-
Cisco Wireless LAN Controller Command Reference, Release 7.5
-
Preface
-
Using the Command-Line Interface
- System Management Commands
- Ports and Interfaces Commands
- VideoStream Commands
- Security Commands
- WLAN Commands
- Lightweight Access Point Commands
- Mesh Access Point Commands
- Radio Resource Management Commands
- CleanAir Commands
- FlexConnect Commands
- Mobility Commands
-
Index
-
Feedback
Contents
CLI Commands
The Cisco Wireless LAN solution command-line interface (CLI) enables operators to connect an ASCII console to the Cisco Wireless LAN Controller and configure the controller and its associated access points.
show Commands
- show 802.11
- show aaa auth
- show acl
- show advanced eap
- show database summary
- show exclusionlist
- show ike
- show IPsec
- show ipv6 acl
- show ipv6 summary
- show l2tp
- show ldap
- show ldap statistics
- show ldap summary
- show local-auth certificates
- show local-auth config
- show local-auth statistics
- show nac statistics
- show nac summary
- show netuser
- show netuser guest-roles
- show network
- show network summary
- show ntp-keys
- show policy
- show profiling policy summary
- show rules
- show switchconfig
- show rogue adhoc custom summary
- show rogue adhoc detailed
- show rogue adhoc friendly summary
- show rogue adhoc malicious summary
- show rogue adhoc unclassified summary
- show rogue adhoc summary
- show rogue ap custom summary
- show rogue ap clients
- show rogue ap detailed
- show rogue ap summary
- show rogue ap friendly summary
- show rogue ap malicious summary
- show rogue ap unclassified summary
- show rogue auto-contain
- show rogue client detailed
- show rogue client summary
- show rogue ignore-list
- show rogue rule detailed
- show rogue rule summary
- show tacacs acct statistics
- show tacacs athr statistics
- show tacacs auth statistics
- show tacacs summary
- show wps ap-authentication summary
- show wps cids-sensor
- show wps mfp
- show wps shun-list
- show wps signature detail
- show wps signature events
- show wps signature summary
- show wps summary
- show wps wips statistics
- show wps wips summary
show 802.11
Syntax Description
Examples
This example shows to display basic 802.11a network settings:
> show 802.11a 802.11a Network.................................. Enabled 11nSupport....................................... Enabled 802.11a Low Band........................... Enabled 802.11a Mid Band........................... Enabled 802.11a High Band.......................... Enabled 802.11a Operational Rates 802.11a 6M Rate.............................. Mandatory 802.11a 9M Rate.............................. Supported 802.11a 12M Rate............................. Mandatory 802.11a 18M Rate............................. Supported 802.11a 24M Rate............................. Mandatory 802.11a 36M Rate............................. Supported 802.11a 48M Rate............................. Supported 802.11a 54M Rate............................. Supported 802.11n MCS Settings: MCS 0........................................ Supported MCS 1........................................ Supported MCS 2........................................ Supported MCS 3........................................ Supported MCS 4........................................ Supported MCS 5........................................ Supported MCS 6........................................ Supported MCS 7........................................ Supported MCS 8........................................ Supported MCS 9........................................ Supported MCS 10....................................... Supported MCS 11....................................... Supported MCS 12....................................... Supported MCS 13....................................... Supported MCS 14....................................... Supported MCS 15....................................... Supported 802.11n Status: A-MPDU Tx: Priority 0............................... Enabled Priority 1............................... Disabled Priority 2............................... Disabled Priority 3............................... Disabled Priority 4............................... Disabled Priority 5............................... Disabled Priority 6............................... Disabled Priority 7............................... Disabled Beacon Interval.................................. 100 CF Pollable mandatory............................ Disabled CF Poll Request mandatory........................ Disabled --More-- or (q)uit CFP Period....................................... 4 CFP Maximum Duration............................. 60 Default Channel.................................. 36 Default Tx Power Level........................... 0 DTPC Status..................................... Enabled Fragmentation Threshold.......................... 2346 TI Threshold..................................... -50 Legacy Tx Beamforming setting.................... Disabled Traffic Stream Metrics Status.................... Enabled Expedited BW Request Status...................... Disabled World Mode....................................... Enabled EDCA profile type................................ default-wmm Voice MAC optimization status.................... Disabled Call Admission Control (CAC) configuration Voice AC: Voice AC - Admission control (ACM)............ Disabled Voice max RF bandwidth........................ 75 Voice reserved roaming bandwidth.............. 6 Voice load-based CAC mode..................... Disabled Voice tspec inactivity timeout................ Disabled Voice Stream-Size............................. 84000 Voice Max-Streams............................. 2 Video AC: Video AC - Admission control (ACM)............ Disabled Video max RF bandwidth........................ Infinite Video reserved roaming bandwidth.............. 0This example shows how to display basic 802.11h network settings:
> show 802.11h 802.11h ......................................... powerconstraint : 0 802.11h ......................................... channelswitch : Disable 802.11h ......................................... channelswitch mode : 0show aaa auth
To display the configuration settings for the AAA authentication server database, use the show aaa auth command.
Command History
Examples
The following example shows how to display the configuration settings for the AAA authentication server database:
(Cisco Controller) > show aaa auth Management authentication server order: 1............................................ local 2............................................ tacacsshow acl
To display the access control lists (ACLs) that are configured on the controller, use the show acl command.
Syntax Description
cpu
Displays the ACLs configured on the Cisco WLC's central processing unit (CPU).
detailed
Displays detailed information about a specific ACL.
acl_name
ACL name. The name can be up to 32 alphanumeric characters.
summary
Displays a summary of all ACLs configured on the controller.
Command History
Examples
The following example shows how to display the access control lists on the CPU.
(Cisco Controller) >show acl cpu CPU Acl Name................................ Wireless Traffic............................ Disabled Wired Traffic............................... Disabled Applied to NPU.............................. NoThe following example shows how to display a summary of the access control lists.
(Cisco Controller) > show acl summary ACL Counter Status Disabled ---------------------------------------- IPv4 ACL Name Applied -------------------------------- ------- acl1 Yes acl2 Yes acl3 Yes ---------------------------------------- IPv6 ACL Name Applied -------------------------------- ------- acl6 NoThe following example shows how to display the detailed information of the access control lists.
(Cisco Controller) > show acl detailed acl_name Source Destination Source Port Dest Port I Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter - --- ------------------ ------------------ ---- --------- --------- ----- ------ ------- 1 Any 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 0 Deny 0 2 In 0.0.0.0/0.0.0.0 200.200.200.0/ 6 80-80 0-65535 Any Permit 0 255.255.255.0 DenyCounter : 0
Note
The Counter field increments each time a packet matches an ACL rule, and the DenyCounter field increments each time a packet does not match any of the rules.
show advanced eap
Command History
Examples
The following example shows how to display the EAP settings:
(Cisco Controller) > show advanced eap EAP-Identity-Request Timeout (seconds)........... 1 EAP-Identity-Request Max Retries................. 20 EAP Key-Index for Dynamic WEP.................... 0 EAP Max-Login Ignore Identity Response........... enable EAP-Request Timeout (seconds).................... 1 EAP-Request Max Retries.......................... 20 EAPOL-Key Timeout (milliseconds)................. 1000 EAPOL-Key Max Retries............................ 2show database summary
Examples
The following is a sample output of the show database summary command:
(Cisco Controller) > show database summary Maximum Database Entries......................... 2048 Maximum Database Entries On Next Reboot.......... 2048 Database Contents MAC Filter Entries........................... 2 Exclusion List Entries....................... 0 AP Authorization List Entries................ 1 Management Users............................. 1 Local Network Users.......................... 1 Local Users.............................. 1 Guest Users.............................. 0 Total..................................... 5show exclusionlist
To display a summary of all clients on the manual exclusion list (blacklisted) from associating with this Cisco wireless LAN controller, use the show exclusionlist command.
Command History
Examples
The following example shows how to display the exclusion list:
(Cisco Controller) > show exclusionlist No manually disabled clients. Dynamically Disabled Clients ---------------------------- MAC Address Exclusion Reason Time Remaining (in secs) ----------- ---------------- ------------------------ 00:40:96:b4:82:55 802.1X Failure 51show ike
show IPsec
To display active Internet Protocol Security (IPsec) security associations (SAs), use the show IPsec command.
Syntax Description
Command History
Examples
The following example shows how to display brief information about the active Internet Protocol Security (IPsec) security associations (SAs):
(Cisco Controller) > show IPsec brief 209.165.200.254Related Commands
config radius acct ipsec authentication
config radius acct ipsec disable
config radius acct ipsec enable
config radius acct ipsec encryption
config radius auth IPsec encryption
config radius auth IPsec authentication
config radius auth IPsec disable
config radius auth IPsec encryption
config radius auth IPsec ike
config trapflags IPsec
config wlan security IPsec disable
config wlan security IPsec enable
config wlan security IPsec authentication
config wlan security IPsec encryption
config wlan security IPsec config
config wlan security IPsec ike authentication
config wlan security IPsec ike dh-group
config wlan security IPsec ike lifetime
config wlan security IPsec ike phase1
config wlan security IPsec ike contivity
show ipv6 acl
To display the IPv6 access control lists (ACLs) that are configured on the controller, use the show ipv6 acl command.
Syntax Description
Command History
Examples
The following example shows how to display the detailed information of the access control lists:
(Cisco Controller) >show ipv6 acl detailed acl6 Rule Index....................................... 1 Direction........................................ Any IPv6 source prefix............................... ::/0 IPv6 destination prefix.......................... ::/0 Protocol......................................... Any Source Port Range................................ 0-65535 Destination Port Range........................... 0-65535 DSCP............................................. Any Flow label....................................... 0 Action........................................... Permit Counter.......................................... 0 Deny Counter................................... 0show ipv6 summary
Command History
Examples
The following example displays the output of the show ipv6 summary command:
(Cisco Controller) >show ipv6 summary Global Config............................... Enabled Reachable-lifetime value.................... 300 Stale-lifetime value........................ 86400 Down-lifetime value......................... 86400 RA Throttling............................... Enabled RA Throttling allow at-least................ 1 RA Throttling allow at-most................. no-limit RA Throttling max-through................... no-limit RA Throttling throttle-period............... 60 RA Throttling interval-option............... throttle NS Mulitcast CacheMiss Forwarding........... Disabledshow ldap
To display the Lightweight Directory Access Protocol (LDAP) server information for a particular LDAP server, use the show ldap command.
Syntax Description
Command History
Examples
The following example shows how to display the detailed LDAP server information:
(Cisco Controller) > show ldap 1 Server Index..................................... 1 Address.......................................... 2.3.1.4 Port............................................. 389 Enabled.......................................... Yes User DN.......................................... name1 User Attribute................................... attr1 User Type........................................ username1 Retransmit Timeout............................... 3 seconds Bind Method ..................................... Anonymousshow ldap statistics
To display all Lightweight Directory Access Protocol (LDAP) server information, use the show ldap statistics command.
Command History
Examples
The following example shows how to display the LDAP server statistics:
(Cisco Controller) > show ldap statistics Server Index..................................... 1 Server statistics: Initialized OK................................. 0 Initialization failed.......................... 0 Initialization retries......................... 0 Closed OK...................................... 0 Request statistics: Received....................................... 0 Sent........................................... 0 OK............................................. 0 Success........................................ 0 Authentication failed.......................... 0 Server not found............................... 0 No received attributes......................... 0 No passed username............................. 0 Not connected to server........................ 0 Internal error................................. 0 Retries........................................ 0 Server Index..................................... 2 ...show ldap summary
To display the current Lightweight Directory Access Protocol (LDAP) server status, use the show ldap summary command.
