Cisco Router 860, 880 Series User Manual


    17-13
    Book Title
    OL-xxxxx-xx
    Chapter 17      Administering the Wireless Device
      Controlling Access Point Access with RADIUS
    To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} command
    in global configuration mode. To remove a server group from the configuration list, use the no aaa group
    server radius group-name command in global configuration mode. To remove the IP address of a
    RADIUS server from a group, use the no server ip-address command in server group (sg-radius)
    configuration mode.
    In this example, the wireless device is configured to recognize two different RADIUS group servers 
    (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for 
    the same services. The second host entry acts as a failover backup to the first entry.
    AP(config)# aaa new-model
    AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
    AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
    AP(config)# aaa group server radius group1
    AP(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
    AP(config-sg-radius)# exit
    AP(config)# aaa group server radius group2
    AP(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
    AP(config-sg-radius)# exit
    Configuring RADIUS Authorization for User Privileged Access and Network Services
    AAA authorization limits the services available to a user. When AAA authorization is enabled, the 
    wireless device uses information retrieved from the user’s profile, which is in the local user database or 
    on the security server, to configure the user’s session. The user is granted access to a requested service 
    only if the information in the user profile allows it.
    You can use the aaa authorization command in global configuration mode with the radius keyword to 
    set parameters that restrict a user’s network access to privileged EXEC mode. 
    The aaa authorization exec radius local command sets these authorization parameters:
    • Use RADIUS for privileged EXEC access authorization if authentication was performed by using
      RADIUS.
    • Use the local database if authentication was not performed by using RADIUS.
    Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
    been configured.
    To specify RADIUS authorization for privileged EXEC access and network services, follow these steps
    beginning in privileged EXEC mode:

    Step 1  configure terminal
            Enters global configuration mode.
    Step 2  aaa authorization network radius
            Configures the wireless device for user RADIUS authorization for all network-related service
            requests.
    Step 3  aaa authorization exec radius
            Configures the wireless device for user RADIUS authorization to determine if the user has
            privileged EXEC access. The exec keyword might return user profile information (such as
            autocommand information).
    Step 4  end
            Returns to privileged EXEC mode.
    Step 5  show running-config
            Verifies your entries.
    Step 6  copy running-config startup-config
            (Optional) Saves your entries in the configuration file.

    To disable authorization, use the no aaa authorization {network | exec} method1 command in global
    configuration mode.
    Displaying the RADIUS Configuration
    To display the RADIUS configuration, use the show running-config command in privileged EXEC
    mode.
    Controlling Access Point Access with TACACS+
    This section describes how to control administrator access to the wireless device using Terminal Access
    Controller Access Control System Plus (TACACS+). For complete instructions on configuring the
    wireless device to support TACACS+, see the “Configuring Radius and TACACS+ Servers” chapter in
    the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points.
    TACACS+ provides detailed accounting information and flexible administrative control over
    authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled
    only through AAA commands.
    Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS
    Security Command Reference.
    These sections describe TACACS+ configuration:
    • Default TACACS+ Configuration, page 17-14
    • Configuring TACACS+ Login Authentication, page 17-15
    • Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 17-16
    • Displaying the TACACS+ Configuration, page 17-17
    Default TACACS+ Configuration
    TACACS+ and AAA are disabled by default.
    To prevent a lapse in security, you cannot configure TACACS+ through a network management
    application. When enabled, TACACS+ can authenticate administrators accessing the wireless device
    through the CLI.
    						
    Configuring TACACS+ Login Authentication
    To configure AAA authentication, you define a named list of authentication methods and then apply that 
    list to various interfaces. The method list defines the types of authentication to be performed and the 
    sequence in which they are performed; it must be applied to a specific interface before any defined 
    authentication methods are performed. The only exception is the default method list (which, by 
    coincidence, is named default). The default method list is automatically applied to all interfaces except 
    those that have a named method list explicitly defined. A defined method list overrides the default 
    method list.
    A method list describes the sequence and authentication methods to be queried to authenticate a user. 
    You can designate one or more security protocols to be used for authentication, thus ensuring a backup 
    system for authentication in case the initial method fails. The software uses the first method listed to 
    authenticate users; if that method fails, the software selects the next authentication method in the method 
    list. This process continues until there is successful communication with a listed authentication method 
    or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that 
    the security server or local username database responds by denying the user access—the authentication 
    process stops, and no other authentication methods are attempted.
    To configure login authentication, follow these steps beginning in privileged EXEC mode. This
    procedure is required.

    Step 1  configure terminal
            Enters global configuration mode.
    Step 2  aaa new-model
            Enables AAA.
    Step 3  aaa authentication login {default | list-name} method1 [method2...]
            Creates a login authentication method list.
            • To create a default list that is used when a named list is not specified in the login
              authentication command, use the default keyword followed by the methods that are to be
              used in default situations. The default method list is automatically applied to all interfaces.
            • For list-name, specify a character string to name the list you are creating.
            • For method1..., specify the actual method the authentication algorithm tries. The additional
              methods of authentication are used only if the previous method returns an error, not if it fails.
            Select one of these methods:
            • local: Use the local username database for authentication. You must enter username
              information into the database. Use the username password command in global
              configuration mode.
            • tacacs+: Use TACACS+ authentication. You must configure the TACACS+ server before you
              can use this authentication method.
    Step 4  line [console | tty | vty] line-number [ending-line-number]
            Enters line configuration mode and configures the lines to which you want to apply the
            authentication list.
    Step 5  login authentication {default | list-name}
            Applies the authentication list to a line or set of lines.
            • If you specify default, use the default list created with the aaa authentication login
              command.
            • For list-name, specify the list created with the aaa authentication login command.
    Step 6  end
            Returns to privileged EXEC mode.
    Step 7  show running-config
            Verifies your entries.
    Step 8  copy running-config startup-config
            (Optional) Saves your entries in the configuration file.

    To disable AAA, use the no aaa new-model command in global configuration mode. To disable AAA
    authentication, use the no aaa authentication login {default | list-name} method1 [method2...]
    command in global configuration mode. To either disable TACACS+ authentication for logins or to
    return to the default value, use the no login authentication {default | list-name} command in line
    configuration mode.
    Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
    AAA authorization limits the services available to a user. When AAA authorization is enabled, the
    wireless device uses information retrieved from the user’s profile, which is located either in the local
    user database or on the security server, to configure the user’s session. The user is granted access to a
    requested service only if the information in the user profile allows it.
    You can use the aaa authorization command in global configuration mode with the tacacs+ keyword
    to set parameters that restrict a user’s network access to privileged EXEC mode.
    The aaa authorization exec tacacs+ local command sets these authorization parameters:
    • Use TACACS+ for privileged EXEC access authorization if authentication was performed by using
      TACACS+.
    • Use the local database if authentication was not performed by using TACACS+.
    Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
    been configured.
    To specify TACACS+ authorization for privileged EXEC access and network services, follow these steps
    beginning in privileged EXEC mode:

    Step 1  configure terminal
            Enters global configuration mode.
    Step 2  aaa authorization network tacacs+
            Configures the wireless device for user TACACS+ authorization for all network-related service
            requests.
    Step 3  aaa authorization exec tacacs+
            Configures the wireless device for user TACACS+ authorization to determine if the user has
            privileged EXEC access. The exec keyword might return user profile information (such as
            autocommand information).
    Step 4  end
            Returns to privileged EXEC mode.
    Step 5  show running-config
            Verifies your entries.
    Step 6  copy running-config startup-config
            (Optional) Saves your entries in the configuration file.
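The method-list rule stated in this section (a later method is tried only when the previous one returns an error, never when it denies the user) is the part administrators most often get wrong when they configure `tacacs+ local` or `radius local` expecting the local database to act as a general fallback. The following Python model is an added example, not code from the manual or from Cisco IOS; the method names follow the tables above, and the user databases and server reachability flags are constructed sample data.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Outcome(Enum):
    """Result of one method, using the manual's distinction between a failure and an error."""
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the security server or local database explicitly denied the user
    ERROR = "error"  # the method could not answer (server unreachable, request timed out)


# A method takes (username, password) and returns an Outcome.
Method = Callable[[str, str], Outcome]


def local_method(user_db: Dict[str, str]) -> Method:
    """The 'local' method: consult the username database built with 'username ... password'."""
    def check(user: str, password: str) -> Outcome:
        if user_db.get(user) == password:
            return Outcome.PASS
        return Outcome.FAIL  # unknown user or wrong password is an explicit deny
    return check


def tacacs_method(reachable: bool, server_db: Dict[str, str]) -> Method:
    """The 'tacacs+' method: an unreachable server is an ERROR, a server deny is a FAIL."""
    def check(user: str, password: str) -> Outcome:
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if server_db.get(user) == password else Outcome.FAIL
    return check


def evaluate(method_list: List[Tuple[str, Method]],
             user: str, password: str) -> Tuple[Outcome, str]:
    """Walk the method list in order: move on only after an ERROR, stop on PASS or FAIL.

    Returns the final outcome and the name of the method that decided it; "none" means
    every method returned ERROR, and the login is not granted in that case.
    """
    for name, method in method_list:
        result = method(user, password)
        if result is Outcome.ERROR:
            continue  # this method could not answer, so try the next one
        return result, name
    return Outcome.ERROR, "none"


def login_allowed(method_list: List[Tuple[str, Method]], user: str, password: str) -> bool:
    """Only a PASS grants access; a FAIL or an exhausted list does not."""
    return evaluate(method_list, user, password)[0] is Outcome.PASS


# Constructed sample databases (not from the manual): the same administrator account exists
# on the TACACS+ server and in the local database, with different passwords.
SERVER_DB = {"admin": "server-secret", "netops": "ops-secret"}
LOCAL_DB = {"admin": "local-secret"}


def scenarios() -> Dict[str, Tuple[Outcome, str]]:
    """Three configurations described by the manual, evaluated with the server up and down."""
    up = [("tacacs+", tacacs_method(True, SERVER_DB)), ("local", local_method(LOCAL_DB))]
    down = [("tacacs+", tacacs_method(False, SERVER_DB)), ("local", local_method(LOCAL_DB))]
    only = [("tacacs+", tacacs_method(False, SERVER_DB))]
    return {
        # The server is reachable and rejects the local password: a FAIL, so 'local' is
        # never consulted even though it would have accepted the same credentials.
        "tacacs+ local, server denies": evaluate(up, "admin", "local-secret"),
        # The server is unreachable: an ERROR, so the list falls through to 'local'.
        "tacacs+ local, server down": evaluate(down, "admin", "local-secret"),
        # No backup method: an unreachable server leaves every administrator locked out.
        "tacacs+ only, server down": evaluate(only, "netops", "ops-secret"),
    }
```

The third scenario is why the manual recommends a backup method: with `tacacs+` alone, losing the server also loses console and vty access until it returns.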
    						
    To disable authorization, use the no aaa authorization {network | exec} method1 command in global 
    configuration mode. 
    Displaying the TACACS+ Configuration
    To display TACACS+ server statistics, use the show tacacs command in privileged EXEC mode.
    Administering the Wireless Hardware and Software
    This section provides instructions for performing the following tasks:
    • Resetting the Wireless Device to Factory Default Configuration, page 17-17
    • Rebooting the Wireless Device, page 17-17
    • Upgrading Software on the Access Point, page 17-18
    • Downgrading Software on the Access Point, page 17-20
    • Recovering Software on the Access Point, page 17-20
    • Monitoring the Wireless Device, page 17-20
    Resetting the Wireless Device to Factory Default Configuration
    To reset the wireless device hardware and software back to its factory default configuration, use the
    service-module wlan-ap0 reset default-config command in the router’s Cisco IOS privileged EXEC
    mode.
    Caution: Because you may lose data, use only the service-module wlan-ap0 reset command to recover from a
    shutdown or failed state.
    Rebooting the Wireless Device
    To perform a graceful shutdown and reboot the wireless device, use the service-module wlan-ap0 reload
    command in the router’s Cisco IOS privileged EXEC mode. At the confirmation prompt, press Enter to
    confirm the action or enter n to cancel.
    When running in autonomous mode, the reload command saves the configuration before rebooting. If
    the attempt is unsuccessful, the following message displays:
    Failed to save service module configuration.
    When running in LWAPP mode, the reload function is typically handled by the Wireless LAN Controller
    (WLC). Therefore, if you enter the service-module wlan-ap0 reload command, you will be prompted
    with the following message:
    The AP is in LWAPP mode. Reload is normally handled by WLC controller.
    Still want to proceed? [yes]
    						
    Upgrading Software on the Access Point
    Software Prerequisites 
    Cisco 880 Series routers with embedded access points are eligible to upgrade from autonomous image
    to Unified image, if the router is running advanced IP services feature set and Internet Operating System
    (IOS) software 12.4(20)T or 12.4(15)XZ1. Update the Wireless LAN Controller (WLC) software
    version to 5.1 or later.
    Preparing for the Upgrade
    Secure an IP Address on the Access Point
    Secure an IP address on the access point so it can communicate with the WLC and download the Unified
    image upon boot up. The host router provides DHCP server functionality to the access point through a
    DHCP pool; configure option 43 in that pool with the controller IP address so the access point can
    discover and communicate with the WLC.
    A sample configuration is provided.
    ip dhcp pool embedded-ap-pool
       network 60.0.0.0 255.255.255.0
       dns-server 171.70.168.183
       default-router 60.0.0.1
       option 43 hex f104.0a0a.0a0f
       ! option 43 carries the single WLC IP address (10.10.10.15) in hex format
    int vlan1
       ip address 60.0.0.1 255.255.255.0
    For more information about the WLC discovery process, refer to the Cisco Wireless LAN Configuration 
    Guide on Cisco.com. 
    http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/ccfig40.html
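The option 43 value in the sample pool is a small TLV: sub-option type 0xF1, a one-byte length equal to four times the number of controllers, then the controller IPv4 addresses, written in the dotted four-digit hex groups IOS accepts. The following Python helper is an added example, not from the manual or from Cisco; it builds and validates that value and generalizes the sample's single controller to a list of WLC addresses (the second address 10.10.10.16 is constructed).

```python
import ipaddress
from typing import List

# Vendor-specific sub-option type that carries WLC addresses for the access point.
WLC_SUBOPTION_TYPE = 0xF1


def encode_option43(controllers: List[str]) -> str:
    """Return the value for 'option 43 hex ...': type 0xF1, length 4*N, then N IPv4 addresses.

    The result uses dotted groups of four hex digits, the form of the manual's sample
    (one controller at 10.10.10.15 encodes as f104.0a0a.0a0f).
    """
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 0xFF:
        raise ValueError("too many controllers for the one-byte length field")
    raw = bytes([WLC_SUBOPTION_TYPE, len(payload)]) + payload
    hexstr = raw.hex()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def decode_option43(value: str) -> List[str]:
    """Parse a dotted-hex option 43 value back into controller addresses.

    Checks that the type byte is 0xF1 and that the length byte matches the payload and
    covers a whole number of IPv4 addresses, so a mistyped value is caught before the
    access point fails to find its controller at boot.
    """
    raw = bytes.fromhex(value.replace(".", ""))
    if len(raw) < 2:
        raise ValueError("value too short for a type/length header")
    sub_type, length = raw[0], raw[1]
    if sub_type != WLC_SUBOPTION_TYPE:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    payload = raw[2:]
    if len(payload) != length or length % 4 != 0:
        raise ValueError("length byte does not match a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # Reproduce the manual's sample value, then a two-controller (constructed) variant.
    print(encode_option43(["10.10.10.15"]))
    print(encode_option43(["10.10.10.15", "10.10.10.16"]))
    print(decode_option43("f104.0a0a.0a0f"))
```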
    Prior to the Upgrade
    Perform the following steps.
    1. Ping the WLC from the router to confirm IP connectivity.
    2. Enter the service-module wlan-ap 0 session command to session into the access point.
    3. Confirm the access point is running an autonomous boot image.
    4. Enter the show boot command on the access point to confirm the mode setting is enabled.
    Autonomous-AP#show boot
    BOOT path-list:      flash:ap801-k9w7-mx.124-10b.JA3/ap801-k9w7-mx.124-10b.JA3
    Config file:         flash:/config.txt
    Private Config file: flash:/private-config
    Enable Break:        yes
    Manual Boot:         yes
    Enable IOS Break:    no
    HELPER path-list:
    NVRAM/Config filebuffer size:   32768
    Mode Button:    on
    						
    Performing the Upgrade
    Upgrade the autonomous software image to a Unified software image on the access point.
    Step 1  Issue the service-module wlan-ap 0 bootimage unified command to change the access point boot
            image to a Unified upgrade image, which is also known as a recovery image.
    Router#conf terminal
    Router(config)#service-module wlan-ap 0 bootimage unified
    Router(config)#end
    Note: If the service-module wlan-ap 0 bootimage unified command does not work successfully,
    check if the software license is still eligible.
    On the access point console, use the show boot command to identify the access point’s boot
    image path:
    autonomous-AP#show boot
    BOOT path-list:      flash:/ap801-rcvk9w8-mx/ap801-rcvk9w8-mx
    Step 2  Issue the service-module wlan-ap 0 reload command to perform a graceful shutdown and reboot of
            the access point to complete the upgrade process. Then session into the access point and monitor
            the upgrade process.
    Note: See the 12.4(20)T Command Reference guides on Cisco.com for more information about the
    service-module wlan-ap 0 bootimage command.
    Troubleshooting an Upgrade or Reverting the AP to Autonomous Mode
    Q. My access point failed to upgrade to Unified software, and it appears stuck in recovery mode. What
    shall I do?
    A. If the access point fails to upgrade to the Unified software and appears stuck in recovery mode,
    check connectivity between the router and the WLC by issuing the ping command. Next, downgrade the
    access point software back to autonomous and perform troubleshooting.
    Issue the service-module wlan-ap0 bootimage autonomous command, and then issue the
    service-module wlan-ap0 reset bootloader command to return the access point to bootloader
    mode.
    Issue the service-module wlan-ap 0 session command to access the wireless device’s bootloader
    mode, then boot up the access point by loading the autonomous image.
    c880#conf terminal
    c880(config)#service-module wlan-ap 0 bootimage autonomous
    c880(config)#end
    C880# service-module wlan-ap0 reset bootloader
    C880# service-module wlan-ap0 session
    ap: dir flash:
    Directory of flash:/
    1    drwx  192                      ap801-k9w7-mx.124-16b.JA
    2    drwx  192                      ap801-rcvk9w8-mx
    ap: BOOT=flash:ap801-k9w7-mx.124-16b.JA/ap801-k9w7-mx.124-16b.JA
    ap: boot
    						
    Note: The service-module wlan-ap0 bootimage command does not take effect when the access point
    is in bootloader or Unified recovery mode.
    Q. My access point is attempting to boot, but keeps failing. Why? My access point is stuck in the
    recovery image and will not upgrade to the Unified software. Why?
    A. When the access point tries to boot but fails, or when it is stuck in the recovery image and fails to
    upgrade to the Unified software, use the service-module wlan-ap0 reset bootloader command to
    return it to bootloader for manual image recovery.
    Downgrading Software on the Access Point
    Use the service-module wlan-ap0 bootimage autonomous command to reset the access point BOOT 
    back to the last autonomous image. Follow up with the service-module wlan-ap 0 reload command to 
    reload the access point with the autonomous software image.
    Recovering Software on the Access Point
    Recover the image on the access point with the service-module wlan-ap0 reset bootloader command. 
    This command returns the access point to the bootloader for manual image recovery.
    Caution: Use this command with caution. It does not provide an orderly shutdown and consequently
    may impact file operations that are in progress. Use this command only to recover from a
    shutdown or failed state.
    Monitoring the Wireless Device
    This section provides commands for monitoring hardware on the router.
    • Displaying Wireless Device Statistics, page 17-20
    • Displaying Wireless Device Status, page 17-21
    Displaying Wireless Device Statistics
    Use the service-module wlan-ap0 statistics command in the router’s Cisco IOS privileged EXEC mode 
    to display wireless device statistics. The following is sample output for the command:
      CLI reset count = 0
      CLI reload count = 1
      Registration request timeout reset count = 0
      Error recovery timeout reset count = 0
      Module registration count = 10
    The last IOS initiated event was a cli reload at *04:27:32.041 UTC Fri Mar 8 2007 
    						
    Displaying Wireless Device Status
    Use the service-module wlan-ap0 status command in the router’s Cisco IOS privileged EXEC mode to 
    display the status of the wireless device and its configuration information. The following is sample 
    output for the command:
    Service Module is Cisco wlan-ap0
    Service Module supports session via TTY line 2
    Service Module is in Steady state
    Service Module reset on error is disabled
    Getting status from the Service Module, please wait..
     Image path = flash:c8xx_19xx_ap-k9w7-mx.acregr/c8xx_19xx_ap-k9w7-mx.acregr
    System uptime = 0 days, 4 hours, 28 minutes, 5 seconds
    Router#
    This command was introduced for embedded wireless LAN access points on Cisco 860 and 880
    Series Integrated Services Routers.
    Managing the System Time and Date
    You can manage the system time and date on the wireless device automatically, using the Simple 
    Network Time Protocol (SNTP), or manually, by setting the time and date on the wireless device.
    Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS
    Configuration Fundamentals Command Reference for Release 12.4.
    This section contains the following configuration information:
    • Understanding Simple Network Time Protocol, page 17-21
    • Configuring SNTP, page 17-22
    • Configuring Time and Date Manually, page 17-22
    Understanding Simple Network Time Protocol
    Simple Network Time Protocol (SNTP) is a simplified, client-only version of NTP. SNTP can only 
    receive the time from NTP servers; it cannot be used to provide time services to other systems. SNTP 
    typically provides time within 100 milliseconds of the accurate time, but it does not provide the complex 
    filtering and statistical mechanisms of NTP. 
    You can configure SNTP to request and accept packets from configured servers or to accept NTP 
    broadcast packets from any source. When multiple sources are sending NTP packets, the server with the 
    best stratum is selected. Click this URL for more information on NTP and strata:
    http://www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd303.html#wp1001075 
    If multiple servers are at the same stratum, a configured server is preferred over a broadcast server. If 
    multiple servers pass both tests, the first one to send a time packet is selected. SNTP will choose a new 
    server only if it stops receiving packets from the currently selected server, or if a better server (according 
    to the above criteria) is discovered. 
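The selection rules in the two paragraphs above amount to a ranking plus a stickiness rule, and the order matters for trust: a stratum-1 broadcast source from any host on the segment outranks a configured server, which is the trade-off of enabling sntp broadcast client. The following Python model is an added example, not from the manual or from Cisco IOS; the source addresses (RFC 5737 documentation range), strata and packet times are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TimeSource:
    """One NTP source as seen by the SNTP client (constructed model, not IOS internals)."""
    address: str
    stratum: int        # lower is better; 1 is a server attached to a reference clock
    configured: bool    # True for an 'sntp server' entry, False for a broadcast source
    first_seen: float   # arrival time of its first packet, used as the final tie-break


def rank(src: TimeSource):
    """Sort key for the manual's order: stratum, then configured over broadcast, then first packet."""
    return (src.stratum, 0 if src.configured else 1, src.first_seen)


def select_server(current: Optional[TimeSource],
                  candidates: List[TimeSource],
                  still_receiving: bool) -> Optional[TimeSource]:
    """Return the server SNTP should use after a round of packets.

    The current server is kept unless packets from it have stopped or a candidate
    ranks strictly better under rank(); otherwise the best-ranked candidate is chosen.
    """
    if not candidates:
        return None
    best = min(candidates, key=rank)
    if current is None or not still_receiving:
        return best
    return best if rank(best) < rank(current) else current


# Constructed sources using documentation addresses (RFC 5737 192.0.2.0/24).
CONFIGURED_A = TimeSource("192.0.2.10", stratum=2, configured=True, first_seen=1.0)
CONFIGURED_B = TimeSource("192.0.2.11", stratum=2, configured=True, first_seen=0.2)
BROADCAST_S2 = TimeSource("192.0.2.20", stratum=2, configured=False, first_seen=0.1)
BROADCAST_S1 = TimeSource("192.0.2.30", stratum=1, configured=False, first_seen=5.0)


def walkthrough() -> List[str]:
    """Run the selection through four rounds and return the chosen address after each."""
    chosen = []
    # Round 1: the broadcast source was heard first, but configured servers win at equal
    # stratum, and of the two configured servers the first to send a packet (B) is chosen.
    current = select_server(None, [BROADCAST_S2, CONFIGURED_A, CONFIGURED_B], True)
    chosen.append(current.address)
    # Round 2: packets keep arriving and nothing better has appeared, so B is kept.
    current = select_server(current, [BROADCAST_S2, CONFIGURED_A, CONFIGURED_B], True)
    chosen.append(current.address)
    # Round 3: a stratum-1 broadcast server appears; better stratum beats 'configured'.
    current = select_server(current,
                            [BROADCAST_S2, CONFIGURED_A, CONFIGURED_B, BROADCAST_S1], True)
    chosen.append(current.address)
    # Round 4: the stratum-1 server goes silent, so the best remaining source is chosen.
    current = select_server(current, [BROADCAST_S2, CONFIGURED_A, CONFIGURED_B], False)
    chosen.append(current.address)
    return chosen
```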
    						
    Configuring SNTP
    SNTP is disabled by default. To enable SNTP on the access point, use one or both of the commands
    listed in Table 17-2 in global configuration mode.
    Enter the sntp server command once for each NTP server. The NTP servers must be configured to 
    respond to the SNTP messages from the access point.
    If you enter both the sntp server command and the sntp broadcast client command, the access point 
    accepts time from a broadcast server but prefers time from a configured server, assuming the strata are 
    equal. To display information about SNTP, use the show sntp EXEC command.
    Configuring Time and Date Manually
    If no other source of time is available, you can manually configure the time and date after the system is 
    restarted. The time remains accurate until the next system restart. We recommend that you use manual 
    configuration only as a last resort. If you have an outside source to which the wireless device can 
    synchronize, you do not need to manually set the system clock. 
    This section contains the following configuration information:
    • Setting the System Clock, page 17-22
    • Displaying the Time and Date Configuration, page 17-23
    • Configuring the Time Zone, page 17-23
    • Configuring Summer Time (Daylight Saving Time), page 17-24
    Setting the System Clock
    If you have an outside source on the network that provides time services, such as an NTP server, you do 
    not need to manually set the system clock.
    To set the system clock, follow these steps beginning in privileged EXEC mode:
    Table 17-2 SNTP Commands

    sntp server {address | hostname} [version number]
            Configures SNTP to request NTP packets from an NTP server.
    sntp broadcast client
            Configures SNTP to accept NTP packets from any NTP broadcast server.
    						