Search This Blog

Monday, 28 February 2011

AP Failover with Mobilty Groups

In WLC 4.2, there is only a field for the name of the Primary, Secondary and tertiary controller. If the AP only learns about one WLC during discovery, it can use these names for other WLC's, but as there is no IP address to be configured here, the WLC uses mobility group information to establish the IP.

Now, if the WLC's are in different mobilty groups. There is no way to provide this information via the GUI. A CLI command is required.

config ap primary-base WLC1 AP1 10.10.10.10
config ap secondary-base WLC2 AP1 10.10.10.11

An AP reboot will probably be required!

Thursday, 24 February 2011

Best Practice Settings for 7921G Phone

General Recommendations
Set DTIM to 2
Beacon Period 100 ms

Data Rates



Multicast traffic will be sent at the highest basic data rate enabled on the access point, so will want to ensure that only the lowest enabled rate is configured as the only basic rate.
Broadcast traffic is sent at the lowest basic rate.


 
Autonomous Recommendations
Power no greater that 17dbm for 2.4GHz
Power no greater than 16dbm for 5GHz

Ensure the client uses the same power
power local x
power client local

enable wmm on the interface

enable arp-caching
dot11 arp-cache
For the Cisco Autonomous Access Point,
"dot11 phone" or "dot11 phone dot11e" will enable QBSS."Dot11 phone"
It is recommended to enable

TSPEC
configure values in the GUI for CAC
remenber to set-up admit-traffic on the SSID
admit-traffic
enable AVVID cos mappings

The documentation (7921G deployment guide) states setting up a QoS policy to set UP values based on DSCP, however this would not come into play if Layer 2 markings are already specified.

Enable world mode to ensure non US phone obeys local regulatory restrictions
world-mode dot11d country US both
will enable the 2 Cisco versions, where "dot11 phone dot11e" will enable both CCA versions (802.11e and Cisco version 2). "dot11 phone dot11e".Configure both "open with eap" and "network eap" for authentication

Unified Recommendations

DTIM 2 beacon period 100 ms
Disable Session timeout or increase
Disable client exclusion
Enable Aironet IE
Enable DTPC
Disable P2P Blocking
Enable DHCP Address Assignment
MFP Disabled or Optional
Enable CAC and Load Based CAC
Disable Low Latency Mac (as the phone has a dynamic buffer)
Platinum QoS Profile with dot1p set to 6
WMM Allowed or Required
Disable Aggressive load balancing
Enable Symetric Tunneling Mode
Enable Short Preamble for 802.11g
Enable CCX location measurement
config advanced eap request-timeout 30config network arpunicast disable
Remove channel 165 from the DCA list as the phone does not support it

Recommend to disable UNII-II extended when using UNII-3 for a 12 channel model

DFS(802.11h)
Power constraint should be left un-configured or set to 0 dBm as DTPC will be used by the Cisco Unified Wireless IP Phone7921G to control the transmission power.

For the Cisco Unified Wireless LAN Controller, enabling WMM will enable the 802.11e version of QBSS. There are also the
"7920 Client CAC" and "7920 AP CAC" options, where "7920 Client CAC" will enable Cisco version 1 and "7920 APCAC" enables Cisco version 2.
Enable Traffic Stream Metrics

The CAC voice stream-size and voice max-streams values can be adjusted as necessary by using the following command.
config 802.11a cac voice stream-size 84000 max-streams 2

Restoring Factory Defaults
The configuration can be cleared by using the factory default menu option on the phone.
The factory default option erases all user-defined entries in Network Profiles, Phone Settings, and Call History.
To erase the local configuration, follow these steps:
1. Choose Settings > Phone Settings.
2. Press
The phone briefly displays
"**2" on the keypad."Restore to Default?"3. Press the
The phone resets after selecting
"Yes" softkey to confirm or "No" to cancel.
(it is by default, this enables proxy arp)

Use AutoQos (without using AutoQos!) and without a reboot!

Its well known that this can be done by running Autoqos, copying into notepad and rebooting the switch. But this takes precious time, especially with the 6500.....So



copy running flash:old.cfg

run the autoqos commands

cut and paste what you need from the config

config replace flash:old.cfg

then you have the auto-qos best practice parameters and can copy them to your interface from notepad and you didn't configure the working config with auto-qos command.