Command History
show local-auth certificates
show local-auth config
Command History
Examples
The following example shows how to display the local authentication configuration information:
(Cisco Controller) > show local-auth config User credentials database search order: Primary ................................... Local DB Configured EAP profiles: Name ...................................... fast-test Certificate issuer .................... default Enabled methods ....................... fast Configured on WLANs ................... 2 EAP Method configuration: EAP-TLS: Certificate issuer .................... default Peer verification options: Check against CA certificates ..... Enabled Verify certificate CN identity .... Disabled Check certificate date validity ... Enabled EAP-FAST: TTL for the PAC ....................... 3 600 Initial client message ................ <none> Local certificate required ............ No Client certificate required ........... No Vendor certificate required ........... No Anonymous provision allowed ........... Yes Authenticator ID ...................... 7b7fffffff0000000000000000000000 Authority Information ................. Test EAP Profile.................................... tls-prof Enabled methods for this profile .......... tls Active on WLANs ........................... 1 3EAP Method configuration: EAP-TLS: Certificate issuer used ............... cisco Peer verification options: Check against CA certificates ..... disabled Verify certificate CN identity .... disabled Check certificate date validity ... disabledshow local-auth statistics
To display local Extensible Authentication Protocol (EAP) authentication statistics, use the show local-auth statistics command:
Command History
Examples
The following example shows how to display the local authentication certificate statistics:
(Cisco Controller) > show local-auth statistics Local EAP authentication DB statistics: Requests received ............................... 14 Responses returned .............................. 14 Requests dropped (no EAP AVP) ................... 0 Requests dropped (other reasons) ................ 0 Authentication timeouts ......................... 0 Authentication statistics: Method Success Fail ------------------------------------ Unknown 0 0 LEAP 0 0 EAP-FAST 2 0 EAP-TLS 0 0 PEAP 0 0 Local EAP credential request statistics: Requests sent to LDAP DB ........................ 0 Requests sent to File DB ........................ 2 Requests failed (unable to send) ................ 0 Authentication results received: Success ....................................... 2 Fail .......................................... 0 Certificate operations: Local device certificate load failures .......... 0 Total peer certificates checked ................. 0 Failures: CA issuer check ............................... 0 CN name not equal to identity ................. 0 Dates not valid or expired .................... 0show nac statistics
To display detailed Network Access Control (NAC) information about a Cisco wireless LAN controller, use the show nac statistics command.
Command History
Examples
The following example shows how to display detailed statistics of network access control settings:
(Cisco Controller) > show nac statistics Server Index....................................................... 1 Server Address..................................................... xxx.xxx.xxx.xxx Number of requests sent............................................ 0 Number of retransmissions.......................................... 0 Number of requests received........................................ 0 Number of malformed requests received.............................. 0 Number of bad auth requests received............................... 0 Number of pending requests......................................... 0 Number of timed out requests....................................... 0 Number of misc dropped request received............................ 0 Number of requests sent............................................ 0show nac summary
To display NAC summary information for a Cisco wireless LAN controller, use the show nac summary command.
Command History
Examples
The following example shows how to display a summary information of network access control settings:
(Cisco Controller) > show nac summary NAC ACL Name ............................................... Index Server Address Port State ----- ---------------------------------------- ---- ----- 1 xxx.xxx.xxx.xxx 13336 Enabledshow netuser
To display the configuration of a particular user in the local user database, use the show netuser command.
Syntax Description
Command History
Examples
The following is a sample output of the show netuser summary command:
(Cisco Controller) > show netuser summary Maximum logins allowed for a given username ........UnlimitedThe following is a sample output of the show netuser detail command:
(Cisco Controller) > show netuser detail john10 username........................................... abc WLAN Id............................................. Any Lifetime............................................ Permanent Description......................................... test usershow netuser guest-roles
To display a list of the current quality of service (QoS) roles and their bandwidth parameters, use the show netuser guest-roles command.
Examples
This example shows how to display a QoS role for the guest network user:
> show netuser guest-roles Role Name.............................. Contractor Average Data Rate.................. 10 Burst Data Rate.................... 10 Average Realtime Rate.............. 100 Burst Realtime Rate................ 100 Role Name.............................. Vendor Average Data Rate.................. unconfigured Burst Data Rate.................... unconfigured Average Realtime Rate.............. unconfigured Burst Realtime Rate................ unconfiguredshow network summary
To display the network configuration of the Cisco wireless LAN controller, use the show network summary command.
Examples
This example shows how to display a summary configuration:
> show network summary RF-Network Name............................. RF Web Mode.................................... Disable Secure Web Mode............................. Enable Secure Web Mode Cipher-Option High.......... Disable Secure Web Mode Cipher-Option SSLv2......... Disable Secure Web Mode RC4 Cipher Preference....... Disable OCSP........................................ Disabled OCSP responder URL.......................... Secure Shell (ssh).......................... Enable Telnet...................................... Enable Ethernet Multicast Mode..................... Disable Mode: Ucast Ethernet Broadcast Mode..................... Disable Ethernet Multicast Forwarding............... Disable Ethernet Broadcast Forwarding............... Disable AP Multicast/Broadcast Mode................. Unicast IGMP snooping............................... Disabled IGMP timeout................................ 60 seconds IGMP Query Interval......................... 20 seconds MLD snooping................................ Disabled MLD timeout................................. 60 seconds MLD query interval.......................... 20 seconds User Idle Timeout........................... 300 seconds AP Join Priority............................ Disable ARP Idle Timeout............................ 300 seconds ARP Unicast Mode............................ Disabled Cisco AP Default Master..................... Disable Mgmt Via Wireless Interface................. Disable Mgmt Via Dynamic Interface.................. Disable Bridge MAC filter Config.................... Enable Bridge Security Mode........................ EAP Over The Air Provisioning of AP's........... Enable Apple Talk ................................. Disable Mesh Full Sector DFS........................ Enable AP Fallback ................................ Disable Web Auth CMCC Support ...................... Disabled Web Auth Redirect Ports .................... 80 Web Auth Proxy Redirect ................... Disable Web Auth Captive-Bypass .................. Disable Web Auth Secure Web ....................... Enable Fast SSID Change ........................... Disabled AP Discovery - NAT IP Only ................. Enabled IP/MAC Addr Binding Check .................. Enabled CCX-lite status ............................ Disable oeap-600 dual-rlan-ports ................... Disable oeap-600 local-network ..................... Enable mDNS snooping............................... Disabled mDNS Query Interval......................... 15 minutesshow ntp-keys
show policy
To display the summary of the configured policies, and the details and statistics of a policy, use the show policy command.
Syntax Description
summary Displays the summary of configured policies.
policy-name Name of the policy.
statistics (Optional) Displays the statistics of a policy.
Command History
Examples
The following is a sample output of the show policy summary command:
(Cisco Controller) > show policy summary Number of Policies............................. 2 Policy Index Policy Name ------------ ---------------- 1 student-FullAccess 2 teacher-FullAccessThe following example shows how to display the details of a policy:
(Cisco Controller) > show policy student-FullAccess Policy Index..................................... 1 Match Role....................................... <none> Match Eap Type................................... EAP-TLS ACL.............................................. <none> QOS.............................................. <none> Average Data Rate................................ 0 Average Real Time Rate........................... 0 Burst Data Rate.................................. 0 Burst Real Time Rate............................. 0 Vlan Id.......................................... 155 Session Timeout.................................. 1800 Sleeping client timeout.......................... 12 Active Hours ------------ Start Time End Time Day ---------- -------- --- Match Device Types ------------------ AndroidThe following example shows how to display the statistics of a policy:
(Cisco Controller) > show policy student-FullAccess statistics Policy Index..................................... student-FullAccess Matching Attributes None......................... 619 No Policy Match.................................. 224 Device Type Match................................ 0 EAP Type Match................................... 0 Role Type Match.................................. 0 Client Disconnected.............................. 4 Acl Applied...................................... 0 Vlan changed..................................... 614 Session Timeout Applied.......................... 4 QoS Applied...................................... 0 Avg Data Rate Applied............................ 0 Avg Real Time Rate Applied....................... 0 Burst Data Rate Applied.......................... 0 Burst Real Time Rate Applied..................... 0 Sleeping-Client-Timeout Applied.................. 0show profiling policy summary
To display local device classification of the Cisco Wireless LAN Controller (WLC), use the show profiling policy summary command.
Command History
Examples
The following is a sample output of the show profiling policy summary command:
(Cisco Controller) > show profiling policy summary Number of Builtin Classification Profiles: 88 ID Name Parent Min CM Valid ==== ================================================ ====== ====== ===== 0 Android None 30 Yes 1 Apple-Device None 10 Yes 2 Apple-MacBook 1 20 Yes 3 Apple-iPad 1 20 Yes 4 Apple-iPhone 1 20 Yes 5 Apple-iPod 1 20 Yes 6 Aruba-Device None 10 Yes 7 Avaya-Device None 10 Yes 8 Avaya-IP-Phone 7 20 Yes 9 BlackBerry None 20 Yes 10 Brother-Device None 10 Yes 11 Canon-Device None 10 Yes 12 Cisco-Device None 10 Yes 13 Cisco-IP-Phone 12 20 Yes 14 Cisco-IP-Phone-7945G 13 70 Yes 15 Cisco-IP-Phone-7975 13 70 Yes 16 Cisco-IP-Phone-9971 13 70 Yes 17 Cisco-DMP 12 20 Yes 18 Cisco-DMP-4400 17 70 Yes 19 Cisco-DMP-4310 17 70 Yes 20 Cisco-DMP-4305 17 70 Yes 21 DLink-Device None 10 Yes 22 Enterasys-Device None 10 Yes 23 HP-Device None 10 Yes 24 HP-JetDirect-Printer 23 30 Yes 25 Lexmark-Device None 10 Yes 26 Lexmark-Printer-E260dn 25 30 Yes 27 Microsoft-Device None 10 Yes 28 Netgear-Device None 10 Yes 29 NintendoWII None 10 Yes 30 Nortel-Device None 10 Yes 31 Nortel-IP-Phone-2000-Series 30 20 Yes 32 SonyPS3 None 10 Yes 33 XBOX360 27 20 Yes 34 Xerox-Device None 10 Yes 35 Xerox-Printer-Phaser3250 34 30 Yes 36 Aruba-AP 6 20 Yes 37 Cisco-Access-Point 12 10 Yes 38 Cisco-IP-Conference-Station-7935 13 70 Yes 39 Cisco-IP-Conference-Station-7936 13 70 Yes 40 Cisco-IP-Conference-Station-7937 13 70 Yesshow rules
Command History
Examples
The following example shows how to display active internal firewall rules:
(Cisco Controller) > show rules -------------------------------------------------------- Rule ID.............: 3 Ref count...........: 0 Precedence..........: 99999999 Flags...............: 00000001 ( PASS ) Source IP range: (Local stack) Destination IP range: (Local stack) -------------------------------------------------------- Rule ID.............: 25 Ref count...........: 0 Precedence..........: 99999999 Flags...............: 00000001 ( PASS ) Service Info Service name........: GDB Protocol............: 6 Source port low.....: 0 Source port high....: 0 Dest port low.......: 1000 Dest port high......: 1000 Source IP range: IP High............: 0.0.0.0 Interface..........: ANY Destination IP range: (Local stack) --------------------------------------------------------show switchconfig
To display parameters that apply to the Cisco wireless LAN controller, use the show switchconfig command.
Examples
This example shows how to display parameters that apply to the Cisco wireless LAN controller:
> show switchconfig 802.3x Flow Control Mode......................... Disabled FIPS prerequisite features....................... Enabled Boot Break....................................... Enabled secret obfuscation............................... Enabled Strong Password Check Features: case-check ...........Disabled consecutive-check ....Disabled default-check .......Disabled username-check ......Disabledshow rogue adhoc custom summary
To display information about custom rogue ad-hoc rogue access points, use the show rogue adhoc custom summary command.
Command History
Examples
The following example shows how to display details of custom rogue ad-hoc rogue access points:
(Cisco Controller) > show rogue adhoc custom summary Number of Adhocs............................0 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- -----------------------show rogue adhoc detailed
To display details of an ad-hoc rogue access point detected by the Cisco wireless LAN controller, use the show rogue adhoc client detailed command.
Syntax Description
Command History
Examples
The following example shows how to display detailed ad-hoc rogue MAC address information:
(Cisco Controller) > show rogue adhoc client detailed 02:61:ce:8e:a8:8c Adhoc Rogue MAC address.......................... 02:61:ce:8e:a8:8c Adhoc Rogue BSSID................................ 02:61:ce:8e:a8:8c State............................................ Alert First Time Adhoc Rogue was Reported.............. Tue Dec 11 20:45:45 2007 Last Time Adhoc Rogue was Reported............... Tue Dec 11 20:45:45 2007 Reported By AP 1 MAC Address.............................. 00:14:1b:58:4a:e0 Name..................................... AP0014.1ced.2a60 Radio Type............................... 802.11b SSID..................................... rf4k3ap Channel.................................. 3 RSSI..................................... -56 dBm SNR...................................... 15 dB Encryption............................... Disabled ShortPreamble............................ Disabled WPA Support.............................. Disabled Last reported by this AP............... Tue Dec 11 20:45:45 2007show rogue adhoc friendly summary
To display information about friendly rogue ad-hoc rogue access points, use the show rogue adhoc friendly summary command.
