Home » Cisco Manuals » Wireless » Cisco AIR-LAP1252AG-A-K9 » Manual Viewer

Cisco AIR-LAP1252AG-A-K9 Software Configuration Guide - Page 152

Authenticating Client Devices Using MAC Addresses or EAP, Disallowed, Require EAP

UPC - 882658140716

View all Cisco AIR-LAP1252AG-A-K9 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 152 highlights

Setting Up MAC-Based Authentication Chapter 4 Security Setup devices to authenticate using MAC addresses. To force all client devices to authenticate using MAC addresses, select Disallowed for all the enabled authentication types. When you set Default Unicast Address Filter to disallowed, the radio discards all unicast traffic except packets sent to the MAC addresses listed as allowed on the authentication server or on the access point's Address Filters page. Note Client devices associated to the radio are not immediately affected when you set the Default Unicast Address Filter to disallowed. Step 16 Click OK. You return automatically to the Setup page. Client devices that associate with the access point through this radio will not be allowed to authenticate unless their MAC addresses are included in the list of allowed addresses. Authenticating Client Devices Using MAC Addresses or EAP You can set up one or both access point radios to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using open authentication first attempt MAC authentication. If MAC authentication succeeds, the client device joins the network; if the client is also using EAP authentication, it attempts to authenticate using EAP. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication. Follow these steps to combine MAC-based and EAP authentication for client devices using IEEE 802.11 open authentication: Step 1 Step 2 Follow the steps in the "Setting Up EAP Authentication" section on page 4-20 to set up EAP. You must select Require EAP under Open authentication on the radio's AP Radio Data Encryption page to force client devices to perform EAP athentication if they fail MAC authentication. If you do not select Require EAP, client devices that fail MAC authentication might be able to join the network without performing EAP authentication. Follow the steps in the "Setting Up MAC-Based Authentication" section on page 4-29 to set up MAC-based authentication. 4-34 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL-2159-03

