
Command Buttons

Back: Return to the previous window.

Apply: Data is sent to the controller and made to take effect, but not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

WLANs > Edit

For existing WLANs, use WLANs > Edit to navigate to this page. For new WLANs, create a new WLAN as described in the WLANs > New page, then click Apply to navigate to this page.

This page allows you to edit the configurable parameters for a WLAN. The WLAN ID and WLAN SSID are displayed at the top of the page. The following tables describe the WLAN parameters.

Table 3-2 General Policies (Parameter: Description)

Radio Policy: Set the WLAN radio policy to apply to All (802.11a/b/g), 802.11a only, 802.11g only, 802.11b/g only, or 802.11a/g only. This setting requires that the selected bands be enabled on the 802.11a Global Parameters and 802.11b/g Global Parameters pages.

Admin Status: Set the status of the WLAN to either Enabled or Disabled.

Session Timeout: Set the maximum time for a client session before requiring reauthorization. Default = 1800 seconds.

Quality of Service (QoS): Quality of Service level, set on the Edit QoS Profile page:

Platinum (Voice)—This setting assures a high Quality of Service for Voice over Wireless.

Gold (Video)—This setting supports high-quality video applications.

Silver (Best Effort)—This is the default setting and supports normal bandwidth for clients.

Bronze (Background)—Lowest bandwidth for guest services.

VoIP clients should be set to Platinum, Gold or Silver, while low-bandwidth clients can be set to Bronze.

WMM Policy: Select one of the following:

Disabled—Use this setting to disable the WMM policy.

Allowed—Use this setting to allow clients to communicate with the WLAN.

Required—Use this setting to require clients to have WMM enabled in order to communicate with the WLAN.

Chapter 3 WLANs Menu Bar Selection WLANs

7920 Phone Support: Select one of the following:

Disabled—Use this setting to disable support for your Cisco 7920 phones on the WLAN.

Client CAC Limit—Use this setting if you want the WLAN to support the older version of the software on your Cisco 7920 phones. In older versions, the CAC limit is set on the client.

AP CAC Limit—Use this setting if you want the WLAN to support the newer version of the software on your Cisco 7920 phones. In newer versions, the CAC limit is advertised by the access points.

All 7920 Phones—Use this setting to enable WLAN support for all Cisco 7920 phones.

Broadcast SSID: Enable or disable Service Set Identifier (SSID) broadcasts.

Allow AAA Override: Enable or disable AAA override for global WLAN parameters.

When AAA Override is enabled, and a client has conflicting AAA and controller WLAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the Operating System will move clients from the default Cisco WLAN Solution WLAN VLAN to a VLAN returned by the AAA server and predefined in the controller Interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the Operating System also uses QoS, DSCP, 802.1p priority tag values and ACLs provided by the AAA server, as long as they are predefined in the controller Interface configuration. (This VLAN switching by AAA Override is also referred to as Identity Networking.)

For instance, if the Corporate WLAN primarily uses a Management Interface assigned to VLAN 2, and if AAA Override returns a redirect to VLAN 100, the Operating System redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.

When AAA Override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is only performed by the AAA server if the controller WLAN does not contain any client-specific authentication parameters.

The AAA override values may come from a RADIUS server, for example.

External Policy Validation: Enable or disable external security policy validation.
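The AAA Override decision described above, modelled as an added example (not controller code): AAA-returned VLAN, QoS and ACL values replace the WLAN defaults only when Allow AAA Override is enabled and the value is predefined on the controller. The fallback to the WLAN default for a value that is not predefined, the attribute names and the data classes are assumptions made here.

```python
"""Model of the AAA Override decision described above (constructed example, not controller
code). Assumption: an AAA-returned value not predefined in the controller Interface or ACL
configuration is ignored and the WLAN default is kept for that attribute."""
from dataclasses import dataclass, replace
from typing import Optional

QOS_LEVELS = {"Platinum", "Gold", "Silver", "Bronze"}   # Edit QoS Profile levels

@dataclass(frozen=True)
class ClientPolicy:
    vlan: int                  # WLAN interface VLAN by default, AAA-returned VLAN on override
    qos: str                   # one of QOS_LEVELS
    acl: Optional[str] = None  # name from the Access Control Lists page

@dataclass
class Controller:
    interface_vlans: set       # VLANs predefined on the Interfaces page
    acls: set                  # ACL names predefined on the controller
    aaa_override: bool         # the WLAN's Allow AAA Override setting

def resolve_client_policy(ctl, wlan_default, aaa_attrs):
    """Return (effective policy, audit notes) for one client after AAA authentication."""
    if not ctl.aaa_override:
        return wlan_default, ["AAA Override disabled: controller WLAN parameters apply"]
    policy, notes = wlan_default, []
    if "vlan" in aaa_attrs:                      # Identity Networking VLAN move
        if aaa_attrs["vlan"] in ctl.interface_vlans:
            policy = replace(policy, vlan=aaa_attrs["vlan"])
        else:
            notes.append(f"VLAN {aaa_attrs['vlan']} returned by AAA has no controller interface")
    if "qos" in aaa_attrs:
        if aaa_attrs["qos"] in QOS_LEVELS:
            policy = replace(policy, qos=aaa_attrs["qos"])
        else:
            notes.append(f"QoS level {aaa_attrs['qos']} returned by AAA is not a controller level")
    if "acl" in aaa_attrs:
        if aaa_attrs["acl"] in ctl.acls:
            policy = replace(policy, acl=aaa_attrs["acl"])
        else:
            notes.append(f"ACL {aaa_attrs['acl']} returned by AAA is not defined on the controller")
    return policy, notes

# Constructed scenario from the text: Corporate WLAN on the Management Interface (VLAN 2);
# AAA returns VLAN 100, which is predefined on the controller, so the client lands on VLAN 100.
CORPORATE = ClientPolicy(vlan=2, qos="Silver")
CONTROLLER = Controller(interface_vlans={2, 100}, acls={"guest-acl"}, aaa_override=True)
```

The audit notes are the part worth logging: a VLAN or ACL that the AAA server returns but the controller does not know about means the client silently stays on the WLAN default.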

Client Exclusion: When automatic adding to the Exclusion List (disabling) is enabled, set the timeout in seconds for disabled client machines. Client machines are disabled by MAC address, and their status can be observed on the Clients > Detail page. A timeout setting of 0 indicates that administrative control is required to re-enable the client.



DHCP Server (Override): When selected, you can enter the IP address of your DHCP server. This is a required field for some WLAN configurations. There are three valid configurations:

DHCP Server Override ON, a valid DHCP Server IP address, and DHCP Address Assignment Required: Requires all WLAN clients to obtain an IP address from the DHCP Server.

DHCP Server Override ON, a valid DHCP Server IP address, and DHCP Address Assignment Not Required: Allows all WLAN clients to obtain an IP address from the DHCP Server or use a static IP address.

DHCP Server Override OFF: Forces all WLAN clients to use the DHCP setting in the Management Interface, not the static address.

DHCP Addr. Assignment Required: Check box.

Interface Name: Limited to the non-service-port and non-virtual Interface Names configured on the Interfaces page.

You can choose both Layer 2 and Layer 3 security policies from the drop-down list under the Security Policies heading. The selected security policy options are at the bottom of the page with the appropriate parameters listed. The following tables describe these parameters.

Table 3-3 Layer 2 Security Policies (Parameter: Description)

None: No Layer 2 security selected.

WPA: Select to enable Wi-Fi Protected Access with TKIP-MIC Data Encryption. When WPA is selected as the Layer 2 security policy, you can choose to enable a Pre-Shared Key with or without a Passphrase.

RSN: Robust Security Network (802.11i standard). WPA Compatibility Mode: Enable check box. Allow RSN TKIP Clients: Enable check box. Pre-Shared Key: When enabled, you can choose to enable a pre-shared key with or without an eight- to 63-character RSN Passphrase.

802.1X: WEP 802.1X data encryption type (Note 1): 40/64-bit key, 104/128-bit key, or 128/152-bit key.

Static WEP: Static WEP encryption parameters. Key sizes: 40/64, 104/128 and 128/152 bits. Key Index: 1 to 4 (Note 2).

Cranite: Configure the WLAN to use the FIPS 140-2 compliant Cranite WirelessWall Software Suite, which uses AES encryption and VPN tunnels to encrypt and verify all data frames carried by the Cisco WLAN Solution (Note 3).

Fortress: FIPS 140-2 compliant Layer 2 security feature.

MAC Filtering: Select to filter clients by MAC address. Locally configure clients by MAC address in the MAC Filters > New page. Otherwise, configure the clients on a RADIUS server.

Static WEP + 802.1x: Use this setting to enable both Static WEP and 802.1x parameters. If this option is selected, static WEP and 802.1x parameters are displayed at the bottom of the page.

Note 1: The Third-Party AP WLAN (17) can only be configured with 802.1X encryption. Drop-down configurable 802.1X parameters are not available for this WLAN.

Note 2: One unique WEP Key Index can be applied to each WLAN. As there are only four WEP Key Indexes, only four WLANs can be configured for Static WEP Layer 2 encryption.

Note 3: When Cranite is selected as the Layer 2 security policy, no Layer 3 security policies are allowed.

Layer 3 security is available via IPSec, VPN Pass Through, or L2TP. Check software availability and client hardware compatibility before implementing IPSec. Layer 3 IPSec parameters are described in the following table.

Table 3-4 Layer 3 IPSec and L2TP Parameters (Note 1) (Parameter: Range)

IPSec Authentication: HMAC MD5; HMAC SHA1.

IPSec Encryption: DES; Triple DES; AES CBC.

IKE Authentication: Certificates, Pre Shared Key, or XAuth Pre Shared Key (Notes 2, 3).

IKE Phase 1: Aggressive or Main. When you select L2TP, only Main is allowed.

Lifetime: Timeout in seconds. Default = 28800 seconds.

IKE Diffie-Hellman Group: Group 1, 2 or 5.

Contivity Mode: Enabled or Disabled. Enable to allow the WLAN to use a Contivity IP Services Gateway for additional Cisco WLAN Solution security.


When you select Layer 3 VPN Pass Through, fill in the VPN Gateway IPSec Pass Through Address.

With VPN Pass Through, but not with IPSec or L2TP, you may also enable Web Authentication, also known as Web Auth.

When you have Web Authentication enabled, you can also select a Preauthentication ACL, which allows you to assign any of the Access Control Lists displayed on the Access Control Lists page.

Note: To enable Web Authentication, you MUST configure the Virtual Gateway Address in the Interfaces page.

RADIUS Servers

You can configure up to three RADIUS servers for the WLAN. Table 3-5 describes the RADIUS server parameters.

Web Policy: Select this check box to enable the Web Policy. The following parameters are displayed.

Authentication - If you select this option, users are prompted for a user name and password when connecting the client to the wireless network.

Passthrough - If you select this option, users can access the network directly without entering a user name and password.

Preauthentication ACL – Select the ACL to be used for traffic between the client and the controller. Refer to Access Control Lists for more information.

Email Input – This option is available for the Passthrough option only. If you select this option, you will be prompted for your email address while connecting to the network.

Note 1: You must have the optional VPN/Enhanced Security Module (crypto processor card) installed to enable IPSec. Verify it is installed on your controller using the Inventory page.

Note 2: When you select IKE Authentication Pre Shared Key or XAuth Pre Shared Key, you must also enter a key.

Note 3: When you select XAuth Pre Shared Key, the key must be at least eight bytes to interoperate with Cisco clients. Other tested clients function with a key of less than eight bytes.
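A configuration check that applies the Layer 2 and Layer 3 constraints stated in Tables 3-3 and 3-4, their notes and the Web Authentication note to a set of WLAN definitions, as an added example rather than controller code. The dictionary keys, the sample WLANs and the message wording are assumptions made here.

```python
"""Configuration lint for the Layer 2 and Layer 3 security rules in Tables 3-3 and 3-4 and
their notes (constructed example, not controller code; dict keys are assumptions here)."""
WEP_KEY_SIZES = {"40/64", "104/128", "128/152"}

def validate_wlans(wlans, virtual_gateway=None):
    """Return a list of (wlan_id, message) findings; an empty list means compliant."""
    findings, wep_index_owner = [], {}
    for w in wlans:
        wid, l2, l3 = w["id"], w.get("layer2"), w.get("layer3")
        # Table 3-3: an RSN pre-shared key needs an 8- to 63-character passphrase
        if l2 == "RSN" and w.get("psk_enabled") and not 8 <= len(w.get("passphrase", "")) <= 63:
            findings.append((wid, "RSN passphrase must be 8 to 63 characters"))
        if l2 == "Static WEP":  # Table 3-3 and Note 2: key size, index 1-4, index unique per WLAN
            if w.get("wep_key_size") not in WEP_KEY_SIZES:
                findings.append((wid, "WEP key size must be 40/64, 104/128 or 128/152"))
            idx = w.get("wep_key_index")
            if idx not in (1, 2, 3, 4):
                findings.append((wid, "WEP key index must be 1 to 4"))
            elif idx in wep_index_owner:
                findings.append((wid, f"WEP key index {idx} already used by WLAN {wep_index_owner[idx]}"))
            else:
                wep_index_owner[idx] = wid
        if l2 == "Cranite" and l3:  # Note 3 to Table 3-3
            findings.append((wid, "no Layer 3 security policy is allowed with Cranite"))
        if l3 in ("IPSec", "L2TP"):  # Table 3-4 and its Notes 2 and 3
            if l3 == "L2TP" and w.get("ike_phase1") != "Main":
                findings.append((wid, "L2TP allows only IKE Phase 1 Main"))
            if w.get("ike_dh_group") not in (1, 2, 5):
                findings.append((wid, "IKE Diffie-Hellman group must be 1, 2 or 5"))
            auth, key = w.get("ike_auth"), w.get("ike_key", "")
            if auth in ("Pre Shared Key", "XAuth Pre Shared Key") and not key:
                findings.append((wid, f"{auth} requires a key"))
            elif auth == "XAuth Pre Shared Key" and len(key.encode()) < 8:
                findings.append((wid, "XAuth key under 8 bytes will not interoperate with Cisco clients"))
        if w.get("web_auth"):  # VPN Pass Through section and its Note
            if l3 in ("IPSec", "L2TP"):
                findings.append((wid, "Web Authentication is not available with IPSec or L2TP"))
            if not virtual_gateway:
                findings.append((wid, "Web Authentication requires the Virtual Gateway Address"))
    return findings

SAMPLE_WLANS = [  # constructed WLAN definitions, not from any real controller
    {"id": 1, "layer2": "Static WEP", "wep_key_size": "104/128", "wep_key_index": 1},
    {"id": 2, "layer2": "Static WEP", "wep_key_size": "104/128", "wep_key_index": 1},
    {"id": 3, "layer2": "RSN", "psk_enabled": True, "passphrase": "short"},
    {"id": 4, "layer2": "802.1X", "layer3": "L2TP", "ike_phase1": "Aggressive",
     "ike_dh_group": 2, "ike_auth": "XAuth Pre Shared Key", "ike_key": "abc", "web_auth": True},
]
```

Running `validate_wlans(SAMPLE_WLANS)` reports the reused WEP key index on WLAN 2, the short RSN passphrase on WLAN 3, and four findings on WLAN 4.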



Command Buttons

Back: Return to the previous window.

Apply: Data is sent to the controller and made to take effect, but not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

Help: Request that the help page be displayed in a new browser window.

Table 3-5 RADIUS Servers Parameters (Server: Authentication Servers; Accounting Servers)

Server 1: Authentication Servers: Select a RADIUS server from the drop-down list. If this server is selected, it will be the default RADIUS authentication server for the specified WLAN and will override the RADIUS server that is configured for the network. Accounting Servers: Select a RADIUS server from the drop-down list. If this server is selected, it will be the default RADIUS accounting server for the specified WLAN and will override the RADIUS server that is configured for the network.

Server 2: Authentication Servers: This server has the second highest priority. Accounting Servers: This server has the second highest priority.

Server 3: Authentication Servers: This server is third in the order of priority. Accounting Servers: This server is third in the order of priority.
