WLANs Tab

The WLAN tab on the menu bar enables you to create, configure, and delete wireless local area networks (WLANs) on your Cisco WLC. Use the left navigation pane to access specific WLAN parameters.

You can access the following pages from the WLANs tab:

When you choose WLANs and click the blue arrow adjacent to the profile, you can access the following options:

WLANs

Click WLANs to navigate to the WLANs page.

This page shows a summary of the wireless local area networks (WLANs) that you have configured on your network. From this page, you can add, remove, enable, disable, or edit WLANs.


Note The total number of WLANs appears in the upper right corner of the page. If the list of WLANs spans multiple pages, you can access these pages by clicking the page number links.


The Cisco UWN (Unified Wireless Network) solution can control up to 512 WLANs for lightweight access points. Each WLAN has a separate WLAN ID (1 through 512), a separate profile name, and a WLAN SSID (Service Set IDentifier), and can be assigned unique security policies. All Cisco WLCs publish up to 16 WLANs to each connected access point, but you can create up to 512 WLANs and then selectively publish these WLANs (using access point groups) to different access points to better manage your wireless network.


Note All OfficeExtend access points should be in the same access point group, and that group should contain no more than 15 WLANs. A Cisco WLC with OfficeExtend access points in an access point group publishes up to 15 WLANs to each connected OfficeExtend access point because it reserves one WLAN for the personal SSID, but for Cisco OEAP 600, this is not applicable.



Note The Cisco OEAP 600 Series access point supports only two WLANs and one RLAN, and the WLAN ID must be from 1 to 8.


You can associate up to 16 WLANs with each access point group and assign specific access points to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group. See the AP Groups page for more information on access point groups.
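The publishing rules above can be checked against an exported inventory to see which SSIDs each access point group actually puts on air. The following is an added example, not Cisco code; the dictionary layout, SSIDs, and group names are constructed for illustration.

```python
# Added example: models the access point group publishing rules described above.
# All records are constructed sample data in a hypothetical schema.

MAX_WLAN_ID = 512
GROUP_LIMIT = 16        # WLANs that can be associated with one access point group
OEAP_GROUP_LIMIT = 15   # limit for the group that holds OfficeExtend access points

WLANS = {  # constructed inventory keyed by WLAN ID
    1: {"ssid": "corp", "enabled": True, "security": "WPA2"},
    2: {"ssid": "guest", "enabled": True, "security": "None"},
    3: {"ssid": "lab", "enabled": False, "security": "None"},
    40: {"ssid": "warehouse", "enabled": True, "security": "WPA2"},
}
# Thirteen disabled filler WLANs so that one group can exceed its limit.
WLANS.update({i: {"ssid": f"filler-{i}", "enabled": False, "security": "WPA2"}
              for i in range(4, 17)})

AP_GROUPS = {  # constructed access point groups
    "hq": {"wlan_ids": [1, 2, 3], "office_extend": False},
    "teleworker": {"wlan_ids": list(range(1, 17)), "office_extend": True},
}


def advertised_ids(group, wlans):
    """An AP advertises only the enabled WLANs that belong to its group."""
    return sorted(i for i in group["wlan_ids"] if i in wlans and wlans[i]["enabled"])


def open_ssids_on_air(groups, wlans):
    """Per group, the advertised SSIDs that have no security policy."""
    return {name: [wlans[i]["ssid"] for i in advertised_ids(group, wlans)
                   if wlans[i]["security"] == "None"]
            for name, group in groups.items()}


def review(groups, wlans):
    """Flag groups over their WLAN limit, bad IDs, and WLANs in no group."""
    findings = []
    assigned = set()
    for name, group in groups.items():
        assigned.update(group["wlan_ids"])
        limit = OEAP_GROUP_LIMIT if group["office_extend"] else GROUP_LIMIT
        count = len(group["wlan_ids"])
        if count > limit:
            findings.append(f"group {name}: {count} WLANs exceeds limit of {limit}")
    for wlan_id, wlan in sorted(wlans.items()):
        if not 1 <= wlan_id <= MAX_WLAN_ID:
            findings.append(f"WLAN {wlan_id}: ID outside 1 through {MAX_WLAN_ID}")
        if wlan_id not in assigned:
            findings.append(f"WLAN {wlan_id} ({wlan['ssid']}): not assigned to any group")
    return findings


if __name__ == "__main__":
    print(open_ssids_on_air(AP_GROUPS, WLANS))
    for finding in review(AP_GROUPS, WLANS):
        print(finding)
```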

WLAN List Filter

Click the Change Filter link to display the Search WLANs dialog box to create or change filter parameters. Click Clear Filter to remove the filter and display the entire WLAN list.

You can create a filter to display the list of WLANs by profile name, SSID, status, or a combination of SSID and status.

The current filter parameters are displayed in the Current Filter field.


Note When you enable the Profile Name filter, other filter options are disabled. When you enable the SSID or the Status filter, the Profile Name filter is disabled.


The Search WLANs dialog box enables you to search configured WLANs based on the following filters:

  • Profile Name—Select the Profile Name check box and enter a profile name.
  • SSID—Select the SSID check box and enter an SSID.
  • Status—Select the Status check box and choose Enabled or Disabled.
  • Find—Click Find to search for the WLAN based on the filter parameters.

WLAN Information Table

Click WLANs from the left navigation menu to view the WLAN page. The WLANs page displays a summary of the configured WLANs.

This table describes the WLAN parameters.

Table 3-1 WLANs Summary

Parameter           Description
WLAN ID             ID of the WLAN.
Type                Type of LAN: WLAN, Guest LAN, or Remote LAN.
Profile Name        Profile name of the WLAN.
WLAN SSID           Definable name of the WLAN (text string).
Admin Status        Status of the WLAN is either enabled or disabled.
Security Policies   Security policies enabled on the WLAN.

Click the WLAN ID to modify the selected WLAN characteristics. The Editing WLANs page appears.

To view mobility anchor settings, click the blue arrow adjacent to the profile and choose Mobility Anchors.

To enable or disable a WLAN from the WLANs page, select the check box to the left of the WLAN or WLANs, choose Enable Selected or Disable Selected from the drop-down list, and click Go.

To delete a WLAN, do one of the following:

  • Click the blue arrow adjacent to the profile and choose Remove. You are prompted to confirm the removal of the selected WLAN.
  • Select the check box for the WLAN or WLANs, choose Remove Selected from the drop-down list, and select Go. You are prompted to confirm the removal of the selected WLAN.
  • Click Go to select an option from the drop-down list.

Creating New WLANs

To configure a new WLAN for a wired guest LAN, choose Create New from the drop-down list and click Go to navigate to the New WLAN page.

This table describes the WLAN > New parameters.

Table 3-2 WLAN > New Parameters

Parameter
Description

Type

Type of WLAN: Guest WLAN, WLAN, or Remote LAN.

Note Cisco 2504 Controllers do not support wired guest services.

Profile Name

Profile name of the WLAN.

SSID

SSID field is displayed if you choose WLAN from the Type drop-down list. Definable name of the WLAN (text string). This is the SSID broadcast name for the WLAN.

ID

ID number for the WLAN.

Guest LAN—Enter guest LAN identifier between 1 and 5.

WLAN—Enter WLAN identifier between 1 and 512. If there are more than two WLANs enabled for an AP group, disable all WLANs and then enable only two of them.

Remote LAN—Enter remote LAN identifier between 1 and 512. If there is more than one remote LAN enabled for an AP group, disable all remote LANs and then enable only one of them.

Note If the Cisco OEAP 600 is in the default group, the WLAN/Remote LAN IDs must be set as less than ID 8.

Creating a WLAN


Step 1 Choose a WLAN type (Guest LAN, WLAN, or Remote LAN) from the drop-down list.


Note The WLANs that are not assigned to the access points are denoted with an asterisk (*) symbol.



Note To connect wired clients to a corporate network via an Office Extended AP, choose Remote LAN from the WLAN Type drop-down list. Once a user creates a remote LAN, it shows up on the list page as a distinct WLAN type.



Note Remote LANs should be removed from a Cisco WLC’s configuration before moving to a code base that does not support the remote LAN functionality. The remote LAN is called a WLAN in releases earlier than Cisco WLC Release 7.0.116.0, which may cause an undesirable or unsecured WLAN to be broadcast on the wireless network. Remote LANs are supported only in Cisco WLC Release 7.0.116.0 and later.


Step 2 Enter a profile name for the WLAN in the Profile Name text box.

Step 3 Enter a text name for the WLAN in the WLAN SSID text box. (This is the SSID broadcast name for the WLAN.)


Note The SSID field is not available for Guest LANs and Remote LANs.


Step 4 Choose the ID number for the WLAN from the WLAN ID drop-down list.

Step 5 Click Apply to bring up the Editing WLANs page, where you can continue configuring the WLAN.

Once created, the selected WLAN type shows up in the list page as a distinct WLAN type: guest LAN, WLAN, or remote LAN.

Clicking Apply sends the data to the Cisco WLC, but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM. To keep the changes across a power cycle, click Save Configuration.

Creating a Remote LAN

This section describes configuring remote LANs.


Caution You must remove all the remote LANs from the configuration of the Cisco WLC before moving to a release that does not support the remote LAN functionality. The remote LAN is called a WLAN in releases earlier than Cisco WLC Release 7.0.116.0, which may cause an undesirable or unsecured WLAN to be broadcast on the wireless network. Remote LANs are supported only in Cisco WLC 7.0.116.0 and later.


Note Only four clients can connect to an OEAP 600 series access point through a remote LAN port. This number does not affect the limit of fifteen imposed for the Cisco WLC WLANs. The Remote LAN client limit supports connecting a switch or hub to the Remote LAN port for multiple devices or connecting directly to a Cisco IP phone that is connected to that port. Only the first four devices will be able to connect until one of the devices is idle for more than one minute.



Step 1 Choose WLANs to open the WLANs page.

This page lists all of the WLANs and remote LANs currently configured on the Cisco WLC. For each WLAN, you can see its WLAN/Remote LAN ID, profile name, type, SSID, status, and security policies.

The total number of WLANs appears in the upper right-hand corner of the page. If the list of WLANs spans multiple pages, you can access these pages by clicking the page number links.


Note If you want to delete a WLAN, click the blue arrow adjacent to the WLAN and choose Remove, or select the check box to the left of the WLAN, choose Remove Selected from the drop-down list, and click Go. A message appears asking you to confirm your decision. If you proceed, the WLAN is removed from any access point group to which it is assigned and from the access point’s radio.


Step 2 Create a new WLAN by choosing Create New from the drop-down list and clicking Go. The WLANs > New page appears.

Step 3 From the Type drop-down list, choose Remote LAN to create a remote LAN.

Step 4 In the Profile Name text box, enter up to 32 alphanumeric characters for the profile name to be assigned to this WLAN. The profile name must be unique.

Step 5 From the WLAN ID drop-down list, choose the ID number for this WLAN.

Step 6 Click Apply to commit your changes. The WLANs > Edit page appears.


Note You can also open the WLANs > Edit page from the WLANs page by clicking the ID number of the WLAN that you want to edit.


Step 7 Use the parameters on the General, Security, and Advanced tabs to configure this remote LAN. See the sections in the rest of this chapter for instructions on configuring specific features.

Step 8 On the General tab, select the Status check box to enable this remote LAN. Be sure to leave it unselected until you have finished making configuration changes to the remote LAN.


Note You can also enable or disable remote LANs from the WLANs page by selecting the check boxes to the left of the IDs that you want to enable or disable, choosing Enable Selected or Disable Selected from the drop-down list, and clicking Go.


Step 9 Click Apply to commit your changes.

Step 10 Click Save Configuration to save your changes.

Editing WLANs

To edit your WLAN settings, choose WLANs and click the Profile name to navigate to the WLANs > Edit page. For new WLANs, create a new WLAN as described in Creating New WLANs, and then click Apply to navigate to this page.

This page enables you to edit the configurable parameters for a WLAN.

The WLAN > Edit page consists of the following four tabs:

  • General
  • Security
  • QoS
  • Policy-Mapping
  • Advanced

General Tab

This table describes the General tab parameters.

Table 3-3 General Tab Parameters

Parameter
Description

Profile Name

Configured profile name of the WLAN.

Type

Type of LAN that is configured in the WLANs > New page: WLAN, Guest LAN, or Remote LAN.

SSID

SSID of the WLAN.

Status

WLAN that you want to enable or disable. The default is enabled.

Security Policies

Security policies for a WLAN that you set from the Security tab.

Note This field appears when you choose WLAN as the Type in the WLANs > New page.

Radio Policy

WLAN radio policy to apply to All (802.11a/b/g), 802.11a only, 802.11g only, 802.11b/g only, or 802.11a/g only. This setting requires that the selected bands be enabled on the 802.11a/n/ac Global Parameters and 802.11a/n/ac Client Roaming pages.

Note This field appears only when you choose WLAN as the Type in the WLANs > New page.

Interface/Interface Group (G)

Limited to the nonservice port and nonvirtual interface names configured on the Interfaces page.

Note This field appears only when you choose WLAN as the Type in the WLANs > New page.

Multicast Vlan Feature

Check box that you can select to enable the multicast VLAN feature. The default option is none.

Note The Multicast Interface field appears only after you select the Multicast VLAN feature check box.

Note You have to configure the multicast VLAN feature only once if you want to use the multicast feature.

Broadcast SSID

Service Set Identifier for this WLAN.

Ingress Interface

Guest LAN’s ingress interface. By default, None is selected.

Note This field is available only for guest LANs.

Egress Interface

Remote LAN’s or guest LAN’s egress interface. By default, management is selected.

Note This field is available only for remote LANs and guest LANs.

NAS-ID

Network Access Server identifier. The NAS-ID is sent to the RADIUS server by the controller (as a RADIUS client) using the authentication request, which is used to classify users to different groups. You can enter up to 32 alphanumeric characters.

In Release 7.4 and later releases, you can configure the NAS-ID on the interface, WLAN, or an access point group. The order of priority is AP Group NAS-ID > WLAN NAS-ID > Interface NAS-ID.

Security Tab

The Security tab consists of three tabs:

Important Limitations and Guidelines:

  • CCX is not supported on the Cisco OEAP 600 access points and all elements related to CCX are not supported.
  • Layer 2 security is not supported on guest LANs.
  • Only the following options are supported for Cisco OEAP 600 Series access points: None, WPA+WPA2, Static WEP, and 802.1X (only for remote LANs).
  • In Release 7.4 and later releases, the controller performs both web authentication (WebAuth) and 802.1X authentication in the same WLAN. The clients are initially authenticated with 802.1X. After a successful authentication, the client must provide the WebAuth credentials. After a successful WebAuth authentication, the client is moved to the run state. 802.1X authentication can be performed using AAA or a local database.
  • For auto-anchored guest WLANs, the guidelines are as follows:
      • Only the anchor controller must have both dot1x and WebAuth configured.
      • Both the anchor and foreign controllers must be configured for dot1x.

This table describes the Layer 2 tab parameters.

Table 3-4 Layer 2 Tab Parameters

Parameter
Description

Layer 2 Security

None

No Layer 2 security selected.

WPA+WPA2

Wi-Fi Protected Access.

For information on these settings, see the Layer 2 WPA + WPA2 Parameters topic.

802.1X

WEP 802.1X data encryption type.

For information on these settings, see the Layer 2 802.1X Parameters topic.

Static WEP

Static WEP encryption parameters.

For information on these settings, see the Layer 2 Static WEP Parameters topic.

Static WEP + 802.1X

Both Static WEP and 802.1X parameters.

For information on these settings, see the Layer 2 Static WEP Parameters and Layer 2 802.1X Parameters topics.

CKIP

Cisco Key Integrity Protocol (CKIP). Functional on AP Models 1100, 1130, and 1200, but not AP 1000. Aironet IE needs to be enabled for this feature to work. CKIP expands the encryption keys to 16 bytes.

For information on these settings, see the Layer 2 CKIP Parameters topic.

None + EAP Passthrough

Both None and Extensible Authentication Protocol Passthrough parameters.

If EAP-Passthrough on the WLAN is enabled, the WLAN might be exposed to security attacks on the network.

MAC Filtering

MAC address filtering. You can locally configure clients by their MAC addresses in the Adding MAC Filters page. Otherwise, configure the clients on a RADIUS server.

Mac Auth or Dot1x

MAC authentication failover to Dot1x authentication for the WLAN. The prerequisites for the failover to work are as follows:

  • MAC Filtering must be enabled.
  • Layer 2 security must be 802.1X and Static WEP.

The failover does not work with the RADIUS NAC feature.

If MAC authentication is successful and the client sends an EAP start request to start 802.1X authentication, the client must pass 802.1X authentication to send data traffic, or the client is deauthenticated.

When MAC Auth fails, the client authenticates using 802.1X or it is deauthenticated. If MAC Auth passes, then the client authenticates using 802.1X if required (for Static WEP Clients) depending on the client configuration.

Fast Transition

Fast Transition

Check box to enable or disable a fast transition between access points.

Over the DS

Check box to enable or disable a fast transition over a distributed system.

Reassociation Timeout

Time in seconds after which a fast transition reassociation times out.

This table describes the Layer 2 WPA + WPA2 parameters.

Table 3-5 Layer 2 WPA + WPA2 Parameters

Parameter
Description
Fast Transition

Fast Transition

Check box to enable or disable a fast transition between access points.

Over the DS

Check box to enable or disable a fast transition over a distributed system.

Re-association Timeout

Time in seconds after which a fast transition reassociation times out.

Protected Management Frame

PMF

Drop-down list from which you can choose the following:

  • Disabled—Disables 802.11w MFP protection on a WLAN.
  • Optional—Enables 802.11w MFP protection on a WLAN.
  • Required—Requires clients to negotiate 802.11w MFP protection on a WLAN.

802.11w introduces an Integrity Group Temporal Key (IGTK) that is used to protect broadcast or multicast management frames. The IGTK is a random value, assigned by the authenticator station (Cisco WLC), that is used to protect MAC management protocol data units (MMPDUs) from the source STA. The 802.11w IGTK is derived using the four-way handshake and is used only on WLANs configured with WPA or WPA2 security at Layer 2.

Comeback Timer

Association comeback interval, in seconds. This is the interval that an associated client must wait before the association is tried again after it is denied with the status code 30 message:

Association request rejected temporarily; Try again later.

The range is from 1 to 20. The default value is 1.

SA Query Timeout

Security Association (SA) query interval, in ms. The timeout is an interval identified in the association response to an already associated client before the association can be tried again. This time interval checks if the client is a real client and not a rogue client during the association comeback time. If the client does not respond within this time, the client association is deleted from the Cisco WLC.

The range is from 100 to 500. The default value is 200.

WPA+WPA2 Parameters

WPA Policy

Check box to enable or disable the WPA Policy.

WPA2 Policy

Check box to enable or disable the WPA2 Policy.

WPA2 Encryption

WPA2 encryption type: TKIP or AES. Available only if the WPA2 Policy is enabled.

Authentication Key Management

802.1x

An access point that supports 802.1X acts as the interface between a wireless client and an authentication server, such as a RADIUS server, to which the access point communicates over the wired network. If 802.1X is selected, only 802.1X clients are supported.

CCKM

Cisco Centralized Key Management (CCKM) uses a fast rekeying technique that enables clients to roam from one access point to another without going through the controller, typically in under 150 ms.

PSK

ASCII or HEX format that you can choose, after which you enter the preshared key.

FT 802.1x

Authentication key management for fast transition using 802.1X.

Note You can configure FT 802.1X only if you enable the WPA2 policy.

FT PSK

ASCII or HEX format that you can choose, after which you enter the preshared key for fast transition.

Note You can configure FT PSK only if you enable the WPA2 policy.

PMF 802.1x

802.1X authentication for protection of management frames (PMF).

PMF PSK

Preshared keys (PSK) for PMF. Select an ASCII or HEX format, and enter the preshared key for fast transition.

WPA gtk-randomize State

Drop-down list to enable or disable the WPA group temporal key (GTK) randomize state.

Note For the Cisco OEAP 600 Series access points, do not choose CCKM. Choose either 802.1X or PSK.

Note For the Cisco OEAP 600 Series access point, security encryption settings must be identical for WPA and WPA2 for TKIP and AES.

Note Fast roaming for clients is not supported on the Cisco OEAP 600 Series access points. Dual mode voice clients might experience reduced call quality when they roam between the two spectrums on the Cisco OEAP 600 Series access point. We recommend that you configure voice devices to connect on only one band, either the 2.4-GHz or the 5.0-GHz radio.

This table describes the Layer 2 802.1X parameters.

Table 3-6 Layer 2 802.1X Parameters

Parameter
Description

802.11 data encryption

WEP 802.11 data encryption type.

Type

Security type.

Key size

Key size that you can choose:

  • None
  • 40 bits
  • 104 bits

Note The third-party AP WLAN (17) can only be configured with 802.1X encryption. Drop-down configurable 802.1X parameters are not available for this WLAN.

This table describes the Layer 2 Static WEP parameters.

Table 3-7 Layer 2 Static WEP Parameters

Parameter
Description

802.11 Data Encryption

Static WEP encryption type.

Type

Security type.

Key size

Key size that you can choose:

  • not set
  • 40 bits
  • 104 bits

Key Index

Key index, from 1 to 4.

Note One unique WEP key index can be applied to each WLAN. Because there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer 2 encryption.

Encryption Key

Encryption key.

Key Format

Encryption key format in ASCII or HEX.

Allow Shared Key Authentication

Key authentication that you can enable or disable.

This table describes the Layer 2 CKIP parameters.

Table 3-8 Layer 2 CKIP Parameters

Parameter
Description

802.11 Data Encryption

Current key information.

Key size

Key size that you can choose:

  • not set
  • 40 bits
  • 104 bits

Key Index

Key index, from 1 to 4.

Note One unique WEP key index can be applied to each WLAN. Because there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer 2 encryption.

Encryption Key

Encryption key.

Key Format

Encryption key format in ASCII or HEX.

MMH Mode

Multimodular Hash (MMH) mode that you can enable; the default is enabled.

Key Permutation

Key permutation that you can enable or disable. The default is enabled. Key permutation is a data encryption technique that uses the basic encryption key and the current initialization vector (IV) to create a new key.
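The Layer 2 limitations, the PMF timer ranges, the WPA2 prerequisite for fast transition key management, and the one-key-index-per-WLAN rule for static WEP can be checked mechanically before a configuration is applied. The following is an added example, not Cisco code; the record keys and the sample profiles are a hypothetical schema with constructed values.

```python
# Added example: checks constructed WLAN records against the Layer 2
# constraints stated on this page. Record keys are a hypothetical schema.
from collections import defaultdict

OEAP600_L2 = {"None", "WPA+WPA2", "Static WEP", "802.1X"}  # options listed for OEAP 600
FT_AKM = {"FT 802.1x", "FT PSK"}                            # require the WPA2 policy
STATIC_WEP = {"Static WEP", "Static WEP + 802.1X"}


def audit_wlan(w):
    """Return the findings for one WLAN record."""
    out = []
    l2 = w.get("l2_security", "None")
    akm = set(w.get("akm", []))

    if w["type"] == "Guest LAN" and l2 != "None":
        out.append("Layer 2 security is not supported on guest LANs")
    if l2 == "None + EAP Passthrough":
        out.append("EAP passthrough might expose the WLAN to security attacks")

    if w.get("oeap600"):
        if l2 not in OEAP600_L2:
            out.append(f"{l2} is not supported on OEAP 600")
        elif l2 == "802.1X" and w["type"] != "Remote LAN":
            out.append("802.1X on OEAP 600 is supported only for remote LANs")
        if "CCKM" in akm:
            out.append("do not choose CCKM on OEAP 600; use 802.1X or PSK")

    if akm & FT_AKM and not w.get("wpa2_policy", False):
        out.append("FT key management requires the WPA2 policy")

    if w.get("pmf", "Disabled") != "Disabled":
        if l2 != "WPA+WPA2":
            out.append("PMF applies only to WLANs using WPA or WPA2 at Layer 2")
        if not 1 <= w.get("comeback_timer", 1) <= 20:      # default is 1
            out.append("comeback timer outside 1 to 20 seconds")
        if not 100 <= w.get("sa_query_ms", 200) <= 500:    # default is 200
            out.append("SA query timeout outside 100 to 500 ms")

    if l2 in STATIC_WEP and w.get("wep_key_index") not in (1, 2, 3, 4):
        out.append("static WEP key index must be 1 to 4")
    return out


def audit(wlans):
    """Audit every record, then apply the cross-WLAN rule on WEP key indexes."""
    report = {w["profile"]: audit_wlan(w) for w in wlans}
    by_index = defaultdict(list)
    for w in wlans:
        if w.get("l2_security") in STATIC_WEP:
            by_index[w.get("wep_key_index")].append(w["profile"])
    for index, profiles in by_index.items():
        if len(profiles) > 1:  # one unique key index per WLAN
            for profile in profiles:
                report[profile].append(f"WEP key index {index} is shared with another WLAN")
    return report


SAMPLE = [  # constructed records
    {"profile": "corp", "type": "WLAN", "l2_security": "WPA+WPA2", "wpa2_policy": True,
     "akm": ["802.1x"], "pmf": "Required", "comeback_timer": 1, "sa_query_ms": 200},
    {"profile": "voice-ft", "type": "WLAN", "l2_security": "WPA+WPA2", "wpa2_policy": False,
     "akm": ["FT PSK"], "pmf": "Optional", "comeback_timer": 30, "sa_query_ms": 200},
    {"profile": "legacy-a", "type": "WLAN", "l2_security": "Static WEP", "wep_key_index": 1},
    {"profile": "legacy-b", "type": "WLAN", "l2_security": "Static WEP", "wep_key_index": 1},
    {"profile": "guest-wired", "type": "Guest LAN", "l2_security": "802.1X"},
    {"profile": "home-office", "type": "WLAN", "oeap600": True, "l2_security": "WPA+WPA2",
     "wpa2_policy": True, "akm": ["CCKM"]},
]

if __name__ == "__main__":
    for profile, findings in audit(SAMPLE).items():
        print(profile, findings or "ok")
```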

This table describes the Layer 3 Tab (for WLAN) parameters.

Table 3-9 Layer 3 Tab (for WLAN) Parameters

Parameter
Description

Layer 3 Security

None

Setting that indicates that no Layer 3 security is selected.

IPSec

Setting to enable IPsec. Check software availability and client hardware compatibility before implementing IPsec.

Note You must have the optional VPN/Enhanced Security Module (crypto processor card) installed to enable IPsec. Verify that it is installed on your Cisco WLC using the Inventory page.

VPN Pass-Through

VPN pass-through that you can enable or disable.

Note This option is not available on Cisco 5500 Series Controllers. However, you can replicate this functionality on the Cisco 5500 Series Controllers by creating an open WLAN using an ACL.

For information on these settings, see Layer 3 VPN Pass-Through Parameters.

Web Policy

Check box that you can select to enable Web Policy.

Note The Cisco WLC forwards DNS traffic to and from wireless clients prior to authentication if there is no explicit deny rule for DNS traffic in the Pre-Auth ACL.

Note Web Policy cannot be used with IPsec or VPN pass-through options.

The following parameters are displayed:

  • Authentication—Prompts the user for username and password while connecting the client to the wireless network.
  • Passthrough—Enables the user to access the network directly without entering the username and password.
  • Conditional Web Redirect—Enables the user to be conditionally redirected to a particular web page after 802.1X authentication has completed successfully. You can specify the redirect page and the conditions under which the redirect occurs on your RADIUS server.
  • Splash Page Web Redirect—Redirects the user to a particular web page after 802.1X authentication has completed successfully. After the redirect, the user has full access to the network. You can specify the splash web page on your RADIUS server.
  • On MAC Filter failure—Enables web authentication on MAC filter failures.

Preauthentication ACL

IPv4 or IPv6 ACLs to be used for traffic between the client and the Cisco WLC. Refer to the Access Control Lists topic for more information.

WebAuth FlexACL

Drop-down list from which you can choose the FlexConnect ACL for external web authentication in locally switched WLANs.

For more information about creating FlexConnect ACLs, see Adding Access Control Lists.

Note The FlexConnect ACLs that are specific to an AP have the highest priority. The FlexConnect ACLs that are specific to WLANs have the lowest priority.

Sleeping Client

Check box that you can select to enable support for sleeping clients. This feature is not applicable for remote LANs and guest LANs.

Sleeping Client Timeout

Maximum amount of time after the idle timeout, in hours, before a sleeping client is forced to reauthenticate. The range is from 1 to 720. The default value is 12. This field is enabled only when you select the Sleeping Client check box. Also, the clients need not provide the login credentials when they move from one Cisco WLC to another (if Cisco WLCs are in the same mobility group) between the sleep and wake up times.

Over-ride Global Config

Setting that is displayed if you choose Authentication.

Select this check box to override the global authentication configuration set on the Web Login Page.

Web Auth type

Setting that is displayed if you choose Web Policy and Over-ride Global Config.

Type of web authentication:

  • Internal
  • Customized (Downloaded)

Login Page—Choose a login page from the drop-down list.

Login Failure page—Choose a login page that displays to the client if web authentication fails.

Logout page—Choose a login page that displays to the client when the user logs out of the system.

  • External (Redirect to external server)

URL—Enter the URL of the external server.

Email Input

Setting that is displayed if you choose Passthrough.

If you choose this option, you are prompted to specify your e-mail address when you try to connect to the network.

This table describes the Layer 3 Tab (for Guest LAN and Remote LAN) parameters.

Table 3-10 Layer 3 Tab (for Guest LAN and Remote LAN) Parameters

Parameter
Description

Layer 3 Security

None

Indicates that no Layer 3 security is selected.

Web authentication

Prompts you for your username and password while connecting the client to the network.

Web Passthrough

Enables you to access the network directly without entering the username and password.

Preauthentication ACL

IPv4 or IPv6 ACLs to be used for traffic between the client and the Cisco WLC. See the Access Control Lists topic for more information.

Over-ride Global Config

Check box that you enable to override the global authentication configuration set on the Web Login Page.

Web Auth type

Setting that is displayed if you selected Over-ride Global Config.

Type of web authentication:

  • Internal
  • Customized (Downloaded)

Login Page—Choose a login page from the drop-down list.

Login Failure page—Choose a login page that displays to the client if web authentication fails.

Logout page—Choose a login page that displays to the client when the user logs out of the system.

  • External (Redirect to external server)

URL—Enter the URL of the external server.

Email Input

Setting that is displayed if you selected Web Passthrough.

If you choose this option, you will be prompted for your e-mail address while connecting to the network.

This table describes the Layer 3 VPN Pass-Through parameters.

Table 3-11 Layer 3 VPN Pass-Through Parameters

Parameter             Description
VPN Gateway Address   VPN gateway IPsec pass-through address.

This table describes the AAA servers parameters.

Table 3-12 AAA Servers Tab Parameters

Parameter
Description

RADIUS Server Overwrite Interface

RADIUS Server Overwrite Interface that you can enable or disable. The default is disabled.

When you enable the RADIUS Server Overwrite Interface, the client authentication request is sent through the dynamic interface that is set on the WLAN. The Cisco WLC sources all RADIUS traffic to a WLAN using the dynamic interface configured on the WLAN.

Note You cannot enable the Radius Server Overwrite Interface when a diagnostic channel is enabled.

RADIUS Server Client Interface

RADIUS Server Client Interface that you can enable or disable on the WLAN. The default is disabled.

When you enable the RADIUS Server Client Interface, the RADIUS server packets pass through the same VLAN as the data traffic of the client.

RADIUS Servers

Authentication Servers

RADIUS server (configured from the RADIUS Authentication Servers page) that you choose from the drop-down lists.

If this server is chosen, it will be the default RADIUS authentication server for the specified WLAN and overrides the RADIUS server that is configured for the network.

You can choose up to three RADIUS servers, which are tried in priority order.

Accounting Servers

RADIUS accounting server that you can enable or disable. The default is Enabled.

Choose a RADIUS server (configured from the RADIUS Accounting Servers page) from the drop-down lists.

If this server is chosen, it is the default RADIUS accounting server for the specified WLAN and overrides the RADIUS server that is configured for the network.

You can choose up to six RADIUS servers, which are tried in priority order.

RADIUS Server Accounting

If you select the Interim Update check box, the statistical usage information about the client is sent in the interim interval that you specify. By default, the statistical information is sent every 600 seconds (10 minutes).


Note The Interim Update check box can be selected only if you have the RADIUS accounting servers enabled.


LDAP Servers

LDAP server (configured from the LDAP Servers page) that you can choose from the drop-down list.

You can choose up to three LDAP servers, which are tried in priority order.

Local EAP Authentication [1]

Local EAP authentication that you can enable or disable. The default is disabled.

EAP Profile Name [1]

EAP profile name (configured from the Local EAP Profiles page).

Authentication priority order for web-auth user

Order in which user credentials are retrieved from the back-end database servers.

Highlight the desired database from the left box.

Use the left and right arrows and the Up and Down buttons to move the desired database to the top of the right box.

If you select the RADIUS NAC feature for authentication, the priority for web authentication must only contain RADIUS.

[1] This option is not available for guest LANs.

QoS Tab


Note The Cisco OEAP 600 Series access point does not support CAC. Therefore, we recommend that you do not enable 7920 AP CAC and 7920 Client CAC parameters.


You can override the defined values in the QoS profile when you specify some or all of the rate-limiting parameters in the QoS tab.

This table describes the QoS parameters.

Table 3-13 QoS Tab Parameters

Parameter
Description

Quality of Service (QoS)

Quality of Service Level, set on the Editing QoS Profile page:

  • Platinum (voice)—Assures a high Quality of Service for Voice over Wireless.
  • Gold (video)—Supports the high-quality video applications.
  • Silver (best effort)—Supports the normal bandwidth for clients.
  • Bronze (background)—Supports the lowest bandwidth for guest services.

VoIP clients should be set to Platinum, Gold, or Silver, while low-bandwidth clients can be set to Bronze.

Note Media Session Snooping is supported only for Platinum QoS profiles.

Application Visibility

Check box that you can select to view the classification of applications based on the Network Based Application Recognition (NBAR) deep packet inspection technology.

To view all the supported applications, choose WIRELESS > Application Visibility and Control > Applications.

To view all classified applications, choose Monitor > Applications and click the WLAN ID to navigate to the Monitor > Clients page.

AVC Profile

Drop-down list from which you can choose an Application Visibility and Control (AVC) profile for the WLAN. To configure a new AVC profile, choose WIRELESS > Application Visibility and Control > Applications and click New.

You can configure only one AVC profile per WLAN and each AVC profile can have up to 32 rules. Each rule states a Mark or a Drop action for one application, which allows you to configure up to 32 application actions per WLAN. You can configure up to 16 AVC profiles on a controller and associate an AVC profile with multiple WLANs. Only WLANs on local mode access points, or centrally switched WLANs on FlexConnect access points, can have applications recognized by NBAR.

NetFlow Monitor

Drop-down list from which you can choose a NetFlow monitor for the WLAN. To configure a new NetFlow monitor, choose WIRELESS > Netflow > Monitor and click New.

Override Per-User Bandwidth Contracts

Note When you set the Per-User Bandwidth Contracts parameters to 0 (OFF), the traffic allowed is unlimited and is restricted by only other 802.11 limitations. The values that you set override the values configured in the QoS profile page.

Average Data Rate

User-defined average data rate (kbps) for non-UDP traffic.

The range is from 0 to 60,000; the default is 0 (OFF).

Burst Data Rate

User-defined peak data rate (kbps) for non-UDP traffic.

Valid values are from 0 to 60,000; the default is 0 (OFF).

Average Real-Time Rate

User-defined average data rate (kbps) for UDP traffic.

Valid values are from 0 to 60,000; the default is 0 (OFF).

Burst Real-Time Rate

User-defined peak data rate (kbps) for UDP traffic.

Valid values are from 0 to 60,000; the default is 0 (OFF).

Override Per-SSID Rate Limits

Note The values that you set override the values configured in the QoS profile page.

Override WLAN QoS Parameters

Average Data Rate

User-defined average data rate (kbps) for non-UDP traffic.

The range is from 0 to 60,000; the default is 0 (OFF).

Burst Data Rate

User-defined peak data rate (kbps) for non-UDP traffic.

The range is from 0 to 60,000; the default is 0 (OFF).

Average Real-Time Rate

User-defined average data rate (kbps) for UDP traffic.

The range is from 0 to 60,000; the default is 0 (OFF).

Burst Real-Time Rate

User-defined peak data rate (kbps) for UDP traffic.

The range is from 0 to 60,000; the default is 0 (OFF).

WMM

WMM Policy 2

WMM Policy. Choose one of the following:

  • Disabled—Disables this WMM policy.
  • Allowed—Allows the clients to communicate with the WLAN.
  • Required—Ensures that it is mandatory for the clients to have WMM features enabled on them to communicate with the WLAN.

7920 AP CAC 1

Cisco 7920 AP CAC that you can enable or disable. Use this setting if you want the WLAN to support the newer version of the software on your Cisco 7920 phones. In newer versions, the CAC limit is advertised by the access points.

7920 Client CAC 1

Cisco 7920 client CAC. Use this setting if you want the WLAN to support the older version of the software on your Cisco 7920 phones. In older versions, the CAC limit is set on the client.

Media Stream

Multicast Direct

Check box to enable Multicast Direct on the WLAN.

Lync Policy
  • Audio
  • Video
  • Application-Sharing
  • File-Transfer

The following QoS policies can be applied for each of the Lync policies:

  • Bronze
  • Silver
  • Gold
  • Platinum

Note WLAN QoS must meet or exceed Lync policy QoS settings in order for Lync priorities to achieve the configured levels.

2. This option is not available for guest LANs and Remote LAN.

Policy Mapping Tab

This table describes the policy-mapping parameters.

Table 3-14 Policy-Mapping Parameters

Parameter
Description

Priority Index

Priority index of the policy configured on the WLAN. The policies are applied to the clients according to the priority index. The range is from 1 to 16.

Local Policy

Policy applied on the WLAN. To define new policies, choose Security > Local Policies > New.

Advanced Tab


Caution Do not enable Coverage Hole Detection and Aironet IE for the Cisco OEAP 600 Series access point.

This table describes the advanced parameters.

Table 3-15 Advanced Tab Parameters

Parameter
Description

Allow AAA Override

AAA Override for global WLAN parameters that you can enable or disable.

When AAA Override is enabled, and a client has conflicting AAA and Cisco WLC WLAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system moves clients from the default Cisco WLAN Solution WLAN VLAN to a VLAN returned by the AAA server and predefined in the Cisco WLC interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system also uses QoS, DSCP, 802.1p priority tag values, and ACLs provided by the AAA server, if they are predefined in the Cisco WLC interface configuration. (This VLAN switching by AAA Override is also referred to as Identity Networking.)

If the Corporate WLAN primarily uses a Management Interface assigned to VLAN 2, and if AAA Override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.

When AAA Override is disabled, all client authentication defaults to the Cisco WLC authentication parameter settings, and authentication is only performed by the AAA server if the Cisco WLC WLAN does not contain any client-specific authentication parameters.

The AAA Override values may come from a RADIUS server, for example.

Note AAA Override is not supported with FlexConnect.

Coverage Hole Detection

Coverage hole detection (CHD) on this WLAN that you can enable or disable.

By default, CHD is enabled on all WLANs on the Cisco WLC. You can disable CHD on a WLAN.

When you disable CHD on a WLAN, a coverage hole alert is still sent to the Cisco WLC, but no other processing is done to mitigate the coverage hole. This feature is useful for guest WLANs where guests are connected to your network for short periods of time and are likely to be highly mobile.

Note For the Cisco OEAP 600 Series access point, do not enable Coverage Hole Detection.

Enable Session Timeout

Session timeout that you can enable or disable. Maximum time in seconds for a client session before requiring reauthorization.

Aironet IE

Support of Aironet IEs on a per WLAN basis that you can enable or disable. The default is disabled. This option is not available for guest LANs and remote LANs.

Note For the Cisco OEAP 600 Series access point, do not enable Aironet IE.

Diagnostic Channel

Diagnostic channel support on the WLAN that you can enable or disable. The default is disabled. This option is not available for guest LANs and remote LANs.

Override Interface ACL

Access Control List (ACL) that overrides the ACL configured for the interface on this WLAN. ACLs are configured on the Access Control Lists page.

  • IPv4 ACL—Lists the IPv4 ACL that needs to be applied on this WLAN. ACLs are configured on the Access Control Lists page.
  • IPv6 ACL—Lists the IPv6 ACL that needs to be applied on this WLAN. ACLs are configured on the Access Control Lists page.

Layer 2 ACL

Lists the Layer 2 ACL that needs to be applied to the WLAN. ACLs are configured on the Access Control Lists page.

P2P Blocking Action

Peer-to-peer blocking settings that you can choose.

  • Disabled—(Default) Disables peer-to-peer blocking and bridges traffic locally within the Cisco WLC whenever possible.

Note Traffic is never bridged across VLANs in the Cisco WLC.

  • Drop—Causes the Cisco WLC to discard the packets.
  • Forward-UpStream—Causes the packets to be forwarded on the upstream VLAN. The device above the Cisco WLC decides what action to take regarding the packets.

For FlexConnect local switching WLANs, the settings are as follows:

  • Disabled—(Default) Disables peer-to-peer blocking and bridges traffic locally within the AP whenever possible.
  • Drop—Causes the AP to discard the packets.
  • Forward-UpStream—Causes the AP to discard the packets.

Client Exclusion

Timeout in seconds for disabled client machines that you can enable or disable. Client machines are disabled by their MAC address and their status can be observed on the Client Details page. A timeout setting of 0 indicates that administrative control is required to re-enable the client. The default is enabled and the timeout setting configured as 60 seconds.

Maximum Allowed Clients

Maximum clients allowed per Cisco WLC.

You can set a limit to the number of clients that can connect to a WLAN. This feature is useful in scenarios where you have a limited number of clients that can connect to a Cisco WLC. For example, consider a scenario where the Cisco WLC can serve up to 256 clients on a WLAN that can be shared between enterprise users (employees) and guest users. You can set a limit on the number of guest clients that can access a given WLAN. The number of clients that you can configure per WLAN depends on the platform that you are using. The range is from 1 to 200.

The number of clients that you can configure for a specific platform is as follows:

  • Cisco 5500 Series Controller—7000
  • Cisco 7500 Series Controller—30000
  • WiSM2—15000

Note The maximum number of clients per WLAN feature is supported only for access points that are in connected mode.

Note This feature is not supported when you use FlexConnect local authentication and is not applicable for remote and guest LANs.

Static IP Tunneling

Check box that you enable to configure static IP client tunneling support on a WLAN. The following restrictions apply when configuring Static IP tunneling in coordination with other features on the same WLAN:

  • Auto anchoring mobility (guest tunneling) cannot be configured for the same WLAN.
  • FlexConnect local authentication cannot be configured for the same WLAN.
  • DHCP required option cannot be configured for the same WLAN.

Note Dynamic anchoring of static IP clients cannot be configured with FlexConnect local switching.

Wi-Fi Direct Clients Policy

Drop-down list from which you can choose a Wi-Fi Direct Clients Policy for a WLAN.

Devices that are Wi-Fi Direct capable can connect directly to each other quickly and conveniently to do tasks such as printing, synchronization, and sharing of data. Wi-Fi Direct devices may associate with multiple peer-to-peer (P2P) devices and with infrastructure WLANs concurrently. Use the Cisco WLC to configure the Wi-Fi Direct Clients Policy, on a per WLAN basis, where you can allow or disallow the association of Wi-Fi devices with infrastructure WLANs, or disable the Wi-Fi Direct Clients Policy for WLANs.

Note Wi-Fi Direct Clients Policy is applicable to WLANs that have APs in local mode only.

The following options are available:

  • Disabled—Disables the Wi-Fi Direct Clients Policy for the WLAN and deauthenticates all Wi-Fi Direct clients.
  • Allow—Allows Wi-Fi Direct clients to associate with the WLAN.
  • Not-Allow—Disallows the Wi-Fi Direct clients from associating with the WLAN.

Maximum Allowed Clients Per AP Radio

Maximum number of clients that are allowed to connect to an AP.

The maximum number you can configure is 200.

Clear HotSpot Configuration

WLAN HotSpot configuration that you can clear.

Client User Idle Timeout

Timeout for idle client sessions for a WLAN. This value overrides the global timeout value. The range is from 15 to 100000 seconds. The default value is 300 seconds.

Client User Idle Threshold

Threshold of data sent by the client during the idle timeout for the client session. If the client sends less traffic than the defined threshold, the client is removed on timeout. The range is from 0 bytes to 10 MB. The default value is 0 bytes.

Radius NAI-Realm

Enable this to match any incoming EAP request from clients that contains a realm with the realm configured on the RADIUS authentication and accounting servers.

Off Channel Scanning Defer

Scan Defer Priority

Assign a defer priority for the channel scan by clicking the priority argument. The valid range for the priority is 0 to 7 (this value should be set to 6 on the client and on the WLAN).

Scan Defer Time (msecs)

Assign the channel scan defer time in milliseconds. The valid range is 100 (default) to 60000 (60 seconds). This setting should match the requirements of the equipment on your wireless LAN.

FlexConnect

FlexConnect Local Switching

FlexConnect local switching that you can enable or disable. Any remote access point that advertises this WLAN, instead of tunneling to the Cisco WLC, can locally switch data packets.

Note In a network architecture where the WLAN is configured in FlexConnect local switching mode, if the client and Cisco WLC are in the same VLAN, a ping action will fail. Ping actions from the client to the Cisco WLC will work if both the client and Cisco WLC are on different VLANs.

Note The FlexConnect Local Switching text box must be enabled to enable local authentication.

FlexConnect Local Auth

FlexConnect local authentication that you can enable or disable.

Learn Client IP Address

Client IP address learning (this option is available when you enable FlexConnect Local Switching) that you can enable or disable.

Note If the client is configured with Fortress Layer 2 encryption, the Cisco WLC cannot learn the client IP address and will periodically drop the client. Disable this option so that the Cisco WLC maintains the client connection without waiting to learn the client IP address.

VLAN based Central Switching

VLAN central switching that you can enable or disable on the WLAN. You must enable FlexConnect local switching and an AAA override on the WLAN.

When you enable VLAN central switching, the access point bridges the traffic locally if the AAA override VLAN for the client is configured on the local IEEE 802.1Q link. If the AAA override VLAN is not configured on the access point, the AP tunnels the traffic back to the Cisco WLC and the Cisco WLC bridges the traffic to the corresponding VLAN.

VLAN central switching does not support:

  • FlexConnect Local Authentication
  • Layer 3 roaming of local switching client

Central Assoc

Check box to maintain the association table centrally on the controller. Disable this check box to maintain the association table locally on the AP.

Lync

Lync Server

To enable or disable WLAN Lync SDN service.

11k

Assisted Roaming Prediction Optimization

Check box to enable or disable assisted roaming prediction optimization for the WLAN.

Neighbor List

Check box to enable or disable 802.11k neighbor list for the WLAN.

Neighbor List Dual Band

Check box to enable or disable a dual-band 802.11k neighbor list for the WLAN.

DHCP

DHCP Server

When Override is selected, you can enter the IPv4 address of a DHCP server to be used by overriding the Primary/Secondary DHCP servers specified within the interface configuration.

Note IPv6 is not supported for DHCP Server override.

DHCP Addr. Assignment (Required)

Requires all WLAN clients to obtain an IP address from the DHCP Server.

Note DHCP address assignment (Required) is not supported for wired Guest LANs.

Note DHCP Server override is applicable only for the default group.

OEAP

Split Tunnel

Check box to enable split tunneling on OEAP access points.

Management Frame Protection (MFP)

MFP Client Protection

Disabled, Optional, or Required.

The client MFP will only be active for a session if the client supports Cisco Compatible eXtensions (CCX) MFP, and if WPA2 is negotiated with the client. If Optional is selected, clients that do not negotiate MFP will be allowed to associate. If Required is selected, only clients that successfully negotiate MFP will be allowed to associate.

This option is not available for guest LANs and remote LANs.

Note The Cisco OEAP 600 Series access point does not support MFP.

Note This check box represents the status of the Cisco MFP and not the status of 802.11w, introduced in Release 7.4.

DTIM Period (in beacon intervals)

802.11a/n (1 - 255)

Delivery Traffic Indication Map (DTIM) Period. Number of beacon intervals that elapse between the transmission of beacon frames that contain a TIM element whose DTIM Count field is 0. Valid values are from 1 to 255; the default value is 1. This option is not available for guest LANs and remote LANs.

802.11b/g/n (1 - 255)

NAC

NAC State

Enables SNMP NAC or RADIUS NAC.

  • SNMP—Enables SNMP NAC support for the WLAN.
  • Radius NAC—Enables RADIUS NAC support for the WLAN.

Cisco Identity Services Engine (ISE) is a next-generation, context-based access control solution that provides the functions of Cisco secure Access Control System (ACS) and Cisco Network Admission Control (NAC) in one integrated platform.

Cisco ISE can be used to provide advanced security for your deployed network. It is an authentication server that you can configure on your Cisco WLC. When a client associates to the Cisco WLC on a RADIUS NAC-enabled WLAN, the Cisco WLC forwards the request to the ISE server.

The ISE server validates the user in the database and, on successful authentication, the URL and pre-AUTH ACL are sent to the client. The client then moves to the “Posture Required” state and is redirected to the URL returned by the ISE server. The NAC agent in the client triggers the posture validation process. On a successful posture validation by the ISE server, the client is moved to the RUN state.

This feature enables you to create a RADIUS NAC-enabled WLAN with open authentication and MAC filtering. If you are using local web authentication with RADIUS NAC, the Layer 3 web authentication must also be enabled. Both internal and external web authentication are supported.

The following restrictions apply:

  • RADIUS NAC functionality with VLAN override is not available.
  • During slow roaming, the client goes through posture validation.
  • Guest tunneling mobility is supported for ISE NAC-enabled WLANs.
  • The VLAN select feature is not supported.
  • The NAC agent may also be available in a non-NAC-enabled WLAN.
  • The workgroup bridges are not supported.
  • The AP group over NAC feature is not supported over RADIUS NAC.

Note Do not swap AAA server indexes in a live network. This action might result in clients being disconnected and having to reconnect to the RADIUS server and log messages to be appended to the ISE server logs.

When clients move from one WLAN to another, the Cisco WLC retains the client’s audit session ID if it returns to the WLAN before the idle timeout occurs. As a result, when clients join back to the Cisco WLC before the idle timeout session expires, they are immediately moved to the RUN state. The clients are validated if they reassociate with the Cisco WLC after the session timeout.

Suppose you have two WLANs, where WLAN 1 is configured on a Cisco WLC (WLC1) and WLAN 2 is configured on another Cisco WLC (WLC2), and both are RADIUS NAC-enabled. The client first connects to WLC1 and moves to the RUN state after posture validation. Assume that the client now moves to WLC2. If the client connects back to WLC1 before the PMK expires for this client in WLC1, the posture validation is skipped for the client. The client moves directly to the RUN state, bypassing posture validation, because the Cisco WLC retains the old audit session ID for the client that is already known to ISE.

When deploying RADIUS NAC in your wireless network, do not configure a primary and secondary ISE server. Instead, we recommend that you configure HA between the two ISE servers. Having a primary and secondary ISE setup will require a posture validation to happen before the clients move to the RUN state. If HA is configured, the client is automatically moved to the RUN state in the fallback ISE server.

Cisco WLC software configured with RADIUS NAC does not support change of authorization (CoA) on the service port.

Load Balancing and Band Select

Note Client Load Balancing and Client Band Select are not available for the Cisco OEAP 600.

Client Load Balancing

Client load balancing that you can enable or disable.

Client Band Select

Client radio band that you can enable or disable.

Note Band Select is configurable only when the radio policy is set to All in the General Tab.

Passive Client

Passive Client

Passive clients that you can enable or disable on your WLAN.

Passive clients are wireless devices such as scales and printers that are configured with a static IP address. These clients do not transmit any IP information such as IP address, subnet mask, and gateway information when they associate with an access point. As a result, when passive clients are used, the Cisco WLC will never know the IP address unless they use DHCP.

Cisco WLCs currently act as a proxy for ARP requests. On receiving an ARP request, the Cisco WLC responds with an ARP response instead of passing the request directly to the client. This has two advantages:

  • The upstream device that sends out the ARP request to the client cannot know where the client is located.
  • Power for battery-operated devices such as mobile phones and printers is preserved because they do not need to respond to every ARP request.

Since the wireless Cisco WLC does not have any IP-related information about passive clients, it cannot respond to any ARP requests. The current behavior does not allow the transfer of ARP requests to passive clients. Any application that tries to access a passive client results in a failure.

This feature enables ARP requests and responses to be exchanged between wired and wireless clients.

This feature when enabled allows the Cisco WLC to pass ARP requests from wired to wireless clients until the desired wireless client gets to RUN state.

Note This feature is supported only on the Cisco 5500 Series Controllers.

Note Passive clients are not supported with AP groups and FlexConnect centrally switched WLANs.

This feature works on the multicast-multicast mode of multicast operation.

Voice

Media Session Snooping

Access points that you can enable or disable to detect the establishment, termination, and failure of Session Initiation Protocol (SIP) voice calls and then report them to the Cisco WLC and PI.

See the Radio Statistics page to see the VoIP statistics for your access point radios.

See the SNMP Trap Logs page to see the traps generated for failed calls.

Re-anchor Roamed Voice Clients

Reanchoring of roamed voice clients that you can enable or disable.

This feature allows the voice client to get anchored on the best suited and nearest available Cisco WLC. In the case of inter Cisco WLC roaming, it avoids the use of tunnels to carry traffic between the foreign Cisco WLC and the anchor Cisco WLC, which removes unnecessary traffic from the network.

The ongoing call during roaming is not affected and it continues without any problem. The traffic passes through proper tunnels that are established between the foreign Cisco WLC and the anchor Cisco WLC. When the call ends, disassociation occurs and the client gets reassociated to a new Cisco WLC. By default, this feature is disabled.

Note The ongoing data session may be affected due to dissociation and reassociation.

Note This feature is supported for TSPEC-based calls and non-TSPEC-SIP based calls only when admission control is enabled.

Note You can reanchor roaming of voice clients for each WLAN.

Note This feature is not recommended for use on the Cisco 792x phone.

KTS based CAC Policy

To enable or disable CAC that is based on Key Telephone System (KTS) for the WLAN.

KTS-based CAC is a protocol that is used in NEC MH240 wireless IP telephones. You can configure the Cisco WLC to support CAC on KTS-based SIP clients, to process bandwidth request message from such clients, to allocate required bandwidth on the AP radio, and to handle other messages that are part of the protocol.

When a call is initiated, the KTS-based CAC client sends a Bandwidth Request message to which the Cisco WLC responds with a Bandwidth Confirm message indicating whether the bandwidth is allocated or not. The call is allowed only if the bandwidth is available. If the client roams from one AP to another, then the client sends another Bandwidth Request message to the Cisco WLC.

Bandwidth allocation depends on the medium time calculated using the data rate from the Bandwidth Request message and the packetization interval. For KTS-based CAC clients, G.711 codec with 20 milliseconds as packetization interval is used for computing the medium time.

The Cisco WLC releases the bandwidth after it receives the bandwidth release message from the clients. When the client roams to another AP, the Cisco WLC takes care of releasing the bandwidth on the previous AP and allocates bandwidth on the new AP, in both intra Cisco WLC and inter Cisco WLC roaming scenarios. The bandwidth is released if the client is dissociated or if there is inactivity for 120 seconds. The Cisco WLC does not inform the client when the bandwidth is released for the client due to inactivity or dissociation of the client.

Limitations:

  • KTS-based CAC is not supported on FlexConnect access points with the WLAN in the local switching mode.
  • The Cisco WLC ignores the SSID capability check request message from the clients.
  • Preferred call is not supported for KTS CAC clients.
  • Reason code 17 is not supported in inter Cisco WLC roaming scenarios.
  • This feature is applicable only when the QoS profile is set to Platinum for the WLAN.

RADIUS Client Profiling

DHCP Profiling

Check box to enable or disable DHCP profiling of all the clients that are associated with the WLAN. When you enable DHCP profiling, the Cisco WLC collects the DHCP attributes of clients for profiling.

HTTP Profiling

Check box to enable or disable HTTP profiling of all the clients that are associated with the WLAN. When you enable HTTP profiling, the Cisco WLC collects the HTTP attributes of clients for profiling.

PMIP

PMIP Mobility Type

Choose the type of PMIP mobility for the WLAN.

The following options are available:

  • None—Configures the WLAN with Simple IP.
  • PMIPv6—Configures the WLAN with only PMIPv6.

PMIP NAI Type

Drop-down list from which you can choose the PMIP NAI Type as Hexadecimal or Decimal.

PMIP Profile

Drop-down list from which you can choose a PMIP profile. You can configure the PMIP profile irrespective of the mobility type.

PMIP Realm

Default realm of the PMIPv6 WLAN.

mDNS

mDNS Snooping

Check box to enable or disable mDNS snooping on the WLAN. To check if global mDNS snooping is enabled, choose CONTROLLER > mDNS > General. mDNS snooping works on guest LANs and not on remote LANs.

mDNS Profile

Drop-down list from which you can choose the mDNS profile for the WLAN. Clients receive service advertisements only for the services associated with the profile.

Click Apply to send data to the Cisco WLC, but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.
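The restrictions spread across the AAA Servers, QoS, Policy Mapping and Advanced tab tables can be checked mechanically before a change is applied. The following Python linter is an added example, not Cisco code: the dictionary keys, the `serves_oeap600` flag and both sample WLANs are hypothetical names constructed for illustration, and it encodes only rules stated on this page.

```python
"""Lint one WLAN's settings against restrictions stated in the tab tables."""

QOS_ORDER = ["bronze", "silver", "gold", "platinum"]  # lowest to highest

# Numeric ranges quoted in the QoS, Policy Mapping and Advanced tab tables.
RANGES = {
    "avg_data_rate_kbps": (0, 60000),
    "burst_data_rate_kbps": (0, 60000),
    "avg_realtime_rate_kbps": (0, 60000),
    "burst_realtime_rate_kbps": (0, 60000),
    "policy_priority_index": (1, 16),
    "client_idle_timeout_s": (15, 100000),
    "scan_defer_priority": (0, 7),
    "scan_defer_time_ms": (100, 60000),
    "dtim_period": (1, 255),
}


def lint_wlan(cfg):
    """Return (rule_id, detail) findings; cfg uses hypothetical key names."""
    findings = []

    def on(key):
        return bool(cfg.get(key, False))

    def flag(rule_id, detail):
        findings.append((rule_id, detail))

    for key, (lo, hi) in RANGES.items():
        if key in cfg and not lo <= cfg[key] <= hi:
            flag("range", f"{key}={cfg[key]} is outside {lo}-{hi}")

    # Static IP tunneling cannot share a WLAN with these three features.
    if on("static_ip_tunneling"):
        for other in ("auto_anchor", "flexconnect_local_auth", "dhcp_required"):
            if on(other):
                flag("static-ip-tunnel", f"cannot be combined with {other}")

    # FlexConnect dependencies.
    if on("flexconnect_local_auth") and not on("flexconnect_local_switching"):
        flag("flex-local-auth", "requires flexconnect_local_switching")
    if on("vlan_central_switching"):
        for needed in ("flexconnect_local_switching", "aaa_override"):
            if not on(needed):
                flag("vlan-central-switching", f"requires {needed}")
        if on("flexconnect_local_auth"):
            flag("vlan-central-switching", "no flexconnect_local_auth support")

    # RADIUS NAC: the web-auth priority list must contain only RADIUS.
    if cfg.get("nac_state") == "radius" and cfg.get("webauth_priority") != ["radius"]:
        flag("radius-nac", "web-auth priority must contain only radius")

    # Features that the page ties to the Platinum QoS profile.
    qos = cfg["qos"]  # required key: one of QOS_ORDER
    for feature in ("media_session_snooping", "kts_cac"):
        if on(feature) and qos != "platinum":
            flag("platinum-only", f"{feature} needs platinum, found {qos}")
    if on("kts_cac") and on("flexconnect_local_switching"):
        flag("kts-cac", "not supported with FlexConnect local switching")

    # WLAN QoS must meet or exceed every Lync policy level.
    for traffic, level in cfg.get("lync_policy", {}).items():
        if QOS_ORDER.index(level) > QOS_ORDER.index(qos):
            flag("lync-qos", f"{traffic}={level} exceeds WLAN QoS {qos}")

    if on("band_select") and cfg.get("radio_policy", "all") != "all":
        flag("band-select", "requires radio policy All")

    # Settings the page says not to enable for OEAP 600 Series access points.
    if on("serves_oeap600"):
        for feature in ("coverage_hole_detection", "aironet_ie",
                        "cac_7920_ap", "cac_7920_client"):
            if on(feature):
                flag("oeap600", f"do not enable {feature}")
    return findings


# Constructed sample settings, not exported from a real controller.
GUEST_WLAN = {
    "qos": "bronze", "static_ip_tunneling": True, "dhcp_required": True,
    "flexconnect_local_auth": True, "nac_state": "radius",
    "webauth_priority": ["local", "radius"], "media_session_snooping": True,
    "lync_policy": {"audio": "platinum", "file-transfer": "bronze"},
    "scan_defer_time_ms": 50, "serves_oeap600": True, "aironet_ie": True,
}
VOICE_WLAN = {
    "qos": "platinum", "flexconnect_local_switching": True,
    "aaa_override": True, "vlan_central_switching": True,
    "media_session_snooping": True, "band_select": True, "radio_policy": "all",
    "lync_policy": {"audio": "platinum", "video": "gold"},
    "client_idle_timeout_s": 300, "dtim_period": 1,
}

if __name__ == "__main__":
    for rule_id, detail in lint_wlan(GUEST_WLAN):
        print(f"{rule_id}: {detail}")
```
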

Deleting WLANs

Click the WLANs tab. This displays the list of WLANs. Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Remove to delete the WLAN, Remote LAN, or Guest LAN. When you delete the WLAN, it will be removed from the AP group too.

Mobility Anchors

Click the WLANs tab. This displays the list of WLANs. Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Mobility Anchors to navigate to the Mobility Anchors page.

This page lists the Cisco WLCs that have already been configured as mobility anchors and shows the current state of their data and control paths. Cisco WLCs within a mobility group communicate among themselves over a well-known UDP port and exchange data traffic through an Ethernet-over-IP (EoIP) tunnel. Cisco WLCs send mpings and epings. Mpings test the mobility control packet reachability over the management interface over mobility UDP port 16666 and epings test the mobility data traffic over the management interface over EoIP port 97. The Control Path field shows whether mpings have passed (up) or failed (down), and the Data Path field shows whether epings have passed (up) or failed (down). If the Data Path field shows “down,” the mobility anchor cannot be reached and is considered failed.

Mobility anchors can also be used to provide geographic load balancing, because WLANs can be used to represent a particular section of the building such as engineering, marketing, and so on.
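When a firewall sits between a foreign and an anchor Cisco WLC, the Control Path and Data Path states follow from whether mobility UDP port 16666 and EoIP (IP protocol number 97, which the text above calls EoIP port 97) are permitted between them. This added example, which is not Cisco code, evaluates a constructed first-match rule list and predicts both fields; the rule format, the addresses, the both-directions requirement and the implicit final deny are assumptions.

```python
import ipaddress

CONTROL = ("udp", 16666)  # mping: mobility control packets
DATA = ("97", None)       # eping: EoIP data tunnel, IP protocol 97, no port


def first_match(rules, src, dst, proto, dport):
    """Return the action of the first rule matching the flow."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (src_ip in ipaddress.ip_network(rule["src"])
                and dst_ip in ipaddress.ip_network(rule["dst"])
                and rule["proto"] in ("ip", proto)
                and rule.get("dport") in (None, dport)):
            return rule["action"]
    return "deny"  # assumption: implicit deny at the end of the list


def predict_paths(rules, foreign, anchor):
    """Predict the Control Path and Data Path fields for one anchor."""
    def both_ways(flow):
        proto, dport = flow
        return all(first_match(rules, s, d, proto, dport) == "permit"
                   for s, d in ((foreign, anchor), (anchor, foreign)))

    control = "up" if both_ways(CONTROL) else "down"
    data = "up" if both_ways(DATA) else "down"
    # Per the page, a Data Path of "down" means the anchor is considered failed.
    return {"control_path": control, "data_path": data,
            "anchor_failed": data == "down"}


# Constructed sample: documentation-range addresses, hypothetical rule format.
FOREIGN, ANCHOR = "192.0.2.10", "198.51.100.20"
BROKEN_RULES = [
    {"action": "permit", "proto": "udp", "dport": 16666,
     "src": "192.0.2.10/32", "dst": "198.51.100.20/32"},
    {"action": "permit", "proto": "udp", "dport": 16666,
     "src": "198.51.100.20/32", "dst": "192.0.2.10/32"},
    {"action": "permit", "proto": "97",
     "src": "192.0.2.10/32", "dst": "198.51.100.20/32"},
    {"action": "deny", "proto": "ip", "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},
]
# Adding the missing anchor-to-foreign EoIP rule ahead of the final deny.
FIXED_RULES = BROKEN_RULES[:3] + [
    {"action": "permit", "proto": "97",
     "src": "198.51.100.20/32", "dst": "192.0.2.10/32"},
] + BROKEN_RULES[3:]

if __name__ == "__main__":
    print("broken:", predict_paths(BROKEN_RULES, FOREIGN, ANCHOR))
    print("fixed: ", predict_paths(FIXED_RULES, FOREIGN, ANCHOR))
```
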

This table describes the mobility anchor parameters.

Table 3-16 Mobility Anchor Parameters

Parameter
Description

WLAN SSID

WLAN SSID.

Switch IP Address (Anchor)

IP address of the Cisco WLC that is designated as a mobility anchor.

Choose local from the drop-down list for the anchor Cisco WLC and all Cisco WLCs that are auto-anchors for this WLAN.

For foreign Cisco WLCs, select the anchor Cisco WLC from the drop-down list. Only Cisco WLCs configured as mobility group members are available in the drop-down list.

Data Path

Whether epings have passed (up) or failed (down). If the Data Path field shows down, the mobility anchor cannot be reached and is considered failed.

Control Path

Whether mpings have passed (up) or failed (down).

Mobility Anchor Create

Mobility anchor that you can create. The selected Cisco WLC becomes an anchor for the WLAN.

Switch IP Address (Anchor)

Cisco WLC IP address from the drop-down list. You can select local, an IPv4 address, or an IPv6 address.

Creating a Mobility Anchor


Step 1 Click the WLANs tab. This displays the list of WLANs.

Step 2 Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Mobility Anchors to navigate to the Mobility Anchors page.

Step 3 Choose a Cisco WLC IP address from the Switch IP Address (Anchor) drop-down list. From Release 8.0, the controller supports both IPv4 and IPv6.

Step 4 Click Mobility Anchor Create.

The selected Cisco WLC now becomes an anchor for the WLAN.


Note A Cisco 2000 Series Wireless LAN Controller cannot be designated as an anchor for a WLAN. However, a WLAN created on a Cisco 2000 Series Wireless LAN Controller can have a Cisco 4100 Series Wireless LAN Controller and Cisco 4400 Series Wireless LAN Controller as its anchor.


Removing a Mobility Anchor


Step 1 Click the WLANs tab. This displays the list of WLANs.

Step 2 Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Mobility Anchors to navigate to the Mobility Anchors page.

Step 3 Click the blue arrow adjacent the corresponding Mobility Anchor and choose Remove.

802.11u

Click the WLANs tab. This displays the list of WLANs. Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose 802.11u to navigate to the 802.11u page.

This page lists the 802.11u configuration options available for the selected WLAN. You can configure a WLAN to enable interworking with external networks such as hotspots or other public Wi-Fi.

IEEE 802.11u is an extension to the IEEE 802.11 standard to improve the ability of devices to discover, authenticate, and use nearby Wi-Fi access points. IEEE 802.11u enables automatic WLAN offload for 802.1X devices at the hotspot of mobile or roaming partners.

This table describes the 802.11u parameters.

Table 3-17 802.11u General Parameters

Parameter
Description

802.11u Status

802.11u that you can enable or disable on this WLAN.

Internet Access

Internet access that you can enable or disable on this WLAN.

Network Type

Network type that you can set on this WLAN. The following options are available:

  • Private Network
  • Private Network with Guest Access
  • Chargeable Public Network
  • Free Public Network
  • Emergency Services Only Network
  • Personal Device Network
  • Test or Experimental
  • Wildcard

The default value is Chargeable Public Network.

Network Auth Type

Network authentication type that you can set on this WLAN for 802.11u. The following options are available:

  • Not configured
  • Acceptance of terms and conditions
  • Online enrollment
  • HTTP/HTTPS redirection
  • DNS Redirection

HESSID

Homogeneous Extended Service Set Identifier (HESSID) that you can enter. The HESSID must be a valid MAC address that uniquely identifies the network. We recommend that the HESSID be the actual BSSID of the first access point.

IPv4Type

IPv4 type address. The following options are available:

  • Unknown
  • Not available
  • Public address
  • Port-restricted
  • Single NATed private
  • Double NATed private
  • Port-restricted and single NATed
  • Port-restricted and double NATed

IPv6Type

IPv6 type address. The following options are available:

  • Unknown
  • Not available
  • Available

The default value is Unknown.

This table describes the OUI parameters.

 

Table 3-18 OUI List Parameters

Parameter
Description

OUI

Organization Unique Identifier that you can enter. The OUI must be a hexadecimal number represented in six or ten characters. For example, AABBDF.

Is Beacon

OUI beacon responses that you can enable or disable. You can have a maximum of 3 OUIs with this field enabled.

OUI Index

Organization Unique Identifier index. Choose a value between 1 and 32 from the drop-down list. The default is 1.

Click Add to add the OUI details.

This table describes the domain list parameters.

 

Table 3-19 Domain List Parameters

Parameter
Description

Domain Name

Domain name that is operating in the WLAN network. The domain name is case sensitive and you can use alphanumeric characters.

Domain Index

Domain index of the domain name. Choose a value between 1 and 32 from the drop-down list. The default is 1.

Click Add to add the Domain List parameters.

This table describes the realm list parameters.

 

Table 3-20 Realm List Parameters

Parameter
Description

Realm

Realm name that you can assign for this WLAN.

Realm Index

Realm index that you can assign to this realm name. Choose a value between 1 and 32 from the drop-down list. The default is 1.

EAP List

Field that appears when you click on a realm name. It allows you to define the EAP method and EAP index for the realm.

EAP Method

EAP method for the realm in the WLAN. The following options are available:

  • LEAP
  • PEAP
  • EAP-PEAP
  • EAP-TLS
  • EAP-FAST
  • EAP-SIM
  • EAP-TTLS
  • EAP-AKA

EAP Index

EAP index. The range is 1 to 4.

Click Add to add a realm.

This table describes the cellular network parameters.

 

Table 3-21 Cellular Network Information List

Parameter
Description

Country Code

Mobile country code in Binary Coded Decimal (BCD) format. The country code should be 3 characters.

Cellular Index

Cellular Index. The range is from 1 to 32.

Network Code

Mobile network code in BCD format. The network code can be 2 or 3 characters.

Click Add to add the Cellular Network Information.

Click Apply to send the data to the Cisco WLC. The data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.
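The field rules in Tables 3-17 through 3-21 can be checked before a change is entered in the GUI. This added Python example (not part of the Cisco documentation) lints a planned 802.11u configuration; the dictionary layout, the key names, and the colon- or hyphen-separated HESSID format are assumptions.

```python
import re
from typing import Any, Dict, List

# Assumption: the HESSID is written as six colon- or hyphen-separated hex octets.
_MAC = re.compile(r"[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}")
_HEX = re.compile(r"[0-9A-Fa-f]+")
EAP_METHODS = {"LEAP", "PEAP", "EAP-PEAP", "EAP-TLS", "EAP-FAST",
               "EAP-SIM", "EAP-TTLS", "EAP-AKA"}


def _in_range(value: Any, low: int, high: int) -> bool:
    return type(value) is int and low <= value <= high


def validate_80211u(plan: Dict[str, Any]) -> List[str]:
    """Return every rule violation in a planned 802.11u configuration."""
    errors: List[str] = []

    hessid = plan.get("hessid")
    if hessid is not None and not _MAC.fullmatch(hessid):
        errors.append(f"HESSID {hessid!r} is not a valid MAC address")

    beacons = 0
    for oui in plan.get("ouis", []):
        value = oui.get("oui", "")
        if len(value) not in (6, 10) or not _HEX.fullmatch(value):
            errors.append(f"OUI {value!r} must be 6 or 10 hexadecimal characters")
        if not _in_range(oui.get("index"), 1, 32):
            errors.append(f"OUI {value!r}: index must be 1 to 32")
        beacons += 1 if oui.get("is_beacon") else 0
    if beacons > 3:
        errors.append(f"{beacons} OUIs have Is Beacon enabled; the maximum is 3")

    for domain in plan.get("domains", []):
        if not _in_range(domain.get("index"), 1, 32):
            errors.append(f"domain {domain.get('name')!r}: index must be 1 to 32")

    for realm in plan.get("realms", []):
        name = realm.get("realm")
        if not _in_range(realm.get("index"), 1, 32):
            errors.append(f"realm {name!r}: index must be 1 to 32")
        for eap in realm.get("eap", []):
            if eap.get("method") not in EAP_METHODS:
                errors.append(f"realm {name!r}: unknown EAP method {eap.get('method')!r}")
            if not _in_range(eap.get("index"), 1, 4):
                errors.append(f"realm {name!r}: EAP index must be 1 to 4")

    for cell in plan.get("cellular", []):
        mcc, mnc = str(cell.get("mcc", "")), str(cell.get("mnc", ""))
        if not re.fullmatch(r"[0-9]{3}", mcc):
            errors.append(f"country code {mcc!r} must be 3 digits")
        if not re.fullmatch(r"[0-9]{2,3}", mnc):
            errors.append(f"network code {mnc!r} must be 2 or 3 digits")
        if not _in_range(cell.get("index"), 1, 32):
            errors.append(f"cellular entry {mcc}/{mnc}: index must be 1 to 32")
    return errors


# Constructed sample plans (all values are made up for illustration).
GOOD_PLAN = {
    "hessid": "00:11:22:33:44:55",
    "ouis": [{"oui": "AABBDF", "index": 1, "is_beacon": True},
             {"oui": "0011223344", "index": 2, "is_beacon": False}],
    "domains": [{"name": "example.net", "index": 1}],
    "realms": [{"realm": "example.net", "index": 1,
                "eap": [{"method": "EAP-TLS", "index": 1}]}],
    "cellular": [{"mcc": "001", "mnc": "01", "index": 1}],
}
BAD_PLAN = {
    "hessid": "00:11:22:33:44",                                # only five octets
    "ouis": [{"oui": "AABBDF", "index": 1, "is_beacon": True},
             {"oui": "AABBD", "index": 2, "is_beacon": True},   # five characters
             {"oui": "0011223344", "index": 3, "is_beacon": True},
             {"oui": "A1B2C3", "index": 33, "is_beacon": True}],  # fourth beacon OUI
    "realms": [{"realm": "example.net", "index": 1,
                "eap": [{"method": "EAP-MD5", "index": 5}]}],   # method not in the list
    "cellular": [{"mcc": "31", "mnc": "4100", "index": 0}],
}

if __name__ == "__main__":
    for problem in validate_80211u(BAD_PLAN):
        print(problem)
```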

HotSpot 2.0

Click the WLANs tab. This displays the list of WLANs. Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Hotspot 2.0 to navigate to the HotSpot 2.0 page.

Hotspot 2.0 improves the ability of Wi-Fi devices to discover and securely connect to public Wi-Fi hotspots, which enables easier roaming between public Wi-Fi networks.

You can enable or disable a hotspot by choosing the appropriate option from the HotSpot2 Enable drop-down list.

This table describes the HotSpot parameters.

 

Table 3-22 HotSpot 2.0 General Parameters

Parameter
Description

HotSpot2

HotSpot2 that you can enable or disable on this WLAN.

WAN Link Status

Link status. The following options are available:

  • Not configured
  • Link Up
  • Link Down
  • Link in Test

WAN Symmetric Link Status

Downlink and uplink speed of the WAN backhaul link. The following options are available:

  • Same
  • Different

WAN Downlink Speed

Downlink speed of the WAN backhaul link in kbps. The maximum value is 4,294,967,295 kbps.

WAN Uplink Speed

Uplink speed of the WAN backhaul link in kbps. The maximum value is 4,294,967,295 kbps.

This table describes the operator parameters.

 

Table 3-23 Operator Name List Parameters

Parameter
Description

Operator Name

Operator name of the hotspot provider that you can enter.

Operator Index

Operator index of the hotspot provider that you can assign. Choose a value between 1 and 32 from the drop-down list. The default is 1.

Language code

Language code that you can enter. For example, you can enter ENG for English.

Click Add to add the operator name.

This table describes the port config parameters.

 

Table 3-24 Port Config List Parameters

Parameter
Description

IP Protocol

Internet protocol name that you can select. This parameter provides information on the connection status of the most commonly used communication protocols and ports.

The following options are available:

  • ICMP
  • FTP/SSH/TLS/PPTP VPN/VOIP
  • IKEv2 (IPSec VPN/VoIP/ESP)

Port No.

Port number used for the IP. The following options are available:

  • ICMP/ESP (IPSec-VPN)
  • FTP
  • SSH
  • HTTP
  • TLS-VPN
  • IKEv2
  • PPTP-VPN
  • IPSec-NAT
  • VoIP

Status

Status of the IP port. The following options are available:

  • Closed
  • Open
  • Unknown

Index

Port configuration index that you can configure. Choose a value between 1 and 10 from the drop-down list. The default is 1.

 

Foreign Maps

Click the WLANs tab. This displays the list of WLANs.

Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Foreign Maps to navigate to the Foreign Controller Interface Mapping page.

Whenever a wireless client connects to a wireless network (WLAN), the client is placed in a VLAN that is associated with the WLAN. Release 7.0 and prior releases of the Cisco WLC software enabled you to associate one VLAN with a WLAN. Each VLAN required a single IP subnet. As a result, a WLAN required a large subnet to accommodate more clients. In a large venue such as an auditorium, a stadium, or a conference where there may be numerous wireless clients, having only a single WLAN to accommodate many clients might be a challenge.

The VLAN select feature enables you to use a single WLAN that can support multiple VLANs. Clients can get assigned to one of the configured VLANs. This feature enables you to map a WLAN to a single or multiple interfaces using interface groups. Wireless clients that associate to the WLAN get an IP address from a pool of subnets identified by the interfaces using a MAC-based hashing algorithm. This feature also extends the current AP group feature, in which AP groups can override an interface or interface group in a WLAN with an interface. This feature also provides a solution to guest anchor restrictions: a wireless guest user at a foreign location can get an IP address from multiple subnets, based on the foreign location or foreign Cisco WLC, from the same anchor Cisco WLC.

When a client roams from one Cisco WLC to another, the foreign Cisco WLC sends the VLAN information as part of the mobility announce message. Based on the VLAN information received, the anchor decides whether the tunnel should be created between the anchor Cisco WLC and the foreign Cisco WLC. If the same VLAN is available on the foreign Cisco WLC, the client context is completely deleted from the anchor and the foreign Cisco WLC becomes the new anchor Cisco WLC for the client.

As part of the VLAN select feature, the mobility announce message carries an additional vendor payload that contains the list of VLAN interfaces that are mapped to a WLAN. This list helps the anchor to decide on a Local->Local type of handoff.


Note VLAN Select applies to wireless clients only.


This table describes the foreign map parameters.

 

Table 3-25 Foreign Map Parameters

Parameter
Description

WLAN SSID

WLAN SSID.

Foreign Controller MAC Address

Foreign Cisco WLC MAC address on a WLAN.

Interface / Interface Group Name (G)

Interface/interface group name that is mapped to a foreign switch.

Add Mapping

Mobility foreign map that you can add to a WLAN.

Foreign Controller MAC Address

Information about the MAC address of the foreign Cisco WLC to this interface/interface group.

Interface / Interface Group (G)

Interface/interface group.

Creating a Foreign Cisco WLC Interface Mapping


Step 1 Click the WLANs tab. This displays the list of WLANs.

Step 2 Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Foreign Maps to navigate to the Foreign Controller Interface Mapping page.

Step 3 From the Foreign Controller MAC Address drop-down list, choose a foreign Cisco WLC MAC address.

Step 4 From the Interface/Interface Group Name drop-down list, choose the interface/interface group name to be mapped to a foreign switch.

Step 5 Click Add Mapping.


 

Removing Foreign Maps


Step 1 Click the WLANs tab. This displays the list of WLANs.

Step 2 Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Foreign Maps to navigate to the Foreign Controller Interface Mapping page.

Step 3 Click the blue arrow adjacent the corresponding Foreign Controller and choose Remove.


 

Service Advertisement

Click the WLANs tab. This displays the list of WLANs.

Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Service Advertisement to navigate to the Service Advertisement page.

This page allows you to configure the Mobility Service Advertisement Protocol (MSAP) parameters on a WLAN. MSAP is used primarily by mobile devices that are configured with a set of policies for establishing network services. Service advertisements use MSAP to provide services to mobile devices prior to association to a Wi-Fi access network. This information is conveyed in a service advertisement.

This table describes the MSAP parameters.

 

Table 3-26 MSAP Parameters

Parameter
Description

MSAP Enable

Service advertisements that you can enable or disable on the WLAN.

Server Index

MSAP server ID. The server index field uniquely identifies an MSAP server instance serving a venue that is reachable through the BSSID. The range is from 1 to 10.

Configuring Dynamic Anchoring for Clients with a Static IP Address

You might need to configure static IP addresses for wireless clients. When these wireless clients move in a network, they try to associate with other Cisco WLCs. If the clients try to associate with a Cisco WLC that does not support the same subnet as the static IP, the clients fail to connect to the network. You can now enable dynamic tunneling of clients with static IP addresses. Using this feature, clients with static IP addresses can be associated with other Cisco WLCs where the client’s subnet is supported by tunneling the traffic to another Cisco WLC in the same mobility group. This feature enables you to configure your WLAN so that the network is serviced even though the clients use static IP addresses.

The following sequence occurs when a client with a static IP address tries to associate with a Cisco WLC:

1. When a client associates with a Cisco WLC, such as WLC-1, it performs a mobility announcement. If a Cisco WLC in the mobility group responds (such as WLC-2), the client traffic is tunneled to WLC-2. As a result, WLC-1 becomes foreign and WLC-2 becomes the anchor.

2. If none of the Cisco WLCs responds, the client is treated as a local client and authentication is performed. The IP address for the client is updated either through orphan packet handling or ARP request processing. If the client’s IP subnet is supported in the Cisco WLC (WLC-1), the client remains as a local client and traffic for this client is serviced by this Cisco WLC (WLC-1).

3. If the Cisco WLC (WLC-1) cannot service the client IP subnet, it sends a static IP client announcement. If a Cisco WLC in the mobility group responds (such as WLC-2), the client is tunneled to WLC-2. If there are multiple Cisco WLCs in the mobility group that respond to the static IP client announcement, the first Cisco WLC with a 50 percent or less load is selected for tunneling. If there are no Cisco WLCs with a 50 percent or less load, the Cisco WLC with the least load is selected.

4. If the maximum number of clients per WLAN is configured, the percentage load is calculated by using the following formula:

(total clients present in that WLAN/maximum clients supported in that WLAN) x 100.

or

(total clients present in the WLC/maximum clients supported) x 100.

5. Once the acknowledgement is received, the client traffic is tunneled between the anchor and the Cisco WLC (WLC-1).
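The anchor selection in steps 3 and 4, written out as an added Python example (not Cisco's code). The `Responder` model and its field names are hypothetical, and it assumes that the per-WLAN formula applies when a WLAN client limit is configured and the controller-wide formula applies otherwise.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Responder:
    """A WLC that answered the static IP client announcement (hypothetical model)."""
    name: str
    wlc_clients: int                        # clients currently on the controller
    wlc_max_clients: int                    # clients the controller supports
    wlan_clients: int = 0                   # clients currently on this WLAN
    wlan_max_clients: Optional[int] = None  # Maximum Allowed Clients, if configured


def load_percent(r: Responder) -> float:
    """Percentage load, using the per-WLAN formula when a WLAN limit is set."""
    if r.wlan_max_clients is not None:
        present, maximum = r.wlan_clients, r.wlan_max_clients
    else:
        present, maximum = r.wlc_clients, r.wlc_max_clients
    if maximum <= 0 or present < 0:
        raise ValueError(f"{r.name}: invalid client counts {present}/{maximum}")
    return present * 100 / maximum


def select_anchor(responders: Sequence[Responder]) -> Optional[Responder]:
    """Pick the anchor from responders listed in the order their replies arrived."""
    if not responders:
        return None                    # no controller can service the subnet
    loads = [(load_percent(r), r) for r in responders]
    for load, r in loads:
        if load <= 50:                 # first responder at 50 percent or less wins
            return r
    return min(loads, key=lambda pair: pair[0])[1]   # otherwise the least loaded


# Constructed responder lists, in arrival order.
FIRST_UNDER_HALF = [
    Responder("WLC-2", wlc_clients=900, wlc_max_clients=1000),            # 90 percent
    Responder("WLC-3", wlc_clients=950, wlc_max_clients=1000,
              wlan_clients=80, wlan_max_clients=200),                     # 40 percent
    Responder("WLC-4", wlc_clients=100, wlc_max_clients=1000),            # 10 percent
]
ALL_BUSY = [
    Responder("WLC-2", wlc_clients=900, wlc_max_clients=1000),            # 90 percent
    Responder("WLC-3", wlc_clients=300, wlc_max_clients=1000,
              wlan_clients=120, wlan_max_clients=200),                    # 60 percent
    Responder("WLC-4", wlc_clients=750, wlc_max_clients=1000),            # 75 percent
]

if __name__ == "__main__":
    for label, group in (("first under half", FIRST_UNDER_HALF), ("all busy", ALL_BUSY)):
        chosen = select_anchor(group)
        print(label, "->", chosen.name, f"{load_percent(chosen):.0f}%")
```

In the first list WLC-3 is chosen even though WLC-4 carries less load, because selection stops at the first responder at or below 50 percent.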


Note If a WLAN is configured with an interface group and any of the interfaces in the interface group support the static IP client subnet, the client is assigned to that interface. This situation occurs in the local or remote (static IP anchor) Cisco WLC. Static IP is not supported for native IPv6 clients (that is, clients with only IPv6 addresses) in the interface group.



Note A security level 2 authentication is performed only in the local (static IP foreign) Cisco WLC, also known as the exported foreign Cisco WLC.



Note If AAA is used for authentication, the VLAN override is ignored if static IP tunneling is required. You must configure the local Cisco WLC with the correct AAA server where this client entry is present.


The following restrictions apply when configuring static IP tunneling with other features on the same WLAN:

  • Auto anchoring mobility (guest tunneling) cannot be configured for the same WLAN.
  • FlexConnect local authentication cannot be configured for the same WLAN.
  • The DHCP required option cannot be configured for the same WLAN.

Note Dynamic anchoring of static IP clients cannot be configured with FlexConnect local switching.


Configuring Dynamic Anchoring of Static IP Clients


Step 1 Choose WLANs to open the WLANs page.

Step 2 Click the ID number of the desired WLAN on which you want to enable dynamic anchoring of IP clients. The WLANs > Edit page appears.

Step 3 Choose the Advanced tab to open the WLANs > Edit (Advanced) page.

Step 4 Enable dynamic anchoring of static IP clients by selecting the Static IP Tunneling check box.

Step 5 Click Apply to commit your changes.


 

Configuring the Maximum Number of Clients Per WLAN

You can set a limit on the number of clients that can connect to a WLAN. This feature is useful in scenarios where you have a limited number of clients that can connect to a Cisco WLC. For example, consider a scenario where the Cisco WLC can serve up to 256 clients on a WLAN that can be shared between enterprise users (employees) and guest users. You can set a limit on the number of guest clients that can access a given WLAN. The number of clients that you can configure per WLAN depends on the platform that you are using. The range is from 1 to 200.


Step 1 Choose WLANs to open the WLANs page.

Step 2 Click the ID number of the WLAN for which you wish to limit the number of clients. The WLANs > Edit page appears.

Step 3 On the Advanced tab, set the Maximum Allowed Clients text box.


 

Click Apply to send the data to the Cisco WLC. The data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

AP Groups

Choose WLAN > Advanced > AP Groups to navigate to the AP Groups page. This page displays a summary of the AP groups configured on your network. This page enables you to add, remove, or view details of an AP group.

After you create up to 512 WLANs on the Cisco WLC, you can selectively publish them (using access point groups) to different access points to better manage your wireless network.

After all access points have joined the Cisco WLC, you can create up to 150 access point groups and assign up to 16 WLANs to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group.


Note The Cisco WLC creates the default-group access point group and automatically populates it with the first 16 WLANs (WLANs with IDs 1 through 16, or fewer if 16 WLANs are not configured). This default group cannot be modified (you cannot add WLANs to it and you cannot delete WLANs from it). It is dynamically updated whenever the first 16 WLANs are added or deleted. If an access point does not belong to an access point group, it is assigned to the default group and uses the WLANs in that group. If an access point joins the Cisco WLC with an undefined access point group name, the access point keeps its group name but uses the WLANs in the default-group access point group.



Note If you clear the configuration on the Cisco WLC, all of the access point groups disappear except for the default-group access point group.



Note The OEAP 600 Series access point supports a maximum of two WLANs and one remote LAN. If you have configured more than two WLANs and one remote LAN, you can assign the 600 Series access point to an AP group. The support for two WLANs and one remote LAN still applies to the AP group if the 600 Series OEAP is in the default group. The WLAN/remote LAN IDs must be less than 8.


To remove an AP group, click the blue arrow adjacent the group and choose Remove.

An error message appears if you try to delete an access point group that is used by at least one access point. Before you can delete an AP group, move all APs in this group to another group. The access points are not moved to the default-group access point group as in previous releases.

  • To see the APs, click the AP group name, and choose the APs tab.
  • To move APs, click the AP group name, choose the APs tab, check the check box to the left of the AP name, or select the AP name check box to select all APs, and click Add APs.

Prohibit One VLAN for Local Switching by FlexConnect

Choose an interface for Prohibit Local Switching from the drop-down list in the interface list page. Click Apply to prohibit local switching of the interface by the Cisco WLC. Click New to select another VLAN for the same action.

Creating a New AP Group


Step 1 On the WLAN > AP Groups page, click Add Group to display the Add New AP Group area.

Step 2 In the AP Group Name text box, enter the name of the AP group.

Step 3 In the Description text box, enter a brief description of the AP group.

Step 4 Click Add to add the AP group.

The AP group is created.


 

Editing AP Groups

Choose WLAN > Advanced > AP Groups and then click an AP group name to navigate to this page.

General Tab


Note AP 3600 with the 802.11ac module advertises only the first eight WLANs on the 5-GHz radios.


This table describes the general AP parameters.

 

Table 3-27 General Parameters

Parameter
Description

AP Group Name

AP group name.

AP Group Description

AP group description.

NAS-ID

Network Access Server identifier. The NAS-ID is sent to the RADIUS server by the controller (as a RADIUS client) using the authentication request, which is used to classify users to different groups. You can enter up to 32 alphanumeric characters.

Beginning in Release 7.4, you can configure the NAS-ID on the interface, WLAN, or an access point group. The order of priority is AP Group NAS-ID > WLAN NAS-ID > Interface NAS-ID.

Enable Client Traffic QinQ

When enabled, double 802.1q tagging is enabled for client traffic associated to APs that are part of the WLAN and AP-Group.

QinQ Service VLAN ID must be configured for this to work.

Enable DHCPv4 QinQ

When enabled, double 802.1q tagging is enabled for client DHCPv4 packets associated to APs that are part of the WLAN and AP-Group.

QinQ Service VLAN ID must be configured for this to work.

QinQ Service VLAN ID

QinQ Service VLAN ID is the outer VLAN ID and the Interface mapped to WLAN in AP-Group will act as inner VLAN ID.

CAPWAP Preferred Mode

Select the check box to configure the CAPWAP Preferred mode for the AP Group. You can select either IPv4 or IPv6. By default, this field is unconfigured.

Note The CAPWAP Preferred Mode can be configured either globally (Controller > General Tab > CAPWAP Preferred Mode) or on an AP Group. If you unselect the check box, the global configuration takes precedence.

Note The above configuration will be displayed in the Wireless > ALL APs > General Tab > IP Config.

Note The CAPWAP Preferred Mode field does not appear under the default-group. The APs by default are part of the default-group.

WLANs Tab

Click Add New to assign a WLAN to an access point group.

This table describes the WLAN parameters.

 

Table 3-28 WLANs Tab Parameters

Parameter
Description

WLAN SSID

WLAN SSID that you can select from the drop-down list.

Interface/Interface Group (G)

Interface name that you can select from the drop-down list.

SNMP NAC State

SNMP NAC out-of-band support for this access point group that you can enable or disable.

Note If you enable SNMP NAC out-of-band support, be sure to choose the quarantine VLAN from the Interface Name drop-down list.

Add button/Cancel button

Click Add to add this WLAN to the access point group. Click Cancel to close the Add New area without making any changes.

WLAN ID

Information about the WLANs that are currently assigned to this access point group.

WLAN SSID

Information about the WLAN SSID.

Interface Name/Interface Group (G)

Interface name or interface group that you can select from the drop-down list.

SNMP NAC State

SNMP NAC state that you can enable or disable.

Click the blue arrow adjacent the corresponding WLAN and choose one of the following options:

  • NAC Enable / NAC Disable —Changes the SNMP NAC state.
  • Policy-Mapping —Configures the policies for the WLAN.

You can configure a maximum of 16 policies. In the AP Group > Policy Mappings page, you can configure a priority index and a policy. To define new policies, choose Security > Local Policies > New.

  • Remove —Removes a WLAN from the access point group.

RF Profile Tab

This table describes the RF profile parameters.

 

Table 3-29 RF Profile Tab Parameters

Parameter
Description

802.11a

Drop-down list from which you can choose an RF profile for APs with 802.11a radios.

802.11b

Drop-down list from which you can choose an RF profile for APs with 802.11b radios.

 

Click Apply to apply the RF profile selected for the APs.


Note Applying an RF profile results in a reboot of all the APs associated with the AP Group.


APs Tab

This table describes the AP parameters.

 

Table 3-30 APs Tab Parameters

Parameter
Description

APs currently in the Group

Access points that are currently assigned to this group.

To remove an access point, select the check box to the left of the AP name or select the AP Name check box to select all APs, and click Remove APs.

Add APs to the Group

Access points that are available to be added to the group.

To add an access point, select the check box to the left of the AP Name or select the AP Name check box to select all APs, and click Add APs.

802.11u Tab

This table describes the 802.11u parameters.

 

Table 3-31 802.11u Parameters

Parameter
Description

Venue Group

Drop-down list from which you can choose a Hotspot group that groups similar Hotspot venues. The following options are available:

  • Unspecified
  • Assembly
  • Business
  • Educational
  • Factory and Industrial
  • Institutional
  • Mercantile
  • Residential
  • Storage
  • Utility and Misc
  • Vehicular
  • Outdoor

Venue Type

Drop-down list from which you can choose the type of venue based on the Venue Group that you choose.

Venue Name

Venue name that you can provide for this access point. This name is associated with the basic service set (BSS). This name is used in cases where the SSID does not provide enough information about the venue. The venue name is case sensitive and can be up to 252 alphanumeric characters.

Language

Language used at the venue. You must specify the language before you specify the venue name. ISO-639 encoded string defining the language used at the venue. This string is a three-character language code. For example, you can enter ENG for English.

Operating class

Select the check box to choose the 802.11u operating class. The different operating classes are 81, 83, 84, 112, 113, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127.

You can add a maximum of 10 operating classes.

Click Add New Venue to add a new venue for the AP group.

Click Apply to apply the Operating class to the AP group.