Section	Page
Cisco Aironet 1200 Series Access Point Software Configuration Guide	1
Contents	3
Preface	13
Audience and Scope	13
Organization	13
Conventions	14
Related Publications	15
Obtaining Documentation	16
World Wide Web	16
Documentation CD-ROM	16
Ordering Documentation	16
Documentation Feedback	17
Obtaining Technical Assistance	17
Cisco.com	17
Technical Assistance Center	18
Cisco TAC Web Site	18
Cisco TAC Escalation Center	19
Overview	21
Key Features	22
Management Options	22
Roaming Client Devices	23
Network Configuration Examples	23
Root Unit on a Wired LAN	23
Repeater Unit that Extends Wireless Range	24
Central Unit in an All-Wireless Network	25
Using the Management Interfaces	27
Using the Web-Browser Interface	28
Using the Web-Browser Interface for the First Time	28
Using the Management Pages in the Web-Browser Interface	28
Navigating Using the Map Windows	30
Using the Command-Line Interface	31
Preparing to Use a Terminal Emulator	32
Connecting the Serial Cable	32
Setting Up the Terminal Emulator	33
Changing Settings with the CLI	33
Selecting Pages and Settings	35
Applying Changes to the Configuration	35
Using a Telnet Session	35
Using SNMP	36
Supported MIBs	36
Configuration	39
Basic Settings	40
Entering Basic Settings	41
System Name	41
MAC Address	41
Configuration Server Protocol	42
Default IP Address	42
Default IP Subnet Mask	42
Default Gateway	42
Radio Service Set ID (SSID)	43
Role in Radio Network	43
Radio Network Optimization (Optimize Radio Network For)	46
Radio Network Compatibility (Ensure Compatibility With)	46
SNMP Admin. Community	46
Filter Setup	47
Protocol Filtering	47
Creating a Protocol Filter	48
Enabling a Protocol Filter	52
MAC Address Filtering	52
Creating a MAC Address Filter	53
Radio Configuration	57
Entering Identity Information	57
Settings on the AP Radio Identification Page	58
Primary Port Settings	59
Default IP Address	59
Default IP Subnet Mask	59
Service Set ID (SSID)	60
LEAP User Name	60
LEAP Password	60
Entering Radio Hardware Information	60
Settings on the AP Radio Hardware Page	61
Service Set ID (SSID)	62
Allow Broadcast SSID to Associate?	62
Enable World Mode	63
Data Rates	63
Transmit Power	64
Frag. Threshold	65
RTS Threshold	65
Max. RTS Retries	65
Max. Data Retries	65
Beacon Period	65
Data Beacon Rate (DTIM)	65
Default Radio Channel	66
Search for Less-Congested Radio Channel	66
Restrict Searched Channels	67
Receive Antenna and Transmit Antenna	67
Entering Advanced Configuration Information	69
Settings on the AP Radio Advanced Page	70
Requested Status	71
Packet Forwarding	71
Default Multicast Address Filters	71
Maximum Multicast Packets/Second	72
Radio Cell Role	72
Maximum Number of Associations	72
Use Aironet Extensions	73
Classify Workgroup Bridges as Network Infrastructure	73
Require Use of Radio Firmware x.xx	74
Ethernet Encapsulation Transform	74
Enhanced MIC verification for WEP	75
Temporal Key Integrity Protocol	75
Broadcast WEP Key rotation interval (sec)	76
Accept Authentication Types	76
Require EAP	76
Default Unicast Address Filter	77
Specified Access Points	77
Radio Modulation	78
Radio Preamble	78
Ethernet Configuration	79
Entering Identity Information	79
Settings on the Ethernet Identification Page	80
Primary Port Settings	80
Default IP Address	80
Default IP Subnet Mask	81
Entering Ethernet Hardware Information	81
Settings on the Ethernet Hardware Page	82
Speed	82
Entering Advanced Configuration Information	84
Settings on the Ethernet Advanced Page	84
Requested Status	84
Packet Forwarding	85
Default Unicast and Multicast Address Filters	85
Maximum Multicast Packets/Second	86
Server Setup	86
Entering Time Server Settings	87
Settings on the Time Server Setup Page	87
Simple Network Time Protocol	88
Default Time Server	88
GMT Offset (hr)	88
Use Daylight Savings Time	88
Manually Set Date and Time	88
Entering Boot Server Settings	89
Settings on the Boot Server Setup Page	89
Configuration Server Protocol	90
Use Previous Configuration Server Settings	90
Read .ini File from File Server	90
BOOTP Server Timeout (sec)	91
DHCP Multiple-Offer Timeout (sec)	91
DHCP Requested Lease Duration (min)	91
DHCP Minimum Lease Duration (min)	91
DHCP Client Identifier Type	92
DHCP Client Identifier Value	93
DHCP Class Identifier	93
Entering Web Server Settings and Setting Up Access Point Help	93
Settings on the Web Server Setup Page	94
Allow Non-Console Browsing	94
HTTP Port	94
Default Help Root URL	94
Extra Web Page File	95
Default Web Root URL	95
Entering Name Server Settings	96
Settings on the Name Server Setup Page	96
Domain Name System	97
Default Domain	97
Domain Name Servers	97
Domain Suffix	97
Entering FTP Settings	98
Settings on the FTP Setup Page	98
File Transfer Protocol	99
Default File Server	99
FTP Directory	99
FTP User Name	99
FTP User Password	99
Routing Setup	99
Entering Routing Settings	100
Default Gateway	100
New Network Route Settings	101
Installed Network Routes list	101
Association Table Display Setup	102
Association Table Filters Page	102
Settings on the Association Table Filters Page	103
Stations to Show	103
Fields to Show	103
Packets To/From Station	104
Bytes To/From Station	104
Primary Sort	105
Secondary Sort	105
Association Table Advanced Page	106
Settings on the Association Table Advanced Page	107
Handle Station Alerts as Severity Level	107
Maximum number of bytes stored per Station Alert packet	108
Maximum Number of Forwarding Table Entries	108
Aironet Extended Statistics in MIB (awcTpFdbTable)	108
Block ALL Inter-Client Communications (PSPF)	108
Default Activity Timeout (seconds) Per Device Class	108
