VLAN Summary Status

Click the link to access the VLAN Summary Status page, which lists the VLANs created on this access point.

■ VLAN (802.1Q) Tagging: This setting determines whether the IEEE 802.1Q protocol is used to tag VLAN packets. IEEE 802.1Q protocol is used to connect multiple switches and routers and for defining VLAN topologies.

■ 802.1Q Encapsulation Mode: This setting indicates the presence of VLANs on the access point. When you create and enable a VLAN, this setting changes from Disabled to Hybrid Trunk.

■ Maximum Number of Enabled VLAN IDs: Indicates the maximum allowable number of VLANs for the access point. The current maximum is 16.

■ Native VLAN ID: Indicates the identification number of the VLAN you designate as the Native VLAN.

© 2003, Cisco Systems, Inc. All rights re

■ Single VLAN ID which allows Unencrypted packets: Identifies the number of the VLAN on which unencrypted packets can pass between the access point and the switch. This setting is configurable.

■ Optionally allow Encrypted packets on the unencrypted VLAN: Determines whether the access point passes encrypted packets on an unencrypted VLAN. This setting permits a client device to associate to the access point allowing both WEP and non-WEP associations.

■ VLAN ID: A unique number that identifies a VLAN. This number must match VLANs set on the switch. The user configures the setting.

■ VLAN Name: A unique name for a VLAN configured on the access point. The user configures this setting. The VLAN name is for information only and is not used by the switch or access point as a parameter for determining the destination of data.

Existing VLANs

The window contains a list of VLANs created on this access point. Use the window as a starting point to edit or remove the VLAN you select.

■ Click Edit to access the VLAN ID page for the highlighted VLAN.

■ Click Remove to remove a highlighted VLAN.

■ VLAN Enable: Enables or disables the VLAN.

■ Default Priority: Use the drop-down menu to select the default priority you want the VLAN to use.

■ Default Policy Group: Use the drop-down menu to assign a policy group (set of Layer 2, 3, and 4 filters) for each VLAN. Each filter within a policy group can be configured to allow or deny a certain type of traffic.

■ Enhanced MIC Verification for WEP: This setting enables Message Integrity Check (MIC), a security feature that protects your WEP keys by preventing attacks on encrypted packets called bit-flip attacks. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamperproof. Select MMH from the drop-down menu to enable MIC or select None.

■ Temporal Key Integrity Protocol: TKIP, also known as WEP key hashing, is an additional WEP security feature that defends against an attack on WEP in which the intruder uses an encrypted segment called the initialization vector (IV) in encrypted packets to calculate the WEP key. Use the drop-down menu to choose either None or Cisco.

■ WEP Key Rotation Interval: This option enables broadcast key rotation by setting a key rotation interval. With broadcast, or multicast, WEP key rotation enabled, the access point provides a dynamic broadcast WEP key and changes it at the interval you select. To enable key rotation, enter the rotation interval in seconds. Enter a 0 to turn key rotation off.

■ Alert?: Determine if you want to print the packet data to the console log for troubleshooting.

■ Encryption Key: For 40-bit encryption, enter 10 hexadecimal digits; for 128-bit encryption, enter 26 hexadecimal digits. Hexadecimal digits include the numbers 0 through 9 and the letters A through F. The WEP key you use to transmit data must be set up exactly the same on your access point and any wireless devices with which it associates. For example, if you set WEP Key 3 on your wireless LAN adapter to 0987654321 and select it as the transmit key, you must also set WEP Key 3 on the access point to exactly the same value.

■ Key Size: Use the drop-down menu to select 40-bit or 128-bit encryption for each key. The not set option clears the key. You can disable WEP altogether by selecting not set for each key.
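
The bit-flip problem that Enhanced MIC Verification for WEP addresses, as an added Python example (not Cisco code): an unkeyed CRC-32 check value under a stream cipher accepts an altered frame, while a keyed MIC rejects it. Assumptions: the frame layout is simplified, a SHA-256 counter keystream stands in for RC4, truncated HMAC-SHA256 stands in for MMH, and all keys and messages are constructed sample values.

```python
import hashlib
import hmac
import zlib

def keystream(key: bytes, n: int) -> bytes:
    # Stand-in stream cipher (SHA-256 in counter mode); WEP itself uses RC4.
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    # Unkeyed CRC-32 integrity check value, as WEP appends to each payload.
    return zlib.crc32(data).to_bytes(4, "little")

def mic(mic_key: bytes, payload: bytes) -> bytes:
    # Keyed tag; truncated HMAC-SHA256 stands in for the MMH function.
    return hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]

def seal(key, payload, mic_key=None):
    body = payload + (mic(mic_key, payload) if mic_key else b"")
    body += icv(body)
    return xor(body, keystream(key, len(body)))

def unseal(key, frame, mic_key=None):
    # Returns the payload, or None if an integrity check fails.
    plain = xor(frame, keystream(key, len(frame)))
    body, tag = plain[:-4], plain[-4:]
    if icv(body) != tag:
        return None
    if mic_key is None:
        return body
    payload, got = body[:-8], body[-8:]
    return payload if hmac.compare_digest(got, mic(mic_key, payload)) else None

def alter_in_transit(frame: bytes, delta: bytes) -> bytes:
    # No key needed: CRC-32 is linear over XOR, so the ICV change that matches
    # a chosen payload change is crc(delta) ^ crc(zeros of the same length).
    n = len(frame) - 4
    d = delta.ljust(n, b"\x00")
    return xor(frame, d + xor(icv(d), icv(bytes(n))))

KEY, MIC_KEY = b"constructed-key", b"constructed-mic-key"  # constructed samples
MSG = b"PAY 0100 TO ALICE"                                 # constructed payload
DELTA = xor(b"PAY 0100", b"PAY 9100")                      # change one digit

def demo():
    no_mic = unseal(KEY, alter_in_transit(seal(KEY, MSG), DELTA))
    with_mic = unseal(KEY, alter_in_transit(seal(KEY, MSG, MIC_KEY), DELTA), MIC_KEY)
    return no_mic, with_mic
```

Without the MIC the receiver accepts the altered payload; with it, the ICV still matches but the keyed tag does not, so the frame is dropped.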

This page displays a list of VLANs created on the access point. The list contains pertinent data about each VLAN.

■ ID: The identification number of the VLAN.

■ Def. Pol. Grp.: The default policy group for the VLAN. 0 = no policy group

■ MIC: Determines whether MIC is being used on this VLAN.

■ TKIP: Determines whether TKIP is being used on this VLAN.

■ Key Rotate: Determines the interval that the WEP key will be rotated. The ability to enable WEP key rotation for each VLAN is supported only for wireless VLANs with IEEE 802.1X protocols enabled.

■ Alert?: Determines if you want to print the packet data to the console log for troubleshooting.

■ Encryption: Determines if the VLAN is using no encryption, optional, or full encryption.

— No encryption: The device communicates only with client devices that are not using WEP.

— Optional: Client devices can communicate with this access point or bridge either with or without WEP.

— Full encryption: Client devices must use WEP when communicating with the access point or bridge. Devices not using WEP are not allowed to communicate.

From the Services > VLAN menu tab, you can configure VLANs on the access point, which may then be assigned encryption policies and SSIDs.

Note that VLANs are defined from the "VLAN ID" text box and are assigned using the following options:

■ Native VLAN: This checkbox denotes the Native VLAN for the access point. Only one VLAN ID may be defined as the Native VLAN.

■ Enable Publicly Secure Packet Forwarding: This checkbox permits the application of PSPF on each VLAN, as requirements dictate. PSPF prevents client devices from linking to other WLAN-associated client

■ Radio0-802.11B: Assign VLAN to 802.11B interface

■ Radio1-802.11A: Assign VLAN to 802.11A interface

After VLANs are defined from the "Assign VLAN" interface and assigned to radio interfaces, the throughput statistics for the specified VLAN are visible from the "VLAN Information" menu at the bottom of the VLAN Setup screen. The transmit and receive statistics are obtainable for each interface and for each configured VLAN.

The Encryption Manager screen permits the assignment of encryption parameters either globally or per VLAN, depending on whether the VLAN function is enabled on the AP.

■ The Set Encryption Mode and Keys for VLAN drop-down box is used to select the VLAN for which encryption parameters are to be set.

■ Encryption Modes permits the assignment of:

■ None: no encryption applied

■ WEP Encryption: WEP encryption, either Mandatory or optional

■ Encryption Keys permits the assignment of static WEP keys in each of the 4 encryption key fields

■ Global Properties permits the configuration of the AP broadcast key operation:

■ Broadcast Key Rotation Interval permits the definition of the interval at which the key used to encrypt broadcast traffic will be refreshed

■ WPA Group Key Update permits the configuration of Group (broadcast) key negotiation, either 1) upon client association termination and/or 2) upon client capability change.

After configuration of VLAN, assignment of encryption parameters, and assignment of those encryption and VLAN parameters to an SSID, the details on the configured parameters are available in a tabular summary page from the "Security" menu tab.

Specific configured parameters, including VLAN and authentication methods configured for each SSID on each Radio interface, as well as Encryption Settings for each VLAN are visible from this screen.

Use this page to create multiple SSIDs. Click the Service Set Summary Status link to display a list of SSIDs created on the access point. The list also displays configuration information for each SSID.

■ Device: This field is an information field that shows the device for which the settings on the page apply.

■ SSID for use by Infrastructure Stations (such as Repeaters): This setting identifies the SSID to be used by repeaters and workgroup bridges to associate with the access point. It is also the SSID used by a non-root bridge to associate to a root bridge. The SSID should be mapped to the native VLAN ID in order to facilitate communications between infrastructure devices and a non-root access point or bridge.

■ Disallow Infrastructure Stations on any other SSID: Prevents repeaters or workgroup bridges from associating to SSIDs other than the infrastructure SSID. The default setting is No, so to invoke this condition, you must change the setting to Yes.

■ Service Set ID(SSID): Use this field to name and create a new SSID. When you click Add New, the AP Radio SSID setup screen appears. You configure the new SSID on that page.

■ Existing SSIDs: This field contains a list of SSIDs that have been created on this access point. The numbers in brackets to the left of each SSID indicate the VLAN to which the SSID is mapped.

To edit an existing SSID, highlight the SSID and click Edit. The AP Radio SSID setup screen for that SSID appears. Make any changes and click Apply or OK to save them.

To remove an existing SSID, highlight the SSID you wish to remove and click Remove. The SSID and its configuration are removed.

This screen appears when you click Add New from the AP Radio Service Set screen.

■ Device: The name of the device you are configuring.

■ Service Set ID (SSID): Identifies the SSID to be used by repeaters and workgroup bridges to associate with the access point.

■ Current Number of Associations

■ Maximum Number of Associations

■ Default VLAN ID: Use the drop-down menu to determine which VLAN will be the default.

■ Default Policy Group ID: Use the drop-down menu to determine which policy group will be the default.

■ Accept Authentication Type: Select which authentication type the access point recognizes.

■ Require EAP: If you want to force all client devices to perform EAP authentication before joining the network, select either the Open or Shared check box.

■ Default Unicast Address Filter: Use the drop-down to determine whether you want to allow a default unicast address filter for each authentication type.

This screen displays the status of service sets.

Settings

■ Idx: The index number of the service set. You can click this number to move to the Repeater Radio Primary SSID page.

■ Curr. Assoc: Current Associations.

■ Max Assoc: Maximum Associations.

■ Auth Alg.: Displays whether Open, Shared Key, or Network EAP is the authentication the access point recognizes.

■ Def. Pol. Grp.: Displays which policy group is applied for each VLAN.

■ VLAN: Displays which VLAN configuration is being used.

■ Enabled?: Displays whether VLANs are enabled or not.

■ MIC: Determines whether MIC is being used on this VLAN.

■ TKIP: Determines whether TKIP is being used on this VLAN.

■ Key Rotate: Determines the interval that the WEP key will be rotated. The ability to enable WEP key rotation for each VLAN is supported only for wireless VLANs with IEEE 802.1x protocols enabled.

■ Encryption: Determines if the VLAN is using no, optional, or full encryption.

The SSID Manager screen permits the configuration of the SSID (Service Set ID) after VLAN and encryption parameters have been set up on the access point.

The Authentication Methods Accepted selections for "Open Authentication", "Shared Authentication", and "Network EAP" authentication permit the types of authentication available on the SSID to be specified. Either MAC or EAP authentication may be added to Open or Shared authentication. MAC authentication may be added to Network EAP authentication to permit adding a MAC authentication step to the LEAP authentication process.

AWLF v3.1

On the bottom of the SSID Manager screen, additional authentication parameters may be configured for the selected SSID.

■ Authenticated Key Management, either for Cisco Centralized Key Management (CCKM) or for WiFi Protected Access (WPA), may be configured as "Optional" or "Mandatory", depending on the desired system operation and client capabilities. If using WPA, the WPA Pre-shared Key (used to authenticate the encryption parameters between client and AP in a non-802.1X environment) may be entered from this interface.

■ EAP Client Username and Password, which are used to authenticate the AP to a LEAP server for operation of the AP/Bridge in repeater or non-root mode, are entered from this interface.

■ Association Limit determines the maximum number of client associations that the AP will permit to the specified SSID.

■ Enable Proxy Mobile IP allows the Proxy Mobile IP protocol to be enabled for the specified SSID. Note that Proxy Mobile IP is not used with VLANs enabled.

■ Enable Accounting allows client accounting to be recorded and transmitted to an AAA accounting server for the specified SSID.

■ Under Global Radio SSID Properties, the properties used for ALL 802.11 interfaces may be configured. Set Guest Mode SSID configures the single SSID that the AP transmits in its beacon information. Set Infrastructure SSID configures the SSID for use by repeaters and WGB, and permits restriction of these infrastructure devices to this SSID only via the "Force Infrastructure Devices to associate only to this SSID" selection box.

The SSID Summary and Administrators user information is available from the Security menu selection and is shown under "Security Summary".

The administrative users configured from the "Admin Access" menu and their capabilities (Read-Only or Read-Write)

Note that the VLANs and SSIDs associated with each radio interface and their configured authentication mechanisms are indicated on this screen.

SSIDs may also be configured from this Summary screen. The configuration menu for each radio interface is accessible from either the "Radio0-802.11 B-SSIDs" or the "Radio1-802.11A-SSIDs" link.
