User Guide for the CiscoWorks Wireless LAN Solution Engine, 2.0
Configuring Devices

Table Of Contents

Configuring Devices

Using the Templates

Template Choices

IOS Templates

Naming the Template

Using Basic Settings

Setting Up Network Interfaces

Defining Security Settings

Defining Services

Configuring the Event Log

Configuring Wireless Services

Configuring Custom Values

Non-IOS Templates

Naming the Template

Using Basic Settings

Setting Up Association

Configuring the Ethernet Port

Configuring the 11b Radio

Configuring the 11a Radio

Defining the Security Settings

Configuring Services

Configuring Events

Configuring Custom Values

Previewing the Template

Finishing the Template

Creating a Template

Copying a Template

Editing a Template

Converting a Template

Deleting a Template

Importing a Template

Exporting a Template

Managing Configuration Archives

Viewing Archived Configurations

Scheduling an Archive Collection

Viewing Archive Status

Editing the Archive

Selecting Overwrite Settings

Deleting Archived Configurations

Comparing Configurations

Exporting a Configuration to a File

Exporting a Configuration to a Template

Managing Jobs

Managing Configuration Jobs

Configuration Job Choices

Creating a Configuration Job

Viewing Configuration Job Status

Managing Archive Jobs

Archive Job Choices

Creating an Archive Job

Viewing Archive Job Status

Automating Configurations

Assigning a Startup Configuration

Creating a Startup Configuration Template

Creating an IOS Startup Template

Creating a Non-IOS Startup Template

Assigning an Auto-Managed Configuration

Assigning Auto-Managed Configurations

Using Auto-Managed Options


Configuring Devices


The Configure tab allows you to view, create, copy, edit, and delete configuration templates and apply them to large numbers of devices at a time. It also allows you to schedule a configuration job and to check on the job's status.

Following are the subtabs under Configure:


Note Some of the subtabs may not be visible to some users.


Templates—See Using the Templates.

Archives—See Managing Configuration Archives.

Jobs—See Managing Jobs.

Auto Update—See Automating Configurations.

Using the Templates

This window allows you to create, modify, and delete configuration templates.

The topics covered in this section are:

Creating a Template

Copying a Template

Editing a Template

Converting a Template

Deleting a Template

Importing a Template

Exporting a Template

Related Topics

Managing Jobs

Template Choices

The template choices vary depending upon the type of template you are creating:

IOS Templates

Non-IOS Templates

IOS Templates

When you create or edit an IOS configuration template, the following choices appear in the left pane of the Templates window:

1. Template Name—See Naming the Template.

2. Template Categories


Note Any or all of the template categories can be completed in any order.


Basic Settings—See Using Basic Settings.

Network Interfaces—See Setting Up Network Interfaces.

Security—See Defining Security Settings.

Services—See Defining Services.

Event Log—See Configuring the Event Log.

Wireless Services—See Configuring Wireless Services.

Custom Values—See Configuring Custom Values.

3. Preview—See Previewing the Template.

4. Finish—See Finishing the Template.

Naming the Template

This option enables you to name the template.

Procedure


Note Clicking Clear removes all the entries you have made.



Step 1 Select Template Name. The Template Name dialog box appears:

Field
Description

Name

Enter a name for the template.

See Naming Guidelines.

Description

Enter a description of the purpose of the template.

See Naming Guidelines.


Step 2 Select a template category. For additional information, see Template Categories.


Using Basic Settings

Use this option if you need to set up an access point quickly with a simple configuration. This will allow you to enter all the access point's essential settings for basic operation.

Procedure


Step 1 Select Basic Settings. The Basic Settings dialog box displays in the right pane:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 3-1 Basic Settings 

Field
Description

Configuration Server Protocol

Set this entry to match the network's method of IP address assignment.

Select one of the following options:

DHCP—Use this setting if your network uses Dynamic Host Configuration Protocol, in which IP addresses are "leased" for predetermined periods of time.

Static IP—Use this setting if your network does not have an automatic system for IP address assignment.

Default Gateway

Enter the IP address of your default Internet gateway.

The entry 255.255.255.255 indicates no gateway.

SNMP Community

Enter the SNMP community name.

Select one of the following: Read-Only, Read-Write

Radio0-802.11b

SSID

Enter any alphanumeric, case-sensitive string, from 1 to 32 characters long.

The SSID is a unique identifier that clients use to associate with the radio.

Role in Radio Network

Select one of the following:

Access Point Root—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.

Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.

Broadcast SSID in Beacon:

Select one of the following:

Yes—Use this setting to allow devices that do not specify an SSID to associate with the access point.

No—Use this setting to require that the SSID used by the client devices match the access point's SSID exactly.

Optimize Radio Network for

Select one of the following:

Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.

Range—Use this setting to maximize the access point's range; however, it might reduce throughput.

Aironet Extensions

Select one of the following:

Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Disable—Use this setting to disable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Radio0-802.11a

SSID

Enter any alphanumeric, case-sensitive string, from 1 to 32 characters long.

The SSID is a unique identifier that clients use to associate with the radio.

Role in Radio Network

Select one of the following:

Access Point Root—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.

Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.

Broadcast SSID in Beacon:

Select one of the following:

Yes—Use this setting to allow devices that do not specify an SSID to associate with the access point.

No—Use this setting to require that the SSID used by the client devices match the access point's SSID exactly.

Optimize Radio Network for

Select one of the following:

Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.

Range—Use this setting to maximize the access point's range; however, it might reduce throughput.

Default—Use this setting to specify that the access point use the settings entered for the Network Interfaces Settings.

Aironet Extensions

Select one of the following:

Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Disable—Use this setting to disable load balancing, Message Integrity Check (MIC), and WEP key hashing.


Step 2 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Finish to save the template. See Finishing the Template.

Another template category to configure more options. See Template Categories.


Setting Up Network Interfaces

Use this option to configure the device's network interface settings.

Procedure


Step 1 Select Network Interfaces. The menu expands and the Network Interfaces: FastEthernet Settings dialog box displays in the right pane.

Step 2 Select one of the following from the menu:

FastEthernet—See Configuring Fast Ethernet Settings.

Radio-802.11b—See Configuring Radio-802.11b Settings.

Radio-802.11a—See Configuring Radio-802.11a Settings.


Configuring Fast Ethernet Settings

Use this option to define the Fast Ethernet port settings.

Procedure


Step 1 Select Network Interfaces > FastEthernet. The Network Interfaces: FastEthernet Settings dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 3-2 Fast Ethernet Settings 

Field
Description

Enable Ethernet

Select one of the following:

Enable—Use this setting to enable Ethernet.

Disable—Use this setting to disable Ethernet.

Requested Duplex

Select one of the following:

Auto—Use this setting to allow the duplex setting to be automatically negotiated between the access point and the hub, switch, or router to which the access point is connected.

Half—Use this setting to allow operation in half-duplex mode.

Full—Use this setting to allow operation in full-duplex mode.

Requested Speed

Select one of the following:

Auto—Use this setting to allow the transmission speed to be automatically negotiated between the access point and the hub, switch, or router to which the access point is connected.

100Mbps—Use this setting to allow a transmission speed of 100 Mbps.

10Mbps—Use this setting to allow a transmission speed of 10 Mbps.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Finish to save the template. See Finishing the Template.

Another template category to configure more options. See Template Categories.


Configuring Radio-802.11b Settings

Use this option to configure the device's 802.11b radio.

Procedure


Step 1 Select Network Interfaces > Radio-802.11b. The Network Interfaces: Radio-802.11b dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 3-3 Radio-802.11b Settings 

Field
Description

Enable Radio

Select one of the following:

Enable—Use this setting to allow the access point to send packets through its 802.11b radio interface and monitor when other devices use the 802.11b radio interface to send packets.

Disable—Use this setting to change the administrative state of the radio from up to down.

Role in Radio Network

(Fallback mode upon loss of Ethernet connection)

This setting is used to configure a fallback role for the access point. The access point automatically assumes the fallback role when its Ethernet port is disabled or disconnected from the wired LAN.

Select one of the following:

Access Point Root (Fallback to Radio Island)—Use this setting to enable wireless clients to continue to associate even when there is no connection to the wired LAN.

Access Point Root (Fallback to Radio Shutdown)—Use this setting to force the clients to associate to another access point, if one is available, when the radio shuts down because the wired connection is lost.

Access Point Root (Fallback to Repeater)—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.

Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.

Data Rates

Select one of the following to automatically set the data transmission rates:

Best Range—Use this setting to maximize the access point's range; however, it might reduce throughput.

Best Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.

Or

Select one of the following to manually set the data transmission rates:

Require—Use this setting to enable transmission at this rate for all packets, both unicast and multicast. At least one data rate must be set to Require. A client must support a required rate before it can associate.

Enable—Use this setting to enable transmission at this rate for unicast packets only.

Disable—Use this setting to not allow transmission at this rate.

Transmitter Power (mW)

Select the power level of the radio transmission.

Note Government regulations define the highest allowable power level for radio devices. This setting must conform to established standards for the country in which you use the device.

To reduce interference, limit the range of your access point, or conserve power, select a lower power setting.


Caution Do not use the 50mW or 10mW setting for Japanese channels.

Limit Client Power (mW)

Use this setting to limit the power level on client devices that associate to the access point. When a client device associates to the access point, the access point sends the maximum power level setting to the client.

Default Radio Channel

From the list, select the radio channel you want for a default.

World Mode Multi-Domain Operation

Select one of the following:

Enable—Use this setting to enable the access point to add channel carrier set information to its beacon.

Client devices with world-mode enabled receive the carrier set information and adjust their settings automatically.

Disable—Use this setting to not allow the access point to add channel carrier set information to its beacon.

Radio Preamble

Select one of the following:

Short—Use this setting to improve throughput performance; Cisco Aironet's Wireless LAN Adapter supports short preambles.

Long—Use this setting to ensure compatibility between the access point and all early models of Cisco Aironet Wireless LAN Adapters (PC4800 and PC4800A).

Receive Antenna

From the list, select one of the following:

Diversity—Use this setting if your access point has two fixed (non-removable) antennas; it tells the access point to use the antenna that receives the best signal.

Left—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's left connector. (When you look at the access point's back panel, the left antenna is on the left.)

Right—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's right connector. (When you look at the access point's back panel, the right antenna is on the right.)

Transmit Antenna

Aironet Extensions

Select one of the following:

Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Disable—Use this setting to disable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Ethernet Encapsulation Transform

Select one of the following:

RFC1042—Use this setting to ensure interoperability with non-Cisco Aironet wireless equipment.

802.1H—Use this setting to provide optimum performance for Cisco Aironet wireless products.

Reliable Multicast to WGB

Select one of the following:

Disable—Use this setting to not allow reliable multicast to workgroup bridges.

Enable—Use this setting to allow reliable multicast to workgroup bridges.

Public Secure Packet Forwarding

Select one of the following:

Enable—Use this setting to enable use of the protected port for secure mode configuration. (No exchange of unicast, broadcast, or multicast traffic occurs between protected ports.)

Disable—Use this setting to disable the use of the port for secure mode configuration.

Beacon Period

Enter the amount of time between beacons in kilomicroseconds. (One kilomicrosecond equals 1,024 microseconds.)

Data Beacon Rate (DTIM)

Enter the amount of time, always a multiple of the beacon period, to determine how often the beacon contains a delivery traffic indication message (DTIM).

The DTIM tells power-save client devices that a packet is waiting for them.

If the beacon period is set to 100, its default setting, and the data beacon rate is set to 2, its default setting, then the access point sends a beacon containing a DTIM every 200 kilomicroseconds.

Max. Data Retries

Enter the maximum number of attempts the access point makes to send a packet before giving up and dropping the packet.

RTS Max. Retries

Enter the maximum number of times the access point issues an RTS before stopping the attempt to send the packet through the radio.

Fragmentation Threshold

Enter a setting to determine the size at which packets are fragmented (sent as several pieces instead of as one block).

Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

RTS Threshold

Enter a setting to determine the packet size at which the access point issues a request to send (RTS) before sending the packet.

A low RTS Threshold setting can be useful in areas where many client devices are associating with the access point, or in areas where the clients are far apart and can detect only the access point and not each other.

Repeater Parent AP Timeout

Enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list.

Repeater Parent AP MAC1 through MAC 4

Enter the MAC address for the access point to which the repeater should associate.

You can enter MAC addresses for up to four parent access points. The repeater attempts to associate to MAC address 1 first; if that access point does not respond, the repeater tries the next access point in its parent list.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Finish to save the template. See Finishing the Template.

Another template category to configure more options. See Template Categories.


Configuring Radio-802.11a Settings

Use this option to configure the device's 802.11a radio.

Procedure


Step 1 Select Network Interfaces > Radio-802.11a. The Network Interfaces: Radio-802.11a dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 3-4 Radio-802.11a Settings 

Field
Description

Enable Radio

Select one of the following:

Enable—Use this setting to allow the access point to send packets through its 802.11a radio interface and monitor when other devices use the 802.11a radio interface to send packets.

Disable—Use this setting to change the administrative state of the radio from up to down.

Role in Radio Network

(Fallback mode upon loss of Ethernet connection)

This setting is used to configure a fallback role for the access point. The access point automatically assumes the fallback role when its Ethernet port is disabled or disconnected from the wired LAN.

Select one of the following:

Access Point Root (Fallback to Radio Island)—Use this setting to enable wireless clients to continue to associate even when there is no connection to the wired LAN.

Access Point Root (Fallback to Radio Shutdown)—Use this setting to force the clients to associate to another access point, if one is available, when the radio shuts down because the wired connection is lost.

Access Point Root (Fallback to Repeater)—Use this setting for a root access point to become a repeater and associate to a nearby root access point when the wired connection is lost.

Repeater Non-Root—Use this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent.

Data Rates

Select one of the following to automatically set the data transmission rates:

Best Range—Use this setting to maximize the access point's range; however, it might reduce throughput.

Best Throughput—Use this setting to maximize the data volume handled by the access point; however, it might reduce the access point's range.

Or

Select one of the following to manually set the data transmission rates:

Require—Use this setting to enable transmission at this rate for all packets, both unicast and multicast. At least one data rate must be set to Require. A client must support a required rate before it can associate.

Enable—Use this setting to enable transmission at this rate for unicast packets only.

Disable—Use this setting to not allow transmission at this rate.

Transmitter Power (mW)

Select the power level of the radio transmission.

Note Government regulations define the highest allowable power level for radio devices. This setting must conform to established standards for the country in which you use the device.

To reduce interference, limit the range of your access point, or conserve power, select a lower power setting.

Limit Client Power (mW)

Use this setting to limit the power level on client devices that associate to the access point. When a client device associates to the access point, the access point sends the maximum power level setting to the client.

Default Radio Channel

From the list, select the radio channel you want for a default.

Receive Antenna

From the list, select one of the following:

Diversity—Use this setting if your access point has two fixed (non-removable) antennas; it tells the access point to use the antenna that receives the best signal.

Left—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's left connector. (When you look at the access point's back panel, the left antenna is on the left.)

Right—Use this setting if your access point has removable antennas and you install a high-gain antenna on the access point's right connector. (When you look at the access point's back panel, the right antenna is on the right.)

Transmit Antenna

Aironet Extensions

Select one of the following:

Enable—Use this setting to enable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Disable—Use this setting to disable load balancing, Message Integrity Check (MIC), and WEP key hashing.

Ethernet Encapsulation Transform

Select one of the following:

RFC1042—Use this setting to ensure interoperability with non-Cisco Aironet wireless equipment.

802.1H—Use this setting to provide optimum performance for Cisco Aironet wireless products.

Reliable Multicast to WGB

Select one of the following:

Disable—Use this setting to not allow reliable multicast to workgroup bridges.

Enable—Use this setting to allow reliable multicast to workgroup bridges.

Public Secure Packet Forwarding

Select one of the following:

Enable—Use this setting to enable use of the protected port for secure mode configuration. (No exchange of unicast, broadcast, or multicast traffic occurs between protected ports.)

Disable—Use this setting to disable the use of the port for secure mode configuration.

Beacon Period

Enter the amount of time between beacons in kilomicroseconds. (One kilomicrosecond equals 1,024 microseconds.)

Data Beacon Rate (DTIM)

Enter the amount of time, always a multiple of the beacon period, to determine how often the beacon contains a delivery traffic indication message (DTIM).

The DTIM tells power-save client devices that a packet is waiting for them.

If the beacon period is set to 100, its default setting, and the data beacon rate is set to 2, its default setting, then the access point sends a beacon containing a DTIM every 200 kilomicroseconds.

Max. Data Retries

Enter the maximum number of attempts the access point makes to send a packet before giving up and dropping the packet.

RTS Max. Retries

Enter the maximum number of times the access point issues an RTS before stopping the attempt to send the packet through the radio.

Fragmentation Threshold

Enter a setting to determine the size at which packets are fragmented (sent as several pieces instead of as one block).

Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

RTS Threshold

Enter a setting to determine the packet size at which the access point issues a request to send (RTS) before sending the packet.

A low RTS Threshold setting can be useful in areas where many client devices are associating with the access point, or in areas where the clients are far apart and can detect only the access point and not each other.

Repeater Parent AP Timeout

Enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list.

Repeater Parent AP MAC1 through MAC 4

Enter the MAC address for the access point to which the repeater should associate.

You can enter MAC addresses for up to four parent access points. The repeater attempts to associate to MAC address 1 first; if that access point does not respond, the repeater tries the next access point in its parent list.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Finish to save the template. See Finishing the Template.

Another template category to configure more options. See Template Categories.


Defining Security Settings

Use this option to configure the device's security settings.

Procedure


Step 1 Select Security. The menu expands and the Security: Admin Access dialog box displays in the right pane.

Step 2 Select one of the following from the menu:

Admin Access—See Configuring Admin Access Settings.

SSID 802.11x—See Configuring SSID 802.11x Settings.

WEP 802.11x—See Configuring WEP 802.11x Settings.

Server Manager—See Configuring Server Manager Settings.

Advanced Security—See Configuring Advanced Security.

Local Radius Server—See Setting Up the Local RADIUS Server.


Configuring Admin Access Settings

Use this option to add users to the system, remove users from the system, and assign user capabilities.

Procedure


Step 1 Select Security > Admin Access. The Security: Admin Access dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 3-5 Admin Access Settings 

Field
Description

Administrator Authenticated by

Select one of the following:

Default Authentication (Global Password)—Use this setting to skip the username and enter only a password.

You will need to enter the password in the Default Authentication (Global Password) field below.

Local User List Only (Individual Password)—Use this setting to designate the local user list for authentication.

You will need to have at least one Read-Write user in the Local User List on the access point or in the Local User List field below.

Authentication Server Only—Use this setting to designate the server for authentication.

Authentication Server if not found in Local List—Use this setting to designate the server for authentication if not in the local list.

You will need to have at least one Read-Write user in the Local User List on the access point or in the Local User List field below.

Default Authentication (Global Password)

Default Authentication Password

Enter the password to be used as the default.

Confirm Authentication Password

Reenter the password.

Local User List (Individual Passwords)

User List

Lists the existing users.

To delete a username from the list, select it, then click Delete.

Username

Enter the username.

Password

Enter the password.

Confirm Password

Reenter the password.

Capability Settings

Select one of the settings, then click Add.

Delete Users

User ID

Enter the user identification, then click Add.

Users to Delete

Select the user from the list, then click Delete.


Step 3 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Finish to save the template. See Finishing the Template.

Another template category to configure more options. See Template Categories.


Configuring SSID 802.11x Settings

Use this option to configure SSID 802.11b and 802.11a settings.

Procedure


Step 1 Select Security > SSID Manager. The Security: SSID Manager dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 3-6 SSID 802.11x Settings 

Field
Description

SSID List

Lists the currently configured SSIDs.

SSID

Enter any alphanumeric, case-sensitive string, from 1 to 32 characters long.

The SSID is a unique identifier that clients use to associate with the radio.

VLAN

Enter the identification number of the VLAN.

Authentication Methods Accepted

Open Authentication

Select one of the following from the list:

MAC Authentication—Use this setting to specify that client devices that associate to the access point with open authentication use MAC authentication.

EAP—Use this setting to specify that client devices that associate to the access point with open authentication use EAP authentication.

MAC Authentication and EAP—Use this setting to allow client devices that associate to the access point using 802.11 open authentication to first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.

MAC Authentication or EAP—Use this setting to allow client devices that associate to the access point using open authentication to first attempt MAC authentication. If MAC authentication succeeds, the client device joins the network; if the client is also using EAP authentication, it attempts to authenticate using EAP. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.

Shared Authentication

Select one of the following from the list:

MAC Authentication—Use this setting to specify that client devices that associate to the access point with shared authentication use MAC authentication.

EAP—Use this setting to specify that client devices that associate to the access point with shared authentication use EAP authentication.

MAC Authentication and EAP—Use this setting to specify that client devices that associate to the access point with shared authentication use MAC and EAP authentication.

Network EAP

Select the following from the list:

MAC Authentication—Use this setting to specify that client devices that associate to the access point with network EAP authentication use MAC authentication.

Authenticated Key Management

None

Select to indicate you do not want to use authenticated key management.

CCKM

Select this option to use Cisco Centralized Key Management (CCKM).

Using CCKM, authenticated client devices can roam from one access point to another without any perceptible delay during reassociation. An access point on your network acts as a wireless domain services (WDM) and creates a cache of security credentials for CCKM-enabled client devices on the subnet. The WDM's cache of credentials reduces the time required for reassociation when a CCKM-enabled client device roams to a new access point.

Note To enable CCKM for an SSID, you must configure network-EAP authentication.

Select one of the following from the list:

Mandatory—Use this setting to require CCKM.

Optional—Use this setting to make CCKM optional.

WPA

Select this option to use Wi-Fi Protected Access (WPA).

The WPA key management uses a combination of encryption methods to protect communication between client devices and the access point.

If authenticated key management is WPA, the client and authentication server authenticate to each other using an EAP authentication method (e.g., EAP-TLS) and generate a Pairwise Master Key.

Note To enable WPA for an SSID, you must also enable Open authentication and/or Network EAP.

Select one of the following from the list:

Mandatory—Use this setting to require WPA.

Optional—Use this setting to make WPA optional.

WPA Pre-shared Key

Enter a key for the access point to support client devices using WPA key management.

For versions earlier than 12.2(11)JA, enter a WEP key. For 40-bit encryption, enter 10 hexadecimal digits; for 128-bit encryption, enter 26 hexadecimal digits.

Select either ASCII or Hexadecimal. If you use hexadecimal, you must enter 64 hexadecimal characters (unencrypted key) to complete the 256-bit key. If you use ASCII, you must enter a minimum of 8 letters, numbers, or symbols, and the access point expands the key for you. Up to 63 ASCII characters are allowed.

EAP Client Username

Enter the username used for EAP authentication when the repeater access point is associating with a parent access point.

Password

Enter the EAP client password.

Association Limit

Enter the maximum number of clients that may associate to a particular SSID. This limit prevents access points from getting overloaded and helps to provide an adequate level of service to associated clients.

Proxy Mobile IP

Select one of the following:

Enable—Use this setting to use this server for storing security association (SA) bindings for mobile agents. The access point uses this server to retrieve the SPI and key associated with the IP address of the client to which it is trying to roam. The SPI and key are then sent to the home agent to validate the client before allowing it to roam.

Disable—Use this setting if you do not want the server used for storing SA bindings for mobile agents.

Accounting

From the list, select one of the following:

Enable—Use this setting to have this server record usage data of clients associating with the access point.

Disable—Use this setting to turn off accounting for your wireless network.


Step 3 Click Save. The new entry appears in the listbox.

Step 4 To delete an entry from the listbox, select it, then click Delete.

Step 5 Complete the following to set global SSID properties:

Table 3-7 Setting SSID 802.11x Global Properties 

Field
Description

Set Guest Mode SSID

Enter your access point's guest-mode SSID. The access point includes the SSID in its beacon and allows associations from client devices that do not specify an SSID.

Set Infrastructure SSID

Enter the SSID that other access points and workgroup bridges use to associate to this access point. If you do not designate an SSID as the infrastructure SSID, infrastructure devices can associate to the access point using any SSID.

Force infrastructure device to associate only to this SSID

Select this option to force infrastructure devices to associate to the access point using the specified SSID.


Step 6 Complete the following to delete an SSID:

Table 3-8 Setting SSID 802.11x Global Properties 

Field
Description

SSID

Enter the SSID you want to delete, then click >>. The SSID is added to the SSID to Delete list.

SSID to Delete

Lists the SSIDs to delete. To remove an SSID from this list, click <<.


Step 7 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Finish to save the template. See Finishing the Template.

Another template category to configure more options. See Template Categories.
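
The two entry formats of the WPA Pre-shared Key field can be checked before a template is saved. The following is an added example, not part of the Cisco guide or of WLSE: it validates an entry against the rules given for that field and, for ASCII entries, applies the standard WPA passphrase mapping. That the access point's key expansion follows this standard mapping is an assumption, and the function names and sample values are hypothetical.

```python
import hashlib
import re

HEX_256_BIT = re.compile(r"[0-9A-Fa-f]{64}")

def wpa_psk_to_key(value, key_format, ssid):
    """Validate a WPA Pre-shared Key entry and return the 256-bit key as bytes.

    key_format is "hex" or "ascii", matching the two choices in the field.
    """
    if key_format == "hex":
        # Hexadecimal entry is the key itself: exactly 64 digits = 256 bits.
        if not HEX_256_BIT.fullmatch(value):
            raise ValueError("hexadecimal entry must be exactly 64 hex characters")
        return bytes.fromhex(value)
    if key_format == "ascii":
        if not 8 <= len(value) <= 63:
            raise ValueError("ASCII entry must be 8 to 63 characters")
        if any(not 32 <= ord(ch) <= 126 for ch in value):
            raise ValueError("ASCII entry must use printable ASCII only")
        ssid_bytes = ssid.encode("utf-8")
        if not 1 <= len(ssid_bytes) <= 32:
            raise ValueError("SSID must be 1 to 32 bytes")
        # Standard WPA passphrase mapping (assumed to be the expansion the
        # access point performs): PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.
        return hashlib.pbkdf2_hmac("sha1", value.encode("ascii"), ssid_bytes, 4096, 32)
    raise ValueError("key_format must be 'hex' or 'ascii'")

def review_psk_entry(value, key_format, ssid):
    """Return (key_hex, notes) for a template reviewer; never log key_hex."""
    key = wpa_psk_to_key(value, key_format, ssid)
    notes = []
    if key_format == "ascii":
        notes.append("key depends on the SSID: renaming the SSID changes the key")
        if len(value) < 20:
            notes.append("passphrase under 20 characters: weak against offline guessing")
    return key.hex(), notes

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for entry in [("correct horse battery", "ascii", "lab-ssid"),
                  ("short", "ascii", "lab-ssid"), ("ab" * 32, "hex", "lab-ssid")]:
        try:
            _, notes = review_psk_entry(*entry)
            print(entry[1], "accepted", notes)
        except ValueError as err:
            print(entry[1], "rejected:", err)
```

A hexadecimal entry is used as the key directly, so it does not change with the SSID; an ASCII entry yields a different key for every SSID it is used with.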


Configuring WEP 802.11x Settings

Use this option to select authentication types for the access point. The WEP keys allow you to encrypt radio signals sent by the device and decrypt radio signals received by the device.

Procedure


Step 1 Select Security > WEP 802.11x. The Security: WEP Key Manager dialog box appears.

Step 2 Complete the following:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 3-9 WEP 802.11x Settings 

Field
Description

Set Encryption Mode and Keys for VLAN

Enter the VLAN for which you want to set the encryption mode and keys.

VLAN List

Lists the currently configured VLANs.

Encryption Modes

None

Select this option if the device communicates only with client devices that are not using WEP.

WEP Encryption

Select this option if you want to use WEP key encryption.

From the list, select one of the following:

Optional—Use this option to allow client devices to communicate with the access point either with or without WEP.

Mandatory—Use this option to require client devices to use WEP when communicating with the access point. Devices not using WEP are not allowed to communicate.

Check one of the following:

Cisco Compliant TKIP Features—Use this option to enable Temporal Key Integrity Protocol (TKIP).

When TKIP is enabled, all WEP-enabled client devices associated to the access point must support WEP key hashing, or they will not be able to communicate with the access point.

Enable MIC—Use this setting to enable Message Integrity Check (MIC). When you enable MIC, only MIC-capable client devices can communicate with the access point.

Enable Per Packet Keying—Use this option to enable MIC on both the access point and all associated client devices. A few bytes are added to each packet to make the packets tamper-proof.

Cipher

Select this option to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM).

Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN.

From the list, select one of the cipher suites.

WEP—Wired equivalent privacy is the least secure cipher suite.

TKIP—Temporal key integrity protocol is the most secure cipher suite.

CKIP—Cisco Key Integrity Protocol is Cisco's WEP key permutation technique based on an early algorithm.

CMIC—Cisco Message Integrity Check is Cisco's message integrity check mechanism, designed to detect forgery attacks.

WEP Keys

Encryption Keys 1 through 4

Transmit Key

Select to indicate this is the key you want to use to transmit packets. Only one key can be selected at a time.

Encryption Key

Enter the type of encryption key used:

For 40-bit WEP keys, enter as 10 hexadecimal digits (0-9, a-f, or A-F).

For 128-bit WEP keys, enter as 26 hexadecimal digits (0-9, a-f, or A-F).

Key Size

From the list, select one of the following:

40 bit

128 bit

Broadcast Key Rotation Interval

Select one of the following:

Disable Rotation—Use this setting to disable broadcast key rotation.

Enable Rotation with Interval—Use this setting for the access point to provide a dynamic broadcast WEP key and to change it at the selected interval.

WPA Group Key Update

Select the appropriate checkbox to determine how frequently the access point changes and distributes the group key to WPA-enabled client devices.

Enable Group Key Update on Membership Termination—Select this setting if clients do not roam frequently among access points.

The access point generates and distributes a new group key when any authenticated station disassociates from the access point. This option keeps the group key private to only currently active members. However, it may generate some overhead if clients in your network roam frequently.

Enable Group Key Update on Member's Capability Change—Use this setting, when in WPA migration mode, to improve the security of the key-management-capable clients when there are no legacy clients associated to the access point.

The access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates.


Step 3 Click Save. The VLAN is added to the list box.

Step 4 Select one of the following:

Preview to see your changes before you apply them. See Previewing the Template.

Finish to save the template. See Finishing the Template.

Another template category to configure more options. See Template Categories.
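
Before a template with these settings is applied to many access points, the per-VLAN choices in Table 3-9 can be checked mechanically. The following is an added example, not part of the Cisco guide or of WLSE: the dictionary layout and field names are hypothetical (the guide does not show a template file format), and the sample entries are constructed.

```python
import re

HEX_DIGITS_FOR_SIZE = {40: 10, 128: 26}  # key size in bits -> hex digits (Table 3-9)

def review_vlan_encryption(cfg):
    """Return findings for one VLAN entry; cfg uses hypothetical field names."""
    findings = []
    mode = cfg.get("mode")  # "none", "wep" or "cipher"
    if mode == "none":
        findings.append("encryption mode None: only clients without WEP can communicate")
    elif mode == "wep":
        if cfg.get("wep") == "optional":
            findings.append("WEP Optional: clients without WEP are also admitted")
        if not (cfg.get("mic") or cfg.get("per_packet_keying")):
            findings.append("WEP without MIC or per-packet keying")
    elif mode == "cipher":
        if cfg.get("cipher") == "wep":
            findings.append("cipher suite WEP: the least secure suite offered")
    else:
        findings.append(f"unknown encryption mode: {mode!r}")

    keys = cfg.get("keys", {})  # slot number 1-4 -> {"size": bits, "key": hex string}
    for slot in sorted(keys):
        size, key = keys[slot]["size"], keys[slot]["key"]
        digits = HEX_DIGITS_FOR_SIZE.get(size)
        # Findings name the slot only; key material is never echoed.
        if digits is None:
            findings.append(f"key {slot}: key size must be 40 or 128 bit")
        elif not re.fullmatch("[0-9A-Fa-f]{%d}" % digits, key):
            findings.append(f"key {slot}: {size}-bit key needs exactly {digits} hex digits")
    if keys and cfg.get("transmit_key") not in keys:
        findings.append("transmit key does not point at a configured key slot")
    if keys and not cfg.get("rotation_interval"):
        findings.append("static keys set while broadcast key rotation is disabled")
    return findings

# Constructed sample entries, not taken from any real template.
WEAK = {"mode": "wep", "wep": "optional", "mic": False,
        "keys": {1: {"size": 128, "key": "0123456789"}},
        "transmit_key": 2, "rotation_interval": 0}
HARDENED = {"mode": "cipher", "cipher": "tkip", "keys": {}}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, review_vlan_encryption(cfg) or "no findings")
```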


Configuring Server Manager Settings

Use this option to enter the authentication settings. The RADIUS server on your network uses EAP to provide authentication service for wireless client devices.

Procedure


Step 1 Select Security > Server Manager. The Security: Server Manager dialog box appears.

Step 2 Complete the following to add a server to the list:


Note Clicking Clear removes all the current entries in the window and any entries you have made in other Template windows up until that point.


Table 3-10 Server Manager Settings for the Radius Server List 

Field
Description

Backup Radius Server

Select one of the following:

Create—Use this setting to create a backup RADIUS server.

Delete—Use this setting to delete a backup RADIUS server.

Backup Radius Server

Enter the hostname or IP address of the RADIUS server you are either creating or deleting.

Shared Secret

Enter the server's shared secret.

Corporate Servers

Current Server List

Lists the servers that are currently configured.

RADIUS

Select this option if you are configuring settings for RADIUS.

TACACS+

Select this option if you are configuring settings for TACACS+.

Server

Enter the hostname or IP address for the selected server.

Shared Secret

Enter the shared secret used by your server.

Authentication Port

Enter the port number your server uses for authentication.

Accounting Port

Enter the port number your server uses for accounting.

Use this server for

Select one of the following:

EAP Authentication—Use this setting for authentication in which the access point relays authentication messages between the server and the authenticating client device.

MAC Authentication—Use this setting for authentication that allows only client devices with specified MAC addresses to associate and pass data through the access point. Client devices with MAC addresses not in a list of allowed MAC addresses are not allowed to associate with the access point.

Proxy Mobile IP Authentication—Use this setting for authentication that requires that registration messages sent by the access point on behalf of the visiting clients to the home agent contain the mobile-home authentication extension (MHAE).

Admin Authentication—Use this setting if you want to use any of the server options specified in Security > Admin Access. See Configuring Admin Access Settings.

Accounting—Use this setting if you want to use this server for accounting purposes.


Step 3 Click Save. The server appears on the list.

Step 4 To delete a server, select it from the list, then click Delete.

Step 5 Complete the following to set global server properties:

Table 3-11 Server Manager Settings for the Global Server Properties

Field
Description

Accounting Update Interval

Enter the interval at which the accounting updates should be performed.

The accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming.

TACACS+ Server Timeout

Enter the number of seconds the access point should wait before resending the request.

RADIUS Server Timeout

Enter the number of seconds the access point should wait before resending the request.

RADIUS Server Retransmit Retries

Enter the number of seconds the access point should wait before giving up contacting the server.

Dead Server List

When a server is found to be unresponsive after numerous retransmissions and time-outs, it is assumed to be dead and is put in a dead server list.

Select one of the following:

Disable—Use this setting to disable the feature.

Enable; Server remains on list for—Use this setting to enable the feature and to set the length of time for which the server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).