Event Notification Setup	109
Event Display Setup Page	109
Settings on the Event Display Setup Page	110
How should time generally be displayed?	110
How should Event Elapsed (non-wall-clock) Time be displayed?	110
Severity Level at which to display events	110
Event Handling Setup Page	112
Settings on the Event Handling Setup Page	114
Disposition of Events	114
Handle Station Events as Severity Level	115
Maximum memory reserved for Detailed Event Trace Buffer (bytes)	115
Download Detailed Event Trace Buffer	115
Clear Alert Statistics	115
Purge Trace Buffer	115
Event Notifications Setup Page	116
Settings on the Event Notifications Setup Page	117
Should Notify-Disposition Events generate SNMP Traps?	117
SNMP Trap Destination	117
SNMP Trap Community	117
Should Notify-Disposition Events generate Syslog Messages?	117
Syslog Destination Address	118
Syslog Facility Number	118
Security Setup	119
Security Overview	120
Levels of Security	120
Encrypting Radio Signals with WEP	121
Additional WEP Security Features	121
Network Authentication Types	122
Combining MAC-Based, EAP, and Open Authentication	126
Protecting the Access Point Configuration with User Manager	127
Setting Up WEP	127
Using SNMP to Set Up WEP	131
Enabling Additional WEP Security Features	132
Enabling Message Integrity Check (MIC)	132
Enabling Temporal Key Integrity Protocol (TKIP)	134
Enabling Broadcast WEP Key Rotation	136
Setting Up Open or Shared Key Authentication	137
Setting Up EAP Authentication	138
Enabling EAP on the Access Point	138
Enabling EAP in Cisco Secure ACS	143
Setting a Session-Based WEP Key Timeout	144
Setting up a Repeater Access Point as a LEAP Client	145
Setting Up MAC-Based Authentication	147
Enabling MAC-Based Authentication on the Access Point	147
Authenticating Client Devices Using MAC Addresses or EAP	152
Enabling MAC-Based Authentication in Cisco Secure ACS	153
Summary of Settings for Authentication Types	155
Setting Up Backup Authentication Servers	158
Setting Up Administrator Authorization	159
Creating a List of Authorized Management System Users	160
Network Management	165
Using the Association Table	166
Browsing to Network Devices	166
Setting the Display Options	167
Using Station Pages	167
Information on Station Pages	169
Station Identification and Status	169
To Station Information	170
From Station Information	171
Rate, Signal, and Status Information	171
Hops and Timing Information	172
Performing Pings and Link Tests	172
Performing a Ping	173
Performing a Link Test	173
Clearing and Updating Statistics	174
Deauthenticating and Disassociating Client Devices	175
Using the Network Map Window	175
Using Cisco Discovery Protocol	177
Settings on the CDP Setup Page	178
MIB for CDP	178
Assigning Network Ports	179
Settings on the Port Assignments Page	180
Enabling Wireless Network Accounting	180
Settings on the Accounting Setup Page	181
Accounting Attributes	183
Managing Firmware and Configurations	187
Updating Firmware	188
Updating with the Browser from a Local Drive	188
Full Update of the Firmware Components	189
Selective Update of the Firmware Components	190
Updating from a File Server	191
Full Update of the Firmware Components	191
Selective Update of the Firmware Components	193
Distributing Firmware	194
Distributing a Configuration	195
Limiting Distributions	197
Downloading, Uploading, and Resetting the Configuration	198
Downloading the Current Configuration	199
Uploading a Configuration	199
Uploading from a Local Drive	200
Uploading from a File Server	200
Resetting the Configuration	202
Restarting the Access Point	203
Management System Setup	205
SNMP Setup	206
Settings on the SNMP Setup Page	206
Using the Database Query Page	207
Settings on the Database Query Page	208
Changing Settings with the Database Query Page	208
Console and Telnet Setup	209
Settings on the Console/Telnet Page	209
Special Configurations	211
Setting Up a Repeater Access Point	211
Using Hot Standby Mode	215
Diagnostics and Troubleshooting	219
Using Diagnostic Pages	220
Radio Diagnostics Page	220
Antenna Alignment Test	221
Carrier Test	223
Network Ports Page	225
Identifying Information and Status	226
Data Received	226
Data Transmitted	227
Ethernet Port Page	227
Configuration Information	228
Receive Statistics	229
Transmit Statistics	230
AP Radio Page	230
Configuration Information	231
Receive Statistics	232
Transmit Statistics	233
Display Options	234
Event Log Page	235
Display Settings	235
Log Headings	236
Saving the Log	236
Event Log Summary Page	237
Using Command-Line Diagnostics	238
Entering Diagnostic Commands	239
Diagnostic Command Results	239
:eap_diag1_on	240
:eap_diag2_on	240
:vxdiag_arpshow	241
:vxdiag_checkstack	243
:vxdiag_hostshow	243
:vxdiag_i	244
:vxdiag_ipstatshow	245
:vxdiag_memshow	247
:vxdiag_muxshow	247
:vxdiag_routeshow	248
:vxdiag_tcpstatshow	249
:vxdiag_udpstatshow	250
Tracing Packets	251
Reserving Access Point Memory for a Packet Trace Log File	251
Tracing Packets for Specific Devices	252
Tracing Packets for Ethernet and Radio Ports	253
Viewing Packet Trace Data	254
Packets Stored in a Log File	254
Packets Displayed on the CLI	255
Checking the Top Panel Indicators	255
Finding an Access Point by Blinking the Top Panel Indicators	258
Checking Basic Settings	258
SSID	258
WEP Keys	258
EAP Authentication Requires Matching 802.1x Protocol Drafts	259
Resetting to the Default Configuration	261
Channels, Power Levels, and Antenna Gains	263
Channels	264
Channels for IEEE 802.11a	264
Channels for IEEE 802.11b	265
Maximum Power Levels and Antenna Gains	266
For IEEE 802.11a	266
For IEEE 802.11b	267
Protocol Filter Lists	269