Command History
Examples
The following example shows how to display information about friendly rogue ad-hoc rogue access points:
(Cisco Controller) > show rogue adhoc friendly summary Number of Adhocs............................0 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- -----------------------show rogue adhoc malicious summary
To display information about malicious rogue ad-hoc rogue access points, use the show rogue adhoc malicious summary command.
Command History
Examples
The following example shows how to display details of malicious rogue ad-hoc rogue access points:
(Cisco Controller) > show rogue adhoc malicious summary Number of Adhocs............................0 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- -----------------------show rogue adhoc unclassified summary
To display information about unclassified rogue ad-hoc rogue access points, use the show rogue adhoc unclassified summary command.
Command History
Examples
The following example shows how to display information about unclassified rogue ad-hoc rogue access points:
(Cisco Controller) > show rogue adhoc unclassified summary Number of Adhocs............................0 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- -----------------------show rogue adhoc summary
To display a summary of the ad-hoc rogue access points detected by the Cisco wireless LAN controller, use the show rogue adhoc summary command.
Command History
Examples
The following example shows how to display a summary of all ad-hoc rogues:
(Cisco Controller) > show rogue adhoc summary Detect and report Ad-Hoc Networks................ Enabled Client MAC Address Adhoc BSSID State # APs Last Heard ------------------ ----------- ----- --- ------- xx:xx:xx:xx:xx:xx super Alert 1 Sat Aug 9 21:12:50 2004 xx:xx:xx:xx:xx:xx Alert 1 Aug 9 21:12:50 2003 xx:xx:xx:xx:xx:xx Alert 1 Sat Aug 9 21:10:50 2003show rogue ap custom summary
To display information about custom rogue ad-hoc rogue access points, use the show rogue ap custom summary command.
Command History
Examples
The following example shows how to display details of custom rogue ad-hoc rogue access points:
(Cisco Controller) > show rogue ap custom summary Number of APs............................0 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- -----------------------Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap clients
To display details of rogue access point clients detected by the Cisco wireless LAN controller, use the show rogue ap clients command.
Syntax Description
Command History
Examples
The following example shows how to display details of rogue access point clients:
(Cisco Controller) > show rogue ap clients xx:xx:xx:xx:xx:xx MAC Address State # APs Last Heard ----------------- ------------------ ----- ------------------------- 00:bb:cd:12:ab:ff Alert 1 Fri Nov 30 11:26:23 2007Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap detailed
To display details of a rogue access point detected by the Cisco wireless LAN controller, use the show rogue-ap detailed command.
Syntax Description
Command History
Examples
The following example shows how to display detailed information of a rogue access point:
(Cisco Controller) > show rogue ap detailed xx:xx:xx:xx:xx:xx Rogue BSSID...................................... 00:0b:85:63:d1:94 Is Rogue on Wired Network........................ No Classification................................... Unclassified State............................................ Alert First Time Rogue was Reported.................... Fri Nov 30 11:24:56 2007 Last Time Rogue was Reported..................... Fri Nov 30 11:24:56 2007 Reported By AP 1 MAC Address.............................. 00:12:44:bb:25:d0 Name..................................... flexconnect Radio Type............................... 802.11g SSID..................................... edu-eap Channel.................................. 6 RSSI..................................... -61 dBm SNR...................................... -1 dB Encryption............................... Enabled ShortPreamble............................ Enabled WPA Support.............................. Disabled Last reported by this AP.............. Fri Nov 30 11:24:56 2007This example shows how to display detailed information of a rogue access point with a customized classification:
(Cisco Controller) > show rogue ap detailed xx:xx:xx:xx:xx:xx Rogue BSSID...................................... 00:17:0f:34:48:a0 Is Rogue on Wired Network........................ No Classification................................... custom Severity Score .................................. 1 Class Name........................................VeryMalicious Class Change by.................................. Rogue Rule Classified at ................................... -60 dBm Classified by.................................... c4:0a:cb:a1:18:80 State............................................ Contained State change by.................................. Rogue Rule First Time Rogue was Reported.................... Mon Jun 4 10:31:18 2012 Last Time Rogue was Reported..................... Mon Jun 4 10:31:18 2012 Reported By AP 1 MAC Address.............................. c4:0a:cb:a1:18:80 Name..................................... SHIELD-3600-2027 Radio Type............................... 802.11g SSID..................................... sri Channel.................................. 11 RSSI..................................... -87 dBm SNR...................................... 4 dB Encryption............................... Enabled ShortPreamble............................ Enabled WPA Support.............................. Enabled Last reported by this AP................. Mon Jun 4 10:31:18 2012Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap summary
To display a summary of the rogue access points detected by the Cisco wireless LAN controller, use the show rogue-ap summary command.
Command History
Examples
The following example shows how to display a summary of all rogue access points:
(Cisco Controller) > show rogue ap summary Rogue Location Discovery Protocol................ Disabled Rogue ap timeout................................. 1200 Rogue on wire Auto-Contain....................... Disabled Rogue using our SSID Auto-Contain................ Disabled Valid client on rogue AP Auto-Contain............ Disabled Rogue AP timeout................................. 1200 Rogue Detection Report Interval.................. 10 Rogue Detection Min Rssi......................... -128 Rogue Detection Transient Interval............... 0 Rogue Detection Client Num Thershold............. 0 Total Rogues(AP+Ad-hoc) supported................ 2000 Total Rogues classified.......................... 729 MAC Address Classification # APs # Clients Last Heard ----------------- ------------------ ----- --------- ----------------------- xx:xx:xx:xx:xx:xx friendly 1 0 Thu Aug 4 18:57:11 2005 xx:xx:xx:xx:xx:xx malicious 1 0 Thu Aug 4 19:00:11 2005 xx:xx:xx:xx:xx:xx malicious 1 0 Thu Aug 4 18:57:11 2005 xx:xx:xx:xx:xx:xx malicious 1 0 Thu Aug 4 18:57:11 2005Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap friendly summary
To display a list of the friendly rogue access points detected by the controller, use the show rogue ap friendly summary command.
Command History
Examples
The following example shows how to display a summary of all friendly rogue access points:
(Cisco Controller) > show rogue ap friendly summary Number of APs.................................... 1 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- --------------------------- XX:XX:XX:XX:XX:XX Internal 1 0 Tue Nov 27 13:52:04 2007Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap malicious summary
To display a list of the malicious rogue access points detected by the controller, use the show rogue ap malicious summary command.
Command History
Examples
The following example shows how to display a summary of all malicious rogue access points:
(Cisco Controller) > show rogue ap malicious summary Number of APs.................................... 2 MAC Address State # APs # Clients Last Heard ----------------- ------------------ ----- --------- --------------------------- XX:XX:XX:XX:XX:XX Alert 1 0 Tue Nov 27 13:52:04 2007 XX:XX:XX:XX:XX:XX Alert 1 0 Tue Nov 27 13:52:04 2007Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap unclassified summary
To display a list of the unclassified rogue access points detected by the controller, use the show rogue ap unclassified summary command.
Command History
Examples
The following example shows how to display a list of all unclassified rogue access points:
(Cisco Controller) > show rogue ap unclassified summary Number of APs.................................... 164 MAC Address State # APs # Clients Last Heard ----------------- ------------- ----- --------- --------------- XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:12:52 2007 XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:29:01 2007 XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:26:23 2007 XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:26:23 2007show rogue auto-contain
show rogue client detailed
To display details of a rogue client detected by a Cisco wireless LAN controller, use the show rogue client detailed command.
Syntax Description
Command History
Examples
The following example shows how to display detailed information for a rogue client:
(Cisco Controller) > show rogue client detailed xx:xx:xx:xx:xx:xx Rogue BSSID...................................... 00:0b:85:23:ea:d1 State............................................ Alert First Time Rogue was Reported.................... Mon Dec 3 21:50:36 2007 Last Time Rogue was Reported..................... Mon Dec 3 21:50:36 2007 Rogue Client IP address.......................... Not known Reported By AP 1 MAC Address.............................. 00:15:c7:82:b6:b0 Name..................................... AP0016.47b2.31ea Radio Type............................... 802.11a RSSI..................................... -71 dBm SNR...................................... 23 dB Channel.................................. 149 Last reported by this AP.............. Mon Dec 3 21:50:36 2007show rogue client summary
To display a summary of the rogue clients detected by the Cisco wireless LAN controller, use the show rogue client summary command.
Command History
Examples
The following example shows how to display a list of all rogue clients:
(Cisco Controller) > show rogue client summary Validate rogue clients against AAA............... Disabled Total Rogue Clients supported.................... 2500 Total Rogue Clients present...................... 3 MAC Address State # APs Last Heard ----------------- ------------------ ----- ----------------------- xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:09:11 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:03:11 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:03:11 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:09:11 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 18:57:08 2005 xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:12:08 2005show rogue ignore-list
To display a list of rogue access points that are configured to be ignored, use the show rogue ignore-list command.
Command History
Examples
The following example shows how to display a list of all rogue access points that are configured to be ignored.
(Cisco Controller) > show rogue ignore-list MAC Address ----------------- xx:xx:xx:xx:xx:xxRelated Commands
config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
config trapflags rogueap
show rogue ignore-list
show rogue client summary
show rogue ap unclassified summary
show rogue ap malicious summary
show rogue ap friendly summary
config rogue client
show rogue ap summary
show rogue ap clients
show rogue ap detailed
config rogue rule
show rogue rule detailed
To display detailed information for a specific rogue classification rule, use the show rogue rule detailed command.
Syntax Description
Command History
Examples
The following example shows how to display detailed information on a specific rogue classification rule:
(Cisco Controller) > show rogue rule detailed Rule2 Priority......................................... 2 Rule Name........................................ Rule2 State............................................ Enabled Type............................................. Malicious Severity Score................................... 1 Class Name....................................... Very_Malicious Notify........................................... All State ........................................... Contain Match Operation.................................. Any Hit Count........................................ 352 Total Conditions................................. 2 Condition 1 type......................................... Client-count value........................................ 10 Condition 2 type......................................... Duration value (seconds).............................. 2000 Condition 3 type......................................... Managed-ssid value........................................ Enabled Condition 4 type......................................... No-encryption value........................................ Enabled Condition 5 type......................................... Rssi value (dBm).................................. -50 Condition 6 type......................................... Ssid SSID Count................................... 1 SSID 1.................................... testshow rogue rule summary
To display the rogue classification rules that are configured on the controller, use the show rogue rule summary command.
Command History
Examples
The following example shows how to display a list of all rogue rules that are configured on the controller:
(Cisco Controller) > show rogue rule summary Priority Rule Name State Type Match Hit Count -------- ----------------------- -------- ------------- ----- --------- 1 mtest Enabled Malicious All 0 2 asdfasdf Enabled Malicious All 0The following example shows how to display a list of all rogue rules that are configured on the controller:
(Cisco Controller) > show rogue rule summary Priority Rule Name Rule state Class Type Notify State Match Hit Count -------- -------------------------------- ----------- ----------- -------- -------- ------ --------- 1 rule2 Enabled Friendly Global Alert All 234 2 rule1 Enabled Custom Global Alert All 0show tacacs acct statistics
To display detailed radio frequency identification (RFID) information for a specified tag, use the show tacacs acct statistics command.
Command History
Examples
The following example shows how to display detailed RFID information:
(Cisco Controller) > show tacacs acct statistics Accounting Servers: Server Index..................................... 1 Server Address................................... 10.0.0.0 Msg Round Trip Time.............................. 0 (1/100 second) First Requests................................... 1 Retry Requests................................... 0 Accounting Response.............................. 0 Accounting Request Success....................... 0 Accounting Request Failure....................... 0 Malformed Msgs................................... 0 Bad Authenticator Msgs........................... 0 Pending Requests................................. -1 Timeout Requests................................. 1 Unknowntype Msgs................................. 0 Other Drops...................................... 0show tacacs athr statistics
Command History
Examples
The following example shows how to display TACACS server authorization statistics:
(Cisco Controller) > show tacacs athr statistics Authorization Servers: Server Index..................................... 3 Server Address................................... 10.0.0.3 Msg Round Trip Time.............................. 0 (1/100 second) First Requests................................... 0 Retry Requests................................... 0 Received Responses............................... 0 Authorization Success............................ 0 Authorization Failure............................ 0 Challenge Responses.............................. 0 Malformed Msgs................................... 0 Bad Authenticator Msgs........................... 0 Pending Requests................................. 0 Timeout Requests................................. 0 Unknowntype Msgs................................. 0 Other Drops...................................... 0show tacacs auth statistics
Command History
Examples
The following example shows how to display TACACS server authentication statistics:
(Cisco Controller) > show tacacs auth statistics Authentication Servers: Server Index..................................... 2 Server Address................................... 10.0.0.2 Msg Round Trip Time.............................. 0 (msec) First Requests................................... 0 Retry Requests................................... 0 Accept Responses................................. 0 Reject Responses................................. 0 Error Responses.................................. 0 Restart Responses................................ 0 Follow Responses................................. 0 GetData Responses................................ 0 Encrypt no secret Responses...................... 0 Challenge Responses.............................. 0 Malformed Msgs................................... 0 Bad Authenticator Msgs........................... 0 Pending Requests................................. 0 Timeout Requests................................. 0 Unknowntype Msgs................................. 0 Other Drops...................................... 0show tacacs summary
Command History
Examples
The following example shows how to display TACACS server summary information:
(Cisco Controller) > show tacacs summary Authentication Servers Idx Server Address Port State Tout --- ---------------- ------ -------- ---- 2 10.0.0.2 6 Enabled 30 Accounting Servers Idx Server Address Port State Tout --- ---------------- ------ -------- ---- 1 10.0.0.0 10 Enabled 2 Authorization Servers Idx Server Address Port State Tout --- ---------------- ------ -------- ---- 3 10.0.0.3 4 Enabled 2 ...show wps ap-authentication summary
To display the access point neighbor authentication configuration on the controller, use the show wps ap-authentication summary command.
Command History
show wps cids-sensor
To display Intrusion Detection System (IDS) sensor summary information or detailed information on a specified Wireless Protection System (WPS) IDS sensor, use the show wps cids-sensor command.
Syntax Description
Command History
Examples
The following example shows how to display all settings for the selected sensor:
(Cisco Controller) > show wps cids-sensor detail1 IP Address....................................... 10.0.0.51 Port............................................. 443 Query Interval................................... 60 Username......................................... Sensor_user1 Cert Fingerprint................................. SHA1: 00:00:00:00:00:00:00:00: 00:00:00:00:00:00:00:00:00:00:00:00 Query State...................................... Disabled Last Query Result................................ Unknown Number of Queries Sent........................... 0show wps mfp
Syntax Description
Command History
Examples
The following example shows how to display a summary of the MFP configuration and status:
(Cisco Controller) > show wps mfp summary Global Infrastructure MFP state.................. DISABLED (*all infrastructure settings are overridden) Controller Time Source Valid..................... False WLAN Infra. Client WLAN ID WLAN Name Status Protection Protection ------- ------------------------- --------- ---------- ---------- 1 homeap Disabled *Enabled Optional but inactive (WPA2 not configured) 2 7921 Enabled *Enabled Optional but inactive (WPA2 not configured) 3 open1 Enabled *Enabled Optional but inactive (WPA2 not configured) 4 7920 Enabled *Enabled Optional but inactive (WPA2 not configured) Infra. Operational --Infra. Capability-- AP Name Validation Radio State Protection Validation -------------------- ---------- ----- -------------- ---------- ---------- AP1252AG-EW *Enabled b/g Down Full Full a Down Full FullThe following example shows how to display the MFP statistics:
(Cisco Controller) > show wps mfp statistics BSSID Radio Validator AP Last Source Addr Found Error Type Count Frame Types ----------------- ----- -------------------- ----------------- ------ ---------- ---- ---------- ----------- no errorsshow wps shun-list
show wps signature detail
Syntax Description
Command History
Examples
This example shows how to display information on the attacks detected by standard signature 1:
(Cisco Controller) > show wps signature detail 1 Signature-ID..................................... 1 Precedence....................................... 1 Signature Name................................... Bcast deauth Type............................................. standard FrameType........................................ management State............................................ enabled Action........................................... report Tracking......................................... per Signature and Mac Signature Frequency.............................. 500 pkts/interval Signature Mac Frequency.......................... 300 pkts/interval Interval......................................... 10 sec Quiet Time....................................... 300 sec Description...................................... Broadcast Deauthentication Frame Patterns: 0(Header):0x0:0x0 4(Header):0x0:0x0show wps signature events
To display more information about the attacks detected by a particular standard or custom signature, use the show wps signature events command.
Syntax Description
Command History
Examples
The following example shows how to display the number of attacks detected by all enabled signatures:
(Cisco Controller) > show wps signature events summary Precedence Signature Name Type # Events ---------- -------------------- -------- -------- 1 Bcast deauth Standard 2 2 NULL probe resp 1 Standard 1This example shows how to display a summary of information on the attacks detected by standard signature 1:
(Cisco Controller) > show wps signature events standard 1 summary Precedence....................................... 1 Signature Name................................... Bcast deauth Type............................................. Standard Number of active events.......................... 2 Source MAC Addr Track Method Frequency # APs Last Heard ----------------- -------------- --------- ----- ------------------------ 00:a0:f8:58:60:dd Per Signature 50 1 Wed Oct 25 15:03:05 2006 00:a0:f8:58:60:dd Per Mac 30 1 Wed Oct 25 15:02:53 2006show wps signature summary
To see individual summaries of all of the standard and custom signatures installed on the controller, use the show wps signature summary command.
Command History
Examples
The following example shows how to display a summary of all of the standard and custom signatures:
(Cisco Controller) > show wps signature summary Signature-ID..................................... 1 Precedence....................................... 1 Signature Name................................... Bcast deauth Type............................................. standard FrameType........................................ management State............................................ enabled Action........................................... report Tracking......................................... per Signature and Mac Signature Frequency.............................. 50 pkts/interval Signature Mac Frequency.......................... 30 pkts/interval Interval......................................... 1 sec Quiet Time....................................... 300 sec Description...................................... Broadcast Deauthentication Frame Patterns: 0(Header):0x00c0:0x00ff 4(Header):0x01:0x01 ...show wps summary
Command History
Examples
The following example shows how to display WPS summary information:
(Cisco Controller) > show wps summary Auto-Immune Auto-Immune.................................... Disabled Client Exclusion Policy Excessive 802.11-association failures.......... Enabled Excessive 802.11-authentication failures....... Enabled Excessive 802.1x-authentication................ Enabled IP-theft....................................... Enabled Excessive Web authentication failure........... Enabled Trusted AP Policy Management Frame Protection.................... Disabled Mis-configured AP Action....................... Alarm Only Enforced encryption policy................... none Enforced preamble policy..................... none Enforced radio type policy................... none Validate SSID................................ Disabled Alert if Trusted AP is missing................. Disabled Trusted AP timeout............................. 120 Untrusted AP Policy Rogue Location Discovery Protocol.............. Disabled RLDP Action.................................. Alarm Only Rogue APs Rogues AP advertising my SSID................ Alarm Only Detect and report Ad-Hoc Networks............ Enabled Rogue Clients Validate rogue clients against AAA........... Enabled Detect trusted clients on rogue APs.......... Alarm Only Rogue AP timeout............................... 1300 Signature Policy Signature Processing........................... Enabled ...show wps wips statistics
To display the current state of the Cisco Wireless Intrusion Prevention System (wIPS) operation on the controller, use the show wps wips statistics command.
Command History
Examples
The following example shows how to display the statistics of the wIPS operation:
(Cisco Controller) > show wps wips statistics Policy Assignment Requests............ 1 Policy Assignment Responses........... 1 Policy Update Requests................ 0 Policy Update Responses............... 0 Policy Delete Requests................ 0 Policy Delete Responses............... 0 Alarm Updates......................... 13572 Device Updates........................ 8376 Device Update Requests................ 0 Device Update Responses............... 0 Forensic Updates...................... 1001 Invalid WIPS Payloads................. 0 Invalid Messages Received............. 0 NMSP Transmitted Packets.............. 22950 NMSP Transmit Packets Dropped......... 0 NMSP Largest Packet................... 1377show wps wips summary
To display the adaptive Cisco Wireless Intrusion Prevention System (wIPS) configuration that the Wireless Control System (WCS) forwards to the controller, use the show wps wips summary command.
Command History
config Commands
- config 802.11b preamble
- config aaa auth
- config aaa auth mgmt
- config acl apply
- config acl counter
- config acl create
- config acl cpu
- config acl delete
- config acl layer2
- config acl rule
- config auth-list add
- config auth-list ap-policy
- config auth-list delete
- config advanced eap
- config advanced timers auth-timeout
- config advanced timers eap-timeout
- config advanced timers eap-identity-request-delay
- config cts sxp
- config database size
- config exclusionlist
- config ldap
- config local-auth active-timeout
- config local-auth eap-profile
- config local-auth method fast
- config local-auth user-credentials
- config ipv6 acl
- config netuser add
- config netuser delete
- config netuser description
- config network bridging-shared-secret
- config network web-auth captive-bypass
- config network web-auth port
- config network web-auth proxy-redirect
- config network web-auth secureweb
- config network webmode
- config network web-auth
- config policy
- config radius acct
- config radius acct ipsec authentication
- config radius acct ipsec disable
- config radius acct ipsec enable
- config radius acct ipsec encryption
- config radius acct ipsec ike
- config radius acct mac-delimiter
- config radius acct network
- config radius acct retransmit-timeout
- config radius auth
- config radius auth IPsec authentication
- config radius auth IPsec disable
- config radius auth IPsec encryption
- config radius auth IPsec ike
- config radius auth keywrap
- config radius auth mac-delimiter
- config radius auth management
- config radius auth mgmt-retransmit-timeout
- config radius auth network
- config radius auth retransmit-timeout
- config radius auth rfc3576
- config radius auth server-timeout
- config radius aggressive-failover disabled
- config radius backward compatibility
- config radius callStationIdCase
- config radius callStationIdType
- config radius dns
- config radius fallback-test
- config rogue adhoc
- config rogue ap classify
- config rogue ap friendly
- config rogue ap rldp
- config rogue ap ssid
- config rogue ap timeout
- config rogue auto-contain level
- config rogue ap valid-client
- config rogue client
- config rogue containment
- config rogue detection
- config rogue detection client-threshold
- config rogue detection min-rssi
- config rogue detection monitor-ap
- config rogue detection report-interval
- config rogue detection security-level
- config rogue detection transient-rogue-interval
- config rogue rule
- config rogue rule condition ap
- config tacacs acct
- config tacacs athr
- config tacacs athr mgmt-server-timeout
- config tacacs auth
- config tacacs auth mgmt-server-timeout
- config tacacs dns
- config wps ap-authentication
- config wps auto-immune
- config wps cids-sensor
- config wps client-exclusion
- config wps mfp
- config wps shun-list re-sync
- config wps signature
- config wps signature frequency
- config wps signature interval
- config wps signature mac-frequency
- config wps signature quiet-time
- config wps signature reset
config 802.11b preamble
To change the 802.11b preamble as defined in subclause 18.2.2.2 to long (slower, but more reliable) or short (faster, but less reliable), use the config 802.11b preamble command.
Syntax Description
Command History
Usage Guidelines
Note
You must reboot the Cisco Wireless LAN Controller (reset system) with save to implement this command.
This parameter must be set to long to optimize this Cisco wireless LAN controller for some clients, including SpectraLink NetLink telephones.
This command can be used any time that the CLI interface is active.
config aaa auth
To configure the AAA authentication search order for management users, use the config aaa auth command.
Syntax Description
Command History
Usage Guidelines
You can enter two AAA server types as long as one of the server types is local. You cannot enter radius and tacacs together.
config aaa auth mgmt
To configure the order of authentication when multiple databases are configured, use the config aaa auth mgmt command.
Syntax Description
(Optional) Configures the order of authentication for RADIUS servers.
(Optional) Configures the order of authentication for TACACS servers.
Command History
config acl apply
Syntax Description
Command History
Usage Guidelines
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
config acl counter
To see if packets are hitting any of the access control lists (ACLs) configured on your controller, use the config acl counter command.
Syntax Description
Command History
Usage Guidelines
ACL counters are available only on the following controllers: 4400 series, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch.
config acl create
Syntax Description
Command History
Usage Guidelines
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
config acl cpu
To create a new access control list (ACL) rule that restricts the traffic reaching the CPU, use the config acl cpu command.