Wednesday, 23 February 2011

TACACS+ WLC User Authentication

Use this process to configure the WLC for Tacacs

Add a TACACS Authentication server
Add a TACACS Authorisation server (also required)

Go to ACS add NAS
Go to interface config and add PPP SHELL and ADVANCED TACACS (for user also if required)
Add ciscowlc and common under new services

Select these attributes in either user or group and add the required roles for access

role1=ALL (full admin rights)

role1=WIRELESS
role2=WLANS  (for specific WLC tab access)
roleX=X

role1=MONITOR (read only rights)

WLC Syslog Levels

This caught me out when going through the IPX workbook and I also had a similar issue at the Fastlane bootcamp.
If they ask you in the lab to configure a specific log level, its not clear in the GUI what level it is as they are not in level order. So I thought, check the 4.2 config guide. ITS WRONG. The 5.0 config guide has the correct information! Learn if you can, but if you forget, remember to check the 5.0 Guide for reference!



To set the severity level for filtering syslog messages to the syslog servers, choose one of the following options from the Syslog Level drop-down box:


Emergencies = Severity level 0
Alerts = Severity level 1 (default value)
Critical = Severity level 2
Errors = Severity level 3
Warnings = Severity level 4
Notifications = Severity level 5
Informational = Severity level 6
Debugging = Severity level 7

If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog servers. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are sent to the syslog servers.

Tuesday, 22 February 2011

WLC CLI Commands Only - Work in progress

Commands that are only available in the CLI


config advanced eap request-timeout 20
config advanced eap identity-request-timeout 20
Generally considered best practice to configure these. The phone is slow and can time out the request if the default is set to 1.

config network secureweb cipher-option high enable
Changes level of encryption on HTTPS GUI

config network arp unicast enable
Turns on proxy arp. The controller will provide its own mac to clients requesting a mac not in its database. It will then make the request on behalf of the client.

config advanced dot11-padding enable
Pads proxy arp responses to 60 bytes. Some non Cisco clients can have an issue with arp responses that are below this level.

config advanced 802.11a logging txpower on 
Example, can be used for both radios and different logging metods for the AP's.


config advanced client-handoff x
Used to inform CCX clients of the amount of excessive retries required before a roam is forced.


config mobility secure-mode enable
Configures secure mobility on port 16667. All members of mobility group need it. Not supported in 2100's


config wlan security tkip hold-down 0 [wlan id]
This is used to stop the 60 second counter measure when 2 TKIP MIC errors are detected on an SSID.

Configuring WLC Interfaces in Notepad

It can take all year to set up interfaces that span multiple controllers via the GUI. A good trick is to do this in Notepad and just change the values for each interface, once they are built for a single controller, just chance the IP address and paste to the others! If you cant remember the commands do one interface in CLI using Tab, if you cant do it using Tab, learn!

Also, only use lower case for inteface names, if you use upper case, they will show in GUI as lower case, but not map to WLAN's correctly!

config interface create guest 11
config interface address dynamic-interface guest 10.10.11.15 255.255.255.0 10.10.11.1
config interface dhcp dynamic-interface guest primary 10.10.210.6  
config interface port guest 1

Cisco Unified Wireless Network Ports

Cisco Unified Wireless Network Ports

LWAPP Data Packets: UDP 12222 to the WLC (AP uses ephemeral ports)
LWAPP Control Messages: UDP 12223 to the WLC

CAPWAP Control: UDP 5246
CAPWAP Data: UDP 5247

WCP for WiSM: UDP 10000

Mobility Control Messages: UDP 16666 and/or UDP 16667 (secure-mode)
Mobility EoIP Tunnel: IP Protocol 97

Use mping for mobility control verifcation and eping for mobility data verification

RRM Messages 802.11b/g Client: UDP 12124
RRM Messages 802.11b/g Server: UDP 12134
RRM Messages 802.11a Client: UDP 12125
RRM Messages 802.11a Server: UDP 12135

