Home » Cisco Manuals » Wireless » Cisco AIR-LAP1252AG-A-K9 » Manual Viewer

Cisco AIR-LAP1252AG-A-K9 Software Configuration Guide - Page 141

EAP Authentication, Radio Data Encryption WEP, Network-EAP, Require EAP

UPC - 882658140716

View all Cisco AIR-LAP1252AG-A-K9 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 141 highlights

Chapter 4 Security Setup Setting Up EAP Authentication 1. Functionality in Draft 10 is equivalent to the functionality in Draft 11, the ratified draft of the 802.1X standard. 2. The default draft setting in access point and bridge firmware version 11.06 and later is Draft 10. Note Draft standard 8 is the default setting in firmware version 11.05 and earlier, and it might remain in effect when you upgrade the firmware to version 11.06 or later. Check the setting on the Authenticator Configuration page in the management system to make sure the best draft standard for your network is selected. Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Enter the name or IP address of the RADIUS server in the Server Name/IP entry field. Enter the port number your RADIUS server uses for authentication. The default setting, 1812, is the port setting for Cisco's RADIUS server, the Cisco Secure Access Control Server (ACS), and for many other RADIUS servers. Check your server's product documentation to find the correct port setting. Enter the shared secret used by your RADIUS server in the Shared Secret entry field. The shared secret on the access point must match the shared secret on the RADIUS server. The shared secret can contain up to 64 alphanumeric characters. Enter the number of seconds the access point should wait before authentication fails. If the server does not respond within this time, the access point tries to contact the next authentication server in the list if one is specified. Other backup servers are used in list order when the previous server times out. Select EAP Authentication under the server. The EAP Authentication checkbox designates the server as an authenticator for any EAP type, including LEAP, EAP-TLS, and EAP-MD5. Click OK. You return automatically to the Security Setup page. On the Security Setup page, click Radio Data Encryption (WEP) for the internal radio or the radio module to browse to the radio's AP Radio Data Encryption page. Select Network-EAP for the Authentication Type setting to allow EAP-enabled client devices to authenticate through the access point. Select Require EAP under Open or Shared Key to allow client devices with EAP-TLS or EAP-MD5 enabled through Windows XP to authenticate through the access point. If you do not select Require EAP, client devices with EAP enabled through Windows XP authenticate to the access point but might not perform OL-2159-03 Cisco Aironet 1200 Series Access Point Software Configuration Guide 4-23

Section	Page
Cisco Aironet 1200 Series Access Point Software Configuration Guide	1
Contents	3
Preface	13
Audience and Scope	13
Organization	13
Conventions	14
Related Publications	15
Obtaining Documentation	16
World Wide Web	16
Documentation CD-ROM	16
Ordering Documentation	16
Documentation Feedback	17
Obtaining Technical Assistance	17
Cisco.com	17
Technical Assistance Center	18
Cisco TAC Web Site	18
Cisco TAC Escalation Center	19
Overview	21
Key Features	22
Management Options	22
Roaming Client Devices	23
Network Configuration Examples	23
Root Unit on a Wired LAN	23
Repeater Unit that Extends Wireless Range	24
Central Unit in an All-Wireless Network	25
Using the Management Interfaces	27
Using the Web-Browser Interface	28
Using the Web-Browser Interface for the First Time	28
Using the Management Pages in the Web-Browser Interface	28
Navigating Using the Map Windows	30
Using the Command-Line Interface	31
Preparing to Use a Terminal Emulator	32
Connecting the Serial Cable	32
Setting Up the Terminal Emulator	33
Changing Settings with the CLI	33
Selecting Pages and Settings	35
Applying Changes to the Configuration	35
Using a Telnet Session	35
Using SNMP	36
Supported MIBs	36
Configuration	39
Basic Settings	40
Entering Basic Settings	41
System Name	41
MAC Address	41
Configuration Server Protocol	42
Default IP Address	42
Default IP Subnet Mask	42
Default Gateway	42
Radio Service Set ID (SSID)	43
Role in Radio Network	43
Radio Network Optimization (Optimize Radio Network For)	46
Radio Network Compatibility (Ensure Compatibility With)	46
SNMP Admin. Community	46
Filter Setup	47
Protocol Filtering	47
Creating a Protocol Filter	48
Enabling a Protocol Filter	52
MAC Address Filtering	52
Creating a MAC Address Filter	53
Radio Configuration	57
Entering Identity Information	57
Settings on the AP Radio Identification Page	58
Primary Port Settings	59
Default IP Address	59
Default IP Subnet Mask	59
Service Set ID (SSID)	60
LEAP User Name	60
LEAP Password	60
Entering Radio Hardware Information	60
Settings on the AP Radio Hardware Page	61
Service Set ID (SSID)	62
Allow Broadcast SSID to Associate?	62
Enable World Mode	63
Data Rates	63
Transmit Power	64
Frag. Threshold	65
RTS Threshold	65
Max. RTS Retries	65
Max. Data Retries	65
Beacon Period	65
Data Beacon Rate (DTIM)	65
Default Radio Channel	66
Search for Less-Congested Radio Channel	66
Restrict Searched Channels	67
Receive Antenna and Transmit Antenna	67
Entering Advanced Configuration Information	69
Settings on the AP Radio Advanced Page	70
Requested Status	71
Packet Forwarding	71
Default Multicast Address Filters	71
Maximum Multicast Packets/Second	72
Radio Cell Role	72
Maximum Number of Associations	72
Use Aironet Extensions	73
Classify Workgroup Bridges as Network Infrastructure	73
Require Use of Radio Firmware x.xx	74
Ethernet Encapsulation Transform	74
Enhanced MIC verification for WEP	75
Temporal Key Integrity Protocol	75
Broadcast WEP Key rotation interval (sec)	76
Accept Authentication Types	76
Require EAP	76
Default Unicast Address Filter	77
Specified Access Points	77
Radio Modulation	78
Radio Preamble	78
Ethernet Configuration	79
Entering Identity Information	79
Settings on the Ethernet Identification Page	80
Primary Port Settings	80
Default IP Address	80
Default IP Subnet Mask	81
Entering Ethernet Hardware Information	81
Settings on the Ethernet Hardware Page	82
Speed	82
Entering Advanced Configuration Information	84
Settings on the Ethernet Advanced Page	84
Requested Status	84
Packet Forwarding	85
Default Unicast and Multicast Address Filters	85
Maximum Multicast Packets/Second	86
Server Setup	86
Entering Time Server Settings	87
Settings on the Time Server Setup Page	87
Simple Network Time Protocol	88
Default Time Server	88
GMT Offset (hr)	88
Use Daylight Savings Time	88
Manually Set Date and Time	88
Entering Boot Server Settings	89
Settings on the Boot Server Setup Page	89
Configuration Server Protocol	90
Use Previous Configuration Server Settings	90
Read .ini File from File Server	90
BOOTP Server Timeout (sec)	91
DHCP Multiple-Offer Timeout (sec)	91
DHCP Requested Lease Duration (min)	91
DHCP Minimum Lease Duration (min)	91
DHCP Client Identifier Type	92
DHCP Client Identifier Value	93
DHCP Class Identifier	93
Entering Web Server Settings and Setting Up Access Point Help	93
Settings on the Web Server Setup Page	94
Allow Non-Console Browsing	94
HTTP Port	94
Default Help Root URL	94
Extra Web Page File	95
Default Web Root URL	95
Entering Name Server Settings	96
Settings on the Name Server Setup Page	96
Domain Name System	97
Default Domain	97
Domain Name Servers	97
Domain Suffix	97
Entering FTP Settings	98
Settings on the FTP Setup Page	98
File Transfer Protocol	99
Default File Server	99
FTP Directory	99
FTP User Name	99
FTP User Password	99
Routing Setup	99
Entering Routing Settings	100
Default Gateway	100
New Network Route Settings	101
Installed Network Routes list	101
Association Table Display Setup	102
Association Table Filters Page	102
Settings on the Association Table Filters Page	103
Stations to Show	103
Fields to Show	103
Packets To/From Station	104
Bytes To/From Station	104
Primary Sort	105
Secondary Sort	105
Association Table Advanced Page	106
Settings on the Association Table Advanced Page	107
Handle Station Alerts as Severity Level	107
Maximum number of bytes stored per Station Alert packet	108
Maximum Number of Forwarding Table Entries	108
Aironet Extended Statistics in MIB (awcTpFdbTable)	108
Block ALL Inter-Client Communications (PSPF)	108
Default Activity Timeout (seconds) Per Device Class	108
