Table Of Contents
Administering the Wireless Device
Disabling the Mode Button Function
Preventing Unauthorized Access to Your Access Point
Protecting Access to Privileged EXEC Commands
Configuring Default Password and Privilege Level
Setting or Changing a Static Enable Password
Protecting Enable and Enable Secret Passwords with Encryption
Configuring Username and Password Pairs
Configuring Multiple Privilege Levels
Setting the Privilege Level for a Command
Logging Into and Exiting a Privilege Level
Controlling Access Point Access with RADIUS
Default RADIUS Configuration
Configuring RADIUS Login Authentication
Defining AAA Server Groups
Configuring RADIUS Authorization for User Privileged Access and Network Services
Displaying the RADIUS Configuration
Controlling Access Point Access with TACACS+
Default TACACS+ Configuration
Configuring TACACS+ Login Authentication
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
Displaying the TACACS+ Configuration
Administering the Wireless Hardware and Software
Resetting the Wireless Device to the Factory Default Configuration
Rebooting the Wireless Device
Upgrading Software on the Access Point
Preparing for the Upgrade
Performing the Upgrade
Downgrading Software on the Access Point
Recovering Software on the Access Point
Monitoring the Wireless Device
Displaying Wireless Device Statistics
Displaying Wireless Device Status
Managing the System Time and Date
Understanding Simple Network Time Protocol
Configuring SNTP
Configuring Time and Date Manually
Setting the System Clock
Displaying the Time and Date Configuration
Configuring the Time Zone
Configuring Summer Time (Daylight Saving Time)
Configuring a System Name and Prompt
Default System Name and Prompt Configuration
Configuring a System Name
Understanding DNS
Default DNS Configuration
Setting Up DNS
Displaying the DNS Configuration
Creating a Banner
Default Banner Configuration
Configuring a Message-of-the-Day Login Banner
Configuring a Login Banner
Configuring Ethernet Speed and Duplex Settings
Configuring the Access Point for Wireless Network Management
Configuring the Access Point for Local Authentication and Authorization
Configuring the Authentication Cache and Profile
Configuring the Access Point to Provide DHCP Service
Setting up the DHCP Server
Monitoring and Maintaining the DHCP Server Access Point
show Commands
clear Commands
debug Command
Configuring the Access Point for Secure Shell
Understanding SSH
Configuring SSH
Configuring Client ARP Caching
Understanding Client ARP Caching
Optional ARP Caching
Configuring ARP Caching
Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging
Administering the Wireless Device
This chapter describes the following administration tasks.
Controlling and Securing Access to the Wireless Device
• Disabling the Mode Button Function
• Preventing Unauthorized Access to Your Access Point
• Protecting Access to Privileged EXEC Commands
• Controlling Access Point Access with RADIUS
• Controlling Access Point Access with TACACS+
Administering the Hardware and Software
• Administering the Wireless Hardware and Software
  – Resetting the Wireless Device to the Factory Default Configuration
  – Rebooting the Wireless Device
  – Upgrading Software on the Access Point
  – Downgrading Software on the Access Point
  – Recovering Software on the Access Point
  – Monitoring the Wireless Device
• Managing the System Time and Date
• Configuring a System Name and Prompt
• Creating a Banner
Administering Wireless Device Communication
• Configuring Ethernet Speed and Duplex Settings
• Configuring the Access Point for Wireless Network Management
• Configuring the Access Point for Local Authentication and Authorization
• Configuring the Authentication Cache and Profile
• Configuring the Access Point to Provide DHCP Service
• Configuring the Access Point for Secure Shell
• Configuring Client ARP Caching
• Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging
Disabling the Mode Button Function
You can disable the mode button on the wireless device by using the [no] boot mode-button command.
Caution 
This command disables password recovery. If you lose the privileged EXEC mode password for the access point after entering this command, you will need to contact the Cisco Technical Assistance Center (TAC) to regain access to the access point command line interface (CLI).
Note
To reboot the wireless device use the service-module wlan-ap reset command from the router's Cisco IOS CLI. See the "Rebooting the Wireless Device" section for information about this command.
The mode button is enabled by default. To disable the access point's mode button, follow these steps, beginning in privileged EXEC mode:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | no boot mode-button | Disables the access point's mode button. |
| Step 3 | end | Returns to privileged EXEC mode. Note: It is not necessary to save the configuration. |
You can check the status of the mode button by executing the show boot or show boot mode-button command in privileged EXEC mode. The status does not appear in the running configuration. The following shows typical responses to the show boot and show boot mode-button commands:
ap# show boot
BOOT path-list: flash:/c1200-k9w7-mx-v123_7_ja.20050430/c1200-k9w7-mx.v123_7_ja.20050430
Config file: flash:/config.txt
Private Config file: flash:/private-config
Enable Break: no
Manual boot: no
Mode button: on
Enable IOS break: no
HELPER path-list:
NVRAM/Config file
buffer size: 32768
ap#show boot mode-button
on
ap#
Note
As long as the privileged EXEC password is known, you can use the boot mode-button command to restore the mode button to normal operation.
Preventing Unauthorized Access to Your Access Point
You can prevent unauthorized users from reconfiguring the wireless device and viewing configuration information. Typically, you want the network administrators to have access to the wireless device while restricting access to users who connect through a terminal or workstation from within the local network.
To prevent unauthorized access to the wireless device, configure one of these security features:
• Username and password pairs, which are locally stored on the wireless device. These pairs authenticate each user before the user can access the wireless device. You can also assign a specific privilege level (read only or read/write) to each username and password pair. For more information, see the "Configuring Username and Password Pairs" section. The default username is Cisco, and the default password is Cisco. Usernames and passwords are case sensitive.
Note
The characters TAB, ?, $, +, and [ are invalid characters for passwords.
• Username and password pairs, which are stored centrally in a database on a security server. For more information, see the "Controlling Access Point Access with RADIUS" section.
Protecting Access to Privileged EXEC Commands
A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can issue after they have logged in to a network device.
Note
For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.4.
This section describes how to control access to the configuration file and privileged EXEC commands. It contains this configuration information:
• Configuring Default Password and Privilege Level
• Setting or Changing a Static Enable Password
• Protecting Enable and Enable Secret Passwords with Encryption
• Configuring Username and Password Pairs
• Configuring Multiple Privilege Levels
Configuring Default Password and Privilege Level
Table 17-1 shows the default password and privilege level configuration.
Table 17-1 Default Passwords and Privilege Levels
| Privilege Level | Default Setting |
|---|---|
| Username and password | The default username is Cisco, and the default password is Cisco. |
| Enable password and privilege level | The default password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted in the configuration file. |
| Enable secret password and privilege level | The default enable password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file. |
| Line password | The default password is Cisco. The password is encrypted in the configuration file. |
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode.
Note
The no enable password command, in global configuration mode, removes the enable password, but you should use extreme care when using this command. If you remove the enable password, you are locked out of the privileged EXEC mode.
To set or change a static enable password, follow these steps, beginning in privileged EXEC mode:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | enable password password | Defines a new password or changes an existing password for access to privileged EXEC mode. The default password is Cisco. For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password; for example, to create the password abc?123, do this: 1. Enter abc. 2. Enter Ctrl-V. 3. Enter ?123. When the system prompts you to enter the enable password, you need not precede the question mark with Ctrl-V; you can simply enter abc?123 at the password prompt. Note: The characters TAB, ?, $, +, and [ are invalid characters for passwords. |
| Step 3 | end | Returns to privileged EXEC mode. |
| Step 4 | show running-config | Verifies your entries. |
| Step 5 | copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
The enable password is not encrypted and can be read in the wireless device configuration file.
The following example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (standard privileged EXEC mode access):
AP(config)# enable password l1u2c3k4y5
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a TFTP server, you can use either the enable password or enable secret command in global configuration mode. The commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level that you specify.
We recommend that you use the enable secret command because it uses an improved encryption algorithm.
If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
To configure encryption for enable and enable secret passwords, follow these steps, beginning in privileged EXEC mode:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | enable password [level level] {password \| encryption-type encrypted-password} or enable secret [level level] {password \| encryption-type encrypted-password} | Defines a new password or changes an existing password for access to privileged EXEC mode, or defines a secret password, which is saved using a nonreversible encryption method. • (Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges). • For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined. • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password (an encrypted password you copy from another access point wireless device configuration). Note: If you specify an encryption type and then enter a clear text password, you cannot reenter privileged EXEC mode. You cannot recover a lost encrypted password by any method. |
| Step 3 | service password-encryption | (Optional) Encrypts the password when the password is defined or when the configuration is written. Encryption prevents the password from being readable in the configuration file. |
| Step 4 | end | Returns to privileged EXEC mode. |
| Step 5 | copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
If both the enable and enable secret passwords are defined, users must enter the enable secret password.
Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level command in global configuration mode to specify commands accessible at various levels. For more information, see the "Configuring Multiple Privilege Levels" section.
If you enable password encryption, it applies to all passwords, including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.
To remove a password and level, use the no enable password [level level] command or no enable secret [level level] command in global configuration mode. To disable password encryption, use the no service password-encryption command in global configuration mode.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
AP(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
Configuring Username and Password Pairs
You can configure username and password pairs, which are locally stored on the wireless device. These pairs are assigned to lines or interfaces, and they authenticate each user before the user can access the wireless device. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
To establish a username-based authentication system that requests a login username and a password, follow these steps, beginning in privileged EXEC mode:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | username name [privilege level] {password encryption-type password} | Enters the username, privilege level, and password for each user. • For name, specify the user ID as one word. Spaces and quotation marks are not allowed. • (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access. • For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow. • For password, specify the password the user must enter to gain access to the wireless device. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command. |
| Step 3 | login local | Enables local password checking at login time. Authentication is based on the username specified in Step 2. |
| Step 4 | end | Returns to privileged EXEC mode. |
| Step 5 | show running-config | Verifies your entries. |
| Step 6 | copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
To disable username authentication for a specific user, use the no username name command in global configuration mode.
To disable password checking and allow connections without a password, use the no login command in line configuration mode.
Note
You must have at least one username configured and you must have login local set to open a Telnet session to the wireless device. If you enter no username for the only username, you can be locked out of the wireless device.
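The statements in this section and the two before it (a static enable password is readable in the configuration file, enable secret takes precedence, the defaults are Cisco/Cisco, a username password can be stored as type 0, and no login removes password checking on a line) can be checked offline against a saved configuration. The following Python script is an added example, not Cisco code; the rule names, the Finding type and both sample configurations are constructed for illustration.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    rule: str
    line_no: int   # 0 means the finding applies to the whole file
    detail: str

# enable {password|secret} [level N] [encryption-type] <string>
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))?(?: (\d))? (\S.*)$")
# username NAME [privilege N] password [encryption-type] <string>
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? password(?: ([07]))? (\S.*)$")
DEFAULT_NAME = DEFAULT_PASSWORD = "Cisco"   # defaults stated in Table 17-1

def audit(config: str) -> list:
    """Return Findings for the weak settings this chapter describes."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    parsed = [(no, ln, ENABLE_RE.match(ln)) for no, ln in enumerate(lines, 1)]
    # Levels that already have an enable secret (level 15 when none is given).
    secret_levels = {m.group(2) or "15" for _, _, m in parsed
                     if m and m.group(1) == "secret"}
    findings = []
    if "service password-encryption" not in lines:
        findings.append(Finding("NO-PASSWORD-ENCRYPTION", 0,
                                "passwords are readable in the configuration file"))
    in_line_block = False
    for no, ln, m in parsed:
        if not ln.startswith(" "):            # a top-level command opens a new block
            in_line_block = ln.startswith("line ")
        if m and m.group(1) == "password":
            level, enc, pw = m.group(2) or "15", m.group(3), m.group(4)
            if level in secret_levels:
                findings.append(Finding("ENABLE-PASSWORD-SHADOWED", no,
                                        "enable secret takes precedence; remove the leftover"))
            else:
                findings.append(Finding("ENABLE-PASSWORD-NO-SECRET", no,
                                        f"level {level} has no enable secret"))
            if enc in (None, "0") and pw == DEFAULT_PASSWORD:
                findings.append(Finding("DEFAULT-CREDENTIAL", no, "default enable password"))
        u = USER_RE.match(ln)
        if u:
            name, enc, pw = u.group(1), u.group(3), u.group(4)
            if enc in (None, "0"):            # type 0: an unencrypted password follows
                findings.append(Finding("CLEARTEXT-USER-PASSWORD", no,
                                        f"user {name} has a type 0 password"))
                if name == DEFAULT_NAME and pw == DEFAULT_PASSWORD:
                    findings.append(Finding("DEFAULT-CREDENTIAL", no,
                                            "default username and password"))
        if in_line_block and ln.strip() == "no login":
            findings.append(Finding("LINE-NO-LOGIN", no,
                                    "line accepts connections without a password"))
    return findings

# Constructed running-config with the weak settings (not taken from a real device).
SAMPLE_CONFIG = """\
hostname ap
!
enable password l1u2c3k4y5
!
username Cisco password 0 Cisco
username netops privilege 15 password 7 HIDDEN-STRING-PLACEHOLDER
!
line con 0
line vty 0 4
 login local
line vty 5 15
 no login
!
end
"""

# Constructed counterpart with the corrected settings; hash and hidden strings are placeholders.
HARDENED_CONFIG = """\
service password-encryption
!
enable secret 5 CONSTRUCTED-HASH-PLACEHOLDER
!
username netops privilege 15 password 7 HIDDEN-STRING-PLACEHOLDER
!
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.rule:28} line {f.line_no:>2}  {f.detail}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```
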
Configuring Multiple Privilege Levels
By default, Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.
This section includes this configuration information:
• Setting the Privilege Level for a Command
• Logging Into and Exiting a Privilege Level
Setting the Privilege Level for a Command
To set the privilege level for a command mode, follow these steps, beginning in privileged EXEC mode:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | privilege mode level level command | Sets the privilege level for a command. • For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode. • For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password. • For command, specify the command to which you want to restrict access. |
| Step 3 | enable password level level password | Specifies the enable password for the privilege level. • For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. • For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined. Note: The characters TAB, ?, $, +, and [ are invalid characters for passwords. |
| Step 4 | end | Returns to privileged EXEC mode. |
| Step 5 | show running-config or show privilege | Verifies your entries. The show running-config command displays the password and access level configuration. The show privilege command displays the privilege level configuration. |
| Step 6 | copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
To return to the default privilege for a given command, use the no privilege mode level level command command in global configuration mode.
The following example shows how to set the configure command to privilege level 14 and how to define SecretPswd14 as the password users must enter to use level 14 commands:
AP(config)# privilege exec level 14 configure
AP(config)# enable password level 14 SecretPswd14
Logging Into and Exiting a Privilege Level
To log in to a specified privilege level or to exit to a specified privilege level, follow these steps, beginning in privileged EXEC mode:
| | Command | Purpose |
|---|---|---|
| Step 1 | enable level | Logs in to a specified privilege level. For level, the range is 0 to 15. |
| Step 2 | disable level | Exits to a specified privilege level. For level, the range is 0 to 15. |
Controlling Access Point Access with RADIUS
This section describes how to control administrator access to the wireless device by using Remote Authentication Dial-In User Service (RADIUS). For complete instructions on configuring the wireless device to support RADIUS, see the "Configuring Radius and TACACS+ Servers" chapter in the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points.
RADIUS provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through authentication, authorization, and accounting (AAA) and can be enabled only through AAA commands.
Note
For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference.
These sections describe RADIUS configuration:
• Default RADIUS Configuration
• Configuring RADIUS Login Authentication (required)
• Defining AAA Server Groups (optional)
• Configuring RADIUS Authorization for User Privileged Access and Network Services (optional)
• Displaying the RADIUS Configuration
Default RADIUS Configuration
RADIUS and AAA are disabled by default.
To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users who are accessing the wireless device through the command-line interface (CLI).
Configuring RADIUS Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply the list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any defined authentication methods are performed. The only exception is the default method list (which is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be used to authenticate a user. You can designate one or more security protocols for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users. If that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—that is, the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
To configure login authentication, follow these steps, beginning in privileged EXEC mode. This procedure is required.
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | aaa new-model | Enables AAA. |
| Step 3 | aaa authentication login {default \| list-name} method1 [method2...] | Creates a login authentication method list. • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces. • For list-name, specify a character string to name the list you are creating. • For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Select one of these methods: • local: Use the local username database for authentication. You must enter username information in the database. Use the username password global configuration command. • radius: Use RADIUS authentication. You must configure the RADIUS server before you can use this authentication method. For more information, see the "Identifying the RADIUS Server Host" section of the "Configuring Radius and TACACS+ Servers" chapter in the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points. |
| Step 4 | line [console \| tty \| vty] line-number [ending-line-number] | Enters line configuration mode, and configures the lines to which you want to apply the authentication list. |
| Step 5 | login authentication {default \| list-name} | Applies the authentication list to a line or set of lines. • If you specify default, use the default list that you created with the aaa authentication login command. • For list-name, specify the list that you created with the aaa authentication login command. |
| Step 6 | end | Returns to privileged EXEC mode. |
| Step 7 | show running-config | Verifies your entries. |
| Step 8 | copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
To disable AAA, use the no aaa new-model command in global configuration mode. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] command in global configuration mode. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} command in line configuration mode.
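The method-list rules described in this section (the next method is tried only when the previous one does not respond, a denial stops the process, and a line uses the default list unless a named list is applied to it) are modelled below. This is an added Python example, not Cisco code; the user databases, the list name console and all function names are constructed for illustration.

```python
import hmac
from enum import Enum

class Reply(Enum):
    ACCEPT = "accept"   # the method answered and allowed the user
    REJECT = "reject"   # the method answered and denied the user
    ERROR = "error"     # the method did not respond

def _check(db, user, password):
    stored = db.get(user)
    ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    return Reply.ACCEPT if ok else Reply.REJECT

def radius(db, reachable=True):
    """Stand-in for a RADIUS server; reachable=False models a server that does not respond."""
    def method(user, password):
        return _check(db, user, password) if reachable else Reply.ERROR
    return method

def local(db):
    """Stand-in for the local username database, which always responds."""
    def method(user, password):
        return _check(db, user, password)
    return method

def select_list(method_lists, line_list_name=None):
    """A line uses its named list if one is applied, otherwise the list named default."""
    return method_lists[line_list_name or "default"]

def authenticate(method_list, user, password):
    """Walk the list in order; only an ERROR reply moves on to the next method."""
    trail = []
    for name, method in method_list:
        reply = method(user, password)
        trail.append((name, reply.value))
        if reply is not Reply.ERROR:
            return reply is Reply.ACCEPT, trail   # accept or deny: stop here
    return False, trail                           # every method failed to respond

# Constructed user databases (assumptions for the example).
RADIUS_DB = {"alice": "constructed-radius-pw"}
LOCAL_DB = {"Cisco": "Cisco"}                     # the default local account still present

def build_lists(radius_reachable):
    return {
        "default": [("radius", radius(RADIUS_DB, radius_reachable)),
                    ("local", local(LOCAL_DB))],
        "console": [("local", local(LOCAL_DB))],  # hypothetical named list
    }

def demo():
    up, down = build_lists(True), build_lists(False)
    return {
        "radius_user_server_up": authenticate(select_list(up), "alice", "constructed-radius-pw"),
        "default_account_server_up": authenticate(select_list(up), "Cisco", "Cisco"),
        "default_account_server_down": authenticate(select_list(down), "Cisco", "Cisco"),
        "radius_user_server_down": authenticate(select_list(down), "alice", "constructed-radius-pw"),
        "console_named_list": authenticate(select_list(up, "console"), "Cisco", "Cisco"),
    }

if __name__ == "__main__":
    for case, (ok, trail) in demo().items():
        print(f"{case}: {'accepted' if ok else 'denied'} via {trail}")
```

The default_account_server_down case shows why the local database matters even with a RADIUS-first list: whatever accounts remain there become the effective credentials whenever the server stops responding.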
Defining AAA Server Groups
You can configure the wireless device to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Server groups can also include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same RADIUS server for the same service (such as accounting), the second configured host entry acts as a failover backup to the first one.
You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.
To define the AAA server group and associate a particular RADIUS server with it, follow these steps, beginning in privileged EXEC mode:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | aaa new-model | Enables AAA. |
| Step 3 | radius-server host {hostname \| ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] | Specifies the IP address or hostname of the remote RADIUS server host. • (Optional) For auth-port port-number, specify the user datagram protocol (UDP) destination port for authentication requests. • (Optional) For acct-port port-number, specify the UDP destination port for accounting requests. • (Optional) For timeout seconds, specify the time interval that the wireless device waits for the RADIUS server to reply before retransmitting. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used. • (Optional) For retransmit retries, specify the number of times that a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used. • (Optional) For key string, specify the authentication and encryption key used between the wireless device and the RADIUS daemon running on the RADIUS server. Note: The key is a text string that must match the encryption key that is used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key. To configure the wireless device to recognize more than one host entry that is associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The wireless device software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host. |
| Step 4 | aaa group server radius group-name | Defines the AAA server-group with a group name. This command puts the wireless device in a server group configuration mode. |
| Step 5 | server ip-address | Associates a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. |
| Step 6 | end | Returns to privileged EXEC mode. |
| Step 7 | show running-config | Verifies your entries. |
| Step 8 | copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
| Step 9 | | Enables RADIUS login authentication. See the "Configuring RADIUS Login Authentication" section of the "Configuring Radius and TACACS+ Servers" chapter in the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points. |
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address command in global configuration mode. To remove a server group from the configuration list, use the no aaa group server radius group-name command in global configuration mode. To remove the IP address of a RADIUS server, use the no server ip-address command in sg-radius configuration mode.
In the following example, the wireless device is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server which are configured for the same services. The second host entry acts as a failover backup to the first entry.
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
AP(config)# aaa group server radius group1
AP(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
AP(config-sg-radius)# exit
AP(config)# aaa group server radius group2
AP(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
AP(config-sg-radius)# exit
Configuring RADIUS Authorization for User Privileged Access and Network Services
AAA authorization limits the services that are available to a user. When AAA authorization is enabled, the wireless device uses information retrieved from the user's profile, which is in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the user profile allows it.
You can use the aaa authorization command in global configuration mode with the radius keyword to set parameters that restrict a user's network access to privileged EXEC mode.
The aaa authorization exec radius command sets these authorization parameters:
• Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS.
• Use the local database if authentication was not performed by using RADIUS.
Note
Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
To specify RADIUS authorization for privileged EXEC access and network services, follow these steps, beginning in privileged EXEC mode:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | aaa authorization network radius | Configures the wireless device for user RADIUS authorization for all network-related service requests. |
| Step 3 | aaa authorization exec radius | Configures the wireless device for user RADIUS authorization to determine whether the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information). |
| Step 4 | end | Returns to privileged EXEC mode. |
| Step 5 | show running-config | Verifies your entries. |
| Step 6 | copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
To disable authorization, use the no aaa authorization {network | exec} method1 command in global configuration mode.
Displaying the RADIUS Configuration
To display the RADIUS configuration, use the show running-config command in privileged EXEC mode.
Controlling Access Point Access with TACACS+
This section describes how to control administrator access to the wireless device using Terminal Access Controller Access Control System Plus (TACACS+). For complete instructions on configuring the wireless device to support TACACS+, see the "Configuring Radius and TACACS+ Servers" chapter in the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points.
TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.
Note
For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference.
These sections describe TACACS+ configuration:
• Default TACACS+ Configuration
• Configuring TACACS+ Login Authentication
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
• Displaying the TACACS+ Configuration
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate administrators who are accessing the wireless device through the CLI.
Configuring TACACS+ Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply the list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any defined authentication methods are performed. The only exception is the default method list (which is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be used to authenticate a user. You can designate one or more security protocols for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users. If that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—that is, the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
To configure login authentication, follow these steps, beginning in privileged EXEC mode. This procedure is required.
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | aaa new-model | Enables AAA. |
| Step 3 | aaa authentication login {default \| list-name} method1 [method2...] | Creates a login authentication method list. • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces. • For list-name, specify a character string to name the list you are creating. • For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Select one of these methods: • local—Use the local username database for authentication. You must enter username information into the database. Use the username password command in global configuration mode. • tacacs+—Use TACACS+ authentication. You must configure the TACACS+ server before you can use this authentication method. |
| Step 4 | line [console \| tty \| vty] line-number [ending-line-number] | Enters line configuration mode, and configures the lines to which you want to apply the authentication list. |
| Step 5 | login authentication {default \| list-name} | Applies the authentication list to a line or set of lines. • If you specify default, use the default list created with the aaa authentication login command. • For list-name, specify the list created with the aaa authentication login command. |
| Step 6 | end | Returns to privileged EXEC mode. |
| Step 7 | show running-config | Verifies your entries. |
| Step 8 | copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
To disable AAA, use the no aaa new-model command in global configuration mode. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] command in global configuration mode. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} command in line configuration mode.
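The method-list rules above (default list applied unless a named list is set on the line; the next method is tried only when the previous one returns an error, not when it denies the user) can be checked offline against a saved configuration. The following Python script is an added example, not part of the original guide: the sample configuration is constructed, and the list name CONSOLE, the outcome labels, and the function names are assumptions of this example.

```python
import re

# Outcome labels are this example's own names, not IOS keywords.
PASS, FAIL, ERROR = "pass", "fail", "error"

# Constructed configuration using the command forms shown in the steps above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE
line vty 0 4
"""

def parse_aaa(config):
    """Return (method lists by name, list name bound to each line)."""
    lists, bindings, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        match = re.match(r"aaa authentication login (\S+) (.+)", text)
        if match:
            lists[match.group(1)] = match.group(2).split()
            current = None
        elif text.startswith("line "):
            current = text[len("line "):]
            bindings[current] = "default"  # applies unless a named list is set
        elif current and text.startswith("login authentication "):
            bindings[current] = text.split()[2]
    return lists, bindings

def effective_methods(config):
    """Map each line to the ordered methods that will authenticate it."""
    lists, bindings = parse_aaa(config)
    return {line: lists.get(name, []) for line, name in bindings.items()}

def authenticate(methods, outcomes):
    """Try methods in order: PASS or FAIL is final, only ERROR moves on."""
    for method in methods:
        result = outcomes.get(method, ERROR)  # no answer counts as ERROR
        if result != ERROR:
            return method, result
    return None, ERROR  # every listed method was exhausted without an answer
```

With tacacs+ listed before local, a local account is consulted only when the TACACS+ server does not answer; a denial from TACACS+ ends the attempt even if the same credentials exist locally.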
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the wireless device uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it.
You can use the aaa authorization command in global configuration mode with the tacacs+ keyword to set parameters that restrict a user's network access to privileged EXEC mode.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.
• Use the local database if authentication was not performed by using TACACS+.
Note
Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
To specify TACACS+ authorization for privileged EXEC access and network services, follow these steps, beginning in privileged EXEC mode:
| | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | aaa authorization network tacacs+ | Configures the wireless device for user TACACS+ authorization for all network-related service requests. |
| Step 3 | aaa authorization exec tacacs+ | Configures the wireless device for user TACACS+ authorization to determine whether the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information). |
| Step 4 | end | Returns to privileged EXEC mode. |
| Step 5 | show running-config | Verifies your entries. |
| Step 6 | copy running-config startup-config | (Optional) Saves your entries in the configuration file. |
To disable authorization, use the no aaa authorization {network | exec} method1 command in global configuration mode.
Displaying the TACACS+ Configuration
To display TACACS+ server statistics, use the show tacacs command in privileged EXEC mode.
Administering the Wireless Hardware and Software
This section provides instructions for performing the following tasks:
• Resetting the Wireless Device to the Factory Default Configuration
• Rebooting the Wireless Device
• Upgrading Software on the Access Point
• Downgrading Software on the Access Point
• Recovering Software on the Access Point
• Monitoring the Wireless Device
Resetting the Wireless Device to the Factory Default Configuration
To reset the wireless device hardware and software to its factory default configuration, use the service-module wlan-ap0 reset default-config command in the router's Cisco IOS privileged EXEC mode.
Caution 
Because you may lose data, use only the service-module wlan-ap0 reset command to recover from a shutdown or failed state.
Rebooting the Wireless Device
To perform a graceful shutdown and reboot the wireless device, use the service-module wlan-ap0 reload command in the router's Cisco IOS privileged EXEC mode. At the confirmation prompt, press Enter to confirm the action, or enter n to cancel.
When running in autonomous mode, the reload command saves the configuration before rebooting. If the attempt is unsuccessful, the following message displays:
Failed to save service module configuration.
When running in Lightweight Access Point Protocol (LWAPP) mode, the reload function is typically handled by the wireless LAN controller (WLC). If you enter the service-module wlan-ap0 reload command, you will be prompted with the following message:
The AP is in LWAPP mode. Reload is normally handled by WLC controller.
Still want to proceed? [yes]
Upgrading Software on the Access Point
Software Prerequisites
Cisco 880 Series routers with embedded access points are eligible to upgrade from the autonomous image to the Unified image if the router is running the advanced IP services feature set and Cisco IOS software 12.4(20)T or 12.4(15) XZ1. Update the WLC software version to 5.1 or later.
Preparing for the Upgrade
Secure an IP Address on the Access Point
Secure an IP address on the access point so that it can communicate with the WLC and download the Unified image upon bootup. The host router provides DHCP server functionality to the access point through the DHCP pool. The access point then communicates with the WLC. Set up option 43 for the controller IP address in the DHCP pool configuration.
The following is a sample configuration:
ip dhcp pool embedded-ap-pool
network 60.0.0.0 255.255.255.0
dns-server 171.70.168.183
option 43 hex f104.0a0a.0a0f (single WLC IP address(10.10.10.15) in hex format)
ip address 60.0.0.1 255.255.255.0
For more information about the WLC discovery process, refer to the Cisco Wireless LAN Configuration Guide on Cisco.com. http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/ccfig40.html
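The option 43 value in the sample configuration, f104.0a0a.0a0f, is a type byte (f1), a length byte (04), and the controller address 10.10.10.15 in hex. The following Python script is an added example, not part of the original guide, that builds and validates such values before they go into a DHCP pool. It goes beyond the single-address case shown above by accepting several controller addresses in one value, and the function names and the second address in the test data are assumptions of this example.

```python
import ipaddress

WLC_SUBOPTION = 0xF1  # type byte seen in the sample value f104.0a0a.0a0f

def encode_option43(controllers):
    """Build the dotted-hex string for `option 43 hex` from WLC IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    raw = bytes([WLC_SUBOPTION, len(value)]) + value
    digits = raw.hex()
    # IOS-style grouping: four hex digits per dot-separated group.
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))

def decode_option43(text):
    """Parse a dotted-hex option 43 value and return the controller addresses."""
    raw = bytes.fromhex(text.replace(".", ""))
    if len(raw) < 2 or raw[0] != WLC_SUBOPTION:
        raise ValueError("not a type 0xf1 sub-option")
    length, value = raw[1], raw[2:]
    # The length byte must cover exactly the address data, four bytes each.
    if length != len(value) or length == 0 or length % 4:
        raise ValueError("length byte does not match the address data")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]
```

Decoding the value already present in a pool is a quick way to confirm which controller the access point will be directed to.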
Prior to the Upgrade
Perform the following steps.
1. Ping the WLC from the router to confirm IP connectivity.
2. Enter the service-module wlan-ap 0 session command to establish a session into the access point.
3. Confirm that the access point is running an autonomous boot image.
4. Enter the show boot command on the access point to confirm the mode setting is enabled. The following is sample output for the command:
BOOT path-list: flash:ap801-k9w7-mx.124-10b.JA3/ ap801-k9w7-mx.124-10b.JA3
Config file: flash:/config.txt
Private Config file: flash:/private-config