Syntax Description
Command History
config acl delete
Syntax Description
Command History
Usage Guidelines
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
config acl layer2
config acl layer2 { apply acl_name | create acl_name | delete acl_name | rule { action acl_name index { permit | deny} | add acl_name index | change index acl_name old_index new_index | delete acl_name index | etherType acl_name index etherType etherTypeMask | swap index acl_name index1 index2}}
Syntax Description
apply Applies a Layer 2 ACL to the data path.
acl_name Layer 2 ACL name. The name can be up to 32 alphanumeric characters.
create Creates a Layer 2 ACL.
delete Deletes a Layer 2 ACL.
rule Configures a Layer 2 ACL rule.
action Configures the action for the Layer 2 ACL rule.
index Index of the Layer 2 ACL rule.
permit Permits rule action.
deny Denies rule action.
add Creates a Layer 2 ACL rule.
change index Changes the index of the Layer 2 ACL rule.
old_index Old index of the Layer 2 ACL rule.
new_index New index of the Layer 2 ACL rule.
delete Deletes a Layer 2 ACL rule.
etherType Configures the EtherType of a Layer 2 ACL rule.
etherType EtherType of a Layer 2 ACL rule. EtherType is used to indicate the protocol that is encapsulated in the payload of an Ethernet frame. The range is a hexadecimal value from 0x0 to 0xffff.
etherTypeMask Netmask of the EtherType. The range is a hexadecimal value from 0x0 to 0xffff.
swap index Swaps the index values of two rules.
index1 index2 Index values of two Layer 2 ACL rules.
Command History
Command History
Usage Guidelines
You can create a maximum of 16 rules for a Layer 2 ACL.
You can create a maximum of 64 Layer 2 ACLs on a Cisco WLC.
A maximum of 16 Layer 2 ACLs are supported per access point because an access point supports a maximum of 16 WLANs.
Ensure that the Layer 2 ACL names do not conflict with the FlexConnect ACL names because an access point does not support the same Layer 2 and Layer 3 ACL names.
config acl rule
config acl rule { action rule_name rule_index { permit | deny} | add rule_name rule_index | change index rule_name old_index new_index | delete rule_name rule_index | destination address rule_name rule_index ip_address netmask | destination port range rule_name rule_index start_port end_port | direction rule_name rule_index { in | out | any} | dscp rule_name rule_index dscp | protocol rule_name rule_index protocol | source address rule_name rule_index ip_address netmask | source port range rule_name rule_index start_port end_port | swap index rule_name index_1 index_2}
Syntax Description
Command History
Usage Guidelines
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN pre-authentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
config auth-list add
Syntax Description
Command History
config auth-list ap-policy
Syntax Description
Command History
Examples
The following example shows how to enable an access point authorization policy:
(Cisco Controller) > config auth-list ap-policy authorize-ap enableThe following example shows how to enable an access point with a self-signed certificate to connect:
(Cisco Controller) > config auth-list ap-policy ssc disableconfig auth-list delete
config advanced eap
To configure advanced extensible authentication protocol (EAP) settings, use the config advanced eap command.
config advanced eap { bcast-key-interval seconds | eapol-key-timeout timeout | eapol-key-retries retries | identity-request-timeout timeout | identity-request-retries retries | key-index index | max-login-ignore-identity-response { enable | disable} request-timeout timeout | request-retries retries}
Syntax Description
Command History
config advanced timers eap-timeout
config advanced timers eap-identity-request-delay
config cts sxp
To configure Cisco TrustSec SXP (CTS) connections on the controller, use the config cts sxp command.
config cts sxp { enable | disable | connection { delete | peer} | default password password | retry period time-in-seconds}
Syntax Description
Command History
config database size
config exclusionlist
Syntax Description
Command History
Examples
The following example shows how to create a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:
(Cisco Controller) > config exclusionlist add xx:xx:xx:xx:xx:xx labThe following example shows how to delete a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:
(Cisco Controller) > config exclusionlist delete xx:xx:xx:xx:xx:xx labconfig ldap
To configure the Lightweight Directory Access Protocol (LDAP) server settings, use the config ldap command.
config ldap { add | delete | enable | disable | retransmit-timeout | retry | user | simple-bind} index
Syntax Description
Command History
config local-auth active-timeout
To specify the amount of time in which the controller attempts to authenticate wireless clients using local Extensible Authentication Protocol (EAP) after any pair of configured RADIUS servers fails, use the config local-auth active-timeout command.
Syntax Description
Command History
config local-auth eap-profile
To configure local Extensible Authentication Protocol (EAP) authentication profiles, use the config local-auth eap-profile command.
config local-auth eap-profile {[ add | delete] profile_name | cert-issuer { cisco | vendor} | method method local-cert { enable | disable} profile_name | method method client-cert { enable | disable} profile_name | method method peer-verify ca-issuer { enable | disable} | method method peer-verify cn-verify{ enable | disable} | method method peer-verify date-valid { enable | disable}
Syntax Description
Command History
Examples
The following example shows how to create a local EAP profile named FAST01:
(Cisco Controller) > config local-auth eap-profile add FAST01The following example shows how to add the EAP-FAST method to a local EAP profile:
(Cisco Controller) > config local-auth eap-profile method add fast FAST01The following example shows how to specify Cisco as the issuer of the certificates that will be sent to the client for an EAP-FAST profile:
(Cisco Controller) > config local-auth eap-profile method fast cert-issuer ciscoThe following example shows how to specify that the incoming certificate from the client be validated against the CA certificates on the controller:
(Cisco Controller) > config local-auth eap-profile method fast peer-verify ca-issuer enableconfig local-auth method fast
config local-auth method fast { anon-prov [ enable | disable] | authority-id auth_id pac-ttl days | server-key key_value}
Syntax Description
Command History
Examples
The following example shows how to disable the controller to allows anonymous provisioning:
(Cisco Controller) > config local-auth method fast anon-prov disableThe following example shows how to configure the authority identifier 0125631177 of the local EAP-FAST server:
(Cisco Controller) > config local-auth method fast authority-id 0125631177The following example shows how to configure the number of days to 10 for the PAC to remain viable:
(Cisco Controller) > config local-auth method fast pac-ttl 10config local-auth user-credentials
To configure the local Extensible Authentication Protocol (EAP) authentication database search order for user credentials, use the config local-auth user credentials command.
Syntax Description
Specifies that the local database is searched for the user credentials.
(Optional) Specifies that the Lightweight Directory Access Protocol (LDAP) database is searched for the user credentials.
Command History
config ipv6 acl
To create or delete an IPv6 ACL on the Cisco wireless LAN controller, use the config ipv6 acl command.
config ipv6 acl { apply ipv6_acl_name | create ipv6_acl_name | delete ipv6_acl_name | rule { action rule_name rule_index { permit | deny} | add rule_name rule_index | change index rule_name old_index new_index | delete rule_name rule_index | destination address rule_name rule_index ip_address netmask | destination port range rule_name rule_index start_port end_port | direction rule_name rule_index { in | out | any} | dscp rule_name rule_index dscp | protocol rule_name rule_index protocol | source address rule_name rule_index ip_address netmask | source port range rule_name rule_index start_port end_port | swap index rule_name index_1 index_2}}
Syntax Description
IPv6 ACL name that contains up to 32 alphanumeric characters.
destination port range
Configure a rule's destination port range.
Command History
Usage Guidelines
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
config netuser add
To add a guest user on a WLAN or wired guest LAN to the local user database on the controller, use the config netuser add command.
config netuser add username password { wlan wlan_id | guestlan guestlan_id} userType guest lifetime lifetime description description
Syntax Description
Command History
Usage Guidelines
Local network usernames must be unique because they are stored in the same database.
Examples
The following example shows how to add a permanent username Jane to the wireless network for 1 hour:
(Cisco Controller) > config netuser add jane able2 1 wlan_id 1 userType permanentThe following example shows how to add a guest username George to the wireless network for 1 hour:
(Cisco Controller) > config netuser add george able1 guestlan 1 3600config netuser delete
Syntax Description
Command History
Usage Guidelines
Local network usernames must be unique because they are stored in the same database.
config netuser description
Syntax Description
Network username. The username can contain up to 24 alphanumeric characters.
(Optional) User description. The description can be up to 32 alphanumeric characters enclosed in double quotes.
Command History
config network bridging-shared-secret
Syntax Description
Command History
Usage Guidelines
This command creates a secret that encrypts backhaul user data for the mesh access points that connect to the switch.
The zero-touch configuration must be enabled for this command to work.
config network web-auth captive-bypass
To configure the controller to support bypass of captive portals at the network level, use the config network web-auth captive-bypass command.
Syntax Description
config network web-auth port
To configure an additional port to be redirected for web authentication at the network level, use the config network web-auth port command.
Syntax Description
Command History
config network web-auth proxy-redirect
To configure proxy redirect support for web authentication clients, use the config network web-auth proxy-redirect command.
Syntax Description
Allows proxy redirect support for web authentication clients.
Disallows proxy redirect support for web authentication clients.
Command History
config network web-auth secureweb
To configure the secure web (https) authentication for clients, use the config network web-auth secureweb command.
Syntax Description
Disallows secure web (https) authentication for clients. Enables http web authentication for clients.
Command History
Usage Guidelines
Note
If you configure the secure web (https) authentication for clients using the config network web-auth secureweb disable command, then you must reboot the Cisco WLC to implement the change.
config network webmode
config network web-auth
Syntax Description
Configures additional ports for web authentication redirection.
Configures proxy redirect support for web authentication clients.
Enables proxy redirect support for web authentication clients.
Note Web-auth proxy redirection will be enabled for ports 80, 8080, and 3128, along with user defined port 345.
Disables proxy redirect support for web authentication clients.
Command History
config policy
To configure a native profiling policy on the Cisco Wireless LAN Controller (WLC), use the config policy command.
config policypolicy_name { action { acl { enable | disable} acl_name | { average-data-rate | average-realtime-rate | burst-data-rate | burst-realtime-rate | qos | session-timeout | sleeping-client-timeout | vlan} { enable | disable}}} | active { add hours start _time end _time days day | delete days day} | create | delete | match { device-type { add | delete} device-type | eap-type { add | delete} { eap-fast | eap-tls | leap | peap} | role { role_name | none}}
Syntax Description
policy_name Name of a profiling policy.
action Configures an action for the policy.
acl Configures an ACL for the policy
enable Enables an action for the policy.
disable Disables an action for the policy.
acl_name Name of an ACL.
average-data-rate Configures the QoS average data rate.
average-realtime-rate Configures the QoS average real-time rate.
burst-data-rate Configures the QoS burst data rate.
burst-realtime-rate Configures the QoS burst real-time rate.
qos Configures a QoS action for the policy.
session-timeout Configures a session timeout action for the policy.
sleeping-client-timeout Configures a sleeping client timeout for the policy.
vlan Configures a VLAN action for the policy.
active Configures the active hours and days for the policy.
add Adds active hours and days.
hours Configures active hours for the policy.
start _time Start time for the policy.
end _time End time for the policy.
days Configures the day on the policy must work.
day Day of the week, such as mon, tue, wed, thu, fri, sat, sun. You can also specify daily or weekdays for the policy to occur daily or on all weekdays.
delete Deletes active hours and days.
create Creates a policy.
match Configures a match criteria for the policy.
device-type Configures a device type match.
device-type Device type on which the policy must be applied. You can configure up to 16 devices types for a policy.
eap-type Configures the Extensible Authentication Protocol (EAP) type as a match criteria.
eap-fast Configures the EAP type as EAP Flexible Authentication via Secure Tunneling (FAST).
eap-tls Configures the EAP type as EAP Transport Layer Security (TLS).
leap Configures the EAP type as Lightweight EAP (LEAP).
peap Configures the EAP type as Protected EAP (PEAP).
role Configures the user type or user group for the user.
role_name User type or user group of the user, for example, student, employee.
You can configure only one role per policy.
none Configures no user type or user group for the user.
Command History
config radius acct
To add, delete, or configure settings for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct command.
config radius acct {{ enable | disable | delete} index} | add index server_ip port { ascii | hex} secret}
Syntax Description
RADIUS server index. The controller begins the search with 1.
RADIUS server’s UDP port number for the interface protocols.
Command Default
When adding a RADIUS server, the port number defaults to 1813 and the state is enabled.
Command History
config radius acct ipsec authentication
To configure IPsec authentication for the Cisco wireless LAN controller, use the config radius acct ipsec authentication command.
Syntax Description
Command History
config radius acct ipsec disable
To disable IPsec support for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec disable command.
Syntax Description
Command History
config radius acct ipsec enable
To enable IPsec support for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec enable command.
Syntax Description
Command History
config radius acct ipsec encryption
To configure IPsec encryption for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec encryption command.
Syntax Description
Command History
config radius acct ipsec ike
To configure Internet Key Exchange (IKE) for the Cisco WLC, use the config radius acct ipsec ike command.
config radius acct ipsec ike dh-group { group-1 | group-2 | group-5 | group-14} | lifetime seconds | phase1 { aggressive | main}} index
Syntax Description
Command History
config radius acct mac-delimiter
To specify the delimiter to be used in the MAC addresses that are sent to the RADIUS accounting server, use the config radius acct mac-delimiter command.
