The Cisco Wireless LAN solution command-line interface (CLI) enables operators to connect an ASCII console to the Cisco Wireless LAN Controller and configure the controller and its associated access points.
The following is a sample output of the show avc statistics wlan command.
(Cisco Controller) >show avc statistics wlan 1 application ftp
Description Upstream Downstream
=========== ======== ==========
Number of Packtes(n secs) 0 0
Number of Bytes(n secs) 0 0
Average Packet size(n secs) 0 0
Total Number of Packtes 32459 64888
Total Number of Bytes 274 94673983
show call-control ap
Note: The show call-control ap command is applicable only for SIP-based calls.
To see the metrics for successful calls or the traps generated for failed calls, use the show call-control ap command.
show call-control ap {802.11a | 802.11b} cisco_ap {metrics | traps}
Syntax Description
802.11a     Specifies the 802.11a network.
802.11b     Specifies the 802.11b/g network.
cisco_ap    Cisco access point name.
metrics     Specifies the call metrics information.
traps       Specifies the trap information for call control.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
To aid in troubleshooting, the output of this command shows an error code for any failed calls. This table explains the possible error codes for failed calls.
Table 1 Error Codes for Failed VoIP Calls
Error Code  Integer                      Description
1           unknown                      Unknown error.
400         badRequest                   The request could not be understood because of malformed syntax.
401         unauthorized                 The request requires user authentication.
402         paymentRequired              Reserved for future use.
403         forbidden                    The server understood the request but refuses to fulfill it.
404         notFound                     The server has information that the user does not exist at the domain specified in the Request-URI.
405         methodNotallowed             The method specified in the Request-Line is understood but not allowed for the address identified by the Request-URI.
406         notAcceptable                The resource identified by the request is only capable of generating response entities with content characteristics that are not acceptable according to the Accept header field sent in the request.
407         proxyAuthenticationRequired  The client must first authenticate with the proxy.
408         requestTimeout               The server could not produce a response within a suitable amount of time.
409         conflict                     The request could not be completed due to a conflict with the current state of the resource.
410         gone                         The requested resource is no longer available at the server, and no forwarding address is known.
411         lengthRequired               The server is refusing to process a request because the request entity-body is larger than the server is willing or able to process.
413         requestEntityTooLarge        The server is refusing to process a request because the request entity-body is larger than the server is willing or able to process.
414         requestURITooLarge           The server is refusing to service the request because the Request-URI is longer than the server is willing to interpret.
415         unsupportedMediaType         The server is refusing to service the request because the message body of the request is in a format not supported by the server for the requested method.
420         badExtension                 The server did not understand the protocol extension specified in a Proxy-Require or Require header field.
480         temporarilyNotAvailable      The callee’s end system was contacted successfully, but the callee is currently unavailable.
481         callLegDoesNotExist          The UAS received a request that does not match any existing dialog or transaction.
482         loopDetected                 The server has detected a loop.
483         tooManyHops                  The server received a request that contains a Max-Forwards header field with the value zero.
484         addressIncomplete            The server received a request with a Request-URI that was incomplete.
485         ambiguous                    The Request-URI was ambiguous.
486         busy                         The callee’s end system was contacted successfully, but the callee is currently not willing or able to take additional calls at this end system.
500         internalServerError          The server encountered an unexpected condition that prevented it from fulfilling the request.
501         notImplemented               The server does not support the functionality required to fulfill the request.
502         badGateway                   The server, while acting as a gateway or proxy, received an invalid response from the downstream server it accessed in attempting to fulfill the request.
503         serviceUnavailable           The server is temporarily unable to process the request because of a temporary overloading or maintenance of the server.
504         serverTimeout                The server did not receive a timely response from an external server it accessed in attempting to process the request.
505         versionNotSupported          The server does not support or refuses to support the SIP protocol version that was used in the request.
600         busyEverywhere               The callee’s end system was contacted successfully, but the callee is busy or does not want to take the call at this time.
603         decline                      The callee’s machine was contacted successfully, but the user does not want to or cannot participate.
604         doesNotExistAnywhere         The server has information that the user indicated in the Request-URI does not exist anywhere.
606         notAcceptable                The user’s agent was contacted successfully, but some aspects of the session description (such as the requested media, bandwidth, or addressing style) were not acceptable.
Examples
The following is a sample output of the show call-control ap command that displays successful calls generated for an access point:
(Cisco Controller) >show call-control ap 802.11a Cisco_AP metrics
Total Call Duration in Seconds................... 120
Number of Calls.................................. 10
Number of calls for given client is................. 1
The following is a sample output of the show call-control ap command that displays metrics of traps generated for an AP.
(Cisco Controller) >show call-control ap 802.11a Cisco_AP traps
Number of traps sent in one min.................. 2
Last SIP error code.............................. 404
Last sent trap timestamp...................... Jun 20 10:05:06
show call-control client
To see call information for a call-aware client when Voice-over-IP (VoIP) snooping is enabled and the call is active, use the show call-control client command.
show call-control client callInfo client_MAC_address
Syntax Description
callInfo              Specifies the call-control information.
client_MAC_address    Client MAC address.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following example is a sample output of the show call-control client command:
> show call-control client callInfo 10.10.10.10.10.10
Uplink IP/port................................... 0.0.0.0 / 0
Downlink IP/port................................ 9.47.96.107 / 5006
UP............................................... 6
Calling Party.................................... sip:1021
Called Party..................................... sip:1000
Call ID.......................................... 38423970c3fca477
Call on hold: ................................... FALSE
Number of calls for given client is.............. 1
show client ccx client-capability
To display the client’s capability information, use the show client ccx client-capability command.
show client ccx client-capability client_mac_address
Syntax Description
client_mac_address    MAC address of the client.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
This command displays the client’s available capabilities, not the current settings for the capabilities.
Examples
The following is a sample output of the show client ccx client-capability command:
(Cisco Controller) >show client ccx client-capability 00:40:96:a8:f7:98
Service Capability.................................. Voice, Streaming(uni-directional) Video, Interactive(bi-directional) Video
Radio Type.......................................... DSSS OFDM(802.11a) HRDSSS(802.11b) ERP(802.11g)
Radio Type.......................................... DSSS
Radio Channels.................................. 1 2 3 4 5 6 7 8 9 10 11
Tx Power Mode................................... Automatic
Rate List(MB)................................... 1.0 2.0
Radio Type.......................................... HRDSSS(802.11b)
Radio Channels.................................. 1 2 3 4 5 6 7 8 9 10 11
Tx Power Mode................................... Automatic
Rate List(MB)................................... 5.5 11.0
Radio Type.......................................... ERP(802.11g)
Radio Channels.................................. 1 2 3 4 5 6 7 8 9 10 11
Tx Power Mode................................... Automatic
Rate List(MB)................................... 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Are you sure you want to start? (y/N)y Are you sure you want to start? (y/N)
show client ccx frame-data
To display the data frames sent from the client for the last test, use the show client ccx frame-data command.
show client ccx frame-data client_mac_address
Syntax Description
client_mac_address    MAC address of the client.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following is a sample output of the show client ccx frame-data command:
show client ccx last-response-status
To display the status of the last test response, use the show client ccx last-response-status command.
show client ccx last-response-status client_mac_address
Syntax Description
client_mac_address    MAC address of the client.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following is a sample output of the show client ccx last-response-status command:
(Cisco Controller) >show client ccx last-response-status
Test Status ........................ Success
Response Dialog Token.............. 87
Response Status.................... Successful
Response Test Type................. 802.1x Authentication Test
Response Time...................... 3476 seconds since system boot
show client ccx last-test-status
To display the status of the last test, use the show client ccx last-test-status command.
show client ccx last-test-status client_mac_address
Syntax Description
client_mac_address    MAC address of the client.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following is a sample output of the show client ccx last-test-status command:
(Cisco Controller) >show client ccx last-test-status
Test Type ........................ Gateway Ping Test
Test Status ...................... Pending/Success/Timeout
Dialog Token ..................... 15
Timeout .......................... 15000 ms
Request Time ..................... 1329 seconds since system boot
show client ccx log-response
To display a log response, use the show client ccx log-response command.
Syntax Description
roam                  (Optional) Displays the CCX client roaming log response.
rsna                  (Optional) Displays the CCX client RSNA log response.
syslog                (Optional) Displays the CCX client system log response.
client_mac_address    Inventory for the specified access point.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following is a sample output of the show client ccx log-response syslog command:
(Cisco Controller) >show client ccx log-response syslog 00:40:96:a8:f7:98
Tue Jun 26 18:07:48 2007 Syslog Response LogID=131: Status=Successful
Event Timestamp=0d 00h 19m 42s 278987us
Client SysLog = ‘<11> Jun 19 11:49:47 unraval13777 Mandatory elements missing in the OID response’
Event Timestamp=0d 00h 19m 42s 278990us
Client SysLog = ‘<11> Jun 19 11:49:47 unraval13777 Mandatory elements missing in the OID response’
Tue Jun 26 18:07:48 2007 Syslog Response LogID=131: Status=Successful
Event Timestamp=0d 00h 19m 42s 278987us
Client SysLog = ‘<11> Jun 19 11:49:47 unraval13777 Mandatory elements missing in the OID response’
Event Timestamp=0d 00h 19m 42s 278990us
Client SysLog = ‘<11> Jun 19 11:49:47 unraval13777 Mandatory elements missing in the OID response’
The following example shows how to display the client roaming log response:
(Cisco Controller) >show client ccx log-response roam 00:40:96:a8:f7:98
Thu Jun 22 11:55:14 2007 Roaming Response LogID=20: Status=Successful
Event Timestamp=0d 00h 00m 13s 322396us Source BSSID=00:40:96:a8:f7:98
Target BSSID=00:0b:85:23:26:70, Transition Time=100(ms)
Transition Reason: Normal roam, poor link Transition Result: Success
Thu Jun 22 11:55:14 2007 Roaming Response LogID=133: Status=Successful
Event Timestamp=0d 00h 00m 16s 599006us Source BSSID=00:0b:85:81:06:c2
Target BSSID=00:0b:85:81:06:c2, Transition Time=3235(ms)
Transition Reason: Normal roam, poor link Transition Result: Success
Thu Jun 22 18:28:48 2007 Roaming Response LogID=133: Status=Successful
Event Timestamp=0d 00h 00m 08s 815477us Source BSSID=00:0b:85:81:06:c2
Target BSSID=00:0b:85:81:06:d2, Transition Time=3281(ms)
Transition Reason: First association to WLAN Transition Result: Success
show client ccx manufacturer-info
To display the client manufacturing information, use the show client ccx manufacturer-info command.
show client ccx manufacturer-info client_mac_address
Syntax Description
client_mac_address    MAC address of the client.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following is a sample output of the show client ccx manufacturer-info command:
(Cisco Controller) >show client ccx manufacturer-info 00:40:96:a8:f7:98
Manufacturer OUI .............................. 00:40:96
Manufacturer ID ............................... Cisco
Manufacturer Model ............................ Cisco Aironet 802.11a/b/g Wireless Adapter
Manufacturer Serial ........................... FOC1046N3SX
Mac Address ................................... 00:40:96:b2:8d:5e
Radio Type .................................... DSSS OFDM(802.11a) HRDSSS(802.11b)
ERP(802.11g)
Antenna Type .................................. Omni-directional diversity
Antenna Gain .................................. 2 dBi
Rx Sensitivity:
Radio Type ...................................... DSSS
Rx Sensitivity .................................. Rate:1.0 Mbps, MinRssi:-95, MaxRss1:-30
Rx Sensitivity .................................. Rate:2.0 Mbps, MinRssi:-95, MaxRss1:-30
Radio Type ...................................... HRDSSS(802.11b)
Rx Sensitivity .................................. Rate:5.5 Mbps, MinRssi:-95, MaxRss1:-30
Rx Sensitivity .................................. Rate:11.0 Mbps, MinRssi:-95, MaxRss1:-30
Radio Type ...................................... ERP(802.11g)
Rx Sensitivity .................................. Rate:6.0 Mbps, MinRssi:-95, MaxRss1:-30
Rx Sensitivity .................................. Rate:9.0 Mbps, MinRssi:-95, MaxRss1:-30
Rx Sensitivity .................................. Rate:12.0 Mbps, MinRssi:-95, MaxRss1:-30
Rx Sensitivity .................................. Rate:18.0 Mbps, MinRss1:-95, MaxRss1:-30
show client ccx operating-parameters
To display the client operating-parameters, use the show client ccx operating-parameters command.
show client ccx operating-parameters client_mac_address
Syntax Description
client_mac_address    MAC address of the client.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following is a sample output of the show client ccx operating-parameters command:
(Cisco Controller) >show client ccx operating-parameters 00:40:96:b2:8d:5e
Client Mac ......................................... 00:40:96:b2:8d:5e
Radio Type ......................................... OFDM(802.11a)
Radio Type ......................................... OFDM(802.11a)
Radio Channels ................................. 36 40 44 48 52 56 60 64 100 104 108 112 116 120 124 128 132 136 140 149 153 157 161 165
Tx Power Mode .................................. Automatic
Rate List(MB)................................... 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Power Save Mode .................................... Normal Power Save
SSID ............................................... wifi
Security Parameters[EAP Method, Credential]......... None
Auth Method ........................................ None
Key Management...................................... None
Encryption ......................................... None
Device Name ........................................ Wireless Network Connection 15
Device Type ........................................ 0
OS Id .............................................. Windows XP
OS Version ......................................... 5.1.6.2600 Service Pack 2
IP Type ............................................ DHCP address
IPv4 Address ....................................... Available
IP Address ......................................... 70.0.4.66
Subnet Mask ........................................ 255.0.0.0
Default Gateway .................................... 70.1.0.1
IPv6 Address ....................................... Not Available
IPv6 Address ....................................... 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:
IPv6 Subnet Mask ................................... 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:
DNS Servers ........................................ 103.0.48.0
WINS Servers .......................................
System Name ........................................ URAVAL3777
Firmware Version ................................... 4.0.0.187
Driver Version ..................................... 4.0.0.187
show client ccx profiles
To display the client profiles, use the show client ccx profiles command.
show client ccx profiles client_mac_address
Syntax Description
client_mac_address    MAC address of the client.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following is a sample output of the show client ccx profiles command:
(Cisco Controller) >show client ccx profiles 00:40:96:15:21:ac
Number of Profiles .................................. 1
Current Profile ..................................... 1
Profile ID .......................................... 1
Profile Name ........................................ wifiEAP
SSID ................................................ wifiEAP
Security Parameters [EAP Method, Credential]......... EAP-TLS, Host OS Login Credentials
Auth Method ......................................... EAP
Key Management ...................................... WPA2+CCKM
Encryption .......................................... AES-CCMP
Power Save Mode ..................................... Constantly Awake
Radio Configuration:
Radio Type........................................... DSSS
Preamble Type.................................... Long preamble
CCA Method....................................... Energy Detect + Carrier
Detect/Correlation
Data Retries..................................... 6
Fragment Threshold............................... 2342
Radio Channels................................... 1 2 3 4 5 6 7 8 9 10 11
Tx Power Mode.................................... Automatic
Rate List (MB)................................... 1.0 2.0
Radio Type........................................... HRDSSS(802.11b)
Preamble Type.................................... Long preamble
CCA Method....................................... Energy Detect + Carrier
Detect/Correlation
Data Retries..................................... 6
Fragment Threshold............................... 2342
Radio Channels................................... 1 2 3 4 5 6 7 8 9 10 11
Tx Power Mode.................................... Automatic
Rate List(MB).................................... 5.5 11.0
Radio Type........................................... ERP(802.11g)
Preamble Type.................................... Long preamble
CCA Method....................................... Energy Detect + Carrier
Detect/Correlation
Data Retries..................................... 6
Fragment Threshold............................... 2342
Radio Channels................................... 1 2 3 4 5 6 7 8 9 10 11
Tx Power Mode.................................... Automatic
Rate List (MB)................................... 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Radio Type........................................... OFDM(802.11a)
Preamble Type.................................... Long preamble
CCA Method....................................... Energy Detect + Carrier
Detect/Correlation
Data Retries..................................... 6
Fragment Threshold............................... 2342
Radio Channels................................... 36 40 44 48 52 56 60 64 149 153 157 161 165
Tx Power Mode.................................... Automatic
Rate List (MB)................................... 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
show client ccx results
To display the results from the last successful diagnostic test, use the show client ccx results command.
show client ccx results client_mac_address
Syntax Description
client_mac_address    MAC address of the client.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following is a sample output of the show client ccx results command:
show client detail
To display detailed information for a client on a Cisco lightweight access point, use the show client detail command.
show client detail mac_address
Syntax Description
mac_address    Client MAC address.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
The show client ap command may list the status of automatically disabled clients. Use the show exclusionlist command to display clients on the exclusion list (blacklisted).
Examples
The following example shows how to display the client detailed information:
(Cisco Controller) >show client detail 00:0c:41:07:33:a6
Policy Manager State..............................POSTURE_REQD
Policy Manager Rule Created.......................Yes
Client MAC Address............................... 00:16:36:40:ac:58
Client Username.................................. N/A
Client State..................................... Associated
Client NAC OOB State............................. QUARANTINE
Guest LAN Id..................................... 1
IP Address....................................... Unknown
Session Timeout.................................. 0
QoS Level........................................ Platinum
802.1P Priority Tag.............................. disabled
KTS CAC Capability............................... Yes
WMM Support...................................... Enabled
Power Save....................................... ON
Diff Serv Code Point (DSPC)...................... disabled
Mobility State................................... Local
Internal Mobility State.......................... apfMsMmInitial
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Last Policy Manager State........................ WEBAUTH_REQD
Client Entry Create Time......................... 460 seconds
Interface........................................ wired-guest
FlexConnect Authentication....................... Local
FlexConnect Data Switching....................... Local
VLAN............................................. 236
Quarantine VLAN.................................. 0
Client Statistics:
Number of Bytes Received................... 66806
Number of Data Bytes Received................... 160783
Number of Realtime Bytes Received............... 160783
Number of Data Bytes Sent....................... 23436
Number of Realtime Bytes Sent................... 23436
Number of Data Packets Received................. 592
Number of Realtime Packets Received............. 592
Number of Data Packets Sent..................... 131
Number of Realtime Packets Sent................. 131
Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Request Msg Timeouts......... 0
Number of EAP Key Msg Timeouts............. 0
Number of Data Retries..................... 0
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 3
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 6
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -50 dBm
Signal to Noise Ratio...................... 43 dB
...
show client location-calibration summary
To display client location calibration summary information, use the show client location-calibration summary command.
show client location-calibration summary
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to display the location calibration summary information:
show client summary
To display a summary of clients associated with a Cisco lightweight access point, use the show client summary command.
show client summary [devicetype device]
Syntax Description
This command has no arguments or keywords up to Release 7.4.
devicetype    (Optional) Displays all clients with the specified device type.
device        Device type such as Samsung-Device, or WindowsXP-Workstation.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
Use the show client ap command to list the status of automatically disabled clients. Use the show exclusionlist command to display clients on the exclusion list (blacklisted).
Examples
The following example shows how to display a summary of the active clients:
(Cisco Controller) >show client summary
Number of Clients................................ 24
Number of PMIPV6 Clients......................... 200
MAC Address AP Name Status WLAN/GLAN/RLAN Auth Protocol Port Wired PMIPV6
----------------- ----------------- ------------- -------------- ---- ---------------- ---- ----- ------
00:00:15:01:00:01 NMSP-TalwarSIM1-2 Associated 1 Yes 802.11a 13 No Yes
00:00:15:01:00:02 NMSP-TalwarSIM1-2 Associated 1 Yes 802.11a 13 No No
00:00:15:01:00:03 NMSP-TalwarSIM1-2 Associated 1 Yes 802.11a 13 No Yes
00:00:15:01:00:04 NMSP-TalwarSIM1-2 Associated 1 Yes 802.11a 13 No No
Examples
The following example shows how to display all clients that are WindowsXP-Workstation device types:
(Cisco Controller) >show client devicetype WindowsXP-Workstation
Number of Clients in WLAN........................ 0
MAC Address AP Name Status Auth Protocol Port Wired Mobility Role
----------------- -------- ------------- ---------------- ---------- --------------
Number of Clients with requested device type..... 0
show client wlan
To display the summary of clients associated with a WLAN, use the show client wlan command.
show client wlan wlan_id [devicetype device]
Syntax Description
wlan_id       Wireless LAN identifier from 1 to 512.
devicetype    (Optional) Displays all clients with the specified device type.
device        Device type. For example, Samsung-Device or WindowsXP-Workstation.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following are sample outputs of the show client wlan command:
(Cisco Controller) >show client wlan 1
Number of Clients in WLAN........................ 0
(Cisco Controller) >show client devicetype WindowsXP-Workstation
Number of Clients in WLAN........................ 0
MAC Address AP Name Status Auth Protocol Port Wired Mobility Role
----------------- -------- ------------- ---------------- ---------- --------------
Number of Clients with requested device type..... 0
show dhcp
To display the internal Dynamic Host Configuration Protocol (DHCP) server configuration, use the show dhcp command.
show dhcp {leases | summary | scope}
Syntax Description
leases     Displays allocated DHCP leases.
summary    Displays DHCP summary information.
scope      Name of a scope to display the DHCP information for that scope.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to display the allocated DHCP leases:
(Cisco Controller) >show dhcp leases
No leases allocated.
The following example shows how to display the DHCP summary information:
(Cisco Controller) >show dhcp summary
Scope Name Enabled Address Range
003 No 0.0.0.0 -> 0.0.0.0
The following example shows how to display the DHCP information for the scope 003:
(Cisco Controller) >show dhcp 003
Enabled....................................... No
Lease Time.................................... 0
Pool Start.................................... 0.0.0.0
Pool End...................................... 0.0.0.0
Network....................................... 0.0.0.0
Netmask....................................... 0.0.0.0
Default Routers............................... 0.0.0.0 0.0.0.0 0.0.0.0
DNS Domain....................................
DNS........................................... 0.0.0.0 0.0.0.0 0.0.0.0
Netbios Name Servers.......................... 0.0.0.0 0.0.0.0 0.0.0.0
show dhcp proxy
To display the status of DHCP proxy handling, use the show dhcp proxy command.
show dhcp proxy
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to display the status of DHCP proxy information:
show guest-lan
To display the configuration of a specific wired guest LAN, use the show guest-lan command.
show guest-lan guest_lan_id
Syntax Description
guest_lan_id    ID of the selected wired guest LAN.
Command Default
None
Command History
Release    Modification
7.6        This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
To display all wired guest LANs configured on the controller, use the show guest-lan summary command.
Examples
The following is a sample output of the show guest-lan guest_lan_id command:
(Cisco Controller) >show guest-lan 2
Guest LAN Identifier........................... 1
Profile Name................................... guestlan
Network Name (SSID)............................ guestlan
Status......................................... Enabled
AAA Policy Override............................ Disabled
Number of Active Clients....................... 1
Exclusionlist Timeout.......................... 60 seconds
Session Timeout................................ Infinity
Interface...................................... wired
Ingress Interface.............................. wired-guest
WLAN ACL....................................... unconfigured
DHCP Server.................................... 10.20.236.90
DHCP Address Assignment Required............... Disabled
Quality of Service............................. Silver (best effort)
Security
Web Based Authentication................... Enabled
ACL........................................ Unconfigured
Web-Passthrough............................ Disabled
Conditional Web Redirect................... Disabled
Auto Anchor................................ Disabled
Mobility Anchor List
GLAN ID IP Address Status
show ipv6 acl
To display the IPv6 access control lists (ACLs) that are configured on the controller, use the show ipv6 acl command.
show ipv6 acl detailed {acl_name | summary}
Syntax Description
acl_name
IPv6 ACL name. The name can be up to 32 alphanumeric characters.
detailed
Displays detailed information about a specific ACL.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to display the detailed information of the access control lists:
(Cisco Controller) >show ipv6 acl detailed acl6
Rule Index....................................... 1
Direction........................................ Any
IPv6 source prefix............................... ::/0
IPv6 destination prefix.......................... ::/0
Protocol......................................... Any
Source Port Range................................ 0-65535
Destination Port Range........................... 0-65535
DSCP............................................. Any
Flow label....................................... 0
Action........................................... Permit
Counter.......................................... 0
Deny Counter................................... 0
show ipv6 neighbor-binding
To display the IPv6 neighbor binding data that are configured on the controller, use the show ipv6 neighbor-binding command.
show ipv6 neighbor-binding {capture-policy | counters | detailed {mac mac_address | port port_number | vlan vlan_id} | features | policies | ra-throttle {statistics vlan_id | routers vlan_id} | summary}
Syntax Description
capture-policy
Displays IPv6 next-hop message capture policies.
counters
Displays IPv6 next-hop counters.
detailed
Displays the IPv6 neighbor binding table.
mac
Displays the IPv6 binding table entries for a specific MAC address.
mac_address
Displays the IPv6 binding table entries for a specific MAC address.
port
Displays the IPv6 binding table entries for a specific port.
port_number
Port Number. You can enter ap for an access point or LAG for a LAG port.
vlan
Displays the IPv6 neighbor binding table entries for a specific VLAN.
vlan_id
VLAN identifier.
features
Displays IPv6 next-hop registered features.
policies
Displays IPv6 next-hop policies.
ra-throttle
Displays RA throttle information.
statistics
Displays RA throttle statistics.
routers
Displays RA throttle routers.
summary
Displays the IPv6 neighbor binding table.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following is the output of the show ipv6 neighbor-binding summary command:
(Cisco Controller) >show ipv6 neighbor-binding summary
Binding Table has 6 entries, 5 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DDCP
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted access 0010:Orig trusted trunk 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
IPv6 address MAC Address Port VLAN Type prlvl age state Time left
-- ---------------------------------------- ----------------- ---- ---- -------- ----- ---- --------- ----------
ND fe80::216:46ff:fe43:eb01 00:16:46:43:eb:01 1 980 wired 0005 2 REACHABLE 157
ND fe80::9cf9:b009:b1b4:1ed9 70:f1:a1:dd:cb:d4 AP 980 wireless 0005 2 REACHABLE 157
ND fe80::6233:4bff:fe05:25ef 60:33:4b:05:25:ef AP 980 wireless 0005 2 REACHABLE 203
ND fe80::250:56ff:fe8b:4a8f 00:50:56:8b:4a:8f AP 980 wireless 0005 2 REACHABLE 157
ND 2001:410:0:1:51be:2219:56c6:a8ad 70:f1:a1:dd:cb:d4 AP 980 wireless 0005 5 REACHABLE 157
S 2001:410:0:1::9 00:00:00:00:00:08 AP 980 wireless 0100 1 REACHABLE 205
The following is the output of the show ipv6 neighbor-binding detailed command:
(Cisco Controller) >show ipv6 neighbor-binding detailed mac 60:33:4b:05:25:ef
macDB has 3 entries for mac 60:33:4b:05:25:ef, 3 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DDCP
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted access 0010:Orig trusted trunk 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
IPv6 address MAC Address Port VLAN Type prlvl age state Time left
-- ---------------------------------------- ----------------- ---- ---- -------- ----- ---- --------- ----------
ND fe80::6233:4bff:fe05:25ef 60:33:4b:05:25:ef AP 980 wireless 0009 0 REACHABLE 303
ND 2001:420:0:1:6233:4bff:fe05:25ef 60:33:4b:05:25:ef AP 980 wireless 0009 0 REACHABLE 300
ND 2001:410:0:1:6233:4bff:fe05:25ef 60:33:4b:05:25:ef AP 980 wireless 0009 0 REACHABLE 301
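The following is an added example, not part of the Cisco documentation: a Python sketch that parses show ipv6 neighbor-binding output, decodes each prlvl value against the legend the controller prints, and counts bindings per MAC address. It assumes that prlvl is a hexadecimal bit mask, that fields are separated by whitespace, and that "dynamic" in the header means every entry whose code is not S or L; the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Legend printed by the controller under "Preflevel flags (prlvl)".
# Assumption: prlvl is a hexadecimal bit mask, as the legend values suggest.
PRLVL_FLAGS = {
    0x0001: "MAC and LLA match",
    0x0002: "Orig trunk",
    0x0004: "Orig access",
    0x0008: "Orig trusted access",
    0x0010: "Orig trusted trunk",
    0x0020: "DHCP assigned",
    0x0040: "Cga authenticated",
    0x0080: "Cert authenticated",
    0x0100: "Statically assigned",
}
ENTRY_CODES = {"L", "S", "ND", "DH"}

# Rows copied from the summary sample output on this page.
SAMPLE = """\
(Cisco Controller) >show ipv6 neighbor-binding summary
Binding Table has 6 entries, 5 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DDCP
IPv6 address MAC Address Port VLAN Type prlvl age state Time left
-- ---------------------------------------- ----------------- ---- ---- -------- ----- ---- --------- ----------
ND fe80::216:46ff:fe43:eb01 00:16:46:43:eb:01 1 980 wired 0005 2 REACHABLE 157
ND fe80::9cf9:b009:b1b4:1ed9 70:f1:a1:dd:cb:d4 AP 980 wireless 0005 2 REACHABLE 157
ND fe80::6233:4bff:fe05:25ef 60:33:4b:05:25:ef AP 980 wireless 0005 2 REACHABLE 203
ND fe80::250:56ff:fe8b:4a8f 00:50:56:8b:4a:8f AP 980 wireless 0005 2 REACHABLE 157
ND 2001:410:0:1:51be:2219:56c6:a8ad 70:f1:a1:dd:cb:d4 AP 980 wireless 0005 5 REACHABLE 157
S 2001:410:0:1::9 00:00:00:00:00:08 AP 980 wireless 0100 1 REACHABLE 205
"""


def decode_prlvl(text):
    """Turn a prlvl column value such as '0009' into the legend names it sets."""
    value = int(text, 16)
    names = [name for bit, name in PRLVL_FLAGS.items() if value & bit]
    unknown = value & ~sum(PRLVL_FLAGS)
    if unknown:
        names.append(f"unknown bits 0x{unknown:04x}")
    return names


def parse_bindings(output):
    """Return one dict per binding row; headers, legend and rulers are skipped."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 10 or fields[0] not in ENTRY_CODES:
            continue
        code, addr, mac, port, vlan, kind, prlvl, age, state, left = fields
        try:
            entry = {
                "code": code,
                "address": ipaddress.IPv6Address(addr),
                "mac": mac.lower(),
                "port": port,
                "vlan": int(vlan),
                "type": kind,
                "prlvl": decode_prlvl(prlvl),
                "state": state,
            }
        except ValueError:
            continue  # ten columns, but not a binding row
        entries.append(entry)
    return entries


def header_check(output):
    """Return (declared, parsed) as (entries, dynamic) pairs for comparison.

    declared is None when the 'has N entries, M dynamic' header is missing.
    """
    entries = parse_bindings(output)
    parsed = (len(entries), sum(e["code"] not in ("S", "L") for e in entries))
    m = re.search(r"has (\d+) entries.*?(\d+) dynamic", output)
    declared = (int(m.group(1)), int(m.group(2))) if m else None
    return declared, parsed


def macs_over_limit(entries, limit):
    """MAC addresses bound to more than `limit` IPv6 addresses (limit is site policy)."""
    counts = Counter(e["mac"] for e in entries)
    return {mac: n for mac, n in counts.items() if n > limit}


if __name__ == "__main__":
    rows = parse_bindings(SAMPLE)
    for row in rows:
        scope = "link-local" if row["address"].is_link_local else "global"
        print(row["mac"], row["address"], scope, ", ".join(row["prlvl"]))
    print("header vs parsed:", header_check(SAMPLE))
    print("more than one address:", macs_over_limit(rows, 1))
```

A mismatch between the declared and parsed counts usually means the capture was truncated or paged, so the table should be collected again before it is compared with an earlier snapshot.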
show ipv6 ra-guard
To display the RA guard statistics, use the show ipv6 ra-guard command.
show ipv6 ra-guard {ap | wlc} summary
Syntax Description
ap
Displays Cisco access point details.
wlc
Displays Cisco controller details.
summary
Displays RA guard statistics.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows the output of the show ipv6 ra-guard ap summary command:
(Cisco Controller) >show ipv6 ra-guard ap summary
IPv6 RA Guard on AP..................... Enabled
RA Dropped per client:
MAC Address AP Name WLAN/GLAN Number of RA Dropped
----------------- ----------------- -------------- ---------------------
00:40:96:b9:4b:89 Bhavik_1130_1_p13 2 19
----------------- ----------------- -------------- ---------------------
Total RA Dropped on AP...................... 19
The following example shows how to display the RA guard statistics for a controller:
(Cisco Controller) >show ipv6 ra-guard wlc summary
IPv6 RA Guard on WLC.................... Enabled
show ipv6 summary
To display the IPv6 configuration settings, use the show ipv6 summary command.
show ipv6 summary
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example displays the output of the show ipv6 summary command:
(Cisco Controller) >show ipv6 summary
Global Config............................... Enabled
Reachable-lifetime value.................... 300
Stale-lifetime value........................ 86400
Down-lifetime value......................... 86400
RA Throttling............................... Enabled
RA Throttling allow at-least................ 1
RA Throttling allow at-most................. no-limit
RA Throttling max-through................... no-limit
RA Throttling throttle-period............... 60
RA Throttling interval-option............... throttle
NS Mulitcast CacheMiss Forwarding........... Disabled
show macfilter
To display the MAC filter parameters, use the show macfilter command.
show macfilter {summary | detail MAC}
Syntax Description
summary
Displays a summary of all MAC filter entries.
detail MAC
Displays details of a MAC filter entry.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
The MAC delimiter (none, colon, or hyphen) for MAC addresses sent to RADIUS servers is displayed. The MAC filter table lists the clients that are always allowed to associate with a wireless LAN.
Examples
The following example shows how to display the details of a MAC filter entry:
(Cisco Controller) >show macfilter detail xx:xx:xx:xx:xx:xx
MAC Address...................................... xx:xx:xx:xx:xx:xx
WLAN Identifier.................................. Any
Interface Name................................... management
Description...................................... RAP
The following example shows how to display a summary of the MAC filter parameters:
(Cisco Controller) >show macfilter summary
MAC Filter RADIUS Compatibility mode............. Cisco ACS
MAC Filter Delimiter............................. None
Local Mac Filter Table
MAC Address WLAN Id Description
----------------------- -------------- --------------------------------
xx:xx:xx:xx:xx:xx Any RAP
xx:xx:xx:xx:xx:xx Any PAP2 (2nd hop)
xx:xx:xx:xx:xx:xx Any PAP1 (1st hop)
show pmk-cache
To display information about the pairwise master key (PMK) cache, use the show pmk-cache command.
show pmk-cache {all | MAC}
Syntax Description
all
Displays information about all entries in the PMK cache.
MAC
Information about a single entry in the PMK cache.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to display information about a single entry in the PMK cache:
The following example shows how to display information about all entries in the PMK cache:
(Cisco Controller) >show pmk-cache all
PMK Cache
Entry
Station Lifetime VLAN Override IP Override
----------------- -------- -------------------- ---------------
show remote-lan
To display information about remote LAN configuration, use the show remote-lan command.
show remote-lan {summary | remote-lan-id}
Syntax Description
summary
Displays a summary of all remote LANs.
remote-lan-id
Remote LAN identifier.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to display a summary of all remote LANs:
(Cisco Controller) >show remote-lan summary
Number of Remote LANS............................ 2
RLAN ID RLAN Profile Name Status Interface Name
------- ------------------------------------- -------- --------------------
2 remote Disabled management
8 test Disabled management
The following example shows configuration information about the remote LAN with the remote-lan-id 2:
(Cisco Controller) >show remote-lan 2
Remote LAN Identifier............................ 2
Profile Name..................................... remote
Status........................................... Disabled
MAC Filtering.................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist.................................... Disabled
Session Timeout.................................. Infinity
CHD per Remote LAN............................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Remote LAN ACL................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Security
Web Based Authentication...................... Enabled
ACL............................................. Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
show rf-profile summary
To display a summary of RF profiles in the controller, use the show rf-profile summary command.
show rf-profile summary
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following is the output of the show rf-profile summary command:
(Cisco Controller) >show rf-profile summary
Number of RF Profiles............................ 2
Out Of Box State................................. Disabled
RF Profile Name Band Description Applied
------------------------- ------- ------------------------- -------
T1a 5 GHz <none> No
T1b 2.4 GHz <none> No
show rf-profile details
To display the RF profile details in the Cisco wireless LAN controller, use the show rf-profile details command.
show rf-profile details rf-profile-name
Syntax Description
rf-profile-name
Name of the RF profile.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following is the output of the show rf-profile details command:
To display configuration information for a specified wireless LAN or a foreign access point, or to display wireless LAN summary information, use the show wlan command.
Displays the configuration for support of foreign access points.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to display a summary of wireless LANs for wlan_id 1:
(Cisco Controller) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... aicha
Network Name (SSID).............................. aicha
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
RADIUS Profiling Status ...................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Client Profiling Status ...................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State.............................. Enabled
SNMP-NAC State................................ Enabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... Talwar1
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Enabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver (best effort)
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Enabled (Profile 'Controller_Local_EAP')
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Enabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Enabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
IP Security................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
802.11u........................................ Enabled
Network Access type............................ Chargeable Public Network
Internet service............................... Enabled
Network Authentication type.................... Not Applicable
HESSID......................................... 00:00:00:00:00:00
IP Address Type Configuration
IPv4 Address type............................ Available
IPv6 Address type............................ Not Known
Roaming Consortium List
Index OUI List In Beacon
----- -------------- ---------
1 313131 Yes
2 DDBBCC No
3 DDDDDD Yes
Realm configuration summary
Realm index.................................. 1
Realm name................................... jobin
EAP index.................................. 1
EAP method................................. Unsupported
Index Inner Authentication Authentication Method
----- -------------------- ---------------------
1 Credential Type SIM
2 Tunneled Eap Credential Type SIM
3 Credential Type SIM
4 Credential Type USIM
5 Credential Type Hardware Token
6 Credential Type SoftToken
Domain name configuration summary
Index Domain name
-------------------
1 rom3
2 ram
3 rom1
Hotspot 2.0.................................... Enabled
Operator name configuration summary
Index Language Operator name
----- -------- -------------
1 ros Robin
Port config summary
Index IP protocol Port number Status
----- ----------- ----------- -------
1 1 0 Closed
2 1 0 Closed
3 1 0 Closed
4 1 0 Closed
5 1 0 Closed
6 1 0 Closed
7 1 0 Closed
WAN Metrics Info
Link status.................................. Up
Symmetric Link............................... No
Downlink speed............................... 4 kbps
Uplink speed................................. 4 kbps
MSAP Services.................................. Disabled
Local Policy
----------------
Priority Policy Name
-------- ---------------
1 Teacher_access_policy
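The following is an added example, not part of the Cisco documentation: a Python sketch that parses the dotted "Name.... Value" lines of show wlan wlan_id output and reports settings that an example review policy treats as weak. The policy in CHECKS and the function names are assumptions to adapt to local standards; the sample is a constructed excerpt made of lines from the output above.

```python
import re

# "Name......... Value": a name, a run of at least three dots, then the value.
LINE = re.compile(r"^\s*(.+?)\s*\.{3,}\s*(.*?)\s*$")

# Cipher lines repeat under each of these parents, so they are stored as
# "<parent> / <name>" to keep the WPA and WPA2 values apart.
PARENTS = ("WPA (SSN IE)", "WPA2 (RSN IE)")
CHILDREN = ("TKIP Cipher", "AES Cipher")

# Example review policy (an assumption, not Cisco guidance):
# (setting name, value that is reported, note for the reviewer).
CHECKS = [
    ("Static WEP Keys", "Enabled", "static WEP keys in use"),
    ("WPA (SSN IE)", "Enabled", "WPA (SSN IE) still offered next to WPA2"),
    ("WPA (SSN IE) / TKIP Cipher", "Enabled", "TKIP allowed for WPA"),
    ("WPA2 (RSN IE) / TKIP Cipher", "Enabled", "TKIP allowed for WPA2"),
    ("PMF", "Disabled", "802.11w protected management frames off"),
    ("Peer-to-Peer Blocking Action", "Disabled", "client-to-client traffic not blocked"),
]

# Constructed excerpt: lines taken from the show wlan 1 sample on this page.
SAMPLE = """\
(Cisco Controller) >show wlan 1
WLAN Identifier.................................. 1
Network Name (SSID).............................. aicha
Status........................................... Enabled
MAC Filtering.................................... Disabled
Session Timeout.................................. 1800 seconds
WLAN IPv4 ACL.................................... unconfigured
Peer-to-Peer Blocking Action..................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
PMF-1X(802.11w)......................... Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
"""


def parse_show_wlan(output):
    """Return {setting name: value}; the first occurrence of a name wins."""
    settings, parent = {}, None
    for line in output.splitlines():
        match = LINE.match(line)
        if not match:
            continue  # prompt, section titles, table rows and rulers
        key, value = match.group(1), match.group(2)
        if key in PARENTS:
            parent = key
        elif key in CHILDREN and parent:
            key = f"{parent} / {key}"
        settings.setdefault(key, value)
    return settings


def audit(settings):
    """Return (setting name, note) for every CHECKS entry that matches."""
    return [(key, note) for key, bad, note in CHECKS if settings.get(key) == bad]


if __name__ == "__main__":
    parsed = parse_show_wlan(SAMPLE)
    print("WLAN", parsed["WLAN Identifier"], parsed["Network Name (SSID)"])
    for key, note in audit(parsed):
        print(f"  review: {key} = {parsed[key]} ({note})")
```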
The following example shows how to display a summary of all WLANs:
(Cisco Controller) >show wlan summary
Number of WLANs.................................. 1
WLAN ID WLAN Profile Name / SSID Status Interface Name PMIPv6 Mobility
------- ------------------------------------- -------- -------------------- ---------------
1 apsso / apsso Disabled management none
The following example shows how to display the configuration for support of foreign access points:
(Cisco Controller) >show wlan foreignap
Foreign AP support is not enabled.
The following example shows how to display the AP groups:
(Cisco Controller) >show wlan apgroups
Total Number of AP Groups........................ 1
Site Name........................................ APuser
Site Description................................. <none>
Venue Name....................................... Not configured
Venue Group Code..................................Unspecified
Venue Type Code...................................Unspecified
Language Code.................................... Not configured
AP Operating Class............................... 83,84,112,113,115,116,117,118,123
RF Profile
----------
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface Network Admission Control Radio Policy
------- ----------- -------------------------- ------------
14 int_4 Disabled All
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
------------------ ----- ------------------- ----------------- ---------------- ---- ------- --------
Ibiza 2 AIR-CAP2602I-A-K9 44:2b:03:9a:8a:73 default location 1 US 1
Larch 2 AIR-CAP3502E-A-K9 f8:66:f2:ab:23:95 default location 1 US 1
Zest 2 AIR-CAP3502I-A-K9 00:22:90:91:6d:b6 ren 1 US 1
Number of Clients................................ 1
MAC Address AP Name Status Device Type
----------------- ------------- ------------- -----------------
24:77:03:89:9b:f8 ap2 Associated Android
config Commands
This section lists the config commands to configure WLANs.
Auto-configure WLAN for voice deployment of Cisco end points.
wlan_id
Wireless LAN identifier from 1 to 512 (inclusive).
radio
Auto-configures voice deployment for a radio in a WLAN.
802.11a
Auto-configures voice deployment for 802.11a in a WLAN.
802.11b
Auto-configures voice deployment for 802.11b in a WLAN.
all
Auto-configures voice deployment for all radios in a WLAN.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
When you configure this command, all WLANs and radios are automatically disabled. After the completion of the configuration, the previous state of the WLANs and radios is restored.
Examples
The following example shows how to auto-configure voice deployment for all radios in a WLAN:
(Cisco Controller) >config auto-configure voice cisco 2 radio all
Warning! This command will automatically disable all WLAN's and Radio's.
It will be reverted to the previous state once configuration is complete.
Are you sure you want to continue? (y/N)y
Auto-Configuring these commands in WLAN for Voice..
wlan qos 2 platinum
- Success
wlan call-snoop enable 2
- Success
wlan wmm allow 2
- Success
wlan session-timeout 2 86400
- Success
wlan peer-blocking disable 2
- Success
wlan security tkip hold-down 0 2
- Success
wlan exclusionlist 2 disable
- Success
wlan mac-filtering disable 2
- Success
wlan dtim 802.11a 2 2
- Success
wlan dtim 802.11b 2 2
- Success
wlan ccx aironetIeSupport enabled 2
- Success
wlan channel-scan defer-priority 4 enable 2
- Success
wlan channel-scan defer-priority 5 enable 2
- Success
wlan channel-scan defer-priority 6 enable 2
- Success
wlan channel-scan defer-time 100 2
- Success
wlan load-balance allow disable 2
- Success
wlan mfp client enable 2
- Success
wlan security wpa akm cckm enable 2
- Success
wlan security wpa akm cckm timestamp-tolerance 5000 2
- Success
wlan band-select allow disable 2
- Success
***********************************************
Auto-Configuring these commands for Voice - Radio 802.11a.
advanced 802.11a edca-parameter optimized-voice
- Success
802.11a cac voice acm enable
- Success
802.11a cac voice max-bandwidth 75
- Success
802.11a cac voice roam-bandwidth 6
- Success
802.11a cac voice cac-method load-based
- Success
802.11a cac voice sip disable
- Success
802.11a tsm enable
- Success
802.11a exp-bwreq enable
- Success
802.11a txPower global auto
- Success
802.11a channel global auto
- Success
advanced 802.11a channel dca interval 24
- Success
advanced 802.11a channel dca anchor-time 0
- Success
qos protocol-type platinum dot1p
- Success
qos dot1p-tag platinum 6
- Success
qos priority platinum voice voice besteffort
- Success
802.11a beacon period 100
- Success
802.11a dtpc enable
- Success
802.11a Coverage Voice RSSI Threshold -70
- Success
802.11a txPower global min 11
- Success
advanced eap eapol-key-timeout 250
- Success
advanced 802.11a voice-mac-optimization disable
- Success
802.11h channelswitch enable 1
- Success
Note: Data rate configurations are not changed.
It should be changed based on the recommended values after analysis.
***********************************************
Auto-Configuring these commands for Voice - Radio 802.11b.
advanced 802.11b edca-parameter optimized-voice
- Success
802.11b cac voice acm enable
- Success
802.11b cac voice max-bandwidth 75
- Success
802.11b cac voice roam-bandwidth 6
- Success
802.11b cac voice cac-method load-based
- Success
802.11b cac voice sip disable
- Success
802.11b tsm enable
- Success
802.11b exp-bwreq enable
- Success
802.11b txPower global auto
- Success
802.11b channel global auto
- Success
advanced 802.11b channel dca interval 24
- Success
advanced 802.11b channel dca anchor-time 0
- Success
802.11b beacon period 100
- Success
802.11b dtpc enable
- Success
802.11b Coverage Voice RSSI Threshold -70
- Success
802.11b preamble short
- Success
advanced 802.11a voice-mac-optimization disable
- Success
Note: Data rate configurations are not changed.
It should be changed based on the recommended values after analysis.
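The following is an added example, not part of the Cisco documentation: a Python sketch that reads a saved config auto-configure voice transcript, pairs every echoed command with its result, and lists the echoed commands that change a per-WLAN access control so they can be reviewed after the run. The rules in REVIEW_RULES and the function names are assumptions; the sample is a constructed excerpt made of lines from the transcript above, and the parser also accepts a result that lands on the same line as its command.

```python
import re

# First tokens of the commands echoed in the transcript on this page.
COMMAND_PREFIXES = {"wlan", "advanced", "qos", "802.11a", "802.11b", "802.11h"}

# Example review policy (an assumption, not Cisco guidance): echoed commands
# that switch off or relax an access control on the WLAN.
REVIEW_RULES = [
    (r"^wlan peer-blocking disable\b", "peer-to-peer blocking turned off"),
    (r"^wlan exclusionlist \d+ disable\b", "client exclusion turned off"),
    (r"^wlan mac-filtering disable\b", "MAC filtering turned off"),
    (r"^wlan security tkip hold-down 0\b", "TKIP MIC countermeasure hold-down set to 0"),
    (r"^wlan session-timeout \d+ 86400\b", "session timeout set to 86400"),
    (r"^wlan security wpa akm cckm enable\b", "CCKM key management enabled"),
]

HEADER = re.compile(r"^Auto-Configuring these commands (?:in|for) (.+?)\.*$")
STATUS = re.compile(r"^-\s*(\S.*)$")           # "- Success" on its own line
FUSED = re.compile(r"^(.+?)\s+-\s+(\S.*)$")    # "command - Success" on one line

# Constructed excerpt: lines taken from the transcript on this page.
SAMPLE = """\
Auto-Configuring these commands in WLAN for Voice..
wlan qos 2 platinum
- Success
wlan session-timeout 2 86400
- Success
wlan peer-blocking disable 2
- Success
wlan security tkip hold-down 0 2
- Success
wlan exclusionlist 2 disable
- Success
wlan mac-filtering disable 2
- Success
wlan mfp client enable 2
- Success
wlan security wpa akm cckm enable 2
- Success
***********************************************
Auto-Configuring these commands for Voice - Radio 802.11a.
advanced eap eapol-key-timeout 250
- Success
Note: Data rate configurations are not changed.
***********************************************
Auto-Configuring these commands for Voice - Radio 802.11b.
802.11b txPower global auto
- Success
802.11b channel global auto - Success
"""


def parse_transcript(text):
    """Return [{'scope', 'command', 'status'}]; status is None if no result followed."""
    results, scope, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            scope = header.group(1)
            continue
        status = STATUS.match(line)
        if status and pending is not None:
            pending["status"] = status.group(1)
            pending = None
            continue
        tokens = line.split()
        if not tokens or tokens[0] not in COMMAND_PREFIXES:
            continue  # warnings, notes, prompts and rulers
        fused = FUSED.match(line)
        command, result = (fused.group(1), fused.group(2)) if fused else (line, None)
        entry = {"scope": scope, "command": command, "status": result}
        results.append(entry)
        pending = entry if result is None else None
    return results


def not_successful(results):
    """Commands whose result is missing or is anything other than Success."""
    return [r for r in results if r["status"] != "Success"]


def security_changes(results):
    """(scope, command, note) for each echoed command matching REVIEW_RULES."""
    return [(r["scope"], r["command"], note)
            for r in results
            for pattern, note in REVIEW_RULES
            if re.search(pattern, r["command"])]


if __name__ == "__main__":
    parsed = parse_transcript(SAMPLE)
    print(len(parsed), "commands,", len(not_successful(parsed)), "without Success")
    for scope, command, note in security_changes(parsed):
        print(f"  review [{scope}]: {command} ({note})")
```

Comparing the flagged commands with a show wlan capture taken before the run shows which of these settings were enabled beforehand and need a decision about whether to restore them.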
config client ccx clear-reports
To clear the client reporting information, use the config client ccx clear-reports command.
To send a request to the client to perform the Domain Name System (DNS) resolution test to the specified hostname, use the config client ccx dns-resolve command.
IPv6 ACL name that contains up to 32 alphanumeric characters.
create
Creates an IPv6 ACL.
delete
Deletes an IPv6 ACL.
rule
Configures the IPv6 ACL.
action
Configures whether to permit or deny access.
rule_name
ACL name that contains up to 32 alphanumeric characters.
rule_index
Rule index between 1 and 32.
permit
Permits the rule action.
deny
Denies the rule action.
add
Adds a new rule.
change
Changes a rule’s index.
index
Specifies a rule index.
delete
Deletes a rule.
destination address
Configures a rule’s destination IP address and netmask.
ip_address
IP address of the rule.
netmask
Netmask of the rule.
start_port
Start port number (between 0 and 65535).
end_port
End port number (between 0 and 65535).
direction
Configures a rule’s direction to in, out, or any.
in
Configures a rule’s direction to in.
out
Configures a rule’s direction to out.
any
Configures a rule’s direction to any.
dscp
Configures a rule’s DSCP.
dscp
Number between 0 and 63, or any.
protocol
Configures a rule’s DSCP.
protocol
Number between 0 and 255, or any.
source address
Configures a rule’s source IP address and netmask.
source port range
Configures a rule’s source port range.
swap
Swaps two rules’ indices.
destination port range
Configures a rule's destination port range.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
Examples
The following example shows how to configure an IPv6 ACL to permit access:
If you enable Neighbor Advertisement multicast forwarding, all unsolicited multicast Neighbor Advertisements from wired or wireless are not forwarded to wireless.
If you disable Neighbor Advertisement multicast forwarding, IPv6 Duplicate Address Detection (DAD) of the controller is affected.
Examples
The following example shows how to configure Neighbor Advertisement multicast forwarding:
Configures the web authentication type for the remote LAN.
internal
Displays the default login page.
customized
Displays a downloaded login page.
external
Displays a login page that is on an external server.
name
Remote LAN name. Valid values are up to 32 alphanumeric characters.
remote-lan-id
Remote LAN identifier. Valid values are from 1 to 512.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
Follow these guidelines when you use the config remote-lan custom-web command:
When you configure the external Web-Auth URL, do the following:
Ensure that Web-Auth or Web-Passthrough Security is in enabled state. To enable Web-Auth, use the config remote-lan security web-auth enable command. To enable Web-Passthrough, use the config remote-lan security web-passthrough enable command.
Ensure that the global status of the remote LAN is in disabled state. To enable the global status of the remote LAN, use the config remote-lan custom-web global disable command.
Ensure that the remote LAN is in disabled state. To disable a remote LAN, use the config remote-lan disable command.
When you configure the Web-Auth type for the remote LAN, do the following:
When you configure a customized login page, ensure that you have a login page configured. To configure a login page, use the config remote-lan custom-web login-page command.
When you configure an external login page, ensure that you have configured a preauthentication ACL for external web authentication to function.
Examples
The following example shows how to configure an external web authentication URL for a remote LAN with ID 3:
Configures the client Received Signal Strength Indicator (RSSI) threshold for the RF profile.
rssi
Minimum RSSI for a client to respond to a probe. The range is from -20 to -90 dBm.
cycle-count
Configures the probe cycle count for the RF profile. The cycle count sets the number of suppression cycles for a new client.
cycles
Value of the cycle count. The range is from 1 to 10.
cycle-threshold
Configures the time threshold for a new scanning RF Profile band select cycle period. This setting determines the time threshold during which new probe requests from a client come in a new scanning cycle.
value
Value of the cycle threshold for the RF profile. The range is from 1 to 1000 milliseconds.
expire
Configures the expiration time of clients for band select.
dual-band
Configures the expiration time for pruning previously known dual-band clients. After this time elapses, clients become new and are subject to probe response suppression.
value
Value for a dual band. The range is from 10 to 300 seconds.
suppression
Configures the expiration time for pruning previously known 802.11b/g clients. After this time elapses, clients become new and are subject to probe response suppression.
value
Value for suppression. The range is from 10 to 200 seconds.
probe-response
Configures the probe response for an RF profile.
enable
Enables probe response suppression on clients operating in the 2.4-GHz band for an RF profile.
disable
Disables probe response suppression on clients operating in the 2.4-GHz band for an RF profile.
profile name
Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.
Command Default
The default value for client RSSI is –80 dBm.
The default cycle count is 2.
The default cycle threshold is 200 milliseconds.
The default value for dual-band expiration is 60 seconds.
The default value for suppression expiration is 20 seconds.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
When you enable band select on a WLAN, the access point suppresses client probes on 2.4-GHz and moves the dual-band clients to the 5-GHz spectrum. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running. Band selection can be used only with Cisco Aironet 1040, 1140, and 1250 Series and the 3500 series access points.
Examples
The following example shows how to configure the client RSSI:
To configure the threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller, use the config rf-profile client-trap-threshold command.
Threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller. The range is from 0 to 200. Traps are disabled if the threshold value is configured as zero.
profile_name
Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to configure the threshold value of the number of clients that associate with an access point:
To configure the RF profile coverage hole detection parameters, use the config rf-profile coverage command.
config rf-profile coverage {
data coverage_level |
exception clients |
level value |
voice coverage_level }
profile_name
Syntax Description
data
Configures the threshold value of the data RSSI.
coverage_level
Minimum receive signal strength indication (RSSI) value of data packets received by the access point. The value that you configure is used to identify coverage holes within the network. If the access point receives a packet in the data queue with an RSSI value below the value that you enter here, a potential coverage hole is detected. The range is from –90 to –60 dBm. The access point takes voice RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.
exception
Configures the coverage exception per access point.
clients
Minimum number of clients on an access point with an RSSI value at or below the data or voice RSSI threshold. The range is from 1 to 75. The default value is 3.
voice
Configures the threshold value of the voice RSSI.
coverage_level
Minimum receive signal strength indication (RSSI) value of voice packets received by the access point. The value that you configure is used to identify coverage holes within the network. If the access point receives a packet in the data queue with an RSSI value below the value that you enter here, a potential coverage hole is detected. The range is from –90 to –60 dBm. The access point takes voice RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.
level
Configures the coverage exception level per AP.
value
Coverage exception level per AP. Percentage of clients on an access point that are experiencing a low signal level but cannot roam to another access point.
The controller determines if the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.
profile_name
Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.
Command Default
The default value of the data coverage level is –80 dBm.
The default value of the minimum number of clients on an access point with an RSSI value at or below the data or voice RSSI threshold is 3.
The default value of the percentage of clients on an access point that are experiencing a low signal level is 25%.
The default value of the voice coverage level is –80 dBm.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to configure the threshold value of the data RSSI:
(Cisco Controller) >config rf-profile coverage data -80
The following example shows how to configure the minimum client coverage exception level:
Specifies 802.11a as the radio policy of the RF profile.
802.11b
Specifies 802.11b as the radio policy of the RF profile.
disabled
Disables a rate.
mandatory
Sets a rate to mandatory.
supported
Sets a rate to supported.
data-rate
802.11 operational rates, which are 1*, 2*, 5.5*, 6, 9, 11*, 12, 18, 24, 36, 48 and 54, where * denotes 802.11b only rates.
profile-name
Name of the RF profile.
Command Default
Default data rates for RF profiles are derived from the controller system defaults, the global data rate configurations. For example, if the RF profile's radio policy is mapped to 802.11a then the global 802.11a data rates are copied into the RF profiles at the time of creation.
The data rates set with this command are negotiated between the client and the Cisco wireless LAN controller. If the data rate is set to mandatory, the client must support it in order to use the network. If a data rate is set as supported by the Cisco wireless LAN controller, any associated client that also supports that rate may communicate with the Cisco lightweight access point using that rate. It is not required that a client is able to use all the rates marked supported in order to associate.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to set the 802.11b transmission of an RF profile at a mandatory rate at 12 Mbps:
Configures the client window for load balancing of an RF profile.
clients
Client window size that limits the number of client associations with an access point. The range is from 0 to 20. The default value is 5.
The window size is part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:
load-balancing window + client associations on AP with lightest load = load-balancing threshold
Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold. This window also helps to disassociate sticky clients.
denial
Configures the client denial count for load balancing of an RF profile.
value
Maximum number of association denials during load balancing. The range is from 1 to 10. The default value is 3.
When a client tries to associate on a wireless network, it sends an association request to the access point. If the access point is overloaded and load balancing is enabled on the controller, the access point sends a denial to the association request. If there are no other access points in the range of the client, the client tries to associate with the same access point again. After the maximum denial count is reached, the client is able to associate. The association attempts that a client makes on an access point before it associates with any AP are called a sequence of association. The default is 3.
profile_name
Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.
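The load-balancing rule described above (the window plus the lightest AP's client count gives the threshold, and a busy AP denies a client until the denial count is reached) can be modelled as follows. This is an added example, not Cisco code: the AP names and client counts are constructed, and it assumes that the lightest load is taken across all APs passed in, that an AP exactly at the threshold is not busy, and that a client cycles through the APs it can hear.

```python
# Added example: a model of the load-balancing admission rule described above.
# AP names and client counts are constructed sample data, not controller output.

WINDOW_RANGE = range(0, 21)    # documented client window range: 0 to 20
DENIAL_RANGE = range(1, 11)    # documented denial count range: 1 to 10


def load_balancing_threshold(window, ap_clients):
    """Return window + client associations on the AP with the lightest load."""
    if window not in WINDOW_RANGE:
        raise ValueError(f"window {window} is outside the documented range 0-20")
    if not ap_clients:
        raise ValueError("at least one access point is required")
    # Assumption: the lightest load is taken across every AP passed in.
    return window + min(ap_clients.values())


def busy_aps(ap_clients, window=5):
    """Return the APs holding more client associations than the threshold."""
    threshold = load_balancing_threshold(window, ap_clients)
    # Assumption: an AP exactly at the threshold is not busy ("more than").
    return sorted(ap for ap, count in ap_clients.items() if count > threshold)


def simulate_association(in_range, ap_clients, window=5, max_denials=3):
    """Walk one client's sequence of association.

    in_range   -- AP names the client can hear, in its order of preference
    ap_clients -- dict mapping AP name to current client associations
    Returns (ap_joined, denials_sent, events).
    """
    if max_denials not in DENIAL_RANGE:
        raise ValueError(f"denial count {max_denials} is outside the documented range 1-10")
    if not in_range or any(ap not in ap_clients for ap in in_range):
        raise ValueError("in_range must name at least one known access point")

    busy = set(busy_aps(ap_clients, window))
    denials = 0
    events = []
    attempt = 0
    while True:
        # Assumption: the client cycles through the APs it can hear; with a
        # single AP in range it retries the same AP, as the text describes.
        ap = in_range[attempt % len(in_range)]
        if ap in busy and denials < max_denials:
            denials += 1
            events.append((ap, "denied"))
            attempt += 1
            continue
        # Either the AP is not busy, or the maximum denial count was reached
        # and the client is now allowed to associate.
        events.append((ap, "associated"))
        return ap, denials, events


if __name__ == "__main__":
    sample = {"ap1": 12, "ap2": 4, "ap3": 9}   # constructed client counts
    print("threshold:", load_balancing_threshold(5, sample))
    print("busy APs:", busy_aps(sample, 5))
    for heard in (["ap1", "ap3"], ["ap1"]):
        print(heard, "->", simulate_association(heard, sample))
```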
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to configure the client window size for an RF profile:
To configure the maximum number of client connections per access point of an RF profile, use the config rf-profile max-clients command.
config rf-profile max-clients clients
Syntax Description
clients
Maximum number of client connections per access point of an RF profile. The range is from 1 to 200.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
You can use this command to configure the maximum number of clients on access points that are in client dense areas, or serving high bandwidth video or mission critical voice applications.
Examples
The following example shows how to set the maximum number of clients at 50:
To configure the minimum RF profile multicast data rate, use the config rf-profile multicast data-rate command.
config rf-profile multicast data-rate value profile_name
Syntax Description
value
Minimum RF profile multicast data rate. The options are 6, 9, 12, 18, 24, 36, 48, 54. Enter 0 to specify that access points will dynamically adjust the data rate.
profile_name
Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.
Command Default
The minimum RF profile multicast data rate is 0.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to set the multicast data rate for an RF profile:
To create an out-of-box AP group consisting of newly installed access points, use the config rf-profile out-of-box command.
config rf-profile out-of-box {
enable |
disable}
Syntax Description
enable
Enables the creation of an out-of-box AP group. When you enable this command, the following occurs:
Newly installed access points that are part of the default AP group will be part of the out-of-box AP group and their radios will be switched off, which eliminates any RF instability caused by the new access points.
All access points that do not have a group name become part of the out-of-box AP group.
Special RF profiles are created per 802.11 band. These RF profiles have default-settings for all the existing RF parameters and additional new configurations.
disable
Disables the out-of-box AP group. When you disable this feature, only the subscription of new APs to the out-of-box AP group stops. All APs that are subscribed to the out-of-box AP group remain in this AP group. You can move APs to the default group or a custom AP group upon network convergence.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
When an out-of-box AP associates with the controller for the first time, it will be redirected to a special AP group and the RF profiles applicable to this AP Group will control the radio admin state configuration of the AP. You can move APs to the default group or a custom group upon network convergence.
Examples
The following example shows how to enable the creation of an out-of-box AP group:
To add a watchlist entry for a wireless LAN, use the config watchlist add command.
config watchlist add {
mac MAC |
username username}
Syntax Description
mac MAC
Specifies the MAC address of the wireless LAN.
username username
Specifies the name of the user to watch.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to add a watchlist entry for the MAC address a5:6b:ac:10:01:6b:
(Cisco Controller) >config watchlist add mac a5:6b:ac:10:01:6b
config watchlist delete
To delete a watchlist entry for a wireless LAN, use the config watchlist delete command.
config watchlist delete {
mac MAC |
username username}
Syntax Description
mac MAC
Specifies the MAC address of the wireless LAN to delete from the list.
username username
Specifies the name of the user to delete from the list.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to delete a watchlist entry for the MAC address a5:6b:ac:10:01:6b:
(Cisco Controller) >config watchlist delete mac a5:6b:ac:10:01:6b
config watchlist disable
To disable the client watchlist, use the config watchlist disable command.
config watchlist disable
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to disable the client watchlist:
(Cisco Controller) >config watchlist disable
config watchlist enable
To enable a watchlist entry for a wireless LAN, use the config watchlist enable command.
config watchlist enable
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to enable a watchlist entry:
(Cisco Controller) >config watchlist enable
config wlan
To create, delete, enable, or disable a wireless LAN, use the config wlan command.
config wlan {
enable |
disable |
create |
delete}
wlan_id [
name |
foreignAp name ssid |
all]
Syntax Description
enable
Enables a wireless LAN.
disable
Disables a wireless LAN.
create
Creates a wireless LAN.
delete
Deletes a wireless LAN.
wlan_id
Wireless LAN identifier between 1 and 512.
name
(Optional) WLAN profile name up to 32 alphanumeric characters.
foreignAp
(Optional) Specifies the third-party access point settings.
ssid
SSID (network name) up to 32 alphanumeric characters.
all
(Optional) Specifies all wireless LANs.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
When you create a new WLAN using the config wlan create command, it is created in disabled mode. Leave it disabled until you have finished configuring it.
If you do not specify an SSID, the profile name parameter is used for both the profile name and the SSID.
If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.
An error message appears if you try to delete a WLAN that is assigned to an access point group. If you proceed, the WLAN is removed from the access point group and from the access point’s radio.
Examples
The following example shows how to enable wireless LAN identifier 16:
(Cisco Controller) >config wlan enable 16
config wlan 7920-support
To configure support for phones, use the config wlan 7920-support command.
Allows 802.11e-enabled clients on the wireless LAN.
disable
Disables 802.11e on the wireless LAN.
require
Requires 802.11e-enabled clients on the wireless LAN.
wlan_id
Wireless LAN identifier between 1 and 512.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
802.11e provides quality of service (QoS) support for LAN applications, which are critical for delay sensitive applications such as Voice over Wireless IP (VoWIP).
802.11e enhances the 802.11 Media Access Control layer (MAC layer) with a coordinated time division multiple access (TDMA) construct, and adds error-correcting mechanisms for delay sensitive applications such as voice and video. The 802.11e specification provides seamless interoperability and is especially well suited for use in networks that include a multimedia capability.
Examples
The following example shows how to allow 802.11e on the wireless LAN with LAN ID 1:
(Cisco Controller) >config wlan 802.11e allow 1
config wlan aaa-override
To configure a user policy override via AAA on a wireless LAN, use the config wlan aaa-override command.
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
When AAA override is enabled and a client has conflicting AAA and Cisco wireless LAN controller wireless LAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system will move clients from the default Cisco wireless LAN VLAN to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system will also use QoS, DSCP, 802.1p priority tag values, and ACLs provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as Identity Networking.)
If the corporate wireless LAN uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.
When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is performed by the AAA server if the controller wireless LAN does not contain any client-specific authentication parameters.
The AAA override values might come from a RADIUS server.
Examples
The following example shows how to configure user policy override via AAA on WLAN ID 1:
Configures a dual band 802.11k neighbor list for a WLAN. The default is the band that the client is currently associated with.
prediction
Configures an assisted roaming optimization prediction for a WLAN.
enable
Enables the configuration on the WLAN.
disable
Disables the configuration on the WLAN.
wlan_id
Wireless LAN identifier between 1 and 512 (inclusive).
Command Default
The 802.11k neighbor list is enabled for all WLANs.
By default, dual band list is enabled if the neighbor list feature is enabled for the WLAN.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
When you enable the assisted roaming prediction list, a warning appears and load balancing is disabled for the WLAN, if load balancing is already enabled on the WLAN.
Examples
The following example shows how to enable an 802.11k neighbor list for a WLAN:
Name of the AVC profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.
visibility
Configures application visibility on a WLAN.
enable
Enables application visibility on a WLAN.
You can view the classification of applications based on the Network Based Application Recognition (NBAR) deep packet inspection technology.
Use the show avc statistics client command to view the client AVC statistics.
disable
Disables application visibility on a WLAN.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
You can configure only one AVC profile per WLAN and each AVC profile can have up to 32 rules. Each rule states a Mark or Drop action for an application, which allows you to configure up to 32 application actions per WLAN. You can configure up to 16 AVC profiles on a controller and associate an AVC profile with multiple WLANs.
Examples
The following example shows how to associate an AVC profile with a WLAN:
(Optional) Assigns or removes a Wireless LAN from an AP group.
interface_name
(Optional) Interface to which you want to map an AP group.
nac-snmp
Configures NAC SNMP functionality on given AP group. Enables or disables Network Admission Control (NAC) out-of-band support on an access point group.
enable
Enables NAC out-of-band support on an AP group.
disable
Disables NAC out-of-band support on an AP group.
NAS-ID
Network Access Server identifier (NAS-ID) for the AP group. The NAS-ID is sent to the RADIUS server by the controller (as a RADIUS client) using the authentication request, which is used to classify users to different groups. You can enter up to 32 alphanumeric characters. Beginning in Release 7.4 and later releases, you can configure the NAS-ID on the interface, WLAN, or an access point group. The order of priority is AP group NAS-ID > WLAN NAS-ID > Interface NAS-ID.
none
Configures the controller system name as the NAS-ID.
profile-mapping
Configures RF profile mapping on an AP group.
profile_name
RF profile name for a specified AP group.
wlan-radio-policy
Configures WLAN radio policy on an AP group.
802.11a-only
Configures WLAN radio policy on an AP group.
802.11bg
Configures WLAN radio policy on an AP group.
802.11g-only
Configures WLAN radio policy on an AP group.
all
Configures WLAN radio policy on an AP group.
hotspot
Configures a HotSpot on an AP group.
venue
Configures venue information for an AP group.
type
Configures the type of venue for an AP group.
group_code
Venue group information for an AP group.
The following options are available:
0 : UNSPECIFIED
1 : ASSEMBLY
2 : BUSINESS
3 : EDUCATIONAL
4 : FACTORY-INDUSTRIAL
5 : INSTITUTIONAL
6 : MERCANTILE
7 : RESIDENTIAL
8 : STORAGE
9 : UTILITY-MISC
10 : VEHICULAR
11 : OUTDOOR
type_code
Venue type information for an AP group.
For venue group 1 (ASSEMBLY), the following options are available:
0 : UNSPECIFIED ASSEMBLY
1 : ARENA
2 : STADIUM
3 : PASSENGER TERMINAL
4 : AMPHITHEATER
5 : AMUSEMENT PARK
6 : PLACE OF WORSHIP
7 : CONVENTION CENTER
8 : LIBRARY
9 : MUSEUM
10 : RESTAURANT
11 : THEATER
12 : BAR
13 : COFFEE SHOP
14 : ZOO OR AQUARIUM
15 : EMERGENCY COORDINATION CENTER
For venue group 2 (BUSINESS), the following options are available:
0 : UNSPECIFIED BUSINESS
1 : DOCTOR OR DENTIST OFFICE
2 : BANK
3 : FIRE STATION
4 : POLICE STATION
6 : POST OFFICE
7 : PROFESSIONAL OFFICE
8 : RESEARCH AND DEVELOPMENT FACILITY
9 : ATTORNEY OFFICE
For venue group 3 (EDUCATIONAL), the following options are available:
0 : UNSPECIFIED EDUCATIONAL
1 : PRIMARY SCHOOL
2 : SECONDARY SCHOOL
3 : UNIVERSITY OR COLLEGE
For venue group 4 (FACTORY-INDUSTRIAL), the following options are available:
0 : UNSPECIFIED FACTORY AND INDUSTRIAL
1 : FACTORY
For venue group 5 (INSTITUTIONAL), the following options are available:
0 : UNSPECIFIED INSTITUTIONAL
1 : HOSPITAL
2 : LONG-TERM CARE FACILITY
3 : ALCOHOL AND DRUG RE-HABILITATION CENTER
4 : GROUP HOME
5 : PRISON OR JAIL
For venue group 6 (MERCANTILE), the following options are available:
0 : UNSPECIFIED MERCANTILE
1 : RETAIL STORE
2 : GROCERY MARKET
3 : AUTOMOTIVE SERVICE STATION
4 : SHOPPING MALL
5 : GAS STATION
For venue group 7 (RESIDENTIAL), the following options are available:
0 : UNSPECIFIED RESIDENTIAL
1 : PRIVATE RESIDENCE
2 : HOTEL OR MOTEL
3 : DORMITORY
4 : BOARDING HOUSE
For venue group 8 (STORAGE), the following options are available:
0 : UNSPECIFIED STORAGE
For venue group 9 (UTILITY-MISC), the following options are available:
0 : UNSPECIFIED UTILITY AND MISCELLANEOUS
For venue group 10 (VEHICULAR), the following options are available:
0 : UNSPECIFIED VEHICULAR
1 : AUTOMOBILE OR TRUCK
2 : AIRPLANE
3 : BUS
4 : FERRY
5 : SHIP OR BOAT
6 : TRAIN
7 : MOTOR BIKE
For venue group 11 (OUTDOOR), the following options are available:
0 : UNSPECIFIED OUTDOOR
1 : MINI-MESH NETWORK
2 : CITY PARK
3 : REST AREA
4 : TRAFFIC CONTROL
5 : BUS STOP
6 : KIOSK
name
Configures the name of venue for an AP group.
language_code
An ISO-639 encoded string defining the language used at the venue. This string is a three character language code. For example, you can enter ENG for English.
venue_name
Venue name for this AP group. This name is associated with the basic service set (BSS) and is used in cases where the SSID does not provide enough information about the venue. The venue name is case-sensitive and can be up to 252 alphanumeric characters.
add
Adds an operating class for an AP group.
delete
Deletes an operating class for an AP group.
operating_class_value
Operating class for an AP group. The available operating classes are 81, 83, 84, 112, 113, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127.
Command Default
AP Group VLAN is disabled.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
An error message appears if you try to delete an access point group that is used by at least one access point. Before you can delete an AP group in controller software release 6.0, move all APs in this group to another group. The access points are not moved to the default-group access point group as in previous releases. To see the APs, enter the show wlan apgroups command. To move APs, enter the config ap group-name groupname cisco_ap command.
The NAS-ID configured on the controller for AP group or WLAN or interface is used for authentication. The NAS-ID is not propagated across controllers.
Examples
The following example shows how to enable the NAC out-of-band support on access point group 4:
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
When you enable band select on a WLAN, the access point suppresses client probes on 2.4-GHz and moves the dual-band clients to the 5-GHz spectrum. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running. Band selection can be used only with Cisco Aironet 1040, 1140, and 1250 Series and the 3500 series access points.
Examples
The following example shows how to enable band selection on a WLAN:
To configure the controller to defer priority markings for packets that can defer off channel scanning, use the config wlan channel-scan defer-priority command.
(Optional) Enables packets at the given priority to defer off-channel scanning.
disable
(Optional) Disables packets at the given priority from deferring off-channel scanning.
wlan_id
Wireless LAN identifier (1 to 512).
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
The priority value should be set to 6 on the client and on the WLAN.
Examples
The following example shows how to enable the controller to defer priority markings that can defer off channel scanning with user priority value 6 and WLAN id 30:
Configures the name of the login page for an external web authentication URL.
page-name
Login page name for an external web authentication URL.
loginfailure-page
Configures the name of the login failure page for an external web authentication URL.
none
Does not configure a login failure page for an external web authentication URL.
logout-page
Configures the name of the logout page for an external web authentication URL.
sleep-client
Configures the sleep client feature on the WLAN.
timeout
Configures the sleep client timeout on the WLAN.
duration
Maximum amount of time after the idle timeout, in hours, before a sleeping client is forced to reauthenticate. The range is from 1 to 720. The default value is 12. When the sleep client feature is enabled, the clients need not provide the login credentials when they move from one Cisco WLC to another (if Cisco WLCs are in the same mobility group) between the sleep and wake up times.
webauth-type
Configures the type of web authentication for the WLAN.
internal
Displays the default login page.
customized
Displays a customized login page.
external
Displays a login page on an external web server.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to configure the web authentication type as external:
IP address of the internal DHCP server (this parameter is required).
required
(Optional) Specifies whether DHCP address assignment is required.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
The preferred method for configuring DHCP is to use the primary DHCP address assigned to a particular interface instead of the DHCP server override. If you enable the override, you can use the show wlan command to verify that the DHCP server has been assigned to the WLAN.
Examples
The following example shows how to configure an IP address 10.10.2.1 of the internal DHCP server for wireless LAN ID 16:
Enables client IP address learning on a wireless LAN.
disable
Disables client IP address learning on a wireless LAN.
Command Default
Disabled when the config wlan flexconnect local-switching command is disabled. Enabled when the config wlan flexconnect local-switching command is enabled.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
If the client is configured with Layer 2 encryption, the controller cannot learn the client IP address, and the controller will periodically drop the client. Disable this option to keep the client connection without waiting to learn the client IP address.
Note
The ability to disable IP address learning is not supported with FlexConnect central switching.
Examples
The following example shows how to disable client IP address learning for WLAN 6:
To configure local switching, central DHCP, NAT-PAT, or the override DNS option on a FlexConnect WLAN, use the config wlan flexconnect local-switching command.
Configures central switching of DHCP packets on the local switching FlexConnect WLAN. When you enable this feature, the DHCP packets received from the AP are centrally switched to the controller and forwarded to the corresponding VLAN based on the AP and the SSID.
enable
Enables central DHCP on a FlexConnect WLAN.
disable
Disables central DHCP on a FlexConnect WLAN.
nat-pat
Configures Network Address Translation (NAT) and Port Address Translation (PAT) on the local switching FlexConnect WLAN.
enable
Enables NAT-PAT on the FlexConnect WLAN.
disable
Disables NAT-PAT on the FlexConnect WLAN.
override
Specifies the DHCP override options on the FlexConnect WLAN.
option dns
Specifies the override DNS option on the FlexConnect WLAN. When you override this option, the clients get their DNS server IP address from the AP, not from the controller.
enable
Enables the override DNS option on the FlexConnect WLAN.
disable
Disables the override DNS option on the FlexConnect WLAN.
Command Default
This feature is disabled.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
When you enable the config wlan flexconnect local-switching command, the config wlan flexconnect learn-ipaddr command is enabled by default.
Note
The ability to disable IP address learning is not supported with FlexConnect central switching.
Examples
The following example shows how to enable WLAN 6 for local switching and enable central DHCP and NAT-PAT:
Enables central switching on a locally switched wireless LAN.
disable
Disables central switching on a locally switched wireless LAN.
Command Default
Central switching is disabled.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
You must enable FlexConnect local switching to enable VLAN central switching. When you enable WLAN central switching, the access point bridges the traffic locally if the WLAN is configured on the local IEEE 802.1Q link. If the VLAN is not configured on the access point, the AP tunnels the traffic back to the controller and the controller bridges the traffic to the corresponding VLAN.
WLAN central switching does not support:
FlexConnect local authentication.
Layer 3 roaming of local switching client.
Examples
The following example shows how to enable WLAN 6 for central switching:
Mobile Country Code (MCC) in Binary Coded Decimal (BCD) format. The country code can be up to 3 characters. For example, the MCC for USA is 310.
network_code
Mobile Network Code (MNC) in BCD format. An MNC is used in combination with a Mobile Country Code (MCC) to uniquely identify a mobile phone operator or carrier. The network code can be up to 3 characters. For example, the MNC for T-Mobile is 026.
wlan_id
Wireless LAN identifier between 1 and 512.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
Number of mobile network codes supported is 32 per WLAN.
Examples
The following example shows how to configure 3GPP cellular network information on a WLAN:
To configure a Homogeneous Extended Service Set Identifier (HESSID) on an 802.11u HotSpot WLAN, use the config wlan hotspot dot11u hessid command.
config wlan hotspot dot11u hessid hessid wlan_id
Syntax Description
hessid
MAC address that can be configured as an HESSID.
The HESSID is a 6-octet MAC address that uniquely identifies the network. For example, Basic Service Set Identification (BSSID) of the WLAN can be used as the HESSID.
wlan_id
Wireless LAN identifier between 1 and 512.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to configure an HESSID on an 802.11u HotSpot WLAN:
4—EAP-FAST (Flexible Authentication via Secure Tunneling)
5—EAP for GSM Subscriber Identity Module (EAP-SIM)
6—EAP-Tunneled Transport Layer Security (EAP-TTLS)
7—EAP for UMTS Authentication and Key Agreement (EAP-AKA)
realm-name
Specifies the name of the realm.
realm
Name of the realm. The realm name should be RFC 4282 compliant. For example, Cisco. The realm name is case-sensitive and can be up to 255 alphanumeric characters.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Adds the operator name, port configuration, or WAN metrics parameters to the WLAN configuration.
index
Index of the operator. The range is from 1 to 32.
operator-name
Name of the operator.
language-code
Language used. An ISO-14962-1997 encoded string that defines the language. This string is a three character language code. Enter the first three letters of the language in English. For example, eng for English.
delete
Deletes the operator name, port configuration, or WAN metrics parameters from the WLAN.
modify
Modifies the operator name, port configuration, or WAN metrics parameters of the WLAN.
port-config
Configures the port configuration values.
port_config_index
Port configuration index. The range is from 1 to 32. The default value is 1.
ip-protocol
Protocol to use. This parameter provides information on the connection status of the most commonly used communication protocols and ports. The following options are available:
1—ICMP
6—FTP/SSH/TLS/PPTP-VPN/VoIP
17—IKEv2 (IPSec-VPN/VoIP/ESP)
50—ESP (IPSec-VPN)
port-number
Port number. The following options are available:
0—ICMP/ESP (IPSec-VPN)
20—FTP
22—SSH
443—TLS-VPN
500—IKEv2
1723—PPTP-VPN
4500—IKEv2
5060—VoIP
status
Status of the IP port. The following options are available:
0—Closed
1—Open
2—Unknown
wan-metrics
Configures the WAN metrics.
link-status
Link status. The following options are available:
0—Unknown
1—Link up
2—Link down
3—Link in test state
symet-link
Symmetric link status. The following options are available:
0—Link speed is different for uplink and downlink. For example: ADSL
1—Link speed is the same for uplink and downlink. For example: DS1
downlink-speed
Downlink speed of the WAN backhaul link in kbps. The maximum value is 4,194,304 kbps.
uplink-speed
Uplink speed of the WAN backhaul link in kbps. The maximum value is 4,194,304 kbps.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to configure the WAN metrics parameters:
To configure the Key Telephone System-based CAC policy for a WLAN, use the config wlan kts-cac command.
config wlan kts-cac {enable | disable} wlan_id
Syntax Description
enable
Enables the KTS-based CAC policy.
disable
Disables the KTS-based CAC policy.
wlan_id
Wireless LAN identifier between 1 and 512.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
To enable the KTS-based CAC policy for a WLAN, ensure that you do the following:
Configure the QoS profile for the WLAN to Platinum by entering the following command:
config wlan qos wlan-id platinum
Disable the WLAN by entering the following command:
config wlan disable wlan-id
Disable FlexConnect local switching for the WLAN by entering the following command:
config wlan flexconnect local-switching wlan-id disable
Examples
The following example shows how to enable the KTS-based CAC policy for a WLAN with the ID 4:
(Cisco Controller) >config wlan kts-cac enable 4
config wlan layer2 acl
To configure a Layer 2 access control list (ACL) on a centrally switched WLAN, use the config wlan layer2 acl command.
config wlan layer2 acl wlan_id {acl_name | none}
Syntax Description
wlan_id
Wireless LAN identifier. The range is from 1 to 512.
acl_name
Layer2 ACL name. The name can be up to 32 alphanumeric characters.
none
Clears any Layer2 ACL mapped to the WLAN.
Command Default
None
Command History
Release
Modification
7.5
This command was introduced.
Usage Guidelines
You can create a maximum of 16 rules for a Layer 2 ACL.
You can create a maximum of 64 Layer 2 ACLs on a Cisco WLC.
A maximum of 16 Layer 2 ACLs are supported per access point because an access point supports a maximum of 16 WLANs.
Ensure that the Layer 2 ACL names do not conflict with the FlexConnect ACL names because an access point does not support the same Layer 2 and Layer 3 ACL names.
Examples
The following example shows how to apply a Layer 2 ACL on a WLAN:
Enables client IP address learning on the centrally switched WLAN.
disable
Disables client IP address learning on the centrally switched WLAN.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
If the client is configured with Layer 2 encryption, the Cisco WLC cannot learn the client IP address and will periodically drop the client. Disable this option so that the Cisco WLC maintains the client connection without waiting to learn the client IP address.
Examples
The following example shows how to enable client IP address learning on a centrally switched WLAN:
Name of the mDNS profile to be associated with a WLAN.
none
Removes all existing mDNS profiles from the WLAN. You cannot configure mDNS profiles on the WLAN.
wlan_id
Wireless LAN identifier from 1 to 512.
all
Configures the mDNS profile for all WLANs.
Command Default
By default, mDNS snooping is enabled on WLANs.
Command History
Release
Modification
7.4
This command was introduced.
Usage Guidelines
You must disable the WLAN before you use this command. Clients receive service advertisements only for the services associated with the profile. The controller gives the highest priority to the profiles associated to interface groups, followed by the interface profiles, and then the WLAN profiles. Each client is mapped to a profile based on the order of priority.
Examples
The following example shows how to configure an mDNS profile for a WLAN.
Configures multicast-direct for a wireless LAN media stream.
wlan_id
Wireless LAN identifier between 1 and 512.
all
Configures the wireless LAN on all media streams.
enable
Enables global multicast to unicast conversion.
disable
Disables global multicast to unicast conversion.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
Media stream multicast-direct requires load-based Call Admission Control (CAC) to run. WLAN quality of service (QoS) needs to be set to either gold or platinum.
Examples
The following example shows how to enable the global multicast-direct media stream with WLAN ID 2:
Adds an interface or interface group to the map of foreign controllers.
delete
Deletes an interface or interface group from the map of foreign controllers.
wlan_id
Wireless LAN identifier from 1 to 512.
foreign_mac_address
Foreign switch MAC address on a WLAN.
interface_name
Interface name up to 32 alphanumeric characters.
interface_group_name
Interface group name up to 32 alphanumeric characters.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to add an interface group for foreign Cisco WLCs on WLAN ID 4, where the foreign switch MAC address is 00:21:1b:ea:36:60:
Enables the multicast interface feature for a wireless LAN.
disable
Disables the multicast interface feature on a wireless LAN.
buffer-size
Radio multicast packet buffer size. The range is from 30 to 60. Enter 0 to indicate APs will dynamically adjust the number of buffers allocated for multicast.
wlan_id
Wireless LAN identifier between 1 and 512.
Command Default
The default buffer size is 30.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to configure radio multicast buffer settings:
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
You should enable AAA override before you enable the RADIUS NAC state. You also should disable FlexConnect local switching before you enable the RADIUS NAC state.
Examples
The following example shows how to configure SNMP NAC support for WLAN 13:
To override the bandwidth limits for upstream and downstream traffic per user and per service set identifier (SSID) defined in the QoS profile, use the config wlan override-rate-limit command.
Specifies the average data rate for TCP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.
average-realtime-rate
Specifies the average real-time data rate for UDP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.
burst-data-rate
Specifies the peak data rate for TCP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.
burst-realtime-rate
Specifies the peak real-time data rate for UDP traffic per user or per SSID. The range is from 0 to 512,000 Kbps.
per-ssid
Configures the rate limit for an SSID per radio. The combined traffic of all clients will not exceed this limit.
per-client
Configures the rate limit for each client associated with the SSID.
downstream
Configures the rate limit for downstream traffic.
upstream
Configures the rate limit for upstream traffic.
rate
Data rate for TCP or UDP traffic per user or per SSID. The range is from 0 to 512,000 Kbps. A value of 0 imposes no bandwidth restriction on the QoS profile.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
The rate limits are enforced by the controller and the AP. For central switching, the controller handles the downstream enforcement of the per-client rate limit, and the AP handles the enforcement of the upstream traffic and the per-SSID rate limit for downstream traffic. When the AP enters standalone mode, it handles the downstream enforcement of per-client rate limits too.
In FlexConnect local switching and standalone modes, per-client and per-SSID rate limiting is done by the AP for downstream and upstream traffic. However, in FlexConnect standalone mode, the configuration is not saved on the AP, so when the AP reloads, the configuration is lost and rate limiting does not happen after reboot.
For roaming clients, if the client roams between the APs on the same controller, the same rate limit parameters are applied to the client. However, if the client roams from an anchor to a foreign controller, the per-client downstream rate limiting uses the parameters configured on the anchor controller, while upstream rate limiting uses the parameters of the foreign controller.
Examples
The following example shows how to configure the burst real-time actual rate 2000 Kbps for the upstream traffic per SSID:
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
You need to enable the global multicast mode and multicast-multicast mode by using the config network multicast global and config network multicast mode commands before entering this command.
Note
You should configure multicast in multicast-multicast mode only, not in unicast mode. The passive client feature does not work with multicast-unicast mode in this release.
Examples
The following example shows how to configure the passive client on wireless LAN ID 2:
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
This command binds a profile name to the PMIPv6 WLAN or SSID. Each time that a mobile node associates with the controller, it uses the profile name and NAI in the trigger to the PMIPv6 module. The PMIPv6 module extracts all the profile-specific parameters such as LMA IP, APN, and NAI and sends the PBU to the ASR5K.
Examples
The following example shows how to create a profile named ABC01 on a PMIPv6 WLAN:
Priority index of the policy to be configured on the WLAN. The policies are applied to the clients according to the priority index.
The range is from 1 to 16.
policy_name
Name of the profiling policy.
wlan-id
WLAN identifier from 1 to 512.
Command Default
There is no WLAN policy.
Command History
Release
Modification
7.5
This command was introduced.
Usage Guidelines
You can apply up to 16 policies on a WLAN.
Examples
The following example shows how to configure a policy on a WLAN:
Enables AP group's interface for all RADIUS traffic on the WLAN.
enable
Enables RADIUS dynamic interface for this WLAN.
disable
Disables RADIUS dynamic interface for this WLAN.
wlan
Enables WLAN's interface for all RADIUS traffic on the WLAN.
wlan_id
Wireless LAN identifier between 1 and 512.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
The controller uses the management interface as identity. If the RADIUS server is on a directly connected dynamic interface, the traffic is sourced from the dynamic interface. Otherwise, the management IP address is used.
If the feature is enabled, the controller uses the interface specified on the WLAN configuration as identity and source for all RADIUS-related traffic on the WLAN.
Examples
The following example shows how to enable RADIUS dynamic interface for a WLAN with an ID 1:
To configure the proprietary Internet Key Exchange (IKE) CFG-Mode parameters used on the wireless LAN, use the config wlan security IPsec config command.
Configures the quote-of-the-day server IP for cfg-mode.
ip_address
Quote-of-the-day server IP for cfg-mode.
wlan_id
Wireless LAN identifier between 1 and 512.
foreignAp
Specifies third-party access points.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
IKE is used as a method of distributing the session keys (encryption and authentication), as well as providing a way for the VPN endpoints to agree on how the data should be protected. IKE keeps track of connections by assigning a bundle of Security Associations (SAs) to each connection.
Examples
The following example shows how to configure the quote-of-the-day server IP 44.55.66.77 for cfg-mode for WLAN 1:
To modify the IPsec Internet Key Exchange (IKE) authentication protocol used on the wireless LAN, use the config wlan security IPsec ike authentication command.
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to configure the IKE certification mode:
(Cisco Controller) >config wlan security IPsec ike authentication certificates 16
config wlan security IPsec ike dh-group
To modify the IPsec Internet Key Exchange (IKE) Diffie-Hellman group used on the wireless LAN, use the config wlan security IPsec ike dh-group command.
Requires clients to negotiate 802.11w MFP protection on a WLAN.
association-comeback
Configures the 802.11w association comeback time.
association-comeback_timeout
Association comeback interval in seconds. Time interval that an associated client must wait before the association is tried again after it is denied with a status code 30.
The status code 30 message is "Association request rejected temporarily; Try again later".
The range is from 1 to 20 seconds.
saquery-retrytimeout
Configures the 802.11w Security Association (SA) query retry timeout.
saquery-retry_timeout
Time interval identified in the association response to an already associated client before the association can be tried again. This time interval checks if the client is a real client and not a rogue client during the association comeback time. If the client does not respond within this time, the client association is deleted from the controller.
The range is from 100 to 500 ms.
wlan_id
Wireless LAN identifier from 1 to 512.
Command Default
Default SA query retry timeout is 200 milliseconds.
Default association comeback timeout is 1 second.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
802.11w introduces an Integrity Group Temporal Key (IGTK) that is used to protect broadcast or multicast robust management frames. IGTK is a random value, assigned by the authenticator station (controller), used to protect MAC management protocol data units (MMPDUs) from the source STA. The 802.11w IGTK key is derived using the four-way handshake and is used only on WLANs that are configured with WPA or WPA2 security at Layer 2.
Examples
The following example shows how to enable 802.11w MFP protection on a WLAN:
To configure static Wired Equivalent Privacy (WEP) key 802.11 authentication on a wireless LAN, use the config wlan security static-wep-key authentication command.
Specifies to use hexadecimal characters to enter key.
ascii
Specifies whether to use ASCII characters to enter key.
key
WEP key in ASCII.
key-index
Key index (1 to 4).
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
One unique WEP key index can be applied to each wireless LAN. Because there are only four WEP key indexes, only four wireless LANs can be configured for static WEP Layer 2 encryption.
Make sure to disable 802.1X before using this command.
Examples
The following example shows how to configure the static WEP keys for WLAN ID 1 that uses hexadecimal character 0201702001 and key index 2:
To configure the Temporal Key Integrity Protocol (TKIP) Message Integrity Check (MIC) countermeasure hold-down timer, use the config wlan security tkip command.
config wlan security tkip hold-down time wlan_id
Syntax Description
hold-down
Configures the TKIP MIC countermeasure hold-down timer.
time
TKIP MIC countermeasure hold-down time in seconds. The range is from 0 to 60 seconds.
wlan_id
Wireless LAN identifier from 1 to 512.
Command Default
The default TKIP countermeasure is set to 60 seconds.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
TKIP countermeasure mode can occur if the access point receives 2 MIC errors within a 60-second period. When this situation occurs, the access point deauthenticates all TKIP clients that are associated to that 802.11 radio and holds off any clients for the countermeasure holdoff time.
Examples
The following example shows how to configure the TKIP MIC countermeasure hold-down timer:
(Cisco Controller) >config wlan security tkip
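The countermeasure rule in the Usage Guidelines above (2 MIC errors within 60 seconds, then a hold-off lasting the configured hold-down time) can be replayed over AP logs to see when each radio was holding clients off. This is an added example, not Cisco code: the log format, the function names, and the choices to ignore errors during a hold-off and to reset the error count after a trigger are assumptions.

```python
"""Added example: find TKIP MIC countermeasure periods in AP log lines."""
import re
from collections import defaultdict

# Constructed log format (an assumption, not WLC output):
#   <epoch-seconds> <ap-name> <radio> MIC-FAILURE client=<mac>
LINE = re.compile(r"^(\d+) (\S+) (\S+) MIC-FAILURE client=(\S+)$")

# Constructed sample, deliberately out of time order.
SAMPLE_LOG = """\
1000 ap-lobby 802.11b MIC-FAILURE client=00:11:22:33:44:55
1045 ap-lobby 802.11b MIC-FAILURE client=00:11:22:33:44:66
1050 ap-lobby 802.11b MIC-FAILURE client=00:11:22:33:44:55
1200 ap-lab 802.11a MIC-FAILURE client=00:11:22:33:44:77
1300 ap-lab 802.11a MIC-FAILURE client=00:11:22:33:44:77
1115 ap-lobby 802.11b MIC-FAILURE client=00:11:22:33:44:66
1150 ap-lobby 802.11b MIC-FAILURE client=00:11:22:33:44:55
"""


def parse_log(text):
    """Return [(timestamp, (ap, radio)), ...] for every MIC-failure line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # lines in any other format are skipped
            events.append((int(m.group(1)), (m.group(2), m.group(3))))
    return events


def countermeasure_windows(events, hold_down=60, window=60):
    """Map each radio to the (start, end) periods it spent in countermeasures.

    hold_down is the value set with 'config wlan security tkip hold-down'
    (0 to 60 seconds); window is the 60-second MIC error period.
    """
    last_error = {}            # radio -> time of an unpaired MIC error
    holds = defaultdict(list)  # radio -> [(start, end), ...]
    for ts, radio in sorted(events):
        active = holds.get(radio)
        if active and ts < active[-1][1]:
            continue           # assumption: errors during a hold-off are ignored
        prev = last_error.pop(radio, None)
        if prev is not None and ts - prev <= window:
            # Second error inside the window: countermeasures start now and
            # the error count starts over (assumption).
            holds[radio].append((ts, ts + hold_down))
        else:
            last_error[radio] = ts
    return dict(holds)


if __name__ == "__main__":
    for radio, periods in countermeasure_windows(parse_log(SAMPLE_LOG)).items():
        for start, end in periods:
            print(radio, "held off clients from", start, "to", end)
```

Re-running with a different hold_down shows how the configured timer changes the time clients spend locked out for the same sequence of MIC errors.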
config wlan security web-auth
To change the status of web authentication used on a wireless LAN, use the config wlan security web-auth command.
To enable the randomization of group temporal keys (GTK) between access points and clients on a WLAN, use the config wlan security wpa gtk-random command.
Enables the randomization of GTK keys between the access point and clients.
disable
Disables the randomization of GTK keys between the access point and clients.
wlan_id
WLAN identifier between 1 and 512.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
When you enable this command, the clients in the Basic Service Set (BSS) get a unique GTK key. The clients do not receive multicast or broadcast traffic.
Examples
The following example shows how to enable the GTK randomization for each client associated on a WLAN:
Configures Sticky Key Caching (SKC) roaming support on the WLAN.
enable
Enables SKC roaming support on the WLAN.
disable
Disables SKC roaming support on the WLAN.
wlan_id
Wireless LAN identifier between 1 and 512.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
In SKC (Sticky Key caching), also known as PKC (Pro Active Key caching), the client stores each Pairwise Master Key (PMK) ID (PMKID) against a Pairwise Master Key Security Association (PMKSA). When a client finds an AP for which it has a PMKSA, it sends the PMKID in the association request to the AP. If the PMKSA is alive in the AP, the AP provides support for fast roaming. In SKC, full authentication is done on each new AP to which the client associates and the client must keep the PMKSA associated with all APs.
Examples
The following example shows how to enable SKC roaming support on a WLAN:
Wireless LAN identifier between 1 and 512 (inclusive).
Command Default
Sticky PMKID Caching is disabled.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
Beginning in Release 7.2 and later releases, the controller supports Sticky PMKID Caching (SKC). With sticky PMKID caching, the client receives and stores a different PMKID for every AP it associates with. The APs also maintain a database of the PMKID issued to the client. In SKC, also known as PKC (Pro Active Key caching), the client stores each Pairwise Master Key (PMK) ID (PMKID) against a Pairwise Master Key Security Association (PMKSA). When a client finds an AP for which it has the PMKSA, it sends the PMKID in the association request to the AP. If the PMKSA is alive in the AP, the AP provides support for fast roaming. In SKC, full authentication is done on each new AP to which the client associates and the client must keep the PMKSA associated with all APs. For SKC, PMKSA is a per-AP cache that the client stores, and PMKSA is precalculated based on the BSSID of the new AP.
You cannot use SKC for large-scale deployments as the controller supports SKC only up to eight APs.
SKC does not work across controllers in a mobility group.
SKC works only on WPA2-enabled WLANs.
SKC works only on local mode APs.
Examples
The following example shows how to enable Sticky PMKID Caching on WLAN 5:
To configure WPA2 ciphers and enable or disable Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) data encryption for WPA2, use the config wlan security wpa wpa2 ciphers command.
To enable client disassociation in case of session initiation protocol (SIP) call admission control (CAC) failure, use the config wlan sip-cac disassoc-client command.
To configure sending a session initiation protocol (SIP) 486 busy message if a SIP call admission control (CAC) failure occurs, use the config wlan sip-cac send-486busy command.
To configure the threshold data sent by the client during the idle timeout for client sessions for a WLAN, use the config wlan user-idle-threshold command.
config wlan user-idle-threshold bytes wlan_id
Syntax Description
bytes
Threshold data sent by the client during the idle timeout for the client session for a WLAN. If the client sends less traffic than the defined threshold, the client is removed on timeout. The range is from 0 to 10000000 bytes.
wlan_id
Wireless LAN identifier between 1 and 512.
Command Default
The default threshold for data sent by the client during the idle timeout is 0 bytes.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to configure the threshold data sent by the client during the idle timeout for client sessions for a WLAN:
To configure the timeout for idle client sessions for a WLAN, use the config wlan usertimeout command.
config wlan usertimeout timeout wlan_id
Syntax Description
timeout
Timeout for idle client sessions for a WLAN. If the client sends less traffic than the threshold, the client is removed on timeout. The range is from 15 to 100000 seconds.
wlan_id
Wireless LAN identifier between 1 and 512.
Command Default
The default client session idle timeout is 300 seconds.
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
The timeout value that you configure here overrides the global timeout that you define using the command config network usertimeout.
Examples
The following example shows how to configure the idle client sessions for a WLAN:
(Cisco Controller) >config wlan usertimeout 100 1
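A pre-flight check for a WLAN change script, added here as an example (it is not Cisco code): it validates arguments against the syntax lines and ranges this section gives for config wlan kts-cac, config wlan security tkip hold-down, config wlan user-idle-threshold, config wlan usertimeout, config wlan hotspot dot11u hessid and config wlan layer2 acl, and flags a kts-cac enable that is not preceded by its three prerequisite commands. The function names, the sample script, and the rule that the prerequisites must appear earlier in the same script are assumptions.

```python
"""Added example: lint a WLC change script against the documented ranges."""
import re

MAC = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
ACL_NAME = re.compile(r"[A-Za-z0-9]{1,32}")
PROMPT = re.compile(r"^\(Cisco Controller\) ?>\s*")


def ranged(name, lo, hi):
    """Checker for an integer argument with an inclusive range."""
    def check(tok):
        if not tok.isdigit() or not lo <= int(tok) <= hi:
            return f"{name} must be an integer from {lo} to {hi}, got {tok!r}"
        return None
    return check


def choice(name, *allowed):
    """Checker for a keyword argument."""
    def check(tok):
        return None if tok in allowed else f"{name} must be one of {allowed}, got {tok!r}"
    return check


def pattern(name, regex, hint):
    """Checker for an argument that must match a regular expression in full."""
    def check(tok):
        return None if regex.fullmatch(tok) else f"{name} must be {hint}, got {tok!r}"
    return check


WLAN_ID = ranged("wlan_id", 1, 512)

# Command prefix -> argument checkers, in the order the syntax lines give them.
SPECS = {
    "config wlan kts-cac": [choice("state", "enable", "disable"), WLAN_ID],
    "config wlan security tkip hold-down": [ranged("time", 0, 60), WLAN_ID],
    "config wlan user-idle-threshold": [ranged("bytes", 0, 10_000_000), WLAN_ID],
    "config wlan usertimeout": [ranged("timeout", 15, 100_000), WLAN_ID],
    "config wlan hotspot dot11u hessid": [pattern("hessid", MAC, "a 6-octet MAC address"), WLAN_ID],
    "config wlan layer2 acl": [WLAN_ID, pattern("acl_name", ACL_NAME, "up to 32 alphanumeric characters")],
}


def kts_prereqs(wlan_id):
    """The three commands the KTS-CAC Usage Guidelines require first."""
    return [
        f"config wlan qos {wlan_id} platinum",
        f"config wlan disable {wlan_id}",
        f"config wlan flexconnect local-switching {wlan_id} disable",
    ]


def lint(script):
    """Return a list of (line_no, message) findings for a change script."""
    findings, seen = [], set()
    for no, raw in enumerate(script.splitlines(), 1):
        line = PROMPT.sub("", " ".join(raw.split()))  # normalise spaces, drop prompt
        if not line or line.startswith("#"):
            continue
        for prefix, checkers in SPECS.items():
            if line.startswith(prefix + " "):
                args = line[len(prefix):].split()
                if len(args) != len(checkers):
                    findings.append((no, f"{prefix}: expected {len(checkers)} arguments, got {len(args)}"))
                    break
                findings += [(no, msg) for c, a in zip(checkers, args) if (msg := c(a))]
                if prefix == "config wlan kts-cac" and args[0] == "enable":
                    findings += [(no, f"missing prerequisite before this line: {p}")
                                 for p in kts_prereqs(args[1]) if p not in seen]
                break
        seen.add(line)
    return findings


# Constructed change script used as sample input.
SAMPLE = """\
# constructed change script
config wlan qos 4 platinum
config wlan disable 4
(Cisco Controller) >config wlan kts-cac enable 4
config wlan security tkip hold-down 90 4
config wlan usertimeout 100 1
config wlan hotspot dot11u hessid 00:21:1b:ea:36 7
config wlan user-idle-threshold 2048 513
"""

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE):
        print(f"line {line_no}: {message}")
```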
config wlan webauth-exclude
To release the guest user IP address when the web authentication policy time expires and exclude the guest user from acquiring an IP address for three minutes, use the config wlan webauth-exclude command.
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
You can use this command for guest WLANs that are configured with web authentication.
This command is applicable when you configure the internal DHCP scope on the controller.
By default, when the web authentication timer expires for a guest user, the guest user can immediately reassociate with the same IP address before another guest user can acquire the IP address. If there are many guest users or limited IP addresses in the DHCP pool, some guest users might not be able to acquire an IP address.
When you enable this feature on the guest WLAN, the guest user’s IP address is released when the web authentication policy time expires and the guest user is excluded from acquiring an IP address for three minutes. The IP address is available for another guest user to use. After three minutes, the excluded guest user can reassociate and acquire an IP address, if available.
Examples
The following example shows how to enable the web authentication exclusion for WLAN ID 5:
Specifies that clients use WMM on the specified wireless LAN.
wlan_id
Wireless LAN identifier (1 to 512).
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Usage Guidelines
When the controller is in Layer 2 mode and WMM is enabled, you must put the access points on a trunk port in order to allow them to join the controller.
Examples
The following example shows how to configure wireless LAN ID 1 to allow WMM:
(Cisco Controller) >config wlan wmm allow 1
The following example shows how to configure wireless LAN ID 1 to specify that clients use WMM:
(Cisco Controller) >config wlan wmm require 1
clear Commands
This section lists the clear commands to clear existing configurations, log files, and other functions for WLANs.
This section lists the debug commands to manage debugging of WLANs managed by the controller.
Caution
Debug commands are reserved for use only under the direction of Cisco personnel. Do not use these commands without direction from Cisco-certified staff.
To delete an entry in the Pairwise Master Key (PMK) cache from all Cisco wireless LAN controllers in the mobility group, use the test pmk-cache delete command.
test pmk-cache delete {all | mac_address}
Syntax Description
all
Deletes PMK cache entries from all Cisco wireless LAN controllers.
mac_address
MAC address of the Cisco wireless LAN controller from which PMK cache entries have to be deleted.
Command Default
None
Command History
Release
Modification
7.6
This command was introduced in a release earlier than Release 7.6.
Examples
The following example shows how to delete all entries in the PMK cache: