CISCO: Baseline Configuration

During the first boot of a Cisco Device configured from scratch you need to decline the Device's prompt to “auto-configure” it. Answer “No”.

Would you like to enter the initial dialog? [yes]: no

Then follow the most common configuration steps below. Here is an example of the configuration of Router CISCO2821 at the Gogolya.Pushkino site. Below you will find a detailed explanation of each step.

Router>enable
Router#configure terminal
Router(config)#hostname sr-2821.gogolya.pushkino
sr-2821.gogolya.push(config)#username vpupkin password GijkLK34Vtt8suW01
sr-2821.gogolya.push(config)#enable secret FoiHGt76Vb4ks57SdUmn45
sr-2821.gogolya.push(config)#service password-encryption
sr-2821.gogolya.push(config)#access-list 1 permit 172.16.0.0 0.15.255.255
sr-2821.gogolya.push(config)#line con 0
sr-2821.gogolya.push(config-line)#login local
sr-2821.gogolya.push(config-line)#logging synchronous
sr-2821.gogolya.push(config-line)#exec-timeout 1440 0
sr-2821.gogolya.push(config-line)#line vty 0 15
sr-2821.gogolya.push(config-line)#login local
sr-2821.gogolya.push(config-line)#logging synchronous
sr-2821.gogolya.push(config-line)#exec-timeout 1440 0
sr-2821.gogolya.push(config-line)#access-class 1 in
sr-2821.gogolya.push(config)#ip domain-name united-networks.ru
sr-2821.gogolya.push(config)#ip name-server 172.16.0.1
sr-2821.gogolya.push(config)#end
sr-2821.gogolya.pushkino#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

[OK]
sr-2821.gogolya.pushkino#

Some comments.

  • enable - enters privileged mode (en is the short form);
  • configure terminal - enters configuration mode (conf t);
  • hostname … - assigns the Host's name according to the ”Naming Convention” (host …);
  • username … password … - creates a new user; these credentials will be used during the login procedure. Notice that the credentials in the example above are fictional (user and pass);
  • enable secret … - sets the password for the “enable” command. In contrast with “enable password”, whose password is encrypted in “show running-config” only if “service password-encryption” was entered earlier, this command always encrypts the Enable Password (ena secr).
  • service password-encryption - hides all credentials that were entered in plain text and would otherwise be exposed to a Rogue's eyes in “show running-config” output. All passwords will be encrypted and encoded via Base64 (serv passw);
  • access-list 1 permit 172.16.0.0 0.15.255.255 - defines an Access Control List (ACL) which, when applied in a suitable place of the configuration, restricts access to the device. Notice that 1 is the ACL number in the configuration, and 0.15.255.255 is the bitwise inversion of the mask 255.240.0.0 (in other words an “inverse mask” or “wildcard”).
  • line con 0 - enters Console Line configuration. Here we make the Cisco Device ask for Username and Password (recall “username … password …” above) even for a wired Console connection. We also lengthen the period of inactivity after which the Cisco Device resets your connection to itself (exec-timeout) and make all Console output synchronous.
    • login local - makes your Cisco Device ask for username and password when a connection to it is opened. Because of the “local” clause in the command, the Cisco Device looks up the username and password in the locally created database (filled by “username … password …”);
    • logging synchronous - makes all output synchronous with the command line where you are typing commands. When you begin entering a new command and Cisco begins some output (for example you want to “show running-config” after leaving “conf t” mode by Control+C and your Router writes “Configured from console…”) - it bothers me a lot (logg sync);
    • exec-timeout 1440 0 - increases the inactivity timeout after which the Cisco Device resets the connection to itself to 1440 minutes 0 seconds, i.e. 24 hours. The default period is about 10 minutes (exec-t);
  • line vty 0 15 - enters Terminal Line configuration. 16 simultaneous Telnet connections to a Cisco Device are possible. They are called “lines”, like the Console connection. You can configure lines 0 to 14 (line vty 0 14) in one manner and the 16th (line vty 15) in another. The last line then becomes a hot line for the Mega-System-Administrator when all other lines have been taken by other users, students and technical support engineers of lower rank. VTY lines are configured much like the Console Line, with the same commands and the same meaning.
  • access-class 1 in - binds the previously defined access-list 1 to the VTY lines. Pay attention to the “in” clause. It defines the direction in which the access-list acts. When a packet arrives via a telnet connection the access-list is applied: the source and destination IP addresses from the packet's header are compared with the IPs/wildcards, and if they match the packet's data goes on to processing by the CPU. “in” means that the comparison takes place before processing, that is for incoming packets.
  • ip domain-name … - specifies the DNS Domain for this device. Hostname plus DNS Domain form the FQDN (Fully Qualified Domain Name). It does not matter if you omit it now, but it will be needed when an SSH connection to this Cisco Device is configured (ip domain-n).
  • ip name-server … - specifies the IP of the DNS server which the Cisco Device will use to resolve names entered by the User in the CLI. It is good manners to specify two DNS servers. And you simply must choose the DNS server IP nearest to this Cisco Device. For instance some Srvgate (a gateway in the same subnet as the Cisco Device) which also runs Bind may have two interfaces, so you need to point at the nearest one (ip nam).
  • copy running-config startup-config - after each modification of the Cisco config you must save your changes to NVRAM, to avoid questions about why your router works strangely after a restart and what was in the configuration before the reboot (copy run start).

That is all about initial configuration.
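The wildcard arithmetic behind access-list 1 is worth checking before an access-class is applied, because a wrong wildcard silently widens or narrows who may reach the VTY lines. The following is an added example, not code from the original page: it inverts a subnet mask into a Cisco wildcard, parses standard-ACL lines in the page's syntax (including the “host” and “any” forms, a small generalization beyond the single entry above) and answers the question “would this source address be permitted?”, honouring the implicit deny at the end of every IOS ACL. The sample configuration lines are constructed from the page's entries.

```python
import ipaddress

# Added example (not from the original page): wildcard-mask arithmetic for
# IOS standard ACLs, so an access-class can be checked before it is applied.

ALL_ONES = 0xFFFFFFFF


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_mask(mask: str) -> str:
    """Bitwise-invert a subnet mask: 255.240.0.0 -> 0.15.255.255."""
    return str(ipaddress.IPv4Address(_as_int(mask) ^ ALL_ONES))


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'must match', a bit of 1 means 'don't care'."""
    care = _as_int(wildcard) ^ ALL_ONES
    return (_as_int(ip) & care) == (_as_int(network) & care)


def parse_standard_acl(config_lines):
    """Parse 'access-list N permit|deny <addr> [wildcard]' lines into
    (number, action, network, wildcard) tuples, in configuration order.
    'host X' and 'any' are accepted too; a missing wildcard defaults to
    0.0.0.0 exactly as IOS does for 'access-list 10 permit 172.16.0.1'."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action = int(tokens[1]), tokens[2]
        if tokens[3] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif tokens[3] == "host":
            network, wildcard = tokens[4], "0.0.0.0"
        else:
            network = tokens[3]
            wildcard = tokens[4] if len(tokens) > 4 else "0.0.0.0"
        entries.append((number, action, network, wildcard))
    return entries


def acl_decision(entries, acl_number, src_ip):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for number, action, network, wildcard in entries:
        if number == acl_number and wildcard_match(src_ip, network, wildcard):
            return action
    return "deny"


# Constructed sample: the two ACLs from this page plus one 'any' entry.
SAMPLE_CONFIG = [
    "access-list 1 permit 172.16.0.0 0.15.255.255",
    "access-list 10 permit 172.16.0.1",
    "access-list 2 permit any",
]
ACL = parse_standard_acl(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(wildcard_from_mask("255.240.0.0"))          # 0.15.255.255
    for ip in ("172.31.255.254", "172.32.0.1"):
        print(ip, acl_decision(ACL, 1, ip))           # permit, deny
```

Note that 172.16.0.0 0.15.255.255 covers the whole 172.16.0.0/12 block (172.16.0.0 to 172.31.255.255); if the intention was only the 172.16.0.0/24 subnet of the Srvgate, the wildcard should be 0.0.0.255 instead.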

CISCO: Baseline Switch

sw-2960.gogolya.pushkino>enable
sw-2960.gogolya.pushkino#configure terminal
sw-2960.gogolya.push(config)#access-list 1 permit 172.16.0.0 0.15.255.255
sw-2960.gogolya.push(config)#interface vlan 10
sw-2960.gogolya.push(config-if)#ip address 172.16.0.21 255.255.255.0
sw-2960.gogolya.push(config-if)#no shutdown
sw-2960.gogolya.push(config-if)#ip access-group 1 in
sw-2960.gogolya.push(config-if)#exit
sw-2960.gogolya.push(config)#ip default-gateway 172.16.0.1
sw-2960.gogolya.push(config)#end
sw-2960.gogolya.pushkino#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

[OK]
sw-2960.gogolya.pushkino#

Some comments.

  • interface vlan 10 - all Switches work at the second layer of the ISO/OSI model. They forward packets instead of routing them as Routers do. Nevertheless almost all Switches have third-layer interfaces. Some enhanced Switches can route packets between them in addition to their main forwarding function, but unlike Routers they do this in a restricted way; they lack most Router functions. And every Switch has at least one layer-3 interface for management purposes. These interfaces are called Switched Virtual Interfaces (SVI). An SVI is assigned an IP address and is placed in one of the VLANs present on the Switch. Pay attention to the SVI name, which is the same as the name of the VLAN where the SVI is placed. This interface processes packets carrying that particular 802.1q tag; it is said that the SVI terminates its VLAN. On third-layer Switches SVIs are often the Default Gateways for the networks located in the corresponding VLANs. In our case, as was said, the SVI serves the purpose of managing the Switch. When a packet addressed to the IP specified in the SVI settings arrives at the Switch, the latter hands it to its CPU for processing: the Switch “thinks” that this packet is addressed to it.
  • ip address … - here everything is obvious.
  • no shutdown - in some versions of IOS interfaces are in the shutdown state by default, that is, the “shutdown” command is already applied. This example demonstrates how to negate a command: just prepend the word “no” and the command is cancelled.
  • ip access-group 1 in - this is only an example; a real access-list will be much larger. Here we see how an access-list can be bound to an interface. Just as access-lists on VTY lines restrict access to the Switch itself, access-lists on an interface restrict traffic flows passing through the Switch at layer “Three”. ACLs can be bound in both directions, IN and OUT. It is better to restrict traffic before it enters the Switch, that is, in the IN direction.
  • ip default-gateway … - simple Switches live by different rules than Routers or third-layer Switches. They do not maintain a routing table at all; they need only one route, the Default Route, which is specified by this command. Pay attention to the IP address of the Default Gateway: it must be the nearest IP of the closest Router which leads to other networks.

CISCO: Baseline Router

Routers have some specific features inherent in their purpose of routing packets.

sr-2821.gogolya.pushkino>enable
sr-2821.gogolya.pushkino#configure terminal
sr-2821.gogolya.push(config)#access-list 1 permit 172.16.0.0 0.15.255.255
sr-2821.gogolya.push(config)#interface GigabitEthernet 0/0
sr-2821.gogolya.push(config-if)#ip address 172.16.0.24 255.255.255.0
sr-2821.gogolya.push(config-if)#duplex auto
sr-2821.gogolya.push(config-if)#speed auto
sr-2821.gogolya.push(config-if)#ip access-group 1 in
sr-2821.gogolya.push(config-if)#no shutdown
sr-2821.gogolya.push(config-if)#exit
sr-2821.gogolya.push(config)#ip route 0.0.0.0 0.0.0.0 172.16.0.1
sr-2821.gogolya.push(config)#end
sr-2821.gogolya.pushkino#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

[OK]
sr-2821.gogolya.pushkino#

Some comments.

  • interface GigabitEthernet0/0 - to connect the Router to the Network we need to configure one or more of its interfaces with an IP address. After the Router's interface is assigned an IP we can open a Telnet session to it. That session will be governed by the settings of the VTY lines (line vty 0 15) defined above.
  • ip address … - here everything is obvious.
  • duplex … and speed … - it is strongly recommended to leave the speed and duplex settings in auto mode.
  • ip access-group 1 in - this is only an example; a real access-list will be much larger. Here we see how an access-list can be bound to an interface. Just as access-lists on VTY lines restrict access to the Router itself, access-lists on an interface restrict traffic flows passing through the Router. ACLs can be bound in both directions, IN and OUT. It is better to restrict traffic before it enters the Router, that is, in the IN direction.
  • no shutdown - in some versions of IOS interfaces are in the shutdown state by default, that is, the “shutdown” command is already applied. This example demonstrates how to negate a command: just prepend the word “no” and the command is cancelled.
  • exit - leaves the current configuration mode (in this case interface configuration mode) and returns the Router to the previously entered configuration mode (here global configuration mode). By contrast, end leaves configuration altogether and returns the Router to privileged mode, where only show and debug commands are available.
  • ip route … - in contrast to Switches, Routers maintain many routes. Switches are “satisfied” with one single route, the Default Route; Routers are meant to choose one from a great number of routes. Routes can be inserted into the routing table (which, by the way, can be shown with show ip route) in one of three ways:
    • all IP subnets assigned to the Router's interfaces are automatically inserted into the Routing Table as “Directly Connected”;
    • they can be manually inserted with ip route …; these are called “static routes”;
    • and finally they can be learned by Routing Protocols such as RIP, OSPF or BGP running on this Router.

Different sources of routes have different priority, called “Administrative Distance”:

Source of route               Administrative distance
Directly connected interface  0
Static route                  1
EIGRP summary                 5
External BGP                  20
Internal EIGRP                90
IGRP                          100
OSPF                          110
IS-IS                         115
RIP                           120
EGP                           140
On Demand Routing             160
External EIGRP                170
Internal BGP                  200
Unknown                       255

As can be seen, a Directly Connected subnet has the highest priority. But a Router considers Administrative Distance only in the second place. The first criterion, if two routes to the same destination exist, is prefix length. For example, if the Router's routing table contains two routes, 192.168.0.0/29 learned by RIP and the static route 192.168.0.0/24, RIP will be preferred because its mask (29 one-bits) is longer than the 24 one-bits of the Static Route; that is, RIP offers a “more specific route”. And in the third place the metric of the routing protocol is considered. For example, the RIP metric measures the path in hops (other Routers) which an IP packet crosses on its way to the target. OSPF has a cost metric which is inversely proportional to link speed. Static routes have the same metric as RIP.

Order  Factor
1      Prefix length
2      Administrative distance
3      Protocol metric

That was a brief excursus into routing theory. But let's return to our particular route. An address of all zeros means “all possible addresses” and a zero-length mask means “all possible masks”. Generally speaking, the route above is the Default Route, which is less specific than every other route in the Routing Table. If no other route is found in the Routing Table the Default Path is chosen. Pay attention to the IP address of the Default Gateway: it must be the nearest IP of the closest Router which leads to other networks.
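The three-stage selection just described (longest prefix, then Administrative Distance, then protocol metric) is easy to get wrong when reading a large show ip route by eye. Here is an added example, not code from the page, that models a routing table with the Administrative Distances from the table above and resolves a destination the way the text describes: it includes the page's 192.168.0.0/29 (RIP) versus 192.168.0.0/24 (static) case, a tie on prefix length decided by Administrative Distance, and the Default Route as the fallback. The route entries and next hops are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the original page). Administrative Distances
# as listed in the table above; lower is preferred.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
    "ospf": 110, "isis": 115, "rip": 120, "ibgp": 200,
}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str       # key into ADMIN_DISTANCE
    metric: int       # protocol metric (hops for RIP, cost for OSPF)
    next_hop: str     # next-hop IP or outgoing interface


def matching_routes(table, destination):
    """Stage 0: every route whose prefix contains the destination."""
    dst = ipaddress.IPv4Address(destination)
    return [r for r in table if dst in r.prefix]


def best_route(table, destination):
    """Stage 1 longest prefix, stage 2 lowest AD, stage 3 lowest metric.
    Returns None when not even a default route matches."""
    candidates = matching_routes(table, destination)
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-r.prefix.prefixlen, ADMIN_DISTANCE[r.source], r.metric),
    )


def deciding_factor(table, destination):
    """Which of the three factors actually settled the choice (for explaining a lookup)."""
    candidates = matching_routes(table, destination)
    if len(candidates) <= 1:
        return "only candidate" if candidates else "no route"
    best = best_route(table, destination)
    same_len = [r for r in candidates if r.prefix.prefixlen == best.prefix.prefixlen]
    if len(same_len) == 1:
        return "prefix length"
    same_ad = [r for r in same_len if ADMIN_DISTANCE[r.source] == ADMIN_DISTANCE[best.source]]
    return "administrative distance" if len(same_ad) == 1 else "metric"


def net(s):
    return ipaddress.IPv4Network(s)


# Constructed sample table: the page's default route and connected subnet,
# the /29-vs-/24 example from the text, and a 10.0.0.0/8 learned twice.
SAMPLE_TABLE = [
    Route(net("0.0.0.0/0"), "static", 0, "172.16.0.1"),
    Route(net("172.16.0.0/24"), "connected", 0, "GigabitEthernet0/0"),
    Route(net("192.168.0.0/24"), "static", 0, "172.16.0.2"),
    Route(net("192.168.0.0/29"), "rip", 2, "172.16.0.3"),
    Route(net("10.0.0.0/8"), "rip", 1, "172.16.0.4"),
    Route(net("10.0.0.0/8"), "ospf", 20, "172.16.0.5"),
]

if __name__ == "__main__":
    for dst in ("192.168.0.5", "192.168.0.100", "10.1.2.3", "8.8.8.8"):
        r = best_route(SAMPLE_TABLE, dst)
        print(dst, "->", r.prefix, r.source, "via", r.next_hop, "|", deciding_factor(SAMPLE_TABLE, dst))
```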

  • copy running-config startup-config - don't forget to save the changes!

CISCO: NTP Configuration

The internal clock of each Cisco Device needs to be synchronised with the Network. Each Srvgate runs NTP software synchronized with the Central Site, and the Central Site synchronizes its own clock with some good-quality (stratum 1 or 2) NTP servers somewhere on the Internet. There are several reasons why this is important. For example, a network trace taken on two devices with unsynchronized clocks will show mismatched event times. Consider a situation when one of them sends a packet to the other: if we are sniffing the network on these devices we can easily see the packet arriving earlier than it was sent. The second reason is interaction with ISPs, when there is a need to compare the ISP's logs with ours.

Here is a simple configuration for Cisco Devices.

sr-2821.gogolya.pushkino>enable
sr-2821.gogolya.pushkino#configure terminal
sr-2821.gogolya.push(config)#ntp server 172.16.0.1
sr-2821.gogolya.push(config)#clock timezone MSK 3
sr-2821.gogolya.push(config)#clock summer-time MSK recurring last Sat Mar 2:00 last Sat Oct 2:00
sr-2821.gogolya.push(config)#service timestamps debug datetime localtime
sr-2821.gogolya.push(config)#service timestamps log datetime localtime
sr-2821.gogolya.push(config)#end
sr-2821.gogolya.pushkino#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

[OK]
sr-2821.gogolya.pushkino#

Some comments.

  • ntp server … - specifies the IP or Hostname (FQDN) of an NTP server in the Network. On some versions of IOS this command differs: “sntp server …” - be attentive. Also take care to specify the nearest NTP server.
  • clock timezone … - defines the Time Zone for the current region. MSK is a symbolic name (it does not matter what it is) and 3 is the offset from UTC.
  • clock summer-time … recurring … - indicates that an Autumn/Spring time change recurs in the MSK region, and “last Sat Mar 2:00” and “last Sat Oct 2:00” are the dates/times when it happens.
  • service timestamps … datetime localtime - specifies that for “debug” and “log” messages Cisco will use local time instead of UTC. Warning! This leads to changes in startup-config every time you do an idle “copy run start”:
sr-2821.gogolya.pushkino#show running-config
Building configuration...
Current configuration : 3362 bytes
!
! Last configuration change at 21:08:35 MSK Mon May 30 2011 by eyatsko
! NVRAM config last updated at 13:29:05 MSK Mon May 30 2011 by eyatsko
!
version 12.4
...

These two lines will change every time a configuration save occurs (because they contain the Date/Time and the Changer's Name):

Last configuration change at 21:08:35 MSK Mon May 30 2011 by eyatsko
NVRAM config last updated at 13:29:05 MSK Mon May 30 2011 by eyatsko

CISCO: SSH support

SSH is a more secure transport for connecting to Cisco devices. It is standardized in United Networks.

sr-2821.gogolya.pushkino>enable
sr-2821.gogolya.pushkino#configure terminal
sr-2821.gogolya.push(config)#ip domain-name united-networks.ru
sr-2821.gogolya.push(config)#crypto key generate rsa modulus 768
The name for the keys will be: sr-2821.medvedkovo.msk.united-networks.ru
% You already have RSA keys defined for sr-2821.medvedkovo.msk.united-networks.ru.
% They will be replaced.

% The key modulus size is 768 bits
Generating RSA keys ...
[OK]
sr-2821.gogolya.push(config)#ip ssh version 2
sr-2821.gogolya.push(config)#line vty 0 15
sr-2821.gogolya.push(config-line)#transport input ssh
sr-2821.gogolya.push(config-line)#end
sr-2821.gogolya.pushkino#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

[OK]
sr-2821.gogolya.pushkino#

Some comments.

  • ip domain-name … - recall that a DNS name is needed for RSA Key Generation.
  • crypto key generate rsa modulus 768 - generates the RSA Key for SSH session encryption; modulus defines the Key length. The default is 512, which is acceptable for the PuTTY Client but not for the SSH client under Linux: the latter requires a longer Key and refuses to connect otherwise.
  • ip ssh version 2 - enables the SSH server on the Cisco Device and sets its version to 2.
  • transport input ssh - allows only the SSH transport for incoming connections to the Device; it disables all other “input” transports.
  • Don't forget to “copy run start”.

CISCO: SYSLOG logging

There are several reasons for centralized logging. SYSLOG is a daemon on Linux/FreeBSD which is responsible for accepting events from other daemons, classifying them and writing them to different log files. On the other hand, SYSLOG is also a protocol using UDP/514 which can accept events from other systems and write them to logs too. It would be convenient to gather all events happening on Cisco Devices into a single centralized log. Do you remember console messages like these:

May 31 11:00:12: %SYS-5-CONFIG_I: Configured from console by eyatsko on vty0 (172.16.128.150)
May 31 11:16:38: %OSPF-5-ADJCHG: Process 1, Nbr 172.31.99.99 on GigabitEthernet0/0.10 from LOADING to FULL, Loading Done

First of all, there will be no need to visit each Router or Switch to look at the local Log, which by the way is rather limited in size, because a Cisco has no HDD, in contrast to a Linux server, and logs are stored in memory. Second, additional opportunities to process messages arise. For example, tracking who (and how?) changed the configuration; this can also be done via SNMP Traps. Another example is to parse logs periodically and send e-mail to network operators in reaction to critical messages.
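Both uses named above (finding out who changed a configuration, and reacting to critical messages) start with parsing the %FACILITY-SEVERITY-MNEMONIC header of IOS messages. The following is an added example, not code from the page: it extracts facility, severity and mnemonic, pulls user, line and source IP out of SYS-5-CONFIG_I messages, and separates messages at or above an alert severity. The pattern is searched rather than anchored at the start of the line, so it works both on the console form shown above and on lines as a syslog server stores them (with its own timestamp, hostname and sequence number in front). The sample log lines are constructed; the first two are the page's own messages.

```python
import re

# Added example (not from the original page): triage of IOS syslog messages.
# IOS format: "%FACILITY-SEVERITY-MNEMONIC: text"; severity 0 (emergency) .. 7 (debug).
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# Text of SYS-5-CONFIG_I; "on <line>" and the "(ip)" suffix are absent for a real console login.
CONFIG_RE = re.compile(
    r"Configured from (?P<how>\S+) by (?P<user>\S+)(?: on (?P<line>\S+))?(?: \((?P<ip>[\d.]+)\))?"
)


def parse_ios_message(line):
    """Return dict(facility, severity, mnemonic, text) or None for non-IOS lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg


def config_change(msg):
    """For CONFIG_I messages, who changed the configuration, from where and how."""
    if msg is None or msg["mnemonic"] != "CONFIG_I":
        return None
    m = CONFIG_RE.search(msg["text"])
    return m.groupdict() if m else None


def triage(lines, alert_severity=3):
    """Split a log into configuration-change records and alert-worthy messages
    (severity numerically <= alert_severity, i.e. errors and worse by default)."""
    changes, alerts = [], []
    for line in lines:
        msg = parse_ios_message(line)
        if msg is None:
            continue                     # not an IOS message; ignore
        change = config_change(msg)
        if change:
            changes.append(change)
        if msg["severity"] <= alert_severity:
            alerts.append((msg["facility"], msg["mnemonic"], msg["text"]))
    return changes, alerts


# Constructed sample log: the page's two messages, one line in the form a
# syslog server stores it (host and sequence number prefixed), and noise.
SAMPLE_LOG = [
    "May 31 11:00:12: %SYS-5-CONFIG_I: Configured from console by eyatsko on vty0 (172.16.128.150)",
    "May 31 11:16:38: %OSPF-5-ADJCHG: Process 1, Nbr 172.31.99.99 on GigabitEthernet0/0.10 from LOADING to FULL, Loading Done",
    "May 31 11:20:01 sr-2821.gogolya.pushkino 45: May 31 11:20:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "May 31 11:21:00: some unrelated text without an IOS header",
]

if __name__ == "__main__":
    changes, alerts = triage(SAMPLE_LOG)
    for c in changes:
        print("config change by", c["user"], "from", c["ip"], "on", c["line"])
    for a in alerts:
        print("ALERT", *a)
```

A periodic job that runs triage over the new part of /var/log/network_hardware.log and mails the two lists to the operators is all that is needed for the e-mail reaction described above.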

sr-2821.gogolya.pushkino>enable
sr-2821.gogolya.pushkino#configure terminal
sr-2821.gogolya.push(config)#logging facility local2
sr-2821.gogolya.push(config)#logging 172.16.0.1
sr-2821.gogolya.push(config)#end
sr-2821.gogolya.pushkino#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

[OK]
sr-2821.gogolya.pushkino#

Some comments.

  • logging facility local2 - local2 is a log selector; SYSLOG uses it to choose the proper LOG file.
  • logging 172.16.0.1 - specifies the SYSLOG server. Take care to specify the nearest SYSLOG server.

Some actions must be done on the server side; Cisco is the client in this case. The following line must be added to /etc/syslog.conf:

# $FreeBSD: src/etc/syslog.conf,v 1.28.20.1 2009/04/15 03:14:26 kensmith Exp $
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manpage.

local2.*                                                        /var/log/network_hardware.log
*.err;kern.warning;auth.notice;mail.crit                        /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
...

Pay attention that the line is the first (uncommented) one in the file. This is to avoid overlap with other selectors; the configuration file is processed from top to bottom. local2 is a log selector, and .* is a template for ALL event classes (Errors, Notifications, Debugs and so on). In principle we can use different files for different events, or filter events (log only certain ones). As you can see this file is from FreeBSD (the Central Site), but it is the same on Linux.

The next step is the actual creation of the log file:

touch /var/log/network_hardware.log

By default the SYSLOG daemon either does not accept network messages at all (it does not listen on UDP/514) or accepts connections only on 127.0.0.1. The first behaviour is observed on Ubuntu, the second on FreeBSD.

On FreeBSD, to make the SYSLOG daemon accept messages from the Network we need to add/modify the following lines in /etc/rc.conf:

...
syslogd_enable="YES"
syslogd_flags=""
...

On Ubuntu we must modify the file /etc/default/syslogd to make SYSLOG accept external connections (it will be started with the flag ”-r”).

...
SYSLOGD="-r"
...

After that you need to restart the syslog daemon:

On FreeBSD:

/etc/rc.d/syslogd restart 

or on Ubuntu:

/etc/init.d/sysklogd restart

Then do “conf t” and “end” on the Cisco to check that new lines have appeared in /var/log/network_hardware.log.

CISCO: SNMP and SNMP Traps

sr-2821.gogolya.pushkino>enable
sr-2821.gogolya.pushkino#configure terminal
sr-2821.gogolya.push(config)#access-list 10 permit 172.16.0.1
sr-2821.gogolya.push(config)#snmp-server community public RO
sr-2821.gogolya.push(config)#snmp-server community SomeWriteCommunity RW 10
sr-2821.gogolya.push(config)#snmp-server host 172.16.0.1 SomeTrapCommunity tty config
sr-2821.gogolya.push(config)#snmp-server enable traps config
sr-2821.gogolya.push(config)#snmp-server tftp-server-list 10
sr-2821.gogolya.push(config)#snmp-server file-transfer access-group 10 protocol tftp
sr-2821.gogolya.push(config)#snmp-server location medvedkovo.msk
sr-2821.gogolya.push(config)#snmp-server contact root@united-networks.ru
sr-2821.gogolya.push(config)#end
sr-2821.gogolya.pushkino#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

[OK]
sr-2821.gogolya.pushkino#

Some comments.

  • access-list 10 permit 172.16.0.1 - this is the list of who may work with this Cisco Device via SNMP. We must restrict access because the SNMPv2 used here is not a robust protocol.
  • snmp-server community public RO - defines the Read-Only community used by Monitoring Systems to read information. It is the standard “public” name.
  • snmp-server community SomeWriteCommunity RW 10 - this is more serious: the Community Name is at the same time the password for write operations, which makes it a target for hacking attempts. Therefore it must be difficult enough to resist simple brute-force attacks. Here we additionally restrict access with ACL number “10”. This community will be used for making backups by sending certain SNMP commands (.1.3.6.1.4.1.9.9.96.1.1.1.1.*) from the server to this Cisco Device. Notice: for safety reasons the community name has been changed.
  • snmp-server host 172.16.0.1 SomeTrapCommunity tty config - here we define the Trap-receiver IP, the Community Name for trap authentication (it also must be strong, because it is used as a password between the Server and this Cisco) and the Category of Traps which will be sent to the Server. This category must additionally be enabled (see the next command). Notice: for safety reasons the community name has been changed.
  • snmp-server enable traps config - enables generation of the given traps. Without this the traps will not be sent to the Trap-receiver even if they are enabled in the previous command. Once more: here we enable generation, and in the step above we enable sending.
  • snmp-server tftp-server-list 10 and snmp-server file-transfer access-group 10 protocol tftp - both do the same thing; the first is superseded by the latter. We define the protocol and the list (via access-list) of TFTP servers which may interoperate with this Cisco Device over TFTP.
  • snmp-server location medvedkovo.msk and snmp-server contact root@united-networks.ru - the usual SNMP settings for every network device. Take note of the location format: it is the meaningful Site part (without hostname).

How does this work? When a network operator issues the command “conf t” or “copy run start”, the Cisco Device generates and sends traps to the Trap-receiver specified in the “snmp-server host …” directive. Traps carry three parameters: where (how) the change was made (CLI or SNMP-Set), the Source of the changes (running- or startup-config) and their Destination (startup- or running-config). This trap has to be captured and processed on the Trap-receiver side.

The pair of communities, Read-Only and Read-Write, serve SNMP Monitoring and SNMP-driven backups of Cisco configurations respectively. The monitoring system (Cacti at the moment) regularly (every 1 minute) sends SNMP-Get requests to the PUBLIC community, the Cisco Device returns various counters in its responses, and the corresponding graphs are built on the Cacti Server from these counters.

Backups of configurations can be made as follows (from Linux/FreeBSD with Net-SNMP installed):

snmpset -v2c -c SomeWriteCommunity 172.16.0.24 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.9 i 6
snmpset -v2c -c SomeWriteCommunity 172.16.0.24 .1.3.6.1.4.1.9.9.96.1.1.1.1.2.9 i 1
snmpset -v2c -c SomeWriteCommunity 172.16.0.24 .1.3.6.1.4.1.9.9.96.1.1.1.1.3.9 i 4
snmpset -v2c -c SomeWriteCommunity 172.16.0.24 .1.3.6.1.4.1.9.9.96.1.1.1.1.4.9 i 1
snmpset -v2c -c SomeWriteCommunity 172.16.0.24 .1.3.6.1.4.1.9.9.96.1.1.1.1.5.9 a "172.16.0.1"
snmpset -v2c -c SomeWriteCommunity 172.16.0.24 .1.3.6.1.4.1.9.9.96.1.1.1.1.6.9 s "msk.medvedkovo.sr-2821.bak"
snmpset -v2c -c SomeWriteCommunity 172.16.0.24 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.9 i 1

Here:

  • the last digit of every .1.3.6.1.4.1.9.9.96.1.1.1.1.14.9 (“9” in this case) is an arbitrary (random) number;
  • the last but one digit is the Cisco Command:
    • 2 - ccCopyProtocol, “1” means “TFTP” (type INTEGER);
    • 3 - ccCopySourceFileType, “4” means “runningConfig” (type INTEGER);
    • 4 - ccCopyDestFileType, “1” means “networkFile” (type INTEGER);
    • 5 - ccCopyServerAddress - the TFTP server's IP (type IPADDRESS);
    • 6 - ccCopyFileName - the filename, possibly with an existing path on the TFTP server (type OCTET_STRING);
    • 14 - ccCopyEntryRowStatus, “1” means “active”, “6” means “destroy” (type INTEGER). Actually the SNMP object created on the Cisco by the commands above destroys itself after a while, but if there are several simultaneous or even consecutive SNMP commands, Cisco rejects all subsequent requests. So it is a good idea to destroy all previous backup attempts first and then create a new one.
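Typing the seven snmpset lines by hand, with the same row number in each and the destroy step first, is error-prone, so here is an added example, not code from the page or from Net-SNMP, that generates the sequence from named parameters (the column numbers and enumeration values are exactly the ones listed above) and can also name the column and row of a ccCopyEntry OID seen in a log. It only builds the argument lists; nothing is sent, and the community string is passed in by the caller rather than stored in the script. The agent address, TFTP server and filename below are the page's values and the row number is passed explicitly so the output can be compared with the commands above.

```python
import random

# Added example (not from the original page). ccCopyEntry of CISCO-CONFIG-COPY-MIB,
# as used by the snmpset sequence above.
CONFIG_COPY_BASE = ".1.3.6.1.4.1.9.9.96.1.1.1.1"

# Column numbers (the "last but one digit") and the enumeration values the page relies on.
COLUMNS = {
    "ccCopyProtocol": 2,
    "ccCopySourceFileType": 3,
    "ccCopyDestFileType": 4,
    "ccCopyServerAddress": 5,
    "ccCopyFileName": 6,
    "ccCopyEntryRowStatus": 14,
}
PROTOCOL = {"tftp": 1}
FILE_TYPE = {"networkFile": 1, "runningConfig": 4}
ROW_STATUS = {"active": 1, "destroy": 6}


def oid(column, row):
    """Full OID for one cell: base . column . row (the row is the arbitrary "last digit")."""
    return f"{CONFIG_COPY_BASE}.{COLUMNS[column]}.{row}"


def backup_sequence(agent, community, tftp_server, filename, row=None):
    """snmpset argument lists for copying running-config to a TFTP server.
    The row is destroyed first, as the text recommends, then recreated and activated."""
    row = random.randint(1, 999) if row is None else row

    def snmpset(column, kind, value):
        return ["snmpset", "-v2c", "-c", community, agent, oid(column, row), kind, str(value)]

    return [
        snmpset("ccCopyEntryRowStatus", "i", ROW_STATUS["destroy"]),
        snmpset("ccCopyProtocol", "i", PROTOCOL["tftp"]),
        snmpset("ccCopySourceFileType", "i", FILE_TYPE["runningConfig"]),
        snmpset("ccCopyDestFileType", "i", FILE_TYPE["networkFile"]),
        snmpset("ccCopyServerAddress", "a", tftp_server),
        snmpset("ccCopyFileName", "s", filename),
        snmpset("ccCopyEntryRowStatus", "i", ROW_STATUS["active"]),
    ]


def decode_oid(full_oid):
    """Reverse direction: (column name, row) for a ccCopyEntry OID, e.g. from a log line."""
    if not full_oid.startswith(CONFIG_COPY_BASE + "."):
        raise ValueError("not a ccCopyEntry OID")
    column, row = full_oid[len(CONFIG_COPY_BASE) + 1:].split(".")
    names = {number: name for name, number in COLUMNS.items()}
    return names[int(column)], int(row)


if __name__ == "__main__":
    # Values from the page; the community is a placeholder, as on the page.
    for argv in backup_sequence("172.16.0.24", "SomeWriteCommunity", "172.16.0.1",
                                "msk.medvedkovo.sr-2821.bak", row=9):
        print(" ".join(argv))
```

Each printed line is one command from the list above; with subprocess.run(argv, check=True) the lists could be executed in order, stopping at the first failure instead of sending later steps against a row that was never created.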

Notice: TFTP must run with permission to create new files automatically. By default TFTPD (at least on FreeBSD) does not do that. Make sure it is running with the flag “-w”. The file /etc/inetd.conf, which starts TFTPD on demand:

...
#ntalk          dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
tftp            dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -l -w -s /var/tftp
#tftp-proxy     dgram   udp     wait    root    /usr/libexec/tftp-proxy tftp-proxy -w 5
#tftp           dgram   udp6    wait    root    /usr/libexec/tftpd      tftpd -l -s /tftpboot
#bootps         dgram   udp     wait    root    /usr/libexec/bootpd     bootpd
...

Don't forget to restart the INETD daemon after changing its config: /etc/rc.d/inetd restart


In addition to the above, some setup must be done on the server side. First, the Net-SNMP package must be installed. Then the SNMPTRAPD daemon must be set up. Here is its configuration:

#logoption s 2
#logoption f /var/log/snmptrapd-direct.log
  
authCommunity log,execute,net SomeTrapCommunity
  
traphandle .1.3.6.1.4.1.9.9.43.2.0.1 /root/system_scripts/trap_handler.pl

#traphandle default /root/system_scripts/trap_handler.pl

Some comments.

  • #logoption s 2 - commented out; this makes SNMPTRAPD send messages to SYSLOG, where “s” together with “2” means “facility LOCAL2”.
  • logoption f /var/log/snmptrapd-direct.log - specifies the LOG filename.
  • authCommunity … - defines the Trap Community (“SomeTrapCommunity” in this case) and enables the types of processing for received messages:
    • log - enables logging via SYSLOG or directly to a file;
    • execute - enables trap handling by third-party programs and user scripts;
    • net - enables forwarding the trap to a further Trap-receiver.
  • traphandle - defines a handler for a particular trap. In this case “/root/system_scripts/trap_handler.pl” is the script which handles the Trap, and “.1.3.6.1.4.1.9.9.43.2.0.1” is the SNMP OID of the Trap which Cisco sends to the Trap-receiver as a reaction to the configured “snmp-server host 172.16.0.1 SomeTrapCommunity tty config” and the User's commands “conf t” or “copy run start”.

Take the last line into consideration. Initially it is not known which Trap OID to expect. Just uncomment “traphandle default…” and add corresponding lines to the trap handler, in the loop that reads Trap Information from the script's STDIN, to print its content to a LOG file (/var/log/snmptrapd.log). The Trap will be logged and you will see what its OID was. If you use the trap_handler.pl above, look at the commented lines:

...
while (<STDIN>)
 {
  chomp;
  $strLine=$_;

# For debug use
#
#  printf(LOG, "%s\n", $strLine);
...

Now it is time for the trap handler script. It is rather large, so just see the link: /root/system_scripts/trap_handler.pl

CISCO: Radius Authentication

Some abbreviations:

  • RADIUS - Remote Authentication Dial-In User Service.
  • IAS - Internet Authentication Service (Microsoft's RADIUS implementation).
  • AAA - Authentication, Authorization and Accounting. First the user must confirm that he is who he claims to be. When you visit a Bank you authenticate with your Passport (much like entering a Username and Password at the command prompt). Then you are restricted when you try to enter rooms with the sign “Authorized personnel only!”: some doors in the building will be void for your guest pass-card. And finally, when you leave, the Bank gives you a receipt for the operations it accounted.
  • NAS - Network Access Server. Front-end devices which meet users in the first place: typically Cisco Switches, Access Points, that is any border hardware. Another name for a NAS is “client”, in the sense “relative to RADIUS”.
  • TLV - Type-Length-Value. All attributes are sent as a structure: a TYPE byte, a LENGTH byte and 1..255 bytes of VALUE. For example: 0406ac108001 (in hexadecimal). Here 04 is the type, which decodes to 'NAS-IP-Address'; 06 means that the total length of the TLV (including the Type and Length bytes) is 6 bytes; and the value itself is ac=172, 10=16, 80=128, 01=1, that is 172.16.128.1.

Due to Network changes I have got tired of adding or removing administrators in different Cisco Devices' configurations! I began to think about a centralized mechanism for administrator authentication. I recalled my early experiments with RADIUS, read some articles about TACACS+, compared their characteristics and decided to settle on the RFC-compliant, standards-based solution. So it is RADIUS.

The implemented scheme can be described as follows:

When Cisco receives an Authentication Request (which usually begins an SSH session) from a remote User, it forwards it to FreeRADIUS. FreeRADIUS first checks the received account information against its local database (MySQL in the example above). If it finds matching data in MySQL, it composes and sends its own answer (probably “Access-Accept”) to the NAS (Cisco), and its mission is complete. If not, i.e. it cannot find the user in the local database, it proxies the request further, to the Domain Controller's IAS (Internet Authentication Service, Microsoft's RADIUS implementation). The latter checks Active Directory for the received user information and acts similarly to FreeRADIUS. In that case FreeRADIUS becomes a client relative to IAS and acts like a NAS.

The justification for such complexity rests on several things. When a new site is created, all Windows computers are joined to the existing domain “DOMAIN.UNITED-NETWORKS.RU”, in which the corresponding user accounts are created. Depending on the planned size, the remoteness from the Central Site and the hardware (and/or financial) resources of the new site, an additional (“caching”) Domain Controller may or may not be installed. But a local Srvgate will definitely be there! So at the minimum we can count on FreeRADIUS! Its database must contain at least one account to authenticate Cisco's requests. And it is very desirable that the local database is replicated with the Central one. Replication is performed in the background, so at the moment of authentication the local database will presumably be up to date, and the user will not feel any delay. This allows the creation of RADIUS users to be synchronized between all sites: when we create a user at the newly deployed site, within the few moments required for replication that user is able to log in to all devices at all sites which support the described RADIUS authentication method.

Since the site has Windows machines, it must keep a connection to a DC (where, by the way, IAS can be set up) to authenticate Windows users. And since we need to maintain records of Windows users anyway, it is a very big temptation to use the same records for Cisco user authentication. So the order of inquiry crystallizes: first RADIUS is asked (because it is the nearest point, and consequently faster). If it can, it authenticates. If RADIUS did not find the user, it forwards the request to a Windows Domain Controller with IAS deployed; it does not matter whether it is local or not (there is no choice, I suppose :-) ).

In principle Cisco can still authenticate users locally if no other methods are available. This method must be used alongside RADIUS authentication, so the local Cisco configuration must contain at least one account. Usually this is the local administrator's (or site-keeper's) login.

Let's switch over to configuration issues immediately.

On the Cisco side

sw-2940.sokol.msk>enable
sw-2940.sokol.msk#configure terminal
sw-2940.sokol.msk(config)#aaa new-model
sw-2940.sokol.msk(config)#aaa authentication login default group radius local
sw-2940.sokol.msk(config)#aaa authentication enable default group radius enable
sw-2940.sokol.msk(config)#radius-server host 172.16.128.1 auth-port 1812 acct-port 1813 key some_pass
sw-2940.sokol.msk(config)#ip radius source-interface vlan19
sw-2940.sokol.msk(config)#^C
sw-2940.sokol.msk#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

[OK]
sw-2940.sokol.msk#

Some comments.

  • aaa new-model - enables AAA (and with it IEEE 802.1x / the RADIUS protocol) globally. Usually you see the inverted form of the command, “no aaa new-model”, in the default configuration. Note that all RADIUS-related commands begin with “aaa” or “radius”.
  • aaa authentication login default group radius local - here we define the authentication methods for the login action. “group radius” is the existing predefined group for all RADIUS servers, where they are placed if no explicit group is defined: as soon as you define a RADIUS server with the “radius-server” command it is already in the default group radius. Groups are needed to organize pools of servers for redundancy purposes. You can define 10 servers but you may need the first five to authenticate and authorize and the remaining five to account - so you need two RADIUS groups of equal size. Within a group the servers are polled in order: if the first does not answer the next is asked, and so on, server by server. Pay attention to the local keyword. The second method, used if RADIUS fails, is the local (Cisco's own) user database (look at the “username xxx password yyy” clauses in the Cisco configuration). You will feel a terrible delay as soon as RADIUS fails.
  • aaa authentication enable default group radius enable - here the method of authentication for entering privileged mode is defined. And again: first the default radius group, described above in detail, and then the keyword enable, which means to use the locally configured “enable secret” password as a fallback.
  • Now look at radius-server host 172.16.128.1 auth-port 1812 acct-port 1813 key some_pass. This is the RADIUS server definition: its IP address and its ports for authentication/authorization (1812) and accounting (1813). And in the same place the key (shared secret) that protects the exchange between Cisco and RADIUS. This secret must be configured identically on both ends (on the RADIUS server too). Otherwise RADIUS will not be able to decrypt what Cisco sends to it. :-)
  • And finally take a glance at ip radius source-interface. Under asymmetric routing conditions it can be VERY useful! If a device gets answers from RADIUS on one of its interfaces, it makes a lot of sense to use the same interface for sending requests. The other side of this medal is to fix the address from which the device will send requests, because RADIUS expects them from a certain address, not from any one.
  • This method has been checked against Cisco 2960/2940 switches, a Cisco 2821 router and Cisco 1131 access points. It works the same way, and fine, everywhere on Cisco.

That's all for Cisco. Its task is to relay the user's request to RADIUS and the answer back again. We tell it which methods to use in which situations, and where RADIUS is.


On the RADIUS side

Most of the actions are done right here. All considerations assume that RADIUS is freshly deployed, without any other configuration.

IMPORTANT! On Ubuntu we were forced to use FreeRADIUS version 2.1.12, because previous versions crashed with a Segmentation Fault if the configured proxy was unavailable from FreeRADIUS's viewpoint. Thanks a lot to Alan DeKok for his advice!

First, we briefly describe the installed packages:

Package             Description         Platform   Dependencies
freeradius-common   Common files        x32
libfreeradius2      Shared library      x32 x64
freeradius          FreeRADIUS itself   x32 x64    libpython2.6, python2.6, ssl-cert and all of the above
freeradius-utils    Client utilities    x32 x64
freeradius-mysql    MySQL integration   x32 x64

Next, we create the MySQL tables required for RADIUS to operate. All table structures are placed in the directory /etc/freeradius/sql/mysql. There are scripts for automatic table creation:

Script       Description     Table           Table purpose
schema.sql   Common tables   radcheck        Check user properties
                             radreply        Reply user attributes
                             radusergroup    Grouping RADIUS users
                             radgroupcheck   Check user-group properties
                             radgroupreply   Reply user-group attributes
nas.sql      Clients table   nas             NAS name, secret, IP, etc.

Suppose MySQL is already set up and operational. It is highly recommended to create a separate administrator account (for example 'root_radius' in the code below) to control the radius database.

~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 40
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database radius;
Query OK, 1 row affected (0.00 sec)

mysql> grant all privileges on radius.* to root_radius identified by 'some_strong_password';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye
~#

First of all we create a database named “radius”. Then we grant all privileges to a user, which is created if it does not exist yet. Pay attention to “flush privileges”, which applies the rights granted by “grant all…” immediately. Otherwise they are not applied until MySQL is restarted.

To use the above-mentioned scripts we need to issue commands like these:

~# mysql -u root -psome_pass radius < /etc/freeradius/sql/mysql/schema.sql
~# mysql -u root -psome_pass radius < /etc/freeradius/sql/mysql/nas.sql
~#

Pay attention to how the password is written: it follows the ”-p” switch directly, with no space!

So. Let's add a couple of rows to a couple of tables to test the above schema.

mysql> insert into radcheck set username='=24enab15=24',attribute='SHA-Password',op=':=',Value=SHA1('some_pass_1');
Query OK, 1 row affected (0.00 sec)

mysql> insert into radcheck set username='eyatsko',attribute='SHA-Password',op=':=',Value=SHA1('some_pass_2');
Query OK, 1 row affected (0.00 sec)

mysql> insert into radcheck set username='=24enab15=24',attribute='Service-Type',op='==',Value='Administrative-User';
Query OK, 1 row affected (0.00 sec)
mysql> select * from radcheck;
+----+--------------+--------------+----+------------------------------------------+
| id | username     | attribute    | op | value                                    |
+----+--------------+--------------+----+------------------------------------------+
|  1 | =24enab15=24 | SHA-Password | := | dfgkh58hkfg843kjhgf834khg845kjhds0vblj34 |
|  2 | eyatsko      | SHA-Password | := | g5hnpoirt923oje0k4kjl345l3kfef0844j0894u |
|  3 | =24enab15=24 | Service-Type | == | Administrative-User                      |
+----+--------------+--------------+----+------------------------------------------+
3 rows in set (0.00 sec)

mysql> insert into nas set nasname='172.16.128.21',shortname='sw-2940.sokol.msk',type='cisco',secret='some_pass';
Query OK, 1 row affected (0.00 sec)

mysql> select * from nas;
+----+---------------+-------------------+-------+-------+-----------+--------+-----------+---------------+
| id | nasname       | shortname         | type  | ports | secret    | server | community | description   |
+----+---------------+-------------------+-------+-------+-----------+--------+-----------+---------------+
|  1 | 172.16.128.21 | sw-2940.sokol.msk | cisco |  NULL | some_pass | NULL   | NULL      | RADIUS Client |
+----+---------------+-------------------+-------+-------+-----------+--------+-----------+---------------+
1 row in set (0.00 sec)

mysql>

Some comments.

  • RADIUS operates on the concept of TLVs. The main idea was shown briefly at the top of this chapter. TLVs are present in packets, and the MySQL tables are organized to store operations over these TLVs.
  • One user can match more than one row in the tables. See the output of 'select * from radcheck'. All these rows take part in processing the arrived Access-Request.
  • Table radcheck is used to check whether the user exists and some of its attributes, and table radreply is used to return some attributes to the NAS, for example IP settings. RADIUS's destiny is far wider than serving our particular tasks… :-) In our case there is no need to return any parameters to the NAS. It's enough to check and send an empty Access-Accept packet, which allows the SSH session between the user and Cisco to complete.
  • Users can be grouped (table radusergroup) to minimize the attributes that need to be entered in table radcheck. Attributes common to a group are moved into the corresponding group tables: radgroupcheck and radgroupreply. When an Access-Request arrives, all its TLVs are checked against radgroupcheck (depending on the group from radusergroup the user belongs to) and radcheck. Attributes from radgroupreply and radreply are included in the Access-Accept. “Personal” user attributes take precedence over group attributes if the same attribute is found in both corresponding tables.
  • SHA1() is a function of Unix in general and MySQL in particular. It calculates an irreversible hash for some value. When RADIUS receives an Access-Request packet it looks up the User-Name from the packet in the database. If it finds “SHA-Password” instead of simply “Password”, it understands that it needs to hash the password from the packet with SHA1 and compare it with the value from the database. This is done to hide users' personal passwords in the database.
  • “=24enab15=24” - this is the account for “enable” authentication, which Cisco sends when a user attempts to enter privileged mode level 15. “=24” is a substitution for the symbol “$” found in the original packet (from the NAS): Username=$enab15$.
  • RADIUS has a number of operators such as “==” or “:=”. They have different meanings: some are permitted for checking, others for replies, and some for both checking and reply. For example the operator ”:=” checks the value of an attribute that exists in the Access-Request; if the attribute is absent from the Access-Request it is added to the list of request attributes with no value. The operator ”==” checks the value only for an existing attribute; if the attribute is absent, an Access-Reject is generated. The complete list of operators can be found in the documentation on the RADIUS protocol.
  • In our case we need to restrict first-time login to Cisco for the user $enab15$. Otherwise everyone who knows the password for privileged mode can log in to Cisco as $enab15$. That is, without such a restriction I don't need any initial account to enter the Cisco: it's enough to log in as $enab15$ with the privileged-mode password, then enter “enable” and repeat the privileged-mode password again. And Cisco is in my power! It is insecure. Cisco gives us a trick: the first-time login and the packet sent when the user enters “enable” differ by the presence of the attribute “Service-Type” with the value “Administrative-User”. So in our situation RADIUS, looking at the “$enab15$” username, finds two rows in the table corresponding to it. It checks both attributes, combining them with a logical “AND”. The presence of ”==” for Service-Type makes it mandatory for “$enab15$” authentication!
  • If we have already packed users into MySQL, it is a good idea to move the NAS definitions there too. By default users are stored by RADIUS in the file /etc/freeradius/users and NASes in /etc/freeradius/clients.conf. Note that creating the tables is not enough to make RADIUS work with MySQL; several configuration files need correcting. Please note that the IP address of the NAS is given in the field “nasname”. This is because the IP address is treated not as an IP address but as a text-string ID of the NAS, which is sent as text in the Access-Request packet. The field “shortname” is entirely inessential. The whole list of NAS types may be found in /etc/freeradius/clients.conf near the “nastype = other” directive (“cisco” in our case).
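To see how the two $enab15$ rows, the ”:=” / ”==” operators and the SHA-Password check work together, here is an added Python model of the authorize step described above. It is not FreeRADIUS code, only a simplified imitation of the behaviour the text describes; the radcheck rows are constructed inline from the inserts above, and the “notfound” outcome is the case the proxy configuration later on this page takes over.

```python
"""Model of how the radcheck rows above are applied to an Access-Request.
Added example: a simplified imitation of the behaviour described on this
page, not FreeRADIUS code."""
import hashlib
import hmac

# Characters FreeRADIUS's sql module passes through unchanged; anything else
# is written as '=' plus two hex digits, which is why '$enab15$' is stored
# as '=24enab15=24'.
SAFE_CHARS = set("@abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")


def sql_escape(user_name):
    """Turn the User-Name from the packet into the SQL-User-Name lookup key."""
    return "".join(c if c in SAFE_CHARS else "=%02X" % ord(c) for c in user_name)


def sha_password(cleartext):
    """What SHA1('...') produced in the inserts above: hex SHA-1 of the password."""
    return hashlib.sha1(cleartext.encode("utf-8")).hexdigest()


# Constructed copy of the radcheck table filled in above
# (username, attribute, op, value).
RADCHECK = [
    ("=24enab15=24", "SHA-Password", ":=", sha_password("some_pass_1")),
    ("eyatsko",      "SHA-Password", ":=", sha_password("some_pass_2")),
    ("=24enab15=24", "Service-Type", "==", "Administrative-User"),
]


def check_items_for(user_name):
    """SELECT attribute, op, value FROM radcheck WHERE username = SQL-User-Name."""
    key = sql_escape(user_name)
    return [(attr, op, value) for (u, attr, op, value) in RADCHECK if u == key]


def authorize(request):
    """Decide an Access-Request given as {attribute: value}.

    Returns ("notfound", reason) when radcheck has no rows for the user
    (the case the proxy-to-IAS configuration later on the page handles),
    otherwise ("Access-Accept" | "Access-Reject", reason).
    Rules modelled from the text above:
      '=='  the attribute must be present in the request with this value,
            otherwise reject;
      ':='  the row becomes a control item (here: the password to verify).
    All rows for the user are combined with logical AND.
    """
    items = check_items_for(request.get("User-Name", ""))
    if not items:
        return "notfound", "no radcheck rows for this user"

    control = {}
    for attr, op, value in items:
        if op == "==":
            if request.get(attr) != value:
                return "Access-Reject", "%s == %s not satisfied" % (attr, value)
        elif op == ":=":
            control[attr] = value
        else:
            raise ValueError("operator %r not modelled in this example" % op)

    expected = control.get("SHA-Password")
    if expected is None:
        return "Access-Reject", "no password check item for user"
    presented = sha_password(request.get("User-Password", ""))
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(presented.lower(), expected.lower()):
        return "Access-Reject", "SHA-Password mismatch"
    return "Access-Accept", "all check items satisfied"


if __name__ == "__main__":
    # First-time login as $enab15$ (no Service-Type) is the case the page
    # wants rejected; the real enable request carries Administrative-User.
    cases = [
        {"User-Name": "eyatsko", "User-Password": "some_pass_2"},
        {"User-Name": "eyatsko", "User-Password": "wrong"},
        {"User-Name": "$enab15$", "User-Password": "some_pass_1"},
        {"User-Name": "$enab15$", "User-Password": "some_pass_1",
         "Service-Type": "Administrative-User"},
        {"User-Name": "somebody@domain", "User-Password": "x"},
    ]
    for req in cases:
        print("%-28s -> %s (%s)" % (req["User-Name"], *authorize(req)))
```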


Let's move on. Let's tell RADIUS to use MySQL instead of the file database in /etc/freeradius. Open /etc/freeradius/sql.conf in VIM and check the options below against the indicated values (comments in the file are omitted).

~# vi /etc/freeradius/sql.conf
...
sql {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        login = "root_radius"
        password = "some_pass"
        radius_db = "radius"
...
        readclients = yes
        nas_table = "nas"
...
}
:wq
~#

The file sql.conf is responsible for how RADIUS works with MySQL: the driver type, the account information (login/password for database access), database and table names and so on. Take note of “readclients”. It is usually commented out, and then RADIUS reads NAS-related information from the file clients.conf in its directory /etc/freeradius.

In the main configuration file radiusd.conf we must uncomment the line $INCLUDE sql.conf in the modules section - by default the SQL configuration is not included in the runtime config. If there is no such line, there is no sql.conf at run time at all! Note that radiusd.conf is the main file because it aggregates all the other configs.

~# vi /etc/freeradius/radiusd.conf
...
modules {
...
        $INCLUDE sql.conf
...
}
...
:wq
~#

NOTE: the NAS table is read during FreeRADIUS startup! NOTE: if the indicated line “$INCLUDE sql.conf” is absent (commented out), FreeRADIUS stops with the incomprehensible message: Error: /etc/freeradius/sites-enabled/default[177]: Failed to load module “sql”. Much time was wasted on this! Don't repeat my mistakes! :-)

The second step is to make RADIUS read user information from MySQL when receiving Access-Request packets. Just uncomment the sql directive in the authorize { … } section of the file /etc/freeradius/sites-enabled/default. It is worth noting that this file holds the biggest portion of the RADIUS configuration.

~# vi /etc/freeradius/sites-enabled/default
authorize {
...
        files
        sql
...
}
:wq
~#

Notice that it still reads information from files, alongside MySQL (directive “files”). It tries “files” first and then uses the MySQL database.

Let's check! Just stop the FreeRADIUS service and start FreeRADIUS in debug mode with the following commands:

~# /etc/init.d/freeradius stop
* Stopping FreeRADIUS daemon freeradius    [ OK ]
~# freeradius -X
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Oct  7 2011 at 10:59:41
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf

...

radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
 ... adding new socket proxy address * port 46402
 ... adding new socket proxy address * port 60405
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

It has started successfully. Now try to log in to Cisco from any computer. You will see something like this:

rad_recv: Access-Request packet from host 172.16.128.21 port 1812, id=162, length=81
        NAS-IP-Address = 172.16.128.21
        NAS-Port = 2
        NAS-Port-Type = Virtual
        User-Name = "eyatsko"
        Calling-Station-Id = "172.16.128.150"
        User-Password = "some_pass"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "eyatsko", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} -> eyatsko
[sql] sql_set_user escaped user --> 'eyatsko'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}'
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}'
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' 
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SHA-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "some_pass"
[pap] Using SHA1 encryption.
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 162 to 172.16.128.21 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 162 with timestamp +207
Ready to process requests.

The key words here are “returns ok” (some part of the RADIUS configuration gave a positive result) and “returns noop” (some other part did not identify the user). Just look at the steps RADIUS took while analyzing the arrived packet. This is the best way to debug what's wrong if something does not succeed. One more hint: sometimes it is appropriate to run FreeRADIUS in full debug mode, like this: freeradius -XXX (porno-mode) ;-)

The next step. Let's tell RADIUS to forward requests to the next RADIUS (Microsoft IAS in this case) if the user is not found locally. Edit the file /etc/freeradius/sites-enabled/default again. Add the following lines after “ldap” in the “authorize” section. This is Alan DeKok's recipe. He didn't explain why we must do it this way, but it works, and I believe him because he is the “forefather” of RADIUS. :-) :-) :-)

~# vi /etc/freeradius/sites-enabled/default
authorize {
...
#       ldap
      if (notfound) {
              update control {
                      Proxy-To-Realm := "domain"
              }
      }
...
}
:wq
~#

I think there is a reason why we must do exactly that. It could be the order of processing or something else. Just do it! :-) Now let's try to explain what happens. When RADIUS reaches this place in the configuration it does what is written. If the user is “not found”, RADIUS updates its own processing flow by changing its parameters. Precisely, it changes the user's “realm” from NULL (no realm - see the lines ”[suffix] No '@' in User-Name = “eyatsko”, looking up realm NULL” and ”[suffix] No such realm “NULL”” in the debug output above) to the realm “domain”.

A “realm”, in RADIUS's interpretation, is an entity much like an e-mail domain. Take note of the ”@” which RADIUS looks for in the username :-) (it's a joke!). Depending on the realm, RADIUS can choose different processing algorithms: for example it can use CHAP for one realm, PAP for another and forward the request to another RADIUS for a third. The realm can be entered by the user when typing the username at the “login” prompt, like this: eyatsko@domain. Or it can be appended by Cisco or even by RADIUS itself. Never mind! It's absolutely inessential for our purposes! In our configuration, if we type eyatsko@domain, such a user will “not be found” and the process will be directed to the proxy anyway! :-)

Here we make RADIUS proxy (forward) the request to “domain”, which is derived from “domain.united-networks.ru”. RADIUS does it immediately because of the directive “Proxy-To-Realm”: it does not just change the realm, it proxies the request at once. Now we have to define the realm domain with the corresponding IP address.

If you look at the drawing on the left you can see that FreeRADIUS has a rather complex hierarchy of related objects: the realm itself is at the top. A realm operates on a pool of servers, named “home servers”, and the servers are identified by IP addresses. Servers are grouped into a pool for redundancy purposes.

We need to edit the file /etc/freeradius/proxy.conf and add definitions for the “realm/server pool/server” hierarchy shown on the drawing above. At the end of the file we add:

~# vi /etc/freeradius/proxy.conf
home_server srvbackup {
      type = auth
      ipaddr = 172.16.128.2
      # ipv6addr = ::1
      # virtual_server = foo
      port = 1812
      secret = some_pass
      # src_ipaddr = 127.0.0.1
      require_message_authenticator = yes
      response_window = 20
      # no_response_fail = no
      zombie_period = 40
      revive_interval = 120
      status_check = request
      username = "test_user_please_reject_me"
      password = "this is really secret"
      num_answers_to_alive = 3
      max_outstanding = 65536
}

home_server_pool domain_pool {
      type = fail-over
      # virtual_server = pre_post_proxy_for_pool
      home_server = srvbackup
      # fallback = virtual.example.com
}
realm domain {
      auth_pool = domain_pool
      # acct_pool = acct
      # nostrip
}
:wq
~#

These parameters were copied from the sample definitions at the top of the same file; just most of the comments are omitted. The important parameters are “type = auth”, “ipaddr = 172.16.128.2” and “secret = some_pass”. The last is used to protect the exchange between this RADIUS and Microsoft IAS (172.16.128.2). This RADIUS will play the role of NAS for IAS, much like Cisco plays the same role relative to this server. The remainder of the parameters are defaults.

NOTE: it is strongly recommended to change the default value ”status-server” to “request” in the directive “status_check = …”! This is because IAS doesn't understand FreeRADIUS status checks. FreeRADIUS initiates the proxy-server recovery procedure when the proxy fails to answer even once. But because IAS does not process the Status packet from FreeRADIUS correctly, this process lasts, lasts and lasts... and finally FreeRADIUS declares IAS dead, even though IAS failed to answer only once. For example, I was restarting the IAS server just at the moment when Cisco sent its Access-Request: FreeRADIUS stopped sending useful packets to IAS but continued to “peck” IAS with status packets. Additionally we need to give FreeRADIUS a username and password. FreeRADIUS will generate an Access-Request with them and send it to IAS, instead of status checks, to find out whether it is alive or not. Just uncomment the corresponding lines.

On the IAS side

On Windows 2003 we first need to install IAS. It can be done via Control Panel → Add/Remove Programs → Add/Remove Windows Components → Networking Services → Details → Internet Authentication Service. Then we must customize IAS itself.

  1. Adding a client:
    • Run the IAS snap-in via Start → Programs → Administrative Tools → Internet Authentication Service.
    • In the tree view on the left side, right-click RADIUS Clients and choose New RADIUS Client in the context menu.
    • In the client wizard enter a Friendly name, something like “srvgate.sokol.msk”, and its Client address (IP or DNS): “172.16.128.1”, then click Next.
    • On the next page choose Client-Vendor “RADIUS Standard” in the drop-down (since the client is a RADIUS server acting as NAS), and enter the Shared Secret twice - exactly the same as configured on the FreeRADIUS side.
    • Now IAS will recognize our FreeRADIUS.
  2. Defining a Remote Access Policy:
    • In the tree view on the left side choose Remote Access Policies. There are several default policies. They are not suitable for our purposes - none of them will permit FreeRADIUS to authenticate, so we need our own policy. We also need OUR policy to be processed first.
    • Right-click Remote Access Policies on the left side and choose New Remote Access Policy in the context menu.
    • In the policy wizard choose Set up a custom policy, enter its name, something like FreeRADIUS Client Remote Access Policy, and click “Next”.
    • On the next page add the attribute Client-IP-Address to the Conditions list with the mask “172.16.128.*”, which means “all IPs like this”. Click “Next”.
    • Then select Grant remote access permission and click Next.
    • On the next page click the Edit profile button.
    • Choose the Authentication tab and select the check box Unencrypted authentication (PAP, SPAP).
    • If you are asked about “additional help”, decline by clicking “No”.
    • Finish the Remote Access Policy wizard and close the IAS snap-in.

That seems to be all about IAS customization.

And the final touch - we need to grant permission in Active Directory to the user who will log in this way.

  • Open Active Directory Users and Computers.
  • Find corresponding user in OU tree and open its properties.
  • Move to Dial-in Tab.
  • Select Allow access in Remote Access Permission (Dial-in or VPN) section.
  • Leave all other settings intact.

Try! :-)

It's a good idea to install Wireshark temporarily on the DC to capture and view the requests from FreeRADIUS and the answers from IAS. For example, you can observe the situation when the local computer (DC) receives RADIUS packets and does not generate ICMP port unreachable (that is, somebody is listening on UDP port 1812) but there are no answers. Such behaviour of IAS (of a RADIUS server generally speaking) tells us that the passwords configured on the FreeRADIUS side and on IAS do not match.

Note that IAS stores its logs in C:\WINDOWS\system32\LogFiles. You can see that in Remote Access Logging, Local File properties. Learn it! It may be useful. In particular you can change the logging options - for example to add or remove accounting requests. In the above example, varying these options lets you ascertain whether IAS receives packets at all.

Here is a small web engine to edit the FreeRADIUS tables conveniently: freeradius_engine.tar.gz. Adjust the files which begin with a letter to your local conditions and do not touch files like ”_*.php” (beginning with the “underscore” symbol). The latter are auxiliary files! You will work out the file structure easily, I'm sure! :-)


CISCO: Autonomous AP1130

The Access Point (AP) baseline configuration is much like that of a Cisco switch. Let's look briefly at the basic actions.

ap>enable
Password: <- "Cisco" by default (case sensitive!)
ap#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)#hostname ap-1131.sokol.msk
ap-1131.sokol.msk(config)#username some_user password some_password
ap-1131.sokol.msk(config)#enable secret some_enable_secret
ap-1131.sokol.msk(config)#service password-encryption
ap-1131.sokol.msk(config)#ip default-gateway 172.16.16.1
ap-1131.sokol.msk(config)#ip domain-name sokol.msk.united-networks.ru
ap-1131.sokol.msk(config)#ip name-server 172.16.16.2
ap-1131.sokol.msk(config)#access-list 1 permit 172.16.0.0 0.15.255.255
ap-1131.sokol.msk(config)#line con 0
ap-1131.sokol.msk(config-line)#login local
ap-1131.sokol.msk(config-line)#logging synchronous
ap-1131.sokol.msk(config-line)#exec-timeout 1440 0
ap-1131.sokol.msk(config-line)#line vty 0 15
ap-1131.sokol.msk(config-line)#logging synchronous
ap-1131.sokol.msk(config-line)#login local
ap-1131.sokol.msk(config-line)#exec-timeout 1440 0
ap-1131.sokol.msk(config-line)#access-class 1 in
ap-1131.sokol.msk(config-line)#exit
ap-1131.sokol.msk(config)#

All these options and commands are explained in CISCO: Baseline Configuration and CISCO: Baseline Switch.

Next we set up logging and SNMP parameters, RADIUS Authentication, NTP and SSH.

ap-1131.sokol.msk(config)#logging facility local2
ap-1131.sokol.msk(config)#logging 172.31.0.1
ap-1131.sokol.msk(config)#access-list 10 permit 172.16.0.0 0.15.255.255
ap-1131.sokol.msk(config)#snmp-server community SomeRdCommunity RO
ap-1131.sokol.msk(config)#snmp-server community SomeWrCommunity RW 10
ap-1131.sokol.msk(config)#snmp-server location sokol.msk
ap-1131.sokol.msk(config)#snmp-server contact root@united-networks.ru
ap-1131.sokol.msk(config)#snmp-server enable traps config
ap-1131.sokol.msk(config)#snmp-server host 172.31.0.1 SomeTrap_Community  tty config
ap-1131.sokol.msk(config)#snmp-server file-transfer access-group 10 protocol tftp
ap-1131.sokol.msk(config)#snmp-server tftp-server-list 10
ap-1131.sokol.msk(config)#aaa new-model
ap-1131.sokol.msk(config)#aaa authentication login default group radius local
ap-1131.sokol.msk(config)#aaa authentication enable default group radius enable
ap-1131.sokol.msk(config)#radius-server host 172.16.16.1 auth-port 1812 acct-port 1813 key 7 022503591C005E731F
ap-1131.sokol.msk(config)#clock timezone MSK 3
*Feb  8 11:33:08.781: %SYS-6-CLOCKUPDATE: System clock has been updated from 11:33:08 UTC Wed Feb 8 2012 to 14:33:08 MSK Wed Feb 8 2012, configured from console by console.

*Feb  8 11:33:09.781: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.31.0.1 started - CLI initiated

ap-1131.sokol.msk(config)#clock summer-time MSK recurring last Sat Mar 2:00 last Sat Oct 2:00

*Feb  8 11:33:29.213: %SYS-6-CLOCKUPDATE: System clock has been updated from 14:33:29 MSK Wed Feb 8 2012 to 14:33:29 MSK Wed Feb 8 2012, configured from console by console.

ap-1131.sokol.msk(config)#service timestamps debug datetime localtime
ap-1131.sokol.msk(config)#service timestamps log datetime localtime
ap-1131.sokol.msk(config)#sntp server 172.16.16.1
ap-1131.sokol.msk(config)#crypto key generate rsa
The name for the keys will be: ap-1131.sokol.msk.sokol.msk.united-networks.ru
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 768
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Feb 10 11:23:34: %SSH-5-ENABLED: SSH 2.0 has been enabled
ap-1131.sokol.msk(config)#ip ssh version 2
ap-1131.sokol.msk(config)#

Next we must configure IP connectivity between the AP and United Networks. It is rather difficult, so look at the drawing. In spite of its complexity it is the most representative case, because it is about the functionality of the AP1130, so we will implement this diagram. Here we can see an AP that will hold two Wireless LANs (WLANs), each characterized by its SSID (Service Set IDentifier, or simply Wireless Network Identifier). “Service Set” is used because a wireless network is not only a network in the usual sense: it gives its clients additional features such as “mobility” and “roaming”. A WLAN can be described as an “isolated group of wireless users”; it is much like a VLAN on an ordinary Ethernet network.

Continuing to look at the diagram, we see that we need to place traffic from the wireless clients of these different WLANs onto different VLANs of the usual (switched) Ethernet network. The Access Point has a single Fast Ethernet interface (10/100 Mbit/s) through which it is connected to the workgroup switch, which carries the VLANs through the rest of the network. So it must be a “TRUNK” (one AP can hold up to 16 SSIDs/WLANs, and FastEthernet is the only port), or in other words a “switched interface”. Let's understand what that means. The main difference between Fa0/1 on a switch and Fa0/1 on a router is in how the interface processes a received packet; people ask “at what ISO/OSI layer does that interface work?”. A switched interface analyzes the L2 header looking for the destination MAC address and compares it against the forwarding database (MAC address table). Based on the destination MAC address it determines the egress (output) port for that packet. A routed interface looks at the L3 header (which is encapsulated in the payload of the L2 frame), analyzes the destination IP address (L3 address) and compares it against the routing table, finding the best route and the output IP interface corresponding to it. Simply put, the difference between switched and routed interfaces is whether an IP address can be assigned to the interface.

Look at “show running-config” of the AP. Theoretically FastEthernet0, dot11Radio0 and dot11Radio1 (the first radio is IEEE 802.11b/g and the second is IEEE 802.11a) can have an IP address (the clause “no ip address” speaks about that), but they must not, because of the requirement for “switching”! Because we need to separate the two WLANs onto two VLANs of the Ethernet network, the AP cannot terminate IP traffic on itself. It only needs to forward packets from wireless users to the corresponding VLAN. No more. Therefore we need to organize switching between the “trunked” FastEthernet0 and dot11Radio0/dot11Radio1. But at the same time the AP needs to accept packets addressed to itself, that is, it needs to terminate its own IP traffic. Additional complexity is introduced by the need to manage the AP from one of the VLANs connected to it (more exactly, VLAN 19)! Look at the drawing one more time: two transparently BRIDGED VLANs, and from one of them we need to access the Access Point. How can interfaces be switched and routed simultaneously?

All of the above is achieved by using so-called “bridge-groups”. A bridge group is the way to combine two IP (routed) interfaces into a group and make them act as ports of a virtual mini-switch. Being merged into a bridge group, interfaces forward packets (not route!) much like a usual switch. But if they (if all interfaces of the AP) only forward (switch) packets and do not look at the IP header in the Ethernet payload, where could we assign an IP address for the AP itself??? :-) Indeed, be careful with the following words: we mark one interface (or, more exactly, “subinterface”) as belonging to one bridge group and the second one as belonging to another bridge group, hence neither of them can have an IP address! Who will get the IP for the AP itself? :-) The BVI interface comes to our help! “BVI” stands for “Bridged Virtual Interface”. It listens to transient packets (intentionally not saying what type of packet: L2 or L3) looking for suitable IP or MAC addresses (its own or broadcast). If it intercepts a packet addressed to the AP it does not forward it but lifts it to the CPU through the ISO/OSI stack. It is the BVI interface that accepts the IP address intended for the AP.

  1. First of all we must enable Bridge groups on AP globally:
    ap-1131.sokol.msk#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    ap-1131.sokol.msk(config)#bridge irb
    ap-1131.sokol.msk(config)#bridge 1 protocol ieee
    ap-1131.sokol.msk(config)#bridge 1 route ip
    ap-1131.sokol.msk(config)#bridge 2 protocol ieee
    ap-1131.sokol.msk(config)#

    Some comments:

    • bridge irb - Integrated Routing and Bridging - enables bridge-group operation globally;
    • bridge 1 protocol ieee - defines the version of Spanning-Tree Protocol for bridge-group 1. Because we are trying to create a “switch”, it needs an STP instance!
    • bridge 1 route ip - enables carrying IP to the AP for the first bridge group. Recall that the “mind” (its own IP address) of the AP is placed on one of the two VLANs for which the AP will forward packets. To allow the AP to terminate IP traffic on itself in this bridge group we must enable this option. For the second bridge group there is no need for “route ip”.

  2. Next we need to remove the initially configured “bridge-group 1” on the physical interfaces FastEthernet0, dot11Radio0 and dot11Radio1, because we will use their subinterfaces. We cannot remove “bridge-group 1” directly; the AP does not allow us to do this. It likes “bridge-group 1” :-) probably because it is necessary for the existence of the BVI1 interface. But we can assign “bridge-group 2” to the interface and then remove that. Just look at this:
    ap-1131.sokol.msk#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    ap-1131.sokol.msk(config)#interface FastEthernet0
    ap-1131.sokol.msk(config-if)#no bridge-group 1
    %command not allowed, cannot remove bridge-group 1
    ap-1131.sokol.msk(config-if)#bridge-group 2
    ap-1131.sokol.msk(config-if)#no bridge-group 2
    Feb 13 19:14:29: %LINK-3-UPDOWN: Interface BVI1, changed state to down
    Feb 13 19:14:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
    ap-1131.sokol.msk(config-if)#do show running-config interface FastEthernet 0
    Building configuration...
    
    Current configuration : 90 bytes
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    end
    
    ap-1131.sokol.msk(config-if)#interface dot11Radio0
    ap-1131.sokol.msk(config-if)#bridge-group 2
    ap-1131.sokol.msk(config-if)#no bridge-group 2
    ap-1131.sokol.msk(config-if)#interface dot11Radio1
    ap-1131.sokol.msk(config-if)#bridge-group 2
    ap-1131.sokol.msk(config-if)#no bridge-group 2
    ap-1131.sokol.msk(config-if)#end
    Feb 13 19:21:47: %SYS-5-CONFIG_I: Configured from console by eyatsko on console
    ap-1131.sokol.msk#show running-config interface dot11Radio0
    Building configuration...
    
    Current configuration : 92 bytes
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     shutdown
     station-role root
    end
    
    ap-1131.sokol.msk#show running-config interface dot11Radio1
    Building configuration...
    
    Current configuration : 124 bytes
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     no dfs band block
     channel dfs
     station-role root
    end
    ap-1131.sokol.msk#
  3. Next we create subinterfaces and place them to corresponding VLANs.
    ap-1131.sokol.msk#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    ap-1131.sokol.msk(config)#interface FastEthernet0.19
    ap-1131.sokol.msk(config-subif)#encapsulation dot1q 19 native
    Feb 13 19:27:38: %LINK-3-UPDOWN: Interface BVI1, changed state to up
    Feb 13 19:27:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
    Feb 13 19:27:42: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 172.16.16.100, mask 255.255.255.0, hostname ap-1131.sokol.msk
    
    ap-1131.sokol.msk(config-subif)#bridge-group 1
    ap-1131.sokol.msk(config-subif)#exit
    ap-1131.sokol.msk(config)#interface Dot11Radio0.19
    ap-1131.sokol.msk(config-subif)#encapsulation dot1q 19 native
    ap-1131.sokol.msk(config-subif)#bridge-group 1
    ap-1131.sokol.msk(config-subif)#exit
    ap-1131.sokol.msk(config)#interface Dot11Radio1.19
    ap-1131.sokol.msk(config-subif)#encapsulation dot1q 19 native
    ap-1131.sokol.msk(config-subif)#bridge-group 1
    ap-1131.sokol.msk(config-subif)#exit
    ap-1131.sokol.msk(config)#interface FastEthernet0.16
    ap-1131.sokol.msk(config-subif)#encapsulation dot1q 16
    ap-1131.sokol.msk(config-subif)#bridge-group 2
    ap-1131.sokol.msk(config-subif)#exit
    ap-1131.sokol.msk(config)#interface Dot11Radio0.16
    ap-1131.sokol.msk(config-subif)#encapsulation dot1q 16
    ap-1131.sokol.msk(config-subif)#bridge-group 2
    ap-1131.sokol.msk(config-subif)#exit
    ap-1131.sokol.msk(config)#interface Dot11Radio1.16
    ap-1131.sokol.msk(config-subif)#encapsulation dot1q 16
    ap-1131.sokol.msk(config-subif)#bridge-group 2
    ap-1131.sokol.msk(config-subif)#end
    ap-1131.sokol.msk#
    Feb 13 23:42:30: %SYS-5-CONFIG_I: Configured from console by eyatsko on console
    ap-1131.sokol.msk#show running-config | begin Dot11Radio0
    interface Dot11Radio0
     no ip address
     no ip route-cache
     shutdown
     station-role root
    !
    interface Dot11Radio0.16
     encapsulation dot1Q 16
     no ip route-cache
     bridge-group 2
     bridge-group 2 subscriber-loop-control
     bridge-group 2 block-unknown-source
     no bridge-group 2 source-learning
     no bridge-group 2 unicast-flooding
     bridge-group 2 spanning-disabled
    !
    interface Dot11Radio0.19
     encapsulation dot1Q 19 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     no dfs band block
     channel dfs
     station-role root
    !
    interface Dot11Radio1.16
     encapsulation dot1Q 16
     no ip route-cache
     bridge-group 2
     bridge-group 2 subscriber-loop-control
     bridge-group 2 block-unknown-source
     no bridge-group 2 source-learning
     no bridge-group 2 unicast-flooding
     bridge-group 2 spanning-disabled
    !
    interface Dot11Radio1.19
     encapsulation dot1Q 19 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    !
    interface FastEthernet0.16
     encapsulation dot1Q 16
     no ip route-cache
     bridge-group 2
     no bridge-group 2 source-learning
     bridge-group 2 spanning-disabled
    !
    interface FastEthernet0.19
     encapsulation dot1Q 19 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    ^C
    ap-1131.sokol.msk#

    Some comments:

    • Look at “encapsulation dot1q native”: it is very important! The trick is that the BVI gets UNTAGGED traffic. But FastEthernet0 is a TRUNK interface, and by default VLAN 1 is native (untagged) on Cisco trunk interfaces. So if we want the BVI to exchange packets with VLAN 19 we need to make VLAN 19 untagged and native for the AP. This is done at both ends of the trunk! We need to add something like this to the interface configuration on the workgroup switch where the AP is connected:
      switchport trunk native vlan 19
    • Look at the “bridge-group” options which appeared in the subinterface configurations.
    • Pay attention to the physical interfaces Dot11Radio0 and Dot11Radio1, which are in the “shutdown” state. Until we set up the SSIDs and their security they must stay shut down; we will activate them later.

  4. Then we create “interface BVI1”:
    ap-1131.sokol.msk#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    ap-1131.sokol.msk(config)#int bvi1
    ap-1131.sokol.msk(config-if)#ip address 172.16.16.55 255.255.255.0
    ap-1131.sokol.msk(config-if)#end
    ap-1131.sokol.msk#
    Feb 14 10:06:23: %SYS-5-CONFIG_I: Configured from console by eyatsko on console
    ap-1131.sokol.msk#show running-config int bvi1
    Building configuration...
    
    Current configuration : 80 bytes
    !
    interface BVI1
     ip address 172.16.16.55 255.255.255.0
     no ip route-cache
    end
    
    ap-1131.sokol.msk#ping 172.16.16.1
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.16.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ap-1131.sokol.msk#

    As you can see, IP connectivity between this AP and the Ethernet network “sokol.msk” is achieved.

  5. Now we can proceed to creating “SSIDs” and setting up “Radio-interfaces”.
    ap-1131.sokol.msk#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    ap-1131.sokol.msk(config)#dot11 ssid united-networks.ru
    ap-1131.sokol.msk(config-ssid)#vlan 19
    ap-1131.sokol.msk(config-ssid)#authentication open
    ap-1131.sokol.msk(config-ssid)#authentication key-management wpa
    ap-1131.sokol.msk(config-ssid)#wpa-psk ascii somestrongpassword
    ap-1131.sokol.msk(config-ssid)#mbssid guest-mode
    ap-1131.sokol.msk(config-ssid)#exit
    ap-1131.sokol.msk(config)#dot11 ssid free.united-networks.ru
    ap-1131.sokol.msk(config-ssid)#vlan 16
    ap-1131.sokol.msk(config-ssid)#authentication open
    ap-1131.sokol.msk(config-ssid)#mbssid guest-mode
    ap-1131.sokol.msk(config-ssid)#exit
    ap-1131.sokol.msk(config)#
    ap-1131.sokol.msk#
    Feb 14 10:37:43: %SYS-5-CONFIG_I: Configured from console by eyatsko on console
    ap-1131.sokol.msk#show running-config interface Dot11Radio0
    Building configuration...
    
    Current configuration : 214 bytes
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     shutdown
     !
     encryption vlan 19 mode ciphers aes-ccm tkip
     !
     ssid free.united-networks.ru
     !
     ssid united-networks.ru
     !
     mbssid
     station-role root
    end
    
    ap-1131.sokol.msk#show running-config interface Dot11Radio1
    Building configuration...
    
    Current configuration : 246 bytes
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     !
     encryption vlan 19 mode ciphers aes-ccm tkip
     !
     ssid free.united-networks.ru
     !
     ssid united-networks.ru
     !
     no dfs band block
     mbssid
     channel dfs
     station-role root
    end
    
    ap-1131.sokol.msk#show running-config | begin dot11 ssid
    dot11 ssid free.united-networks.ru
       vlan 16
       authentication open
       mbssid guest-mode
    !
    dot11 ssid united-networks.ru
       vlan 19
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 063405274056021311464058
    ^C
    ap-1131.sokol.msk#

    Some comments:

    • “dot11 ssid …” defines the SSID.
    • “vlan …” assigns a VLAN to the SSID. This option sets a tight correspondence between the two.
    • “authentication open” determines the authentication method used between the wireless client and the AP. We select “open”, that is, with no encryption of the session between client and AP. WEP, for example, uses pre-defined keys stored on the client's PC and the AP. There are some key exchange, refresh and revoke procedures in modern wireless networks. We don't use any of these because we will use WPA, which has an embedded powerful encryption and authentication mechanism. These are well described in an article on cisco.com. Here we put some diagrams explaining the difference.
    • “authentication key-management wpa” means we will use WPA/WPA2 for that SSID.
    • “wpa-psk ascii 7 …” is where we indicate the password which will be asked of the wireless client when it tries to associate with the AP.
    • “mbssid guest-mode” enables broadcasting of the SSID (“guest-mode” speaks about that) over the Wi-Fi medium. MBSSID stands for “Multiple Basic SSIDs”. Here we need to dip into background theory. There are several ways to build a wireless LAN: “Independent Basic Service Set” (or Ad-Hoc), when two computers connect to each other without AP participation; “Infrastructure Basic Service Set”, when there is an AP and computers connected to it. That was the “Basic Service Set” (or BSS). Besides BSS there is the “Extended Service Set”, when several BSSs are gathered into one common infrastructure. And at last there is “Multiple BSS”, when one AP carries several independent BSSs (our case). By the way, the “BSSID” is the MAC address of the Access Point.
    • All remaining actions are made under the physical radio interfaces' (not subinterfaces') configuration.
    • “encryption vlan 19 mode ciphers aes-ccm tkip” is where we set up the encryption parameters of the data channel between the wireless client and the AP. It usually concerns WEP and WPA. Devote attention to the “vlan 19” clause: here the SSID where encryption will be applied is mentioned implicitly (through the corresponding VLAN). The clause “mode ciphers” exactly means WPA, because the other alternative is WEP, which is not our subject. The clauses “aes-ccm” and “tkip” are both encryption algorithms. “AES” is the Advanced Encryption Standard, which provides a modern high-secrecy symmetric encryption algorithm. And “TKIP” is the Temporal Key Integrity Protocol, which offers, besides strong encryption, key management procedures that generate a new key for EVERY transmitted packet of data. Both of these protocols may be used by wireless clients, so we indicate both of them.
    • “mbssid” informs the corresponding radio interface that it will hold several SSIDs.
    • “ssid …” links the SSID to the radio interface.
    • Some additional predefined option which appears in the interface configuration is the station role: “station-role root”. It means that this Access Point is the main point of reference of the wireless network. It is always connected to the wired rest of the network; it aggregates its own wireless clients and accepts connections from other APs, which are called “repeaters”.

  6. Now we can bring Radio-interfaces UP and save configuration in NVRAM:
    ap-1131.sokol.msk#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    ap-1131.sokol.msk(config)#interface Dot11Radio0
    ap-1131.sokol.msk(config-if)#no shutdown
    Feb 14 10:40:09: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    ap-1131.sokol.msk(config-if)#
    Feb 14 10:40:48: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2467 selected
    ap-1131.sokol.msk(config-if)#
    Feb 14 10:40:48: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    Feb 14 10:40:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    ap-1131.sokol.msk(config-if)#
    Feb 14 10:40:09: %DOT11-6-FREQ_SCAN: Interface Dot11Radio0, Scanning frequencies for 35 seconds
    ap-1131.sokol.msk(config-if)#interface Dot11Radio1
    ap-1131.sokol.msk(config-if)#no shutdown
    ap-1131.sokol.msk(config-if)#
    Feb 14 10:40:21: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    ap-1131.sokol.msk(config-if)#
    Feb 14 10:40:24: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5240 selected
    ap-1131.sokol.msk(config-if)#
    Feb 14 10:40:24: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    Feb 14 10:40:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    ap-1131.sokol.msk(config-if)#end
    ap-1131.sokol.msk#
    Feb 14 10:43:42: %SYS-5-CONFIG_I: Configured from console by eyatsko on console
    ap-1131.sokol.msk#copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]
    ap-1131.sokol.msk#
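
The mapping that steps 1 to 5 build by hand (dot1q subinterface to VLAN to bridge-group, the BVI sitting on the native VLAN together with “bridge N route ip”, and the per-VLAN “encryption vlan” ciphers behind each SSID) is easy to get subtly wrong on the next AP. The following Python script is an added example, not code from this page or from Cisco: it parses a running-config in the format shown above and reports inconsistencies in that mapping, plus the two security-relevant observations a reviewer would want (an SSID with no key management, and a VLAN that still allows TKIP). SAMPLE_CONFIG is a constructed excerpt modelled on the “show running-config” output above; the function names are ours.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the page's "show running-config" output (not a capture).
SAMPLE_CONFIG = """\
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
dot11 ssid free.united-networks.ru
   vlan 16
   authentication open
dot11 ssid united-networks.ru
   vlan 19
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 063405274056021311464058
interface Dot11Radio0
 encryption vlan 19 mode ciphers aes-ccm tkip
interface Dot11Radio0.16
 encapsulation dot1Q 16
 bridge-group 2
interface Dot11Radio0.19
 encapsulation dot1Q 19 native
 bridge-group 1
interface FastEthernet0.16
 encapsulation dot1Q 16
 bridge-group 2
interface FastEthernet0.19
 encapsulation dot1Q 19 native
 bridge-group 1
interface BVI1
 ip address 172.16.16.55 255.255.255.0
"""

def parse_sections(config):
    """Split IOS config text into (top-level command, [indented body lines])."""
    sections = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":            # blanks and '!' separators
            continue
        if raw[0].isspace() and sections:     # indented: body of the current block
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections

def audit(config):
    """Return the derived VLAN/bridge-group/SSID mapping plus a list of findings."""
    sections = parse_sections(config)
    top_level = {h for h, _ in sections}
    subifs, ciphers, ssids, bvi_groups = {}, {}, {}, set()
    for header, body in sections:
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            if m := re.fullmatch(r"BVI(\d+)", name):
                bvi_groups.add(int(m.group(1)))
                continue
            info = {}
            for line in body:
                if m := re.fullmatch(r"encapsulation dot1[qQ] (\d+)( native)?", line):
                    info["vlan"], info["native"] = int(m.group(1)), bool(m.group(2))
                elif m := re.fullmatch(r"bridge-group (\d+)", line):
                    info["group"] = int(m.group(1))
                elif m := re.match(r"encryption vlan (\d+) mode ciphers (.+)", line):
                    ciphers.setdefault(int(m.group(1)), set()).update(m.group(2).split())
            if "vlan" in info:                 # only dot1q subinterfaces carry a VLAN
                subifs[name] = info
        elif header.startswith("dot11 ssid "):
            info = {"wpa": False}
            for line in body:
                if m := re.fullmatch(r"vlan (\d+)", line):
                    info["vlan"] = int(m.group(1))
                elif line.startswith("authentication key-management"):
                    info["wpa"] = True
            ssids[header.split(None, 2)[2]] = info
    findings, groups = [], defaultdict(set)
    for info in subifs.values():
        if "group" in info:
            groups[info["group"]].add(info["vlan"])
    for group, vlans in groups.items():
        if len(vlans) > 1:
            findings.append(f"bridge-group {group} carries several VLANs {sorted(vlans)}")
        if group in bvi_groups:
            if f"bridge {group} route ip" not in top_level:
                findings.append(f"BVI{group} exists but 'bridge {group} route ip' is missing")
            for name, info in subifs.items():  # the BVI only sees untagged frames
                if info.get("group") == group and not info["native"]:
                    findings.append(f"{name}: VLAN {info['vlan']} must be native to reach BVI{group}")
    bridged = set().union(*groups.values()) if groups else set()
    for name, info in ssids.items():
        vlan = info.get("vlan")
        if vlan not in bridged:
            findings.append(f"SSID {name}: VLAN {vlan} has no bridged subinterface")
        if not info["wpa"]:
            findings.append(f"SSID {name} (VLAN {vlan}): open, client traffic is unencrypted")
        elif vlan not in ciphers:
            findings.append(f"SSID {name} (VLAN {vlan}): WPA set but no 'encryption vlan {vlan}' on radios")
        elif "tkip" in ciphers[vlan]:
            findings.append(f"SSID {name} (VLAN {vlan}): legacy cipher tkip still allowed on this VLAN")
    return {"groups": dict(groups), "bvi_groups": bvi_groups, "ssids": ssids, "findings": findings}
```

Run against the sample it reports exactly two findings: the guest SSID on VLAN 16 is open, and VLAN 19 still allows TKIP next to AES-CCMP. Removing “bridge 1 route ip” or the “native” keyword on the VLAN 19 subinterfaces reproduces the two failure modes explained in the comments to steps 1 and 3 (no IP termination on the BVI, and a BVI that never sees its own VLAN because the frames arrive tagged).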

In conclusion we supply you with a simple diagnostic tool:

ap-1131.sokol.msk#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [united-networks.ru] :

MAC Address    IP address      Device        Name            Parent         State
0016.cf20.8703 172.16.16.100   ccx-client    -               self           Assoc

ap-1131.sokol.msk#show dot11 associations 0016.cf20.8703
Address           : 0016.cf20.8703     Name             : NONE
IP Address        : 172.16.16.100      Interface        : Dot11Radio 0
Device            : ccx-client         Software Version : NONE
CCX Version       : 4                  Client MFP       : Off

State             : Assoc              Parent           : self
SSID              : united-networks.ru
VLAN              : 19
Hops to Infra     : 1                  Association Id   : 2
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPA PSK            Encryption       : TKIP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled
Signal Strength   : -54  dBm           Connected for    : 2917 seconds
Signal to Noise   : 38  dB            Activity Timeout : 11 seconds
Power-save        : Off                Last Activity    : 8 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 1992               Packets Output   : 60
Bytes Input       : 66728              Bytes Output     : 7304
Duplicates Rcvd   : 4                  Data Retries     : 5
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
Session timeout   : 0 seconds
Reauthenticate in : never

ap-1131.sokol.msk#

The information above can be acquired by SNMP and used in some monitoring system like Cacti or Zabbix.
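
The “show dot11 associations” output above is easy to turn into records for such a monitoring system. The following Python parser is an added example, not part of the page or of Cisco's tooling: it reads the summary table and the per-client detail view, extracts the counters a poller would graph, and flags the security-relevant fields (the negotiated cipher, the client MFP state, the MIC failure counter). The SUMMARY and DETAIL strings are constructed from the output shown above, not captured from the live AP; the function names and the -70 dBm threshold are our own choices.

```python
import re

# Constructed samples modelled on the page's "show dot11 associations" output.
SUMMARY = """\
802.11 Client Stations on Dot11Radio0:

SSID [united-networks.ru] :

MAC Address    IP address      Device        Name            Parent         State
0016.cf20.8703 172.16.16.100   ccx-client    -               self           Assoc
"""

DETAIL = """\
Address           : 0016.cf20.8703     Name             : NONE
IP Address        : 172.16.16.100      Interface        : Dot11Radio 0
Device            : ccx-client         Software Version : NONE
CCX Version       : 4                  Client MFP       : Off
State             : Assoc              Parent           : self
SSID              : united-networks.ru
VLAN              : 19
Key Mgmt type     : WPA PSK            Encryption       : TKIP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Signal Strength   : -54  dBm           Connected for    : 2917 seconds
Signal to Noise   : 38  dB            Activity Timeout : 11 seconds
Packets Input     : 1992               Packets Output   : 60
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
"""

# A key is words separated by single spaces; the two columns are separated by 2+ spaces.
KEY = r"[A-Za-z][A-Za-z0-9/()\-]*(?: [A-Za-z0-9/()\-]+)*"
PAIR_RE = re.compile(rf"({KEY})\s*:\s*(.*?)(?=\s{{2,}}{KEY}\s*:|$)")
ROW_RE = re.compile(r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})" + r"\s+(\S+)" * 5 + r"\s*$")

def parse_summary(text):
    """One dict per client row, tagged with the radio and SSID headings above it."""
    clients, radio, ssid = [], None, None
    for line in text.splitlines():
        if m := re.match(r"802\.11 Client Stations on (\S+):", line):
            radio = m.group(1)
        elif m := re.match(r"SSID \[(.+)\] :", line):
            ssid = m.group(1)
        elif m := ROW_RE.match(line):
            mac, ip, device, name, parent, state = m.groups()
            clients.append({"mac": mac, "ip": ip, "device": device, "name": name,
                            "parent": parent, "state": state, "radio": radio, "ssid": ssid})
    return clients

def parse_detail(text):
    """Flatten the two-column 'key : value' layout into a single dict."""
    fields = {}
    for line in text.splitlines():
        for key, value in PAIR_RE.findall(line):
            fields[key] = " ".join(value.split())   # collapse column padding
    return fields

def _leading_int(value):
    m = re.match(r"-?\d+", value or "")
    return int(m.group()) if m else None

def metrics(fields):
    """Numeric per-client values a poller (Cacti, Zabbix, ...) would graph."""
    wanted = {"signal_dbm": "Signal Strength", "snr_db": "Signal to Noise",
              "connected_s": "Connected for", "packets_in": "Packets Input",
              "packets_out": "Packets Output", "decrypt_failed": "Decrypt Failed",
              "mic_failed": "MIC Failed"}
    return {k: _leading_int(fields.get(src)) for k, src in wanted.items()}

def assess(fields, weak_signal_dbm=-70):
    """Security and health observations a monitoring rule could alert on."""
    notes = []
    if fields.get("Encryption", "").upper() == "TKIP":
        notes.append("client negotiated TKIP; restrict the SSID to aes-ccm once clients allow it")
    if fields.get("Client MFP", "").lower() == "off":
        notes.append("management frame protection is off for this client")
    if _leading_int(fields.get("MIC Failed")) not in (None, 0):
        notes.append("MIC failures counted; check for interference or key problems")
    sig = _leading_int(fields.get("Signal Strength"))
    if sig is not None and sig < weak_signal_dbm:
        notes.append(f"weak signal {sig} dBm")
    return notes
```

The client from the page parses to signal -54 dBm, SNR 38 dB, 1992 packets in, and assess() raises two notes: the session negotiated TKIP (the weaker of the two ciphers configured on VLAN 19) and client MFP is off. Feeding the same functions the output of an SNMP or SSH poll gives per-client time series without any manual reading of the CLI.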

CISCO: Reset WLC6 to Factory

Sometimes a problem arises to reset “NM-AIR-WLC6-K9” (hereinafter referred to as “WLC6”) to factory defaults. The controller has worked so long that nobody is left who knows the password to it, or, in our case, a used WLC6 was bought with existing settings preventing access to it. The specific point is that the WLC is installed into a multiservice router platform and has no console or independent network connection of its own. It is controlled from a usual Telnet session to the Cisco 2800 using special commands which set up a session to WLC6's CPU. It looks like keypresses are intercepted and command output is redirected to the VTY.

  1. The first thing after WLC6 is installed into the Cisco 2800 router is to assign an IP address to it. It is not required to be a real IP; it is enough that it is a correct IP. I assigned “1.1.1.1/255.255.255.0”, which is guaranteed never to appear on my network. Such addresses will appear again further on.
    sr-2821.gogolya.pushkino#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    sr-2821.gogolya.push(config)#interface wlan-controller 1/0
    sr-2821.gogolya.push(config-if)#ip address 1.1.1.1 255.255.255.0
    sr-2821.gogolya.push(config-if)#no shutdown
    sr-2821.gogolya.push(config-if)#end
    sr-2821.gogolya.pushkino#

    Where “wlan-controller 1/0” is the name of the corresponding interface, which you can see in the output of “show running-config”. After WLC6 installation, new configuration options and hardware are added to the “running-config”.

  2. To begin working with WLC6 it is necessary to issue the command:
    sr-2821.gogolya.pushkino#service-module wlan-controller 1/0 session
    Trying 1.1.1.1, 2066 ... Open
    
    User:
  3. “Ctrl+Shift+F6” and then “x” returns you to the Cisco 2821 terminal session temporarily (until you press “Enter” on the empty prompt). In the above example:
    sr-2821.gogolya.pushkino#service-module wlan-controller 1/0 session
    Trying 1.1.1.1, 2066 ... Open
    
    User: <<--Ctrl+Shift+F6,x
    sr-2821.gogolya.pushkino# <<--Enter 
    [Resuming connection 1 to 1.1.1.1 ... ]
  4. It may be needed to disable RADIUS authentication for WLC6 (in our case RADIUS is actually used for authentication). It is achieved by organizing a special authentication group and assigning this group to the special “line 66”, to avoid engaging authentication while the internal (Router→WLC6) connection is established.
    sr-2821.gogolya.pushkino#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    sr-2821.gogolya.push(config)#aaa authentication login wlc none
    sr-2821.gogolya.push(config)#line 66
    sr-2821.gogolya.push(config-line)#login authentication wlc
    sr-2821.gogolya.push(config-line)#end
    sr-2821.gogolya.pushkino#

    Some comments:

    • “aaa authentication login wlc none” defines authentication group “wlc” and makes the Cisco 2800 perform no authentication at all during logins for that group (“none”).
    • “login authentication wlc” in the line 66 configuration makes the Cisco 2800 authenticate through authentication group “wlc”. That is, do nothing!
      One important moment: before WLC6 authenticates users itself, the Cisco 2800 intercepts the initiative and performs authentication according to the configured rules.

  5. Next we must reboot (reload) WLC6; it is done as in the following example. Be attentive during the reboot process and don't miss the right moment when you are prompted to press ESC. Press the real Escape key (top-left on your keyboard), not Ctrl+Shift+F6 as it is written in some sources. When the Cisco 2800 asks you to confirm the reload command, press Enter twice to see the reboot process. The trick is that the first “Enter” is accepted by the Cisco 2800 and the second “Enter” resumes the session previously established to WLC6 (by the issued “service-module wlan-controller 1/0 session” command), which allows you to see the output on WLC6's console. Hence you need to be already in an established session to WLC6!
    sr-2821.gogolya.pushkino#service-module wlan-controller 1/0 session
    Trying 1.1.1.1, 2066 ... Open
    
    User: <<--Ctrl+Shift+F6, x
    sr-2821.gogolya.pushkino#service-module wlan-controller 1/0 reload
    Do you want to proceed with reload?[confirm]<<-- Enter, Enter
    
    sr-2821.gogolya.pushkino#
    [Resuming connection 1 to 1.1.1.1 ... ]
    Please stand by while rebooting the system.
    
    
    Initializing memory.  Please wait.  256 MB SDRAM detected
    BIOS Version: SM 02.00
    BIOS Build date: 09/17/02
    System Now Booting ...
    
    Booting from disk..., please wait.
    
    Cisco Bootloader Loading stage2...
    
        Cisco Bootloader (Version 5.0.148.0)
    
                          .o88b. d888888b .d8888.  .o88b.  .d88b.
                         d8P  Y8   `88'   88'  YP d8P  Y8 .8P  Y8.
                         8P         88    `8bo.   8P      88    88
                         8b         88      `Y8b. 8b      88    88
                         Y8b  d8   .88.   db   8D Y8b  d8 `8b  d8'
                          `Y88P' Y888888P `8888Y'  `Y88P'  `Y88P'
    
    Booting Primary Image...
    Press <ESC> now for additional boot options... <<-- You are looking for this line! Just press ESC how it is asking...
  6. Then select “5” in the menu that appears:
        Boot Options
    
    Please choose an option from below:
    
     1. Run primary image (Version 5.0.148.0) (active)
     2. Run backup image  (Version 4.1.185.0)
     3. Manually upgrade primary image
     4. Change active boot image
     5. Clear Configuration
    
    Please enter your choice: 5 <<-- Just type "5" and press Enter
    Detecting hardware . . . .
    
    Clearing System Configuration : done.
    
    Configuration has been cleared.  Restarting...
    
    
    Initializing memory.  Please wait.  256 MB SDRAM detected
    BIOS Version: SM 02.00
    BIOS Build date: 09/17/02
    System Now Booting ...
    
    Booting from disk..., please wait.
    
    Cisco Bootloader Loading stage2...
    
        Cisco Bootloader (Version 5.0.148.0)
    
                          .o88b. d888888b .d8888.  .o88b.  .d88b.
                         d8P  Y8   `88'   88'  YP d8P  Y8 .8P  Y8.
                         8P         88    `8bo.   8P      88    88
                         8b         88      `Y8b. 8b      88    88
                         Y8b  d8   .88.   db   8D Y8b  d8 `8b  d8'
                          `Y88P' Y888888P `8888Y'  `Y88P'  `Y88P'
    . . .

    WLC6 clears configuration and restarts.

    . . .
    Starting HREAP Group Features: ok
    Starting Management Services:
       Web Server: ok
       CLI: ok
       Secure Web: Web Authentication Certificate not found (error).
    
    (Cisco Controller)
    
    Welcome to the Cisco Wizard Configuration Tool
    Use the '-' character to backup
    
    Would you like to terminate autoinstall? [yes]:
  7. On the above question just press Enter (it makes no difference; the answer is ignored) and you will find yourself in the Cisco Wizard Configuration Tool. You will be asked a number of questions; give them answers something like these. It does not matter what answer you give to a particular question. The wizard makes some configuration actions which you can redefine later, when you have full access to WLC6. But the “admin” account and its password you have to remember, because without them you will not enter WLC6 after it reboots.
    System Name [Cisco_e9:51:40] (31 characters max):
    AUTO-INSTALL: process terminated -- no configuration loaded
    
    Enter Administrative User Name (24 characters max): admin
    Enter Administrative Password (24 characters max): **************
    Re-enter Administrative Password                 : **************
    
    Management Interface IP Address: 172.16.0.55
    Management Interface Netmask: 255.255.255.0
    Management Interface Default Router: 172.16.0.1
    Management Interface VLAN Identifier (0 = untagged): 0
    Management Interface Port Num [1]:
    Management Interface DHCP Server IP Address: 172.16.0.2
    
    AP Manager Interface IP Address: 172.16.0.56
    
    AP-Manager is on Management subnet, using same values
    AP Manager Interface DHCP Server (172.16.0.2):
    
    Virtual Gateway IP Address: 1.1.1.1
    
    Mobility/RF Group Name: UN
    
    Enable Symmetric Mobility Tunneling [yes][NO]:
    
    Network Name (SSID): united-networks.ru
    Allow Static IP Addresses [YES][no]: no
    
    Configure a RADIUS Server now? [YES][no]: no
    Warning! The default WLAN security policy requires a RADIUS server.
    Please see documentation for more details.
    
    Enter Country Code list (enter 'help' for a list of countries) [US]: RU
    
    Enable 802.11b Network [YES][no]:
    Enable 802.11a Network [YES][no]:
    Enable 802.11g Network [YES][no]:
    Enable Auto-RF [YES][no]:
    
    Configure a NTP server now? [YES][no]:
    Enter the NTP server's IP address: 172.16.0.1
    Enter a polling interval between 3600 and 604800 secs: 3600
    
    Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
    
    Configuration saved!
    Resetting system with new configuration...
    
    Initializing memory.  Please wait.  256 MB SDRAM detected
    BIOS Version: SM 02.00
    BIOS Build date: 09/17/02
    System Now Booting ...
    
    Booting from disk..., please wait.
    
    Cisco Bootloader Loading stage2...
    . . . 

    And so on… Pay attention to the “Virtual Gateway IP Address”. It is not necessary for it to be a real IP; it is enough that it is some correct IP.

Another way to reset the WLC6 to factory defaults is to enter the special recovery username “Recover-Config” (attention! it is case-sensitive!) when you are prompted for “User:”.

Enter User Name (or 'Recover-Config' this one-time only to reset configuration to factory defaults)

User:  Recover-Config
Initiating system recovery process... please wait

Rebooting system

Initializing memory.  Please wait.  256 MB SDRAM detected
BIOS Version: SM 02.00
BIOS Build date: 09/17/02
System Now Booting ...

Booting from disk..., please wait.

Cisco Bootloader Loading stage2...

    Cisco Bootloader (Version 5.0.148.0)

                      .o88b. d888888b .d8888.  .o88b.  .d88b.
                     d8P  Y8   `88'   88'  YP d8P  Y8 .8P  Y8.
                     8P         88    `8bo.   8P      88    88
                     8b         88      `Y8b. 8b      88    88
                     Y8b  d8   .88.   db   8D Y8b  d8 `8b  d8'
                      `Y88P' Y888888P `8888Y'  `Y88P'  `Y88P'

Booting Primary Image...
Press <ESC> now for additional boot options...

The normal result of the above manipulations is the following:

Enter User Name (or 'Recover-Config' this one-time only to reset configuration to factory defaults)

User:  admin
Password:*********
(Cisco Controller) >

You are in the controller's CLI!

CISCO: Configuring WLC6

Intro and Main task

We need some background theory to set up the NM-AIR-WLC6-K9 Lightweight Controller (WLC6) competently. If you don't want to read the large manuals (Cisco 2800 Series Hardware Installation, Cisco Wireless LAN Controller Configuration Guide 5.2, Cisco Wireless LAN Controller Configuration Guide 7.0, Configuring the Cisco Wireless controller Network Module on a Cisco Router), we have put the essential extract from them below.

The first thing to study is the WLC6's Ports and Interfaces.

Note: the WLC6 has no service port! Every other WLC model has one; the six-AP network module is the exception.

Look at the diagrams in the drawing above. A WLC has several different interfaces and ports intended for different purposes. Let's clarify what a port and an interface are in WLC terms. A port is a physical socket into which the RJ-45 plug is connected. An interface is a virtual (logical) instance which may have an IP address (at Layer 3 of the ISO/OSI model) or may belong to some VLAN (at Layer 2), and through which the exchange with the network proceeds. Let's begin “from the end”.

  • Service Port is an access port through which the WLC is managed from a separate network segment (VLAN) dedicated to that purpose only.
  • Service Interface is a logical instance bound to the Service Port; the IP address for that port is assigned to it.
  • Physical Port is always a trunk port through which the WLC is connected to the wired network and where the main packet exchange takes place. All interfaces other than the Service Interface are associated with this port.
  • Management Interface is the interface through which the system administrator accesses the WLC. It exists for management purposes.
  • AP-manager Interface is the endpoint to which the Lightweight Access Points connect and with which they build the LWAPP/CAPWAP tunnel. All wireless client traffic is carried through this tunnel up to the WLC, and the WLC then sends the clients' packets out through the corresponding Dynamic Interface into the target VLAN according to the SSID.
  • Dynamic Interface is the interface designated for a particular WLAN/SSID. It is associated with an SSID and the appropriate VLAN. The number of Dynamic Interfaces corresponds to the number of WLANs/VLANs the WLC serves.
  • Virtual Interface is the most obscure instance. The documentation says: ”The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol (DHCP) relay, and embedded Layer 3 security such as guest web authentication.” In practice its address is the one the controller answers on behalf of clients: it appears as the DHCP server address when the WLC proxies DHCP, and web-authentication clients are redirected to it, with the controller intercepting that traffic. That is why it must not be a real, reachable host on your network and must be identical on all controllers in a mobility group.

We will implement the diagram in the drawing later. For now let's proceed to the basic configuration of the WLC6 controller: we need to learn how to configure the simplest things.

Repeat after Wizard in CLI

It should be said that the WLC has two main commands to control it: show and config. The CLI of any WLC differs from the CLI of a Cisco router, a Cisco switch or even an autonomous AP; it is a thing of its own. Let's begin with a review of the parameters which were specified while the Cisco Configuration Wizard ran.

  1. Usernames who are allowed to login to WLC6:
    (Cisco Controller) >show mgmtuser
    User Name                 Permissions    Description
    -----------------------   ------------   --------------------------------
    admin                     read-write
    
    (Cisco Controller) >config mgmtuser add eyatsko somepassword read-write "Administrative person"
    (Cisco Controller) >show mgmtuser
    User Name                 Permissions    Description
    -----------------------   ------------   --------------------------------
    admin                     read-write
    eyatsko                   read-write     Administrative person
    
    (Cisco Controller) >config mgmtuser delete admin
    Deleted user admin
    
    (Cisco Controller) >

    It is strongly recommended to avoid special symbols like ”<” or “_” in passwords! Use regular lower-case and upper-case letters and digits (mixing them is mandatory, by the way) instead. We found that LAPs 1130 don't understand special characters! Also, before deleting the built-in admin account, log in with the new account from a second session to make sure it works: if you lose the last read-write user, the only way back is the Recover-Config procedure described above, which wipes the whole configuration.

  2. Management and AP-manager interfaces IP-parameters:
    (Cisco Controller) >show interface summary
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    -------------------------------- ---- -------- --------------- ------- ------ -----
    ap-manager                       1    untagged 172.16.0.51     Static  Yes    No
    management                       1    untagged 172.16.0.50     Static  No     No
    virtual                          N/A  N/A      1.1.1.1         Static  No     No
    
    (Cisco Controller) >config interface address management 172.16.0.50 255.255.255.0 172.16.0.1
    Request failed - Active WLAN using interface. Disable WLAN first.Error setting port number
    
    (Cisco Controller) >show wlan summary
    Number of WLANs.................................. 1
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    -------  -------------------------------------  --------  --------------------
    1        united-networks.ru / united-networks.ru  Enabled   management
    
    (Cisco Controller) >config wlan disable 1
    (Cisco Controller) >show wlan summary
    Number of WLANs.................................. 1
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    -------  -------------------------------------  --------  --------------------
    1        united-networks.ru / united-networks.ru  Disabled  management
    
    (Cisco Controller) >config interface address management 172.16.0.50 255.255.255.0 172.16.0.1
    (Cisco Controller) >config interface address ap-manager 172.16.0.51 255.255.255.0 172.16.0.1
    (Cisco Controller) >config interface vlan management 0
    (Cisco Controller) >config interface vlan ap-manager 0
    (Cisco Controller) >config wlan enable 1
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... 00:15:2c:e9:51:40
    IP Address....................................... 172.16.0.50
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 172.16.0.1
    VLAN............................................. untagged
    Physical Port.................................... 1
    Primary DHCP Server.............................. 172.16.0.2
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    
    (Cisco Controller) >

    Note the command “config interface vlan management 0”. Assigning VLAN id 0 to an interface (here “management”) means it will receive untagged traffic.
    But let's return to the “show interface” output above. To view the whole list of configurable parameters for interfaces, issue the following:

    (Cisco Controller) >config interface ?
    acl            Configures an interface's Access Control List.
    address        Configures an interface's address information.
    create         Adds a new dynamic interface.
    delete         Deletes a dynamic interface.
    dhcp           Configures DHCP options on an interface.
    hostname       Configures the virtual interface's virtual DNS host name.
    port           Assign interface to physical port.
    vlan           Configures an interface's VLAN Identifier.
    quarantine     Configure quarantine vlan
    
    (Cisco Controller) >

    It correlates with the show output above: whatever you can view there you can configure via config. By the way, the parameters of the Virtual Interface are configured in the same manner, with the exception that no mask is required for that kind of interface. To assign the Physical Port to an interface (on the WLC6 there is only one Physical Port and it always has number “1”) and the DHCP server, do the following:

    (Cisco Controller) >config wlan disable 1
    (Cisco Controller) >config interface port management 1
    (Cisco Controller) >config interface dhcp management primary 172.16.0.2
    (Cisco Controller) >config wlan enable 1
  3. Next configure the RF network (“RF” stands for “Radio Frequency”). An RF network, or as it is also called an RF group, is a group of WLC controllers ”for which Radio Resource Management (RRM) calculations are done on a whole. RF Groups also help you to discover Rogue APs”. In practice, controllers sharing an RF group name elect a group leader which runs RRM (channel and transmit-power assignment) for all APs in the group, and they exchange the air measurements that feed those calculations.
    (Cisco Controller) >show network summary
    RF-Network Name............................. UN
    Web Mode.................................... Enable
    Secure Web Mode............................. Enable
    Secure Web Mode Cipher-Option High.......... Disable
    Secure Shell (ssh).......................... Enable
    Telnet...................................... Disable
    Ethernet Multicast Mode..................... Disable   Mode: Ucast
    Ethernet Broadcast Mode..................... Disable
    IGMP snooping............................... Disabled
    IGMP timeout................................ 60 seconds
    User Idle Timeout........................... 300 seconds
    ARP Idle Timeout............................ 300 seconds
    ARP Unicast Mode............................ Disabled
    Cisco AP Default Master..................... Disable
    Mgmt Via Wireless Interface................. Disable
    Mgmt Via Dynamic Interface.................. Enable
    Bridge MAC filter Config.................... Enable
    Bridge Security Mode........................ EAP
    Over The Air Provisioning of AP's........... Disable
    AP Fallback ................................ Enable
    Web Auth Redirect Ports .................... 80
    --More-- or (q)uit
    Fast SSID Change ........................... Disabled
    802.3 Bridging ............................. Disable
    
    (Cisco Controller) >config network rf-network-name united-networks.ru
    (Cisco Controller) >

    Look at the line “Telnet…Disable”. It matters when you wish to upgrade an AP to lightweight mode (to a LAP): all you need is to execute “config network telnet enable”. Telnet is a cleartext protocol, so enable it only for the duration of the upgrade and switch it off again afterwards with “config network telnet disable”; SSH, which is already enabled, is the protocol for day-to-day management.

  4. Now we configure the mobility group. During the initial Wizard we entered one name for both the RF and Mobility groups. Mobility groups allow roaming of a wireless client not only between LAPs of the same WLC but also between WLCs.
    (Cisco Controller) >show mobility summary
    Symmetric Mobility Tunneling (current) .......... Disabled
    Symmetric Mobility Tunneling (after reboot) ..... Disabled
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... united-networks.ru
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0xf665
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 1
    Mobility Control Message DSCP Value.............. 0
    
    Controllers configured in the Mobility Group
     MAC Address        IP Address       Group Name         Multicast IP         Status
     00:15:2c:e9:51:40    172.16.0.50      united-networks.ru  0.0.0.0          Up
    
    (Cisco Controller) >config mobility group domain united-networks.ru
    (Cisco Controller) >
  5. Next we learn how to manage WLANs. We have already seen something in the outputs above, but those were auxiliary actions. Now we configure the Wireless LAN parameters specifically.
    (Cisco Controller) >config wlan create 2 ?
    <name>         Enter Profile Name up to 32 alphanumeric characters.
    
    (Cisco Controller) >config wlan create 2 free.united-networks.ru ?
    <ssid>         Enter SSID (Network Name) up to 32 alphanumeric characters.
    
    (Cisco Controller) >config wlan create 2 free.united-networks.ru free.united-networks.ru
    (Cisco Controller) >show wlan summary
    Number of WLANs.................................. 2
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    -------  -------------------------------------  --------  --------------------
    1        united-networks.ru / united-networks.ru  Disabled  management
    2        free.united-networks.ru / free.united-networks.ru  Disabled  management
    
    (Cisco Controller) >config wlan interface 2 ?
    <interface-name> Enter the interface name.
    
    (Cisco Controller) >

    Then we can choose the interface with which this WLAN will be associated. And we already know how to change the WLAN state (enable or disable). But we will do these things later, when we associate the WLAN with a VLAN.

  6. Allowing static IP addresses for a WLAN. The point is that if DHCP is made mandatory, wireless users with a static IP configuration will not be allowed in: the WLC tracks DHCP traffic and blocks addresses that were not assigned by DHCP. It was checked, it works! :-)
    (wifi-wlc6.gogolya.pushkino) >config wlan disable 1
    (wifi-wlc6.gogolya.pushkino) >config wlan dhcp_server 1 0.0.0.0 required
    (wifi-wlc6.gogolya.pushkino) >config wlan enable 1

    Look at “0.0.0.0”: enter zeroes if you don't want to redefine the DHCP server for this WLAN. By default the DHCP server is defined in the interface settings. In the above example “show wlan 1” will show you:

    (wifi-wlc6.gogolya.pushkino) >show wlan 1
    . . .
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Enabled
    . . .
    (wifi-wlc6.gogolya.pushkino) >

    Here “Default” opposite “DHCP Server” means that the DHCP server's IP address will be taken from the settings of the corresponding interface (Management in this case), and “DHCP Address Assignment Required … Enabled” means that the wireless LAN will require wireless users to have a DHCP-assigned IP address, that is:

    (wifi-wlc6.gogolya.pushkino) >show interface detailed management
    . . .
    Primary DHCP Server.............................. 172.16.0.2
    Secondary DHCP Server............................ Unconfigured
    . . .
    (wifi-wlc6.gogolya.pushkino) >
  7. Enabling 802.11a, 802.11b and 802.11g is performed through the following CLI commands:
    (Cisco Controller) >show wlan summary
    Number of WLANs.................................. 2
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    -------  -------------------------------------  --------  --------------------
    1        united-networks.ru / united-networks.ru  Disabled  management
    2        free.united-networks.ru / free.united-networks.ru  Disabled  management
    
    (Cisco Controller) >config wlan radio ?
    <WLAN id>      Enter WLAN Identifier between 1 and 16.
    
    (Cisco Controller) >config wlan radio 1 ?
    all            Configures the WLAN on all Radio bands.
    802.11a        Configures the WLAN on 802.11A only.
    802.11bg       Configures the WLAN on 802.11B/G only (802.11B only, if 802.11g is disabled).
    802.11g        Configures the WLAN on 802.11G only.
    802.11ag       Configures the WLAN on 802.11A and 802.11G only.
    
    (Cisco Controller) >

    The command “config wlan radio 1 all” enables the WLAN/SSID with id 1 (“united-networks.ru”) on all radio bands. The “Auto-RF” which appeared in the Wizard is nothing more than a generalisation of the group of commands which tune radio parameters such as the radio carrier (channel), the beacon period and so on. These radio parameters are customised in different ways: some of them via the “wlan” family of parameters, others via “ap”. For example, after the first AP associates, look at the output of “show ap auto-rf 802.11a <Cisco AP>”.

  8. In conclusion of the first unit let's look at NTP configuration:
    (Cisco Controller) >show time
    Time............................................. Tue Jan 22 16:08:28 1980
    Timezone delta................................... 0:0
    Timezone location................................
    NTP Servers
        NTP Polling Interval.........................     3600
         Index              NTP Server
        -------  --------------------------------
           1     172.16.0.1
    
    (Cisco Controller) >config time ntp server ?
    <index>        Enter NTP server index.
    
    (Cisco Controller) >config time ntp server 1 172.16.0.1
    (Cisco Controller) >config time ntp interval ?
    <interval>     Enter NTP polling interval, between 3600 and 604800 (in seconds).
    (Cisco Controller) >config time ntp interval 3600
    (Cisco Controller) >config time ?
    manual         Configures the system time.
    ntp            Configures the Network Time Protocol.
    timezone       Configures the system's timezone.
    
    (Cisco Controller) >config time manual ?
    <MM/DD/YY>     MM/DD/YY - Date portion
    
    (Cisco Controller) >config time timezone ?
    delta          Configures the system's timezone delta.
    location       Configures the system's timezone location.
    
    (Cisco Controller) >config time timezone delta ?
    <delta_hours>  Enter the local hour difference from Universal Coordinated Time (UTC).
    
    (Cisco Controller) >config time timezone delta 4
    (Cisco Controller) >

    Note that if you need daylight saving time you must use “location” instead of “delta”. In that case the WLC will adjust the time in spring and in autumn.

 

Baseline tasks

Let's continue with some other useful things.

  1. System prompt:
    (Cisco Controller) >config prompt wifi-wlc6.gogolya.pushkino
    (wifi-wlc6.gogolya.pushkino) >
  2. Console inactivity timeout. We guess frequent forced console logouts bother not only us ;-) Are 160 minutes (the maximum) enough? Bear in mind that a long timeout leaves an unattended console session logged in; where the controller is physically accessible to others, a shorter value is the safer choice.
    (wifi-wlc6.gogolya.pushkino) >config serial timeout 160
    (wifi-wlc6.gogolya.pushkino) >
  3. Saving configuration in NVRAM:
    (wifi-wlc6.gogolya.pushkino) >save config
    Are you sure you want to save? (y/n) y
    Configuration Saved!
    
    (wifi-wlc6.gogolya.pushkino) >
  4. Syslog logging:
    (wifi-wlc6.gogolya.pushkino) >config logging syslog host 172.16.0.1
    System logs will be sent to 172.16.0.1 from now on
    
    (wifi-wlc6.gogolya.pushkino) >config logging syslog level informational
    (wifi-wlc6.gogolya.pushkino) >config logging syslog facility local7
    (wifi-wlc6.gogolya.pushkino) >show logging
    Logging to buffer :
    - Logging filter level........................... errors
    - Number of lines logged......................... 57
    - Number of lines dropped........................ 147
    Logging to console :
    - Logging filter level........................... errors
    - Number of lines logged......................... 0
    - Number of lines dropped........................ 204
    Logging to syslog :
    - Logging filter level........................... informational
    - Syslog facility................................ local7
    - Number of lines logged......................... 189
    - Number of lines dropped........................ 15
    - Number of remote syslog hosts.................. 1
      - Host 0....................................... 172.16.0.1
      - Host 1....................................... Not Configured
      - Host 2....................................... Not Configured
    Logging of traceback............................. Enabled
    - Traceback logging level........................ errors
    Logging of process information................... Enabled
    Logging of source file informational............. Enabled
    --More-- or (q)uit
    Timestamping of messages......................... Enabled
    - Timestamp format............................... Date and Time
     Logging buffer (57 logged, 147 dropped)
    
    (wifi-wlc6.gogolya.pushkino) >
  5. SNMP (Sysname has already been created during Wizard):
    (wifi-wlc6.gogolya.pushkino) >config snmp syslocation gogolya.pushkino
    (wifi-wlc6.gogolya.pushkino) >config snmp syscontact eyatsko@ngs.ru
    (wifi-wlc6.gogolya.pushkino) >config snmp community create somewritecommunity
    (wifi-wlc6.gogolya.pushkino) >config snmp community accessmode rw somewritecommunity
    (wifi-wlc6.gogolya.pushkino) >config snmp community mode enable somewritecommunity
    (wifi-wlc6.gogolya.pushkino) >config snmp community create sometrapcommunity
    (wifi-wlc6.gogolya.pushkino) >config snmp community accessmode rw sometrapcommunity
    (wifi-wlc6.gogolya.pushkino) >config snmp community mode enable sometrapcommunity
    (wifi-wlc6.gogolya.pushkino) >config snmp trapreceiver create sometrapcommunity 172.16.0.1
    SNMP Trap Receiver added!
    
    (wifi-wlc6.gogolya.pushkino) >config snmp trapreceiver mode enable sometrapcommunity
    (wifi-wlc6.gogolya.pushkino) >show snmpcommunity
    
    SNMP Community Name Client IP Address Client IP Mask    Access Mode Status
    ------------------- ----------------- ----------------- ----------- --------
    public              0.0.0.0           0.0.0.0           Read Only   Enable
    **********          0.0.0.0           0.0.0.0           Read/Write  Enable
    **********          0.0.0.0           0.0.0.0           Read/Write  Enable
    **********          0.0.0.0           0.0.0.0           Read/Write  Enable
    
    (wifi-wlc6.gogolya.pushkino) >show snmptrap
    SNMP Trap Receiver Name    IP Address        Status
    ------------------------   ----------------- --------
    snmptrapcommunity          172.16.0.1        Enable
    
    (wifi-wlc6.gogolya.pushkino) >config trapflags configsave enable
    (wifi-wlc6.gogolya.pushkino) >show trapflags
    Authentication Flag.............................. Enable
    Link Up/Down Flag................................ Enable
    Multiple Users Flag.............................. Enable
    Client Related Traps
            802.11 Disassociation........................... Disable
            802.11 Association.............................. Disable
            802.11 Deauthenticate........................... Disable
            802.11 Authenticate Failure..................... Disable
            802.11 Association Failure...................... Disable
            Excluded........................................ Enable
    802.11 Security related traps
            WEP Decrypt Error............................... Enable
            IDS Signature Attack............................ Enable
    Cisco AP
            Register........................................ Enable
            InterfaceUp..................................... Enable
    Auto-RF Profiles
            Load............................................ Enable
            Noise........................................... Enable
            Interference.................................... Enable
            Coverage........................................ Enable
    Auto-RF Thresholds
            tx-power........................................ Enable
            channel......................................... Enable
    AAA
            auth............................................ Enable
            servers......................................... Enable
    rogueap.......................................... Enable
    configsave....................................... Enable
    
    (wifi-wlc6.gogolya.pushkino) >config snmp community delete private
    (wifi-wlc6.gogolya.pushkino) >

    Pay attention to the last command. The WLC has two SNMP communities by default: public (read-only, ro) and private (read-write, rw). The latter is highly insecure and must be deleted (it is the second line in the show snmpcommunity output)! The default public community is also a well-known name and should be deleted or replaced by a community of your own. Note also that the communities above are created with client IP 0.0.0.0 and mask 0.0.0.0, i.e. they accept requests from any source address; restrict a community to your management station with “config snmp community ipaddr <ip> <mask> <name>”, and do not make the community used for traps read-write, since sending traps needs no write access. Where your monitoring system supports it, SNMPv3 with authentication and privacy is preferable to any community string.
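
    The checks behind the comments above (Telnet and plain HTTP left enabled, management reachable from the wireless side, factory or unrestricted SNMP communities) are easy to miss when done by eye across several controllers. The following Python script is an added example, not part of the original page or of any Cisco tool: it parses saved “show network summary” and “show snmpcommunity” output in the formats shown on this page and reports the weak settings. The sample outputs embedded in it are constructed, and the community names in them are placeholders.

```python
"""Audit an AireOS WLC management plane from saved CLI output.

Added example: parses 'show network summary' and 'show snmpcommunity'
output as printed on this page. Samples are constructed; names are placeholders.
"""
import re

# Constructed sample: Telnet, plain HTTP and management-over-wireless enabled.
SAMPLE_NETWORK_SUMMARY = """\
RF-Network Name............................. UN
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
Ethernet Multicast Mode..................... Disable   Mode: Ucast
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Enable
Web Auth Redirect Ports .................... 80
"""

# Constructed sample: factory communities still enabled, one rw community
# open to any client address, one properly restricted, one disabled.
SAMPLE_SNMP_COMMUNITY = """\
SNMP Community Name Client IP Address Client IP Mask    Access Mode Status
------------------- ----------------- ----------------- ----------- --------
public              0.0.0.0           0.0.0.0           Read Only   Enable
private             0.0.0.0           0.0.0.0           Read/Write  Enable
netmon-rw           172.16.0.1        255.255.255.255   Read/Write  Enable
old-rw              0.0.0.0           0.0.0.0           Read/Write  Disable
"""

FACTORY_COMMUNITIES = {"public", "private"}

# 'show network summary' settings that should read Disable, and why.
MUST_BE_DISABLED = {
    "Telnet": "cleartext management protocol; use the already enabled SSH",
    "Web Mode": "plain HTTP management; keep only Secure Web Mode",
    "Mgmt Via Wireless Interface": "wireless clients can reach the management plane",
}


def parse_network_summary(text):
    """Map 'Setting Name...... Value' lines to {setting: value}."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s*\.{2,}\s*(\S.*)$", line.strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_snmp_communities(text):
    """Parse the 'show snmpcommunity' table into a list of dicts.

    'Read Only' contains a space, so read-only rows split into six tokens
    and read-write rows into five; header and separator lines match neither.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3] == "Read/Write":
            access, status = "rw", parts[4]
        elif len(parts) == 6 and parts[3:5] == ["Read", "Only"]:
            access, status = "ro", parts[5]
        else:
            continue
        rows.append({"name": parts[0], "ip": parts[1], "mask": parts[2],
                     "access": access, "status": status})
    return rows


def audit(network_text, snmp_text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    settings = parse_network_summary(network_text)
    for name, why in MUST_BE_DISABLED.items():
        if settings.get(name, "").startswith("Enable"):
            findings.append(f"{name} is enabled: {why}")
    for c in parse_snmp_communities(snmp_text):
        if c["status"] != "Enable":
            continue  # a disabled community is not reachable
        if c["name"].lower() in FACTORY_COMMUNITIES:
            findings.append(f"factory SNMP community '{c['name']}' is still enabled; delete it")
        if c["access"] == "rw" and c["ip"] == "0.0.0.0" and c["mask"] == "0.0.0.0":
            findings.append(f"read-write community '{c['name']}' accepts any client IP; "
                            "restrict it with 'config snmp community ipaddr'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETWORK_SUMMARY, SAMPLE_SNMP_COMMUNITY):
        print("-", finding)
```

    Paste the real output of both show commands into the two sample strings (or read them from files) and run the script; on the constructed sample it reports six findings, two of them for the factory “private” community, and nothing for the restricted “netmon-rw” one.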

 

Bridge Groups again...

The next task is to bring up IP connectivity between the WLC6 and the outside world. And again Bridge Groups come to help us… :-) But now the task is more complex than with the Access Point: here we need to set up two devices, the Cisco 2800 as carrier of the WLC and the WLC itself. Look at the diagram. We need to organise a Bridge Group on the router (Cisco 2800) to pass Layer 2 traffic through its routed GigabitEthernet interface to the WLC6's wlan-controller interface. We must also create a BVI interface and move the IP address from the GigabitEthernet interface to it, so that the Cisco 2800 keeps communicating with VLAN 10 as before. This is much like the AP case.

Then we need to tell the WLC6 that it must receive traffic tagged with 10 (VLAN 10) on its Management interface. For now it assumes the traffic is untagged; remember the “VLAN 0” we set when customising this interface.

sr-2821.gogolya.pushkino#show running-config interface GigabitEthernet 0/1.10
Building configuration...

Current configuration : 234 bytes
!
interface GigabitEthernet0/1.10
 description --- Administrative VLAN 10 ---
 encapsulation dot1Q 10
 ip address 172.16.0.6 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 vrrp 1 ip 172.16.0.1
 vrrp 1 priority 250
 vrrp 1 authentication vrrp1
end

Some comments:

  • Interface GigabitEthernet 0/1.10 participates in the local network, VLAN 10.
  • It is a NAT inside interface.
  • It is a member of the VRRP process between the FreeBSD host and the Cisco 2800; together they supply the LAN with a redundant Internet gateway should one of them fail. Note that “vrrp 1 authentication vrrp1” is plain-text VRRP authentication: the string travels in the clear and is readable in the configuration, so it guards against misconfiguration, not against a host on the same segment deliberately injecting VRRP advertisements.

We need to move all of these settings to the newly created BVI interface and put GigabitEthernet 0/1.10 into a Bridge Group, which must be created beforehand. Before that we need to enable bridging on the 2800 router. Let's begin!

sr-2821.gogolya.pushkino#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
sr-2821.gogolya.push(config)#bridge irb
sr-2821.gogolya.push(config)#bridge 10 protocol ieee
sr-2821.gogolya.push(config)#bridge 10 route ip
sr-2821.gogolya.push(config)#do show running-config | include bridge
bridge irb
bridge 10 protocol ieee
bridge 10 route ip
sr-2821.gogolya.push(config)#interface GigabitEthernet0/1.10
sr-2821.gogolya.push(config-subif)#no ip address
sr-2821.gogolya.push(config-subif)#no ip nat inside
sr-2821.gogolya.push(config-subif)#no ip virtual-reassembly
sr-2821.gogolya.push(config-subif)#no vrrp 1 ip 172.16.0.1
sr-2821.gogolya.push(config-subif)#no vrrp 1 priority 250
sr-2821.gogolya.push(config-subif)#no vrrp 1 authentication vrrp1
sr-2821.gogolya.push(config-subif)#bridge-group 10
sr-2821.gogolya.push(config-subif)#exit
sr-2821.gogolya.push(config)#interface wlan-controller1/0.10
sr-2821.gogolya.push(config-subif)#description --- wifi-wlc6.gogolya.pushkino
sr-2821.gogolya.push(config-subif)#encapsulation dot1Q 10
sr-2821.gogolya.push(config-subif)#bridge-group 10
sr-2821.gogolya.push(config-subif)#exit
sr-2821.gogolya.push(config)#interface bvi 10
sr-2821.gogolya.push(config-if)#ip address 172.16.0.6 255.255.255.0
sr-2821.gogolya.push(config-if)#ip nat inside
sr-2821.gogolya.push(config-if)#ip virtual-reassembly
sr-2821.gogolya.push(config-if)#vrrp 1 ip 172.16.0.1
sr-2821.gogolya.push(config-if)#vrrp 1 priority 250
sr-2821.gogolya.push(config-if)#vrrp 1 authentication vrrp1
sr-2821.gogolya.push(config-if)#end
sr-2821.gogolya.pushkino#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

[OK]
sr-2821.gogolya.pushkino#show running-config interface GigabitEthernet0/1.10
Building configuration...

Current configuration : 124 bytes
!
interface GigabitEthernet0/1.10
 description --- Administrative VLAN 10 ---
 encapsulation dot1Q 10
 bridge-group 10
end

sr-2821.gogolya.pushkino#show running-config interface Wlan-controller1/0.10
Building configuration...

Current configuration : 128 bytes
!
interface wlan-controller1/0.10
 description --- wifi-wlc6.gogolya.pushkino ---
 encapsulation dot1Q 10
 bridge-group 10
end

sr-2821.gogolya.pushkino#show running-config interface bvi10
Building configuration...

Current configuration : 170 bytes
!
interface BVI10
 ip address 172.16.0.6 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 vrrp 1 ip 172.16.0.1
 vrrp 1 priority 250
 vrrp 1 authentication vrrp1
end

sr-2821.gogolya.pushkino#show bridge group

Bridge Group 10 is running the IEEE compatible Spanning Tree protocol

   Port 12 (GigabitEthernet0/1.10 DOT1Q) of bridge group 10 is forwarding
   Port 14 (wlan-controller1/0.10 DOT1Q) of bridge group 10 is forwarding

sr-2821.gogolya.pushkino#show bridge

Total of 300 station blocks, 296 free
Codes: P - permanent, S - self

Bridge Group 10:

    Address       Action   Interface       Age   RX count   TX count
0000.5e00.0102   forward   Gi0/1.10          0    1576099     387040
0015.2ce9.5140   forward   wl1/0.10          0          3          1
000c.2984.0c12   forward   Gi0/1.10          0         25          0
001b.fc7d.88c8   forward   Gi0/1.10          0      13016          0

sr-2821.gogolya.pushkino#show bridge verbose

Total of 300 station blocks, 296 free
Codes: P - permanent, S - self

BG Hash      Address      Action  Interface      VC    Age   RX count   TX count
10 03/0   0000.5e00.0102 forward  Gi0/1.10        -      0    1576055     387024
10 11/0   0015.2ce9.5140 forward  wl1/0.10        -      0          3          1
10 1E/0   000c.2984.0c12 forward  Gi0/1.10        -      0         25          0
10 40/0   001b.fc7d.88c8 forward  Gi0/1.10        -      0      13000          0

Flood ports (BG 10)          RX count    TX count
GigabitEthernet0/1.10          988661          24
wlan-controller1/0.10               9      987907

sr-2821.gogolya.pushkino#

In general, configuring bridging on a router does not differ from the analogous configuration on an Access Point.

Some comments:

  • All of the above must be done on the Cisco 2800 while connected via console cable, because as soon as you enter “no ip address” your Telnet session to it will drop.
  • “bridge irb” enables Integrated Routing and Bridging globally on the Cisco 2800.
  • “bridge 10 protocol ieee” defines Bridge Group number 10 and selects the IEEE flavour of Spanning Tree for it, since from now on we are dealing with switching too.
  • “bridge 10 route ip” allows the Cisco 2800 to inspect IP packets in Bridge Group 10 and pick out those destined for its own IP 172.16.0.6. Simply speaking, without this we will not be able to ping the Cisco. :-)
  • Then we remove all of the router's attributes from subinterface GigabitEthernet 0/1.10 (the group of “no …” commands) and include it in “bridge-group 10”.
  • Next we create subinterface wlan-controller 1/0.10 and place it in “bridge-group 10”. From that moment bridging between it and GigabitEthernet 0/1.10 is established.
  • Finally we create “interface bvi 10” and populate it with the commands which were previously on GigabitEthernet 0/1.10. This restores connectivity between the Cisco 2800 and the LAN. BVI 10 is not a tagged interface, so it needs no “encapsulation dot1q 10”. The number “10” means it belongs to bridge-group 10, not to VLAN 10; 10 was chosen for consistency, as Bridge Group 10 corresponds to VLAN 10.
  • In conclusion, look at the “show” commands above, which will help you diagnose abnormal situations related to this setup.

 

The last action is to set up WLC6's Management interface to accept traffic tagged with VLAN “10” from the physical port. Just change the VLAN number from 0 (“untagged”) to VLAN 10.

(wifi-wlc6.gogolya.pushkino) >config interface vlan management 10
(wifi-wlc6.gogolya.pushkino) >ping 172.16.0.1
Send count=3, Receive count=3 from 172.16.0.1

(wifi-wlc6.gogolya.pushkino) >config interface vlan ap-manager 10
(wifi-wlc6.gogolya.pushkino) >save config
Are you sure you want to save? (y/n) y
Configuration Saved!

(wifi-wlc6.gogolya.pushkino) >show interface summary
Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
ap-manager                       1    10       172.16.0.51     Static  Yes    No
management                       1    10       172.16.0.50     Static  No     No
virtual                          N/A  N/A      1.1.1.1         Static  No     No

(wifi-wlc6.gogolya.pushkino) >

IP connectivity is established. If WLAN “united-networks.ru” uses the Management interface as its terminating interface, wireless users will automatically be placed into VLAN 10 after association with a LAP. Note that the AP-manager interface needs its VLAN changed too; otherwise LAPs cannot reach it and reboot cyclically.

 

Next we should disable the WLANs configured above, to avoid unauthorized wireless access until WLAN security is configured, and set up the username/password and enable secret for all LAPs.

(wifi-wlc6.gogolya.pushkino) >config wlan disable 1
Request failed - already in the requested state.

(wifi-wlc6.gogolya.pushkino) >config wlan disable 2
Request failed - already in the requested state.

(wifi-wlc6.gogolya.pushkino) >show wlan summary
Number of WLANs.................................. 2
WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
-------  -------------------------------------  --------  --------------------
1        united-networks.ru / united-networks.ru  Disabled  management
2        free.united-networks.ru / free.united-networks.ru  Disabled  management

(wifi-wlc6.gogolya.pushkino) >config ap mgmtuser add username admin password someadminpassword secret someenablesecret ?
all            Applies the configuration to every AP that does not have a specific user name.
<Cisco AP>     Enter the name of the Cisco AP.

(wifi-wlc6.gogolya.pushkino) >config ap mgmtuser add username admin password someadminpassword secret someenablesecret all
(wifi-wlc6.gogolya.pushkino) >

 

Joining LAP

Now upgrade the AP to LAP. Ideally, a freshly upgraded LAP gets the WLC6 controller's IP address from the Upgrade Tool during the upgrade, then downloads its working image from WLC6, restarts once or twice and becomes fully operational. If it does not, let's diagnose the situation.

First, make sure that the AP does not show something like this:

...
%LWAPP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain
...

...which means that the LAP cannot establish the LWAPP tunnel. It happened to me once while I was configuring WLC6 for the first time: I forgot to assign VLAN10 to the AP-manager interface. The recent output of “show interface summary” was shown for a reason. This type of interface cannot be pinged, so you can only determine that there is no connectivity between the LAP and the AP-manager in “implicit” ways. Generally speaking, a normally joined LAP makes WLC6 produce output like this:

(wifi-wlc6.gogolya.pushkino) >show ap summary
Number of APs.................................... 1
Global AP User Name.............................. root_wifi
AP Name             Slots  AP Model             Ethernet MAC       Location          Port  Country
------------------  -----  -------------------  -----------------  ----------------  ----  -------
APc47d.4f2f.428e     2     AIR-AP1131AG-E-K9    c4:7d:4f:2f:42:8e  default location  1     RU

(wifi-wlc6.gogolya.pushkino) >show ap join stats summary all
Number of APs.............................................. 2
00:26:99:f1:47:20.......................................... Joined
c4:7d:4f:2f:42:8e.......................................... Not joined

(wifi-wlc6.gogolya.pushkino) >

These commands are rather important, so remember them well. It is normal that a LAP initially joins with one MAC address (c4:7d:4f:2f:42:8e, FastEthernet0) while running its recovery image, and then with another MAC address (00:26:99:f1:47:20, Dot11Radioxx) once it has received its working image from WLC6.

For various reasons the AP can miss the WLC6 controller's IP during the upgrade (there was such a case). So you need to provide one of the ways by which the LAP can obtain the controller's IP.

  1. The first way is to place the LAP on the same network segment as WLC6. The LAP asks for WLC6 via the broadcast address 255.255.255.255 (LWAPP uses UDP ports 12222-12223 to build the tunnel between the LAP and WLC6).
  2. The second way is to register the IP of WLC6 in DNS under the special name “CISCO-LWAPP-CONTROLLER” in the domain that was given to the Upgrade Tool: “sokol.msk.united-networks.ru”. The LAP queries it during startup:
    *Feb 19 16:23:27.171: %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.sokol.msk.united-networks.ru
    *Feb 19 16:23:27.171: %LWAPP-3-CLIENTERRORLOG: DNS Name Lookup: could not resolve CISCO-LWAPP-CONTROLLER.sokol.msk.united-networks.ru
    *Feb 19 16:23:27.171: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
  3. The third way is to set up DHCP server option 43 for the subnet where the LAP is located, so that WLC6's IP is provided in the DHCP Offer coming from the DHCP server.
    %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 172.16.16.101, mask 255.255.255.0, hostname ap-1131.sokol.msk
    %LWAPP-3-CLIENTEVENTLOG: Did not get vendor specific options from DHCP.
    %LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.

    To complete the above, follow these steps (on a Windows 2003 DHCP server; it is assumed that the DHCP service is already operational; the procedure below is described in Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode):

    • Open the DHCP snap-in, choose the DHCP server (for example “srvbackup.domain.united-networks.ru [172.16.16.2]”), right-click it and select “Define Vendor Classes…” from the context menu.
    • Then add a new class by clicking the corresponding button.
    • In the opened dialog: for “Display name” enter “Cisco Aironet 1130”, for “Description” enter “Vendor Class identifier for Cisco Aironet 1130 AP” and in the ASCII column enter “Cisco AP c1130”. Be careful! The latter must be exactly this, and it is case-sensitive!
    • Then right-click the DHCP server again in the left part of the snap-in window and select “Set Predefined Options…” from the context menu.
    • In the opened dialog select the class “Cisco Aironet 1130” and add a new predefined option.
    • In the second dialog fill in the following fields: for “Name” enter “Option 43”, for “Data type” choose “IP Address”, for “Code” enter “241” and for “Description” enter “WLAN Controller IP Address”.
    • The next action is adding the freshly created parameter to the scope where the LAP is located. Select the scope under the DHCP server (continuing with the example “srvbackup.domain.united-networks.ru [172.16.16.2]”), then right-click “Scope options” and select “Configure options” from the context menu.
    • In the dialog click the “Advanced” tab, and in the “Vendor Class” drop-down select “Cisco Aironet 1130”.
    • Then check “241 option 43 – WLAN Controller IP Addresses” and the IP configuration fields will appear.
    • In the “IP Address” field enter the IP address of WLC6 and click the Add button. Apply all changes.
    • Move to the LAP's console. You may be forced to log in with the default Cisco/Cisco/Cisco username/password/secret.
    • In order to activate the LAP's DHCP client, issue the following command(s) to change the IP settings to DHCP (after that you can revert back to static):
      APc47d.4f2f.428e#configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      APc47d.4f2f.428e(config)#interface FastEthernet0
      APc47d.4f2f.428e(config-if)#ip address dhcp
      APc47d.4f2f.428e(config-if)#end
      APc47d.4f2f.428e#
      %SYS-5-CONFIG_I: Configured from console by root_wifi on console
      APc47d.4f2f.428e#
      %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 172.16.16.101, mask 255.255.255.0, hostname APc47d.4f2f.428e
      APc47d.4f2f.428e#

      Note that after an unsuccessful upgrade the FastEthernet0 interface is used, but depending on the situation you may need to use BVI1 as usual! Or, if it has already been set up to use DHCP, just renew:

      APc47d.4f2f.428e#release dhcp FastEthernet0
      APc47d.4f2f.428e#renew dhcp FastEthernet0
      Not in Bound state.
      APc47d.4f2f.428e#
      %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 172.16.16.101, mask 255.255.255.0, hostname APc47d.4f2f.428e
      Translating "CISCO-LWAPP-CONTROLLER.domain.united-networks.ru"...domain server (172.16.16.2)
      %LWAPP-3-CLIENTEVENTLOG: Controller address 172.16.0.50 obtained through DHCP
      %LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.
      %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.domain.united-networks.ru
      %LWAPP-3-CLIENTERRORLOG: DNS Name Lookup: could not resolve CISCO-LWAPP-CONTROLLER.domain.united-networks.ru
      %LWAPP-5-CHANGED: LWAPP changed state to JOIN
      %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
      %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
      %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
      %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
      %LWAPP-3-CLIENTERRORLOG: Join Timer: did not recieve join response (controller - wifi-wlc6.gogolya.pushkino)
      %LWAPP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain
      %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.
      %LWAPP-5-CHANGED: LWAPP changed state to DOWN

      Look attentively at “%LWAPP-3-CLIENTEVENTLOG: Controller address 172.16.0.50 obtained through DHCP”. After the reboot, find something like “%LWAPP-3-CLIENTEVENTLOG: AP has joined controller wifi-wlc6.gogolya.pushkino” in the output. That means the LAP has joined successfully and you can log in to the LAP with the username/password and secret configured on WLC6.

  4. The last way to tell the LAP the WLC6 IP address is the command “lwapp ap controller ip address 172.16.0.50” in privileged (not configuration!) mode. Sometimes it passes silently, but sometimes it “resists”, saying: “ERROR!!! Command is disabled.”. In this case the LAP does not accept a number of commands. This means that the LAP has already contacted WLC6 and received its configuration, or part of it, from WLC6. The latter disables configuration changes on the LAP as soon as it joins, because all changes on LAPs must be made through commands issued in WLC6's command-line interface (CLI) and “pushed” through the LWAPP tunnel. You need to clear the imposed configuration with the command “clear lwapp private-config”, and reload to complete the join in any case.
    APc47d.4f2f.428e#lwapp ap controller ip  address 172.16.0.50
    ERROR!!! Command is disabled.
    APc47d.4f2f.428e#clear lwapp private-config
    APc47d.4f2f.428e#lwapp ap controller ip address 172.16.0.50
    APc47d.4f2f.428e#show lwapp client config
    APc47d.4f2f.428e#show lwapp ip config
    LWAPP Static IP Configuration
    Default Gateway    172.16.16.1
    Primary Controller 172.16.0.50
    APc47d.4f2f.428e#reload
    Proceed with reload? [confirm]
    
    %SYS-5-RELOAD: Reload requested by root_wifi on console. Reload Reason: Reload Command.
    %LWAPP-5-CHANGED: LWAPP changed state to DOWN

    But sometimes even this strong command “clear lwapp private-config” does not work. In that case all that is left is to let the LAP contact WLC6 anyway and finish the JOIN procedure by one of the methods described above, and then reset private-config.
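
What the Windows DHCP snap-in builds for you in step 3 is a single option-43 TLV: suboption type 0xf1 (decimal 241), a length byte, and the controller IPv4 addresses packed 4 bytes each, handed out only to clients whose option 60 equals the vendor class string exactly. The following Python is an added example (not from this page or from Cisco) that encodes and decodes that TLV for the page's controller 172.16.0.50 and reproduces the case-sensitive vendor-class match; the VENDOR_TABLE, the second controller 172.16.0.51 and the lowercase option 60 value are constructed for illustration.

```python
"""Cisco lightweight-AP DHCP option 43: encode, decode and vendor-class match.

Added example, not code from the page or from Cisco. The AP sends its vendor
class ("Cisco AP c1130" for an Aironet 1130) in DHCP option 60; a server that
recognises it returns option 43 containing suboption 0xf1 (241) whose value is
the controller IPv4 addresses, 4 bytes each.
"""
import ipaddress
import struct

WLC_SUBOPTION = 0xF1  # "Code 241" in the Windows DHCP predefined option

# Constructed table: vendor class identifier -> controllers (the page's WLC6 IP).
VENDOR_TABLE = {"Cisco AP c1130": ["172.16.0.50"]}


def encode_option43(controllers):
    """Return the raw option-43 payload: 0xf1, length, then each IPv4 packed."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(value) > 255:
        raise ValueError("too many controllers for a single-byte length field")
    return struct.pack("BB", WLC_SUBOPTION, len(value)) + value


def decode_option43(data):
    """Walk the TLVs inside option 43 and return the controller IPs from 0xf1.

    Raises ValueError on a truncated TLV or a length that is not a multiple
    of 4, which is what a hand-typed hex value with a wrong length byte gives.
    """
    controllers = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated suboption header")
        sub_type, length = data[pos], data[pos + 1]
        pos += 2
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("suboption value shorter than its length byte")
        pos += length
        if sub_type == WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("0xf1 value must be a non-empty multiple of 4 bytes")
            controllers.extend(
                str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)
            )
    return controllers


def is_valid_option43(data):
    """True if the payload parses and names at least one controller."""
    try:
        return bool(decode_option43(data))
    except ValueError:
        return False


def option43_for_client(option60, table=VENDOR_TABLE):
    """Mimic the DHCP server's vendor-class match (exact and case-sensitive).

    option60 is the raw bytes the AP sent. Returns the option-43 payload to put
    in the OFFER, or None when no vendor class matches (the AP then logs
    "Did not get vendor specific options from DHCP").
    """
    try:
        vci = option60.decode("ascii")
    except UnicodeDecodeError:
        return None
    controllers = table.get(vci)
    return encode_option43(controllers) if controllers else None


if __name__ == "__main__":
    payload = option43_for_client(b"Cisco AP c1130")
    print("option 43 for 172.16.0.50:", payload.hex())  # f104ac100032
    print("decoded:", decode_option43(payload))
    print("lower-case VCI matches:", option43_for_client(b"cisco ap c1130") is not None)
```

The hex string printed for the page's controller, f1 04 ac 10 00 32, is exactly what you would type by hand on a DHCP server without vendor-class support; the lowercase lookup returning None is the failure mode the “case-sensitive” warning above refers to.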

In conclusion, note that once the LAP has joined it remembers the WLC6 IP address, and you can change every setting from WLC6, even defining the IP address of another WLC6 for that particular LAP. Let's make one important setting - change the LAP's hostname:

(wifi-wlc6.gogolya.pushkino) >config ap name ap-1131.sokol.msk APc47d.4f2f.428e
(wifi-wlc6.gogolya.pushkino) >

On the AP, at the same time, this happens:

APc47d.4f2f.428e#
%LINK-3-UPDOWN: Interface Dot11Radio1, changed state to down
%LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
%LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
%LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
%LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
ap-1131.sokol.msk#

 

Configuring restricted WLAN

Now let's set up the WLANs. Let's begin with the restricted WLAN “united-networks.ru”. It is a relatively simple procedure. The summary of tasks: set up WLAN security (WPA/WPA2 in our case), disable other authentication methods, and actually enable the WLAN (remember it has been disabled while we were configuring other parameters of the WLC6 controller).

(wifi-wlc6.gogolya.pushkino) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... united-networks.ru
Network Name (SSID).............................. united-networks.ru
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Allowed
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
   CKIP ......................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------

(wifi-wlc6.gogolya.pushkino) >config wlan security wpa wpa1 enable 1
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa akm 802.1x disable 1
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa akm psk enable 1
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa akm psk set-key ascii SomeStrongKey 1
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa wpa1 ciphers aes enable 1
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa wpa1 ciphers tkip enable 1
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa wpa2 ciphers tkip enable 1
(wifi-wlc6.gogolya.pushkino) >config wlan enable 1
(wifi-wlc6.gogolya.pushkino) >show wlan summary
Number of WLANs.................................. 2
WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
-------  -------------------------------------  --------  --------------------
1        united-networks.ru / united-networks.ru  Enabled   management
2        free.united-networks.ru / free.united-networks.ru  Disabled  management

(wifi-wlc6.gogolya.pushkino) >

Some comments:

  • Since WLAN “united-networks.ru” is in VLAN10, which is our LAN, we must provide a satisfactory level of security. Anyone can drive up to our building, open a notebook and associate with it; he would immediately be granted unlimited access to computers, user data and so on. Hence this WLAN must be protected by a password at least, and WPA/WPA2 gives us a level of safety that is not the worst.
  • “show wlan 1” - shows the current state of the WLAN.
  • “config wlan security wpa wpa1 enable 1” - enables basic WPA (WPA1) for WLAN id=1. As you can see it was in the disabled state, but some old devices do not support WPA2, so we maximize compatibility. Keep in mind that WPA1 is a legacy protocol; enable it only if you really have clients that need it.
  • “config wlan security wpa akm 802.1x disable 1” - disables Auth Key Management (“akm”) via 802.1X, which normally authenticates users against a RADIUS server and asks the wireless user for a username and password (and even a domain). We want just a password when connecting a notebook to this WLAN.
  • “config wlan security wpa akm psk enable 1” - enables Pre-Shared Key (PSK) authentication. That is the password mentioned above, which your notebook presents during authentication.
  • “config wlan security wpa akm psk set-key ascii SomeStrongKey 1” - evidently, specifies the key itself. Since one key is shared by everyone on the WLAN, make it long and random, and change it when someone who knows it leaves.
  • “config wlan security wpa wpa1 ciphers aes enable 1” - enables AES (Advanced Encryption Standard) for WLAN id=1. AES is the modern, strong symmetric cipher.
  • “config wlan security wpa wpa1 ciphers tkip enable 1” - enables TKIP (Temporal Key Integrity Protocol). It not only encrypts transmitted data but also manages cryptographic keys: it derives a new key for each packet! Why do we use two ciphers? Because we don't know exactly what the wireless device (notebook) supports. Note that TKIP is deprecated and has known weaknesses; AES is preferred whenever the clients support it.
  • “config wlan security wpa wpa2 ciphers tkip enable 1” - enables TKIP for WPA2 too, since the output of “show wlan 1” showed “TKIP Cipher…. Disabled”. The same caveat applies: WPA2 with AES only is the recommended configuration.
  • “config wlan enable 1” - in conclusion, enables WLAN id=1.
  • Look at “802.11 Authentication:…. Open System”. This means that WEP shared-key authentication is not used here; it does not mean that the network requires no password, since the password is checked by WPA/WPA2 after the open 802.11 authentication.
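
Because “show wlan N” is the only place where WPA1, TKIP and the key-management choice are all visible at once, it is worth checking that output mechanically rather than by eye. The Python below is an added example, not WLC code: parse_show_wlan() flattens the dotted key/value listing into indentation-based paths, and audit_wlan() applies the checks a reviewer would run against the configuration above. The WLAN1_AFTER sample is constructed to reflect the state after the commands above (the page does not print it) and is trimmed to the lines the checks use.

```python
"""Audit WLC `show wlan N` output for weak wireless security settings.

Added example, not WLC code. parse_show_wlan() turns lines such as
"         TKIP Cipher............................. Enabled" into a flat dict
keyed by path, e.g. "Security/Wi-Fi Protected Access (WPA/WPA2)/WPA2 (RSN IE)/TKIP Cipher",
using the indentation to recover nesting; audit_wlan() checks the result.
"""
import re

_KV = re.compile(r"^(\s*)(.+?)\.{2,}\s*(.*)$")  # "<indent><key>....... <value>"

# Constructed sample: WLAN 1 after the commands above, trimmed to relevant lines.
WLAN1_AFTER = """\
WLAN Identifier.................................. 1
Profile Name..................................... united-networks.ru
Status........................................... Enabled
Interface........................................ management
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Enabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
   Web Based Authentication...................... Disabled
"""

WPA = "Security/Wi-Fi Protected Access (WPA/WPA2)"
AKM = WPA + "/Auth Key Management"


def parse_show_wlan(text):
    """Return {path: value}; lines without a dotted leader are section headers."""
    result, stack = {}, []  # stack holds (indent, key) for the current nesting
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        m = _KV.match(raw)
        if m:
            key, value = m.group(2).strip().rstrip(":"), m.group(3).strip()
        else:
            key, value = raw.strip().rstrip(":"), None
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = "/".join([k for _, k in stack] + [key])
        if value is not None:
            result[path] = value
        stack.append((indent, key))
    return result


def audit_wlan(w):
    """Return [(severity, message)] findings for one parsed WLAN."""
    if w.get("Status") != "Enabled":
        return [("info", "WLAN is disabled; nothing is broadcast")]
    if (w.get(WPA) != "Enabled" and w.get("Security/802.1X") != "Enabled"
            and w.get("Security/Web Based Authentication") != "Enabled"):
        return [("high", "open WLAN: no WPA/WPA2, 802.1X or web authentication")]
    findings = []
    if w.get(WPA + "/WPA (SSN IE)") == "Enabled":
        findings.append(("medium", "WPA1 enabled: legacy mode, keep only while such clients exist"))
    for ver in ("WPA (SSN IE)", "WPA2 (RSN IE)"):
        if w.get(f"{WPA}/{ver}/TKIP Cipher") == "Enabled":
            findings.append(("high", f"TKIP enabled under {ver}: deprecated cipher, prefer AES only"))
    if w.get(AKM + "/PSK") == "Enabled" and w.get("Interface") == "management":
        findings.append(("medium", "PSK on the management (LAN) VLAN: one shared secret grants LAN access"))
    if w.get(AKM + "/802.1x") != "Enabled" and w.get(AKM + "/PSK") != "Enabled":
        findings.append(("high", "WPA enabled but neither 802.1X nor PSK key management is on"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_wlan(parse_show_wlan(WLAN1_AFTER)):
        print(f"[{severity}] {message}")
```

Run against the sample it reports WPA1, TKIP under both WPA and WPA2, and PSK on the LAN VLAN; paste the real “show wlan 1” output into WLAN1_AFTER to audit your own controller, and feed it “show wlan 2” once the open WLAN is configured to see the single high-severity “open WLAN” finding.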

 

Configuring open (free) WLAN

Having configured the restricted (password-protected) WLAN “united-networks.ru” for the administrative VLAN10, we now have to configure a completely open WLAN “free.united-networks.ru” for VLAN20, for the “free” users of United Networks. This network segment is intended for test purposes, to test QoS for example, and it has serious restrictions on use: torrents, mail servers and SSH are blocked there. On one hand it is easy to configure a WLAN with no authentication, but on the other hand it is more difficult than VLAN10, because VLAN20 is not native to the trunks and bridge groups on which it is carried.

Summary of tasks:

  • First, we need to create a new Bridge Group, number 20, for VLAN20. It also needs “route ip” and a BVI interface; without them the Cisco 2800 does not pass IP traffic. The BVI may have no IP address; only its presence is needed.
  • Next comes the organization of a bridge within WLC6 itself. WLANs need to be terminated on some kind of interface within WLC6. In the case of VLAN10 we used Management, which belongs to VLAN10. For other VLANs we need to create so-called “Dynamic Interfaces”, assign them VLANs and then use them in the WLAN settings as the “wired” interface. This association of a WLAN with a Dynamic Interface determines which VLAN the WLAN belongs to; there is no way to assign a VLAN to a WLAN directly as on an Autonomous AP. In this way Cisco also provides an opportunity to terminate the IP traffic of wireless clients on the WLC by assigning an IP address to the Dynamic Interface, in which case the WLC begins to act as a router. But we're getting distracted. To build a “pure bridging” scheme we do not need to assign any IP to the Dynamic Interface, and it then acts like a “bridge port”. But here is one snag! WLC6 works as a so-called DHCP proxy by default, and this mode can only be switched off for the whole WLC. If we disable DHCP proxy mode with the command “config dhcp proxy disable”, we disable it for all WLANs. If even a single WLAN needs DHCP proxy we have to leave this mode on. So let's begin with the most complex case. We need to assign an IP to the Dynamic Interface for one goal only: to let WLC6 relay the intercepted client DHCP requests to the DHCP server. Once the DHCP procedure is complete the Dynamic Interface's IP is never needed again. But as long as we have an IP address on the Dynamic Interface, it is visible to this WLAN and VLAN, so we need to restrict access to it. We need to configure an Access Control List (ACL) and apply it to the Dynamic Interface. The ACL must leave communication between the VLAN's gateway and the Dynamic Interface unrestricted (the gateway has IP 192.168.0.1 and acts as DHCP relay to 172.16.0.2, which is the real DHCP server) and deny any other traffic to the Dynamic Interface.
    When WLC6 detects a DHCP packet on the corresponding WLAN, it catches it, re-sends it to the gateway and relays the answers back. Any other packets are passed by WLC6 between the gateway and the wireless client through the Dynamic Interface at Layer 2 of the ISO/OSI model, that is, “bridged”.
  • The last thing we must do is set up the wireless parameters (essentially security) for this WLAN.
sr-2821.gogolya.pushkino#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
sr-2821.gogolya.push(config)#bridge 20 protocol ieee
sr-2821.gogolya.push(config)#bridge 20 route ip
sr-2821.gogolya.push(config)#interface GigabitEthernet0/1.20
sr-2821.gogolya.push(config-subif)#description --- Free Users VLAN 20 ---
sr-2821.gogolya.push(config-subif)#encapsulation dot1q 20
sr-2821.gogolya.push(config-subif)#bridge-group 20
sr-2821.gogolya.push(config-subif)#exit
sr-2821.gogolya.push(config)#interface Wlan-controller 1/0.20
sr-2821.gogolya.push(config-subif)#description --- Free Users VLAN 20 ---
sr-2821.gogolya.push(config-subif)#encapsulation dot1q 20
sr-2821.gogolya.push(config-subif)#bridge-group 20
sr-2821.gogolya.push(config-subif)#exit
sr-2821.gogolya.push(config)#interface bvi 20
sr-2821.gogolya.push(config-if)#exit
sr-2821.gogolya.push(config)#end
sr-2821.gogolya.pushkino#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
sr-2821.gogolya.pushkino#

Some comments:

  • “bridge 20 protocol ieee” - defines the IEEE version of Spanning-Tree Protocol (STP) for Bridge Group number 20.
  • “bridge 20 route ip” - enables carrying IP traffic through this Bridge Group.
  • Then we create two subinterfaces, “interface GigabitEthernet0/1.20” and “interface Wlan-controller 1/0.20”, for VLAN20 and assign them to the newly created Bridge Group 20.
  • “interface bvi 20” - creates the BVI interface for Bridge Group 20 (not for VLAN20; VLAN20 appears only as part of the subinterface configurations above).
(wifi-wlc6.gogolya.pushkino) >config wlan disable 2
(wifi-wlc6.gogolya.pushkino) >config interface create vlan20 20
(wifi-wlc6.gogolya.pushkino) >config interface port vlan20 1
(wifi-wlc6.gogolya.pushkino) >config interface address dynamic-interface vlan20 192.168.0.2 255.255.255.0 192.168.0.1
(wifi-wlc6.gogolya.pushkino) >config interface dhcp dynamic-interface vlan20 primary 172.16.0.2
(wifi-wlc6.gogolya.pushkino) >config acl create vlan20-acl
(wifi-wlc6.gogolya.pushkino) >config acl rule add vlan20-acl 1
(wifi-wlc6.gogolya.pushkino) >config acl rule source address vlan20-acl 1 192.168.0.1 255.255.255.255
(wifi-wlc6.gogolya.pushkino) >config acl rule destination address vlan20-acl 1 192.168.0.2 255.255.255.255
(wifi-wlc6.gogolya.pushkino) >config acl rule direction vlan20-acl 1 in
(wifi-wlc6.gogolya.pushkino) >config acl rule action vlan20-acl 1 permit
(wifi-wlc6.gogolya.pushkino) >config acl rule add vlan20-acl 2
(wifi-wlc6.gogolya.pushkino) >config acl rule destination address vlan20-acl 2 192.168.0.2 255.255.255.255
(wifi-wlc6.gogolya.pushkino) >config acl rule direction vlan20-acl 2 in
(wifi-wlc6.gogolya.pushkino) >config acl rule action vlan20-acl 2 deny
(wifi-wlc6.gogolya.pushkino) >config acl rule add vlan20-acl 3
(wifi-wlc6.gogolya.pushkino) >config acl rule action vlan20-acl 3 permit
(wifi-wlc6.gogolya.pushkino) >config interface acl vlan20 vlan20-acl
(wifi-wlc6.gogolya.pushkino) >config acl apply vlan20-acl
(wifi-wlc6.gogolya.pushkino) >show acl detailed vlan20-acl
                   Source                        Destination                Source Port  Dest Port
I  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP Action
-- --- ------------------------------- ------------------------------- ---- ----------- ----------- ---- ------
 1  In     192.168.0.1/255.255.255.255     192.168.0.2/255.255.255.255  Any     0-65535     0-65535  Any Permit 
 2  In         0.0.0.0/0.0.0.0             192.168.0.2/255.255.255.255  Any     0-65535     0-65535  Any   Deny 
 3 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit
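
The WLC walks this list top to bottom and stops at the first matching rule, which is why the gateway permit has to sit above the catch-all deny. The Python below is an added example, not WLC code: it models the three rules exactly as “show acl detailed vlan20-acl” prints them so that their order and direction can be checked offline. The wireless client 192.168.0.77 and the external host 8.8.8.8 used as sample packets are assumed for illustration.

```python
"""First-match model of the WLC interface ACL "vlan20-acl" shown above.

Added example, not WLC code. Source and destination are "addr/netmask" as in
the `show acl detailed` table; direction "any" matches both "in" and "out".
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    seq: int
    src: str        # "addr/netmask"; 0.0.0.0/0.0.0.0 means any
    dst: str
    direction: str  # "in", "out" or "any"
    action: str     # "permit" or "deny"


# The list from `show acl detailed vlan20-acl`, in sequence order.
VLAN20_ACL = [
    Rule(1, "192.168.0.1/255.255.255.255", "192.168.0.2/255.255.255.255", "in", "permit"),
    Rule(2, "0.0.0.0/0.0.0.0", "192.168.0.2/255.255.255.255", "in", "deny"),
    Rule(3, "0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0", "any", "permit"),
]


def _in_net(net, addr):
    """True if addr falls inside the addr/netmask network."""
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net, strict=False)


def evaluate(acl, src, dst, direction):
    """Return (action, matching seq); first match wins.

    A packet that matches no rule is dropped, modelled as ("deny", None).
    """
    for rule in acl:
        if rule.direction != "any" and rule.direction != direction:
            continue
        if _in_net(rule.src, src) and _in_net(rule.dst, dst):
            return rule.action, rule.seq
    return "deny", None


def dhcp_relay_still_works(acl, gateway="192.168.0.1", dyn_if="192.168.0.2"):
    """The one flow the dynamic interface exists for must stay permitted."""
    return evaluate(acl, gateway, dyn_if, "in")[0] == "permit"


def swapped(acl):
    """Same rules with sequences 1 and 2 exchanged, to show why order matters."""
    return [acl[1], acl[0]] + acl[2:]


if __name__ == "__main__":
    client = "192.168.0.77"  # assumed wireless client on VLAN20
    print(evaluate(VLAN20_ACL, "192.168.0.1", "192.168.0.2", "in"))  # ('permit', 1)
    print(evaluate(VLAN20_ACL, client, "192.168.0.2", "in"))         # ('deny', 2)
    print(evaluate(VLAN20_ACL, client, "8.8.8.8", "in"))             # ('permit', 3)
    print(dhcp_relay_still_works(swapped(VLAN20_ACL)))               # False
```

Two things the model makes visible: with rules 1 and 2 exchanged the gateway's DHCP traffic hits the deny and the relay breaks, and because rules 1 and 2 are “In” only, a packet to 192.168.0.2 in the other direction reaches only rule 3. Check which direction your WLC version applies to client-originated traffic before relying on rule 2 alone to shield the dynamic interface.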

(wifi-wlc6.gogolya.pushkino) >show interface summary
Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
ap-manager                       1    10       172.16.0.51     Static  Yes    No
management                       1    10       172.16.0.50     Static  No     No
virtual                          N/A  N/A      1.1.1.1         Static  No     No
vlan20                           1    20       192.168.0.2     Dynamic No     No

(wifi-wlc6.gogolya.pushkino) >show interface detailed vlan20
Interface Name................................... vlan20
MAC Address...................................... 00:15:2c:e9:51:40
IP Address....................................... 192.168.0.2
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.0.1
VLAN............................................. 20
Quarantine-vlan.................................. no
Physical Port.................................... 1
Primary DHCP Server.............................. 172.16.0.2
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. vlan20-acl
AP Manager....................................... No
Guest Interface.................................. No

(wifi-wlc6.gogolya.pushkino) >config wlan interface 2 vlan20
(wifi-wlc6.gogolya.pushkino) >show wlan 2
WLAN Identifier.................................. 2
Profile Name..................................... free.united-networks.ru
Network Name (SSID).............................. free.united-networks.ru
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
Webauth DHCP exclusion........................... Disabled
Interface........................................ vlan20
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Allowed
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
   CKIP ......................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------

(wifi-wlc6.gogolya.pushkino) >config wlan security wpa wpa2 ciphers aes disable 2
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa wpa2 disable 2
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa akm 802.1x disable 2
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa disable 2
(wifi-wlc6.gogolya.pushkino) >config wlan enable 2
(wifi-wlc6.gogolya.pushkino) >show wlan 2
WLAN Identifier.................................. 2
Profile Name..................................... free.united-networks.ru
Network Name (SSID).............................. free.united-networks.ru
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
Webauth DHCP exclusion........................... Disabled
Interface........................................ vlan20
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Allowed
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   CKIP ......................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)
   Client MFP.................................... Optional but inactive (WPA2 not configured)
   Tkip MIC Countermeasure Hold-down Timer....... 60
 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------

(wifi-wlc6.gogolya.pushkino) >show wlan summary
Number of WLANs.................................. 2
WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
-------  -------------------------------------  --------  --------------------
1        united-networks.ru / united-networks.ru  Enabled   management
2        free.united-networks.ru / free.united-networks.ru  Enabled   vlan20

(wifi-wlc6.gogolya.pushkino) >

Some comments:

  • “config wlan disable 2” - we must disable the WLAN to allow changes to it.
  • “config interface create vlan20 20” - now we create an interface named “vlan20” which will accept VLAN tag “20”.
  • “config interface port vlan20 1” - assigns physical port 1 to interface “vlan20”.
  • “config interface address dynamic-interface vlan20 192.168.0.2 255.255.255.0 192.168.0.1” - here we assign the IP address, mask and default gateway to interface “vlan20”.
  • “config interface dhcp dynamic-interface vlan20 primary 172.16.0.2” - assigns the DHCP server IP address “172.16.0.2” to interface “vlan20”. Because interface “vlan20” has no idea where 172.16.0.2 is located, it sends the packet to its default gateway, that is to 192.168.0.1. The latter forwards it to the destination, acting as a DHCP relay.
  • “config acl create vlan20-acl” - we create the ACL. At this point just the ACL itself. It has the arbitrarily chosen name “vlan20-acl”; I named it that way to match the name of the interface the ACL will be assigned to.
  • “config acl rule add vlan20-acl 1” - this adds a rule with index “1” to the previously created ACL “vlan20-acl”.
  • “config acl rule source address vlan20-acl 1 192.168.0.1 255.255.255.255” - this is not a Cisco router or switch where we were able to enter the whole entry at once! Here we must configure the different parts of a single rule with separate commands. Here the source IP address for rule 1 is defined.
  • “config acl rule destination address vlan20-acl 1 192.168.0.2 255.255.255.255” - here the destination IP address for rule 1 is defined.
  • “config acl rule direction vlan20-acl 1 in” - this is the direction in which the rule is applied, that is only for incoming traffic (to the dynamic interface from the VLAN20 subnet).
  • “config acl rule action vlan20-acl 1 permit” - this is the action taken by the WLC if all the above parameters match.
  • Additionally we configure two more rules in the same way. Together they allow access over the whole IP stack from “host” 192.168.0.1 to “host” 192.168.0.2, deny access from anyone else to 192.168.0.2 and permit any other activity. All of them are in the “IN” direction. Consider that a client could send packets to 192.168.0.1 (a DNS request, for example) through this dynamic interface, and this type of traffic must be allowed for the client to work normally.
  • “config interface acl vlan20 vlan20-acl” - assigns the ACL named “vlan20-acl” to dynamic interface “vlan20”.
  • “config acl apply vlan20-acl” - checks the indicated ACL and applies it to the interface in whose settings this ACL figures.
  • “config wlan interface 2 vlan20” - assigns dynamic interface “vlan20” to the WLAN with id=2 (“free.united-networks.ru”).
  • “show wlan 2” - shows that some authentication methods are enabled for WLAN 2. They must be disabled to leave the WLAN totally open (with no authentication).
  • “config wlan security wpa wpa2 ciphers aes disable 2” - let's go from the end to the beginning: first disable the detailed parameters, then the global option. This disables the AES cipher for WPA2 on WLAN 2.
  • “config wlan security wpa wpa2 disable 2” - disables WPA2 altogether.
  • “config wlan security wpa akm 802.1x disable 2” - disables 802.1x (RADIUS) authentication for WLAN 2.
  • “config wlan security wpa disable 2” - disables WPA as a class.
  • “config wlan enable 2” - enables operation of WLAN 2 “free.united-networks.ru”.

If, however, we decide to disable “DHCP-proxy” mode for the whole WLC6, some of the above actions are not required. The same listing, with only the necessary commands, is essentially shorter. :-)

(wifi-wlc6.gogolya.pushkino) >config dhcp proxy disable
(wifi-wlc6.gogolya.pushkino) >show dhcp proxy
DHCP Proxy Behaviour: disabled

(wifi-wlc6.gogolya.pushkino) >config wlan disable 2
(wifi-wlc6.gogolya.pushkino) >config interface create vlan20 20
(wifi-wlc6.gogolya.pushkino) >config interface port vlan20 1
(wifi-wlc6.gogolya.pushkino) >config wlan interface 2 vlan20
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa wpa2 ciphers aes disable 2
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa wpa2 disable 2
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa akm 802.1x disable 2
(wifi-wlc6.gogolya.pushkino) >config wlan security wpa disable 2
(wifi-wlc6.gogolya.pushkino) >config wlan enable 2

This is because there is no need to secure the dynamic interface and no need to assign an IP address to it. The rest of the WLAN-related commands are much the same. Here I have to mention the WLC6 expert Justin Kurinny (https://supportforums.cisco.com/people/airframes?view=profile). He helped me very much; my special appreciation to him! Generally speaking, http://supportforums.cisco.com is a powerful tool for resolving “strange things”. Take note of it! Another source of knowledge was the documentation: DHCP with the WLC.

All of the above is good, but the best practice would be to assign a bogus IP address to the dynamic interface and configure an ACL that denies any access to this bogus address and permits any other activity. Some WLC6 firmwares require that a dynamic interface has an IP address; otherwise they filter all traffic in one direction. Remember the implicit “deny any any” at the end of all Cisco access lists!

(wifi-wlc6.gogolya.pushkino) >config wlan disable 2
(wifi-wlc6.gogolya.pushkino) >config interface address vlan20 3.3.3.3 255.255.255.0 3.3.3.1
(wifi-wlc6.gogolya.pushkino) >config acl create vlan20-acl
(wifi-wlc6.gogolya.pushkino) >config acl rule add vlan20-acl 1
(wifi-wlc6.gogolya.pushkino) >config acl rule destination address vlan20-acl 1 3.3.3.3 255.255.255.255
(wifi-wlc6.gogolya.pushkino) >config acl rule direction vlan20-acl 1 in
(wifi-wlc6.gogolya.pushkino) >config acl rule action vlan20-acl 1 deny
(wifi-wlc6.gogolya.pushkino) >config acl rule add vlan20-acl 2
(wifi-wlc6.gogolya.pushkino) >config acl rule source address vlan20-acl 2 3.3.3.3 255.255.255.255
(wifi-wlc6.gogolya.pushkino) >config acl rule direction vlan20-acl 2 out
(wifi-wlc6.gogolya.pushkino) >config acl rule action vlan20-acl 2 deny
(wifi-wlc6.gogolya.pushkino) >config acl rule add vlan20-acl 3
(wifi-wlc6.gogolya.pushkino) >config acl rule action vlan20-acl 3 permit
(wifi-wlc6.gogolya.pushkino) >show acl detailed vlan20-acl
Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1  In         0.0.0.0/0.0.0.0                 3.3.3.3/255.255.255.255  Any     0-65535     0-65535  Any   Deny           0
     2 Out         3.3.3.3/255.255.255.255         0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any   Deny           0
     3 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit           0
 DenyCounter : 0

(wifi-wlc6.gogolya.pushkino) >config interface acl vlan20 vlan20-acl
(wifi-wlc6.gogolya.pushkino) >config acl apply vlan20-acl
(wifi-wlc6.gogolya.pushkino) >config wlan enable 2

If we don't restrict access to “vlan20”'s IP address, somebody could see something like this in Wireshark on his notebook:

/root> tshark -ni vlan20 -R "not stp"
. . .
4145.347890 00:15:2c:e9:51:40 -> ff:ff:ff:ff:ff:ff ARP Who has 3.3.3.1?  Tell 3.3.3.3
. . .

and he could try to scan it by assigning the alias IP “3.3.3.1” to his notebook's interface! The dynamic interface is unprotected! Notice that “0.0.0.0” indicated as the gateway means that there is no exit to the LAN.

WLC6 Security issues

It's very desirable to restrict some types of access to avoid your network being crashed by Chinese hackers. :-) The first and indispensable thing is disabling management from the wireless side, and in our particular case additionally disabling management from VLAN 20, that is from the free Wi-Fi network.

(wifi-wlc6.gogolya.pushkino) >show network summary
. . .
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Enable
. . .

(wifi-wlc6.gogolya.pushkino) >config network mgmt-via-dynamic-interface disable
(wifi-wlc6.gogolya.pushkino) >show network summary
. . .
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
. . .

(wifi-wlc6.gogolya.pushkino) >

The second important thing is configuring a CPU ACL to restrict management access to trusted networks and/or hosts only.

(wifi-wlc6.gogolya.pushkino) >config acl create cpu-acl
(wifi-wlc6.gogolya.pushkino) >config acl rule add cpu-acl 1
(wifi-wlc6.gogolya.pushkino) >config acl rule source address cpu-acl 1 172.16.0.0 255.240.0.0
(wifi-wlc6.gogolya.pushkino) >config acl rule action cpu-acl 1 permit
(wifi-wlc6.gogolya.pushkino) >config acl rule add cpu-acl 2
(wifi-wlc6.gogolya.pushkino) >config acl rule action cpu-acl 2 deny
(wifi-wlc6.gogolya.pushkino) >config acl apply cpu-acl
(wifi-wlc6.gogolya.pushkino) >config acl cpu cpu-acl

Some comments:

  • config acl cpu cpu-acl - assigns ACL with name “cpu-acl” to the CPU.
  • config acl cpu none - removes ACL from CPU.
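To make the first-match and implicit-deny behaviour of the two ACLs above concrete (the “vlan20-acl” protecting the bogus 3.3.3.3 address, and this “cpu-acl”), here is an added Python model. It is not Cisco's implementation; it assumes, as the text describes, that direction “in” is traffic from the wireless client toward the controller and “out” is the reverse.

```python
"""Model of how a WLC ACL decides, as an added example (not Cisco code).

Rules are tried in index order and the first match wins. Direction "in" is
traffic from the wireless client toward the controller/wired side, "out" is
the reverse, "any" matches both. A packet that matches no rule hits the
implicit deny at the end of every Cisco access list.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Rule:
    index: int
    action: str                           # "permit" or "deny"
    direction: str = "any"                # "in", "out" or "any"
    source: str = "0.0.0.0/0.0.0.0"       # address/netmask as 'show acl detailed' prints it
    destination: str = "0.0.0.0/0.0.0.0"


def in_range(address, spec):
    """True if address lies inside 'ip/netmask' (dotted netmask, WLC style)."""
    ip, mask = spec.split("/")
    return ipaddress.ip_address(address) in ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def evaluate(rules, src, dst, direction):
    """Return (action, matching rule index); ("deny", None) is the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.direction != "any" and rule.direction != direction:
            continue
        if in_range(src, rule.source) and in_range(dst, rule.destination):
            return rule.action, rule.index
    return "deny", None


# vlan20-acl exactly as 'show acl detailed vlan20-acl' lists it on this page:
# the bogus interface address 3.3.3.3 is unreachable in both directions,
# everything else is permitted by rule 3.
VLAN20_ACL = [
    Rule(1, "deny", "in", destination="3.3.3.3/255.255.255.255"),
    Rule(2, "deny", "out", source="3.3.3.3/255.255.255.255"),
    Rule(3, "permit", "any"),
]

# cpu-acl from this page: management traffic only from 172.16.0.0/12
# (netmask 255.240.0.0), everything else denied explicitly by rule 2.
CPU_ACL = [
    Rule(1, "permit", source="172.16.0.0/255.240.0.0"),
    Rule(2, "deny"),
]


if __name__ == "__main__":
    # Constructed packets: a client 192.168.0.16 plus the WLC addresses from the page.
    cases = [
        (VLAN20_ACL, "192.168.0.16", "3.3.3.3", "in"),      # probe of the bogus address
        (VLAN20_ACL, "192.168.0.16", "192.168.0.1", "in"),  # DNS request to the gateway
        (CPU_ACL, "172.16.0.1", "172.16.0.50", "in"),       # management from the trusted LAN
        (CPU_ACL, "192.168.0.16", "192.168.0.2", "in"),     # the ping from VLAN20 shown below
        (CPU_ACL[:1], "192.168.0.16", "192.168.0.2", "in"), # same, relying on the implicit deny
    ]
    for rules, src, dst, direction in cases:
        action, idx = evaluate(rules, src, dst, direction)
        print(f"{src:>13} -> {dst:<13} {direction:<3} {action:<6} rule {idx}")
```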

Just look at the results. Before:

/root> ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: icmp_seq=0 ttl=128 time=0.883 ms^C
--- 192.168.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.883/0.883/0.883/0.000 ms
/root>

Right after:

/root> ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes^C
--- 192.168.0.2 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
/root>

These results were in VLAN20.

Another trick is to disable SSID broadcasting in the beacons regularly sent by the LAPs, to hide the network from the public. APs announce in beacons (802.11 management frames) all the information about the infrastructure BSS, such as the Network Name (SSID), supported data rates, frequency channel and so on. By hiding the Network Name we remove it from the list of wireless networks shown in the wireless adapter's settings. This cuts off the mass of poor hackers, but a rogue professional can still intercept the Association Requests from my notebook: the SSID is transmitted in clear text during association.

(wifi-wlc6.gogolya.pushkino) >config wlan disable 2
(wifi-wlc6.gogolya.pushkino) >config wlan broadcast-ssid disable 2
(wifi-wlc6.gogolya.pushkino) >config wlan enable 2

But here a problem arises: some wireless clients, for example Nokia smartphones, cannot associate with such networks!

One more thing is to disable web configuration and Telnet access.

(wifi-wlc6.gogolya.pushkino) >config network webmode disable
(wifi-wlc6.gogolya.pushkino) >config network telnet disable
(wifi-wlc6.gogolya.pushkino) >show network summary
. . .
Web Mode.................................... Disable
Secure Web Mode............................. Enable
. . .
Telnet...................................... Disable
. . .
(wifi-wlc6.gogolya.pushkino) >config network secureweb disable
You must reboot for the change to take effect.
(wifi-wlc6.gogolya.pushkino) >save config
Are you sure you want to save? (y/n) y
Configuration Saved!

(wifi-wlc6.gogolya.pushkino) >reset system
Are you sure you would like to reset the system? (y/N)y
. . .

You may or may not disable HTTPS (Secure Web). If you disable web access entirely, only the CLI (command-line interface) will remain (and, for example, an ACL is much harder to configure through the CLI!). Secure Web establishes an encrypted channel between the web server and the web client, through which usernames and passwords are transmitted; this rules out the possibility of their interception. In general this is at your discretion.

Some conclusion aspects

Remember to do the following regularly:

(wifi-wlc6.gogolya.pushkino) >save config
Are you sure you want to save? (y/n) y
Configuration Saved!

(wifi-wlc6.gogolya.pushkino) >

Otherwise: the WLC6 console sometimes likes to hang, and all configuration changes are lost.

In conclusion, look at the “show …” and “debug …” command families. I actively used debug, for example, while studying DHCP-proxy on the WLC6:

(wifi-wlc6.gogolya.pushkino) >debug dhcp packet enable
(wifi-wlc6.gogolya.pushkino) >
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP received op BOOTREQUEST (1) (len 308, port 1, encap 0xec03)
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP processing DHCP DISCOVER (1)
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   xid: 0x1ba17fa7 (463568807), secs: 0, flags: 0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   chaddr: 00:16:cf:20:87:03
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP successfully bridged packet to DS

Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP received op BOOTREPLY (2) (len 321, port 1, encap 0xec00)
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP processing DHCP OFFER (2)
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   xid: 0x1ba17fa7 (463568807), secs: 0, flags: 0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   chaddr: 00:16:cf:20:87:03
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   ciaddr: 0.0.0.0,  yiaddr: 192.168.0.16
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   siaddr: 172.16.0.2,  giaddr: 192.168.0.1
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   server id: 172.16.0.2  rcvd server id: 172.16.0.2
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP successfully bridged packet to STA

Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP received op BOOTREQUEST (1) (len 322, port 1, encap 0xec03)
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP processing DHCP REQUEST (3)
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   xid: 0x1ba17fa7 (463568807), secs: 0, flags: 0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   chaddr: 00:16:cf:20:87:03
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   requested ip: 192.168.0.16
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   server id: 172.16.0.2  rcvd server id: 172.16.0.2
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP successfully bridged packet to DS

Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP received op BOOTREPLY (2) (len 326, port 1, encap 0xec00)
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP processing DHCP ACK (5)
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   xid: 0x1ba17fa7 (463568807), secs: 0, flags: 0
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   chaddr: 00:16:cf:20:87:03
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   ciaddr: 0.0.0.0,  yiaddr: 192.168.0.16
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   siaddr: 0.0.0.0,  giaddr: 192.168.0.1
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP   server id: 172.16.0.2  rcvd server id: 172.16.0.2
Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP successfully bridged packet to STA

(wifi-wlc6.gogolya.pushkino) >debug disable-all
(wifi-wlc6.gogolya.pushkino) >debug ?
aaa            Configures the AAA debug options.
airewave-director Configures the Airewave Director debug options
ap             Configures debug of Cisco AP.
arp            Configures debug of ARP.
bcast          Configures debug of broadcast.
cac            Configures the call admission control (CAC) debug options.
cckm           Configures the CCKM debug options.
ccxdiag        Configures the CCX Diagnostic debug options.
ccxrm          Configures the CCX_RM debug options.
cdp            Configures debug of cdp.
client         Enables debugs for common client problems.
dhcp           Configures the DHCP debug options.
disable-all    Disables all debug messages.
dot1x          Configures the 802.1X debug options.
dot11          Configures the 802.11 events debug options.
emweb          Configures the WEB debug options.
ft             Configures the 802.11r debug options.
hreap          Configures debug of HREAP.
iapp           Configures the IAPP debug options.
locp           Configures the LOCP debug options.
lwapp          Configures the LWAPP debug options
l2age          Configures debug of Layer 2 Ago Timeout Messages.
l2roam         Configures the L2 Roam debug options.
mac            Configures MAC debugging
mesh           Configures the Mesh debug options.
mobility       Configures the Mobility debug options.
nac            Configures debug of Network Access Control (NAC).
ntp            Configures debug of NTP.
packet         Configures packet debugging options.
pem            Configures the access policy manager debug options.
pm             Configures debug of security policy manager module
rbcp           Configures the RBCP debug options
snmp           Configures the SNMP debug options.
transfer       Configures the transfer debug options.
wcp            Configures debug of WLAN Control Protocol (WCP).
wps            Configures debug of WPS.
(wifi-wlc6.gogolya.pushkino) >

As you have seen, there are numerous debugging possibilities.
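The DHCP-proxy exchange captured above can be checked mechanically. The following Python parser is an added example, not Cisco's code or the page's own: it reads “debug dhcp packet” lines (the sample is constructed from the output shown above), groups them by xid and flags a broken DISCOVER/OFFER/REQUEST/ACK order, a lease that differs from the requested address, a reply bridged in the wrong direction, or an OFFER and ACK from different server ids.

```python
"""Parser for WLC 'debug dhcp packet enable' output, as an added example
(not Cisco code). It groups the debug lines by transaction id, checks the
DISCOVER/OFFER/REQUEST/ACK order and reports the addresses the proxied
path put into the packets, so a capture can be verified quickly."""
import re
from collections import defaultdict

# Sample constructed from the debug output shown on this page (same MAC,
# xid and addresses); the per-line timestamp/MAC prefix is factored out.
_PREFIX = "Mon Feb 27 18:35:31 2012: 00:16:cf:20:87:03 DHCP"
SAMPLE_DEBUG = "\n".join(_PREFIX + " " + s for s in [
    "processing DHCP DISCOVER (1)",
    "  xid: 0x1ba17fa7 (463568807), secs: 0, flags: 0",
    "  ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0",
    "  siaddr: 0.0.0.0,  giaddr: 0.0.0.0",
    "successfully bridged packet to DS",
    "processing DHCP OFFER (2)",
    "  xid: 0x1ba17fa7 (463568807), secs: 0, flags: 0",
    "  ciaddr: 0.0.0.0,  yiaddr: 192.168.0.16",
    "  siaddr: 172.16.0.2,  giaddr: 192.168.0.1",
    "  server id: 172.16.0.2  rcvd server id: 172.16.0.2",
    "successfully bridged packet to STA",
    "processing DHCP REQUEST (3)",
    "  xid: 0x1ba17fa7 (463568807), secs: 0, flags: 0",
    "  ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0",
    "  siaddr: 0.0.0.0,  giaddr: 0.0.0.0",
    "  requested ip: 192.168.0.16",
    "  server id: 172.16.0.2  rcvd server id: 172.16.0.2",
    "successfully bridged packet to DS",
    "processing DHCP ACK (5)",
    "  xid: 0x1ba17fa7 (463568807), secs: 0, flags: 0",
    "  ciaddr: 0.0.0.0,  yiaddr: 192.168.0.16",
    "  siaddr: 0.0.0.0,  giaddr: 192.168.0.1",
    "  server id: 172.16.0.2  rcvd server id: 172.16.0.2",
    "successfully bridged packet to STA",
])

MSG_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5}) DHCP processing DHCP (\w+) \(\d+\)")
FIELD_RES = {
    "xid": re.compile(r"xid: (0x[0-9a-f]+)"),
    "ciaddr": re.compile(r"ciaddr: ([\d.]+)"),
    "yiaddr": re.compile(r"yiaddr: ([\d.]+)"),
    "siaddr": re.compile(r"siaddr: ([\d.]+)"),
    "giaddr": re.compile(r"giaddr: ([\d.]+)"),
    "requested_ip": re.compile(r"requested ip: ([\d.]+)"),
    "server_id": re.compile(r"server id: ([\d.]+)"),   # first hit is the option, not 'rcvd'
    "bridged_to": re.compile(r"bridged packet to (\w+)"),
}
EXPECTED = ["DISCOVER", "OFFER", "REQUEST", "ACK"]


def parse_debug(text):
    """Turn the debug lines into one dict per DHCP message."""
    messages, current = [], None
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            current = {"mac": m.group(1), "type": m.group(2)}
            messages.append(current)
            continue
        if current is None:
            continue
        for key, rx in FIELD_RES.items():
            f = rx.search(line)
            if f:
                current[key] = f.group(1)
    return messages


def check_transaction(msgs):
    """Summarise one xid and list anything that does not look like a clean proxied DORA."""
    seq = [m["type"] for m in msgs]
    by_type = {m["type"]: m for m in msgs}
    offer, req, ack = by_type.get("OFFER"), by_type.get("REQUEST"), by_type.get("ACK")
    problems = []
    if seq != EXPECTED:
        problems.append(f"unexpected sequence {seq}")
    if req and ack and ack.get("yiaddr") != req.get("requested_ip"):
        problems.append("ACK yiaddr differs from the requested ip")
    if offer and ack and offer.get("server_id") != ack.get("server_id"):
        problems.append("OFFER and ACK came from different servers")
    for m in msgs:  # client messages go to the DS (wired side), server replies to the STA
        want = "DS" if m["type"] in ("DISCOVER", "REQUEST") else "STA"
        if m.get("bridged_to") != want:
            problems.append(f"{m['type']} bridged to {m.get('bridged_to')}, expected {want}")
    return {
        "client_mac": msgs[0]["mac"],
        "sequence": seq,
        "lease": ack.get("yiaddr") if ack else None,
        "server_id": ack.get("server_id") if ack else None,
        "relay_giaddr": ack.get("giaddr") if ack else None,  # 192.168.0.1 relayed on this page
        "problems": problems,
    }


def summarise(text):
    """Map each xid in the debug text to its transaction summary."""
    by_xid = defaultdict(list)
    for msg in parse_debug(text):
        by_xid[msg.get("xid", "?")].append(msg)
    return {xid: check_transaction(msgs) for xid, msgs in by_xid.items()}


if __name__ == "__main__":
    for xid, summary in summarise(SAMPLE_DEBUG).items():
        print(xid, summary)
```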

There are also show commands to view the wireless clients associated with a LAP:

(wifi-wlc6.gogolya.pushkino) >show client summary
Number of Clients................................ 3
MAC Address       AP Name           Status        WLAN/Guest-Lan Auth Protocol Port Wired
----------------- ----------------- ------------- -------------- ---- -------- ---- -----
00:16:cf:20:87:03 ap-1131.sokol.msk Associated    2              Yes  802.11g  1    No
00:22:b0:07:e3:21 ap-1131.sokol.msk Probing       N/A            No   802.11b  1    No
f0:cb:a1:ae:75:60 ap-1131.sokol.msk Probing       N/A            No   802.11b  1    No

(wifi-wlc6.gogolya.pushkino) >show client detail 00:16:cf:20:87:03
Client MAC Address............................... 00:16:cf:20:87:03
Client Username ................................. N/A
AP MAC Address................................... 00:26:99:f1:47:20
Client State..................................... Associated
Wireless LAN Id.................................. 2
BSSID............................................ 00:26:99:f1:47:21
Channel.......................................... 11
IP Address....................................... 192.168.0.16
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 4
Client E2E version............................... No E2E support
QoS Level........................................ Silver
Diff Serv Code Point (DSCP)...................... disabled
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
U-APSD Support................................... Disabled
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan20
VLAN............................................. 20
Client Capabilities:
      CF Pollable................................ Not implemented
      CF Poll Request............................ Not implemented
      Short Preamble............................. Implemented
      PBCC....................................... Not implemented
      Channel Agility............................ Not implemented
      Listen Interval............................ 0
Client Statistics:
      Number of Bytes Received................... 43739
      Number of Bytes Sent....................... 917
      Number of Packets Received................. 1135
      Number of Packets Sent..................... 4
      Number of Policy Errors.................... 0
      Radio Signal Strength Indicator............ -51 dBm
      Signal to Noise Ratio...................... 45 dB
Nearby AP Statistics:
        TxExcessiveRetries: 0
        TxRetries: 0
        RtsSuccessCnt: 0
        RtsFailCnt: 0
        TxFiltered: 0
        TxRateProfile: [0,0,0,0,0,0,0,0,0,0,0,0]
      ap-1131.sokol.msk(slot 0) .................
antenna0: 36 seconds ago -50 dBm................. antenna1: 37 seconds ago -42 dBm

(wifi-wlc6.gogolya.pushkino) >show ap summary
Number of APs.................................... 1
Global AP User Name.............................. root_wifi
AP Name             Slots  AP Model             Ethernet MAC       Location          Port  Country
------------------  -----  -------------------  -----------------  ----------------  ----  -------
ap-1131.sokol.msk    2     AIR-AP1131AG-E-K9    c4:7d:4f:2f:42:8e  default location  1     RU

(wifi-wlc6.gogolya.pushkino) >show ap join stats summary all
Number of APs.............................................. 1
00:26:99:f1:47:20.......................................... Joined

(wifi-wlc6.gogolya.pushkino) >

CISCO: Upgrading WLC6 IOS

CAUTION! Upgrading the NM-AIR-WLC6-K9 to a version above 4.x.x.x is very dangerous: it can crash the IOS, make LAPs refuse to join, make wireless clients unable to associate, and so on! It is especially dangerous when the WLC6 is migrating from version 4.x.x.x to a higher one. My WLC6 had 5.0.148.0 and I took the risk.

(wifi-wlc6.gogolya.pushkino) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 5.0.148.0
RTOS Version..................................... 5.0.148.0
Bootloader Version............................... 5.0.148.0
Build Type....................................... DATA + WPS

System Name...................................... wifi-wlc6.gogolya.pushkino
System Location.................................. gogolya.pushkino
System Contact................................... eyatsko@ngs.ru
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.5
IP Address....................................... 172.16.0.50
System Up Time................................... 1 days 18 hrs 43 mins 1 secs
System Timezone Location......................... (GMT +4:00) Muscat, Abu Dhabi

Configured Country............................... RU  - Russian Federation

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 2
3rd Party Access Point Support................... Disabled
--More-- or (q)uit
Number of Active Clients......................... 1

Burned-in MAC Address............................ 00:15:2C:E9:51:40

(wifi-wlc6.gogolya.pushkino) >

The procedure is rather simple. It is documented in detail on http://cisco.com in the article wireless_lan_controller_wlc_software_upgrade.rar.

  1. First, ensure that there is connectivity between the WLC6's management interface and the TFTP server:
    (wifi-wlc6.gogolya.pushkino) >ping 172.16.0.1
    Send count=3, Receive count=3 from 172.16.0.1
    
    (wifi-wlc6.gogolya.pushkino) >
  2. Then we put the IOS file on the TFTP server. My WLC6 rejected the version 7 image because its size was 64M - there was simply no space on the embedded flash! That is, it downloaded the image but could not store it, generating a corresponding SYSLOG error. Actually, that is how I found out about it :-), since the WLC6's own output is rather poor in this sense:
    (wifi-wlc6.gogolya.pushkino) >transfer download start
    Mode............................................. TFTP
    Data Type........................................ Code
    TFTP Server IP................................... 172.16.0.1
    TFTP Packet Timeout.............................. 6
    TFTP Max Retries................................. 10
    TFTP Path........................................
    TFTP Filename.................................... AIR-WLCM-K9-7-0-98-0.aes
    This may take some time.
    Are you sure you want to start? (y/N) y
    TFTP Code transfer starting.
    Code file transfer failed - Error while writing output file
    
    (wifi-wlc6.gogolya.pushkino) >

    And the output produced by tshark on the TFTP server during the transfer (thanks to SYSLOG being set up on the WLC6; see the chapter above for how to set it up) is:

    /root> tshark -ni vlan10 host 172.16.0.50
    . . .
    2033.084090  172.16.0.50 -> 172.16.0.1   UDP Source port: 7704  Destination port: 53024
    2033.084149   172.16.0.1 -> 172.16.0.50  UDP Source port: 53024  Destination port: 7704
    2033.085134  172.16.0.50 -> 172.16.0.1   UDP Source port: 7704  Destination port: 53024
    2033.085180   172.16.0.1 -> 172.16.0.50  UDP Source port: 53024  Destination port: 7704
    2033.086180  172.16.0.50 -> 172.16.0.1   UDP Source port: 7704  Destination port: 53024
    2033.086230   172.16.0.1 -> 172.16.0.50  UDP Source port: 53024  Destination port: 7704
    2033.087200  172.16.0.50 -> 172.16.0.1   UDP Source port: 7704  Destination port: 53024
    2033.087242   172.16.0.1 -> 172.16.0.50  UDP Source port: 53024  Destination port: 7704
    2033.089262  172.16.0.50 -> 172.16.0.1   Syslog LOCAL7.ERR:  Feb 29 10:12:18.810 osapi_file.c:569 OSAPI-3-FILE_WRITENOCLOSE_FAILED: Failed to write 512 bytes (FileDesc:11). file write no close failed.
    2033.089889  172.16.0.50 -> 172.16.0.1   Syslog LOCAL7.ERR:  - Traceback:  08259687 08291370 08059e89 0805883d 0805616f 0805a68d 0825d861 40178d67 4027edca
    2033.090805  172.16.0.50 -> 172.16.0.1   Syslog LOCAL7.ERR:  Feb 29 10:12:18.812 tftp_client.c:147 TFTP-3-WRITE_NOCLOSE_FAIL: Error while writing the local file: No space left on device
    2033.091508  172.16.0.50 -> 172.16.0.1   Syslog LOCAL7.ERR:  Feb 29 10:12:18.813 tftp_client.c:517 TFTP-3-FILE_WRITE_FAIL: Error while writing 512 bytes to file. Tftp error.
    2037.833455 00:15:2c:e9:51:40 -> 00:00:5e:00:01:02 ARP Who has 172.16.0.1?  Tell 172.16.0.50
    2037.833474 00:00:5e:00:01:02 -> 00:15:2c:e9:51:40 ARP 172.16.0.1 is at 00:00:5e:00:01:02^C
    /root>

    Look at “No space left on device” and compare it with the WLC6's “Error while writing output file”. The key words are “output file”!

  3. Next we have to set up the transfer parameters:
    (wifi-wlc6.gogolya.pushkino) >transfer download mode tftp
    (wifi-wlc6.gogolya.pushkino) >transfer download serverip 172.16.0.1
    (wifi-wlc6.gogolya.pushkino) >transfer download path
    (wifi-wlc6.gogolya.pushkino) >transfer download filename AIR-WLCM-K9-7-0-98-0.aes

    Note that the “path” parameter is empty!

  4. Then issue the last command:
    (wifi-wlc6.gogolya.pushkino) >transfer download start
    Mode............................................. TFTP
    Data Type........................................ Code
    TFTP Server IP................................... 172.16.0.1
    TFTP Packet Timeout.............................. 6
    TFTP Max Retries................................. 10
    TFTP Path........................................
    TFTP Filename.................................... AIR-WLCM-K9-6-0-199-4.aes
    This may take some time.
    Are you sure you want to start? (y/N) y
    TFTP Code transfer starting.
    TFTP receive complete... extracting components.
    Executing install_bootloader script.
    Writing new Code to flash disk.
    Executing install_code script.
    Writing new APIB to flash disk.
    Executing install_apib script.
    TFTP File transfer is successful.
      Reboot the switch for update to complete.
    
    (wifi-wlc6.gogolya.pushkino) >
  5. Reset the WLC6 and begin to pray :-)
    (wifi-wlc6.gogolya.pushkino) >reset system
    The system has unsaved changes.
    Would you like to save them now? (y/N) y
    Configuration Saved!
    System will now restart!
    
    Initializing memory.  Please wait. .  256 MB SDRAM detected
    
    BIOS Version: SM 02.00
    BIOS Build date: 09/17/02
    System Now Booting ...
    Booting from disk..., please wait.
    Cisco Bootloader Loading stage2...
    
        Cisco Bootloader (Version 6.0.199.4)
    
                          .o88b. d888888b .d8888.  .o88b.  .d88b.
                         d8P  Y8   `88'   88'  YP d8P  Y8 .8P  Y8.
                         8P         88    `8bo.   8P      88    88
                         8b         88      `Y8b. 8b      88    88
                         Y8b  d8   .88.   db   8D Y8b  d8 `8b  d8'
                          `Y88P' Y888888P `8888Y'  `Y88P'  `Y88P'
    
    Booting Primary Image...
    Press <ESC> now for additional boot options...
    Detecting hardware . . . .
    
    . . .

    and so on… Look at the “Cisco Bootloader (Version 6.0.199.4)” line and compare it with the image filename: “AIR-WLCM-K9-6-0-199-4.aes”.
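
Added example, not from the original page: a Python check of the observation above, that the version the bootloader reports after the reset must match the version encoded in the .aes image name that was actually transferred. The transfer summary and console text below are constructed samples modelled on the output above.

```python
import re

# Constructed sample text (not a real capture): the transfer summary and the boot
# console lines from the WLC6 upgrade described on this page.
TRANSFER_OUTPUT = """\
Mode............................................. TFTP
Data Type........................................ Code
TFTP Filename.................................... AIR-WLCM-K9-6-0-199-4.aes
"""
BOOT_LOG = """\
System Now Booting ...
Cisco Bootloader (Version 6.0.199.4)
Booting Primary Image...
"""

def image_from_transfer_output(text):
    """Return the filename shown on the 'TFTP Filename....' line, or None."""
    m = re.search(r"^TFTP Filename\.+\s*(\S+)\s*$", text, re.M)
    return m.group(1) if m else None

def version_from_image(filename):
    """AIR-WLCM-K9-6-0-199-4.aes -> '6.0.199.4' (the four dash-separated numbers)."""
    m = re.fullmatch(r"AIR-WLCM-K9-(\d+)-(\d+)-(\d+)-(\d+)\.aes", filename)
    if not m:
        raise ValueError("not a WLC module image name: %s" % filename)
    return ".".join(m.groups())

def bootloader_version(console_text):
    """Pull X.Y.Z.W out of the 'Cisco Bootloader (Version X.Y.Z.W)' line, or None."""
    m = re.search(r"Cisco Bootloader \(Version (\d+\.\d+\.\d+\.\d+)\)", console_text)
    return m.group(1) if m else None

def upgrade_took_effect(transfer_text, console_text):
    """True only when the version the bootloader reports after the reset equals
    the version encoded in the image that was actually transferred."""
    image = image_from_transfer_output(transfer_text)
    if image is None:
        return False
    return bootloader_version(console_text) == version_from_image(image)

if __name__ == "__main__":
    print(upgrade_took_effect(TRANSFER_OUTPUT, BOOT_LOG))  # True
```

A mismatch here (for example the 7-0-98-0 name typed in step 3 against a bootloader still reporting 6.0.199.4) means the box booted something other than what you intended.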

Note that when you upgrade WLC6, the LAP IOS embedded in the WLC6 image changes too. After the upgrade, all previously joined LAPs download the new operating system version from WLC6. A LAP ran “c1130-k9w8-mx.124-13d.JA” before, and “c1130-k9w8-mx.124-21a.JHB1” became the working IOS after the WLC6 upgrade.

Another positive moment in this story is that I can ping the ap-manager IP. In version “5.0.148.0” I could not!

/root> ping 172.16.0.50
PING 172.16.0.50 (172.16.0.50): 56 data bytes
64 bytes from 172.16.0.50: icmp_seq=0 ttl=128 time=0.823 ms^C
--- 172.16.0.50 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.823/0.823/0.823/0.000 ms
/root> ping 172.16.0.51
PING 172.16.0.51 (172.16.0.51): 56 data bytes
64 bytes from 172.16.0.51: icmp_seq=0 ttl=128 time=0.834 ms^C
--- 172.16.0.51 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.834/0.834/0.834/0.000 ms
/root>

Two more useful commands: “transfer download datatype code”, which makes the transfer binary (this is the default, but it may matter for some TFTP servers), and “debug transfer trace enable”, which gives much more detail on the download and upgrade process (switched off with “debug disable-all”).

Are you sure you want to start? (y/N) y
*Mar 01 09:27:57.882: RESULT_STRING: TFTP Code transfer starting.
*Mar 01 09:27:57.882: RESULT_CODE:1
TFTP Code transfer starting.
*Mar 01 09:28:00.769: Still waiting!  Status = 2
*Mar 01 09:28:01.884: Locking tftp semaphore, pHost=172.16.0.1 pFilename=./AIR-WLCM-K9-6-0-199-4.aes
*Mar 01 09:28:01.892: Semaphore locked, now unlocking, pHost=172.16.0.1 pFilename=./AIR-WLCM-K9-6-0-199-4.aes
*Mar 01 09:28:01.892: Semaphore successfully unlocked, pHost=172.16.0.1 pFilename=./AIR-WLCM-K9-6-0-199-4.aes
*Mar 01 09:28:03.768: Still waiting!  Status = 1
*Mar 01 09:28:06.768: Still waiting!  Status = 1
*Mar 01 09:28:09.767: Still waiting!  Status = 1

These diagnostic messages can help you understand what is wrong.

Another important point: not every firmware version can be upgraded to any other. For example, 5.2.193.0 did not “want” to load 6.0.199.4; the download process finished with an error. It is strongly recommended to disable all previously joined LAPs before the upgrade: they try to download their firmware immediately after WLC6 has been upgraded, which is very annoying, especially with all six LAPs :-).

P.s. By the way, versions after 5.0.148.0 require the Dynamic Interface to have an IP address, even a bogus one. Without it, connectivity becomes unidirectional: the gateway gets packets from wireless clients, but the clients get nothing back.

CISCO: Upgrade 1130 AP->LAP

The procedure stated below is described in detail in the following document: Upgrading Autonomous Cisco Aironet Access_Points to Lightweight Mode. To spare you the long and tiring reading, we have gathered the essentials of that article here.

  • To convert an Autonomous Access Point (AP) to an access point that supports the Lightweight Access Point (LAP) Protocol, we need special software: the “Cisco IOS Access Points Upgrade Tool”. It needs to be installed on a Windows (XP) PC by simply clicking “Next”, “Next”… and “Install”.
  • To make it upgrade our AP, we need to prepare a special text file called the “ip file”. It is an ordinary text file with a rather simple structure:
<ip-of-ap-1>,<username-1>,<password-1>,<enable-secret-1><cr>
<ip-of-ap-2>,<username-2>,<password-2>,<enable-secret-2><cr>
...
<ip-of-ap-n>,<username-n>,<password-n>,<enable-secret-n><cr>

A simple “ip file” looks like this (for a default, just-out-of-the-box AIR-AP1131AG-E-K9 with only an IP address assigned to “interface bvi1”):

172.16.16.55,Cisco,Cisco,Cisco
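
Added example, not part of the original page: a Python validator for the “ip file” above that rejects lines the Upgrade Tool could not use (wrong field count, bad address, duplicate AP) and warns about entries still carrying the factory-default “Cisco” credential, since the file holds plaintext passwords that the tool then sends over Telnet. The sample file contents are constructed; the non-default passwords in it are placeholders.

```python
import ipaddress

# Constructed sample "ip file" (not a real one): the default AP from the page,
# a malformed line, and a properly credentialed AP (placeholder password values).
IP_FILE = """\
172.16.16.55,Cisco,Cisco,Cisco
172.16.16.300,admin,s3cret
172.16.16.56,vpupkin,example-pass-1,example-enable-1
"""

DEFAULT_CREDENTIAL = "Cisco"  # factory username/password/enable secret on these APs

def parse_ip_file(text):
    """Parse <ip>,<username>,<password>,<enable-secret> lines.
    Returns (entries, errors, warnings): errors are lines the tool could not use,
    warnings are usable lines that still carry the factory-default credential."""
    entries, errors, warnings, seen = [], [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines are harmless
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            errors.append((lineno, "expected 4 comma-separated fields, got %d" % len(fields)))
            continue
        ip, user, password, enable = fields
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            errors.append((lineno, "invalid IPv4 address %r" % ip))
            continue
        if ip in seen:
            errors.append((lineno, "duplicate entry for %s" % ip))
            continue
        seen.add(ip)
        if DEFAULT_CREDENTIAL in (password, enable):
            warnings.append((lineno, "%s still uses the factory-default credential" % ip))
        entries.append({"ip": ip, "username": user, "password": password, "enable": enable})
    return entries, errors, warnings

if __name__ == "__main__":
    ok, bad, warn = parse_ip_file(IP_FILE)
    print(len(ok), "usable entries;", bad, warn)
```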
  • Attention! The “Upgrade Tool” talks to both the controller and the AP via Telnet (it issues IOS commands during the upgrade process), so Telnet must be enabled as an input transport on both the access point and the WLC! Telnet carries those commands and credentials in clear text, so disable it again once the upgrade is done.

    For AP:
    AP#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    AP(config)#line vty 0 15
    AP(config-line)#transport input telnet
    AP(config-line)#end
    AP#copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]
    AP#


    For WLC6:

    sr-2821.gogolya.pushkino#service-module wlan-controller 1/0 session
    Trying 1.1.1.1, 2066 ... Open
    User:admin
    Password:**************
    (wifi-wlc6.gogolya.pushkino) >config network telnet enable
    (wifi-wlc6.gogolya.pushkino) >save config
    Are you sure you want to save? (y/n) y
    Configuration Saved!
    
    (wifi-wlc6.gogolya.pushkino) >
  • The next action is obtaining a Lightweight IOS image for the AP 1130; it is something like “c1130-rcvk9w8-tar.124-10b.jda.tar” or “c1130-rcvk9w8-tar.124-21a.ja2.tar”. The Upgrade Tool uploads one of these images onto the AP and performs the manipulations needed to deploy it as the working IOS. These images are called “recovery images”: they only search the network for, and connect to, the WLC controller, which in turn uploads the actual image onto the LAP.
  • The next step is to run the Upgrade Tool and supply the necessary parameters in its dialog:
    • “IP File” is the ip file mentioned above;
    • Check “Retain Hostname on APs” to keep the hostname after upgrading. It doesn't work for the IOS versions indicated above, but… for complacency… :-)
    • Select “Use UpgradeTool TFTP Server” to use the Upgrade Tool's embedded TFTP server, which avoids messing with an external TFTP server and the firewall.
    • In “LWAPP Recovery Image”, choose the image file through the corresponding file selection dialog.
    • Fill in “Controller Details”: just the Management Interface IP and the username/password used to log in to the WLC controller via Telnet.
    • Select “Use Controller Time” in Time Details. Synchronizing time between the AP and the WLC controller is essential because an IPSec tunnel is set up between them, and the time difference is critical for this purpose.
    • Enter the “DNS” IP address nearest to the AP and the “DNS Domain” that is local to it.
    • Select “Detailed Logging Level” from the drop-down list when you perform this upgrade for the first time, so that you can see the reason if a problem occurs.
    • Press “Start”.
  • The process starts. After it finishes, the buttons “Config”, “APConfig”, “Summary log” and “Detailed log” become active and you can see the details of the applied actions.
  • Next we need to log in to the AP via the console (serial cable), change its IP settings and tell it the IP address of the WLC controller.

A comprehensive list of the actions the “Upgrade Tool” performs is here.

Be attentive! Once upgraded, the LAP immediately gets its own settings from the WLC controller, in particular user accounts and the enable password.

P.s. Note that the default username and password are “Cisco”/“Cisco”; the enable secret is “Cisco” too.

CISCO: Reverting 1130 LAP->AP

The procedure stated below is described (without some important details) in the following document: Upgrading Autonomous Cisco Aironet Access_Points to Lightweight Mode, in the section “Converting a Lightweight Access Point Back to Autonomous Mode”.

  • First of all you need a TFTP server, something like the usual tftpd32-4.00-setup.rar deployed on ordinary Windows XP. Alternatively you can use ATFTPD under Ubuntu, for example.
  • Then you need to add the address 10.0.0.2/255.0.0.0 to your Windows XP interface as an alias, in addition to your usual IP address (ifconfig eth1:0 10.0.0.2 netmask 255.0.0.0).
  • Next you have to move the Lightweight Access Point (LAP) onto the same subnet as the TFTP server.
  • When the process starts, the LAP automatically takes the address 10.0.0.1 and requests the TFTP server at the broadcast address 255.255.255.255. This can lead to confusion because not all TFTP servers respond to such a request.
  • Then you need an image for the Autonomous Access Point (AP). Be careful! It must be a tarball, something like c1130-k9w7-tar.124-10b.jda3.tar, while the IOS on the AP is the binary file c1130-k9w7-mx.124-10b.JDA3. Pay attention to the difference between …k9w7-tar.124… and …k9w7-mx.124…
  • Put the AP image file into the TFTP server's root directory and rename it to “c1130-k9w7-tar.default”.
  • Then turn off the LAP's power: unplug the power supply, or the Ethernet cable if it gets PoE through it.
  • Press and hold the “Mode” button (it is under the LAP's cover). Plug the power back in and keep holding the button until the “E” LED goes off and the “R” LED turns red. This takes approximately 20-30 seconds.
  • Nothing prevents you from monitoring the process by connecting to the LAP via a console cable plugged into a COM port on the same Windows XP machine. Use a PuTTY version newer than 0.58 to connect to the serial port. While you are holding the button down after the power cord is plugged in, you see the following in the console:
flashfs[0]: 11 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 15998976
flashfs[0]: Bytes used: 6340096
flashfs[0]: Bytes available: 9658880
flashfs[0]: flashfs fsck took 33 seconds.
Base ethernet MAC Address: c4:7d:4f:2f:42:8e
Initializing ethernet port 0...
Reset ethernet port 0...
Reset done!
ethernet link up, 100 mbps, full-duplex
Ethernet port 0 initialized: link is up
button is pressed, wait for button to be released...

When it has finished you can see:

Deleting current version...
Deleting flash:/c1130-rcvk9w8-mx...done.
New software image installed in flash:/c1130-k9w7-mx.124-10b.JDA3
Configuring system to use new image...done.
Requested system reload in progress...download took about 301 seconds
  • Wait until the process finishes. The LAP reboots and voilà, you have an Autonomous AP. It is convenient if you are still connected to the AP through the console: you can begin configuring it immediately! :-)

Another way to downgrade a LAP is to issue the command “config ap tftp-downgrade c1130-k9w7-tar.default <TFTP Server's IP> <AP Name>” on the controller. A practical example of using this command:

controller >show ap summary

Number of APs.................................... 1
Global AP User Name.............................. some_user

AP Name             Slots  AP Model             Ethernet MAC       Location          Port  Country
------------------  -----  -------------------  -----------------  ----------------  ----  -------
APc47d.4f2f.428e

controller >config ap tftp-downgrade c1130-k9w7-tar.default 172.16.16.1 APc47d.4f2f.428e
controller >

A comprehensive list of the LAP's actions on downgrade is here.

P.s. Note that the default username and password are “Cisco”/“Cisco”; the enable secret is “Cisco” too.

hardware_configuration.txt · Last modified: 2016/01/31 11:14 (external edit)

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported