Cisco 860 and Cisco 880 Series Integrated Services Routers Software Configuration Guide
Basic Wireless Device Configuration

Basic Wireless Device Configuration


This chapter describes how to configure the wireless device for the first time. The wireless device is embedded on the Cisco 800 series router and runs a separate Cisco IOS from the router.

The wireless device does not have an external console port for connections. To configure the wireless device, use a console cable to connect a PC to the host router's console port, and then follow these procedures to establish connectivity and configure the wireless settings:

Establishing a Wireless Configuration Session

Configuring Basic Settings

Configuring Wireless Security Settings

Configuring Wireless Quality of Service

Establishing a Wireless Configuration Session


Important: Before you configure the wireless settings in the router's setup, you must open a session to initiate an internal communication link between the wireless device and the router.


Enter the following commands in global configuration mode on the router's Cisco IOS CLI.

 
Each step below lists the command, an example, and the command's purpose.

Step 1

Command:
interface wlan-ap0

Example:
router(config)#interface wlan-ap0
router(config-if)#

Purpose:
Defines the router's console interface to the wireless device. It is used for reverse Telnet communication between the router's console and the wireless device.

Always use port 0.

The following message appears:

The wlan-ap 0 interface is used for managing the embedded AP. Please use the service-module wlan-ap 0 session command to console into the embedded AP.

Step 2

Command:
ip address subnet mask

Example:
router(config-if)#ip address 10.21.0.20 255.255.255.0

or
router(config-if)#ip unnumbered vlan1

Purpose:
Specifies the interface IP address and subnet mask.

Note: The IP address can be shared with the IP address assigned to the Cisco Integrated Services Router by using the ip unnumbered vlan1 command.

Step 3

Command:
no shut

Example:
router(config-if)#no shut

Purpose:
Specifies that the internal interface connection remains open.

Step 4

Command:
interface vlan1

Example:
router(config-if)#interface vlan1

Purpose:
Specifies the virtual LAN interface for data communication on the internal Gigabit Ethernet 0 (GE0) port to other interfaces.

Note: All the switch ports inherit the default vlan1 interface.

Step 5

Command:
ip address subnet mask

Example:
router(config-if)#ip address 10.21.0.30 255.255.255.0

Purpose:
Specifies the interface IP address and subnet mask.

Step 6

Command:
exit

Example:
router(config-if)#exit
router(config)#

Purpose:
Exits the mode.

Step 7

Command:
exit

Example:
router(config)#exit
router#

Purpose:
Exits the mode.

Step 8

Command:
service-module wlan-ap 0 session

Example:
router#service-module wlan-ap0 session
Trying 10.21.0.20, 2002 ... Open

ap>

Purpose:
Opens the reverse Telnet connection between the wireless device and the router's console.


Tip: To create an IOS software alias for the console session to the wireless device, enter the alias exec dot11radio service-module wlan-ap 0 session command at the router prompt. After that, when you want to open a session, just enter the command dot11radio.


Closing the Session

To close a session between the wireless device and the router's console, perform both of the following procedures.

Wireless Device

1. Control-Shift-6 x

Router

2. disconnect
or
service-module wlan-ap 0 session clear

3. Press Enter twice.


Note: If you do not use the disconnect command to close the session to the wireless device, you can resume the session by pressing Enter on the keyboard.


Configuring Basic Settings


Note: You must establish an internal link between the wireless device and the router before you configure settings on the wireless device. See the "Establishing a Wireless Configuration Session" section.


After the internal link is established, use one of the following methods to configure basic settings:

Express Setup (GUI)—See the "Cisco Express Setup" section

Cisco IOS Setup (CLI)—See the "Cisco IOS Setup" section

Cisco Express Setup

To use the web browser:


Step 1 Establish a console connection to the wireless device and get the BVI IP address by entering the show interface bvi1 IOS command.

Step 2 Open a browser window and enter the BVI IP address in the address line. Press Enter; an Enter Network Password window appears.

Step 3 Enter your username. Cisco is the default username.

Step 4 Enter the wireless device password. Cisco is the default password. The Summary Status page appears.

See the following URL for details about using the web-browser configuration page:
http://cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap4-first.html#wp1103336

Cisco IOS Setup

Cisco IOS Setup starts automatically when you boot the embedded wireless device with no saved configuration in NVRAM, which is the case when the device was not preconfigured at the factory. You can also invoke the setup dialog by issuing the setup command in enable mode.


When setup is initiated, it presents the System Configuration Dialog. When you complete all the steps in the dialog, the device displays the modified configuration file and asks if you want to use that file.

You must answer yes or no; there is no default for this prompt.

Yes—saves the file to NVRAM as the starting configuration.

No—the file is not saved, and you must start at the beginning of the dialog to build another initial configuration.

Configuring SSIDs, Authentication, and Encryption

The System Configuration Dialog guides you through an initial configuration for the interface, SSIDs, authentication mode, and encryption type. The dialog then creates an initial configuration file.


Step 1 Type setup in privileged EXEC mode on the router to initiate the configuration dialog.

Step 2 Choose Yes to continue with the configuration dialog.

Step 3 Select the type of setup by answering the following question:

Would you like to enter basic management setup? [yes/no]
Yes—Basic setup
No—Secure setup

Settings                                          Basic Setup   Secure Setup
Hostname                                          X             X
Passwords                                         X             X
IP address for Bridged Virtual Interface (BVI)    X             X
SSIDs for radio(s)                                -             X
Authentication mode for SSIDs                     -             X
Encryption ([WEP] and [WPA2])                     -             X


Step 4 Configure and save the settings to NVRAM.



Note: Ensure that your previous setup selections for the dot11radio interface(s) do not have SSIDs associated with them and do not have encryption commands configured. The configuration selections you make in the setup should not conflict with a previous configuration on the embedded wireless device.

You may also configure these settings using the web interface. See the following link for configuration details using the web interface:
http://cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap4-first.html#wp1103336


Example of: Basic Setup

Enter host name [ap]:

The enable secret is a password used to protect access to privileged EXEC and 
configuration modes. This password, after entered, becomes encrypted in the configuration. 
Enter enable secret: ******

The enable password is used when you do not specify an enable secret password, with some 
older software version, and some boot images.
Enter enable password: ***********

The virtual terminal password is used to protect access to the router over a network 
interface.
Enter virtual terminal password: *******

Configure SNMP Network Management? [yes]:
Community string [public]:

Current interface summary
Any interface listed with OK? value "NO" does not have a valid configuration
Interface    IP-Address    OK?  Method  Status  Protocol
BVI1         unassigned    YES  unset   up      up

Enter interface name used to connect to the management network from the above interface 
summary [BVI1]:

Configuring interface BVI1:
Configure IP on this interface?[no]: yes
IP address for this interface: x.xx.xx.xx
Subnet mask for this interface [255.0.0.0]: 255.255.0.0
Class A network is 2.0.0.0, 16 subnet bits; mask is /16

Note: After the wireless device BVI interface is configured with an IP address, you can use the web interface to perform additional configuration tasks. Connect to the web interface with a browser directed to the wireless device BVI IP address from a personal computer or laptop connected to the host router's switch port. See the following link for details on how to establish connection to the web interface:
http://cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap2-gui.html#wp1034703


Example of: Secure Setup

These parameters are used in the following example:

SSID: abcd

Encryption mode: WEP

Encryption key: 4085264000

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: yes

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: no

First, would you like to see the current interface summary? [yes]: n

Configuring global parameters:

  Enter host name [ap]: 

  The enable secret is a password used to protect access to
  privileged EXEC and configuration modes. This password, after
  entered, becomes encrypted in the configuration.
  Enter enable secret: abc

  The enable password is used when you do not specify an
  enable secret password, with some older software versions, and
  some boot images.
  Enter enable password: Cisco

  The virtual terminal password is used to protect
  access to the router over a network interface.
  Enter virtual terminal password: lab
  Configure SNMP Network Management? [yes]: 
    Community string [public]: 
Configuring interface parameters:

Do you want to configure BVI1  interface? [yes]: 
  Configure IP on this interface? [no]: yes
    IP address for this interface: 
    IP address for this interface: 
    IP address for this interface: 2.12.56.121
    Subnet mask for this interface [255.0.0.0] : 255.255.0.0
    Class A network is 2.0.0.0, 16 subnet bits; mask is /16
  Configure SSID on Dot11Radio0(2.4GHz) interface? [yes]: 
  Enter SSID (Up to 32 characters): abcd  
  Configure security for this SSID? [yes]: 
  Enter security type [wpa2|wep]: wep
  Enter WEP encryption key length [40|128]: 40
  Enter the 'unencrypted' WEP key (HEX): 4085264000

The following configuration command script was created:

hostname ap
enable secret 5 $1$eTFk$akYCxufCW4tzIqDWCIStm0
enable password Cisco
line vty 0 4
password abc
snmp-server community public
!
!
interface BVI1
ip address 2.12.56.121 255.255.0.0
!
interface BVI1
no shut
!
dot11 ssid abcd
authentication open
!
interface Dot11Radio0
encryption mode wep mandatory
encryption key 1 size 40bit 0 4085264000
ssid abcd
!
End
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 
Building configuration...
Use the enabled mode 'configure' command to modify this configuration.

Press RETURN to get started!

Example of: WEP with Key Length 40 - Running Configuration

ap#show running
Building configuration...

Current configuration : 1344 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
enable secret 5 $1$eTFk$akYCxufCW4tzIqDWCIStm0
enable password Cisco
!
no aaa new-model
!
!
dot11 ssid abcd
   authentication open 
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 0 4085264000 transmit-key
 encryption mode wep mandatory 
 !
 ssid abcd
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 description  the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 2.12.56.121 255.255.0.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community public RO
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
 no activation-character
line vty 0 4
 password abc
 login
!
end

ap#

Configuring Wireless Security Settings

After you assign initial settings to the wireless device, you must configure security settings to prevent unauthorized access to your network through your wireless device. Because it has a radio device, the wireless device can communicate beyond the physical boundaries of a building.

Using VLANs

If you use VLANs on your wireless LAN and assign SSIDs to VLANs, you can create multiple SSIDs by using any of the four security settings defined in the Security Types section. However, if you do not use VLANs on your wireless LAN, the security options that you can assign to SSIDs are limited because the encryption settings and authentication types are linked on the Express Security page.

Without VLANs, encryption settings (WEP and ciphers) apply to an interface, such as the 2.4-GHz radio, and you cannot use more than one encryption setting on an interface. For example, when you create an SSID with static WEP with VLANs disabled, you cannot create additional SSIDs with WPA authentication because the SSIDs use different encryption settings. If you find that the security setting for an SSID conflicts with the settings for another SSID, you can delete one or more SSIDs to eliminate the conflict.

Security Types

Table 4-1 describes the four security types that you can assign to an SSID.

Table 4-1 Types of SSID Security

Security Type: No Security

Description: This is the least secure option. You should use this option only for SSIDs used in a public space and assign it to a VLAN that restricts access to your network.

Security Features Enabled: None.


Security Type: Static WEP Key

Description: This option is more secure than no security. However, static WEP keys are vulnerable to attack. If you configure this setting, you should consider limiting association to the wireless device based on MAC address.

See the Cisco 800 Series ISR Wireless Software Configuration Guide "Using MAC Address ACLs to Block or Allow Client Association to the Access Point" section on page 14-6.

Or, if your network does not have a RADIUS server, consider using an access point as a local authentication server (see Chapter 7, "Configuring the Device as the Local Authenticator").

Security Features Enabled: Mandatory WEP. Client devices cannot associate using this SSID without a WEP key that matches the wireless device key.


Security Type: EAP[1] Authentication

Description: This option enables 802.1X authentication (such as LEAP[2], PEAP[3], EAP-TLS[4], EAP-FAST[5], EAP-TTLS[6], EAP-GTC[7], EAP-SIM[8], and other 802.1X/EAP based products).

This setting uses mandatory encryption, WEP, open authentication + EAP, network EAP authentication, no key management, RADIUS server authentication port 1645.

You are required to enter the IP address and shared secret for an authentication server on your network (server authentication port 1645). Because 802.1X authentication provides dynamic encryption keys, you do not need to enter a WEP key.

Security Features Enabled: Mandatory 802.1X authentication. Client devices that associate using this SSID must perform 802.1X authentication.

If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you do not configure open authentication with EAP, the following warning message appears:

SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.


Security Type: WPA[9]

Description: This option permits wireless access to users authenticated against a database through the services of an authentication server, then encrypts their IP traffic with stronger algorithms than those used in WEP.

This setting uses encryption ciphers, TKIP[10], open authentication + EAP, network EAP authentication, key management WPA mandatory, and RADIUS server authentication port 1645.

As with EAP authentication, you must enter the IP address and shared secret for an authentication server on your network (server authentication port 1645).

Security Features Enabled: Mandatory WPA authentication. Client devices that associate using this SSID must be WPA-capable.

If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you don't configure open authentication with EAP, the following message appears:

SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH OPEN with EAP should also be configured.


[1] Extensible Authentication Protocol (EAP)

[2] Lightweight Extensible Authentication Protocol (LEAP)

[3] Protected Extensible Authentication Protocol (PEAP)

[4] Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

[5] Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)

[6] Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS)

[7] Extensible Authentication Protocol-Generic Token Card (EAP-GTC)

[8] Extensible Authentication Protocol-Subscriber Identity Module (EAP-SIM)

[9] Wi-Fi Protected Access (WPA)

[10] Temporal Key Integrity Protocol (TKIP)
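
The following is an added example, not part of the Cisco guide: a Python script that reads a wireless device running configuration and maps each SSID to one of the four Table 4-1 security types, so SSIDs left at No Security or Static WEP Key can be picked out for review. The function names and the matching rules are assumptions made for this illustration; WEP_CONFIG is trimmed from the running configuration shown earlier on this page.

```python
import re
# Trimmed from the page's "WEP with Key Length 40" running configuration.
WEP_CONFIG = """\
dot11 ssid abcd
   authentication open
!
interface Dot11Radio0
 encryption key 1 size 40bit 0 4085264000 transmit-key
 encryption mode wep mandatory
 ssid abcd
"""

def blocks(config):
    """Map each unindented header line to its indented child lines."""
    out, current = {}, None
    for line in config.splitlines():
        text = line.strip()
        if not text or text == "!":
            continue
        if line[0].isspace() and current is not None:
            out[current].append(text)
        else:
            current, out[text] = text, []
    return out

def classify_ssids(config):
    """Return {ssid: Table 4-1 security type} (assumed matching rules)."""
    parsed, radio_enc = blocks(config), {}
    for header, body in parsed.items():
        # Encryption is set per radio, so attach it to every SSID it serves.
        if header.lower().startswith("interface dot11radio"):
            enc = [l for l in body if l.startswith("encryption ")]
            for name in (l.split()[1] for l in body if l.startswith("ssid ")):
                radio_enc.setdefault(name, []).extend(enc)
    result = {}
    for header, body in parsed.items():
        m = re.fullmatch(r"dot11 ssid (\S+)", header)
        if not m:
            continue
        auth, enc = " ".join(body), " ".join(radio_enc.get(m.group(1), []))
        if "key-management wpa" in auth:
            kind = "WPA"
        elif " eap " in f" {auth} " or "network-eap" in auth:
            kind = "EAP Authentication"
        elif "encryption mode wep" in enc and "encryption key" in enc:
            kind = "Static WEP Key"
        else:
            kind = "No Security"
        result[m.group(1)] = kind
    return result

if __name__ == "__main__":
    print(classify_ssids(WEP_CONFIG))
```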

Configuring Wireless Quality of Service

To configure quality of service (QoS) for your wireless device, see the document Quality of Service in a Wireless Environment at the following URL: http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/QualityOfService.html.