Wireless controller system configuration guide 7 0cg

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Copyright © 2010 Cisco Systems, Inc.

All rights reserved.

Enabling Mobility Services and HA with WCSPLUS License 1-4

Using WCS Cisco Location Appliances 1-4

Comparison of WCS Base and WCS Location Features 1-6

Embedded Access Points 1-6

Access Point Communication Protocols 1-8

Guidelines and Restrictions for Using CAPWAP 1-8

The Controller Discovery Process 1-8

Unified Computing System 2-4

Supported Operating Systems 2-4

Installing WCS for Windows 2-5

Before You Begin 2-6

Configuring WCS to Run as a Domain User 2-13

Installing WCS for Linux 2-14

Configuring TFTP as a Network Drive 2-16

Customizing Home Page Tabs 2-23

Creating a New Tab 2-23

Customizing Home Page Content 2-24

Editing Content 2-25

Additional Edit Content Page Components 2-26

Guest Components for WCS Home Page 2-27

Using the Cisco WCS User Interface 2-28

Configuring the Search Results Display 2-44

Cisco Unified Wireless Network Solution Security 3-1

Layer 1 Solutions 3-2

Layer 2 Solutions 3-2

Layer 3 Solutions 3-2

Single Point of Configuration Policy Manager Solutions 3-2

Rogue Access Point Solutions 3-2

Rogue Access Point Challenges 3-3

Tagging and Containing Rogue Access Points 3-3

Securing Your Network Against Rogue Access Points 3-3

Interpreting the Security Tab 3-4

Security Index 3-5

Malicious Rogue Access Points 3-5

Adhoc Rogues 3-6

CleanAir Security 3-6

Unclassified Rogue Access Points 3-7

Friendly Rogue Access Points 3-7

Access Point Threats or Attacks 3-8

MFP Attacks 3-8

Attacks Detected 3-9

Recent Rogue AP Alarms 3-9

Recent Adhoc Rogue Alarm 3-9

Most Recent Security Alarms 3-9

Monitoring Rogue Access Points, Ad hoc Events, and Clients 3-9

Rogue Access Points 3-9

Monitoring Rogue AP Alarms 3-10

Classifying Rogue Access Points 3-11

Rogue Access Point Classification Types 3-13

Viewing Rogue AP Alarm Details 3-14

Viewing Rogue Client Details 3-17

Adhoc Rogue Alarms 3-17

Monitoring Adhoc Rogue Alarms 3-17

Viewing Adhoc Rogue Alarm Details 3-18

Rogue Access Point Location, Tagging, and Containment 3-19

Detecting Access Points 3-20

Working with Alarms 3-21

Monitoring Rogue Alarm Events 3-22

Viewing Rogue AP Event Details 3-23

Monitoring Adhoc Rogue Events 3-24

Viewing Adhoc Rogue Event Details 3-25

Security Overview 3-25

Security Vulnerability Assessment 3-26

Security Index 3-26

Top Security Issues 3-27

Switch Port Tracing 3-33

Integrated Security Solutions 3-34

Using WCS to Convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 Mode 3-34

Configuring a Firewall for WCS 3-35

Access Point Authorization 3-36

Management Frame Protection (MFP) 3-36

Guidelines for Using MFP 3-38

Configuring Intrusion Detection Systems (IDS) 3-38

Viewing IDS Sensors 3-38

Configuring IDS Signatures 3-38

Uploading IDS Signatures 3-41

Downloading IDS Signatures 3-42

Enabling or Disabling IDS Signatures 3-43

Enabling Web Login 3-46

Downloading Customized Web Authentication 3-47

Connecting to the Guest WLAN 3-49

Certificate Signing Request (CSR) Generation 3-49

Adding a Controller to the WCS Database 4-1

Additional Functionality with Location Appliance 4-2

Using WCS to Update System Software 4-2

Downloading Vendor Device Certificates 4-3

Downloading Vendor CA Certificates 4-4

Using WCS to Enable Long Preambles for SpectraLink NetLink Phones 4-5

Creating an RF Calibration Model 4-6

Monitoring Maps Overview 5-2

Configuring Edit View 5-3

Edit View Command Buttons 5-3

Select a Command for Maps 5-4

Adding a Campus Map 5-4

Adding Buildings 5-5

Adding a Building to a Campus Map 5-5

Adding a Standalone Building 5-9

Managing a Current Campus 5-10

Editing a Current Campus 5-11

Managing Location Presence Information 5-16

Enabling Location Presence for Mobility Services 5-18

Adding Outdoor Areas 5-19

Deleting Outdoor Areas 5-21

Searching Maps 5-21

Adding and Enhancing Floor Plans 5-22

Adding Floor Plans to a Campus Building 5-22

Adding Floor Plans to a Standalone Building 5-27

Using the Map Editor 5-29

Map Editor Functions 5-29

Using the Map Editor to Draw Polygon Areas 5-30

Planning Mode 5-36

Accessing Planning Mode 5-36

Using Planning Mode to Calculate Access Point Requirements 5-37

Inspecting VoWLAN Location Readiness 5-43

Troubleshooting Voice RF Coverage Issues 5-44

Adding Access Points 5-44

Placing Access Points 5-49

Guidelines for Placing Access Points 5-49

Import Map and AP Location Data 5-51

Positioning Access Points, Wi-Fi TDOA Receivers, and Chokepoints by Importing or Exporting a File 5-53

Floor Area Map Overview 5-54

Floor Settings 5-54

Viewing Floor Component Details 5-61

Floor View Navigation 5-70

Select a Command for Floor Areas 5-71

Refresh Options 5-72

Creating a Network Design 5-73

Designing a Network 5-73

Changing Access Point Positions by Importing and Exporting a File 5-78

Importing or Exporting WLSE Map Data 5-79

Rogue Access Point Location, Tagging, and Containment 6-1

Configuring ACS View Server Credentials 6-2

Receiving Radio Measurements 6-2

Monitoring Mesh Networks Using Maps 6-3

Monitoring Mesh Link Statistics Using Maps 6-3

Monitoring Mesh Access Points Using Maps 6-6

Monitoring Mesh Access Point Neighbors Using Maps 6-8

Monitoring Mesh Health 6-11

Mesh Statistics for an Access Point 6-15

Viewing the Mesh Network Hierarchy 6-19

Using Mesh Filters to Modify Map Display of Maps and Mesh Links 6-21

Monitoring Channel Width 6-23

Viewing Google Earth Maps 6-26

Google Earth Settings 6-27

Viewing Clients Identified as WGBs 6-28

Retrieving the Unique Device Identifier on Controllers and Access Points 6-29

Channel Change Notifications 6-37

Transmission Power Change Notifications 6-38

RF Grouping Notifications 6-38

Viewing the RRM Dashboard 6-38

Adding WCS User Accounts 7-1

Deleting WCS User Accounts 7-4

Changing Passwords 7-4

Monitoring Active Sessions 7-4

Viewing or Editing User Information 7-6

Setting the Lobby Ambassador Defaults 7-7

Viewing or Editing Group Information 7-8

Editing the Guest User Credentials 7-9

Viewing the Audit Trail 7-9

Creating Guest User Accounts 7-10

Logging in to the WCS User Interface as a Lobby Ambassador 7-11

Managing WCS Guest User Accounts 7-12

Scheduling WCS Guest User Accounts 7-12

Printing or E-mailing WCS Guest User Details 7-14

Saving Guest Accounts on a Device 7-14

Editing the Guest User Credentials 7-14

Adding a New User 7-15

Adding User Names, Passwords, and Groups 7-15

Assigning a Virtual Domain 7-16

Virtual Domain RADIUS and TACACS+ Attributes 7-18

Understanding Virtual Domains as a User 7-18

Symmetric Tunneling 8-5

Overview of Mobility Groups 8-5

When to Include Controllers in a Mobility Group 8-7

Messaging among Mobility Groups 8-7

Configuring Mobility Groups 8-8

Prerequisites 8-8

Setting the Mobility Scalability Parameters 8-12

Mobility Anchors 8-13

Configuring Mobility Anchors 8-13

Configuring Multiple Country Codes 8-16

Creating Config Groups 8-19

Adding New Group 8-20

Configuring Config Groups 8-21

Adding or Removing Controllers from Config Group 8-22

Adding or Removing Templates from the Config Group 8-23

Applying or Scheduling Config Groups 8-23

Auditing Config Groups 8-24

Rebooting Config Groups 8-25

Reporting Config Groups 8-26

Downloading Software 8-26

Downloading IDS Signatures 8-27

Downloading Customized WebAuth 8-27

Setting AP Failover Priority 9-1

Configuring Global Credentials for Access Points 9-2

Configuring Ethernet Bridging and Ethernet VLAN Tagging 9-3

Enabling Ethernet Bridging and VLAN Tagging 9-7

Autonomous to Lightweight Migration Support 9-9

Adding Autonomous Access Points to WCS 9-10

Adding Autonomous Access Points by Device Information 9-10

Adding Autonomous Access Points by CSV File 9-10

Viewing Autonomous Access Points in WCS 9-12

Downloading Images to Autonomous Access Points 9-12

Work Group Bridge (WGB) Mode 9-12

Autonomous Access Point to Lightweight Access Point Migration 9-13

Viewing the Migration Analysis Summary 9-14

Upgrading Autonomous Access Points 9-14

Changing Station Role to Root Mode 9-15

Running Migration Analysis 9-15

Generating the Migration Analysis Report 9-15

Adding/Modifying a Migration Template 9-15

Configuring Access Points 9-17

Downloading Images 9-25

Importing Access Point Configuration 9-25

11n Antenna Selection 9-25

Configuring Access Point Radios for Tracking Optimized Monitor Mode 9-33

Scheduling Radio Status 9-34

Viewing Scheduled Tasks 9-34

Viewing Audit Status (for Access Points) 9-35

Searching Access Points 9-35

Viewing Mesh Link Details 9-36

Viewing or Editing Rogue Access Point Rules 9-36

Configuring Spectrum Experts 9-37

Adding a Spectrum Expert 9-37

Monitoring Spectrum Experts 9-38

Spectrum Experts > Summary 9-38

Interferers > Summary 9-38

Spectrum Experts Details 9-39

OfficeExtend Access Point 9-39

Licensing for an OfficeExtend Access Point 9-40

Configuring Link Latency Settings for Access Points 9-40

Adding Controllers 10-2

Downloading Software to Controllers 10-4

Discovering Templates from Controllers 10-9

Displaying Templates Applied to Controller 10-10

Configuring Controllers and Switches 10-10

Configuring DHCP Scopes 10-10

Configuring DHCP Proxy 10-11

Configuring IGMP Snooping 10-12

Configuring AP Timers 10-12

Configuring Controller WLANs 10-13

Viewing WLAN Details 10-14

Managing WLAN Status Schedules 10-25

Viewing WLAN Configuration Scheduled Task Results 10-26

Mobility Anchors 10-26

Configuring AAA General Parameters 10-27

Configuring Local Network Users 10-28

Configuring New LDAP Bind Requests 10-28

Setting Multiple Country Codes 10-29

Configuring Aggressive Load Balancing 10-30

Configuring Band Selection 10-31

Guidelines for Using Band Selection 10-32

Configuration Steps 10-32

Searching Controllers 10-33

Managing User Authentication Order 10-34

Viewing Audit Status (for Controllers) 10-34

Viewing Latest Network Audit Report 10-37

Configuring 802.3 Bridging 10-37

Setting AP Failover Priority 10-38

Sending Primary Discovery Requests 10-38

Pinging a Network Device from a Controller 10-39

Enabling Load-Based CAC for Controllers 10-39

Configuring CleanAir Parameters (for 802.11a/n or 802.11b/g/n) 10-41

Configuring an RRM Threshold Controller (for 802.11a/n or 802.11b/g/n) 10-42

Configuring 40-MHz Channel Bonding 10-42

Configuring EDCA Parameters for Individual Controller 10-44

Configuring SNMPv3 10-44

Viewing All Current Templates 10-45

Configuring NAC Out-of-Band Integration 10-45

Guidelines for Using NAC Out-of-Band Integration 10-46

Configuring NAC Out-of-Band Integration 10-47

Configuring Wired Guest Access 10-51

Creating an Ingress Interface 10-52

Creating an Egress Interface 10-53

Creating a Wired LAN for Guest Access 10-54

Using Switch Port Tracing 10-57

Switch VLANs 10-60

Removing Switches 10-61

Shutting a Switch Port 10-61

Client Access on 1524SB Dual Backhaul 10-62

Configuring Client Access using WCS 10-62

Backhaul Channel Deselection Using WCS 10-63

Configuring Mesh DCA Flag on Controllers Using WCS 10-63

Changing the Channel List Using Config Groups 10-63

Background Scanning on 1510s in Mesh Networks 10-64

Background Scanning Scenarios 10-64

Enabling Background Scanning 10-65

Configuring QoS Profiles 10-66

Client Authentication Type Distribution 11-6

AP Join Taken Time 11-7

AP Threats/Attacks 11-7

Client Detail Page 11-8

Running a Link Test 11-9

Enabling Automatic Client Troubleshooting 11-10

Client Details from Access Point Page 11-11

Running Client Reports 11-11

Client Troubleshooting 11-11

Troubleshooting from the Client Tab Dashboard 11-11

Troubleshooting Using the Search Feature 11-12

Controller Template Launch Pad 12-1

Adding Controller Templates 12-3

Configuring General Templates 12-4

Configuring an NTP Server Template 12-8

Configuring AP 802.1X Supplicant Credentials 12-9

Configuring DHCP Template 12-10

Configuring Dynamic Interface Templates 12-11

Configuring QoS Templates 12-13

Configuring AP Timers 12-15

Configuring a Traffic Stream Metrics QoS Template 12-16

Configuring WLAN Templates 12-18

Security 12-20

QoS 12-28

Advanced 12-29

Configuring WLAN AP Groups 12-32

Adding Access Point Groups 12-33

Deleting Access Point Groups 12-34

Configuring H-REAP AP Groups 12-34

Configuring a File Encryption Template 12-36

Configuring a RADIUS Authentication Template 12-37

Configuring a RADIUS Accounting Template 12-40

Configuring a RADIUS Fallback Template 12-41

Configuring a LDAP Server Template 12-43

Configuring a TACACS+ Server Template 12-45

Configuring a Local EAP General Template 12-46

Configuring a Local EAP Profile Template 12-47

Configuring an EAP-FAST Template 12-49

Configuring Network User Credential Retrieval Priority Templates 12-51

Configuring a Local Network Users Template 12-52

Configuring Guest User Templates 12-54

Configuring a User Login Policies Template 12-56

Configuring a MAC Filter Template 12-57

Configuring an Access Point or MSE Authorization 12-59

Configuring a Manually Disabled Client Template 12-60

Configuring a Client Exclusion Policies Template 12-61

Configuring an Access Point Authentication and MFP Template 12-63

Configuring a Web Authentication Template 12-64

Downloading a Customized Web Authentication Page 12-67

Configuring External Web Auth Server 12-69

Configuring Access Control List Templates 12-69

Configuring a CPU Access Control List (ACL) Template 12-74

Configuring a Rogue AP Rules Template 12-77

Configuring a Rogue AP Rule Groups Template 12-79

Configuring a Friendly Access Point Template 12-81

Configuring Radio Templates (for 802.11a/n or 802.11b/g/n) 12-83

Configuring a Voice Parameter Template (for 802.11a/n or 802.11b/g/n) 12-86

Configuring a Video Parameter Template (for 802.11a/n or 802.11b/g/n) 12-87

Configuring EDCA Parameters through a Controller Template 12-88

Configuring a Roaming Parameters Template (for 802.11a/n or 802.11b/g/n) 12-90

Configuring an RRM Threshold Template (for 802.11a/n or 802.11b/g/n) 12-91

Configuring an RRM Interval Template (for 802.11a/n or 802.11b/g/n) 12-93

Configuring an 802.11h Template 12-94

Configuring a High Throughput Template (for 802.11a/n or 802.11b/g/n) 12-95

Configuring CleanAir Controller Templates (for 802.11a/n or 802.11b/g/n) 12-96

Editing Existing CleanAir Controller Templates (802.11a/n or 802.11 b/g/n) 12-97

Adding a New CleanAir Controller Template (802.11a/n or 802.11 b/g/n) 12-97

Configuring a Mesh Template 12-98

Configuring a Trap Receiver Template 12-100

Configuring a Trap Control Template 12-101

Configuring a Telnet SSH Template 12-104

Configuring a Legacy Syslog Template 12-105

Configuring a Multiple Syslog Template 12-106

Configuring a Local Management User Template 12-107

Configuring a User Authentication Priority Template 12-108

Applying a Set of CLI Commands 12-109

Configuring Location Settings 12-110

Applying Controller Templates 12-112

Deleting a Controller Template 12-113

Adding Access Point Templates 12-113

Configuring Access Point Templates 12-113

Applying or Scheduling Templates 12-119

Configuring Scheduled Configuration Tasks 12-121

AP Template Tasks 12-121

Config Group Tasks 12-123

WLAN Configuration 12-124

Download Software 12-125

Configuring Radio Templates 12-130

Selecting Access Points 12-132

Applying the Report 12-133

CAS 13-1

wIPS 13-1

MSE Services Co-Existence 13-2

Adding a Mobility Services Engine to Cisco WCS 13-2

Deleting a Mobility Services Engine from the Cisco WCS 13-4

Keeping the Mobility Services Engines Synchronized 13-4

Synchronizing Cisco WCS and a Mobility Services Engine 13-4

Configuring Automatic Database Synchronization and Out of Sync Alerts 13-6

Smart Controller Assignment and Selection Scenarios 13-8

Out-of-Sync Alarms 13-8

Viewing Synchronization Information 13-9

Viewing Mobility Services Engine Synchronization Status 13-9

Viewing Synchronization History 13-9

Adding and Deleting Event Groups 13-10

Adding Event Groups 13-10

Deleting Event Groups 13-11

Adding Event Definitions 13-11

Planning for and Configuring Context-Aware Software 13-14

wIPS Planning and Configuring 13-16

Verifying the Status of WCS 14-1

Checking the Status of WCS on Windows 14-1

Checking the Status of WCS on Linux 14-2

Stopping WCS 14-2

Stopping WCS on Windows 14-2

Stopping WCS on Linux 14-3

Backing Up the WCS Database 14-3

Scheduling Automatic Backups 14-3

Performing a Manual Backup 14-4

Backing Up the WCS Database (for Windows) 14-4

Backing Up the WCS Database (for Linux) 14-5

Restoring the WCS Database 14-5

Restoring the WCS Database (for Windows) 14-6

Restoring the WCS Database (for Linux) 14-7

Restoring the WCS Database in a High Availability Environment 14-8

Using the Installer to Upgrade WCS for Windows 14-10

Using the Installer to Upgrade WCS for Linux 14-13

Manually Upgrading WCS on Windows 14-14

Manually Upgrading WCS on Linux 14-14

Upgrading WCS in a High Availability Environment 14-15

Upgrading the Network 14-15

Reinitializing the Database 14-15

Recovering the WCS Password 14-16

Overview of Hybrid REAP 15-1

Hybrid-REAP Authentication Process 15-2

Hybrid REAP Guidelines 15-4

Configuring Hybrid REAP 15-4

Configuring the Switch at the Remote Site 15-4

Configuring the Controller for Hybrid REAP 15-5

Configuring an Access Point for Hybrid REAP 15-9

Connecting Client Devices to the WLANs 15-12

Hybrid REAP Access Point Groups 15-12

Hybrid-REAP Groups and Backup RADIUS Servers 15-13

Hybrid-REAP Groups and CCKM 15-13

Hybrid-REAP Groups and Local Authentication 15-14

Configuring Hybrid-REAP Groups 15-14

Auditing an H-REAP Group 15-16

Using the Alarm Summary 16-1

Customizing Alarm Summary Results 16-4

Monitoring Alarms 16-5

Monitoring Alarm Overview 16-5

Select a Command Menu 16-8

Using Edit View for Alarms 16-8

Viewing Alarm Details 16-9

Monitoring Rogue Access Point Alarms 16-10

Select a Command 16-11

Using Advanced Search 16-12

Configuring Alarm Severity 16-14

Viewing Rogue Access Point Details 16-14

Acknowledging Alarms 16-16

Monitoring Air Quality Alarms 16-16

Monitoring CleanAir Security Alarms 16-18

Monitoring Adhoc Rogue Alarms 16-19

Monitoring Adhoc Rogue Details 16-20

Rogue Access Point Location, Tagging, and Containment 16-21

Detecting Access Points 16-21

Monitoring Rogue Alarm Events 16-22

Monitoring E-mail Notifications 16-23

Monitoring Severity Configurations 16-23

Monitoring CleanAir Air Quality Events 16-24

Viewing Air Quality Event Details 16-24

Monitoring Interferer Security Risk Events 16-25

Viewing Interferer Security Risk Event Details 16-26

Alarm and Event Dictionary 16-26

LINK_DOWN (FROM MIB-II STANDARD) 16-32

LINK_UP (FROM MIB-II STANDARD) 16-32

LRAD_ASSOCIATED 16-32

LRAD_DISASSOCIATED 16-33

LRADIF_COVERAGE_PROFILE_FAILED 16-33

LRADIF_COVERAGE_PROFILE_PASSED 16-33

Report Launch Pad 17-2

Creating and Running a New Report 17-2

Managing Current Reports 17-8

Managing Scheduled Run Results 17-9

Sorting Scheduled Run Results 17-10

Viewing or Editing Scheduled Run Details 17-10

Managing Saved Reports 17-11

Sorting Saved Reports 17-11

Viewing or Editing Saved Report Details 17-12

Running a Saved Report 17-12

Specific WCS Reports 17-13

CleanAir Reports 17-14

Air Quality vs Time 17-14

Security Risk Interferers 17-16

Worst Air Quality APs 17-18

Packet Error Statistics 17-75

Packet Queue Statistics 17-77

Traffic Stream Metrics 17-93

Tx Power and Channel 17-96

VoIP Calls Graph 17-97

VoIP Calls Table 17-99

Voice Statistics 17-100

Security Reports 17-102

Adaptive wIPS Alarms 17-103

Adaptive wIPS Top 10 Access Points 17-105

Adhoc Rogue Events 17-107

Adhoc Rogues 17-109

New Rogue Access Points 17-111

New Rogue Access Point Count 17-113

Rogue Access Points Events 17-115

Importing Tasks Into ACS 18-8

Adding WCS to an ACS Server 18-8

Adding WCS as a TACACS+ Server 18-9

Adding WCS UserGroups into ACS for TACACS+ 18-10

Adding WCS to ACS server for Use with RADIUS 18-13

Adding WCS UserGroups into ACS for RADIUS 18-14

Adding WCS to a Non-Cisco ACS Server for Use with RADIUS 18-17

Setting AAA Mode 18-18

Auto Provisioning 18-19

Auto Provisioning Device Management (Auto Provisioning Filter List) 18-20

Auto Provisioning Setting (Auto Provisioning Primary Search Key Setting) 18-28

Turning Password Rules On or Off 18-29

Configuring TACACS+ Servers 18-29

Configuring RADIUS Servers 18-31

Establishing Logging Options 18-32

Using Logging Options to Enhance Troubleshooting 18-34

Performing Data Management Tasks 18-34

Prerequisites and Limitations 18-63

Configuring High Availability 18-64

Deploying High Availability 18-65

Adding a New Primary WCS 18-66

Removing a Primary WCS 18-66

Setting User Preferences 18-66

Accessing the License Center 18-67

WCS License Information 18-68

Controller License Information 18-69

MSE License Information 18-70

Controller 18-71

MSE 18-72

Managing Individual Licenses 18-74

Managing Controller Licenses 18-74

Creating Policy Elements or Authorization Profiles 18-78

Creating Policy Elements or Authorization Profiles for RADIUS 18-78

Creating Policy Elements or Authorization Profiles For TACACS 18-79

Creating Authorization Rules 18-80

Creating Service Selection Rules for RADIUS 18-80

Creating Service Selection Rules for TACACS 18-81

Configuring Access Services 18-82

Configuring Access Services for RADIUS 18-82

Configuring Access Services for TACACS 18-83

Using Voice Audit 19-1

Controller Tab 19-1

Rules Tab 19-2

Reports Tab 19-5

Voice Audit Details 19-5

Voice Audit Report Results 19-5

Verifying Location Accuracy 19-5

Using the Location Accuracy Tool to Test Location Accuracy 19-6

Using Scheduled Accuracy Testing to Verify Accuracy of Current Location 19-6

Using On-Demand Location Accuracy Testing 19-8

Viewing Configuration Audit Summary 19-9

Configuring Migration Analysis 19-10

Upgrading Autonomous Access Points 19-11

Viewing a Firmware Upgrade Report 19-11

Changing Station Role to Root Mode 19-11

Viewing a Role Change Report 19-12

Running Migration Analysis 19-12

Viewing a Migration Analysis Report 19-12

Creating a Virtual Domain 20-1

Creating a New Virtual Domain 20-2

Understanding Virtual Domain Hierarchy 20-3

Modifying a Virtual Domain 20-7

Virtual Domain RADIUS and TACACS+ Attributes 20-9

Understanding Virtual Domains as a User 20-9

Viewing Assigned Virtual Domain Components 20-10

Creating an Outdoor Location Using Google Earth 21-1

Understanding Geographical Coordinates for Google Earth 21-1

Creating and Importing Coordinates in Google Earth (KML File) 21-2

Creating and Importing Coordinates as a CSV File 21-4

Importing a File into WCS 21-5

Viewing Google Earth Maps 21-6

Viewing Google Earth Map Details 21-6

Adding Google Earth Location Launch Points to Access Point Pages 21-7

Google Earth Settings 21-8

Troubleshooting Cisco Compatible Extensions Version 5 Client Devices A-1

Diagnostic Channel A-1

Configuring the Diagnostic Channel A-2

Web Auth Security on WLANs A-3

Debug Commands A-4

Debug Strategy A-4

Best Practices A-8

WCS Licenses B-1

Types of Licenses B-1

Licensing Enforcement B-2

Product Authorization Key Certificate B-3

Determining Which License To Use B-3

Installing a License B-4

Backup and Restore License B-4

Notices and Disclaimers B-5

Notices B-5

OpenSSL/Open SSL Project B-5

License Issues B-5

Disclaimers B-7

End-User License Agreement B-7

Supported Hardware C-2

Cisco WLSE Management Stations C-2

Autonomous Access Points Convertible to LWAPP C-2

Installation and Configuration C-2

The preface provides an overview of the Cisco Wireless Control System Configuration Guide, Release 7.0, references related publications, and explains how to obtain other documentation and technical assistance, if necessary. It contains these sections:

Audience, page xxix

Purpose, page xxix

Conventions, page xxix

Related Publications, page xxx

Obtaining Documentation and Submitting a Service Request, page xxx

Audience

This guide describes the Cisco Wireless Control System (WCS). It is meant for networking professionals who use WCS to manage a Cisco Unified Wireless Network Solution. To use this guide, you should be familiar with the concepts and terminology associated with wireless LANs.

Purpose

This guide provides the information you need to manage a Cisco Unified Wireless Network Solution using WCS.

Note: This guide pertains specifically to WCS Release 7.0. Earlier versions of WCS software may look and operate somewhat differently.

Conventions

This publication uses the following conventions to convey instructions and information:

• Commands and keywords are in boldface text.

• Variables are in italicized text.

Preface

Note: Means reader take note. Notes contain helpful suggestions or references to material not contained in the manual.

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Publications

For more information about WCS and related products, see the following website:

http://www.cisco.com/cisco/web/psa/default.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

Embedded Access Points, page 1-6

WCS User Interface, page 1-9

Cisco WCS Navigator, page 1-9

The Cisco Unified Wireless Network Solution

The Cisco Unified Wireless Network solution provides 802.11 wireless networking solutions for enterprises and service providers. It simplifies the deployment and management of large-scale wireless LANs and enables you to create a unique best-in-class security infrastructure. The operating system manages all data client, communications, and system administration functions, performs radio resource management (RRM) functions, manages system-wide mobility policies using the operating system security solution, and coordinates all security functions using the operating system security framework.

The Cisco Unified Wireless Network Solution consists of Cisco Unified Wireless Network Controllers (hereafter called controllers) and their associated lightweight access points controlled by the operating system, all concurrently managed by any or all of the operating system user interfaces:

• An HTTPS full-featured web user interface hosted by Cisco controllers can be used to configure and monitor individual controllers.

• A full-featured command-line interface (CLI) can be used to configure and monitor individual controllers.

• WCS can be used to configure and monitor one or more controllers and associated access points. WCS has tools to facilitate large-system monitoring and control. It runs on Windows 2003 and Red Hat Enterprise Linux ES/AS 5.X servers.

• An industry-standard SNMP V1, V2c, and V3 interface can be used with any SNMP-compliant third-party network management system.

The Cisco Unified Wireless Network Solution supports client data services, client monitoring and control, and all rogue access point detection, monitoring, and containment functions. It uses lightweight access points, controllers, and the optional WCS to provide wireless services to enterprises and service providers.

Chapter 1 Overview The WCS

Note: Unless specified otherwise, information pertaining to controllers applies to all Cisco Unified Wireless Network Controllers, including but not limited to Cisco 2000 and 2100 Series Unified Wireless Network Controllers, Cisco 4100 Series Unified Wireless Network Controllers, Cisco 4400 Series Unified Wireless Network Controllers, Cisco 5500 Series Wireless LAN Controllers, and controllers within the Cisco Wireless Services Module (WiSM) and Cisco 26/28/37/38xx Series Integrated Services Routers.

Figure 1-1 shows the Cisco Unified Wireless Network Solution components, which can be simultaneously deployed across multiple floors and buildings.

Figure 1-1 Cisco Unified Wireless Network Solution

The WCS

WCS enables you to configure and monitor one or more controllers and associated access points. WCS includes the same configuration, performance monitoring, security, fault management, and accounting options used at the controller level and adds a graphical view of multiple controllers and managed access points.

WCS runs on Windows 2003/SP2, Windows 2003 R2/SP2 32-bit installations, and Red Hat Linux Enterprise Server 5.X 32-bit installations. On both Windows and Linux, WCS runs as a service, which runs continuously and resumes running after a reboot.

WCS Versions

You must use Internet Explorer 7.0 or later with the Flash plugin, or Mozilla Firefox 3.5 or later, in order to control all permitted Cisco Unified Wireless Network Solution configuration, monitoring, and control functions. The administrator defines permissions from the Administration menu, which also enables the administrator to manage user accounts and schedule periodic maintenance tasks.

Note You are strongly advised not to enable third-party browser extensions. In Internet Explorer, you can disable third-party browser extensions by choosing Tools > Internet Options and unselecting the Enable third-party browser extensions check box on the Advanced tab.

WCS simplifies controller configuration and monitoring and reduces data entry errors. WCS uses the industry-standard SNMP protocol to communicate with the controllers.

This section contains the following topics:

WCS Base

WCS Base + Location

Enabling Mobility Services and HA with WCSPLUS License

It also includes graphical views of the following:

Autodiscovery of access points as they associate with controllers

Autodiscovery and containment or notification of rogue access points

Map-based organization of access point coverage areas, which is helpful when the enterprise spans more than one geographical area

Ad hoc rogue detection

User-supplied campus, building, and floor plan graphics, which show the following:

Locations and status of managed access points

Locations of rogue access points based on the signal strength received by the nearest managed Cisco access points

Coverage hole alarm information for access points based on the received signal strength from clients. This information appears in a table rather than map format.

RF coverage maps

The WCS Base also provides system-wide control of the following:


Streamlined network, controller, and managed access point configuration using customer-defined templates

Network, controller, and managed access point status and alarm monitoring

Automated and manual data client monitoring and control functions

Automated monitoring of rogue access points, rogue ad hoc events, coverage holes, security violations, controllers, and access points

Full event logs for data clients, rogue access points, coverage holes, security violations, controllers, and access points

Automatic channel and power level assignment by radio resource management (RRM)

User-defined automatic controller status audits, missed trap polling, configuration backups, and policy cleanups

Real-time location of rogue access points and rogue ad hoc events to the nearest Cisco access point

Real-time and historical location of clients to the nearest Cisco access point

WCS Base + Location

WCS Location includes all the features of WCS Base as well as these enhancements:

On-demand location of rogue access points and rogue ad hoc events to within 33 feet (10 meters)

On-demand location of clients to within 33 feet (10 meters)

Ability to use location appliances to collect and return historical location data viewable in the WCS Location user interface

Enabling Mobility Services and HA with WCSPLUS License

A Cisco WCS PLUS license supports Cisco WCS base license features and the following capabilities:

Location services

High availability

A Cisco WCS PLUS license is backward compatible to existing Cisco WCS location and enterprise licenses. The process to provision a Cisco WCS PLUS license is the same as provisioning a current Cisco WCS license. A PLUS license is required in order to enable mobility services engines which are launched with the Motion campaign.

Using WCS Cisco Location Appliances

When WCS Location is used, you can also deploy Cisco 2700 Series Location Appliances. The location appliance enhances WCS Location capabilities by computing, collecting, and storing historical location data, which can be displayed in WCS. In this role, the location appliance acts as a server to a WCS server by collecting, storing, and passing on data from its associated controllers.

When WCS is enhanced with a location appliance, it can display historical location data for up to 2,500 laptop clients, palmtop clients, VoIP telephone clients, radio frequency identifier (Wi-Fi tags) asset tags, rogue access points, rogue ad hoc events, and rogue clients for each location appliance in the Cisco Unified Wireless Network Solution. You can configure location appliances to collect this data and statistics at defined intervals.


You can also use WCS to configure location appliance event notification parameters. Event notification is a feature that enables you to define conditions that cause the location appliance to send notifications to the listeners that you specify in WCS.

In this way, WCS acts as a notification listener. It receives notifications from the location appliance in the form of the locationNotifyTrap trap as part of the bsnwras.my MIB file. WCS translates the traps into user interface alerts and displays the alerts in the following format:

Note See the Cisco Location Application Configuration Guide for more detailed information about the location appliance and its use with WCS.

The location appliance can be backed up to any WCS server into an operator-defined FTP folder, and the location appliance can be restored from that server at any time and at defined intervals. Also, the location appliance database can be synchronized with the WCS server database at any time. Operators can use the location appliance features and download new application code to all associated appliances from any WCS server.


Comparison of WCS Base and WCS Location Features

Embedded Access Points

WCS software release 5.2 or later supports the AP801, which is the integrated access point on the Cisco 800 Series Integrated Services Routers (ISRs). This access point uses a Cisco IOS software image that is separate from the router Cisco IOS software image. It can operate as an autonomous access point that is configured and managed locally, or it can operate as a centrally managed access point using CAPWAP or LWAPP protocol. The AP801 is preloaded with both an autonomous Cisco IOS release and a recovery image for the unified mode.

Table 1-1 WCS Base and WCS Location Features

Features    WCS Base    WCS Location
Location and tracking
Client data services, security, and monitoring
Multiple wireless LANs (individual SSIDs and policies)    Yes    Yes
Rogue access point detection and containment using access points    Yes    Yes
Radio resource management
Real-time channel assignment and rogue access point detection and containment
Real-time interference detection and avoidance, transmit power control, channel assignment, client mobility management, client load distribution, and coverage hole detection
Global and individual Access Point security policies    Yes    Yes
Controls Cisco Unified Wireless Network Controllers    Yes    Yes
Supported workstations


When you want to use the AP801 with a controller, you must enable the recovery image for the unified mode on the access point by entering this CLI command on the router in privileged EXEC mode:

service-module wlan-ap 0 bootimage unified

Note If the service-module wlan-ap 0 bootimage unified command does not work, make sure that the software license is still current.

After enabling the recovery image, enter this CLI command on the router to shut down and reboot the access point:

service-module wlan-ap 0 reload

After the access point reboots, it discovers the controller, downloads the full CAPWAP or LWAPP software release from the controller, and acts as a lightweight access point.

Note To use the CLI commands mentioned previously, the router must be running Cisco IOS Release 12.4(20)T or later. If you experience any problems, refer to the “Troubleshooting an Upgrade or Reverting the AP to Autonomous Mode” section in the Integrated Services Router configuration guide at this URL:

http://cisco.com/en/US/docs/routers/access/800/860-880-890/software/configuration/guide/admin_ap.html#wp1061143

In order to support CAPWAP or LWAPP, the router must be activated with at least the Cisco Advanced IP Services IOS license-grade image. A license is required in order to upgrade to this Cisco IOS image on the router. See this URL for licensing information:

http://cisco.com/en/US/docs/routers/access/800/860-880-890/software/activation/Software_Activation_on_Cisco_Integrated_Routers.html

After the AP801 boots up with the recovery image for the unified mode, it requires an IP address in order to communicate with the controller and to download its unified image and configuration from the controller. The router can provide DHCP server functionality, the DHCP pool to reach the controller, and setup option 43 for the controller IP address in the DHCP pool configuration. Use the following configuration to perform this task.

ip dhcp pool pool_name
 network ip_address subnet_mask
 dns-server ip_address
 default-router ip_address
 option 43 hex controller_ip_address_in_hex

Example:

ip dhcp pool embedded-ap-pool
 network 209.165.200.224 255.255.255.224
 dns-server 209.165.200.225
 default-router 209.165.200.226
 ! f1 = sub-option type, 04 = length in bytes, then the single WLC IP address in hex format
 ! (0a0a.0a0f encodes 10.10.10.15; the address 209.165.201.0 would be written f104.d1a5.c900)
 option 43 hex f104.0a0a.0a0f
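The option 43 hex value in the DHCP pool configuration above is a type-length-value string: the byte f1, a one-byte length, then each controller address as four bytes. The following Python is an added example, not part of the Cisco guide, that builds and parses such strings so that a value can be checked against the intended controller address before it goes into the pool. The function names are this example's own, and the sample values in the demo are the hex string and address shown in this section.

```python
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # type byte that starts the "f104..." string in this section


def encode_option43(controllers):
    """Return the 'option 43 hex' argument for a list of controller IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    addrs = [ipaddress.IPv4Address(c) for c in controllers]  # rejects malformed input
    length = 4 * len(addrs)
    if length > 0xFF:
        raise ValueError("too many controllers for a one-byte length field")
    payload = bytes([CISCO_WLC_SUBOPTION, length]) + b"".join(a.packed for a in addrs)
    hexstr = payload.hex()
    # Written in dotted groups of four hex digits, as in the pool configuration
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def decode_option43(value):
    """Parse an 'option 43 hex' string and return the controller addresses it carries."""
    raw = bytes.fromhex(value.replace(".", "").replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("truncated: missing type or length byte")
    sub_type, length, body = raw[0], raw[1], raw[2:]
    if sub_type != CISCO_WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length != len(body):
        raise ValueError(f"length byte says {length}, but {len(body)} bytes follow")
    if length == 0 or length % 4:
        raise ValueError("address list must be a non-zero multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # Sample values taken from this section's example configuration
    print(decode_option43("f104.0a0a.0a0f"))
    print(encode_option43(["209.165.201.0"]))
```

Decoding a string before it is deployed catches a length byte that does not match the number of addresses, which would otherwise leave access points unable to find a controller.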

The AP801 802.11n radio supports lower power levels than the 802.11n radio in the Cisco Aironet 1250 series access points. The AP801 stores the radio power levels and passes them to the controller when the access point joins the controller. The controller uses the supplied values to limit the user configuration.

The AP801 can be used in hybrid-REAP mode. See “Configuring Hybrid REAP” section on page 15-1 for more information on hybrid REAP.

Note For more information on the AP801, refer to the documentation for the Cisco 800 Series ISRs at this URL:

http://www.cisco.com/en/US/products/hw/routers/ps380/tsd_products_support_series_home.html

Access Point Communication Protocols

In controller software release 5.2 or later, Cisco lightweight access points use the IETF standard Control and Provisioning of Wireless Access Points Protocol (CAPWAP) to communicate between the controller and other lightweight access points on the network. Controller software releases prior to 5.2 use the Lightweight Access Point Protocol (LWAPP) for these communications.

CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that enables a controller to manage a collection of wireless access points. CAPWAP is being implemented in controller software release 5.2 for these reasons:

To provide an upgrade path from Cisco products that use LWAPP to next-generation Cisco products that use CAPWAP

To manage RFID readers and similar devices

To enable controllers to interoperate with third-party access points in the future

LWAPP-enabled access points are compatible with CAPWAP, and conversion to a CAPWAP controller is seamless. For example, the controller discovery process and the firmware downloading process when using CAPWAP are the same as when using LWAPP. The one exception is for Layer 2 deployments, which are not supported by CAPWAP.

Deployments can combine CAPWAP and LWAPP software on the controllers. The CAPWAP-enabled software allows access points to join either a controller running CAPWAP or LWAPP. The only exception is the Cisco Aironet 1140 Series Access Point, which supports only CAPWAP and therefore joins only controllers running CAPWAP.

Note “The 1142 series access point will only associate with CAPWAP controllers” needs to be updated to say 1140 and 3500 series, and should go on to state 3500 will only connect with WLC running 7.0 code or above.

Guidelines and Restrictions for Using CAPWAP

CAPWAP and LWAPP controllers cannot be used in the same mobility group. Therefore, client mobility between CAPWAP and LWAPP controllers is not supported.

If your firewall is currently configured to allow traffic only from access points using LWAPP, you must change the rules of the firewall to allow traffic from access points using CAPWAP.

Make sure that the CAPWAP ports are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller.

Any access control lists (ACLs) in your network might need to be modified if CAPWAP uses different ports than LWAPP.
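One way to check the firewall and ACL guidelines above before a migration, as an added Python example that is not part of the Cisco guide: it evaluates an IOS-style extended ACL with first-match semantics and reports whether access point traffic to the controller is permitted on the CAPWAP and LWAPP UDP ports. The port numbers (CAPWAP 5246 and 5247 from RFC 5415, LWAPP 12222 and 12223) are not given in this section, and the ACL lines, addresses and function names are constructed for the example.

```python
import ipaddress

# UDP ports an access point uses toward its controller (not stated on this page):
# CAPWAP per RFC 5415, LWAPP as used by controller releases prior to 5.2.
AP_PORTS = {"CAPWAP control": 5246, "CAPWAP data": 5247,
            "LWAPP data": 12222, "LWAPP control": 12223}


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' and return a network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)  # wildcard is the inverted mask
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)


def parse_ace(line):
    """Parse one 'permit|deny udp|ip <src> <dst> [eq N | range A B]' entry."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    ports = range(0, 65536)                      # no operator: every port
    if tokens[:1] == ["eq"]:
        ports = range(int(tokens[1]), int(tokens[1]) + 1)
    elif tokens[:1] == ["range"]:
        ports = range(int(tokens[1]), int(tokens[2]) + 1)
    return action, proto, src, dst, ports


def decision(acl_lines, ap_ip, wlc_ip, port):
    """First matching entry wins; an ACL ends with an implicit deny."""
    ap, wlc = ipaddress.ip_address(ap_ip), ipaddress.ip_address(wlc_ip)
    for action, proto, src, dst, ports in map(parse_ace, acl_lines):
        if proto in ("udp", "ip") and ap in src and wlc in dst and port in ports:
            return action
    return "deny"


def audit(acl_lines, ap_ip, wlc_ip):
    """Return {service name: 'permit' | 'deny'} for AP-to-controller traffic."""
    return {name: decision(acl_lines, ap_ip, wlc_ip, port)
            for name, port in AP_PORTS.items()}


# Constructed ACL that predates the CAPWAP migration: only LWAPP is allowed.
LWAPP_ONLY = ["permit udp 10.20.0.0 0.0.255.255 host 10.1.1.5 range 12222 12223",
              "deny ip any any"]
# The same ACL with an entry added for the CAPWAP control and data ports.
MIGRATED = ["permit udp 10.20.0.0 0.0.255.255 host 10.1.1.5 range 5246 5247"] + LWAPP_ONLY
```

Running audit() on LWAPP_ONLY shows both CAPWAP services denied, which is the condition that keeps an upgraded access point from joining its controller.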

The Controller Discovery Process

In a CAPWAP environment, a lightweight access point discovers a controller by using CAPWAP discovery mechanisms and then sends it a CAPWAP join request. The controller sends the access point a CAPWAP


Locally stored controller IP address discovery—If the access point was previously associated to a controller, the IP addresses of the primary, secondary, and tertiary controllers are stored in the access point’s non-volatile memory. This process of storing controller IP addresses on access points for later deployment is called priming the access point.

DHCP server discovery—This feature uses DHCP option 43 to provide controller IP addresses to the access points. Cisco switches support a DHCP server option that is typically used for this capability.

DNS discovery—The access point can discover controllers through your domain name server (DNS). For the access point to do so, you must configure your DNS to return controller IP addresses in response to CISCO-CAPWAP-CONTROLLER.localdomain or CISCO-LWAPP-CONTROLLER.localdomain, where localdomain is the access point domain name.

When an access point receives an IP address and DNS information from a DHCP server, it contacts the DNS to resolve CISCO-CAPWAP-CONTROLLER.localdomain or CISCO-LWAPP-CONTROLLER.localdomain. When the DNS sends a list of controller IP addresses, the access point sends discovery requests to the controllers.

WCS User Interface

The WCS user interface enables the network operator to create and configure Cisco Unified Wireless Network Solution coverage area layouts, configure system operating parameters, monitor real-time Cisco Unified Wireless Network Solution operation, and perform troubleshooting tasks using an HTTPS web browser window. The WCS user interface also enables the WCS administrator to create, modify, and delete user accounts; change passwords; assign permissions; and schedule periodic maintenance tasks. The administrator creates new usernames and passwords and assigns them to predefined permissions groups.

Note The Cisco WCS user interface requires Internet Explorer 7.0 or later, or Firefox 3.5 or later. Cisco recommends Firefox 3.5 or later on a Windows workstation for full access to WCS functionality. Internet Explorer 6.0 is not supported.

Cisco WCS Navigator

The Cisco Wireless Control System Navigator (Cisco WCS Navigator) manages multiple Cisco WCSs (running the same version as Navigator) and provides a unified view of the network. It uses SOAP/XML over HTTPS to communicate with individual WCSs. With WCS Navigator, there is monitoring functionality and reporting capability across all WCSs. In addition, network-wide searches are available.

In Windows and Linux, Cisco WCS Navigator runs as a service, which runs continuously and resumes running after a reboot.

In order for the WCS Navigator to detect the regional WCSs, you must manually add them to the system using either the IP address or hostname and specify the login credentials for each of the regional WCSs. After being added, WCS Navigator provides summary information and links to the regional WCS systems.

Date posted: 27/10/2019, 21:45