Radius Authentication: UDP 1812
Radius Accounting: UDP 1813
Radius Authentication (legacy): UDP 1645
Radius Accounting (legacy): UDP 1646

TACACS+: TCP 49

DHCPv4 Clients: UDP 68
DHCPv4 Server: UDP 67
DHCPv6 Clients: TCP/UDP 546
DHCPv6 Server: TCP/UDP 547

HTTPS: TCP 443
HTTP: TCP 80
Telnet: TCP 23
SSH: TCP 22
TFTP: UDP 69
SNMP: UDP 161 and UDP 162
Syslog: UDP 514
NTP: UDP 123

Monday, 21 February 2011

Configuring Multicast using Auto-RP

Enable multicast routing globally
ip multicast-routing distributed

Enable pim-sparse mode on all interfaces required to receive the stream including SVI's and Loopbacks
ip pim sparse-mode

Then configure both switches as RP's if required

configure pim auto listener so that the RP disovery messages can be sent out using dense mode
ip pim autorp listener

Configure both RP's to announce themsleves as the RPip pim send-rp-announce Loopback0 scope 10

Also set them up as the mapping agents for Auto-RPip pim send-rp-discovery Loopback0 scope 10

Clearing LWAPP configs

Thanks to Jason Boyers for this great info on clearing those annoying configs!

One issue I’ve run into both in studying for the ccie wireless lab, and now in developing training material, is how to completely clear the configuration on a lightweight AP.  In the “old” days, you would write erase the IOS configuration, reboot, and BAM – you had a clean slate to work from.  However, the pesky LAPs keep the IP addresses of previously joined WLCs and other WLCs in the same mobility group in NVRAM.  So, what do you do?  There is that command, clear ap-config AP_Name that you can run from the CLI of the WLC, if it’s joined to a WLC.



(Cisco Controller) >clear ap-config LWAP1
clear ap-config will clear ap config and reboot the AP, Are you sure you want continue? (y/n) y

All AP configuration including AP's static IP configuration has been cleared.
And, that will clear the configuration in NVRAM.  You can verify that with the “show lwapp client config command.  The first is the before, and the second is the after (after it has rebooted).


LWAP1#show lwapp client config
... (lines removed for ease of explanation)
name                    LWAP1
mwarName                WLC1
mwarName                WLC2
And, then, after the command is run
AP001d.a1ec.11cc#show lwapp client config
AP001d.a1ec.11cc#
 
 
So, now, you have a clean config.  Or, mostly clean.  You can use various methods to have the AP discover a WLC (DNS, DHCP, broadcast), but you still cannot statically define information from the CLI.  Go ahead.  Try lwapp ap controller ip address x.x.x.x or clear lwapp private-config.  You will get the infamous ERROR!!! Command is disabled. error message.

AP001d.a1ec.11cc#lwapp ap controller ip address 10.10.111.20
ERROR!!! Command is disabled.
 
 
But, wasn’t the configuration cleared???  Mostly yes.  However, the image file used to boot the AP after the config was cleared is the full LWAPP image that it was last using.  It uses the information in the flash:env_vars file in order to boot using that information.


AP001d.a1ec.11cc#more flash:env_vars
BOOT=flash:/c1130-k9w8-mx.124-10b.JDD/c1130-k9w8-mx.124-10b.JDD
DEFAULT_ROUTER=10.0.0.1
ENABLE_BREAK=no
IP_ADDR=10.0.0.1
MANUAL_BOOT=no
NETMASK=255.255.255.224
RELOAD_REASON=9
TERMLINES=0
 
 
The other pieces should look familiar as well, to those who have used the local TFTP method of converting from LWAPP to IOS.  Because of using a full LWAPP image, the AP knows that at one point it was joined to a WLC.  If it was joined to a WLC, then the lwapp commands shouldn’t be used.
So, how do we get around this?  The simplest way I have found is to treat the AP as if you were going to do a local TFTP upgrade, but without the TFTP server.  If you power down the AP and then hold the Mode button until it turns red (about 20 seconds), the AP will boot up.  If you look at the console, you will see the following:


button pressed for 20 seconds
process_config_recovery: set IP address and config to default 10.0.0.1
process_config_recovery: image recovery
image_recovery: Download default IOS tar image tftp://255.255.255.255/c1130-k9w7-tar.default
 
 
Looks like a TFTP upgrade.  Then, when the TFTP transfer times out, the AP gives an error message %Error opening long_file_name.  After this, it shows:


Loading "flash:/c1130-rcvk9w8-mx/c1130-rcvk9w8-mx"...###############################[...]

File "flash:/c1130-rcvk9w8-mx/c1130-rcvk9w8-mx" uncompressed and installed, entry point: 0x3000
executing...
Ah, the recovery image!  After the AP boots, the flash:env_vars file no longer has that BOOT line.
AP001d.a1ec.11cc#more flash:env_vars
DEFAULT_ROUTER=10.0.0.1
ENABLE_BREAK=no
IP_ADDR=10.0.0.1
MANUAL_BOOT=no
NETMASK=255.255.255.224
RELOAD_REASON=9
TERMLINES=0
 
 
Now, when we try the lwapp commands, they will be accepted.  This is because it is the recovery image, not the full image.  Let’s see what happens:
AP001d.a1ec.11cc#lwapp ap controller ip address 10.10.111.20
AP001d.a1ec.11cc#
examining image...
Loading file /c1130...
!
extracting info (292 bytes)
Image info:
    Version Suffix: k9w8-.124-10b.JDD
    Image Name: c1130-k9w8-mx.124-10b.JDD
    Version Directory: c1130-k9w8-mx.124-10b.JDD
    Ios Image Size: 3645952
    Total Image Size: 3645952
    Image Feature: WIRELESS LAN|LWAPP
    Image Family: C1130
    Wireless Switch Management Version: 4.2.207.0
Extracting files...
c1130-k9w8-mx.124-10b.JDD/ (directory) 0 (bytes)
extracting c1130-k9w8-mx.124-10b.JDD/c1130-k9w8-mx.124-10b.JDD (3374566 bytes)
*Mar  1 0!0:08:23.897: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
*Dec  2 23:38:41.161: %LWAPP-5-CHANGED: LWAPP changed state to IMAGE!!
 
 
So, the lwapp command was accepted, and now we can statically define the WLC for it to discover. While you probably won’t have to do this on the lab (though, who knows!) hopefully it can be useful in the field or in your home lab.

Thursday, 17 February 2011

VTP Modes

Use Version 2 when a transparent mode switch needs to send received updates out of its trunks.

 

VTP Modes

You can configure a switch to operate in any one of these VTP modes:
  • Server—In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode.
  • Client—VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
  • Transparent—VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements, but transparent switches do forward VTP advertisements that they receive out their trunk ports in VTP Version 2.
  • Off (configurable only in CatOS switches)—In the three described modes, VTP advertisements are received and transmitted as soon as the switch enters the management domain state. In the VTP off mode, switches behave the same as in VTP transparent mode with the exception that VTP advertisements are not forwarded.

Thursday, 10 February 2011

Autonomous QoS

If a CoS Value comes into the AP, that takes priority over all other QoS policies.

Then the dot11 phone setting is used to "identify" a phone and provide priority.

Then QoS policies are looked at.


For QBSS Draft 6 supported by the 7920, QoS Element for Wireless Phones to enable (no dot11e)
dot11 phone

For QBSS Draft 12 IEE802.11e supported by the 7921 also tick dot11e
dot11 phone dot11e

Enable WMM for the Vendor specific que values to be offered in the beacons (per radio) does not hurt to leave on in most cases unless they ask you to remove it
default

Enable Low latency where needed so that packets are dropped after certain level of discard. Not for 7921 due to its dynamic queing mechanism.

When optimising for 7921 phones, design guides state to match RTP and SCCP by DSCP and map to relevent cos (possibly not needed but hey!)
class-map match-all _class_RTP0
 match ip dscp ef
class-map match-all _class_RTP1
 match ip dscp cs3

policy-map RTP
 class _class_RTP0
  set cos 6
 class _class_RTP1
  set cos 4


interface Dot11Radio0.13
 service-policy input RTP
 service-policy output RTP


Also when optimising. Select Optimized for voice, but remove low latency queing from Stream as 7921 dont need it!

Wednesday, 9 February 2011

WDS and CCKM

A breakdown of the configuration required for WDS and a CCKM ssid. Scenario requires EAP-FAST for the WDS auth and LEAP for the client auth.

aaa authentication login eap_methods group rad_eap
(set up the auth method, can be the same as the client auth)

aaa group server radius rad_eap
server 10.10.110.103 auth-port 1812 acct-port 1813
(configure a radius group for local or ACS)
radius-server host 10.10.110.103 auth-port 1812 acct-port 1813 key 7 020F145E13160A3358
(define the radius server and key)

radius-server local
 eapfast server-key primary auto
 nas 10.10.110.103 key xxx
(nas only required on WDS AP, other AP's in the domain use WLCCP for client auth)
 user wds pass xxx
(user for infrastructure auth)
 user leap pass xxx
(user for client auth)
eap profile FAST
 method fast

wlccp ap username wds password xxx
(to join the AP to the WDS, also needs to be done on domain AP's)
wlccp ap eap profile FAST
(this is required to specify EAP-FAST as the infrastructure auth type, if not LEAP is used!)wlccp authentication-server infrastructure eap_methods
(specifies the infrastructure auth method)wlccp authentication-server client leap eap_methods
(specifies client auth method)  ssid Test5
wlccp wds recovery rate 10
(allows only 10 authentications per second during failover to prevent DoS)wlccp wds priority 255 interface BVI1
(enables WDS on this AP and configures priority, 255 is the highest and will be WDS)

dot11 ssid Test5
   vlan 15
   authentication network-eap eap_methods
  (open eap not required as LEAP only)   authentication key-management cckm
 (enable CCKM fast roaming for the SSID)

interface Dot11Radio0
 encryption vlan 15 mode ciphers ckip-cmic
(enable ckip Cisco proprietary encryption with cmic to check integrity)
dot11 extension aironet
(this must be enabled with ckip and cmic, it should be by default)

Tuesday, 8 February 2011

Tacacs Authentication and Authorization

A breakdown of what is required for tacacs user auth on an AAP.

aaa new-model

aaa authentication login LOGIN group tac_users local
aaa authentication enable default group tac_users enable
aaa authorization exec LOGIN group tac_users local

(used LOGIN in this case as there was a requirement to use non default auth list)

aaa group server tacacs+ tac_users server 10.10.210.5

tacacs-server host 10.10.210.5 key 7 08285C4B1109000506

ip http authentication aaa login-authentication LOGINip http authentication aaa exec-authorization LOGIN
(define HTTP authentication lists)

line vty 0 4
 authorization exec LOGIN login authentication LOGIN transport input ssh
(define VTY line attributes)

ACS

Configure NAS
Interface Configuration - Advanced options
Select user options if required
Edit TACACS+,add shell and advanced options
Under User or Group, Set Max privilege to 15, Use Ciscosecure PAP password under enable

Set per user command auth
Permit unmatched in no specific commands required

Network EAP v Open with EAP

Thanks to Jerome Henry for this excellent explanation......

 

Autonomous APs: Network EAP vs. Open with EAP, the right combination

When configuring an SSID with EAP/802.1X on an autonomous AP, you are given the choice between Network EAP and Open with EAP (or both).

On the CLI, you would say:
dot11 ssid whatever
   authentication open eap eap_methods
   authentication network-eap eap_methods
As Cisco documentation (for example here) is... er... not completely clear (thanks Seth for pointing me to it!), if not completely wrong, here is a quick summary of which one to choose and when.

First, background information on why this is here (skip this part if you don't care about the whys and just care about the hows).
All this started at the time when we had "nothing (Authentication set to 0 in the AP beacons)" or WEP PSK (Authentication set to 1 in the AP beacons). WEP was weak, so everybody needed a replacement for it. Cisco implemented LEAP, which implies both au authenticaion mechainsm and some encryption. So Cisco set the Authentication value to 1 in the AP beacons using LEAP, not to indicate PSK but to indicate "authentication required" (and this is also why you cannot use LEAP with no encryption). But this does not really conform to the (future, when LEAP was created) 802.11i (and WPA) specifications, so this is Cisco specific...
Later on, when WPA and 802.11i appeared, the protocol detailed that, for compatibility with the 802.1X protocol, the authentication would occur at the association phase. In other words, with 802.1X you plug your PC to a switch, and it is only when you do that that authentication occurs. Similarly in the wireless space, you go through the 802.11 authentication phase (request/response) in an open manner, and it is only when you go to the association phase, which is the "hey, plug me to your cell" message, that the AP says "wait, I need to do 802.1X authentication first", and the EAP process starts. So, Authentication is set to 0 (for its 802.11 part), and EAP/802.1X starts at the association phase.
At the same time, in 2004, ASLEAP was released, and so was 802.11i, following WPA the year before. So when Cisco replaced LEAP with EAP-FAST, the information I have is that they conformed to the WPA/802.11i specifications, and Authentication is set to 0.

So, (whatever the documentation above says) Network EAP = LEAP. Open with EAP = Any other EAP. This is something you see when checking Network EAP: the popup window clearly states that if you use EAP-FAST or any other EAP (than LEAP), you should check Open with EAP. You can of course check both when you want to allow LEAP and another EAP, but you will not be able to authenticate using EAP-FAST if you choose Network EAP only...

There is one exception though... for long, LEAP used to be the default "secure" authentication method. This makes that some old Cisco clients (for example access points!) need to be offered LEAP to get started (or turned on, name it the way you like)!
In other words, if you build a wireless link between 2 APs, for a repeater, bridge or Workgroup Bridge configuration, and if you use 802.1X on that link, you need to offer LEAP (i.e Network EAP) for the secure authentication to be used. So you can offer Network EAP, or Network EAP and Open with EAP, but you should not offer just Open with EAP.
Which one is going to be used if you offer both? Well, it all depends on how you configure your client side (non root Bridge, Workgroup Bridge, etc). If you use the "old" EAP Client (optional feature), in the SSID page:

Which is in the CLI:
dot11 ssid whatever
   authentication client username jerome password 7 104D000A0618
This is going to use LEAP only.
If you want to use another EAP, for example EAP-FAST, you need to empty that EAP Client field (it cannot be used in combination with another method), then use the AP Authentication feature.

In this page, you define credentials and method. You can pick up several methods if you want.
Then from the SSID page, you can call these methods:

In the CLI, this is:
dot11 ssid whatever
   dot1x credentials jerome
   dot1x eap profile Myfast
exit
eap profile Myfast
 method fast
dot1x credentials jerome
 username cisco
 password cisco
So you offer both LEAP and Open with EAP, and using the newer AP Authentication method allows you to to use the credentials you defined, and use the most secure method selected. In this example, we use EAP FAST only, so that's the one we'll use. Of course, the RADIUS to which you main AP points (local RADIUS on the main APor external RADIUS) needs to allow that method.
Careful when testing, it is only from the non-root AP / WGB /  repeater CLI that you will use, at authentication time, which method was used. The main AP CLI will just tell you "WPA", or "Open", etc., but not the details of the authentication method used.
If you offer just Open with EAP, as the AP expects LEAP (Network LEAP) among the possibilities, then the EAP part is discarded. Although your link may come up, if you look carefully at your non-root AP CLI, you will see that the authentication is going to be "Open" (NOT with EAP), so there is no real authentication there. As soon as you also offer Network EAP, the non-root AP is happy, being offered LEAP, btu also something stronger, and is going to use the stronger method (EAP-FAST in our example)>
Give it a try in your lab!
;-)

Monday, 7 February 2011

short-slot-time

short-slot-time (default)

Use to enhance 802.11g performance

Use the short-slot-time configuration interface command to enable short slot time on the 802.11g, 2.4-GHz radio. Short slot time reduces the slot time from 20 microseconds to 9 microseconds, thereby increasing throughput. The access point uses short slot time only when all clients that are associated to the 802.11g radio can support short slot time.
short-slot-time

Note This command is supported only on 802.11g, 2.4-GHz radios.

Syntax Description

This command has no arguments or keywords.

Defaults

Short slot time is disabled by default.

Command Modes

Configuration interface

Command History

Release
Modification
12.2(13)JA
This command was introduced.

Examples

This example shows how to enable short slot time:
AP(config-if)# short-slot-time

dot11 extension aironet

dot11 extension aironet 

There are several additional attributes provided with AE. Can be disabled sometimes for legacy clients to connect. 

Use the dot11 extension aironet configuration interface command to enable or disable Cisco Aironet extensions to the IEEE 802.11b standard. Use the no form of this command to disable the Cisco Aironet extensions.
[no] dot11 extension aironet

Note You cannot disable Cisco Aironet extensions on bridges.

Syntax Description

This command has no arguments or keywords.

Defaults

Cisco Aironet extensions are enabled by default.

Command Modes

Configuration interface

Command History

Release
Modification
12.2(4)JA
This command was introduced.

Usage Guidelines

The Cisco Aironet extensions help clients choose the best access point. You must enable these extensions to use advanced features such as Cisco MIC and key hashing. Disable these extensions for non-Cisco clients that misinterpret the extensions.

Examples

This example shows how to enable Cisco Aironet extensions for the radio interface:
AP(config-if)# dot11 extension aironet
This example shows how to disable Cisco Aironet extensions for the radio interface:
AP(config-if)# no dot11 extension aironet


What are the features supported by the Aironet Extension option?

A. The Aironet extension is a proprietary feature implemented by Cisco. Aironet extensions contains information elements that support these features.
Devices that are CCX compatible also can take advantage of some of the Aironet Extension features. Here is a list of the features available with the different versions of Cisco Compatible Extensions:
Cisco Compatible Extensions - Versions and Features


preamble-short

preamble-short (default)

Can be used to improve the performance of 802.11g clients capable of supporting short preambles and less overhead.



Use the preamble-short configuration interface command to enable short radio preambles. The radio preamble is a selection of data at the head of a packet that contains information that the access point and client devices need when sending and receiving packets. Use the no form of the command to change back to default values.

[no] preamble-short


Note This command is not supported on the 5-GHz access point radio interface (dot11radio1).


Syntax Description


This command has no arguments or keywords.

Defaults


The default is short radio preamble.

Command Modes


Configuration interface

Command History


Release

Modification

12.2(4)JA

This command was introduced.


Usage Guidelines


If short radio preambles are enabled, clients may request either short or long preambles and the access point formats packets accordingly. Otherwise, clients are told to use long preambles.

Examples


This example shows how to set the radio packet to use a short preamble.

AP(config-if)# preamble-short




Part of the frame that is transmitted by an 802.11 station is called the preamble. The original 802.11 specification (which defined only 1 and 2Mbps operation), defined only a long preamble that uses a 128 bit sync field. When the "high rate", i.e. 11Mbps, 802.11b standard was created, an optional short preamble using a 56 bit "sync" field was added. This was intended to improve the efficiency of the wireless network for more "real-time" applications such as streaming video and Voice-over-IP telephony applications. Figure 1 has the gory details on the two preambles if you're interested.

Figure 1: Short and long 802.11 preambles
From: 802.11 Wireless Networks: The Definitive Guide , used by permission [1]
All 802.11 devices in the 2.4 GHz band, including 802.11g devices, must be able to transmit and receive long preamble frames. 802.11g devices are required to be able to transmit and receive both long and short preambles, but support for short preamble in 802.11b devices is optional.
The problem occurs when an 802.11g AP allows the use of Short Preamble by the stations it communicates with (also known as its BSS - Basic Service Set). The AP may also choose to allow legacy stations that do not support Short Preamble to associate with the BSS. If both these conditions are allowed, the legacy stations that aren't short-preamble-capable will not be able to understand much of the communication in the BSS, and most importantly won't be able to receive the all-important "Protection" frames. This could result in legacy 11b stations transmitting at the same time as 11g stations, which doesn't help either one to properly get their data sent!
This 802.11b interoperability problem has been noted in recent articles on draft-802.11g, but it looks as though it may be getting somewhat overstated. First, the short-preamble problem affects only a subset of the 802.11b products in the field. Specifically, ORiNOCO and Symbol cards and those using the Intersil PRISM 2.0 and Agere Systems chipsets.
Second, manufacturers may already have incorporated a fix for this problem into their AP code. (I've used both ORiNOCO and PRISM 2.0 based cards in my testing and have yet to run across the problem.) And finally, another reason to relax is that I'm told that the IEEE Task Group g committee will probably address this issue in the 802.11g standard after some additional debate.

broadcast-key

broadcast-key 

All dot1x clients have a unique key but share a seperate broadcast key that is derived through the dot1x process. To rotate that key use this command on the radio interface.

Use the broadcast-key configuration interface command to configure the time interval between rotations of the broadcast encryption key used for clients. Use the no form of the command to disable broadcast key rotation.
[no] broadcast-key
[vlan vlan-id]
[change secs]
[
membership-termination ]
[
capability-change ]

Note Client devices using static WEP cannot use the access point when you enable broadcast key rotation. When you enable broadcast key rotation, only wireless client devices using 802.1x authentication (such as LEAP, EAP-TLS, or PEAP) can use the access point.


Note This command is not supported on bridges.

Syntax Description

vlan vlan-id
(Optional) Specifies the virtual LAN identification value
change secs
(Optional) Specifies the amount of time (in seconds) between the rotation of the broadcast encryption key
membership-termination
(Optional) If WPA authenticated key management is enabled, this option specifies that the access point generates and distributes a new group key when any authenticated client device disassociates from the access point. If clients roam frequently among access points, enabling this feature might generate significant overhead.
capability-change
(Optional) If WPA authenticated key management is enabled, this option specifies that the access point generates and distributes a dynamic group key when the last non-key management (static WEP) client disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) client authenticates. In WPA migration mode, this feature significantly improves the security of key-management capable clients when there are no static-WEP clients associated to the access point.

Defaults

This command has no defaults.

Command Modes

Configuration interface

Command History

Release
Modification
12.2(4)JA
This command was introduced.

Examples

This example shows how to configure vlan10 to support broadcast key encryption with a 5-minute key rotation interval:
AP(config-if)# broadcast-key vlan 10 change 300
This example shows how to disable broadcast key rotation:
AP(config-if)# no broadcast-key

countermeasure tkip hold-time

countermeasure tkip hold-time 

Use this to freeze out clients that perform an attack such as a bit-flip. To be applied per radio.

Use the countermeasure tkip hold-time configuration interface command to configure a TKIP MIC failure holdtime. If the access point detects two MIC failures within 60 seconds, it blocks all the TKIP clients on that interface for the holdtime period.
countermeasure tkip hold-time seconds

Syntax Description

seconds
Specifies the length of the TKIP holdtime in seconds (if the holdtime is 0, TKIP MIC failure hold is disabled)

Defaults

TKIP holdtime is enabled by default, and the default holdtime is 60 seconds.

Command Modes

Configuration interface

Command History

Release
Modification
12.2(11)JA
This command was introduced.

Examples

This example shows how to configure the TKIP holdtime on the access point radio:
ap(config-if)# countermeasure tkip hold-time 120

dot11 holdoff-time

dot11 holdoff-time

This one threw me. You can use this with EAP and MAC auth to freeze out clients that fail to log in properly to prevent DoS.

Use the dot11 holdoff-time global configuration command to specify the hold-off time for EAP and MAC address authentication. The holdoff time is invoked when a client fails three login attempts or fails to respond to three authentication requests from the access point. Use the no form of the command to reset the parameter to defaults.
[no] dot11 holdoff-time seconds

Syntax Description


seconds

Specifies the hold-off time (1 to 65555 seconds)

Defaults

The default holdoff time is 0 (disabled).

Command Modes

Global configuration

Command History


Release

Modification

12.2(4)JA

This command was introduced.

Examples

This example shows how to specify a 2-minute hold-off time:
AP(config)# dot11 holdoff-time 120
This example shows how reset the hold-off time to defaults:
AP(config)# dot11 no holdoff-time