Event Notification Setup	109
Event Display Setup Page	109
Settings on the Event Display Setup Page	110
How should time generally be displayed?	110
How should Event Elapsed (non-wall-clock) Time be displayed?	110
Severity Level at which to display events	110
Event Handling Setup Page	112
Settings on the Event Handling Setup Page	114
Disposition of Events	114
Handle Station Events as Severity Level	115
Maximum memory reserved for Detailed Event Trace Buffer (bytes)	115
Download Detailed Event Trace Buffer	115
Clear Alert Statistics	115
Purge Trace Buffer	115
Event Notifications Setup Page	116
Settings on the Event Notifications Setup Page	117
Should Notify-Disposition Events generate SNMP Traps?	117
SNMP Trap Destination	117
SNMP Trap Community	117
Should Notify-Disposition Events generate Syslog Messages?	117
Syslog Destination Address	118
Syslog Facility Number	118
Security Setup	119
Security Overview	120
Levels of Security	120
Encrypting Radio Signals with WEP	121
Additional WEP Security Features	121
Network Authentication Types	122
Combining MAC-Based, EAP, and Open Authentication	126
Protecting the Access Point Configuration with User Manager	127
Setting Up WEP	127
Using SNMP to Set Up WEP	131
Enabling Additional WEP Security Features	132
Enabling Message Integrity Check (MIC)	132
Enabling Temporal Key Integrity Protocol (TKIP)	134
Enabling Broadcast WEP Key Rotation	136
Setting Up Open or Shared Key Authentication	137
Setting Up EAP Authentication	138
Enabling EAP on the Access Point	138
Enabling EAP in Cisco Secure ACS	143
Setting a Session-Based WEP Key Timeout	144
Setting up a Repeater Access Point as a LEAP Client	145
Setting Up MAC-Based Authentication	147
Enabling MAC-Based Authentication on the Access Point	147
Authenticating Client Devices Using MAC Addresses or EAP	152
Enabling MAC-Based Authentication in Cisco Secure ACS	153
Summary of Settings for Authentication Types	155
Setting Up Backup Authentication Servers	158
Setting Up Administrator Authorization	159
Creating a List of Authorized Management System Users	160
Network Management	165
Using the Association Table	166
Browsing to Network Devices	166
Setting the Display Options	167
Using Station Pages	167
Information on Station Pages	169
Station Identification and Status	169
To Station Information	170
From Station Information	171
Rate, Signal, and Status Information	171
Hops and Timing Information	172
Performing Pings and Link Tests	172
Performing a Ping	173
Performing a Link Test	173
Clearing and Updating Statistics	174
Deauthenticating and Disassociating Client Devices	175
Using the Network Map Window	175
Using Cisco Discovery Protocol	177
Settings on the CDP Setup Page	178
MIB for CDP	178
Assigning Network Ports	179
Settings on the Port Assignments Page	180
Enabling Wireless Network Accounting	180
Settings on the Accounting Setup Page	181
Accounting Attributes	183
Managing Firmware and Configurations	187
Updating Firmware	188
Updating with the Browser from a Local Drive	188
Full Update of the Firmware Components	189
Selective Update of the Firmware Components	190
Updating from a File Server	191
Full Update of the Firmware Components	191
Selective Update of the Firmware Components	193
Distributing Firmware	194
Distributing a Configuration	195
Limiting Distributions	197
Downloading, Uploading, and Resetting the Configuration	198
Downloading the Current Configuration	199
Uploading a Configuration	199
Uploading from a Local Drive	200
Uploading from a File Server	200
Resetting the Configuration	202
Restarting the Access Point	203
Management System Setup	205
SNMP Setup	206
Settings on the SNMP Setup Page	206
Using the Database Query Page	207
Settings on the Database Query Page	208
Changing Settings with the Database Query Page	208
Console and Telnet Setup	209
Settings on the Console/Telnet Page	209
Special Configurations	211
Setting Up a Repeater Access Point	211
Using Hot Standby Mode	215
Diagnostics and Troubleshooting	219
Using Diagnostic Pages	220
Radio Diagnostics Page	220
Antenna Alignment Test	221
Carrier Test	223
Network Ports Page	225
Identifying Information and Status	226
Data Received	226
Data Transmitted	227
Ethernet Port Page	227
Configuration Information	228
Receive Statistics	229
Transmit Statistics	230
AP Radio Page	230
Configuration Information	231
Receive Statistics	232
Transmit Statistics	233
Display Options	234
Event Log Page	235
Display Settings	235
Log Headings	236
Saving the Log	236
Event Log Summary Page	237
Using Command-Line Diagnostics	238
Entering Diagnostic Commands	239
Diagnostic Command Results	239
:eap_diag1_on	240
:eap_diag2_on	240
:vxdiag_arpshow	241
:vxdiag_checkstack	243
:vxdiag_hostshow	243
:vxdiag_i	244
:vxdiag_ipstatshow	245
:vxdiag_memshow	247
:vxdiag_muxshow	247
:vxdiag_routeshow	248
:vxdiag_tcpstatshow	249
:vxdiag_udpstatshow	250
Tracing Packets	251
Reserving Access Point Memory for a Packet Trace Log File	251
Tracing Packets for Specific Devices	252
Tracing Packets for Ethernet and Radio Ports	253
Viewing Packet Trace Data	254
Packets Stored in a Log File	254
Packets Displayed on the CLI	255
Checking the Top Panel Indicators	255
Finding an Access Point by Blinking the Top Panel Indicators	258
Checking Basic Settings	258
SSID	258
WEP Keys	258
EAP Authentication Requires Matching 802.1x Protocol Drafts	259
Resetting to the Default Configuration	261
Channels, Power Levels, and Antenna Gains	263
Channels	264
Channels for IEEE 802.11a	264
Channels for IEEE 802.11b	265
Maximum Power Levels and Antenna Gains	266
For IEEE 802.11a	266
For IEEE 802.11b	267
Protocol Filter Lists	269

Match case Limit results 1 per page

4-23

Cisco Aironet 1200 Series Access Point Software Configuration Guide

OL-2159-03

Chapter 4

Security Setup

Setting Up EAP Authentication

Note

Draft standard 8 is the default setting in firmware version 11.05 and

earlier, and it might remain in effect when you upgrade the firmware to

version 11.06 or later. Check the setting on the Authenticator

Configuration page in the management system to make sure the best draft

standard for your network is selected.

Step 3

Enter the name or IP address of the RADIUS server in the Server Name/IP entry

field.

Step 4

Enter the port number your RADIUS server uses for authentication. The default

setting,

1812

, is the port setting for Cisco

’

s RADIUS server, the Cisco Secure

Access Control Server (ACS), and for many other RADIUS servers. Check your

server

’

s product documentation to find the correct port setting.

Step 5

Enter the shared secret used by your RADIUS server in the Shared Secret entry

field. The shared secret on the access point must match the shared secret on the

RADIUS server. The shared secret can contain up to 64 alphanumeric characters.

Step 6

Enter the number of seconds the access point should wait before authentication

fails. If the server does not respond within this time, the access point tries to

contact the next authentication server in the list if one is specified. Other backup

servers are used in list order when the previous server times out.

Step 7

Select

EAP Authentication

under the server. The EAP Authentication checkbox

designates the server as an authenticator for any EAP type, including LEAP,

EAP-TLS, and EAP-MD5.

Step 8

Click

. You return automatically to the Security Setup page.

Step 9

On the Security Setup page, click

Radio Data Encryption (WEP)

for the internal

radio or the radio module to browse to the radio

’

s AP Radio Data Encryption page.

Step 10

Select

Network-EAP

for the Authentication Type setting to allow EAP-enabled

client devices to authenticate through the access point.

Select

Require EAP

under Open or Shared Key to allow client devices with

EAP-TLS or EAP-MD5 enabled through Windows XP to authenticate through the

access point. If you do not select Require EAP, client devices with EAP enabled

through Windows XP authenticate to the access point but might not perform

Functionality in Draft 10 is equivalent to the functionality in Draft 11, the ratified draft of the

802.1X standard.

The default draft setting in access point and bridge firmware version 11.06 and later is Draft 10.