Cisco WAP200 Administration Guide - Page 40

Chapter 2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - How it works - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Chapter 2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 40 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The

Authentication settings

page enables you to specify the following global

parameters:

•

Supplicant timeout

—Enter the maximum number of seconds for the WAP-200 to

wait for a client station to respond to an Extensible Authentication Protocol (EAPOL)

packet before resending it. Default is 3 seconds.

If wireless client stations are configured to manually enter an 802.1x username or

password or both, you must increase the

Supplicant timeout

to 15 to 20 seconds.

•

Group key update

—Enable this checkbox in order to force updating of 802.1x group

keys at the selected

Key change interval.

•

Reauthentication

—Enable this checkbox in order to force 802.1x clients to

reauthenticate as determined by the following parameters:

•

Period

—Select the interval at which client stations must reauthenticate. Select 15 or

30 minutes or 1, 2, 4, 8, or 12 hours. Default is 1 hour.

•

Terminate

—Enable this checkbox to specify that client traffic is blocked during

reauthentication and is reactivated only when authentication succeeds. Disable this

checkbox to specify that client stations remain connected during reauthentication and

that client traffic is blocked only if reauthentication fails.

Using multiple

authentication

mechanisms

802.1x and MAC-based authentication are configurable for each virtual service

community. Both options can be enabled at the same time for added flexibility. When this

occurs, the result for 802.1x authentication takes precedence over the MAC

authentication result. It is therefore possible for a client station to be authenticated via

MAC and then refused via 802.1x, or refused by MAC and accepted by 802.1x.

An additional option is available that can be used to force all client stations to

authenticate via 802.1x. When active, even if a client station is authenticated via MAC,

the client station will be refused if it cannot authenticate via 802.1x.

Restriction

Both MAC and 802.1x authentication options can only be active at the same time on the

same VSC when the setting for wireless protection is:

•

802.1x with no encryption (WEP option disabled)

OR

•

802.1x with WEP encryption enabled and static keys enabled

Note:

If you intend to only use dynamic keys, only 802.1x authentication is supported.

The following table illustrates the results for all authentication scenarios.

Active Authentication Method

Authentication result

Network

Access?

MAC

802.1x

MAC

Failure

-

No

Success

-

Yes

802.1x Not Mandatory

-

Success

Yes

-

Failure

No

-

-

Yes

802.1x Mandatory

-

Failure

No

-

Success

Yes

-

-

No

Section	Page
Contents	3
Introduction	5
About this guide	6
Important terms	6
Typographical conventions	6
Warnings, cautions, and notes	6
RRelated documentation	7
Hardware overview	8
Front and rear panels	8
Antenna connectors	9
Antenna diversity	9
Ethernet port(s)	9
Powering the WAP200	9
DC power adapter	9
Power over Ethernet (PoE)	9
Status lights	10
Radio	10
Reset button	10
Restarting	10
Resetting to factory defaults	10
Hardware Installation	11
Mounting options	11
Plenum installations	11
Configuring the WAP200	11
Regulatory information	12
Canada— Industry Canada (IC)	12
USA—Federal Communications Commission (FCC)	12
Caution! Exposure to Radio Frequency Radiation	12
Interference Statement	13
Europe	13
1313	15
Information for the user	15
Health information	16
Declaration of conformity	17
North American Standards	17
How it works	19
Overview	20
Public access deployment	20
Enterprise deployment	21
Management Tool	22
Management station	22
Configuring the management station for wireless access	22
Configuring the management station for wired access	22
Starting the Management Tool	22
Administrator account	23
Account policy	23
Validating administrator logins using a RADIUS server	23
Security	25
Virtual service communities	26
Setting up a VSC	26
General	29
Virtual AP	29
Maximum wireless clients per radio	29
DTIM count	29
Permit traffic exchange between wireless clients	29
Minimum rate	30
Maximum rate	30
Transmit/Receive on	30
Broadcast WLAN name (SSID)	31
Advertise Tx power	31
Egress VLAN	31
Wireless security filters	32
Restrict wireless traffic to	32
Default filter definitions	32
Custom	33
Wireless protection	33
WPA	33
802.1x	34
WEP	35
MAC-based authentication	35
Location-aware	36
MAC filter	36
Working with an access controller	37
Connecting to a Colubris access controller	37
Using other access controllers	37
Customer authentication and access control	39
Authentication methods	39
WPA/802.1x	39
MAC-based authentication	39
Location-aware authentication	39
802.1x global authentication settings	39
Using multiple authentication mechanisms	40
Wireless coverage	42
Wireless mode	42
Factors limiting wireless coverage	42
Radio power	42
Antenna configuration	42
Interference	43
Physical characteristics of the location	43
Configuring overlapping wireless cells	44
Performance degradation and channel separation	44
Selecting channels	45
Automatic power control	47
Conducting a site survey	48
Monitor mode	48
Identifying unauthorized access points	49
RF channel management	50
Operating mode	50
Wireless mode	51
Channel	51
DFS/TPC	51
Automatic power adjustment	51
How it works	51
Distance between access points	52
RTS threshold	52
Multicast Tx rate	52
Antenna selection	52
Transmit power control	53
Configuring transmit power	53
Guidelines for configuring transmit power	53
RF performance	54
Client station data rate limits	54
Multicast rate limit	54
Addressing	55
Default settings	55
DNS	55
Layer 2 security	56
Session limits	56
Authentication	56
Security options	56
WEP	56
802.1x	56
WPA1/WPA2	57
Do not broadcast wireless network name	57
Wireless bridging	58
RF extension	58
Building-to- building connections	58
Guidelines	59
Setting up a wireless link	60
VLAN support	62
Creating VLANs	62
Default VLAN	63
Assigning traffic to VLANs	63
Per-VSC VLAN assignment	63
Per-user VLAN assignment	63
VLAN bridging	63
Firmware management	64
Manual update	64
Scheduled install	65
Using cURL	65
Uploading the firmware	65
Configuration management	66
Manual management	66
Using cURL	68
Uploading the configuration file	68
Downloading the configuration file	69
Resetting the configuration to factory defaults	69
Using a RADIUS server	70
Creating a RADIUS client entry for the WAP200	70
Configuration settings	70
Configuring the connection	71
Profile name	71
RADIUS profile settings	71
Primary RADIUS server	72
Secondary RADIUS server	72
Creating user profiles on the RADIUS server	73
Supported RADIUS attributes	73
Creating administrator profiles on the RADIUS server	78
Supported RADIUS attributes	78
Chapter 3: More from Colubris	79
Colubris.com	80
For registered customers	80
For Annual Maintenance Support Program customers	80

Cisco WAP200 Administration Guide - Page 40

Using multiple, authentication, mechanisms - manual

Page 40 highlights