Syntax Description
Sets the delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).
Sets the delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).
Sets the delimiter to a single hyphen (for example, xxxxxx-xxxxxx).
Command History
config radius acct network
Syntax Description
Enables the server as a network user’s default RADIUS server.
Disables the server as a network user’s default RADIUS server.
Command History
config radius acct retransmit-timeout
To change the default transmission timeout for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct retransmit-timeout command.
Syntax Description
Command History
config radius auth
To add, delete, or configure settings for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth command.
config radius auth {{ enable | disable | delete} index | add index server_ip port { ascii | hex} secret}
Syntax Description
RADIUS server index. The controller begins the search with 1.
Adds a RADIUS authentication server. See the “Defaults” section.
RADIUS server’s UDP port number for the interface protocols.
Command Default
When adding a RADIUS server, the port number defaults to 1813 and the state is enabled.
Command History
config radius auth IPsec authentication
To configure IPsec support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec authentication command.
Syntax Description
Command History
config radius auth IPsec disable
To disable IPsec support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec disable command.
Syntax Description
Command History
Examples
This example shows how to enable the IPsec support for RADIUS authentication server index 1:
(Cisco Controller) > config radius auth IPsec enable 1This example shows how to disable the IPsec support for RADIUS authentication server index 1:
(Cisco Controller) > config radius auth IPsec disable 1config radius auth IPsec encryption
To configure IPsec encryption support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec encryption command.
Syntax Description
Command History
config radius auth IPsec ike
To configure Internet Key Exchange (IKE) for the Cisco wireless LAN controller, use the config radius auth IPsec ike command.
config radius auth IPsec ike { dh-group { group-1 | group-2 | group-5} | lifetime seconds | phase1 { aggressive | main}} index
Syntax Description
Command History
config radius auth keywrap
To enable and configure Advanced Encryption Standard (AES) key wrap, which makes the shared secret between the controller and the RADIUS server more secure, use the config radius auth keywrap command.
Syntax Description
Command History
config radius auth mac-delimiter
To specify a delimiter to be used in the MAC addresses that are sent to the RADIUS authentication server, use the config radius auth mac-delimiter command.
Syntax Description
Sets a delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).
Sets a delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).
Sets a delimiter to a single hyphen (for example, xxxxxx-xxxxxx).
Command History
config radius auth management
To configure a default RADIUS server for management users, use the config radius auth management command.
Syntax Description
Enables the server as a management user’s default RADIUS server.
Disables the server as a management user’s default RADIUS server.
Command History
config radius auth mgmt-retransmit-timeout
To configure a default RADIUS server retransmission timeout for management users, use the config radius auth mgmt-retransmit-timeout command.
Syntax Description
Command History
config radius auth network
config radius auth retransmit-timeout
To change a default transmission timeout for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth retransmit-timeout command.
Syntax Description
Command History
config radius auth rfc3576
To configure RADIUS RFC-3576 support for the authentication server for the Cisco wireless LAN controller, use the config radius auth rfc3576 command.
Syntax Description
Command History
Usage Guidelines
RFC 3576, which is an extension to the RADIUS protocol, allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session. Disconnect messages cause a user session to be terminated immediately; CoA messages modify session authorization attributes such as data filters.
config radius auth server-timeout
To configure a retransmission timeout value for a RADIUS accounting server, use the config radius auth server-timeout command.
Syntax Description
Command History
config radius aggressive-failover disabled
To configure the controller to mark a RADIUS server as down (not responding) after the server does not reply to three consecutive clients, use the config radius aggressive-failover disabled command.
Command History
config radius backward compatibility
To configure RADIUS backward compatibility for the Cisco wireless LAN controller, use the config radius backward compatibility command.
Syntax Description
Command History
config radius callStationIdCase
To configure callStationIdCase information sent in RADIUS messages for the Cisco WLC, use the config radius callStationIdCase command.
Syntax Description
Command History
config radius callStationIdType
To configure the Called Station ID type information sent in RADIUS messages for the Cisco wireless LAN controller, use the config radius callStationIdType command.
config radius callStationIdType { ipaddr | macaddr | ap-macaddr | ap-macaddr-ssid | | ap-group-name | flex-group-name | ap-name | ap-name-ssid | ap-location| vlan-id}
Syntax Description
Configures the Call Station ID type to use the IP address (only Layer 3).
Configures the Call Station ID type to use the system’s MAC address (Layers 2 and 3).
Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3).
Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3) in the format AP MAC address:SSID.
ap-group-name
Configures the Call Station ID type to use the AP group name. If the AP is not part of any AP group, default-group is taken as the AP group name.
flex-group-name
Configures the Call Station ID type to use the FlexConnect group name. If the FlexConnect AP is not part of any FlexConnect group, the system MAC address is taken as the Call Station ID.
ap-name
Configures the Call Station ID type to use the access point’s name.
ap-name-ssid
Configures the Call Station ID type to use the access point’s name in the format AP name:SSID
ap-location
Configures the Call Station ID type to use the access point’s location.
vlan-id
Configures the Call Station ID type to use the system’s VLAN-ID.
Usage Guidelines
The controller sends the Called Station ID attribute to the RADIUS server in all authentication and accounting packets. The Called Station ID attribute can be used to classify users to different groups based on the attribute value. The command is applicable only for the Called Station and not for the Calling Station.
You cannot send only the SSID as the Called-Station-ID, you can only combine the SSID with either the access point MAC address or the access point name.
Command History
Release Modification 7.6 This command was introduced in a release earlier than Release 7.6. 7.6 The ap-ethmac-only and ap-ethmac-ssid keywords were added to support the access point’s Ethernet MAC address.
The ap-label-address and ap-label-address-ssid keywords were added.
Examples
The following example shows how to configure the call station ID type to use the IP address:
(Cisco Controller) > config radius callStationIdType ipAddrThe following example shows how to configure the call station ID type to use the system’s MAC address:
(Cisco Controller) > config radius callStationIdType macAddrThe following example shows how to configure the call station ID type to use the access point’s MAC address:
(Cisco Controller) > config radius callStationIdType ap-macAddrconfig radius dns
config radius dns { global port { ascii | hex} secret | queryurl timeout | serverip ip_address | disable | enable}
Syntax Description
global Configures the global port and secret to retrieve the RADIUS IP information from a DNS server.
port Port number for authentication. The range is from 1 to 65535. All the DNS servers should use the same authentication port.
ascii Format of the shared secret that you should set to ASCII.
hex Format of the shared secret that you should set to hexadecimal.
secret RADIUS server login secret.
query Configures the fully qualified domain name (FQDN) of the RADIUS server and DNS timeout.
url FQDN of the RADIUS server. The FQDN can be up to 63 case-sensitive, alphanumeric characters.
timeout Maximum time that the Cisco WLC waits for, in days, before timing out the request and resending it. The range is from 1 to 180.
serverip Configures the DNS server IP address.
ip_address DNS server IP address.
disable Disables the RADIUS DNS feature. By default, this feature is disabled.
enable Enables the Cisco WLC to retrieve the RADIUS IP information from a DNS server.
When you enable a DNS query, the static configurations are overridden, that is, the DNS list overrides the static AAA list.
Command Default
You cannot configure the global port and secret to retrieve the RADIUS IP information.
Command History
config radius fallback-test
config radius fallback-test mode { off | passive | active} | username username} | { interval interval}
Syntax Description
Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller ignores all inactive servers for all active RADIUS requests.
Username. The username can be up to 16 alphanumeric characters.
Command History
Examples
The following example shows how to disable the RADIUS accounting server fallback behavior:
(Cisco Controller) > config radius fallback-test mode offThe following example shows how to configure the controller to revert to a preferable server from the available backup servers without using the extraneous probe messages:
(Cisco Controller) > config radius fallback-test mode passiveThe following example shows how to configure the controller to revert to a preferable server from the available backup servers by using RADIUS probe messages:
(Cisco Controller) > config radius fallback-test mode activeconfig rogue adhoc
To globally or individually configure the status of an Independent Basic Service Set (IBSS or ad-hoc) rogue access point, use the config rogue adhoc command.
config rogue adhoc { enable | disable | external rogue_MAC | alert { rogue_MAC | all} | auto-contain [ monitor_ap] | contain rogue_MAC 1234_aps| }
config rogue adhoc { delete { all | mac-address mac-address} | classify { friendly state { external | internal} mac-address | malicious state { alert | contain} mac-address | unclassified state { alert | contain } mac-address}
Syntax Description
Configure external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point.
Generates an SMNP trap upon detection of the ad-hoc rogue, and generates an immediate alert to the system administrator for further action.
Contains all wired ad-hoc rogues detected by the controller.
Contains the offending device so that its signals no longer interfere with authorized clients.
Maximum number of Cisco access points assigned to actively contain the ad-hoc rogue access point (1 through 4, inclusive).
delete
Deletes ad-hoc rogue access points.
all
Deletes all ad-hoc rogue access points.
mac-address
Deletes ad-hoc rogue access point with the specified MAC address.
mac-address
MAC address of the ad-hoc rogue access point.
classify
Configures ad-hoc rogue access point classification.
friendly state
Classifies ad-hoc rogue access points as friendly.
internal
Configures alert state on rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point.
malicious state
Classifies ad-hoc rogue access points as malicious.
alert
Configures alert state on the rogue access point that is not in the neighbor list or in the user configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action.
contain
Configures contain state on the rogue access point. Controller contains the offending device so that its signals no longer interfere with authorized clients.
unclassified state
Classifies ad-hoc rogue access points as unclassified.
Command Default
The default for this command is enabled and is set to alert. The default for auto-containment is disabled.
Command History
Usage Guidelines
The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses RLDP to determine if the rogue is attached to your wired network.
Note
RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS).
When you enter any of the containment commands, the following warning appears:
Using this feature may have legal consequences. Do you want to continue? (y/n) :The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Enter the auto-contain command with the monitor_ap argument to monitor the rogue access point without containing it. Enter the auto-contain command without the optional monitor_ap to automatically contain all wired ad-hoc rogues detected by the controller.
Examples
The following example shows how to enable the detection and reporting of ad-hoc rogues:
(Cisco Controller) > config rogue adhoc enableThe following example shows how to enable alerts for all ad-hoc rogue access points:
(Cisco Controller) > config rogue adhoc alert allThe following example shows how to classify an ad-hoc rogue access point as friendly and configure external state on it:
(Cisco Controller) > config rogue adhoc classify friendly state internal 11:11:11:11:11:11config rogue ap classify
Syntax Description
Configures the controller to acknowledge the presence of this access point.
Configures the controller to forward an immediate alert to the system administrator for further action.
Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients.
Command Default
These commands are disabled by default. Therefore, all unknown access points are categorized as unclassified by default.
Command History
Usage Guidelines
A rogue access point cannot be moved to the unclassified class if its current state is contain.
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
The following example shows how to classify a rogue access point as friendly and can be trusted:
(Cisco Controller) > config rogue ap classify friendly state internal 11:11:11:11:11:11The following example shows how to classify a rogue access point as malicious and to send an alert:
(Cisco Controller) > config rogue ap classify malicious state alert 11:11:11:11:11:11The following example shows how to classify a rogue access point as unclassified and to contain it:
(Cisco Controller) > config rogue ap classify unclassified state contain 11:11:11:11:11:11Related Commands
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap friendly
To add a new friendly access point entry to the friendly MAC address list, or delete an existing friendly access point entry from the list, use the config rogue ap friendly command.
Syntax Description
Adds this rogue access point from the friendly MAC address list.
Deletes this rogue access point from the friendly MAC address list.
MAC address of the rogue access point that you want to add or delete.
Command History
Examples
The following example shows how to add a new friendly access point with MAC address 11:11:11:11:11:11 to the friendly MAC address list.
(Cisco Controller) > config rogue ap friendly add 11:11:11:11:11:11Related Commands
config rogue ap classify
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap rldp
To enable, disable, or initiate the Rogue Location Discovery Protocol (RLDP), use the config rogue ap rldp command.
Syntax Description
When entered without the optional argument monitor_ap_only, enables RLDP on all access points.
When entered without the optional argument monitor_ap_only, automatically contains all rogue access points.
(Optional) RLDP is enabled (when used with alarm-only keyword), or automatically contained (when used with auto-contain keyword) is enabled only on the designated monitor access point.
