Cisco 1200 Access Point

Cisco's 1200 Series access point is the standard-bearer for standalone access points. It runs a version of Cisco's Internetwork Operating System (IOS). At first, 1200s ran a system based on VxWorks, but Cisco released an IOS upgrade to bring the 1200 into the fold. The upgrade tool is available from Cisco's support web site. No new features or continuing development have been done on VxWorks for quite some time.

On an individual basis, the Cisco 1200 can be managed from either a web interface or an IOS command-line interface. Larger installations can be managed through the Wireless LAN Solutions Engine (WLSE). The command-line interface is available through a local console serial cable with a Cisco RJ-45 pinout or, once the network interface is configured, over telnet or SSH.

Setting Up the 1200

Hardware setup on the 1200 is straightforward. It may be powered either from a local power supply or with a Cisco-specific power injector. The power circuitry is the same. The power supply puts out 48 volts, just as a power injector would.

The 1200 uses a Bridge-group Virtual Interface (BVI). BVIs are a software construct in IOS that allow protocols to be both routed and bridged over the same interface. APs need to bridge 802.11 frames to 802.3, but also need to route IP for management purposes, which makes BVIs the obvious choice. Configure the IP address on a BVI from the global configuration prompt. APs may get their IP address either from a static assignment or from a built-in DHCP client. Both commands are shown below:

ap1200# configure terminal
ap1200(config)# interface BVI1
ap1200(config-if)# ip address 192.168.1.5 255.255.255.0
ap1200(config-if)# ip address dhcp client-id FastEthernet0

To check on the status of the interface and see what addresses have been assigned, use show ip interface brief:

ap1200#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Dot11Radio0                unassigned      YES TFTP   up                    up
FastEthernet0              unassigned      YES NVRAM  up                    up
Virtual-Dot11Radio0        unassigned      YES TFTP   down                  down
BVI1                       192.168.5.191   YES DHCP   up                    up


Configuring Radio Interfaces

The 1200 has two radios. Radio 0 is the 2.4 GHz radio, which is usually 802.11g, but may be 802.11b in older hardware. Radio 1 is the 5 GHz radio. Each radio can be configured independently by using the interface configuration commands. Data rates can be allowed simply by entering them with the speed command, or they may be labeled as required by prefacing them with basic-. In the following command list, the first speed command allows all data rates. The second requires 1 Mbps and 2 Mbps operation, but allows 5.5 Mbps and 11 Mbps operation. The last two are special. speed range allows all, but requires only the slowest speed. speed throughput sets all data rates to required.

ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# speed 1.0 2.0 5.5 11.0
ap1200(config-if)# speed basic-1.0 basic-2.0 5.5 11.0
ap1200(config-if)# speed range
ap1200(config-if)# speed throughput

Transmission power may be configured for each radio by setting a local maximum power in milliwatts. Like speed, power is an interface-specific configuration command. 802.11b/g radios are capable of up to 100 mW power. Due to limitations in chip design with OFDM, 802.11a radios are only capable of 40 mW transmission.

ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# power local 100

In addition to power settings, the operating channel may be configured for each radio with the channel command. As an argument, channel takes the frequency in MHz. Alternatively, using the least-congested keyword will force the AP to monitor all channels and pick the clearest one.

ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# channel 2412
ap1200(config-if)# channel least-congested

Two different types of 802.11b preambles are used. Long preambles are more compatible, but short preambles give much better performance. Generally, this option should be set to short unless there is a known older device that needs to use the network. To disable short preamble, use the no preamble-short interface command.

ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# no preamble-short

Beacon frames are used to announce the existence of a network, as well as to announce buffered frames with the DTIM information element. The Beacon interval can be tuned to balance delivery of buffered frames against battery consumption using the beacon period and beacon dtim-period commands.

ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# beacon period 100
ap1200(config-if)# beacon dtim-period 5

In addition to the Beacon interval, the RTS/CTS threshold can be configured. Frames longer than the threshold are sent with an RTS/CTS handshake, so lower values cause handshaking for more frames. Depending on the environment, it might also be worth altering the number of times a frame will be retransmitted, or the threshold at which it will be fragmented, using the following commands.

ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# rts threshold 2000
ap1200(config-if)# rts retries 2
ap1200(config-if)# packet retries 8
ap1200(config-if)# fragment-threshold 1500


Internetworking

Different clients will encapsulate frames in different ways. By far the most common is to use RFC 1042 SNAP encapsulation, which is the default. IOS allows configuration of 802.1H as well. The setting is global for a radio, and cannot be configured on a per-protocol basis.

ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# payload-encapsulation snap
ap1200(config-if)# payload-encapsulation dot1h

With dynamic VLAN assignment, the use of VLANs on the wired side is becoming increasingly common. IOS on the 1200 supports both native and tagged VLANs. It is important to assign VLAN 1, the native VLAN, to the same IP network as other devices on the network to ensure communication across the so-called native VLAN. The native VLAN is noted by adding the keyword native at the end of an encapsulation command for the subinterface.

ap1200# configure terminal
ap1200(config)# interface dot11radio0.1
ap1200(config-subif)# encapsulation dot1q 1 native
ap1200(config-subif)# interface fastethernet0.1
ap1200(config-subif)# encapsulation dot1q 1 native

Further VLANs can be configured in a similar way, omitting the native keyword. It is common practice to keep the subinterface number equal to the VLAN tag. For example, to configure VLAN 10, the following commands would be used. To configure VLAN 20, all the references to 10 would be replaced with 20.

ap1200# configure terminal
ap1200(config)# interface dot11radio0.10
ap1200(config-subif)# encapsulation dot1q 10
ap1200(config-subif)# interface fastethernet0.10
ap1200(config-subif)# encapsulation dot1q 10


Configuring Security

Radio networks are broadcast from an AP as an SSID. Each SSID acts somewhat like its own virtual self-contained access point within the 1200. Each SSID can have its own security configuration, as well as its own VLAN mapping. Interestingly enough, the VLAN mapping is slightly spongy. A default VLAN can be assigned to an SSID. If the RADIUS server in use returns a different VLAN, the client device will be remapped onto the specified VLAN.[*] The per-SSID default will only be used when nothing is supplied by the RADIUS server. (This approach is not quite as clean as many other products on the market, which work on an either/or basis with default VLANs and RADIUS servers.)

[*] Cisco APs require a set of RADIUS tunnel attributes to be supplied, and they must be tagged. The Tunnel-Type attribute must be set to VLAN, the Tunnel-Medium-Type attribute to IEEE-802, and the Tunnel-Private-Group-ID attribute to the VLAN ID.

Authentication to each SSID is configured using the authentication command. In general, this command will be set to "open" authentication, but may add EAP authentication as an optional method. The following commands configure an SSID of babelfish to map to VLAN 42 while requiring EAP authentication against the server group rad_eap.

ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# ssid babelfish
ap1200(config-ssid)# vlan 42
ap1200(config-ssid)# authentication open eap rad_eap

To define the RADIUS server for EAP authentication, define each server, and associate it with a group. By default, RADIUS servers that are not assigned UDP ports are assigned to the old RADIUS ports (1645 and 1646), so they must be explicitly assigned to the new ports.

ap1200# configure terminal
ap1200(config)# radius-server host 192.168.200.187 auth-port 1645 acct-port 1646 key MySecret
ap1200(config)# radius-server host 192.168.200.188 auth-port 1812 acct-port 1813 key MySecret
ap1200(config)# aaa group server radius rad_eap
ap1200(config-sg-radius)# server 192.168.200.187 auth-port 1645 acct-port 1646
ap1200(config-sg-radius)# server 192.168.200.188 auth-port 1812 acct-port 1813
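As an added illustration of the footnote above (this is not code from the book or from Cisco), the following Python encodes the tagged RFC 2868 trio a RADIUS server must return to move a client from the SSID default onto VLAN 42, and decodes a reply the way an AP has to: the VLAN is accepted only when Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-ID are all present and carry the same tag. The attribute numbers (64, 65, 81) and enumerated values (VLAN = 13, IEEE-802 = 6) come from RFC 2868; the tag value 1 and the reply fragments are constructed for the example.

```python
import struct

# RFC 2868 attribute numbers and the enumerated values the AP expects (see footnote).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
NEEDED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def encode_vlan_attrs(vlan_id, tag=1):
    """Build the tagged trio a RADIUS server returns to place a client on vlan_id."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0x00-0x1F")

    def tagged_int(attr_type, value):
        # Type, Length (fixed at 6), Tag, 3-octet big-endian value
        return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

    group = str(vlan_id).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group)


def parse_attrs(blob):
    """Split a raw Type-Length-Value run into (type, payload) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out


def assigned_vlan(blob):
    """VLAN the AP would apply, or None if the trio is missing, untagged or inconsistent."""
    by_tag = {}
    for attr_type, payload in parse_attrs(blob):
        if attr_type not in NEEDED or not payload or payload[0] > 0x1F:
            continue  # the AP needs tagged attributes; a first octet above 0x1F is not a tag
        by_tag.setdefault(payload[0], {})[attr_type] = payload[1:]
    for attrs in by_tag.values():  # all three must share one tag
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            return int(group) if group.isdigit() else None
    return None
```

A reply that carries only two of the three attributes, or mixes tags across them, yields None, so the AP falls back to the per-SSID default VLAN rather than guessing.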


Configuring WPA-PSK

WPA preshared keys are configured through the SSID command. By setting the SSID up for WPA key management, it is possible to specify either an ASCII or hexadecimal pre-shared key for use with WPA.

ap1200(config)# interface dot11radio 0
ap1200(config-if)# ssid LuminiferousEther
ap1200(config-ssid)# authentication key-management wpa optional
ap1200(config-ssid)# wpa-psk ascii Thisisaverylongsecretpresharedkey!


Monitoring

A basic monitoring tool is the list of associated stations, which can be obtained from an unprivileged prompt:

ap1200> show dot11 association
802.11 Client Stations on Dot11Radio0:

SSID [LuminiferousEther] :

MAC Address     IP address       Device    Name      Parent    State
0002.2d6e.abda  192.168.200.150  -         -         self      Assoc

To view details on a particular association, ask for it by MAC address. The complete association record will be printed out, including the types of encryption in use. This station is associated and uses TKIP for encryption.

ap1200> show dot11 association 0002.2d6e.abda
Address           : 0002.2d6e.abda     Name             :
IP Address        : 192.168.200.150    Interface        : Dot11Radio 0
Device            : -                  Software Version :
CCX Version       :
State             : Assoc              Parent           : self
SSID              : LuminiferousEther
VLAN              : 0
Hops to Infra     : 1                  Association Id   : 120
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPA PSK            Encryption       : TKIP
Current Rate      : 11.0               Capability       :
Supported Rates   : 1.0 2.0 5.5 11.0
Signal Strength   : -39 dBm            Connected for    : 1463 seconds
Signal Quality    : 79 %               Activity Timeout : 55 seconds
Power-save        : Off                Last Activity    : 4 seconds ago
Packets Input     : 535                Packets Output   : 245
Bytes Input       : 61629              Bytes Output     : 137018
Duplicates Rcvd   : 0                  Data Retries     : 18
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
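The association record is what an operator would poll to confirm that stations are actually using the key management and cipher the SSID was configured for. The following Python is an added example, not code from the book, that parses the two-column "Label : value" layout into a dictionary and runs a few defender-side checks over it: an empty Key Mgmt type would indicate a client that associated without WPA, which the optional keyword in the WPA-PSK configuration above permits, and non-zero MIC or decrypt failure counters are worth a look. The sample record is constructed (abridged from the output above); the tokens assumed for an unencrypted link are labelled in the code.

```python
import re

# One field is "Label : value"; the AP prints up to two per line, separated by 2+ spaces.
FIELD = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z -]*?\s*:|\s*$)")

# Constructed sample (abridged) in the layout of `show dot11 association <mac>` above.
SAMPLE = """\
ap1200> show dot11 association 0002.2d6e.abda
Address           : 0002.2d6e.abda     Name             :
IP Address        : 192.168.200.150    Interface        : Dot11Radio 0
State             : Assoc              Parent           : self
SSID              : LuminiferousEther
VLAN              : 0
Key Mgmt type     : WPA PSK            Encryption       : TKIP
Supported Rates   : 1.0 2.0 5.5 11.0
Signal Strength   : -39 dBm            Connected for    : 1463 seconds
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
"""


def parse_association(text):
    """Flatten the two-column record into {label: value}; blank fields become ''."""
    record = {}
    for line in text.splitlines():
        for m in FIELD.finditer(line):
            record[m.group(1).strip()] = m.group(2).strip()
    return record


def station_findings(record):
    """Defender-side review of one parsed station record; returns a list of findings."""
    findings = []
    if not record.get("Key Mgmt type"):
        # An empty field means the client joined without WPA, which `wpa optional` permits.
        findings.append("associated without WPA key management")
    encryption = record.get("Encryption", "")
    if encryption.upper() in ("", "OFF", "NONE"):  # assumed tokens for an unencrypted link
        findings.append("no link-layer encryption")
    elif encryption == "TKIP":
        findings.append("TKIP in use; prefer AES-CCMP where clients support it")
    for counter in ("MIC Failed", "MIC Missing", "Decrypt Failed"):
        value = record.get(counter, "0")
        if value.isdigit() and int(value) > 0:
            findings.append("%s = %s: check for key mismatch or frame tampering" % (counter, value))
    return findings
```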


Troubleshooting

IOS has extensive debugging facilities that can be used to troubleshoot problems. Tracing is activated by the debug command, which is followed by the area to perform tracing on. By default, tracing is sent to the console. If you are attached to the device over the network, you will need to send the debugging output to the current login screen with the following command:

ap1200# terminal monitor

The most troublesome part of working with secure 802.11 networks is the initial association and key distribution phase. Troubleshooting of these actions can be accomplished with debug dot11 and its subcommands. Some common troubleshooting debugging commands are shown in Table 20-2.

Table 20-2. Cisco 1200 debugging commands

Debug area           Commands                                      Remarks
-------------------  --------------------------------------------  ---------------------------------------------------------------
EAP authentication   debug radius authentication                   Prints out RADIUS packets; decodes attributes; explains actions
                     debug dot11 aaa authenticator process         May show servers timing out or failing
                     debug dot11 aaa authenticator state-machine
MAC filtering        debug dot11 aaa authenticator mac-authen      Shows MAC addresses and the response from the authentication system
WPA                  debug dot11 aaa authenticator process         Shows the key exchange
                     debug dot11 aaa authenticator state-machine
                     debug dot11 aaa manager keys

Turning off debugging is simple. Just enter the following command:

ap1200# undebug all
