Cisco Cisco Access Registrar 4.2 Specifikace Strana 245
- Strana / 636
- Tabulka s obsahem
- ŘEŠENÍ PROBLÉMŮ
- KNIHY
Hodnocené. / 5. Na základě hodnocení zákazníků
5-61
Cisco Wireless LAN Controller Configuration Guide
OL-13826-01
Chapter 5 Configuring Security Solutions
Configuring Identity Networking
The RADIUS server typically indicates the desired VLAN by including tunnel attributes within the
Access-Accept. However, the IEEE 802.1X Authenticator may also provide a hint as to the VLAN to be
assigned to the Supplicant by including Tunnel attributes within the Access- Request.
For use in VLAN assignment, the following tunnel attributes are used:
• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
Note that the VLANID is 12-bits, taking a value between 1 and 4094, inclusive. Since the
Tunnel-Private-Group-ID is of type String as defined in RFC2868, for use with IEEE 802.1X, the
VLANID integer value is encoded as a string.
When Tunnel attributes are sent, it is necessary to fill in the Tag field. As noted in RFC2868, section 3.1:
• The Tag field is one octet in length and is intended to provide a means of grouping attributes in the
same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F,
inclusive. If the Tag field is unused, it must be zero (0x00).
• For use with Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Tunnel-Private-Group-ID,
Tunnel-Assignment-ID, Tunnel-Client-Auth-ID or Tunnel-Server-Auth-ID attributes (but not
Tunnel-Type, Tunnel-Medium-Type, Tunnel-Password, or Tunnel-Preference), a tag field of greater
than 0x1F is interpreted as the first octet of the following field.
• Unless alternative tunnel types are provided, (e.g. for IEEE 802.1X Authenticators that may support
tunneling but not VLANs), it is only necessary for tunnel attributes to specify a single tunnel. As a
result, where it is only desired to specify the VLANID, the tag field should be set to zero (0x00) in
all tunnel attributes. Where alternative tunnel types are to be provided, tag values between 0x01 and
0x1F should be chosen.
Configuring AAA Override
The Allow AAA Override option of a WLAN allows you to configure the WLAN for identity
networking. It allows you to apply VLAN tagging, QoS, and ACLs to individual clients based on the
returned RADIUS attributes from the AAA server.
Note If a client moves to a new interface due to the AAA override and then you apply an ACL to that interface,
the ACL does not take effect until the client reauthenticates. To work around this issue, apply the ACL
and then enable the WLAN so that all clients connect to the ACL already configured on the interface, or
disable and then re-enable the WLAN after you apply the interface so that the clients can reauthenticate.
Most of the configuration for allowing AAA override is done at the RADIUS server, where you should
configure the Access Control Server (ACS) with the override properties you would like it to return to the
controller (for example, Interface-Name, QoS-Level, and VLAN-Tag).
On the controller, simply enable the Allow AAA Override configuration parameter using the GUI or
CLI. Enabling this parameter allows the controller to accept the attributes returned by the RADIUS
server. The controller then applies these attributes to its clients.
- Configuration Guide 1
- CONTENTS 3
- Contents 10
- OL-13826-01 10
- Audience 22
- Organization 22
- Conventions 23
- Related Publications 25
- Overview 27
- Chapter 1 Overview 28
- Single-Controller Deployments 29
- Operating System Software 31
- Operating System Security 31
- Operational Requirements 33
- Configuration Requirements 33
- Controller Platforms 34
- Features Not Supported 35
- Cisco 4400 Series Controllers 36
- Cisco UWN Solution WLANs 40
- Identity Networking 40
- File Transfers 42
- Power over Ethernet 42
- Startup Wizard 43
- Rogue Access Points 47
- • Using the CLI, page 2-7 49
- Guidelines for Using the GUI 50
- Opening the GUI 50
- Using the CLI 55
- Logging Out of the CLI 56
- CLI Interfaces 57
- Controller console 61
- Distribution System Ports 62
- Interfaces 63
- Management Interface 64
- AP-Manager Interface 64
- Virtual Interface 65
- Service-Port Interface 66
- Dynamic Interface 66
- Service-Port Interfaces 68
- Configuring Ports 76
- Configuring Port Mirroring 80
- Enabling Link Aggregation 87
- Link Aggregation Guidelines 89
- Step 3 Reboot the controller 92
- Connecting Additional Ports 98
- Before You Start 100
- Configuring 802.11 Bands 106
- Configuring DHCP Proxy 116
- Configuring RADIUS Settings 117
- Configuring SNMP 118
- Enabling System Logging 124
- Enabling 802.3x Flow Control 124
- Configuring 802.3 Bridging 127
- Configuring Multicast Mode 129
- Configuring Client Roaming 134
- Intra-Controller Roaming 135
- Inter-Controller Roaming 135
- Inter-Subnet Roaming 135
- CCX Layer 2 Client Roaming 136