Command History
Usage Guidelines
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
The following example shows how to enable RLDP on all access points:
(Cisco Controller) > config rogue ap rldp enable alarm-onlyThe following example shows how to enable RLDP on monitor-mode access point ap_1:
(Cisco Controller) > config rogue ap rldp enable alarm-only ap_1The following example shows how to start RLDP on the rogue access point with MAC address 123.456.789.000:
(Cisco Controller) > config rogue ap rldp initiate 123.456.789.000The following example shows how to disable RLDP on all access points:
(Cisco Controller) > config rogue ap rldp disableRelated Commands
config rogue ap classify
config rogue ap friendly
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap ssid
To generate an alarm only, or to automatically contain a rogue access point that is advertising your network’s service set identifier (SSID), use the config rogue ap ssid command.
Syntax Description
Generates only an alarm when a rogue access point is discovered to be advertising your network’s SSID.
Automatically contains the rogue access point that is advertising your network’s SSID.
Command History
Usage Guidelines
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
The following example shows how to automatically contain a rogue access point that is advertising your network’s SSID:
(Cisco Controller) > config rogue ap ssid auto-containRelated Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap timeout
To specify the number of seconds after which the rogue access point and client entries expire and are removed from the list, use the config rogue ap timeout command.
Syntax Description
Command Default
The default number of seconds after which the rogue access point and client entries expire is 1200 seconds.
Command History
Examples
The following example shows how to set an expiration time for entries in the rogue access point and client list to 2400 seconds:
(Cisco Controller) > config rogue ap timeout 2400Related Commands
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue auto-contain level
Syntax Description
Rogue auto-containment level in the range of 1 to 4. You can enter a value of 0 to enable the Cisco WLC to automatically select the number of APs used for auto containment. The controller chooses the required number of APs based on the RSSI for effective containment.
Note Up to four APs can be used to auto-contain when a rogue AP is moved to contained state through any of the auto-containment policies.
(Optional) Configures auto-containment using only monitor AP mode.
Command History
Usage Guidelines
The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses any of the configured auto-containment policies to start autocontainment. The policies for initiating autocontainment are rogue on wire (detected through RLDP or rogue detector AP), rogue using managed SSID, Valid client on Rogue AP, and AdHoc Rogue.
This table lists the RSSI value associated with each containment level.
Table 1 RSSI Associated with Each Containment Level Auto-containment Level RSSI 1 0 to –55 dBm 2 –75 to –55 dBm 3 –85 to –75 dBm 4 Less than –85 dBm
Note
RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS).
When you enter any of the containment commands, the following warning appears:
Using this feature may have legal consequences. Do you want to continue? (y/n) :The 2.4-GHz and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
config rogue ap valid-client
To generate an alarm only, or to automatically contain a rogue access point to which a trusted client is associated, use the config rogue ap valid-client command.
Syntax Description
Generates only an alarm when a rogue access point is discovered to be associated with a valid client.
Automatically contains a rogue access point to which a trusted client is associated.
Command History
Usage Guidelines
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
The following example shows how to automatically contain a rogue access point that is associated with a valid client:
(Cisco Controller) > config rogue ap valid-client auto-containRelated Commands
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap ssid
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue client
config rogue client { aaa { enable | disable} | alert ap_mac | contain client_mac | delete { state { alert | any | contained | contained-pending} | all | mac-address client_mac} | mse{ enable | disable} } }
Syntax Description
Configures AAA server or local database to validate whether rogue clients are valid clients. The default is disabled.
Enables the AAA server or local database to check rogue client MAC addresses for validity.
Disables the AAA server or local database to check rogue client MAC addresses for validity.
Configures the controller to forward an immediate alert to the system administrator for further action.
Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients.
delete
Deletes the rogue client.
state
Deletes the rogue clients according to their state.
alert
Deletes the rogue clients in alert state.
any
Deletes the rogue clients in any state.
contained
Deletes all rogue clients that are in contained state.
contained-pending
Deletes all rogue clients that are in contained pending state.
all
Deletes all rogue clients.
mac-address
Deletes a rogue client with the configured MAC address.
mse
Validates if the rogue clients are valid clients using MSE. The default is disabled.
Command History
Examples
The following example shows how to enable the AAA server or local database to check MAC addresses:
(Cisco Controller) > config rogue client aaa enableThe following example shows how to disable the AAA server or local database from checking MAC addresses:
(Cisco Controller) > config rogue client aaa disableconfig rogue containment
config rogue detection
To enable or disable rogue detection, use the config rogue detection command.
Note
If an AP itself is configured with the keyword all, the all access points case takes precedence over the AP that is with the keyword all.
Syntax Description
Command History
Usage Guidelines
Rogue detection is enabled by default for all access points joined to the controller except for OfficeExtend access points. OfficeExtend access points are deployed in a home environment and are likely to detect a large number of rogue devices.
config rogue detection client-threshold
To configure the rogue client threshold for access points, use the config rogue detection client-threshold command.
Syntax Description
value Threshold rogue client count on an access point after which a trap is sent from the Cisco Wireless LAN Controller (WLC). The range is from 1 to 256. Enter 0 to disable the feature.
Command History
config rogue detection min-rssi
To configure the minimum Received Signal Strength Indicator (RSSI) value at which APs can detect rogues and create a rogue entry in the controller, use the config rogue detection min-rssi command.
Syntax Description
Command History
Usage Guidelines
This feature is applicable to all the AP modes.
There can be many rogues with very weak RSSI values that do not provide any valuable information in rogue analysis. Therefore, you can use this option to filter rogues by specifying the minimum RSSI value at which APs should detect rogues.
config rogue detection monitor-ap
To configure the rogue report interval for all monitor mode Cisco APs, use the config rogue detection monitor-ap command.
Syntax Description
Specifies the interval at which rogues are consistently scanned for by APs after the first time the rogues are scanned.
Command History
Usage Guidelines
This feature is applicable to APs that are in monitor mode only.
Using the transient interval values, you can control the time interval at which APs should scan for rogues. APs can also filter the rogues based on their transient interval values.
Examples
The following example shows how to configure the rogue report interval to 60 seconds:
(Cisco Controller) > config rogue detection monitor-ap report-interval 60The following example shows how to configure the transient rogue interval to 300 seconds:
(Cisco Controller) > config rogue detection monitor-ap transient-rogue-interval 300config rogue detection report-interval
config rogue detection security-level
To configure the rogue detection security level, use the config rogue detection security-level command.
Syntax Description
critical Configures the rogue detection security level to critical.
custom Configures the rogue detection security level to custom, and allows you to configure the rogue policy parameters.
high Configures the rogue detection security level to high. This security level configures basic rogue detection and auto containment for medium-scale or less critical deployments. The Rogue Location Discovery Protocol (RLDP) is disabled for this security level.
low Configures the rogue detection security level to low. This security level configures basic rogue detection for small-scale deployments. Auto containment is not supported for this security level.
Command History
config rogue detection transient-rogue-interval
To configure the rogue-detection transient interval, use the config rogue detection transient-rogue-interval command.
Syntax Description
time Time interval, in seconds, at which a rogue should be consistently scanned by the access point after the rogue is scanned for the first time. The range is from 120 to 1800.
Command History
Usage Guidelines
This feature applies only to the access points that are in the monitor mode.
After the rogue is scanned consistently, updates are sent periodically to the Cisco Wireless LAN Controller (WLC). The access points filter the active transient rogues for a very short period and are then silent.
config rogue rule
config rogue rule { add ap priority priority classify { custom severity-score classification-name | friendly | malicious} notify { all | global | none | local} state { alert | contain | delete | internal | external} rule_name | classify { custom severity-score classification-name | friendly | malicious} rule_name | condition ap { set | delete} condition_type condition_value rule_name | { enable | delete | disable} { all | rule_name} | match { all | any} | priority priority| notify { all | global | none | local} rule_name | state { alert | contain | internal | external} rule_name}
Syntax Description
Adds a rule with match any criteria and the priority that you specify.
custom
Classifies devices matching the rule as custom.
severity-score
Custom classification severity score of the rule. The range is from 1 to 100.
classification-name
Custom classification name. The name can be up to 32 case-sensitive, alphanumeric characters.
notify
Configures type of notification upon rule match.
all
Notifies the controller and a trap receiver such as Cisco Prime Infrastructure.
global
Notifies only a trap receiver such as Cisco Prime Infrastructure.
local
Notifies only the controller.
none
Notifies neither the controller nor a trap receiver such as Cisco Prime Infrastructure.
state
Configures state of the rogue access point after a rule match.
alert
Configures alert state on the rogue access point that is not in the neighbor list or in the user configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action.
contain
Configures contain state on the rogue access point. Controller contains the offending device so that its signals no longer interfere with authorized clients.
delete
Configures delete state on the rogue access point.
external
Configures external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point.
internal
Configures alert state on rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point.
Rule to which the command applies, or the name of a new rule.
Specifies the conditions for a rule that the rogue access point must meet.
Adds conditions to a rule that the rogue access point must meet.
Removes conditions to a rule that the rogue access point must meet.
Type of the condition to be configured. The condition types are listed below:
- client-count—Requires that a minimum number of clients be associated to a rogue access point. The valid range is 1 to 10 (inclusive).
- duration—Requires that a rogue access point be detected for a minimum period of time. The valid range is 0 to 3600 seconds (inclusive).
- managed-ssid—Requires that a rogue access point’s SSID be known to the controller.
- no-encryption—Requires that a rogue access point’s advertised WLAN does not have encryption enabled.
- rssi—Requires that a rogue access point have a minimum RSSI value. The range is from –95 to –50 dBm (inclusive).
- ssid—Requires that a rogue access point have a specific SSID.
- substring-ssid—Requires that a rogue access point have a substring of a user-configured SSID.
Value of the condition. This value is dependent upon the condition_type. For instance, if the condition type is ssid, then the condition value is either the SSID name or all.
Specifies whether a detected rogue access point must meet all or any of the conditions specified by the rule in order for the rule to be matched and the rogue access point to adopt the classification type of the rule.
Changes the priority of a specific rule and shifts others in the list accordingly.
Command History
Usage Guidelines
For your changes to be effective, you must enable the rule. You can configure up to 64 rules.
Reclassification of rogue APs according to the RSSI condition of the rogue rule occurs only when the RSSI changes more than +/- 2 dBm of the configured RSSI value. Manual and automatic classification override custom rogue rules. Rules are applied to manually changed rogues if their class type changes to unclassified and state changes to alert. Adhoc rogues are classified and do not go to the pending state. You can have up to 50 classification types.Examples
The following example shows how to create a rule called rule_1 with a priority of 1 and a classification as friendly.
(Cisco Controller) > config rogue rule add ap priority 1 classify friendly rule_1The following example shows how to enable rule_1.
(Cisco Controller) > config rogue rule enable rule_1The following example shows how to change the priority of the last command.
(Cisco Controller) > config rogue rule priority 2 rule_1The following example shows how to change the classification of the last command.
(Cisco Controller) > config rogue rule classify malicious rule_1The following example shows how to disable the last command.
(Cisco Controller) > config rogue rule disable rule_1The following example shows how to delete SSID_2 from the user-configured SSID list in rule-5.
(Cisco Controller) > config rogue rule condition ap delete ssid ssid_2 rule-5The following example shows how to create a custom rogue rule.
(Cisco Controller) > config rogue rule classify custom 1 VeryMalicious rule6config rogue rule condition ap
To configure a condition of a rogue rule for rogue access points, use the config rogue rule condition ap command.
config rogue rule condition ap { set { client-count count | duration time | managed-ssid | no-encryption | rssi rssi | ssid ssid | substring-ssid substring-ssid} | delete { all | client-count | duration | managed-ssid | no-encryption | rssi | ssid | substring-ssid} rule_name
Syntax Description
set Configures conditions to a rule that the rogue access point must meet.
client-count Enables a minimum number of clients to be associated to the rogue access point.
count Minimum number of clients to be associated to the rogue access point. The range is from 1 to 10 (inclusive). For example, if the number of clients associated to a rogue access point is greater than or equal to the configured value, the access point is classified as malicious.
duration Enables a rogue access point to be detected for a minimum period of time.
time Minimum time period, in seconds, to detect the rogue access point. The range is from 0 to 3600.
managed-ssid Enables a rogue access point’s SSID to be known to the controller.
no-encryption Enables a rogue access point’s advertised WLAN to not have encryption enabled. If a rogue access point has encryption disabled, it is likely that more clients will try to associate to it.
rssi Enables a rogue access point to have a minimum Received Signal Strength Indicator (RSSI) value.
rssi Minimum RSSI value, in dBm, required for the access point. The range is from –95 to –50 (inclusive). For example, if the rogue access point has an RSSI that is greater than the configured value, the access point is classified as malicious.
ssid Enables a rogue access point have a specific SSID.
ssid SSID of the rogue access point.
substring-ssid Enables a rogue access point to have a substring of a user-configured SSID.
substring-ssid Substring of a user-configured SSID. For example, if you have an SSID as ABCDE, you can specify the substring as ABCD or ABC. You can classify multiple SSIDs with matching patterns.
delete Removes the conditions to a rule that a rogue access point must comply with.
all Deletes all the rogue rule conditions.
rule_name Rogue rule to which the command applies.
