication server. Step 7exitExits SSID configuration mode and return to radio interface configuration mode. Step 8iapp standby poll-frequency secondsSets the number of seconds between queries that the standby access point sends to the monitored access point’s radio and Ethernet ports. The default poll frequency is 2 seconds.
Hot Standby Access Points Configuring a Hot Standby Access Point 4 Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide xx-xxxxx-xx After you enable standby mode, configure the settings that you recorded from the monitored access point to match on the standby access point. Step 9iapp standby timeout secondsSets the number of seconds that the standby access point waits for a response from the monitored access point before it assumes that the monitored access point has malfunctioned. The default timeout is 20 seconds. NoteYou should increase the standby timeout setting if the bridged path between the standby and monitored access points can be lost for periods greater than 20 seconds (during spanning tree recalculation, for example). NoteIf the monitored access point is configured to select the least congested radio channel, you might need to increase the standby timeout setting. The monitored unit might take up to 40 seconds to select the least congested channel. Step 10iapp standby primary-shutdown(Optional) Configures the standby access point to send a Dumb Device Protocol (DDP) message to the monitored access point to disable the radios of the monitored access point when the standby unit becomes active. This feature prevents client devices that are associated to the monitored access point from remaining associated to the malfunctioning unit. Step 11show iapp standby-parmsVerifies your entries. If the access point is in standby mode, this command displays the standby parameters, including the MAC address of the monitored access point and the poll-frequency and timeout values. If the access point is not in standby mode, no iapp standby mac-address appears. Step 12endReturns to privileged EXEC mode. Command Description
Hot Standby Access Points Configuring a Hot Standby Access Point 5 Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide xx-xxxxx-xx Verifying Standby Operation Use this command to check the status of the standby access point: show iapp standby-status This command displays the status of the standby access point. Ta b l e 1 lists the standby status messages that can appear. Use this command to check the standby configuration: show iapp standby-parms This command displays the MAC address of the standby access point, the standby timeout, and the poll-frequency values. If no standby access point is configured, this message appears: no iapp standby mac-address If a standby access point takes over for the monitored access point, you can use the show iapp statistics command to help determine the reason that the standby access point took over. Ta b l e 1 Standby Status Messages MessageDescription IAPP Standby is DisabledThe access point is not configured for standby mode. IAPP—AP is in standby modeThe access point is in standby mode. IAPP—AP is operating in active modeThe standby access point has taken over for the monitored access point and is functioning as a root access point. IAPP—AP is operating in repeater modeThe standby access point has taken over for the monitored access point and is functioning as a repeater access point. The Cisco 800 Series router does not support repeater mode. Standby status: InitializingThe standby access point is initializing link tests with the monitored access point. Standby status: TakeoverThe standby access point has transitioned to active mode. Standby status: StoppedStandby mode has been stopped by a configuration command. Standby status: Ethernet Linktest FailedAn Ethernet link test failed from the standby access point to the monitored access point. Standby status: Radio Linktest FailedA radio link test failed from the standby access point to the monitored access point. Standby status: Standby ErrorAn undefined error occurred. Standby State: InitThe standby access point is initializing link tests with the monitored access point. Standby State: RunningThe standby access point is operating in standby mode and is running link tests to the monitored access point. Standby State: StoppedStandby mode has been stopped by a configuration command. Standby State: Not RunningThe access point is not in standby mode.
Hot Standby Access Points Configuring a Hot Standby Access Point 6 Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide xx-xxxxx-xx
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA © 2008 Cisco Systems, Inc. All rights reserved. Workgroup Bridge Mode This note describes how to configure your wireless device as a workgroup bridge and contains these sections: Understanding Workgroup Bridge Mode, page 1 Configuring Workgroup Bridge Mode, page 5 The Workgroup Bridge in a Lightweight Environment, page 7 Understanding Workgroup Bridge Mode You can configure the device as a workgroup bridge. In workgroup bridge mode, the unit associates to another access point as a client and provides a network connection for the devices connected to its Ethernet port. For example, if you need to provide wireless connectivity for a group of network printers, you can connect the printers to a hub or to a switch, connect the hub or switch to the access point Ethernet port, and configure the access point as a workgroup bridge. The workgroup bridge associates to an access point on your network. If your access point has two radios, either the 2.4-GHz radio or the 5-GHz radio can function in workgroup bridge mode. When you configure one radio interface as a workgroup bridge, the other radio interface the other remains up. CautionAn access point in workgroup bridge mode can introduce a bridge loop if you connect its Ethernet port to your wired LAN. To avoid a bridge loop on your network, disconnect the workgroup bridge from your wired LAN before or soon after you configure it as a workgroup bridge. NoteIf multiple BSSIDs are configured on a root access point that is designated as the parent of a workgroup bridge, the parent MAC address might change if a BSSID on the parent is added or deleted. If you use multiple BSSIDs on your wireless LAN and a workgroup bridge on your wireless LAN is configured to associate to a specific parent, check the association status of the workgroup bridge when you add or delete BSSIDs on the parent access point. If necessary, reconfigure the workgroup bridge to use the BSSID’s new MAC address.
Workgroup Bridge Mode Understanding Workgroup Bridge Mode 2 Cisco 800 Series Integrated Services Routers Wireless Software Configuration Guide xx-xxxxx-xx NoteAlthough it functions as a bridge, an access point in workgroup bridge mode has a limited radio range. Workgroup bridges do not support the distance setting, which enables you to configure wireless bridges to communicate across several kilometers. Figure 1 shows an access point in workgroup bridge mode. Figure 1 Access Point in Workgroup Bridge Mode Access Point (Root Unit) 121646 Wired LAN E THER NETSPEED15263748LED 100BaseTX SOLID 10BaseT BLINK1X 2X 3X 4X5X 6X 7XMDI M DI-X 8X Hub Workstation Laptop Workstation Workstation