- Call Admission Control 146
- Expedited Bandwidth Requests 147
- Traffic Stream Metrics 148
- Figure 4-19 Clients Page 152
- (see Figure 4-25) 156
- Configuring EDCA Parameters 162
- Configuring RFID Tag Tracking 173
- General WiSM Guidelines 181
- Configuring the Supervisor 182
- Cisco UWN Solution Security 186
- Layer 3 Solutions 187
- Rogue Access Point Solutions 187
- Configuring TACACS+ 188
- Configuring LDAP 203
- Configuring Local EAP 207
- Figure 5-16 Local EAP Example 208
- Configuring DHCP Option 82 220
- Validating SSIDs 221
- Guidelines for Using MFP 234
- Identity Networking Overview 242
- ACL-Name 243
- Interface-Name 243
- VLAN-Tag 244
- Tunnel Attributes 244
- Configuring AAA Override 245
- Configuring IDS 248
- Viewing Shunned Clients 251
- Configuring IDS Signatures 252
- Configuring AES Key Wrap 260
- WLAN Overview, page 6-2 265
- Configuring WLANs, page 6-2 265
- WLAN Overview 266
- Configuring WLANs 266
- Using the GUI to Create WLANs 267
- Using the CLI to Create WLANs 269
- Configuring DHCP 270
- Security Considerations 271
- Configuring DHCP Scopes 273
- Enabling MAC Filtering 276
- Creating a Local MAC Filter 276
- Assigning WLANs to Interfaces 277
- Configuring Layer 2 Security 280
- WPA1 and WPA2 282
- Configuring a Session Timeout 287
- Configuring Layer 3 Security 288
- VPN Passthrough 289
- Web Authentication 289
- Configuring QoS Enhanced BSS 293
- Configuring IPv6 Bridging 296
- Configuring WLAN Override 301
- Creating Access Point Groups 304
- Configuring the RADIUS Server 307
- External Antenna Connectors 316
- Antenna Sectorization 317
- Wireless Mesh 320
- Configuring Mesh Parameters 324
- MESH MESH 331
- MESH MESH MESH 331
- MESHMESH 331
- Figure 7-10 All APs Page 334
- Figure 7-12 All APs Page 340
- Background Scanning Scenarios 344
- Channel 1 = 153 345
- Channel 2 = 161 345
- Routing Around Interference 346
- Authorizing Access Points 349
- Using DHCP Option 43 351
- • Type: 0xf1 (decimal 241) 352
- Lightweight Mode 356
- Local Core Files: 357
- Cisco Workgroup Bridges 359
- Guidelines for Using WGBs 360
- Sample WGB Configuration 362
- Figure 7-24 Clients Page 363
- Configuring Country Codes 367
- -U Regulatory Domain 373
- Guidelines for Migration 374
- Dynamic Frequency Selection 376
- Access Points 377
- Figure 7-30 Inventory Page 378
- Performing a Link Test 379
- Figure 7-32 Clients Page 380
- Figure 7-33 Link Test Page 381
- Configuring Flashing LEDs 384
- Viewing Clients 385
- Using the CLI to View Clients 388
- Configurations 391
- Upgrading Controller Software 392
- Downloading CA Certificates 400
- Uploading PACs 402
- Using the GUI to Upload PACs 403
- Using the CLI to Upload PACs 403
- Uploading Configuration Files 404
- Saving Configurations 408
- Resetting the Controller 409
- Managing User Accounts 411
- Creating Guest User Accounts 412
- Viewing Guest User Accounts 416
- Web Authentication Process 417
- Configuration Overview 434
- Configuration Guidelines 435
- Configuring Radio Resource 443
- Radio Resource Monitoring 444
- Dynamic Channel Assignment 445
- Overview of RF Groups 447
- Configuring an RF Group 448
- Viewing RF Group Status 450
- Figure 10-3 All APs Page 453
- Configuring Dynamic RRM 456
- Table 10-1 RRM Parameters 457
- Overriding Dynamic RRM 466
- Radio Measurement Requests 472
- Location Calibration 472
- Configuring Pico Cell Mode 476
- Overview of Mobility 484
- Overview of Mobility Groups 487
- Configuring Mobility Groups 490
- Prerequisites 491
- Running Mobility Ping Tests 508
- Overview of Hybrid REAP 510
- Hybrid REAP Guidelines 512
- Configuring Hybrid REAP 513
- Figure 12-6) 520
- Safety Considerations and 529
- Translated Safety Warnings 529
- Safety Considerations 530
- Warning Definition 530
- Varoitus 531
- Attention 531
- Avvertenza 531
- Advarsel 531
- ¡Advertencia! 532
- Varning! 532
- Class 1 Laser Product Warning 533
- Produto a laser de classe 1 534
- Klasse 1 laserprodukt 534
- Ground Conductor Warning 535
- Waarschuwing 546
- Controllers 551
- Information 555
- Statement 556
- Canadian Compliance Statement 557
- • Safety: EN 60950 558
- • Radio: EN 301.893 559
- Japanese Translation 560
- English Translation 560
- All Access Points 561
- End User License and Warranty 565
- End User License Agreement 566
- Limited Warranty 568
- Disclaimer of Warranty 570
- Additional Open Source Terms 571
- Troubleshooting 573
- Interpreting LEDs 574
- System Messages 574
- Monitoring Memory Leaks 582
- Diagnostic Channel 584
- Client Reporting 584
- Figure D-3) 591
- Using the Debug Facility 599
- Logical Connectivity Diagrams 605
- Cisco WiSM 606
- Controller Switch 608
- • debug wcp ? 609
- Numerics 611
© 2020, manymanuals.cz. Všechna práva vyhrazena. | 0.073 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Komentáře k této Příručce