Command Default
The default value for RSSI is 0 dBm.
The default value for duration is 0 seconds.
The default value for client count is 0.
Command History
config tacacs acct
config tacacs acct add { server_index ip_address port type secret_key} | delete server_index | disable server_index | enable server_index | retransmit-timeout { server_index seconds}
Syntax Description
Command History
Examples
The following example shows how to add a new TACACS+ accounting server index 3 with the IP address 10.0.0.0, port number 10, and secret key 12345678 in ASCII:
(Cisco Controller) > config tacacs acct add 1 10.0.0.0 10 ascii 12345678The following example shows how to change the default retransmit timeout of 30 seconds for the TACACS+ accounting server:
(Cisco Controller) > config tacacs acct retransmit-timeout 30config tacacs athr
config tacacs athr add { server_index ip_address port type secret_key} | delete server_index | disable server_index | enable server_index | retransmit-timeout { server_index seconds}
Syntax Description
Command History
Examples
The following example shows how to add a new TACACS+ authorization server index 3 with the IP address 10.0.0.0, port number 4, and secret key 12345678 in ASCII:
(Cisco Controller) > config tacacs athr add 3 10.0.0.0 4 ascii 12345678The following example shows how to change the default retransmit timeout of 30 seconds for the TACACS+ authorization server:
(Cisco Controller) > config tacacs athr retransmit-timeout 30config tacacs athr mgmt-server-timeout
To configure a default TACACS+ authorization server timeout for management users, use the config tacacs athr mgmt-server-timeout command.
Syntax Description
Command History
config tacacs auth
config tacacs auth add { server_index ip_address port type secret_key} | delete server_index | disable server_index | enable server_index | retransmit-timeout { server_index seconds}
Syntax Description
Command History
Examples
The following example shows how to add a new TACACS+ authentication server index 2 with the IP address 10.0.0.3, port number 6, and secret key 12345678 in ASCII:
(Cisco Controller) > config tacacs auth add 2 10.0.0.3 6 ascii 12345678The following example shows how to change the default retransmit timeout of 30 seconds for TACACS+ authentication server:
(Cisco Controller) > config tacacs auth retransmit-timeout 30config tacacs auth mgmt-server-timeout
To configure a default TACACS+ authentication server timeout for management users, use the config tacacs auth mgmt-server-timeout command.
Syntax Description
Command History
config tacacs dns
config radius dns { global port { ascii | hex} secret | query url timeout | serverip ip_address | disable | enable}
Syntax Description
global Configures the global port and secret to retrieve the TACACS IP information from a DNS server.
port Port number for authentication. The range is from 1 to 65535. All the DNS servers should use the same authentication port.
ascii Format of the shared secret that you should set to ASCII.
hex Format of the shared secret that you should set to hexadecimal.
secret TACACS server login secret.
query Configures the fully qualified domain name (FQDN) of the TACACS server and DNS timeout.
url FQDN of the TACACS server. The FQDN can be up to 63 case-sensitive, alphanumeric characters.
timeout Maximum time that the Cisco Wireless LAN Controller (WLC) waits for, in days, before timing out a request and resending it. The range is from 1 to 180.
serverip Configures the DNS server IP address.
ip_address DNS server IP address.
disable Disables the TACACS DNS feature. The default is disabled.
enable Enables the Cisco WLC to retrieve the TACACS IP information from a DNS server.
Command History
config wps ap-authentication
config wps auto-immune
To enable or disable protection from Denial of Service (DoS) attacks, use the config wps auto-immune command.
Syntax Description
Command History
Usage Guidelines
A potential attacker can use specially crafted packets to mislead the Intrusion Detection System (IDS) into treating a legitimate client as an attacker. It causes the controller to disconnect this legitimate client and launch a DoS attack. The auto-immune feature, when enabled, is designed to protect against such attacks. However, conversations using Cisco 792x phones might be interrupted intermittently when the auto-immune feature is enabled. If you experience frequent disruptions when using 792x phones, you might want to disable this feature.
config wps cids-sensor
To configure Intrusion Detection System (IDS) sensors for the Wireless Protection System (WPS), use the config wps cids-sensor command.
config wps cids-sensor { [ add index ip_address username password] | [ delete index] | [ enable index] | [ disable index] | [ port index port] | [ interval index query_interval] | [ fingerprint sha1 fingerprint] }
Syntax Description
Command History
config wps client-exclusion
config wps client-exclusion { 802.11-assoc | 802.11-auth | 802.11x-auth | ip-theft | web-auth | all} { enable | disable}
Syntax Description
Specifies that the controller excludes clients on the sixth 802.11 association attempt, after five consecutive failures.
Specifies that the controller excludes clients on the sixth 802.11 authentication attempt, after five consecutive failures.
Specifies that the controller excludes clients on the sixth 802.11X authentication attempt, after five consecutive failures.
Specifies that the control excludes clients if the IP address is already assigned to another device.
Specifies that the controller excludes clients on the fourth web authentication attempt, after three consecutive failures.
Specifies that the controller excludes clients for all of the above reasons.
Command History
config wps mfp
config wps shun-list re-sync
To force the controller to synchronization with other controllers in the mobility group for the shun list, use the config wps shun-list re-sync command.
Command History
config wps signature
To enable or disable Intrusion Detection System (IDS) signature processing, or to enable or disable a specific IDS signature, use the config wps signature command.
Syntax Description
Enables the IDS signature processing or a specific IDS signature.
Disables IDS signature processing or a specific IDS signature.
Command History
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
Examples
The following example shows how to enable IDS signature processing, which enables the processing of all IDS signatures:
(Cisco Controller) >config wps signature enableThe following example shows how to disable a standard individual IDS signature:
(Cisco Controller) > config wps signature standard state 15 disableconfig wps signature frequency
To specify the number of matching packets per interval that must be identified at the individual access point level before an attack is detected, use the config wps signature frequency command.
Syntax Description
Number of matching packets per interval that must be at the individual access point level before an attack is detected. The range is 1 to 32,000 packets per interval.
Command History
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
config wps signature interval
To specify the number of seconds that must elapse before the signature frequency threshold is reached within the configured interval, use the config wps signature interval command.
Syntax Description
Number of seconds that must elapse before the signature frequency threshold is reached. The range is 1 to 3,600 seconds.
Command History
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
config wps signature mac-frequency
To specify the number of matching packets per interval that must be identified per client per access point before an attack is detected, use the config wps signature mac-frequency command.
Syntax Description
Number of matching packets per interval that must be identified per client per access point before an attack is detected. The range is 1 to 32,000 packets per interval.
Command History
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
config wps signature quiet-time
To specify the length of time after which no attacks have been detected at the individual access point level and the alarm can stop, use the config wps signature quiet-time command.
Syntax Description
Length of time after which no attacks have been detected at the individual access point level and the alarm can stop. The range is 60 to 32,000 seconds.
Command History
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
config wps signature reset
To reset a specific Intrusion Detection System (IDS) signature or all IDS signatures to default values, use the config wps signature reset command.
Syntax Description
Command History
Usage Guidelines
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
clear Commands
- clear acl counters
- clear radius acct statistics
- clear tacacs auth statistics
- clear stats local-auth
- clear stats radius
- clear stats tacacs
clear acl counters
clear radius acct statistics
To clear the RADIUS accounting statistics on the controller, use the clear radius acc statistics command.
Syntax Description
Command History
clear tacacs auth statistics
To clear the RADIUS authentication server statistics in the controller, use the clear tacacs auth statistics command.
Syntax Description
Command History
clear stats local-auth
clear stats radius
clear stats tacacs
Syntax Description
(Optional) Clears the TACACS+ authentication server statistics.
(Optional) Clears the TACACS+ authorization server statistics.
Command History
debug Commands
- debug 11w-pmf
- debug aaa
- debug aaa local-auth
- debug bcast
- debug cckm
- debug cts sxp
- debug dns
- debug dot1x
- debug dtls
- debug nac
- debug policy
- debug pm
- debug web-auth
- debug wips
- debug wps sig
- debug wps mfp
debug 11w-pmf
debug aaa
Syntax Description
(Optional) Configures the debugging of the AAA Lightweight Directory Access Protocol (LDAP) events.
(Optional) Configures the debugging of the AAA local Extensible Authentication Protocol (EAP) events.
(Optional) Configures the debugging of the AAA TACACS+ events.
Command History
debug aaa local-auth
To configure the debugging of AAA local authentication on the Cisco WLC, use the debug aaa local-auth command.
debug aaa local-auth { db | shim | eap { framework | method} { all | errors | events | packets | sm}} { enable | disable}
Syntax Description
Configures the debugging of the AAA local authentication back-end messages and events.
Configures the debugging of the AAA local authentication shim layer events.
Configures the debugging of the AAA local Extensible Authentication Protocol (EAP) authentication.
Command History
debug bcast
debug cckm
Syntax Description
client Configures debugging of the Cisco Centralized Key Management of clients.
detailed Configures detailed debugging of Cisco Centralized Key Management.
enable Enables debugging of Cisco Centralized Key Management.
disable Disables debugging of Cisco Centralized Key Management.
Command History
debug cts sxp
To configure debugging of Cisco TrustSec (CTS) Security Group Tag (SGT) Exchange Protocol (SXP) options, use the debug cts sxp command.
Syntax Description
all Configures debugging of all the CTS SXP options.
errors Configures debugging of the CTS SXP errors.
events Configures debugging of the CTS SXP events.
framework Configures debugging of the CTS SXP framework.
message Configures debugging of the CTS SXP messages.
enable Enables debugging of the CTS SXP options.
disable Disables debugging of the CTS SXP options.
Command History
debug dns
Syntax Description
all Configures debugging of all the DNS options.
detail Configures debugging of the DNS details.
error Configures debugging of the DNS errors.
message Configures debugging of the DNS messages.
enable Enables debugging of the DNS options.
disable Disables debugging of the DNS options.
Command History
debug dot1x
Syntax Description
aaa Configures debugging of the 802.1X AAA interactions.
all Configures debugging of all the 802.1X messages.
events Configures debugging of the 802.1X events.
packets Configures debugging of the 802.1X packets.
states Configures debugging of the 802.1X state transitions.
enable Enables debugging of the 802.1X options.
disable Disables debugging of the 802.1X options.
Command History
debug dtls
To configure debugging of the Datagram Transport Layer Security (DTLS) options, use the debug dtls command.
Syntax Description
all Configures debugging of all the DTLS messages.
event Configures debugging of the DTLS events.
packet Configures debugging of the DTLS packets.
trace Configures debugging of the DTLS trace messages.
enable Enables debugging of the DTLS options.
disable Disables debugging of the DTLS options.
Command History
debug nac
debug pm
debug pm { all disable | { config | hwcrypto | ikemsg | init | list | message | pki | rng | rules | sa-export | sa-import | ssh-l2tp | ssh-appgw | ssh-engine | ssh-int | ssh-pmgr | ssh-ppp | ssh-tcp} { enable | disable}}
Syntax Description
Configures the debugging of the policy manager configuration.
Configures the debugging of Internet Key Exchange (IKE) messages.
Configures the debugging of policy manager initialization events.
Configures the debugging of policy manager message queue events.
Configures the debugging of Public Key Infrastructure (PKI) related events.
Configures the debugging of policy manager Layer 2 Tunneling Protocol (l2TP) handling.
Configures the debugging of policy manager Point To Point Protocol (PPP) handling.
Command History
debug web-auth
debug web-auth { redirect{ enable mac mac_address | disable} | webportal-server { enable | disable}}
Syntax Description
redirect Configures debugging of web-authenticated and redirected clients.
enable Enables the debugging of web-authenticated clients.
mac Configures the MAC address of the web-authenticated client.
mac_address MAC address of the web-authenticated client.
disable Disables the debugging of web-authenticated clients.
webportal-server Configures the debugging of portal authentication of clients.
Command History
debug wips
debug wps sig
debug wps mfp
To configure the debugging of WPS Management Frame Protection (MFP) settings, use the debug wps mfp command.
Syntax Description
Configures the debugging for MFP messages between the controller and access points.
Configures the debugging for MFP mobility (inter-Cisco WLC) messages.
Command History
