Cisco Router 860, 880 Series User Manual
CHAPTER 4
Basic Wireless Device Configuration

Book Title OL-xxxxx-xx

This chapter describes how to configure the wireless device for the first time. The wireless device is embedded on the Cisco 800 series router and runs a separate Cisco IOS from the router. The wireless device does not have an external console port for connections. To configure the wireless device, use a console cable to connect a PC to the host router’s console port, and then follow these procedures to establish connectivity and configure the wireless settings:

- Establishing a Wireless Configuration Session
- Configuring Basic Settings
- Configuring Wireless Security Settings
- Configuring Wireless Quality of Service

Establishing a Wireless Configuration Session

Important: Before you configure the wireless settings in the router’s setup, you must open a session to initiate an internal communication link between the wireless device and the router.
Enter the following commands in global configuration mode on the router’s Cisco IOS CLI.

Step 1
  Command: interface wlan-ap0
  Example:
      router(config)#interface wlan-ap0
      router(config-if)#
  Purpose: Defines the router’s console interface to the wireless device. It is used for reverse Telnet communication between the router’s console and the wireless device. Always use port 0. The following message appears:
      The wlan-ap 0 interface is used for managing the embedded AP. Please use the service-module wlan-ap 0 session command to console into the embedded AP.

Step 2
  Command: ip address subnet mask
  Example:
      router(config-if)#ip address 10.21.0.20 255.255.255.0
    or
      router(config-if)#ip unnumbered vlan1
  Purpose: Specifies the interface IP address and subnet mask.
  Note: The IP address can be shared with the IP address assigned to the Cisco Integrated Services Router by using the ip unnumbered vlan1 command.

Step 3
  Command: no shut
  Example:
      router(config-if)#no shut
  Purpose: Specifies the internal interface connection will remain open.

Step 4
  Command: interface vlan1
  Example:
      router(config-if)#interface vlan1
  Purpose: Specifies the virtual LAN interface for data communication on the internal Gigabit Ethernet 0 (GE0) port to other interfaces.
  Note: All the switch ports inherit the default vlan1 interface.

Step 5
  Command: ip address subnet mask
  Example:
      router(config-if)#ip address 10.21.0.30 255.255.255.0
  Purpose: Specifies the interface IP address and subnet mask.

Step 6
  Command: exit
  Example:
      router(config-if)#exit
      router(config)#
  Purpose: Exits the mode.

Step 7
  Command: exit
  Example:
      router(config)#exit
      router#
  Purpose: Exits the mode.

Step 8
  Command: service-module wlan-ap 0 session
  Example:
      router#service-module wlan-ap0 session
      Trying 10.21.0.20, 2002 ... Open
      ap>
  Purpose: Opens the reverse Telnet connection between the wireless device and the router’s console.

Tip: To create an IOS software alias for the console session to the wireless device, enter the alias exec dot11radio service-module wlan-ap 0 session command at the router prompt. Now, when you want to open a session, just enter the command dot11radio.

Closing the Session

To close a session between the wireless device and the router’s console, perform both of the following procedures.

Wireless Device
  1. Control-Shift-6 x

Router
  2. disconnect or service-module wlan-ap 0 session clear
  3. Press Enter twice.

Note: If you do not use the disconnect command to close the session to the wireless device, you can resume the session by pressing Enter on the keyboard.
Configuring Basic Settings

Note: You must establish an internal link between the wireless device and the router before you configure settings on the wireless device. See the “Establishing a Wireless Configuration Session” section.

After the internal link is established, use one of the following methods to configure basic settings:

- Express Setup (GUI): See the “Cisco Express Setup” section.
- Cisco IOS Setup (CLI): See the “Cisco IOS Setup” section.

Cisco Express Setup

To use the web browser:

Step 1  Establish a console connection to the wireless device and get the BVI IP address by entering the show interface bvi1 IOS command.
Step 2  Open a browser window and enter the BVI IP address in the browser-window address line. Press Enter and an Enter Network Password window appears.
Step 3  Enter your username. Cisco is the default User Name.
Step 4  Enter the wireless device password. Cisco is the default password. The Summary Status page appears.

See the following URL for details about using the web-browser configuration page:
http://cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap4-first.html#wp1103336

Cisco IOS Setup

Cisco IOS Setup starts automatically when you boot up the embedded-wireless device with no saved configuration in NVRAM, which is the case when the device was not preconfigured at the factory. You can also invoke the setup dialog by issuing the setup command in enable mode.

When setup is initiated, it presents the System Configuration Dialog. When you complete all the steps in the dialog, the device displays the modified configuration file and asks if you want to use that file. You must answer yes or no; there is no default for this prompt.

- Yes: saves the file to NVRAM as the starting configuration.
- No: the file is not saved, and you must start at the beginning of the dialog to build another initial configuration.

Configuring SSIDs, Authentication, and Encryption

The System Configuration Dialog guides you through an initial configuration for the interface, SSIDs, authentication mode, and encryption type. The dialog then creates an initial configuration file.
Step 1  Type setup in privileged EXEC mode on the router to initiate the configuration dialog.
Step 2  Choose Yes to continue with the configuration dialog.
Step 3  Select the type of setup by answering the following question:
            Would you like to enter basic management setup? [yes/no]
        - Yes: Basic setup
        - No: Secure setup
Step 4  Configure and save the settings to NVRAM.

    Settings                                          Basic Setup   Secure Setup
    Hostname                                          X             X
    Passwords                                         X             X
    IP address for Bridged Virtual Interface (BVI)    X             X
    SSIDs for radio(s)                                -             X
    Authentication mode for SSIDs                     -             X
    Encryption ([WEP] and [WPA2])                     -             X

Note: Ensure your previous setup selections for the dot11radio interface(s) do not have SSIDs associated with them, and they do not have encryption commands configured. The configuration selections you make in the setup should not conflict with a previous configuration on the embedded-wireless device.

You may also configure these settings using the web interface. See the following link for configuration details using the web interface:
http://cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap4-first.html#wp1103336

Example of: Basic Setup

    Enter host name [ap]:

    The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.
    Enter enable secret: ******

    The enable password is used when you do not specify an enable secret password, with some older software version, and some boot images.
    Enter enable password: ***********

    The virtual terminal password is used to protect access to the router over a network interface.
    Enter virtual terminal password: *******
    Configure SNMP Network Management? [yes]:
    Community string [public]:

    Current interface summary

    Any interface listed with OK? value “NO” does not have a valid configuration

    Interface    IP-Address    OK?   Method   Status   Protocol
    BVI1         unassigned    YES   unset    up       up
    Enter interface name used to connect to the management network from the above interface summary [BVI1]:

    Configuring interface BVI1:
    Configure IP on this interface? [no]: yes
    IP address for this interface: x.xx.xx.xx
    Subnet mask for this interface [255.0.0.0]: 255.255.0.0
    Class A network is 2.0.0.0, 16 subnet bits; mask is /16

Note: After the wireless device BVI interface is configured with an IP address, you can use the web interface to perform additional configuration tasks. Connect to the web interface with a browser directed to the wireless device BVI IP address from a personal computer or laptop connected to the host router’s switch-port.

See the following link for details on how to establish connection to the web interface:
http://cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap2-gui.html#wp1034703

Example of: Secure Setup

These parameters are used in the following example:

- ssid: abcd
- encryption mode: Wep
- encryption key: 4085364000

    --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [yes/no]: yes

    At any point you may enter a question mark ? for help.
    Use ctrl-c to abort configuration dialog at any prompt.
    Default settings are in square brackets [].

    Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system

    Would you like to enter basic management setup? [yes/no]: no

    First, would you like to see the current interface summary? [yes]: n

    Configuring global parameters:

    Enter host name [ap]:

    The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.
    Enter enable secret: abc

    The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.
    Enter enable password: Cisco

    The virtual terminal password is used to protect access to the router over a network interface.
    Enter virtual terminal password: lab
    Configure SNMP Network Management? [yes]:
    Community string [public]:

    Configuring interface parameters:

    Do you want to configure BVI1 interface? [yes]:
    Configure IP on this interface? [no]: yes
    IP address for this interface:
    IP address for this interface:
    IP address for this interface: 2.12.56.121
    Subnet mask for this interface [255.0.0.0] : 255.255.0.0
    Class A network is 2.0.0.0, 16 subnet bits; mask is /16

    Configure SSID on Dot11Radio0(2.4GHz) interface? [yes]:
    Enter SSID (Up to 32 characters): abcd
    Configure security for this SSID? [yes]:
    Enter security type [wpa2|wep]: wep
    Enter WEP encryption key length [40|128]: 40
    Enter the unencrypted WEP key (HEX): 4085264000

    The following configuration command script was created:

    hostname ap
    enable secret 5 $1$eTFk$akYCxufCW4tzIqDWCIStm0
    enable password Cisco
    line vty 0 4
    password abc
    snmp-server community public
    !
    !
    interface BVI1
    ip address 2.12.56.121 255.255.0.0
    !
    interface BVI1
    no shut
    !
    dot11 ssid abcd
    authentication open
    !
    interface Dot11Radio0
    encryption mode wep mandatory
    encryption key 1 size 40bit 0 4085264000
    ssid abcd
    !
    End

    [0] Go to the IOS command prompt without saving this config.
    [1] Return back to the setup without saving this config.
    [2] Save this configuration to nvram and exit.

    Enter your selection [2]:
    Building configuration...
    Use the enabled mode configure command to modify this configuration.

    Press RETURN to get started!

Example of: WEP with Key Length 40 - Running Configuration

    ap#show running
    Building configuration...

    Current configuration : 1344 bytes
    !
    ! No configuration change since last restart
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname ap
    !
    enable secret 5 $1$eTFk$akYCxufCW4tzIqDWCIStm0
    enable password Cisco
    !
    no aaa new-model
    !
    !
    dot11 ssid abcd
       authentication open
    !
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption key 1 size 40bit 0 4085264000 transmit-key
     encryption mode wep mandatory
     !
     ssid abcd
     !
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface GigabitEthernet0
     description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
     no ip address
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 2.12.56.121 255.255.0.0
     no ip route-cache
    !
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    snmp-server community public RO
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    !
    line con 0
     no activation-character
    line vty 0 4
     password abc
     login
    !
    end

    ap#
Configuring Wireless Security Settings

After you assign initial settings to the wireless device, you must configure security settings to prevent unauthorized access to your network through your wireless device. Because it has a radio device, the wireless device can communicate beyond the physical boundaries of a building.

Using VLANs

If you use VLANs on your wireless LAN and assign SSIDs to VLANs, you can create multiple SSIDs by using any of the four security settings defined in the Security Types section. However, if you do not use VLANs on your wireless LAN, the security options that you can assign to SSIDs are limited because the encryption settings and authentication types are linked on the Express Security page.

Without VLANs, encryption settings (WEP and ciphers) apply to an interface, such as the 2.4-GHz radio, and you cannot use more than one encryption setting on an interface. For example, when you create an SSID with static WEP with VLANs disabled, you cannot create additional SSIDs with WPA authentication because the SSIDs use different encryption settings. If you find that the security setting for an SSID conflicts with the settings for another SSID, you can delete one or more SSIDs to eliminate the conflict.

Security Types

Table 4-1 describes the four security types that you can assign to an SSID.

Table 4-1  Types of SSID Security

Security Type: No Security
  Description: This is the least secure option. You should use this option only for SSIDs used in a public space and assign it to a VLAN that restricts access to your network.
  Security Features Enabled: None.

Security Type: Static WEP Key
  Description: This option is more secure than no security. However, static WEP keys are vulnerable to attack. If you configure this setting, you should consider limiting association to the wireless device based on MAC address. See the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points “Using MAC Address ACLs to Block or Allow Client Association to the Access Point” section in the Configuring Filters chapter. Or, if your network does not have a RADIUS server, consider using an access point as a local authentication server (see Chapter 7, “Configuring the Device as the Local Authenticator”).
  Security Features Enabled: Mandatory WEP. Client devices cannot associate using this SSID without a WEP key that matches the wireless device key.

Security Type: EAP(1) Authentication
  Description: This option enables 802.1X authentication (such as LEAP(2), PEAP(3), EAP-TLS(4), EAP-FAST(5), EAP-TTLS(6), EAP-GTC(7), EAP-SIM(8), and other 802.1X/EAP based products). This setting uses mandatory encryption, WEP, open authentication + EAP, network EAP authentication, no key management, RADIUS server authentication port 1645. You are required to enter the IP address and shared secret for an authentication server on your network (server authentication port 1645). Because 802.1X authentication provides dynamic encryption keys, you do not need to enter a WEP key.
  Security Features Enabled: Mandatory 802.1X authentication. Client devices that associate using this SSID must perform 802.1X authentication. If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you do not configure open authentication with EAP, the following warning message appears:
      SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.

Security Type: WPA(9)
  Description: This option permits wireless access to users authenticated against a database through the services of an authentication server, then encrypts their IP traffic with stronger algorithms than those used in WEP. This setting uses encryption ciphers, TKIP(10), open authentication + EAP, network EAP authentication, key management WPA mandatory, and RADIUS server authentication port 1645. As with EAP authentication, you must enter the IP address and shared secret for an authentication server on your network (server authentication port 1645).
  Security Features Enabled: Mandatory WPA authentication. Client devices that associate using this SSID must be WPA-capable. If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you don’t configure open authentication with EAP, the following message appears:
      SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.

Table notes:
  1. Extensible Authentication Protocol (EAP)
  2. Lightweight Extensible Authentication Protocol (LEAP)
  3. Protected Extensible Authentication Protocol (PEAP)
  4. Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
  5. Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
  6. Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS)
  7. Extensible Authentication Protocol-Generic Token Card (EAP-GTC)
  8. Extensible Authentication Protocol-Subscriber Identity Module (EAP-SIM)
  9. Wi-Fi Protected Access (WPA)
  10. Temporal Key Integrity Protocol (TKIP)

Configuring Wireless Quality of Service

To configure quality of service (QoS) for your wireless device, see the document Quality of Service in a Wireless Environment at the following URL: http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/QualityOfService.html.
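
Added example, not part of the Cisco manual: a short Python audit that maps each SSID in a running configuration to its Table 4-1 security type and flags the two weakest types plus the default values the manual shows (password Cisco, community public). It assumes VLANs are not in use, so a radio interface's encryption setting applies to every SSID on it; the "guest" SSID and the Dot11Radio1 interface in the sample are constructed for illustration.

```python
# Constructed sample: trimmed from the manual's WEP running configuration.
# The "guest" SSID on Dot11Radio1 is hypothetical, added to show "No Security".
SAMPLE_CONFIG = """\
enable password Cisco
dot11 ssid abcd
   authentication open
!
dot11 ssid guest
   authentication open
!
interface Dot11Radio0
 encryption key 1 size 40bit 0 4085264000 transmit-key
 encryption mode wep mandatory
 ssid abcd
!
interface Dot11Radio1
 ssid guest
!
snmp-server community public RO
"""

WEAK_TYPES = {"No Security", "Static WEP Key"}  # rated weakest in Table 4-1

def parse_blocks(config):
    """Group indented child lines under their unindented parent line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue  # blank lines and "!" separators/comments carry no settings
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def classify_ssids(config):
    """Map each SSID bound to a radio to a Table 4-1 security type (no VLANs)."""
    blocks, result = parse_blocks(config), {}
    for header, body in blocks.items():
        if not header.startswith("interface Dot11Radio"):
            continue
        modes = [l for l in body if l.startswith("encryption mode")]
        for ssid in (l.split(None, 1)[1] for l in body if l.startswith("ssid ")):
            auth = [a for a in blocks.get("dot11 ssid " + ssid, [])
                    if a.startswith("authentication")]
            if any("key-management wpa" in a for a in auth):
                result[ssid] = "WPA"
            elif any("eap" in a for a in auth):
                result[ssid] = "EAP Authentication"
            elif any("wep" in m for m in modes):
                result[ssid] = "Static WEP Key"
            else:
                result[ssid] = "No Security" if not modes else "Other"
    return result

def audit(config):
    """Return findings for weak SSID types and for default secrets left in place."""
    findings = [f"SSID {s}: {t}"
                for s, t in sorted(classify_ssids(config).items()) if t in WEAK_TYPES]
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["enable", "password", "Cisco"]:
            findings.append("enable password is the default 'Cisco'")
        if words[:3] == ["snmp-server", "community", "public"]:
            findings.append("SNMP community is the default 'public'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the output of show running saved to a file, the same functions report which SSIDs would need to move to the EAP or WPA types before the device is put into service.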