Cisco 3200 Series Wireless MIC Software Configuration Guide
Administering the WMIC

Table Of Contents

Administering the WMIC

Configuring a System Name and Prompt

Configuring a System Name

Managing DNS

Default DNS Configuration

Setting Up DNS

Displaying the DNS Configuration

Creating a Banner

Default Banner Configuration

Configuring a Message-of-the-Day Login Banner

Configuring a Login Banner

Protecting Access to Privileged EXEC Commands

Default Password and Privilege Level Configuration

Setting or Changing a Static Enable Password

Protecting Enable and Enable Secret Passwords with Encryption

Configuring Username and Password Pairs

Configuring Multiple Privilege Levels

Setting the Privilege Level for a Command

Logging Into and Exiting a Privilege Level

Protecting the Wireless LAN

Using VLANs

Express Security Types

Security Configuration Examples

Configuring and Enabling RADIUS

Understanding RADIUS

RADIUS Operation

Controlling WMIC Access with RADIUS

Identifying the RADIUS Server Host

Configuring RADIUS Login Authentication

Defining AAA Server Groups

Configuring RADIUS Authorization for User Privileged Access and Network Services

Starting RADIUS Accounting

Configuring Settings for All RADIUS Servers

Configuring the Bridge to Use Vendor-Specific RADIUS Attributes

Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication

Displaying the RADIUS Configuration

Controlling WMIC Access with TACACS+

Understanding TACACS+

TACACS+ Operation

Default TACACS+ Configuration

Configuring TACACS+ Login Authentication

Identifying the TACACS+ Server Host and Setting the Authentication Key

Configuring TACACS+ Login Authentication

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

Starting TACACS+ Accounting

Displaying the TACACS+ Configuration

Configuring the WMIC for Local Authentication and Authorization

Configuring the WMIC for Secure Shell

Understanding SSH

Configuring SSH

Managing Aironet Extensions

Managing the System Time and Date

Understanding the System Clock

Understanding Network Time Protocol

Configuring Time and Date Manually

Setting the System Clock

Displaying the Time and Date Configuration

Configuring the Time Zone

Configuring Summer Time (Daylight Saving Time)

Configuring NTP

Default NTP Configuration

Configuring NTP Authentication

Configuring NTP Associations

Configuring NTP Broadcast Service

Configuring NTP Access Restrictions

Disabling NTP Services on a Specific Interface

Configuring the Source IP Address for NTP Packets

Displaying the NTP Configuration


Administering the WMIC


This document describes how to administer the Cisco Wireless Mobile Interface Card (WMIC).

Configuring a System Name and Prompt

You configure the system name on the WMIC to identify it. The system name is also used as the system prompt, with a greater than symbol (>) appended in user EXEC mode and a pound sign (#) in privileged EXEC mode. The prompt is updated whenever the system name changes, unless you manually configure the prompt by using the prompt command in global configuration mode.


Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1.


Configuring a System Name

To manually configure a system name, follow these steps, beginning in privileged EXEC mode:

 
Command
Purpose

Step 1 

configure terminal

Enters global configuration mode.

Step 2 

hostname name

Manually configures a system name.

The name must follow the rules for ARPANET hostnames. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.

Step 3 

end

Returns to privileged EXEC mode.

Step 4 

show running-config

Verifies your entries.

Step 5 

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

When you set the system name, it is also used as the system prompt.

To return to the default hostname, use the no hostname global configuration command.

Managing DNS

The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map hostnames to IP addresses. When you configure DNS on your WMIC, you can substitute the hostname for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.

IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that is identified by a com domain name; its domain name is cisco.com.

To keep track of domain names, IP has defined the concept of a domain name server that holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, identify the hostnames, specify the name server that is present on your network, and enable the DNS.

Default DNS Configuration

Table 1 shows the default DNS configuration.

Table 1 Default DNS Configuration 

Feature
Default Setting

DNS enable state

Enabled (ip domain-lookup is on unless no ip domain-lookup has been configured).

DNS default domain name

None configured.

DNS servers

No name server addresses are configured.


Setting Up DNS

To set up your WMIC to use the DNS, follow these steps, beginning in privileged EXEC mode:

 
Command
Purpose

Step 1 

configure terminal

Enters global configuration mode.

Step 2 

ip domain-name name

Defines a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name).

Do not include the initial period that separates an unqualified name from the domain name.

At boot time, no domain name is configured; however, if the configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information).

Step 3 

ip name-server server-address1 [server-address2 ... server-address6]

Specifies the address of one or more name servers to use for name and address resolution.

You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The WMIC sends DNS queries to the primary server first. If that query fails, the backup servers are queried.

Step 4 

ip domain-lookup

(Optional) Enables DNS-based hostname-to-address translation on your WMIC. Cisco IOS enables this feature by default, so the command is needed only if lookups were turned off with no ip domain-lookup; check show running-config for that line.

If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).

Step 5 

end

Returns to privileged EXEC mode.

Step 6 

show running-config

Verifies your entries.

Step 7 

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

If you use the WMIC IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.), a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address.

The default domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.

To remove a domain name, use the no ip domain-name name command in global configuration mode. To remove a name server address, use the no ip name-server server-address command in global configuration mode. To disable DNS on the WMIC, use the no ip domain-lookup command in global configuration mode.

Displaying the DNS Configuration

To display the DNS configuration information, use the show running-config command in privileged EXEC mode.

Creating a Banner

You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner appears on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns).

The login banner also appears on all connected terminals. It appears after the MOTD banner and before the login prompts.


Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.


Default Banner Configuration

The MOTD and login banners are not configured.

Configuring a Message-of-the-Day Login Banner

You can create a single- or multiple-line message banner that appears on the screen when someone logs in to the WMIC.

To configure a MOTD login banner, follow these steps, beginning in privileged EXEC mode:

 
Command
Purpose

Step 1 

configure terminal

Enters global configuration mode.

Step 2 

banner motd c message c

Specifies the message of the day.

For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.

For message, enter a banner message up to 255 characters. You cannot use the delimiting character in the message.

Step 3 

end

Returns to privileged EXEC mode.

Step 4 

show running-config

Verifies your entries.

Step 5 

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

To delete the MOTD banner, use the no banner motd global configuration command.

This example shows how to configure a MOTD banner for the WMIC by using the pound sign (#) as the beginning and ending delimiter:

bridge(config)# banner motd #
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
bridge(config)#

This example shows the banner displayed from the previous configuration:

Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.

This is a secure site. Only authorized users are allowed.
For access, contact technical support.

User Access Verification

Password:

Configuring a Login Banner

You can configure a login banner to appear on all connected terminals. This banner appears after the MOTD banner and before the login prompt.

To configure a login banner, follow these steps, beginning in privileged EXEC mode:

 
Command
Purpose

Step 1 

configure terminal

Enters global configuration mode.

Step 2 

banner login c message c

Specifies the login message.

For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.

For message, enter a login message up to 255 characters. You cannot use the delimiting character in the message.

Step 3 

end

Returns to privileged EXEC mode.

Step 4 

show running-config

Verifies your entries.

Step 5 

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

To delete the login banner, use the no banner login global configuration command.

This example shows how to configure a login banner for the WMIC using the dollar sign ($) symbol as the beginning and ending delimiter:

bridge(config)# banner login $
Access for authorized users only. Please enter your username and password.
$
bridge(config)#

Protecting Access to Privileged EXEC Commands

A simple way of controlling terminal access in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can issue after they have logged into a network device.


Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference for Release 12.2.


This section describes how to control access to the configuration file and privileged EXEC commands.

Default Password and Privilege Level Configuration

Table 2 shows the default password and privilege level configuration.

Table 2 Default Password and Privilege Levels 

Feature
Default Setting

Username and password

Default username is Cisco and the default password is Cisco.

Enable password and privilege level

Default password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted in the configuration file.

Enable secret password and privilege level

Default password is Cisco. The default is level 15 (privileged EXEC level). The password is stored as a one-way (type 5) hash in the configuration file.

Line password

Default password is Cisco. The password is encrypted in the configuration file.

All four defaults use the same well-known value (Cisco); change them before the WMIC is reachable from any production network.


Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode.


Note The no enable password global configuration command removes the enable password, but you should use extreme care when using this command. If you remove the enable password and no enable secret is configured, you can be locked out of privileged EXEC mode.


To set or change a static enable password, follow these steps, beginning in privileged EXEC mode:

 
Command
Purpose

Step 1 

configure terminal

Enters global configuration mode.

Step 2 

enable password password

Defines a new password or changes an existing password for access to privileged EXEC mode.

The default password is Cisco.

For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, it is case sensitive, and it allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password; for example, to create the password abc?123, do this:

1. Enter abc.

2. Enter Ctrl-V.

3. Enter ?123.

When the system prompts you to enter the enable password, you need not precede the question mark with Ctrl-V; you can simply enter abc?123 at the password prompt.

Step 3 

end

Returns to privileged EXEC mode.

Step 4 

show running-config

Verifies your entries.

Step 5 

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

The enable password is not encrypted and can be read in the WMIC configuration file.

This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access).

bridge(config)# enable password l1u2c3k4y5

Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or the enable secret command. Both establish a password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify, but they protect it differently: enable password stores the value in clear text, or as type 7 obfuscation if service password-encryption is configured, and type 7 can be reversed by anyone who obtains a copy of the configuration; enable secret stores a one-way (type 5) hash that cannot be reversed.

We recommend that you use the enable secret command because its hash cannot be reversed.

If you configure both, the enable secret password takes precedence and the enable password for that level is ignored.

To configure encryption for enable and enable secret passwords, follow these steps, beginning in privileged EXEC mode:

 
Command
Purpose

Step 1 

configure terminal

Enters global configuration mode.

Step 2 

enable password [level level] {password | encryption-type encrypted-password}

or

enable secret [level level] {password | encryption-type encrypted-password}

Defines a new password or changes an existing password for access to privileged EXEC mode.

or

Defines a secret password, which is saved using a nonreversible encryption method.

(Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).

For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, it is case sensitive, and it allows spaces but ignores leading spaces. By default, no password is defined.

(Optional) For encryption-type, only type 5, a salted MD5 hash, is available for enable secret (enable password accepts type 0, clear text, or type 7). If you specify an encryption type, you must provide an already-encrypted password, that is, one that you copy from another WMIC configuration.

Note If you specify an encryption type and then enter a clear text password, you cannot reenter privileged EXEC mode. You cannot recover a lost encrypted password by any method; you can only replace it.

Step 3 

service password-encryption

(Optional) Encrypts passwords as they are defined and when the configuration is written.

This keeps passwords from being read directly out of the configuration file, but the type 7 encoding it applies is reversible; it is not a substitute for enable secret.

Step 4 

end

Returns to privileged EXEC mode.

Step 5 

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

If both the enable and enable secret passwords are defined, users must enter the enable secret password.

Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. To specify commands accessible at various levels, use the privilege level command in global configuration mode. For more information, see the "Configuring Multiple Privilege Levels" section.

If you enable password encryption, it applies to all passwords, including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.

To remove a password and level, use the no enable password [level level] or no enable secret [level level] command in global configuration mode. To disable password encryption, use the no service password-encryption command in global configuration mode.

This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:

bridge(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
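The difference between the two storage formats is easy to demonstrate. The following Python program is an added example, not part of the Cisco guide: it encodes and decodes type 7 strings with the fixed XOR key that IOS uses for service password-encryption, and shows that a value such as the username Cisco password 7 02250D480809 line in this chapter's 4.9-GHz example decodes straight back to its cleartext, whereas a type 5 enable secret is a salted MD5 hash with no such reversal. The sample configuration text is constructed for the example; the l1u2c3k4y5 value is the password from the enable password example above, encoded here with offset 5.

```python
import re

# Fixed XOR key that every IOS image uses for type 7 encoding.  It has been
# public since 1995, which is why type 7 is obfuscation, not encryption.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext behind a type 7 string such as 02250D480809.

    Layout: two decimal digits give the starting offset into _XLAT; each
    following hex byte is one cleartext character XORed with the key byte
    at the running offset.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("type 7 string: 2 decimal digits then an even run of hex digits")
    offset = int(encoded[:2])
    if offset > 15:
        raise ValueError("type 7 offset must be 0..15")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _XLAT[(offset + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(cleartext: str, offset: int = 2) -> str:
    """Produce a type 7 string.  IOS picks the offset itself; here it is a parameter."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    body = bytes(c ^ _XLAT[(offset + i) % len(_XLAT)]
                 for i, c in enumerate(cleartext.encode("ascii")))
    return f"{offset:02d}{body.hex().upper()}"


# Matches "password 7 <hex>" wherever it appears (enable password, username,
# line password).  An "enable secret 5 $1$..." line is an MD5 hash and never matches.
_TYPE7_LINE = re.compile(r"^\s*(?P<line>.*\bpassword\s+7\s+(?P<enc>[0-9A-Fa-f]{4,}))\s*$",
                         re.MULTILINE)


def reveal_type7(config_text: str) -> list[tuple[str, str]]:
    """Return (configuration line, recovered cleartext) for every type 7 password."""
    return [(m.group("line"), type7_decode(m.group("enc")))
            for m in _TYPE7_LINE.finditer(config_text)]


# Constructed sample: the username line is the one from this chapter's 4.9-GHz
# example; the enable line is the chapter's l1u2c3k4y5 example encoded with
# offset 5; the vty line password reuses the username value.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 0507571A734F1D024D1C42
enable secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8
username Cisco password 7 02250D480809
line vty 0 4
 password 7 02250D480809
 login
"""

if __name__ == "__main__":
    for line, clear in reveal_type7(SAMPLE_CONFIG):
        print(f"{line:45s} -> {clear}")
    print("round trip:", type7_decode(type7_encode("abc?123", 9)))
```

The enable secret line in the sample is the only credential the program cannot recover, which is the whole reason to prefer it; treat a configuration that carries type 7 strings as if it carried the passwords in clear text when deciding who may read it or where it may be stored.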

Configuring Username and Password Pairs

You can configure username and password pairs, which are locally stored on the WMIC. These pairs are assigned to lines or interfaces, and they authenticate each user before that user can access the WMIC. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.

To establish a username-based authentication system that requests a login username and a password, follow these steps, beginning in privileged EXEC mode:

 
Command
Purpose

Step 1 

configure terminal

Enters global configuration mode.

Step 2 

username name [privilege level] {password encryption-type password}

Enters the username, privilege level, and password for each user.

For name, specify the user ID as one word. Spaces and quotation marks are not allowed.

(Optional) For level, specify the privilege level the user has after gaining access. The range is from 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.

For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow.

For password, specify the password the user must enter to gain access to the WMIC. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

Step 3 

login local

Enables local password checking at login time. Authentication is based on the username specified in Step 2.

Step 4 

end

Returns to privileged EXEC mode.

Step 5 

show running-config

Verifies your entries.

Step 6 

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

To disable username authentication for a specific user, use the no username name command in global configuration mode.

To disable password checking and allow connections without a password, use the no login command in line configuration mode.


Note To open a Telnet session to the WMIC, you must have at least one username configured and login local set on the vty lines. If you enter no username for the only username, you can be locked out of the WMIC.


Configuring Multiple Privilege Levels

By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want fewer users to have access to the configure command, you can assign it level 3 security and distribute that password to a smaller group of users.

Setting the Privilege Level for a Command

To set the privilege level for a command mode, follow these steps, beginning in privileged EXEC mode:

 
Command
Purpose

Step 1 

configure terminal

Enters global configuration mode.

Step 2 

privilege mode level level command

Sets the privilege level for a command.

For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode.

For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.

For command, specify the command to which you want to restrict access.

Step 3 

enable password level level password

Specifies the enable password for the privilege level.

For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.

For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, it is case sensitive, and it allows spaces but ignores leading spaces. By default, no password is defined.

Step 4 

end

Returns to privileged EXEC mode.

Step 5 

show running-config

or

show privilege

Verifies your entries.

The show running-config command displays the password and access level configuration. The show privilege command displays the privilege level configuration.

Step 6 

copy running-config startup-config

(Optional) Saves your entries in the configuration file.

When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.

To return to the default privilege for a given command, use the no privilege mode level level command command in global configuration mode.

This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password that users must enter to use level 14 commands:

bridge(config)# privilege exec level 14 configure
bridge(config)# enable password level 14 SecretPswd14

Logging Into and Exiting a Privilege Level

To log in to a specified privilege level and to exit to a specified privilege level, follow these steps, beginning in privileged EXEC mode:

 
Command
Purpose

Step 1 

enable level

Logs in to a specified privilege level.
For level, the range is from 0 to 15.

Step 2 

disable level

Exits to a specified privilege level.
For level, the range is from 0 to 15.

Protecting the Wireless LAN

Configure security settings to prevent unauthorized access to your network. Because it is a radio device, the WMIC can communicate beyond the physical boundaries of your building. You can apply advanced security features such as the following:

Unique service set identifiers (SSIDs) that are not broadcast in the beacon (see "Service Set Identifiers")

Wired Equivalent Privacy (WEP) and WEP features (see "Cipher Suites and WEP")

Dynamic WEP authentication (see "Authentication Types")

Using VLANs

Assign SSIDs to the VLANs on the wireless LAN. If you do not use VLANs on the wireless LAN, the security options that can be assigned to SSIDs are limited, because encryption settings and authentication types are linked. Without VLANs, encryption settings (WEP and ciphers) are applied to an interface, and no more than one encryption setting can be used on each interface.

For example, if an SSID with static WEP is created with VLANs disabled, an additional SSID with Wi-Fi Protected Access (WPA) authentication cannot be created because of the different encryption settings. If a security setting for an SSID conflicts with another SSID, delete one or more SSIDs to eliminate the conflict.

Express Security Types

Table 3 describes the four security types that you can assign to an SSID.

Table 3 Security Types Assignable to SSIDs 

Security Type
Description
Security Features Enabled

No Security

This is the least secure option. Use this option only for SSIDs that are used in a public space. Assign this option to a VLAN that restricts access to your network.

None.

Static WEP Key

This option is more secure than no security. However, static WEP keys are vulnerable to attack. If you configure this setting, you should limit association to the access point based on MAC address, or, if the network does not have a RADIUS server, consider using an access point as a local authentication server.

Mandatory WEP encryption, no key management, and open authentication. In root access point mode, client devices cannot associate using this SSID without a WEP key that matches the access point key.

Extensible Authentication Protocol (EAP) Authentication

This option enables 802.1x authentication (such as LEAP, PEAP, EAP-TLS, EAP-TTLS, EAP-GTC, and other 802.1X/EAP based products). It requires an IP address and shared secret for an authentication server on the network (server authentication port 1645). Because 802.1x authentication provides dynamic encryption keys, a WEP key is not required.

Mandatory 802.1x authentication. In root access point mode, client devices that associate using this SSID must perform 802.1x authentication.

If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you do not configure open authentication with EAP, the following GUI warning message appears:

WARNING:
Network EAP is used for LEAP authentication only. If radio clients are configured to authenticate using EAP-FAST, Open Authentication with EAP should also be configured.

If you are using the command-line interface (CLI), this warning message appears:

SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.

WPA

WPA permits wireless access to users authenticated against a database through the services of an authentication server, and encrypts those users' IP traffic with stronger algorithms than those used in WEP. As with EAP authentication, the IP address and shared secret for an authentication server on your network (server authentication port 1645) are required.

This setting uses encryption ciphers, Temporal Key Integrity Protocol (TKIP), open authentication + EAP, network EAP authentication, key management WPA mandatory, and RADIUS server authentication port 1645.

Mandatory WPA authentication. Client devices that associate using this SSID must be WPA-capable.

If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you do not configure open authentication with EAP, the following GUI warning message appears:

WARNING:
Network EAP is used for LEAP authentication only. If radio clients are configured to authenticate using EAP-FAST, Open Authentication with EAP should also be configured.

If you are using the CLI, this warning message appears:

SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.


Security Configuration Examples

This section contains these configuration examples:

No Security SSID Example

Static WEP Security Example

EAP Authentication Security Example

WPA Security Example

No Security SSID Example

This example shows part of the configuration for creating an SSID called no_security_ssid, including the SSID in the beacon (guest-mode), assigning it to VLAN 10, and selecting VLAN 10 as the native VLAN (as it applies to the 2.4-GHz [802.11b/g] WMIC):

dot11 ssid no_security_ssid
   vlan 10
   authentication open
   guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid no_security_ssid
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 4000
 station-role root
 infrastructure-client
 bridge-group 1
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1

As it applies to the 4.9-GHz WMIC (this is a complete configuration; note that as shown it keeps the default Cisco username with a type 7 password, enables the clear-text HTTP server and disables the HTTPS server, sets no console exec-timeout, and accepts Telnet on the vty lines, all of which should be tightened before deployment):

hostname root
!
username Cisco password 7 02250D480809
ip subnet-zero
!
no aaa new-model
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid test
    authentication open 
    infrastructure-ssid
 !
 spacing 5 channel 4942
 speed basic-1.5 2.25 basic-3.0 4.5 basic-6.0 9.0 12.0 13.5
 power local 10
 station-role root
 infrastructure-client
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.1.1.2 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1 
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
bridge 1 route ip
!
!
!
line con 0
 exec-timeout 0 0
 transport preferred all
 transport output all
line vty 0 4
 login local
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 login
 transport preferred all
 transport input all
 transport output all
!
end
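As an added check (example code, not part of the guide), the following Python script audits the management-plane settings of an IOS configuration such as the one above. It parses the global lines and the line blocks and reports the weak settings this chapter discusses: no enable secret, service password-encryption off, a username with a type 7 password, clear-text HTTP management, AAA disabled, a console with no exec-timeout, vty lines that accept Telnet, and vty lines with login but no password (which reject every login attempt). A hardened variant yields no findings. Both configuration strings are constructed from the example above; the hardened variant's username secret form is assumed to be supported by the image, and its $1$ hash is reused from this chapter's enable secret example.

```python
import re


def parse_blocks(config_text: str):
    """Split IOS configuration text into (global_lines, blocks).

    global_lines keeps every unindented line in order; blocks maps each
    unindented line (for example 'line vty 0 4') to the stripped indented
    lines beneath it.  Comment markers ('!') and blank lines are dropped.
    """
    global_lines, blocks, current = [], {}, None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw[0] in " \t":                      # child of the current block
            if current is not None:
                blocks[current].append(stripped)
        else:                                    # new global line
            global_lines.append(stripped)
            current = stripped
            blocks[current] = []
    return global_lines, blocks


def audit_management_plane(config_text: str) -> list[str]:
    """Return the weak management-plane settings found, as short finding codes."""
    glob, blocks = parse_blocks(config_text)

    def has(prefix: str) -> bool:
        return any(line.startswith(prefix) for line in glob)

    findings = []
    if not has("enable secret"):                 # only enable password (or the default) guards level 15
        findings.append("no-enable-secret")
    if not has("service password-encryption"):   # new passwords land in the config in clear text
        findings.append("service-password-encryption-off")
    if any(re.match(r"username \S+ (privilege \d+ )?password 7 ", line) for line in glob):
        findings.append("username-type7-password")   # type 7 is reversible obfuscation
    if has("ip http server") and not has("ip http secure-server"):
        findings.append("http-cleartext-management")
    if has("no aaa new-model"):
        findings.append("aaa-new-model-disabled")
    for header, body in blocks.items():
        if not header.startswith("line "):
            continue
        if "exec-timeout 0 0" in body:
            findings.append(f"{header}: exec-timeout-disabled")
        if any(l.startswith("transport input") and {"all", "telnet"} & set(l.split()) for l in body):
            findings.append(f"{header}: telnet-allowed")
        if "login" in body and not any(l.startswith("password ") for l in body):
            findings.append(f"{header}: login-without-password")
    return findings


# Constructed from the chapter's 4.9-GHz example, abridged to the lines the audit inspects.
WEAK_CONFIG = """\
hostname root
!
username Cisco password 7 02250D480809
no aaa new-model
!
interface BVI1
 ip address 192.1.1.2 255.255.255.0
!
ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
 transport output all
line vty 0 4
 login local
 transport input all
line vty 5 15
 login
 transport input all
!
end
"""

# Constructed hardened variant.  The hash is the one from this chapter's enable
# secret example; "username ... secret" is assumed to be supported by the image.
HARDENED_CONFIG = """\
hostname root
service password-encryption
enable secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8
username admin privilege 15 secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8
aaa new-model
aaa authentication login default local
!
no ip http server
ip http secure-server
!
line con 0
 exec-timeout 5 0
line vty 0 15
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management_plane(cfg) or "no findings")
```

The vty 5 15 block in the weak configuration is worth a second look: login with no line password does not open those lines, it makes them refuse every connection, so the finding is about an unusable line rather than an open one. Feed the script the output of show running-config copied from a device to check a live WMIC.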

Static WEP Security Example

This example shows part of the configuration for creating an SSID called static_wep_ssid, excluding the SSID from the beacon, assigning the SSID to VLAN 20, selecting 3 as the key slot, and entering a 128-bit key:


dot11 ssid static_wep_ssid
   vlan 20
   authentication open
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 20 key 3 size 128bit 7 4E78330C1A841439656A9323F25A transmit-key
 encryption vlan 20 mode wep mandatory
 !
 ssid static_wep_ssid
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 4000
 station-role root
 infrastructure-client
 bridge-group 1
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled

EAP Authentication Security Example

This example shows part of the configuration for creating an SSID called eap_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 30:

dot11 ssid eap_ssid
   vlan 30
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 30 mode wep mandatory
 !
 ssid eap_ssid
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2312
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
 bridge-group 30 spanning-disabled
!
interface FastEthernet0
 mtu 1500
 no ip address
 ip mtu 1564
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.30
 mtu 1500
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 no bridge-group 30 source-learning
 bridge-group 30 spanning-disabled
!

WPA Security Example

This example shows part of the configuration for creating an SSID called wpa_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 40:

aaa new-model
!
aaa group server radius rad_eap
 server 10.91.104.92 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 40 mode ciphers tkip
!
 ssid wpa_ssid
    vlan 40
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
!
 concatenation
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 4000
 station-role root
 infrastructure-client
 bridge-group 1
!
interface Dot11Radio0.40
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0.40
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
!
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.91.104.92 auth-port 1645 acct-port 1646 key 7 135445415F59
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
line con 0
line vty 5 15
!
end
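The three examples above differ only in a few encryption and authentication lines per SSID. The following added example (not Cisco's code, and not part of this guide) parses a condensed copy of those lines and labels each SSID with the security type it corresponds to, so a reviewer can spot a VLAN still running static WEP in a longer running-config. It assumes only the forms used in this section's examples (encryption vlan N mode ..., ssid blocks with vlan and authentication lines); real configurations have more variants.

```python
import re
# Constructed sample, condensed from the three examples above: one SSID per VLAN.
SAMPLE_CONFIG = """\
 encryption vlan 20 mode wep mandatory
 encryption vlan 30 mode wep mandatory
 encryption vlan 40 mode ciphers tkip
 ssid static_wep_ssid
    vlan 20
    authentication open
 ssid eap_ssid
    vlan 30
    authentication network-eap eap_methods
 ssid wpa_ssid
    vlan 40
    authentication network-eap eap_methods
    authentication key-management wpa
"""

def parse_encryption(config):
    enc = {}  # VLAN -> cipher setting taken from 'encryption vlan N mode ...' lines
    for vlan, mode, rest in re.findall(r'encryption vlan (\d+) mode (\S+)(?: (\S+))?', config):
        enc[vlan] = mode if mode != 'ciphers' else 'ciphers:' + rest
    return enc

def parse_ssids(config):
    ssids, cur = {}, None  # SSID -> vlan and the 'authentication ...' lines of its block
    for line in (l.strip() for l in config.splitlines()):
        words = line.split()
        if words[:1] == ['ssid'] and len(words) == 2:
            cur = ssids.setdefault(words[1], {'vlan': None, 'auth': set()})
        elif cur is not None and words[:1] == ['vlan']:
            cur['vlan'] = words[1]
        elif cur is not None and words[:1] == ['authentication']:
            cur['auth'].add(line)
        else:
            cur = None  # any other line ends the ssid block
    return ssids

def classify(config):
    """Label each SSID with the security type its settings correspond to."""
    enc, result = parse_encryption(config), {}
    for name, info in parse_ssids(config).items():
        mode, auth = enc.get(info['vlan'], 'none'), ' '.join(info['auth'])
        if 'key-management wpa' in auth and mode.startswith('ciphers'):
            result[name] = 'WPA'
        elif 'eap' in auth and mode == 'wep':
            result[name] = 'EAP with dynamic WEP'
        else:
            result[name] = 'static WEP (weak)' if mode == 'wep' else 'open, no encryption'
    return result
```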

Configuring and Enabling RADIUS

This section describes how to configure and enable Remote Authentication Dial-In User Service (RADIUS).

Understanding RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco devices and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco, Livingston, Merit, Microsoft, or another software provider. For more information, see the RADIUS server documentation.

Use RADIUS in these network environments:

Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers from several vendors use a single RADIUS server-based security database. In an IP-based network with multiple vendors' access servers, dial-in users are authenticated through a RADIUS server that is customized to work with the Kerberos security system.

Turnkey network security environments in which applications support the RADIUS protocol, such as an access environment that uses a smart card access control system. In one case, RADIUS has been used with Enigma's security cards to validate users and to grant access to network resources.

Networks already using RADIUS. You can add a Cisco bridge containing a RADIUS client to the network.

Networks that require resource accounting. You can use RADIUS accounting independent of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, showing the amount of resources (such as time, packets, bytes, and so forth) used during the session. An Internet service provider might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs.

RADIUS is not suitable for these network situations:

Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 Packet Assembler Disassembler (PAD) connections.

Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.

Networks using a variety of services. RADIUS generally binds a user to one service model.

RADIUS Operation

When a non-root bridge attempts to authenticate to a bridge whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in Figure 1.

Figure 1 Sequence for EAP Authentication

In Figure 1, a non-root bridge and a RADIUS server on the wired LAN use 802.1x and EAP to perform a mutual authentication through the root device. The RADIUS server sends an authentication challenge to the non-root bridge. The non-root bridge uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the non-root bridge. When the RADIUS server authenticates the non-root bridge, the process repeats in reverse, and the non-root bridge authenticates the RADIUS server.

When mutual authentication is complete, the RADIUS server and the non-root bridge determine a WEP key that is unique to the non-root bridge and that provides the non-root bridge with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The non-root bridge loads this key and prepares to use it for the logon session.

During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the root device. The root device encrypts its broadcast key with the session key and sends the encrypted broadcast key to the non-root bridge, which uses the session key to decrypt it. The non-root bridge and the root device activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.

There is more than one type of EAP authentication, but the root device behaves the same way for each type: it relays authentication messages from the non-root bridge to the RADIUS server and from the RADIUS server to the non-root bridge. See the "Authentication Types" section for instructions on setting up authentication using a RADIUS server.

Controlling WMIC Access with RADIUS

This section describes how to control administrator access to the WMIC using RADIUS.

RADIUS provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through authentication, authorization, and accounting (AAA) and can be enabled only through AAA commands. RADIUS and AAA are disabled by default.

At a minimum, the host or hosts that run the RADIUS server software must be identified and the method lists for RADIUS authentication must be defined. Optionally, method lists for RADIUS authorization and accounting can be defined.

A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a non-root bridge. Method lists are used to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on non-root bridges; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.

You must have access to and should configure a RADIUS server before you configure RADIUS features.

These sections describe RADIUS configuration:

Identifying the RADIUS Server Host

Configuring RADIUS Login Authentication

Defining AAA Server Groups

Configuring RADIUS Authorization for User Privileged Access and Network Services

Starting RADIUS Accounting

Configuring Settings for All RADIUS Servers

Configuring the Bridge to Use Vendor-Specific RADIUS Attributes

Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication

Displaying the RADIUS Configuration


Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference for Release 12.2.


Identifying the RADIUS Server Host

Access point-to-RADIUS-server communication involves several components:

Hostname or IP address

Authentication destination port

Accounting destination port

Key string

Timeout period

Retransmission value

RADIUS security servers are identified by their hostname or IP address, hostname and specific User Datagram Protocol (UDP) port numbers, or IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.

If two different host entries on the same RADIUS server are configured for the same service—such as accounting—the second host entry configured acts as a failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the bridge tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order that they are configured.)
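The two fallback rules described above (a method list moves to its next method only when the current one does not respond, and host entries of one server are tried in configured order, with IP address plus UDP port as the identifier) are easy to get wrong when reasoning about what happens on a RADIUS reject. The following added example (not Cisco's code) models them for a constructed method list of the form group rad_eap local; the server behaviours, the local user and the second host entry on port 1812 are assumptions for the simulation, not values from this guide.

```python
class NoResponse(Exception):
    """A server (or a whole method) gave no answer within its timeout/retransmit budget."""

class RadiusHost:
    """One 'radius-server host' entry; address plus UDP port is the unique identifier."""
    def __init__(self, addr, port, behaviour):
        # 'behaviour' is a constructed stand-in for a real server: 'timeout', 'accept' or 'reject'
        self.addr, self.port, self.behaviour = addr, port, behaviour

    def query(self, user, password):
        if self.behaviour == 'timeout':
            raise NoResponse(f'{self.addr}:{self.port}')
        return self.behaviour == 'accept'

def group_radius(hosts):
    """Build the 'group <name>' method: host entries are tried in configured order,
    and the next entry is used only when the current one does not respond."""
    def method(user, password):
        for host in hosts:
            try:
                return host.query(user, password)   # accept or reject is a definitive answer
            except NoResponse:
                continue                            # failover to the next host entry
        raise NoResponse('no host in the group responded')
    return method

def local_method(users):
    """Build the 'local' method from the device's username/password pairs."""
    return lambda user, password: users.get(user) == password

def run_method_list(methods, user, password):
    """Apply a method list as the text describes: a method that does not respond is
    skipped in favour of the next one, but a definitive reject ends the list."""
    for method in methods:
        try:
            return 'accept' if method(user, password) else 'reject'
        except NoResponse:
            continue
    return 'error'  # every listed method was exhausted without a response

# Constructed scenario: the page's server 10.91.104.92 listed twice with different ports
# (two distinct host entries), followed by local fallback, as in 'group rad_eap local'.
USERS = {'admin': 'constructed-secret'}
SERVERS = [RadiusHost('10.91.104.92', 1645, 'timeout'),
           RadiusHost('10.91.104.92', 1812, 'accept')]
EAP_METHODS = [group_radius(SERVERS), local_method(USERS)]

if __name__ == '__main__':
    print(run_method_list(EAP_METHODS, 'admin', 'anything'))  # second host entry answers
```

Note the security-relevant consequence shown by the reject case: a RADIUS server that answers "reject" is not followed by a local login attempt; only silence moves the bridge down the list.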

A RADIUS server and the bridge use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host that is running the RADIUS server daemon and a secret text (key) string that it shares with the bridge.

The timeout, retransmission, and encryption key values can be configured globally per server for all RADIUS servers or in some combination of global and per-server settings. To apply these settings globally to all RADIUS servers communicating with the