Match case Limit results 1 per page

Chapter 4

Security Setup

Setting Up MAC-Based Authentication

4-34

Cisco Aironet 1200 Series Access Point Software Configuration Guide

OL-2159-03

devices to authenticate using MAC addresses. To force all client devices to

authenticate using MAC addresses, select

Disallowed

for all the enabled

authentication types.

When you set Default Unicast Address Filter to disallowed, the radio discards all

unicast traffic except packets sent to the MAC addresses listed as allowed on the

authentication server or on the access point

’

s Address Filters page.

Note

Client devices associated to the radio are not immediately affected when

you set the Default Unicast Address Filter to disallowed.

Step 16

Click

. You return automatically to the Setup page. Client devices that

associate with the access point through this radio will not be allowed to

authenticate unless their MAC addresses are included in the list of allowed

addresses.

Authenticating Client Devices Using MAC Addresses or EAP

You can set up one or both access point radios to authenticate client devices using

a combination of MAC-based and EAP authentication. When you enable this

feature, client devices that associate to the access point using open authentication

first attempt MAC authentication. If MAC authentication succeeds, the client

device joins the network; if the client is also using EAP authentication, it attempts

to authenticate using EAP. If MAC authentication fails, the access point waits for

the client device to attempt EAP authentication.

Follow these steps to combine MAC-based and EAP authentication for client

devices using IEEE 802.11 open authentication:

Step 1

Follow the steps in the

“

Setting Up EAP Authentication

”

section on page 4-20

set up EAP. You must select

Require EAP

under Open authentication on the

radio

’

s AP Radio Data Encryption page to force client devices to perform EAP

athentication if they fail MAC authentication. If you do not select

Require EAP

client devices that fail MAC authentication might be able to join the network

without performing EAP authentication.

Step 2

Follow the steps in the

“

Setting Up MAC-Based Authentication

”

section on

page 4-29

to set up MAC-based authentication.