Cisco Router 860, 880 Series User Manual
17-13 Book Title OL-xxxxx-xx Chapter 17 Administering the Wireless Device Controlling Access Point Access with RADIUS

To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} command in global configuration mode. To remove a server group from the configuration list, use the no aaa group server radius group-name command in global configuration mode. To remove the IP address of a RADIUS server from a server group, use the no server ip-address command in server group (sg-radius) configuration mode.

In this example, the wireless device is configured to recognize two different RADIUS server groups (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a failover backup to the first entry.

    AP(config)# aaa new-model
    AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
    AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
    AP(config)# aaa group server radius group1
    AP(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
    AP(config-sg-radius)# exit
    AP(config)# aaa group server radius group2
    AP(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
    AP(config-sg-radius)# exit

Configuring RADIUS Authorization for User Privileged Access and Network Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the wireless device uses information retrieved from the user's profile, which is in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it.

You can use the aaa authorization command in global configuration mode with the radius keyword to set parameters that restrict a user's network access to privileged EXEC mode. The aaa authorization exec radius local command sets these authorization parameters:

- Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS.
- Use the local database if authentication was not performed by using RADIUS.

Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.

To specify RADIUS authorization for privileged EXEC access and network services, follow these steps beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  aaa authorization network radius
        Configures the wireless device for user RADIUS authorization for all network-related service requests.
Step 3  aaa authorization exec radius
        Configures the wireless device for user RADIUS authorization to determine if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
Step 4  end
        Returns to privileged EXEC mode.
Step 5  show running-config
        Verifies your entries.
Step 6  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

To disable authorization, use the no aaa authorization {network | exec} method1 command in global configuration mode.

Displaying the RADIUS Configuration

To display the RADIUS configuration, use the show running-config command in privileged EXEC mode.

Controlling Access Point Access with TACACS+

This section describes how to control administrator access to the wireless device using Terminal Access Controller Access Control System Plus (TACACS+). For complete instructions on configuring the wireless device to support TACACS+, see the "Configuring Radius and TACACS+ Servers" chapter in the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points.

TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.

Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference.

These sections describe TACACS+ configuration:

- Default TACACS+ Configuration, page 17-14
- Configuring TACACS+ Login Authentication, page 17-15
- Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 17-16
- Displaying the TACACS+ Configuration, page 17-17

Default TACACS+ Configuration

TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate administrators accessing the wireless device through the CLI.
Configuring TACACS+ Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.

A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle, meaning that the security server or local username database responds by denying the user access, the authentication process stops, and no other authentication methods are attempted.

To configure login authentication, follow these steps beginning in privileged EXEC mode. This procedure is required.

Step 1  configure terminal
        Enters global configuration mode.
Step 2  aaa new-model
        Enables AAA.
Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Creates a login authentication method list.
        To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
        For list-name, specify a character string to name the list you are creating.
        For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Select one of these methods:
        - local: Use the local username database for authentication. You must enter username information into the database. Use the username password command in global configuration mode.
        - tacacs+: Use TACACS+ authentication. You must configure the TACACS+ server before you can use this authentication method.
Step 4  line [console | tty | vty] line-number [ending-line-number]
        Enters line configuration mode, and configures the lines to which you want to apply the authentication list.
Step 5  login authentication {default | list-name}
        Applies the authentication list to a line or set of lines.
        If you specify default, use the default list created with the aaa authentication login command.
        For list-name, specify the list created with the aaa authentication login command.
Step 6  end
        Returns to privileged EXEC mode.
Step 7  show running-config
        Verifies your entries.
Step 8  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

To disable AAA, use the no aaa new-model command in global configuration mode. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] command in global configuration mode. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} command in line configuration mode.

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the wireless device uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it.

You can use the aaa authorization command in global configuration mode with the tacacs+ keyword to set parameters that restrict a user's network access to privileged EXEC mode. The aaa authorization exec tacacs+ local command sets these authorization parameters:

- Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.
- Use the local database if authentication was not performed by using TACACS+.

Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.

To specify TACACS+ authorization for privileged EXEC access and network services, follow these steps beginning in privileged EXEC mode:

Step 1  configure terminal
        Enters global configuration mode.
Step 2  aaa authorization network tacacs+
        Configures the wireless device for user TACACS+ authorization for all network-related service requests.
Step 3  aaa authorization exec tacacs+
        Configures the wireless device for user TACACS+ authorization to determine if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
Step 4  end
        Returns to privileged EXEC mode.
Step 5  show running-config
        Verifies your entries.
Step 6  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
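The two behaviours that matter most operationally in the sections above are the failover between host entries in a RADIUS server group and the rule that a method list moves on to the next method only when the previous one returns an error, never when it rejects the user. The following Python model, added here as an illustration (it is not Cisco code and does not talk to a real RADIUS or TACACS+ server), makes that distinction explicit. The host addresses, ports and credentials are constructed sample values, and the "group group1" method name assumes the usual IOS syntax for naming a server group in a method list, which this page does not show.

```python
"""Model of AAA method-list evaluation with a RADIUS server group, written
as an added illustration; it is not Cisco code. Host addresses, ports and
credentials below are constructed sample values.

Rules taken from the manual:
  * Hosts in a server group are tried in order; a host that does not answer
    causes failover to the next host. If no host answers, the method as a
    whole returns ERROR.
  * Methods in a method list are tried in order, but the next method is
    consulted only when the previous one returns ERROR (no response). An
    explicit rejection (FAIL) by a server or the local database stops the
    walk, and later methods are never attempted.
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "pass"    # user authenticated
    FAIL = "fail"    # user explicitly rejected: stop here
    ERROR = "error"  # method could not answer: try the next method


@dataclass
class RadiusHost:
    address: str
    auth_port: int
    reachable: bool = True
    users: dict = field(default_factory=dict)  # constructed: username -> password

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


@dataclass
class ServerGroup:
    name: str
    hosts: list

    def authenticate(self, user, password):
        # Failover: a host that does not answer hands the request to the next host
        for host in self.hosts:
            result = host.authenticate(user, password)
            if result is not Result.ERROR:
                return result
        return Result.ERROR


class LocalDatabase:
    def __init__(self, users):
        self.users = users  # constructed: username -> password

    def authenticate(self, user, password):
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def run_method_list(methods, user, password):
    """Walk a method list of (name, method) pairs.

    Returns (result, name of the method that produced it); the name is None
    when every method returned ERROR.
    """
    for name, method in methods:
        result = method.authenticate(user, password)
        if result is not Result.ERROR:
            return result, name
    return Result.ERROR, None


def build_methods(first_host_up, second_host_up):
    """Model of a list 'group group1' followed by 'local' (assumed IOS syntax),
    where group1 holds two host entries and the second is a failover backup."""
    group1 = ServerGroup("group1", [
        RadiusHost("172.20.0.1", 1000, first_host_up, {"admin": "radius-pw"}),
        RadiusHost("172.10.0.1", 1645, second_host_up, {"admin": "radius-pw"}),
    ])
    local = LocalDatabase({"admin": "local-pw"})
    return [("group group1", group1), ("local", local)]


if __name__ == "__main__":
    print(run_method_list(build_methods(True, True), "admin", "radius-pw"))
    print(run_method_list(build_methods(False, True), "admin", "radius-pw"))
    print(run_method_list(build_methods(False, False), "admin", "local-pw"))
    # Rejection by RADIUS is final: the matching local password is never consulted
    print(run_method_list(build_methods(True, True), "admin", "local-pw"))
```

The last call is the case worth remembering when troubleshooting lockouts: a reachable server that rejects the user ends the walk, so a local fallback account is only useful when the servers are unreachable, not when they say no.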
To disable authorization, use the no aaa authorization {network | exec} method1 command in global configuration mode.

Displaying the TACACS+ Configuration

To display TACACS+ server statistics, use the show tacacs command in privileged EXEC mode.

Administering the Wireless Hardware and Software

This section provides instructions for performing the following tasks:

- Resetting the Wireless Device to Factory Default Configuration, page 17-17
- Rebooting the Wireless Device, page 17-17
- Upgrading Software on the Access Point, page 17-18
- Downgrading Software on the Access Point, page 17-20
- Recovering Software on the Access Point, page 17-20
- Monitoring the Wireless Device, page 17-20

Resetting the Wireless Device to Factory Default Configuration

To reset the wireless device hardware and software back to its factory default configuration, use the service-module wlan-ap0 reset default-config command in the router's Cisco IOS privileged EXEC mode.

Caution: Because you may lose data, use only the service-module wlan-ap0 reset command to recover from a shutdown or failed state.

Rebooting the Wireless Device

To perform a graceful shutdown and reboot the wireless device, use the service-module wlan-ap0 reload command in the router's Cisco IOS privileged EXEC mode. At the confirmation prompt, press Enter to confirm the action or enter n to cancel.

When running in autonomous mode, the reload command saves the configuration before rebooting. If the attempt is unsuccessful, the following message displays:

    Failed to save service module configuration.

When running in LWAPP mode, the reload function is typically handled by the Wireless LAN Controller (WLC). Therefore, if you enter the service-module wlan-ap0 reload command, you will be prompted with the following message:

    The AP is in LWAPP mode. Reload is normally handled by WLC controller.
    Still want to proceed? [yes]
Upgrading Software on the Access Point

Software Prerequisites

Cisco 880 Series routers with embedded access points are eligible to upgrade from the autonomous image to the Unified image if the router is running the advanced IP services feature set and Internet Operating System (IOS) software 12.4(20)T or 12.4(15)XZ1. Update the Wireless LAN Controller (WLC) software version to 5.1 or later.

Preparing for the Upgrade

Secure an IP Address on the Access Point

Secure an IP address on the access point so it can communicate with the WLC and download the Unified image upon boot up. The host router provides DHCP server functionality to the access point through a DHCP pool; set option 43 in the DHCP pool configuration to the controller IP address so that the access point can reach the WLC. A sample configuration is provided.

    ip dhcp pool embedded-ap-pool
     network 60.0.0.0 255.255.255.0
     dns-server 171.70.168.183
     default-router 60.0.0.1
     option 43 hex f104.0a0a.0a0f
    !
    int vlan1
     ip address 60.0.0.1 255.255.255.0

In this sample, f104.0a0a.0a0f is a single WLC IP address (10.10.10.15) in hex format.

For more information about the WLC discovery process, refer to the Cisco Wireless LAN Configuration Guide on Cisco.com: http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/ccfig40.html

Prior to the Upgrade

Perform the following steps.

1. Ping the WLC from the router to confirm IP connectivity.
2. Enter the service-module wlan-ap 0 session command to session into the access point.
3. Confirm the access point is running an autonomous boot image.
4. Enter the show boot command on the access point to confirm the mode setting is enabled.
    Autonomous-AP#show boot
    BOOT path-list:      flash:ap801-k9w7-mx.124-10b.JA3/ap801-k9w7-mx.124-10b.JA3
    Config file:         flash:/config.txt
    Private Config file: flash:/private-config
    Enable Break:        yes
    Manual Boot:         yes
    Enable IOS Break:    no
    HELPER path-list:
    NVRAM/Config file
          buffer size:   32768
    Mode Button:         on
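The option 43 value in the sample DHCP pool above is easy to get wrong by hand, and a malformed value silently leaves the access point unable to find its controller. The following Python helper, added here as an illustration and not part of the manual or of Cisco IOS, builds and checks that value. Its layout is taken from the manual's own sample (f104.0a0a.0a0f for 10.10.10.15): a type byte 0xF1, a length byte equal to four times the number of controllers, then each controller address as four raw bytes. Support for more than one controller is a generalisation of that sample and is an assumption of this example.

```python
"""Encoder/decoder for the DHCP option 43 value that tells an access point
where its Wireless LAN Controller (WLC) is. Added example, not Cisco code.

Layout assumed from the manual's sample value f104.0a0a.0a0f (WLC
10.10.10.15): sub-option type byte 0xF1, one length byte equal to 4 times
the number of controllers, then each controller IPv4 address as 4 raw
bytes. The multi-controller case is a generalisation of that sample.
"""
import ipaddress

WLC_SUBOPTION_TYPE = 0xF1


def encode_option43(controllers):
    """Return the dotted hex string used after 'option 43 hex'."""
    if not 1 <= len(controllers) <= 63:            # length byte holds at most 252
        raise ValueError("need between 1 and 63 controller addresses")
    raw = bytearray([WLC_SUBOPTION_TYPE, 4 * len(controllers)])
    for address in controllers:
        raw += ipaddress.IPv4Address(address).packed   # 4 big-endian bytes
    hexstr = raw.hex()
    # IOS writes the value as 4-hex-digit groups separated by dots
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def decode_option43(dotted):
    """Parse a dotted hex value back into a list of controller addresses,
    rejecting values whose type byte is wrong or whose length byte and
    payload disagree (the usual hand-editing mistakes)."""
    raw = bytes.fromhex(dotted.replace(".", ""))
    if len(raw) < 2 or raw[0] != WLC_SUBOPTION_TYPE:
        raise ValueError("not a WLC sub-option (type byte must be 0xF1)")
    length, payload = raw[1], raw[2:]
    if length != len(payload) or length % 4 != 0:
        raise ValueError("length byte does not match payload")
    return [str(ipaddress.IPv4Address(payload[i:i + 4]))
            for i in range(0, length, 4)]


if __name__ == "__main__":
    value = encode_option43(["10.10.10.15"])
    print("option 43 hex", value)   # f104.0a0a.0a0f, matching the manual's sample
    print(decode_option43(value))
```

Running decode_option43 over the value in a running-config before a reload is a cheap way to catch a dropped digit or a length byte that was not updated after adding a controller.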
Performing the Upgrade

Upgrade the autonomous software image to a Unified software image on the access point.

Step 1  Issue the service-module wlan-ap 0 bootimage unified command to change the access point boot image to a Unified upgrade image, which is also known as a recovery image.

    Router#conf terminal
    Router(config)#service-module wlan-ap 0 bootimage unified
    Router(config)#end

Note: If the service-module wlan-ap 0 bootimage unified command does not work successfully, check whether the software license is still eligible.

On the access point console, use the show boot command to identify the access point's boot image path:

    autonomous-AP#show boot
    BOOT path-list: flash:/ap801-rcvk9w8-mx/ap801-rcvk9w8-mx

Step 2  Issue the service-module wlan-ap 0 reload command to perform a graceful shutdown and reboot of the access point to complete the upgrade process. Then session into the access point and monitor the upgrade process.

Note: See the 12.4(20)T Command Reference guides on Cisco.com for more information about the service-module wlan-ap 0 bootimage command.

Troubleshooting an Upgrade or Reverting the AP to Autonomous Mode

Q. My access point failed to upgrade to Unified software, and it appears stuck in recovery mode. What shall I do?

A. If the access point fails to upgrade to the Unified software and appears stuck in recovery mode, check connectivity between the router and the WLC by issuing the ping command. Next, downgrade the access point software back to autonomous and perform troubleshooting. Issue the service-module wlan-ap0 bootimage autonomous command, and then issue the service-module wlan-ap0 reset bootloader command to return the access point to bootloader mode. Issue the service-module wlan-ap 0 session command to access the wireless device's bootloader mode, then boot up the access point by loading the autonomous image.
    c880#conf terminal
    c880(config)#service-module wlan-ap 0 bootimage autonomous
    c880(config)#end
    C880# service-module wlan-ap0 reset bootloader
    C880# service-module wlan-ap0 session
    ap: dir flash:
    Directory of flash:/
    1  drwx  192  ap801-k9w7-mx.124-16b.JA
    2  drwx  192  ap801-rcvk9w8-mx
    ap: BOOT=flash:ap801-k9w7-mx.124-16b.JA/ap801-k9w7-mx.124-16b.JA
    ap: boot
Note: The service-module wlan-ap0 bootimage command does not take effect when the access point is in bootloader or Unified recovery mode.

Q. My access point is attempting to boot, but keeps failing. Why?
Q. My access point is stuck in the recovery image and will not upgrade to the Unified software. Why?

A. When the access point tries to boot but fails, or when it is stuck in the recovery image and fails to upgrade to the Unified software, use the service-module wlan-ap0 reset bootloader command to return it to the bootloader for manual image recovery.

Downgrading Software on the Access Point

Use the service-module wlan-ap0 bootimage autonomous command to reset the access point BOOT back to the last autonomous image. Follow up with the service-module wlan-ap 0 reload command to reload the access point with the autonomous software image.

Recovering Software on the Access Point

Recover the image on the access point with the service-module wlan-ap0 reset bootloader command. This command returns the access point to the bootloader for manual image recovery.

Caution: Use this command with caution. It does not provide an orderly shutdown and consequently may impact file operations that are in progress. Use this command only to recover from a shutdown or failed state.

Monitoring the Wireless Device

This section provides commands for monitoring hardware on the router.

- Displaying Wireless Device Statistics, page 17-20
- Displaying Wireless Device Status, page 17-21

Displaying Wireless Device Statistics

Use the service-module wlan-ap0 statistics command in the router's Cisco IOS privileged EXEC mode to display wireless device statistics.
The following is sample output for the command:

    CLI reset count = 0
    CLI reload count = 1
    Registration request timeout reset count = 0
    Error recovery timeout reset count = 0
    Module registration count = 10
    The last IOS initiated event was a cli reload at *04:27:32.041 UTC Fri Mar 8 2007
Displaying Wireless Device Status

Use the service-module wlan-ap0 status command in the router's Cisco IOS privileged EXEC mode to display the status of the wireless device and its configuration information. The following is sample output for the command:

    Service Module is Cisco wlan-ap0
    Service Module supports session via TTY line 2
    Service Module is in Steady state
    Service Module reset on error is disabled
    Getting status from the Service Module, please wait..
    Image path = flash:c8xx_19xx_ap-k9w7-mx.acregr/c8xx_19xx_ap-k9w7-mx.acregr
    System uptime = 0 days, 4 hours, 28 minutes, 5 seconds
    Router#

d was introduced for embedded wireless LAN access points on Cisco 860 and 880 Series Integrated Services Routers.

Managing the System Time and Date

You can manage the system time and date on the wireless device automatically, using the Simple Network Time Protocol (SNTP), or manually, by setting the time and date on the wireless device.

Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.4.

This section contains the following configuration information:

- Understanding Simple Network Time Protocol, page 17-21
- Configuring SNTP, page 17-22
- Configuring Time and Date Manually, page 17-22

Understanding Simple Network Time Protocol

Simple Network Time Protocol (SNTP) is a simplified, client-only version of NTP. SNTP can only receive the time from NTP servers; it cannot be used to provide time services to other systems. SNTP typically provides time within 100 milliseconds of the accurate time, but it does not provide the complex filtering and statistical mechanisms of NTP.

You can configure SNTP to request and accept packets from configured servers or to accept NTP broadcast packets from any source.
When multiple sources are sending NTP packets, the server with the best stratum is selected. For more information on NTP and strata, see: http://www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd303.html#wp1001075

If multiple servers are at the same stratum, a configured server is preferred over a broadcast server. If multiple servers pass both tests, the first one to send a time packet is selected. SNTP will choose a new server only if it stops receiving packets from the currently selected server, or if a better server (according to the above criteria) is discovered.
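The selection rules just described decide which source a device trusts for time, which in turn affects log timestamps and certificate validity checks, so it is worth seeing them applied to a concrete set of sources. The Python model below is added here as an illustration of those rules only; it is not Cisco code, receives no real NTP packets, and the addresses, strata and arrival times are constructed sample values.

```python
"""Model of the SNTP source-selection rules described above; an added
illustration, not Cisco code. Addresses, strata and arrival times are
constructed sample values.

Rules from the manual:
  1. the source with the best (lowest) stratum wins;
  2. at equal stratum a configured server beats a broadcast server;
  3. if still tied, the first source to send a time packet wins;
  4. a new source is chosen only when the current one stops sending or a
     better one (by rules 1 to 3) appears.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SntpSource:
    address: str
    stratum: int        # lower is better; 1 is a primary reference
    configured: bool    # True if added with "sntp server", False if broadcast
    first_seen: float   # seconds at which the first packet arrived


def rank(source):
    """Sort key implementing rules 1 to 3: smaller tuples are better."""
    return (source.stratum, 0 if source.configured else 1, source.first_seen)


def select_server(heard, current=None):
    """Return the source to use, given the sources currently sending packets
    and the currently selected source (None if none has been chosen yet)."""
    if not heard:
        return None
    best = min(heard, key=rank)
    if current is None or current not in heard:
        return best          # nothing selected yet, or the current source went silent
    # Rule 4: only a strictly better source displaces the current one
    return best if rank(best) < rank(current) else current


if __name__ == "__main__":
    configured = SntpSource("10.0.0.1", 2, True, 1.0)
    broadcast = SntpSource("10.0.0.2", 2, False, 0.5)
    primary = SntpSource("10.0.0.3", 1, False, 3.0)
    chosen = select_server([configured, broadcast])
    print("equal stratum:", chosen.address)          # configured beats broadcast
    chosen = select_server([configured, broadcast, primary], current=chosen)
    print("better stratum appears:", chosen.address)  # switches to the stratum-1 source
    chosen = select_server([configured, broadcast], current=chosen)
    print("current went silent:", chosen.address)     # falls back to the configured server
```

Note that a broadcast source of better stratum displaces a configured server in this model, exactly as the manual states; if that is not what a deployment wants, the sntp broadcast client command should simply not be enabled.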
Configuring SNTP

SNTP is disabled by default. To enable SNTP on the access point, use one or both of these commands in global configuration mode:

Table 17-2  SNTP Commands

Command                                             Purpose
sntp server {address | hostname} [version number]   Configures SNTP to request NTP packets from an NTP server.
sntp broadcast client                               Configures SNTP to accept NTP packets from any NTP broadcast server.

Enter the sntp server command once for each NTP server. The NTP servers must be configured to respond to the SNTP messages from the access point.

If you enter both the sntp server command and the sntp broadcast client command, the access point accepts time from a broadcast server but prefers time from a configured server, assuming the strata are equal.

To display information about SNTP, use the show sntp EXEC command.

Configuring Time and Date Manually

If no other source of time is available, you can manually configure the time and date after the system is restarted. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the wireless device can synchronize, you do not need to manually set the system clock.

This section contains the following configuration information:

- Setting the System Clock, page 17-22
- Displaying the Time and Date Configuration, page 17-23
- Configuring the Time Zone, page 17-23
- Configuring Summer Time (Daylight Saving Time), page 17-24

Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.

To set the system clock, follow these steps beginning in privileged EXEC mode: