Cisco Prime Network Control System Configuration Guide, Release 1.1

Performing Administrative Tasks

The Administration enables you to schedule tasks, administer accounts, and configure local and external authentication and authorization. Also, set logging options, configure mail servers, and data management related to configuring the data retain periods. Information is available about the types of NCS licenses and how to install a license.

This chapter describes the Cisco NCS administrative tasks. It contains the following sections:

•Performing Background Tasks, page 15-1

•Configuring a Virtual Domain, page 15-41

•Configuring Administrative Settings, page 15-51

•Setting User Preferences, page 15-82

•Viewing Appliance Details, page 15-84

•Configuring AAA, page 15-86

•Establishing Logging Options, page 15-121

•Configuring High Availability, page 15-126

•Managing Licenses, page 15-131

Performing Background Tasks

You can use the NCS Background Tasks page to schedule and monitor data collection tasks and other background tasks.

This section contains the following topics:

•About Background Tasks, page 15-2

•Performing a Data Collection Task, page 15-3

•Performing Other Background Tasks, page 15-7

For more information on data collection and other background tasks, see the "Data Collection Tasks" section on page 15-5 and "Other Background Tasks" section on page 15-32.

About Background Tasks

A background task is a scheduled program running in the background with no visible pages or other user interfaces. In NCS background tasks can be anything from data collection to taking backups of the configurations.

Note Choose Administration > Background Tasks to view several scheduled tasks. The Background Tasks page appears (see Figure 15-1).

Figure 15-1 Background Tasks Page

You can view the administrative and operating status, task interval, and time of day in which the task occurs. To execute a particular task, select the check box of the desired task and choose Execute Now from the Select a command drop-down list. The task is executed based on what you have configured for the specific task.

The tasks are listed in tables with the following columns:

•Check box—Select to choose the desired task. Chosen tasks are targets for operations initiated from the Select a command drop-down list including the following:

–Execute Now—Run all of the data sets with a selected check box.

–Enable Collection—Enable the data set to run at its scheduled interval.

–Disable Collection—Prevent the data set from running at its scheduled interval.

•Task—Task name that serves as a link to a configuration page. Click a task name to go to that task configuration page.

•Enabled—Indicates that the task is enabled or disabled.

•Interval—Time period between executions of task.

•Status—Indicates that the task is idle, disabled, or executing.

•Data Aggregation (Data Collections only)—If set to Yes, the data set is aggregate data.

•Non-Aggregation Data Retain Period (Days) (Data Collections only)—The number of days that non-aggregated data is retained.

Note See the "NCS Historical Data" section on page 15-60 for more information on aggregated and non-aggregated data in NCS.

•Last Execution Time—The date and time the task was executed.

•Last Execution Status—Indicates that the task executed was a success, failure, or a partial success.

This page enables you to view the status of scheduled NCS tasks. Scheduled tasks are divided into two types: for more information, see the "Data Collection Tasks" section on page 15-5 and the "Other Background Tasks" section on page 15-32.

Performing a Data Collection Task

Data collection tasks are data-set tasks that collect and organize information that might be useful for creating reports.

Note All tasks related to collecting data or any other background task are handled in a similar manner.

Step 1 Choose Administration > Background Tasks to display the Background Tasks page (see Figure 15-1). This page displays the following information:

•Enabled—Whether the tasks have been enabled or disabled.

•Interval—Indicates the time period (in minutes) between task executions. You can set the interval from the data collection configuration page for the task.

•Status—The present state of the task.

•Data Aggregation (Data Collection Tasks only)—If set to Yes, the data set combines data.

•Non-Aggregation Data Retain Period (Days) (Data Collection Tasks only)—The number of days that the non-aggregated data is retained. You can set the retention period from the data collection configuration page of the task.

•Last Execution Time—The time and date when the task was last run.

•Last Execution Status—The status after the last task was run.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the check box of the task you want to execute. From the Select a command drop-down list, choose Execute Now, and click Go.

•Enable the task.

Select the check box of the task you want to enable. From the Select a command drop-down list, choose Enable Task, and click Go. The task changes from dimmed to available after enabling is complete.

•Disable the task.

Select the check box of the task you want to disable. From the Select a command drop-down list, choose Disable Task, and click Go. The task is dimmed after the disabling is complete.

•View details of a task.

Click a URL in the Data Collection Tasks or Other Background Tasks column to view a specific task. The details on that task appear. Data collections are data-set tasks that collect and organize a specific type of information useful for creating reports. For more information on the various Data Collection Tasks, see "Data Collection Tasks" section on page 15-5.

To access the configuration page of a data set, select the name of the data set in the Data Collection page. Each data set configuration page displays a table of the executions of the data set. The table has following columns:

•Executed task information includes the following:

–Last Execution Start Time—Indicates the date and time that the data-set task began running.

–End Time—Indicates the date and time that the data-set task stopped running.

–Elapsed Time (secs)—Indicates the amount of time (in seconds) it took to complete the task.

–Result—Indicates the success or failure of the task.

–Additional Information—Provides any additional information regarding a specific task.

Each data set configuration page contains the following parameters and information in the Collection Set Details group box:

•Description—Provides a brief display only description of the data set.

•Data Aggregation—Indicates whether or not data collected by the data set is aggregated.

•Used By Report(s)—Displays names of the reports that use the data set.

–CleanAir Air Quality—This data set is used for Worst Air Quality APs and Air Quality versus Time reports.

–Interferers—This data set us used for Worst Interferers reports.

•Collection Status—Select the Enabled check box to enable data collection.

Interval (min.)—Enter the time (in minutes) for the data set execution interval. The valid value is 1 to 120 minutes.

Each data set configuration page contains the following parameters in the Data Management group box:

•Non-Aggregation Data Retain Period (Days)—Enter the number of days to retain non-aggregated data collected by the data set. The valid value is 1 to 31 days.

•Retain Aggregation Raw Data—Select the Enable check box to enable the retention of aggregated raw data.

Note The Aggregation Raw Data Retain Period setting is for polled raw data. To configure the retention period for aggregated trend data, choose Administration > Settings, then choose Data Management from the left sidebar menu.

Note See the "Configuring Auto Provisioning for Controllers" section on page 9-230 for more information on aggregated and non-aggregated data.

Note For this example, performing an NCS server backup was selected as the task. The information entered in the fields for each page vary based on the task you choose.

Step 3 Select the Enabled check box.

Step 4 Select the Report History Backup check box.

Step 5 In the Max Backups to Keep text box, enter the maximum number of backup files to save on the server.

Range: 7 to 50

Default: 7

Note To prevent the NCS platform from running out of disk space, the server automatically deletes old backup files when the number of files exceeds the value entered for this text box.

Step 6 In the Interval (Days) text box, enter the number of days between each backup. For example, 1 = a daily backup, 2 = a backup every other day, 7 = a weekly backup, and so on.

Range: 1 to 360

Default: 7

Step 7 In the Time of Day text box, enter the backup start time. It must be in this format: hh:mm AM/PM (for example: 03:00 AM). If no AM/PM notation is designated, the entered hour is always AM. If you want to specify 5PM, you can enter 17:00 or 5:00 PM. When the page is revisited after saving, the time is displayed as hh:mm (in this case 17:00), without the PM designation.

Note Backing up a large database affects the performance of the NCS server. Therefore, we recommend that you schedule backups to run when the NCS server is idle (for example, in the middle of the night).

Step 8 Click Submit to save your settings. The backup file is saved as a .zip file in the ftp-install-dir/ftp-server/root/NCSBackup directory using this format: dd-mmm-yy_ hh-mm-ss.zip
(for example, 11-Nov-05_10-30-00.zip).

Data Collection Tasks

Table 15-1 lists and describes the various data collection tasks in the NCS.

Performing Other Background Tasks

You can also perform other background tasks using the NCS Administration.

This section contains the procedures for the other NCS background tasks and contains the following topics:

•Viewing Appliance Status, page 15-7

•Viewing Autonomous AP Client Status, page 15-8

•Viewing Autonomous AP Operational Status, page 15-9

•Performing a Configuration Sync, page 15-10

•Viewing Lightweight Client Status, page 15-12

•Viewing Controller Configuration Backup Status, page 15-13

•Viewing Controller Operational Status, page 15-15

•Viewing Data Cleanup Status, page 15-16

•Performing Device Data Collection, page 15-16

•Performing Guest Accounts Sync, page 15-17

•Viewing Identity Services Engine Status, page 15-18

•Updating License Status, page 15-19

•Lightweight AP Operational Status, page 15-21

•Lightweight AP Client Status, page 15-22

•Performing Location Appliance Backup, page 15-23

•Viewing Location Appliance Status, page 15-24

•Performing Location Appliance Synchronization, page 15-25

•Performing NCS Server Backup, page 15-26

•Viewing OSS Server Status, page 15-27

•Viewing the Switch NMSP and Location Status, page 15-28

•Viewing Switch Operational Status, page 15-29

•Performing wIPS Alarm Synchronization, page 15-30

•Wired Client Status, page 15-31

For more information on the other background tasks, see the "Other Background Tasks" section on page 15-32.

Viewing Appliance Status

To view the appliance status, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the Appliance Status check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the Appliance Status check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the Appliance Status check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task is dimmed in the Enabled column after the disabling is complete.

Step 3 To modify the task, click the Appliance Status link in the Background Tasks column. The Task > Appliance Status page appears.

Step 4 Click the background task in the Task column to open the task details page.

The Appliance Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time (in seconds) of the task.

–Result—Success or error.

–Message—Text message regarding this task.

Step 5 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select the check box to enable this task.

•Interval—Indicates the frequency (in minutes) of the task.

Step 6 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Viewing Autonomous AP Client Status

To view the Autonomous AP Client Status page, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the Autonomous AP Client Status check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the Autonomous AP Client Status check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the Autonomous AP Client Status check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task is dimmed in the Enabled column after the disabling is complete.

Step 3 To modify the task, click the Autonomous AP Client Status link in the Background Tasks column. The Task > Autonomous AP Client Status page appears.

Step 4 Click the background task in the Task column to open the task details page.

The Autonomous AP Client Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time (in seconds) of the task.

–Result—Success or error.

–Message—Text message regarding this task.

Step 5 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select the check box to enable this task.

•Interval—Indicates the frequency (in minutes) of the task.

Step 6 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Viewing Autonomous AP Operational Status

To view the Autonomous AP Operational Status page, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the Autonomous AP Operational Status check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the Autonomous AP Operational Status check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the Autonomous AP Operational Status check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task is dimmed in the Enabled column after the disabling is complete.

Step 3 To modify the task, click the Autonomous AP Operational Status link in the Background Tasks column. The Task > Autonomous AP Operational Status page appears.

Step 4 Click the background task in the Task column to open the task details page.

The Appliance Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time (in seconds) of the task.

–Result—Success or error.

–Message—Text message regarding this task.

Step 5 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select the check box to enable this task.

•Interval—Indicates the frequency (in minutes) of the task.

Step 6 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Performing a Configuration Sync

To perform a configuration sync, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the Configuration Sync check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the Configuration Sync check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the Configuration Sync check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task is dimmed in the Enabled column after the disabling is complete.

Step 3 To modify the task, click the Configuration Sync link in the Background Tasks column. The Task > Configuration Sync page appears (see Figure 15-2).

Figure 15-2 Task > Configuration Sync

Step 4 Click the background task in the Task column to open the task details page.

The Configuration Sync page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time (in seconds) of the task.

–Result—Success, warning, or error.

–Message—Text message regarding this task.

Note If the Result is a Warning and the Message appears as Failed, the device is unreachable.

Step 5 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Used By Report(s)—Indicates the NCS reports that use these task results.

•Enabled—Select the check box to enable this task.

•Network Audit—Select the check box to enable the secondary network audit.

•Security Index Calculation—Select the check box to enable security index calculation. The Security Index is available in the Monitor > Security page.

•RRM Audit—Select the check box to enable an RRM audit.

Note The controller audit finds the discrepancies between the values in the NCS database with the device.

Note To query the SNMP values from the device, you can use the https://<NCS-IP>/webacs/manObjDiagQueryAction.do URL in the NCS.

Note The Network Audit audits all controllers in the network, and also runs the RRM audit and Security audit. These options are selectable from the Administration > Background Tasks > Other Background Tasks > Configuration Sync page.

•Time of Day (hh:mm AM|PM)—Indicate the time of day (AM or PM) for the execution of this task.

Note Time of Day (hh:mm AM|PM) must be in this format: hh:mm AM/PM (for example: 03:00 AM). If no AM/PM notation is designated, the entered hour is always AM. If you want to specify 5PM, you can enter 17:00 or 5:00 PM. When the page is revisited after saving, the time is displayed as hh:mm (in this case 17:00), without the PM designation.

Step 6 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Viewing Lightweight Client Status

Choose Administration > Background Tasks, then click Lightweight Client Status to access this page.

This page enables you to view the history and current status of lightweight client status polling backups.

In the Administration > Background Tasks page, you can execute, enable, or disable this task. To execute, enable, or disable this task from the Administration > Background Tasks page, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 Select the check box(es) of the Background Task(s) that you want to execute, enable, or disable.

Step 3 Use the Select a command drop-down list to perform one of the following tasks:

•Execute the task now—Select the check box of the task you want to execute. From the Select a command drop-down list, choose Execute Now, and click Go. The status changes in the Enabled column.

or

•Enable the task—Select the check box of the task you want to enable. From the Select a command drop-down list, choose Enable Task, and click Go.

or

•Disable the task—Select the check box of the task you want to disable. From the Select a command drop-down list, choose Disable Task, and click Go.

To modify the task, follow these steps:

Step 1 Click the background task in the Task column to open the task details page.

The Lightweight Client Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 2 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Indicates the frequency (in days) of the task.

Step 3 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Viewing Controller Configuration Backup Status

Choose Administration > Background Tasks, then click Controller Configuration Backup to access this page.

This page enables you to view the history and current status of Cisco WLAN Solution configuration backups.

From the Administration > Background Tasks page, you can execute, enable, or disable this task. To execute, enable, or disable this task from the Administration > Background Tasks page, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 Select the check box(es) of the Background Task(s) that you want to execute, enable, or disable.

Step 3 Use the Select a command drop-down list to perform one of the following tasks:

•Execute the task now—Select the check box of the task you want to execute. From the Select a command drop-down list, choose Execute Now, and click Go. The status changes in the Enabled column.

or

•Enable the task—Select the check box of the task you want to enable. From the Select a command drop-down list, choose Enable Task, and click Go.

or

•Disable the task—Select the check box of the task you want to disable. From the Select a command drop-down list, choose Disable Task, and click Go.

To modify the task, follow these steps:

Step 1 Click the background task in the Task column to open the task details page.

The Controller Configuration Backup page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 2 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Indicates the frequency (in days) of the task.

•Time of Day (hh:mm AM|PM)

Note Time of Day (hh:mm AM|PM) must be in this format: hh:mm AM/PM (for example: 03:00 AM). If no AM/PM notation is designated, the entered hour is always AM. If you want to specify 5PM, you can enter 17:00 or 5:00 PM. When the page is revisited after saving, the time is displayed as hh:mm (in this case 17:00), without the PM designation.

•TFTP Server or FTP Server—Select either of the following:

–TFTP Server—If you select TFTP Server, choose the server or Default Server from the drop-down list.

–FTP Server—If you select FTP Server, choose the server or Default Server from the drop-down list, enter the FTP Username, FTP Password and FTP port information in the respective text box.

Note TFTP must be enabled in Administration > Settings > Server Settings for 'Default Server' options. For more information, see the "Configuring Server Settings" section on page 15-71.

Note The Server drop-down list is populated with the server names only if you add FTP or TFTP servers in the NCS. To add an FTP or TFTP server, see the "Configuring TFTP or FTP Servers" section on page 9-247.

Step 3 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Viewing Controller Operational Status

Device status polls controller reachability and WiSM peer information.

Choose Administration > Background Tasks, then click Controller Operational Status to access this page.

From the Administration > Background Tasks page, you can execute, enable, or disable this task. To execute, enable, or disable Controller Operational Status task from the Administration > Background Tasks page, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 Select the check box(es) of the Background Task(s) that you want to execute, enable, or disable.

Step 3 Use the Select a command drop-down list to perform one of the following tasks:

•Execute the task now—Select the Controller Operational Status check box to execute. From the Select a command drop-down list, choose Execute Now, and click Go. The status changes in the Enabled column.

or

•Enable the task—Select the Controller Operational Status check box. From the Select a command drop-down list, choose Enable Task, and click Go.

or

•Disable the task—Select the Controller Operational Status check box. From the Select a command drop-down list, choose Disable Task, and click Go.

To modify the Controller Operational Status task, follow these steps:

Step 1 Click the Controller Operational Status background task in the Task column to open the task details page.

The Controller Operational Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 2 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Indicates the frequency (in minutes) of the task.

Step 3 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Viewing Data Cleanup Status

Choose Administration > Background Tasks, then click Database Cleanup to access this page.

This page enables you to view the history and current status of Cisco WLAN Solution database cleanups.

To modify this task, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 Click the background task in the Task column to open the task details page.

The Data Cleanup page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 3 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Time of Day (hh:mm AM|PM)

Note Time of Day (hh:mm AM|PM) must be in this format: hh:mm AM/PM (for example: 03:00 AM). If no AM/PM notation is designated, the entered hour is always AM. If you want to specify 5PM, you can enter 17:00 or 5:00 PM. When the page is revisited after saving, the time is displayed as hh:mm (in this case 17:00), without the PM designation.

Step 4 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Performing Device Data Collection

To perform a device data collection, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the Device Data Collection check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the Device Data Collection check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the Device Data Collection check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task is dimmed in the Enabled column after the disabling is complete.

Step 3 To modify the task, click the Device Data Collection link in the Background Tasks column. The Task > Device Data Collector page appears.

Step 4 Click the background task in the Task column to open the task details page.

The Device Data Collector page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time (in seconds) of the task.

–Result—Success or error.

–Message—Text message regarding this task.

Step 5 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select the check box to enable this task.

•Controller IP address—The IP address of the controller to collect data from.

•CLI Commands—Enter the command-line interface commands separated by comma, which you would want to run on the specified controller.

•Clean Start—Select or unselect this check box to enable or disable a clean start before data collection.

•Repeat—Enter the number of times you would want the data collection to happen.

•Interval—Enter the interval, in days, that you would want the data collection to happen. The valid range is 1 to 360 days.

Step 6 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Performing Guest Accounts Sync

Choose Administration > Background Tasks, then click Guest Accounts Sync to access this page.

This page enables you to view the history and current status of Guest Accounts Synchronization tasks.

From the Administration > Background Tasks page, you can execute, enable, or disable this task. To execute, enable, or disable this task from the Administration > Background Tasks page, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 Select the check box(es) of the Background Task(s) that you want to execute, enable, or disable.

Step 3 Use the Select a command drop-down list to perform one of the following tasks:

•Execute the task now—Select the check box of the task you want to execute. From the Select a command drop-down list, choose Execute Now, and click Go. The status changes in the Enabled column.

or

•Enable the task—Select the check box of the task you want to enable. From the Select a command drop-down list, choose Enable Task, and click Go.

or

•Disable the task—Select the check box of the task you want to disable. From the Select a command drop-down list, choose Disable Task, and click Go.

To modify the task, follow these steps:

Step 1 Click the background task in the Task column to open the task details page.

The Guest Accounts Synchronization page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 2 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Indicates the frequency (in days) of the task.

•Time of Day (hh:mm AM|PM)

Note Time of Day (hh:mm AM|PM) must be in this format: hh:mm AM/PM (for example: 03:00 AM). If no AM/PM notation is designated, the entered hour is always AM. If you want to specify 5PM, you can enter 17:00 or 5:00 PM. When the page is revisited after saving, the time is displayed as hh:mm (in this case 17:00), without the PM designation.

Step 3 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Viewing Identity Services Engine Status

To update the identity services engine status, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the Identity Services Engine Status check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the Identity Services Engine Status check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the Identity Services Engine Status check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task converts from dimmed to available in the Enabled column after the disabling is complete.

Step 3 To modify the Identity Services Engine Status task, click the Identity Services Engine Status link in the Background Tasks column. The Identity Services Engine Status page appears.

Step 4 Click the Identity Services Engine Status background task in the Task column to open the task details page.

Step 5 The Identity Services Engine Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 6 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Indicates the frequency (in days) of the task.

Step 7 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Updating License Status

To update the license status, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the License Status check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the License Status check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the License Status check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task converts from dimmed to available in the Enabled column after the disabling is complete.

Step 3 To modify the controller license reset task, click the License Status link in the Background Tasks column. The License Status page appears (see Figure 15-3).

Figure 15-3 License Status Page

This page shows when the latest license resynchronizations occurred. By default, it runs every 4 hours. From this page, you can disable this task or change the interval.

Step 4 Click the background task in the Task column to open the task details page.

Step 5 The License Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 6 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable the task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Indicates the frequency (in days) of the task.

Step 7 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Lightweight AP Operational Status

To view the Lightweight AP Operational status, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the Lightweight AP Operational Status check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the Lightweight AP Operational Status check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the Lightweight AP Operational Status check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task converts from dimmed to available in the Enabled column after the disabling is complete.

Step 3 To modify the controller license reset task, click the Lightweight AP Operational Status link in the Background Tasks column. The License Status page appears.

Step 4 Click the background task in the Task column to open the task details page.

Step 5 The Lightweight AP Operational Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 6 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable the task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Indicates the frequency (in days) of the task.

Step 7 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Lightweight AP Client Status

To view the Lightweight AP Client status, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the Lightweight AP Client Status check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the Lightweight AP Client Status check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the Lightweight AP Client Status check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task converts from dimmed to available in the Enabled column after the disabling is complete.

Step 3 To modify the controller license reset task, click the Lightweight AP Client Status link in the Background Tasks column. The License Status page appears.

Step 4 Click the background task in the Task column to open the task details page.

Step 5 The Lightweight AP Client Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 6 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Indicates the frequency (in days) of the task.

Step 7 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Performing Location Appliance Backup

Choose Administration > Background Tasks, then click Location Appliance Backup to access this page.

This page enables you to schedule a backup of the mobility services engine database.

From the Administration > Background Tasks page, you can execute, enable, or disable this task. To execute, enable, or disable this task from the Administration > Background Tasks page, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 Select the check box(es) of the Background Task(s) that you want to execute, enable, or disable.

Step 3 Use the Select a command drop-down list to perform one of the following tasks:

•Execute the task now—Select the check box of the task you want to execute. From the Select a command drop-down list, choose Execute Now, and click Go. The status changes in the Enabled column.

or

•Enable the task—Select the check box of the task you want to enable. From the Select a command drop-down list, choose Enable Task, and click Go.

or

•Disable the task—Select the check box of the task you want to disable. From the Select a command drop-down list, choose Disable Task, and click Go.

To modify the task, follow these steps:

Step 1 Click the background task in the Task column to open the task details page.

The Mobility Service Backup page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 2 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Max backups to keep—Enter the maximum number of location backups to be kept on the backup server.

•Interval (days)—Enter the frequency of backup.

•Time of the Day (hh:mm AM/PM)—Enter the time at which the backup starts on the scheduled day.

Note Time of Day (hh:mm AM|PM) must be in this format: hh:mm AM/PM (for example: 03:00 AM). If no AM/PM notation is designated, the entered hour is always AM. If you want to specify 5PM, you can enter 17:00 or 5:00 PM. When the page is revisited after saving, the time is displayed as hh:mm (in this case 17:00), without the PM designation.

•When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Viewing Location Appliance Status

Choose Administration > Background Tasks, then click Location Appliance Status to access this page.

This page displays the status of the mobility services engine.

From the Administration > Background Tasks page, you can execute, enable, or disable this task. To execute, enable, or disable this task from the Administration > Background Tasks page, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 Select the check box(es) of the Background Task(s) that you want to execute, enable, or disable.

Step 3 Use the Select a command drop-down list to perform one of the following tasks:

•Execute the task now—Select the check box of the task you want to execute. From the Select a command drop-down list, choose Execute Now, and click Go. The status changes in the Enabled column.

or

•Enable the task—Select the check box of the task you want to enable. From the Select a command drop-down list, choose Enable Task, and click Go.

or

•Disable the task—Select the check box of the task you want to disable. From the Select a command drop-down list, choose Disable Task, and click Go.

To modify the task, follow these steps:

Step 1 Click the background task in the Task column to open the task details page.

The Mobility Service Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 2 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval (days)—Enter the frequency of backup.

Step 3 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Performing Location Appliance Synchronization

Choose Administration > Background Tasks, then click Location Appliance Synchronization to access this page.

This page enables you to synchronize mobility services engine(s).

From the Administration > Background Tasks page, you can execute, enable, or disable this task. To execute, enable, or disable this task from the Administration > Background Tasks page, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 Select the check box(es) of the Background Task(s) that you want to execute, enable, or disable.

Step 3 Use the Select a command drop-down list to perform one of the following tasks:

•Execute the task now—Select the check box of the task you want to execute. From the Select a command drop-down list, choose Execute Now, and click Go. The status changes in the Enabled column.

or

•Enable the task—Select the check box of the task you want to enable. From the Select a command drop-down list, choose Enable Task, and click Go.

or

•Disable the task—Select the check box of the task you want to disable. From the Select a command drop-down list, choose Disable Task, and click Go.

To modify the task, follow these steps:

Step 1 Click the background task in the Task column to open the task details page.

The Mobility Service Synchronization page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 2 View or modify the following in the Edit Task group box:

–Description—Display only. Displays the name of the task.

–Out of Sync Alerts—When enabled, this generates minor alarms when location server is not synchronized with the NCS changes that you have made.

–Auto Synchronization—Use this setting to enable auto synchronization of the location server. This ensures that when you make changes to the NCS, the location server auto synchronizes with the changes.

–Interval (minutes)—Specify the auto synchronization interval.

Step 3 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Performing NCS Server Backup

Choose Administration > Background Tasks, then click NCS Server Backup to access this page.

This page enables you to schedule a backup of the NCS server.

From the Administration > Background Tasks page, you can execute, enable, or disable this task. To execute, enable, or disable this task from the Administration > Background Tasks page, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 Select the check box(es) of the Background Task(s) that you want to execute, enable, or disable.

Step 3 Use the Select a command drop-down list to perform one of the following tasks:

•Execute the task now—Select the check box of the task you want to execute. From the Select a command drop-down list, choose Execute Now, and click Go. The status changes in the Enabled column.

or

•Enable the task—Select the check box of the task you want to enable. From the Select a command drop-down list, choose Enable Task, and click Go.

or

•Disable the task—Select the check box of the task you want to disable. From the Select a command drop-down list, choose Disable Task, and click Go.

To modify the task, follow these steps:

Step 1 Click the background task in the Task column to open the task details page.

The NCS Server Backup page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 2 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Report History Backup—Select the check box to enable the NCS to back up report histories.

•Max Backups to Keep—Enter the maximum number of NCS server backups to be kept on the backup server.

•Backup Repository—Select an existing backup repository or click Create to create a new backup repository.

•Interval (days)—Enter a value between 1 and 360. The NCS server data is backed up every n days, where n is the value that you have specified in this field.

•Time of the Day (hh:mm AM/PM)—Enter the time at which the backup starts on the scheduled day.

Note Time of Day (hh:mm AM|PM) must be in this format: hh:mm AM/PM (for example: 03:00 AM). If no AM/PM notation is designated, the entered hour is always AM. If you want to specify 5PM, you can enter 17:00 or 5:00 PM. When the page is revisited after saving, the time is displayed as hh:mm (in this case 17:00), without the PM designation.

•When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Viewing OSS Server Status

To view the OSS Server status, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the OSS Server Status check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the OSS Server Status check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the OSS Server Status check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task converts from dimmed to available in the Enabled column after the disabling is complete.

Step 3 To modify the controller license reset task, click the OSS Server Status link in the Background Tasks column. The OSS Server Status page appears.

Step 4 Click the background task in the Task column to open the task details page.

Step 5 The OSS Server Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 6 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Indicates the frequency (in days) of the task.

Step 7 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Viewing the Switch NMSP and Location Status

You can view the Switch NMSP and Location Status using the Switch NMSP and Location Status option under Cisco NCS Administration.

To view the Switch NMSP and Location Status, follow these steps:

Step 1 Choose NCS > Administration > Background Tasks.

Step 2 From the Other Background Tasks table, click the Switch NMSP and Location Status link.

The Switch NMSP and Location Status page appears.

The Switch NMSP and Location Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 3 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval (hours)—Enter the frequency of backup.

Step 4 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Viewing Switch Operational Status

To view the Switch Operational status, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the Switch Operational Status check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the Switch Operational Status check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the Switch Operational Status check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task converts from dimmed to avaialble in the Enabled column after the disabling is complete.

Step 3 To modify the Switch Operational Status task, click the Switch Operational Status link in the Background Tasks column. The Switch Operational Status page appears.

Step 4 Click the background task in the Task column to open the task details page.

Step 5 The Switch Operational Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 6 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Indicates the frequency (in days) of the task.

Step 7 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Performing wIPS Alarm Synchronization

To perform wIPS Alarm Synchronization, follow these steps :

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the wIPS Alarm Sync check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the wIPS Alarm Sync check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the wIPS Alarm Sync check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task converts from dimmed to available in the Enabled column after the disabling is complete.

Step 3 To modify the wIPS Alarm Sync task, click the wIPS Alarm Sync link in the Background Tasks column. The wIPS Alarm Sync page appears.

Step 4 Click the background task in the Task column to open the task details page.

Step 5 The wIPS Alarm Sync page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 6 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Indicates the frequency (in days) of the task.

Step 7 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Wired Client Status

To view the Wired Client status, follow these steps:

Step 1 Choose Administration > Background Tasks.

Step 2 In this page, perform one of the following:

•Execute the task now.

Select the Wired Client Status check box. From the Select a command drop-down list, choose Execute Now, and click Go. You see the status change in the Enabled column.

or

•Enable the task.

Select the Wired Client Status check box. From the Select a command drop-down list, choose Enable Task, and click Go. The task converts from dimmed to available in the Enabled column.

or

•Disable the task.

Select the Wired Client Status check box. From the Select a command drop-down list, choose Disable Task, and click Go. The task converts from dimmed to available in the Enabled column after the disabling is complete.

Step 3 To modify the Wired Client Status task, click the Wired Client Status link in the Background Tasks column. The Wired Client Status page appears.

Step 4 Click the background task in the Task column to open the task details page.

Step 5 The Wired Client Status page displays the following information:

•Last Execution Information

–Start and end times.

–Elapsed time in seconds.

–Result—Success or error.

–Message—Text message regarding the task execution.

Step 6 View or modify the following in the Edit Task group box:

•Description—Display only. Displays the name of the task.

•Enabled—Select this check box to enable this task.

Note If the Enabled check box is not selected, the task is not executed at the specified time.

•Interval—Enter the interval, in hours, that you want the wired client status polling to happen. The valid range is 1 to 8640 hours.

•Major Polling—Specify two time periods at which you want the major pollings to happen. Valid format: hh:mm AM|PM. Example: 12:49 AM.

For wired clients, the NCS polls managed switches at regular interval to discover new clients or changes to the existing clients. To find this, the NCS caches the last change time of the interface. In the next poll, it checks the new value of the change time of the interface with the cached value to determine whether there is any change on any interface. Then polling happens only for the interfaces where there is a change. If there is no change on an interface between the polling, no polling happens for that interface. When polling happens during major polling schedule, a complete polling is done irrespective of whether there is a change on the interface or not. The reason for having major and minor polling is because, polling the switches for wired clients on all interfaces is expensive and resource-intensive for the NCS and switches. So then, the major polling happens only twice a day.

Step 7 When finished, click Submit to confirm task changes or Cancel to return to the Administration > Background Tasks page with no changes made.

Other Background Tasks

Table 15-2 describes the other background tasks that are available in the NCS:

Configuring a Virtual Domain

An NCS Virtual Domain consists of a set of NCS devices and/or maps and restricts the user view to information relevant to these managed objects.

Through a virtual domain, an administrator can ensure that users are only able to view the devices and maps for which they are responsible. In addition, because of the virtual domain filters, users are able to configure, view alarms, and generate reports for only their assigned part of the network.

Note The following elements can be partitioned in a virtual domain: maps, controllers, access points, templates, and config groups.
The following cannot be partitioned in a virtual domain (and are only available from the root partition: Google Earth Maps, Auto Provisioning, and Mobility Services).

The administrator specifies a set of allowed virtual domains for each user. Only one of these can be active for that user at login. The user can change the current virtual domain by choosing a different allowed virtual domain from the Virtual Domain drop-down list. All reports, alarms, and other functionality are now filtered by that virtual domain.

In the NCS Release 1.0 and later, you are required to add a virtual domain in ACS when exporting the task list to ACS. This might be the default ROOT-DOMAIN virtual domain. If you do not add a virtual domain to ACS then you are not permitted to log in. This applies regardless of whether you have a single or multiple domains.

Use the Administration > Virtual Domain page to create, edit, delete, import, or export virtual domains. Each virtual domain might contain a subset of the elements included with its parent virtual domain. You can assign additional maps, controllers, access points, and switches to the new virtual domain. See the "Managing a Virtual Domain" section on page 15-47 for more information on managing virtual domains.

The following buttons are available in the Virtual Domain page:

•New—Click to create a new virtual domain. See the "Creating a New Virtual Domain" section on page 15-46 for more information.

•Delete—Click to delete the selected virtual domain from the hierarchy.

•Import—Click to import a CSV file.

•Export—Click to configure custom attributes for the selected virtual domain. See the "Virtual Domain RADIUS and TACACS+ Attributes" section on page 15-49 for more information.

This section contains the following topics:

•Understanding Virtual Domain Hierarchy, page 15-42

•Creating a New Virtual Domain, page 15-46

•Managing a Virtual Domain, page 15-47

•Virtual Domain RADIUS and TACACS+ Attributes, page 15-49

•Understanding Virtual Domains as a User, page 15-50

Understanding Virtual Domain Hierarchy

Virtual domains are organized hierarchically. Subsets of an existing virtual domain contain the network elements that are contained in the parent virtual domain.

Note The default or "ROOT-DOMAIN" domain includes all virtual domains.

Because network elements are managed hierarchically, some features and components such as report generation, searches, templates, config groups, and alarms are affected.

Note If you create a virtual domain with only access points and no controllers assigned, you lose some ability to choose controller-based features. For example, some options require you to drill down from controller to access points. Because controllers are not in the virtual domain, you are not able to generate associated reports. If you create a partition with only a few controllers, choose Configure > Access Points, and click an individual link in the AP Name column, the complete list of NCS-assigned controllers is displayed for primary, secondary, and tertiary controllers rather than the limited number specified in the partition.

Note If the configuration of a controller is modified by multiple virtual domains, complications might arise. To avoid this, manage each controller from only one virtual domain at a time.

This section describes the effects of partitioning and contains the following topics:

•Reports, page 15-43

•Search, page 15-43

•Alarms, page 15-44

•Templates, page 15-44

•Config Groups, page 15-44

•Maps, page 15-44

•Access Points, page 15-45

•Controllers, page 15-46

•Email Notification, page 15-46

Reports

Reports only include components assigned to the current virtual domain. For example, if you create a virtual domain with only access points and no controllers assigned, all controllers are not displayed when you generate a controller inventory report.

If you create a virtual domain with only access points and no controllers assigned, you lose some ability to choose controller-based features. For example, some options require you to drill down from controller to access points. Because controllers are not in the virtual domain, you are not able to generate associated reports.

Note Reports are only visible in the current virtual domain. The parent virtual domain cannot view the reports from its subvirtual domain.

Client reports such as Client Count only include clients that belong to the current virtual domain.

Note If new clients are assigned to this partition by the administrator, the previous reports do not reflect these additions. Only new reports reflect the new clients.

Search

Search results only include components that are assigned to the virtual domain in which the search is performed. Search results do not display floor areas when the campus is not assigned to the virtual domain.

Note The saved searches are only visible in the current virtual domain. The parent virtual domain cannot view these search results.

Note The NCS does not partition network lists. If you search a controller by network list, all controllers are returned.

Note Search results do not display floor areas when the campus is not assigned to the virtual domain.

Alarms

When a component is added to a virtual domain, no previous alarms for that component are visible to that virtual domain. Only newly-generated alarms are visible. For example, when a new controller is added to a virtual domain, any alarms generated for that controller prior to its addition do not appear in the current virtual domain.

Alarms are not deleted from a virtual domain when the associated controllers or access points are deleted from the same virtual domain.

Note Alarm Email Notifications—Only the ROOT-DOMAIN virtual domain can enable Location Notifications, Location Servers, and NCS e-mail notification.

Templates

When you create or discover a template in a virtual domain, it is only available to that virtual domain unless it is applied to a controller. If it is applied to a controller and that controller is assigned to a subvirtual domain, the template stays with the controller in the new virtual domain.

Note If you create a subvirtual domain and then apply a template to both network elements in the virtual domain, the NCS might incorrectly reflect the number of partitions to which the template was applied.

Config Groups

Config groups in a virtual domain can also be viewed by the parent virtual domain. A parent virtual domain can modify config groups for a sub (child) virtual domain. For example, the parent virtual domain can add or delete controllers from a subvirtual domain.

Maps

You can only view the maps that your administrator assigned to your current virtual domain.

•When a campus is assigned to a virtual domain, all buildings in that campus are automatically assigned to the same virtual domain.

•When a building is assigned to a virtual domain, it automatically includes all of the floors associated with that building.

•When a floor is assigned, it automatically includes all of the access points associated with that floor.

Note If only floors are assigned to a virtual domain, you lose some ability to choose map-based features. For example, some reports and searches require you to drill down from campus to building to floor. Because campuses and buildings are not in the virtual domain, you are not able to generate these types of reports or searches.

Note Coverage areas shown in the NCS are only applied to campuses and buildings. In a floor-only virtual domain, the NCS does not display coverage areas.

Note If a floor is directly assigned to a virtual domain, it cannot be deleted from the virtual domain which has the building to which the floor belongs.

Note Search results do not display floor areas when the campus is not assigned to the virtual domain.

Access Points

When a controller or map is assigned to a virtual domain, the access points associated with the controller or map are automatically assigned as well. Access points can also be assigned manually (separate from the controller or map) to a virtual domain.

Note If the controller is removed from the virtual domain, all of its associated access points are also removed. If an access point is manually assigned, it remains assigned even if its associated controller is removed from the current virtual domain.

Note If you create a virtual domain with only access points and no controllers assigned, you lose some ability to choose controller-based features. For example, some options require you to drill down from controller to access points. Because controllers are not in the virtual domain, you are not able to generate associated reports.

Note If a manually added access point is removed from a virtual domain but is still associated with a controller or map that is assigned to the same virtual domain, the access point remains visible in the virtual domain. Any alarms associated with this access point are not deleted with the deletion of the access point.

Note When maps are removed from a virtual domain, the access points on the maps can be removed from the virtual domain.

Note If you later move an access point to another partition, some events (such as generated alarms) might reside in the original partition location.

Note Rogue access point partitions are associated with one of the detecting access points (the one with the latest or strongest RSSI value). If there is detecting access point information, the NCS uses the detecting controller.
If the rogue access point is detected by two controllers which are in different partitions, the rogue access point partition might be changed at any time.

Controllers

Because network elements are managed hierarchically, controllers might be affected by partitioning. If you create a virtual domain with only access points and no controllers assigned, you lose some ability to choose controller-based features. For example, some options require you to drill down from controller to access points. Because controllers are not in the virtual domain, you are not able to generate associated reports.

If you create a partition with only a few controllers, choose Configure > Access Points, and click an individual link in the AP Name column, the complete list of NCS-assigned controllers is displayed for primary, secondary, and tertiary controllers rather than the limited number specified in the partition.

Note If a controller configuration is modified by multiple virtual domains, complications might arise. To avoid this, manage each controller from only one virtual domain at a time.

Email Notification

E-mail notification can be configured per virtual domain. An e-mail is sent only when alarms occur in that virtual domain.

Creating a New Virtual Domain

Note See the "Managing a Virtual Domain" section on page 15-47 for more information.

To create a new virtual domain, follow these steps:

Step 1 Choose Administration > Virtual Domains.

Step 2 From the Virtual Domain Hierarchy left sidebar menu, select the virtual domain to which you want to add a sub (child) virtual domain.

Note The selected virtual domain becomes the parent virtual domain of the newly created subvirtual domain.

Step 3 Click New (see Figure 15-4).

The Virtual Domain Creation pop-up dialog box appears.

Figure 15-4 Virtual Domains

Step 4 Enter the virtual domain name in the text box.

Step 5 Click Submit to create the virtual domain or Cancel to close the pop-up dialog box with no changes.

Note Each virtual domain might contain a subset of the elements included with its parent virtual domain. When a user is assigned a virtual domain, that user might view the same maps, controllers, and access points that are assigned to its parent virtual domain.

Note To modify or update a current virtual domain name or description, choose Administration > Virtual Domains. From the Virtual Domain Hierarchy left sidebar menu, choose the virtual domain you want to edit.

Managing a Virtual Domain

Choose a virtual domain from the Virtual Domain Hierarchy on the left sidebar menu to view or edit its assigned maps, controllers, access points, and switches. The Summary page appears. This page includes tabs for viewing the currently logged-in virtual domain-available maps, controllers, access points, and switches.

Note Because all maps, controllers, and access points are included in the partition tree, this page takes several seconds to load.

The Maps, Controllers, Access Points, and Switches tabs are used to add or remove components assigned to this virtual domain.

To assign a map, controller, or access point to this domain, follow these steps:

Step 1 Choose Administration > Virtual Domains.

Step 2 Choose a virtual domain hierarchy from the Virtual Domain Hierarchy left sidebar menu.

Note Because all maps, controllers, and access points are included in the partition tree, it takes several minutes to load. This time increases if you have a system with a significant number of controllers and access points.

Step 3 Click the applicable Maps, Controller, or Access Points tab.

Step 4 In the Available (Maps, Controllers, or Access Points) column, click to highlight the new component(s) you want to assign to the virtual domain.

Step 5 Click Add to move the component(s) to the Selected (Maps, Controllers, or Access Points) column (see Figure 15-5).

Figure 15-5 Virtual Domains Access Points Tab

Note To remove a component from the virtual domain, click to highlight the component in the Selected (Maps, Controllers, or Access Points) column, and click Remove. The component returns to the Available column.

Note If you delete a switch, a controller, or an autonomous AP from the ROOT-DOMAIN, the device is removed from the NCS. If the device is explicitly associated with the ROOT-DOMAIN or any other virtual domain that is not the child of the current virtual domain and if you delete the device from the current virtual domain, the device is removed from this virtual domain but it is not removed from the NCS.

Step 6 Click Submit to confirm the changes.

Note After assigning elements to a virtual domain and submitting the changes, the NCS might take some time to process these changes depending on how many elements are added.

Virtual Domain RADIUS and TACACS+ Attributes

The Virtual Domain Custom Attributes page allows you to indicate the appropriate protocol-specific data for each virtual domain. The Export button on the Virtual Domain Hierarchy left sidebar menu preformats the virtual domain RADIUS and TACACS+ attributes. You can copy and paste these attributes into the ACS server. This allows you to copy only the applicable virtual domains into the ACS server page and ensures that the users only have access to these virtual domains.

To apply the preformatted RADIUS and TACACS+ attributes to the ACS server, follow these steps:

Step 1 Choose Administration > Virtual Domains.

Step 2 From the Virtual Domain Hierarchy left sidebar menu, choose the virtual domain for which you want to apply the RADIUS and TACACS+ attributes.

Step 3 Click Export.

Step 4 Highlight the text in the RADIUS or TACACS+ Custom Attributes list (depending on which one you are currently configuring), go to menu of the browser, and choose Edit > Copy.

Step 5 Log in to ACS.

Step 6 Go to User or Group Setup.

Note If you want to specify virtual domains on a per-user basis, then you need to make sure you add all of the custom attributes (for example, tasks, roles, virtual domains) information to the User custom attribute page.

Step 7 For the applicable user or group, click Edit Settings.

Step 8 Use your browser Edit > Paste feature to place the RADIUS or TACACS+ custom attributes into the applicable field.

Step 9 Select the check boxes to enable these attributes.

Step 10 Click Submit + Restart.

Note For more information on adding RADIUS and TACACS+ attributes to the ACS server, see the "Adding NCS User Groups into ACS for TACACS+" section on page 15-105 or the "Adding NCS User Groups into ACS for RADIUS" section on page 15-109.

Understanding Virtual Domains as a User

When you log in, you can access any of the virtual domains that the administrator assigned to you.

Only one virtual domain can be active at login. You can change the current virtual domain by using the Virtual Domain drop-down list at the top of the page. Only virtual domains that have been assigned to you are available in the drop-down list.

When you select a different virtual domain from the drop-down list, all reports, alarms, and other functionality are filtered by the conditions of the new virtual domain.

Viewing Assigned Virtual Domain Components

To view all components (including maps, controllers, access points, and switches) assigned to the current virtual domain, choose Administration > Virtual Domains (see Figure 15-6). Click a link on the Summary tab to view the assigned components for your virtual domain.

Figure 15-6 Virtual Domains Summary Tab

Limited Menu Access

Non-ROOT-DOMAIN virtual domain users do not have access to the following NCS menus:

•Monitor > RRM

•Configure > Auto Provisioning

•Configure > ACS View Servers

•Mobility > Mobility Services

•Mobility > Synchronize Servers

•Administration > Background Tasks

•Administration > Settings

•Administration > User Preferences

•Tools > Voice Audit

•Tools > Config Audit

Configuring Administrative Settings

Settings contain options for managing the NCS data retention functions. This section describes the sets of options that are available and contains the following topics:

•Configuring Alarms, page 15-51

•Configuring an Audit, page 15-53

•Configuring Clients, page 15-55

•Configuring Protocols for CLI Sessions, page 15-58

•Configuring Controller Upgrade, page 15-58

•Configuring Data Management, page 15-59

•Configuring Guest Account Settings, page 15-61

•Configuring Login Disclaimer, page 15-62

•Configuring the Mail Server, page 15-62

•Configuring the Notification Receiver, page 15-64

•Configuring Reports, page 15-70

•Configuring Server Settings, page 15-71

•Configuring Alarm Severities, page 15-71

•Configuring SNMP Credentials, page 15-72

•Configuring SNMP Settings, page 15-76

•Configuring Switch Port Tracing, page 15-77

Configuring Alarms

This Alarms page enables you to handle old alarms and display assigned and acknowledged alarms in the Alarm Summary page.

To open this page, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Alarms. The Administration > Settings > Alarms page appears (see Figure 15-7).

Figure 15-7 Settings > Alarms Page

Step 3 Add or modify the following Alarms parameters:

•Alarm Cleanup Options

–Delete active and cleared alarms after—Enter the number of days after which active and cleared alarms are deleted. This option can be disabled by unselecting the check box.

–Delete cleared security alarms after—Enter the number of days after which Security, Rogue AP, and Adhoc Rogue alarms are deleted.

–Delete cleared non-security alarms after—Enter the number of days after which non-security alarms are deleted. Non-security alarms include all alarms that do not fall under the Security, Rogue AP, or Adhoc Rogue categories.

Note Data cleanup tasks run nightly to delete old alarms. In addition to the data cleanup task, the NCS has an hourly task to check alarm table size. When the alarm table size exceeds 300 K, the task deletes the oldest cleared alarms until the alarm table size is within 300 K.

Note If you want to keep the cleared alarms for more than 7 days, then you can specify a value more than 7 days in the Delete cleared non-security alarms after text box until the alarm table size reaches 300 K.

•Alarm Display Options

Note These preferences only apply to the Alarm Summary page. Quick searches or alarms for any entity display all alarms regardless of the acknowledged or assigned state.

–Hide acknowledged alarms—When the check box is selected, Acknowledged alarms do not appear on the Alarm Summary page. This option is enabled by default.

Note E-mails are not generated for acknowledged alarms regardless of severity change.

–Hide assigned alarms—When the check box is selected, assigned alarms do not appear in the Alarm Summary page.

–Add controller name to alarm messages—Select the check box to add the name of the controller to alarm messages.

–Add NCS address to e-mail notifications—Select the check box to add the NCS address to e-mail notifications.

•Alarm E-mail Options

–Include alarm severity in the e-mail subject line—Select the check box to include alarm severity in the e-mail subject line.

–Include alarm Category in the e-mail subject line—Select the check box to include alarm category in the e-mail subject line.

–Include prior alarm severity in the e-mail subject line—Select the check box to include prior alarm severity in the e-mail subject line.

–Include custom text in the e-mail subject line—Select the check box to add custom text in the e-mail subject line. You can also replace the e-mail subject line with custom text by selecting the Replace the e-mail subject line with custom text check box.

–Include custom text in body of e-mail—Select the check box to add custom text in the body of e-mail.

–Include alarm condition in body of e-mail—Select the check box to include alarm condition in the body of e-mail.

–Add link to Alarm detail page in body of e-mail—Select the check box to add a link to the Alarm detail page in the body of e-mail.

–Enable Secure Message Mode—Select the check box to enable a secure message mode. If you select the Mask IP Address and Mask Controller Name check boxes, the alarm e-mails are sent in secure mode where all the IP addresses and controller names are masked.

Step 4 Click Save.

Configuring an Audit

The Settings > Audit page allows you to determine the type of audit and on which parameters the audit is performed.

•Audit Mode—Choose between basic auditing and template based auditing.

•Audit On—Choose to audit on all parameters or on selected parameters for a global audit.

Audit Mode

The audit mode group box allows you to choose between basic auditing and template based auditing. Basic audit is selected by default.

•Basic Audit—Audits the configuration objects in the NCS database against current WLC device values. Prior to the 5.1.0.0 version of the NCS, this was the only audit mode available.

Note Configuration objects refer to the device configuration stored in the NCS database.

•Template-based Audit—Audits on the applied templates, config group templates (which have been selected for the background audit), and configuration audits (for which corresponding templates do not exist) against current Controller device values.

To indicate the type of audit you want to perform, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Audit. The Audit Setting page appears (see Figure 15-8).

Figure 15-8 Audit Settings Page

Step 3 Select the Basic Audit or Template Based Audit. A basic audit audits the device configuration in the NCS database against the current Controller configuration. A template-based audit audits the applied templates, config group templates, and configuration objects (for which corresponding templates do not exist) against current Controller configuration.

Step 4 Choose if you want the audit to run on all parameters or only on selected parameters. If you select the Selected Parameters radio button, you can access the Configure Audit Parameters configuration page. (See the "Configuring Audit Parameters" section on page 15-55). The Select audit parameters URL appears.

The selected audit parameters are used during network and controller audits.

Step 5 Click Save.

Note These settings are in effect when the controller audit or network audit is performed.

Audit On

The Audit On group box allows you to audit on all parameters or to select specific parameters for an audit. When the Selected Parameters radio button is selected, you can access the Select Audit Parameters configuration page.

The selected audit parameters are used during network and controller audits.

Configuring Audit Parameters

To configure the audit parameters for a global audit, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Audit.

Step 3 Select the Selected Parameters radio button to display the Select Audit Parameters link.

Step 4 Click Save.

Step 5 Click Select Audit Parameters to choose the required parameters for the audit in the Audit Configuration > Parameter Selection page.

Step 6 Select the parameters that you want audited from each of the tabs. The tabs include System, WLAN, Security, Wireless, and Selected Attributes.

Step 7 When all desired audit parameters are selected, click Submit to confirm the parameters or click Cancel to close the page without saving any audit parameters.

Once you click Submit, the selected audit parameters display on the Selected Attributes tab.

A current Controller Audit Report can be accessed from the Configure > Controllers page by selecting an object from the Audit Status column.

Note You can audit a controller by choosing Audit Now from the Select a command drop-down list in the Configure > Controllers page, or by clicking Audit Now directly from the Controller Audit report. See the "Viewing Audit Status (for Access Points)" section on page 9-196.

Configuring Clients

You can configure the following client processes to improve NCS performance and scalability. This section contains the following topics:

•Processing Diagnostic Trap, page 15-56

•Host Name Lookup, page 15-57

•Data Retention, page 15-57

•Client Traps and Syslogs, page 15-58

•Autonomous Client Traps, page 15-58

To confirm changes to these client configurations, click Save at the bottom of the page.

Note See the "Client Troubleshooting Dashlet" section on page 10-4 for further information on client troubleshooting.

Processing Diagnostic Trap

The Settings > Client page allows you to enable automatic client troubleshooting on a diagnostic channel.

Note Automatic client troubleshooting is only available for CCXV5 or CCXv6 clients.

To enable this automatic client troubleshooting, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Client. The Client page appears (see Figure 15-9).

Figure 15-9 Administration > Settings > Client Page

Step 3 Select the Automatically troubleshoot client on diagnostic channel check box.

Note If the check box is selected, the NCS processes the diagnostic association trap. If it is not selected, the NCS raises the trap, but automated troubleshooting is not initiated.

Note While processing the diagnostic association trap, the NCS invokes a series of tests on the client. The client is updated on all completed tasks. The automated troubleshooting report is placed in dist/acs/win/webnms/logs. When the test is complete, the location of the log is updated in client details pages:V5 tab:Automated Troubleshooting Report group box. An export button allows you to export the logs.

Step 4 Click Save.

Host Name Lookup

DNS lookup can take a considerable amount of time. Because of this, you can enable or disable the DNS lookup for client host name. It is set to Disable by default.

To enable host name lookup, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Client.

Step 3 Select the Lookup client host names from DNS server check box.

Step 4 Enter the number of days that you want the host name to remain in the cache.

Step 5 Click Save.

Data Retention

Client association history can take a lot of database and disk space. This can be an issue for database backup and restore functions. The retaining duration of a client association history can be configured to help manage this potential issue.

To configure data retention parameters, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Client.

Step 3 Enter or edit the following data retention parameters:

•Dissociated Clients (days)—Enter the number of days that you want NCS to retain the data. The default is 7 days. The valid range is 1 to 30 days.

•Client session history (days)—Enter the number of days that you want NCS to retain the data. The default is 32 days. The valid range is 7 to 365 days.

Step 4 Click Save.

Client Discovery

If you select the Poll clients when client traps/syslogs received check box, the NCS polls clients to quickly identify client sessions. In a busy network, you might want to disable polling while the client traps are received. This option is disabled by default.

Client Traps and Syslogs

In some deployments, the NCS might receive large amounts of client association and disassociation traps. Saving these traps as events might cause a slight performance issue. In such cases, other events that might be useful might be aged out sooner than expected.

To ensure that the NCS does not save client association and disassociation traps as events, unselect the Save client association and disassociation traps as events check box. Click Save to confirm this configuration change. This option is disabled by default.

For more information on traps and syslogs, see the "Enabling Traps and Syslogs on Switches for Wired Client Discovery" section on page 9-208.

Autonomous Client Traps

Select the Save 802.1x and 802.11 client authentication fail traps as events check box if you want to save the Save 802.1x and 802.11 client authentication failed traps as events.

Interval Time—Enter the time interval in seconds to poll for the failed traps.

Configuring Protocols for CLI Sessions

Many NCS features such as autonomous access point and controller command-line interface templates, along with migration templates require executing command-line interface commands on the autonomous access point or controller. These command-line interface commands can be executed by establishing Telnet or SSH sessions. The CLI session page allows you to select the session protocol. SSH is the default.

Note In command-line interface templates, you are not required to answer the question responses (such as Yes or No answer to a command, Press enter to continue, and so on.). This is automatically performed by the NCS.

To configure the protocols for CLI sessions, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose CLI Session.

Step 3 The default controller session protocol SSH is selected. To choose Telnet, select that radio button.

Step 4 The default autonomous access point session protocol SSH is selected. To choose Telnet, select the radio button.

Step 5 The Run Autonomous AP Migration Analysis on discovery radio button is set to No by default. Choose Yes if you want to discover the autonomous APs as well as perform migration analysis.

Step 6 Click Save.

Configuring Controller Upgrade

The Controller Upgrade Settings page allows you to auto-refresh after a controller upgrade. To perform an auto-refresh, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Controller Upgrade Settings (see Figure 15-10).

Figure 15-10 Controller Upgrade Settings

Step 3 Select the Auto refresh After Upgrade check box to automatically restore the configuration whenever there is a change in the controller image.

Step 4 Determine the action the NCS takes when a save config trap is received. When this check box is enabled, you can choose to retain or delete the extra configurations present on the device but not on the NCS. The setting is applied to all controllers managed by the NCS.

Note If you select the Auto Refresh on Save Config Trap check box in the Configure > Controllers > Properties > Settings page, it overrides this global setting.

Note It might take up to three minutes for the automatic refresh to occur.

Step 5 Click Save.

Whenever a save config trap is received by the NCS this check box is selected. When this check box is enabled, it determines the action taken by the NCS.

When this check box is enabled, the user can choose to retain or delete the extra configurations present on device and not on the NCS.

This setting is applied to all of the controllers managed by the NCS. The setting in the controller > properties page for processing the save config trap overrides this global setting.

When there is a change in the controller image, the configuration from the controller is automatically restored.

Configuring Data Management

You can configure retention periods on an hourly, daily, and weekly basis.

To set retention periods for aggregated data used in timed calculations and network audit calculations, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Data Management. The Data Management page appears (see Figure 15-11).

Figure 15-11 Data Management Page

Step 3 Specify the number of days to keep the hourly data. The valid range is 1 to 31. The default is 31 days.

Step 4 Specify the number of days to keep the daily data. The valid range is 7 to 365. The default is 90 days.

Step 5 Specify the number of weeks to keep the weekly data. The valid range is 2 to 108. The default is 54 weeks.

Step 6 Specify the number of days to retain the audit data collected by the Network Audit background task before purging. The limit is 365 days, and the minimum cleanup interval is 7 days. The default is 90 days.

Note For the best interactive graph data views, change the default settings to the maximum possible: 90 days for daily aggregated data and 54 weeks for weekly aggregated data. You must also make the appropriate measures to increase RAM and CPU capacity to compensate for these adjustments.

Step 7 Click Save.

NCS Historical Data

There are two types of historical data in the NCS, including the following:

•Aggregated historical data—Numeric data that can be gathered as a whole and aggregated to minimum, maximum, or average. Client count is one example of aggregated historical data.

Use the Administration > Settings > Data Management page to define the aggregated data retention period. Aggregation types include hourly, daily, and weekly.

The retention period for these aggregation types are defined as Default, Minimum, and Maximum (see Table 15-3).

•Non-aggregated historical data—Numeric data that cannot be gathered as a whole (or aggregated). Client association history is one example of non-aggregated historical data.

You can define a non-aggregated retention period in each data collection task and other settings.

For example, you define the retention period for client association history in Administration > Settings > Client. By default, the retention period is 31 days or 1 million records. This retention period can be increased to 365 days.

Configuring Guest Account Settings

The Guest Account Settings page allows you to globally remove all expired templates. To configure guest account settings, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Guest Account Settings (see Figure 15-12).

Figure 15-12 Guest Account Settings Page

Step 3 When the Automatically remove expired guest accounts check box is selected, the guest accounts whose lifetime has ended are not retained, and they are moved to the Expired state. Those accounts in the expired state are deleted from the NCS.

Step 4 By default, the NCS Lobby Ambassador can access all guest accounts irrespective of who created them. If you select the Search and List only guest accounts created by this lobby ambassador check box, the Lobby Ambassadors can access only the guest accounts that have been created by them.

Step 5 Click Save.

Configuring Login Disclaimer

The Login Disclaimer page allows you to enter disclaimer text at the top of the Login page for all users.

To enter Login Disclaimer text, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Login Disclaimer. The Login Disclaimer page appears (see Figure 15-13).

Figure 15-13 Login Disclaimer Page

Step 3 Enter your Login Disclaimer text in the available text box.

Step 4 Click Save.

Configuring the Mail Server

You can configure global e-mail parameters for sending e-mails from NCS reports, alarm notifications, and so on. This mail server page enables you to configure e-mail parameters in one place. The Mail Server page enables you to set the primary and secondary SMTP server host and port, the e-mail address of the sender, and the e-mail addresses of the recipient.

To configure global e-mail parameters, follow these steps:

Note You must configure the global SMTP server before setting global e-mail parameters.

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Mail Server Configuration. The page in Figure 15-14 appears.

Figure 15-14 Mail Server Configuration Page

Step 3 Enter the hostname of the primary SMTP server.

Step 4 Enter the username of the SMTP server.

Step 5 Provide a password for logging on to the SMTP server and confirm it.

Note Both Username and Password are optional.

Step 6 Provide the same information for the secondary SMTP server (only if a secondary mail server is available).

Step 7 The From text box in the Sender and Receivers portion of the page is populated with NCS@<NCS server IP address>. You can change it to a different sender.

Step 8 Enter the e-mail addresses of the recipient in the To text box. The e-mail address you provide serves as the default value for other functional areas, such as alarms or reports. Multiple e-mail addresses can be added and should be separated by commas.

Note Global changes you make to the recipient e-mail addresses in Step 7 are disregarded if e-mail notifications were set.

You must indicate the primary SMTP mail server and fill the From address text boxes.

If you want all alarm categories applied to the provided recipient list, select the Apply recipient list to all alarm categories check box.

Step 9 Enter the text that you want to append to the e-mail subject.

Step 10 If you click the Configure e-mail notification for individual alarm categories link, you can specify the alarm categories and severity levels you want to enable. E-mail notifications are sent when an alarm occurs that matches categories and the severity levels you select.

Note You can set each alarm severity by clicking the alarm category, choosing Critical, Major, Minor, or Warning, and providing an e-mail address.

Step 11 Click the Test button to send a test e-mail using the parameters you configured. The results of the test operation appear on the same page. The test feature checks the connectivity to both primary and secondary mail servers by sending an e-mail with a "NCS test e-mail" subject line.

If the test results were satisfactory, click Save.

Configuring the Notification Receiver

The Notification Receiver page displays current notification receivers that support guest access. Alerts and events are sent as SNMPv2 notifications to configured notification receivers.

In this page, you can view current or add additional notification receivers.

This section contains the following topics:

•Adding a Notification Receiver to the NCS, page 15-65

•Removing a Notification Receiver, page 15-66

To access the Notification Receiver page, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Notification Receivers. All currently configured servers appear in this page. If you want to add one, choose Add Notification Receiver from the Select a command drop-down list, and click Go (see Figure 15-15).

Figure 15-15 Notification Receiver Page

Adding a Notification Receiver to the NCS

To view current or add additional notification receivers, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Notification Receivers. All currently configured servers appear on this page.

Step 3 From the Select a command drop-down list, choose Add Notification Receiver.

Step 4 Click Go (see Figure 15-15).

Figure 15-16 Notification Receiver Page

Step 5 Enter the server IP address and name.

Step 6 Select either the North Bound or Guest Access radio button.

The Notification Type automatically defaults to UDP.

Step 7 Enter the UDP parameters including Port Number and Community.

Note The receiver that you configure should be listening to UDP on the same port that is configured.

Step 8 If you selected North Bound as the receiver type, specify the criteria and severity.

Note Alarms for only the selected category are processed.

Note Alarms with only the selected severity matching the selected categories are processed.

Step 9 Click Save to confirm the Notification Receiver information.

Note•By default, only INFO level events are processed for the selected Category.

•Only SNMPV2 traps are considered for North Bound notification.

Removing a Notification Receiver

To delete a notification receiver, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Notification Receivers. All currently configured servers appear on this page.

Step 3 Select the check box(es) of the notification receiver(s) that you want to delete.

Step 4 From the Select a command drop-down list, click Remove Notification Receiver.

Step 5 Click Go.

Step 6 Click OK to confirm the deletion.

The sample display from a North Bound SNMP receiver that has received event traps from the NCS follows:

Figure 15-17 Sample Display from a North Bound SNMP Receiver

The following sample output shows the log file generated by the NCS. This log file is located in the log file directory on the NCS server (/opt/NCS 1.x/webnms/logs). The log output helps you troubleshoot when alarms are not being received by the North Bound SNMP receiver.

06/04/10 08:30:58.559 INFO[com.cisco.ncslogger.services] : 
[NBNotificationService$NbOrderQueue][addNbAlarm]Adding into queue

06/04/10 08:30:58.560 INFO[com.cisco.ncslogger.services] : 
[NBNotificationService$NbOrderQueue][addNbAlarm]incrTotalNotifications2

06/04/10 08:30:58.560 INFO[com.cisco.ncslogger.services] : 
[NBNotificationService$NbOrderQueue][addNbAlarm]incrHandledInNotification2

06/04/10 08:30:58.560 INFO[com.cisco.ncslogger.services] : 
[NBNotificationService$NbOrderQueue][addNbAlarm]incrNonCongestedIn2

06/04/10 08:30:58.560 INFO[com.cisco.ncslogger.services] : 
[NBNotificationService][addNBAlert]Added into queue

06/04/10 08:30:58.561 INFO[com.cisco.ncslogger.services] : 
[NBNotificationService$NbOrderQueue][getNbAlarm]incrHandledOutNotification2

06/04/10 08:30:58.561 INFO[com.cisco.ncslogger.services] : 
[NBNotificationService][startNotifier]Processing the 
alertNoiseProfile_LradIf!00:17:df:a9:c8:30!0

06/04/10 08:30:58.561 INFO[com.cisco.ncslogger.notification] : 
[NbAlertToNmsAlertCorrelator][formVarBindList]Generating the varbind list for NB

06/04/10 08:30:58.562 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.2.1.1.3.0 variable value: 10 days, 20:22:17.26

06/04/10 08:30:58.562 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.6.3.1.1.4.1.0 variable value: 
1.3.6.1.4.1.9.9.199991.0.1

06/04/10 08:30:58.562 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.2 variable value: 
07:da:05:18:0c:30:0d:09:2d:07:00

06/04/10 08:30:58.563 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.3 variable value: 
07:da:06:04:08:1e:3a:04:2d:07:00

06/04/10 08:30:58.563 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.4 variable value: 
NoiseProfile_LradIf!00:17:df:a9:c8:30!0

06/04/10 08:30:58.563 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.5 variable value: 2

06/04/10 08:30:58.563 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.6 variable value: Radio 
load threshold violation

06/04/10 08:30:58.563 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.7 variable value: 1

06/04/10 08:30:58.564 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.8 variable value: 
172.19.29.112

06/04/10 08:30:58.564 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.9 variable value: AP 
1250-LWAP-ANGN-170-CMR, Interface 802.11b/g/n

06/04/10 08:30:58.564 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.10 variable value: 
Noise changed to acceptable level on '802.11b/g/n' interface of AP 
'1250-LWAP-ANGN-170-CMR', connected to Controller '172.19.29.112'. 

06/04/10 08:30:58.564 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.11 variable value: 1

06/04/10 08:30:58.564 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.12 variable value: 

06/04/10 08:30:58.565 INFO[com.cisco.ncslogger.notification] : 
[NBUtil][printVarBind]Variable OID: 1.3.6.1.4.1.9.9.199991.1.1.2.1.14 variable value: 

06/04/10 08:30:58.573 INFO[com.cisco.ncslogger.notification] : [NBUtil][sendTrap]OSS list 
size with reachability status as up1

06/04/10 08:30:58.573 INFO[com.cisco.ncslogger.notification] : [NBUtil][sendTrap]Sending 
UDP Notification for receiver:172.19.27.85 on port:162

MIB to NCS Alert/Event Mapping

Table 15-4 summarizes the Cisco-NCS-Notification-MIB to NCS alert/event mapping.

Configuring Reports

To indicate where the scheduled reports reside and for how many days, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Report. The Report page appears (see Figure 15-18).

Figure 15-18 Report Page

Step 3 Enter the path for saving report data files on a local PC. You can edit the existing default path.

Step 4 Specify the number of days to retain report data files.

Step 5 Click Save.

Configuring Server Settings

To turn TFTP, FTP, HTTP, or HTTPS on or off, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Server Setting. The Server Settings page appears (see Figure 15-19).

Figure 15-19 Server Settings Page

Step 3 If you want to modify the FTP and TFTP directories or the HTTP and HTTPS ports that were established during installation, enter the port number (or port number and root where required) that you want to modify and click Enable or Disable.

The changes are reflected after a restart.

Configuring Alarm Severities

You can change the severity level for newly generated alarms.

Note Existing alarms remain unchanged.

To change the severity level of newly generated alarms, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 Choose Severity Configuration from the left sidebar menu. The Severity Configuration page appears (see Figure 15-20).

Figure 15-20 Severity Configuration Page

Step 3 Select the check box of the alarm condition whose severity level you want to change.

Step 4 From the Configure Severity Level drop-down list, choose the new severity level (Critical, Major, Minor, Warning, Informational, Reset to Default).

Step 5 Click Go.

Step 6 Click OK to confirm the change.

Configuring SNMP Credentials

The SNMP Credentials page allows you to specify credentials to use for tracing the rogue access points. Use this option when you cannot find a specific entry using a number-based entry. When a switch credential is not added to the NCS, you can use SNMP credentials on this page to connect to the switch.

To configure SNMP credentials, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose SNMP Credentials. The SNMP Credentials page appears (see Figure 15-21).

Step 3 To view or edit details about a current SNMP entry, click the Network Address link. See the "Viewing Current SNMP Credential Details" section on page 15-73 for more information.

Note The default network address is 0.0.0.0 which indicates the entire network. An SNMP credential is defined per network so only network addresses are allowed. 0.0.0.0 is the SNMP credential default and is used when no specific SNMP credential is defined. The default community string is private for both read and write. You should update the prepopulated SNMP credential with your own SNMP information.

Figure 15-21 SNMP Credentials Page

Step 4 To add a new SNMP entry, choose Add SNMP Entries from the Select a command drop-down list, and click Go. See the "Adding a New SNMP Credential Entry" section on page 15-74 for more information.

Viewing Current SNMP Credential Details

To view or edit details for current SNMP credentials, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose SNMP Credentials.

Step 3 Click the Network Address link to open the SNMP Credential Details page. The details page displays the following information:

General Parameters

•Add Format Type—Display only. See the "Adding a New SNMP Credential Entry" section on page 15-74 for more information regarding Add Format Type.

•Network Address

•Network Mask

SNMP Parameters—Select the applicable version(s) for SNMP parameters. The SNMP credentials are validated according to which SNMP version(s) are selected.

Note Enter SNMP parameters for write access, if available. With Display only access parameters, the switch is added but you cannot modify its configuration in the NCS. Device connectivity tests use the SNMP retries and timeout parameters configured in Administration > Settings > SNMP Settings.

•Retries—The number of times that attempts are made to discover the switch.

•Timeout—The session timeout value in seconds. This determines the maximum amount of time allowed for a client before it is forced to reauthenticate.

•SNMP v1 Parameters or v2 Parameters—If selected, enter the applicable community in the available text box.

•SNMP v3 Parameters—If selected, configure the following parameters:

–Username

–Auth. Type

–Auth. Password

–Privacy Type

–Privacy Password

Note If SNMP v1 or v2 with default community is configured, the network is open to easy attacks because default communities are well known. SNMP v1 or v2 with a non-default community is more secure than a default community, but SNMP v3 with Auth and Privacy type and no default user is the most secure SNMP connection.

Step 4 Click OK to save changes or Cancel to return to the SNMP Credentials page without making any changes to the SNMP credential details.

Adding a New SNMP Credential Entry

To add a new SNMP credential entry, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose SNMP Credentials.

Step 3 From the Select a command drop-down list, choose Add SNMP Entries.

Step 4 Click Go. The SNMP Credentials page opens (see Figure 15-21).

Step 5 Choose one of the following:

To manually enter SNMP credential information, leave the Add Format Type drop-down list at SNMP Credential Info. To add multiple network addresses, use a comma between each address. Go to Step 7.

If you want to add multiple switches by importing a CSV file, choose File from the Add Format Type drop-down list. The CSV file allows you to generate your own import file and add the devices you want. Go to Step 6.

Step 6 If you chose File, click Browse to find the location of the CSV file you want to import. Skip to Step 11.

The first row of the CSV file is used to describe the columns included. The IP Address column is mandatory.

Sample File:

ip_address,snmp_version,snmp_community,snmpv3_user_name,snmpv3_auth_type,snmpv3_auth_passw
ord,snmpv3_privacy_type,snmpv3_privacy_password,network_mask  
1.1.1.0,v2,private,user1,HMAC-MD5,12345,DES,12345,255.255.255.0  
2.2.2.0,v2,private,user1,HMAC-MD5,password3,DES,password4,255.255.255.0  
10.77.246.0,v2,private,user1,HMAC-MD5,12345,DES,12345,255.255.255.0 

The CSV file can contain the following fields:

•ip_address:IP address

•snmp_version:SNMP version

•network_mask:Network mask

•snmp_community:SNMP V1/V2 community

•snmpv3_user_name:SNMP V3 username

•snmpv3_auth_type:SNMP V3 authorization type. Can be None or HMAC-MD5 or HMAC-SHA

•snmpv3_auth_password:SNMP V3 authorization password

•snmpv3_privacy_type:SNMP V3 privacy type. Can be None or DES or CFB-AES-128

•snmpv3_privacy_password:SNMP V3 privacy password

•snmp_retries:SNMP retries

•snmp_timeout:SNMP timeout

Step 7 If you chose SNMP Credential Info, enter the IP address of the switch you want to add. If you want to add multiple switches, use a comma between the string of IP addresses.

Step 8 In the Retries field, enter the number of times that attempts are made to discover the switch.

Step 9 Provide the session timeout value in seconds. This determines the maximum amount of time allowed for a client before it is forced to reauthenticate.

Step 10 Select the applicable version(s) for SNMP parameters. The SNMP credentials are validated according to which SNMP version(s) are selected.

•If SNMP v1 Parameters or v2 Parameters is selected, enter the applicable community in the available text box.

•If SNMP v3 Parameters is selected, configure the following parameters:

–Username

–Auth. Type

–Auth. Password

–Privacy Type

–Privacy Password

Note If SNMP v1 or v2 with default community is configured, the network is open to easy attacks because default communities are well known. SNMP v1 or v2 with a non-default community is more secure than a default community, but SNMP v3 with Auth and Privacy type and no default user is the most secure SNMP connection.

Step 11 Click OK.

If the NCS can use the SNMP credential listed to access the switch, the switch is added for later use and appears in the Configure > Ethernet Switches page.

Note If you manually added switches through the Configure > Ethernet Switches page, then switch port tracing uses the credentials from that page, not the ones listed in the SNMP Credentials page. If the manually-added switch credentials have changed, you need to update them from the Configure > Ethernet page.

Configuring SNMP Settings

The SNMP Settings page allows you to configure global SNMP settings from the NCS.

Note Any changes you make on this page affects the NCS globally. The changes are saved across restarts as well as across backups and restores.

To configure global SNMP settings, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose SNMP Settings. The SNMP Settings page appears (see Figure 15-22).

Figure 15-22 SNMP Settings Page

Step 3 If the Trace Display Values check box is selected, mediation trace-level logging shows data values fetched from the controller using SNMP. If unselected, the values do not appear.

Note The default is unselected for security reasons.

Step 4 For the Backoff Algorithm, choose either Exponential or Constant Timeout from the drop-down list. If you choose Exponential (the default value), each SNMP try waits twice as long as the previous try, starting with the specified timeout for the first try. If you choose Constant Timeout, each SNMP try waits the same, specified amount of time.

Note Constant Timeout is useful on unreliable networks (such as satellite networks) where the desired number of retries is large. Because it does not double the timeout per try, it does not take as long to timeout with a high number of retries.

Step 5 Determine if you want to use reachability parameters. If selected, the NCS defaults to the global Reachability Retries and Timeout that you configure. If unselected, the NCS always uses the timeout and retries specified per-controller or per-IOS access point. The default is selected.

Note Adjust this setting downward if switch port tracing is taking a long time to complete.

Step 6 For the Reachability Retries field, enter the number of global retries used for determining device reachability. The default number is 2. This field is only available if the Use Reachability Parameters check box is selected.

Note Adjust this setting downward if switch port tracing is taking a long time to complete.

Step 7 For the Reachability Timeout field, enter a global timeout used for determining device reachability. The default number is 2. This field is only available if the Use Reachability Parameters check box is selected.

Step 8 At the Maximum VarBinds per PDU field, enter a number to indicate the largest number of SNMP variable bindings allowed in a request or response PDU. The default is 100.

Note For customers who have issues with PDU fragmentation in their network, this number can be reduced to 50, which typically eliminates the fragmentation.

Step 9 The maximum rows per table field is configurable and the default value is 50000 rows. The configured value is retained even if you upgrade the NCS version.

Step 10 Click Save to confirm these settings.

Configuring Switch Port Tracing

Currently, the NCS provides rogue access point detection by retrieving information from the controller. The rogue access point table is populated with any detected BSSID addresses from any frames that are not present in the neighbor list. At the end of a specified interval, the contents of the rogue table are sent to the controller in a CAPWAP Rogue AP Report message. With this method, the NCS simply gathers the information received from the controllers; but with software Release 5.1, you can now incorporate switch port tracing of Wired Rogue Access Point Switch Ports. This enhancement allows you to react to found wired rogue access points and prevent future attacks. The trace information is available only in the NCS log and only for rogue access points, not rogue clients.

Note Rogue Client connected to the Rogue Access point information is used to track the switch port to which the Rogue Access point is connected in the network.

Note If you try to set tracing for a friendly or deleted rogue, a warning message appears.

Note For Switch Port Tracing to successfully trace the switch ports using v3, all of the OIDs should be included in the SNMP v3 view and VLAN content should be created for each VLAN in the SNMP v3 group.

Note See the "Configuring Switch Port Tracing" section on page 15-77 for information on configuring Switch Port Tracing settings.

The Switch Port Trace page allows you to run a trace on detected rogue access points on the wire.

To correctly trace and contain rogue access points, you must correctly provide the following information.

•Reporting APs—A rogue access point has to be reported by one or more managed access points.

•AP CDP Neighbor—Access point CDP neighbor information is required to determine the seed switches.

•Switch IP address and SNMP credentials—All switches to be traced must have a management IP address and SNMP management enabled. You can add network address based entries instead of only adding individual switches. The correct write community string must be specified to enable/disable switch ports. For tracing, read community strings are sufficient.

•Switch port configuration—Trunking switch ports must be correctly configured. Switch port security must be turned off.

•Only Cisco Ethernet switches are supported.

•Switch VLAN settings must be properly configured.

•CDP protocol must be enabled on all switches.

•An Ethernet connection must exist between the rogue access point and the Cisco switch.

•You should have some traffic between rogue access points and the Ethernet switch.

•The rogue access point must be connected to a switch within the max hop limit. The default hop count is 2, and the maximum is 10.

•If SNMPv3 is chosen, use the context option and create one for each VLAN, in addition to the one for the main group (which is required for non-VLAN-based MIBs).

To specify options for switch port tracing, follow these steps:

Step 1 Choose Administration > Settings.

Step 2 From the left sidebar menu, choose Switch Port Trace (see Figure 15-23).

Figure 15-23 Switch Port Trace Page

Step 3 Configure the following basic settings as needed:

•MAC address +1/-1 search—Select the check box to enable.

This search involves the MAC address +1/-1 convention where the wired-side MAC address of the rogue access point is obtained by adding or subtracting the radio MAC address by one.

•Rogue client MAC address search—Select the check box to enable.

When a rogue access point client exists, the MAC address of the client is added to the searchable MAC address list.

•Vendor (OUI) search—Select the check box to enable. OUI refers to Organizational Unique Identifier search which searches the first 3 bytes in a MAC address.

•Exclude switch trunk ports—Select the check box to exclude switch trunk ports from the switch port trace.

Note When more than one port is traced for a given MAC address, additional checks are performed to improve accuracy. These checks include: trunk port, non-AP CDP neighbors present on the port, and whether or not the MAC address is the only one on this port.

•Exclude device list—Select the check box to exclude additional devices from the trace. Enter into the device list text box each device that you want to exclude from the switch port trace. Separate each device names with commas.

•Max hop count—Enter the maximum number of hops for this trace. Keep in mind that the greater the hop count, the longer the switch port trace takes to perform.

•Exclude vendor list—Enter in the vendor list text box any vendors that you want to exclude from the switch port trace. Separate vendor names with commas. The vendor list is not case sensitive.

Step 4 Configure the following advanced settings as needed:

•TraceRogueAP task max thread—Switch port tracing uses multiple threads to trace rogue access points. This field indicates the maximum number of rogue access points that can be traced on parallel threads.

•TraceRogueAP max queue size—Switch port tracing maintains a queue to trace rogue access points. Whenever you select a rogue access point for tracing, it is queued for processing. This field indicates the maximum number of entries that you can store in the queue.

•SwitchTask max thread—Switch port tracing uses multiple threads to query switch devices. This field indicates the maximum number of switch devices that you can query on parallel threads.

Note The default value for these parameters should be good for normal operations. These parameters directly impact the performance of switch port tracing and NCS. Unless required, We do not recommend that you alter these parameters.

•Select CDP device capabilities—Select the check box to enable.

Note The NCS uses CDP to discover neighbors during tracing. When the neighbors are verified, the NCS uses the CDP capabilities field to determine whether or not the neighbor device is a valid switch. If the neighbor device is not a valid switch, it is not traced.

Step 5 Click Save to confirm changes made. Click Reset to return the page to the original settings. Click Factory Reset to return settings to the factory defaults.

Establishing Switch Port Tracing

To establish switch port tracing, follow these steps:

Step 1 In the NCS home page, click the Security dashboard.

Step 2 In the Rogue APs and Adhoc Rogues section, click the number URL which specifies the number of rogues in the last hour, last 24 hours, or total active.

Step 3 Choose for which rogue you are setting switch port tracking by clicking the URL in the MAC Address column. The Alarms > Rogue AP details page opens.

Step 4 From the Select a command drop-down list, choose Trace Switch Port. The Trace Switch Port page opens and NCS runs a switch port trace.

When one or more searchable MAC addresses are available, the NCS uses CDP to discover any switches connected up to two hops away from the detecting access point. The MIBs of each CDP discovered switch is examined to see if it contains any of the target MAC addresses. If any of the MAC addresses are found, the corresponding port number is returned and reported as the rogue switch port.

The SNMP communities for the switches are provided in the "Configuring Switches" section on page 9-200.

See the "Switch Port Tracing Details" section on page 15-81 for additional information on the Switch Port Tracing Details dialog box.

Switch Port Tracing Details

In the Switch Port Tracing Details dialog box, you can enable or disable switch ports, trace switch ports, and view detail status of the access point switch trace. For more information on Switch Port Tracing, see the following topics:

•Configuring Switch Port Tracing—Provides information on configuring switch port trace settings.

•Configuring Switches—Provides information on configuring SNMP switches.

•Configuring SNMP Credentials—Provides information on configuring SNMP switch credentials.

In the Switch Port tracing Details dialog box, do one of the following:

•Click Enable/Disable Switch Port(s)—Enables or disables any selected ports.

•Click Trace Switch Port(s)—Runs another switch port trace.

•Click Show Detail Status—Displays details regarding the switch port traces for this access point.

•Click Close.

Switch Port Tracing Troubleshooting

Switch Port Tracing (SPT) works on a best-effort-basis. SPT depends on the following information to correctly trace and contain rogue APs:

•Reporting access points—A rogue access point must be reported by one or more managed access points.

•Access point CDP neighbor—Access point CDP neighbor information is required to determine the seed switches.

•Switch IP address and SNMP credentials

–All the switches that need to be traced should have a management IP address and SNMP management enabled.

–With the new SNMP credential changes, instead of adding the individual switches to the NCS, network address based entries can be added.

–The new SNMP credential feature has a default entry 0.0.0.0 with default community string as 'private' for both read/write.

–Correct write community string has to be specified to enable/disable switch ports. For tracing, read community string should be sufficient.

•Switch port configuration

–Switch ports that are trunking should be correctly configured as trunk ports.

–Switch port security should be turned off.

•Only Cisco Ethernet switches are supported.

Note The following switches are supported: 3750, 3560, 3750E, 3560E, and 2960.

•Switch VLAN settings should be properly configured.

•CDP protocol should be enabled for all the switches.

•An Ethernet connection should exist between the rogue access point and the Cisco switch.

•There should be some traffic between the rogue access point and the Ethernet switch.

•The rogue access point should be connected to a switch within the max hop limit. Default hop is 2. Max hop is 10.

•If SNMPv3 is used, then make sure you use the context option and create one for each VLAN in addition to the one for the main group (which is required for non-VLAN based MIBs).

Setting User Preferences

Choose Administration > User Preferences to open the User Preferences page. The User Preferences page enables you to control certain display options in the NCS.

Note When the non-root users log into NCS and try to modify the user preferences, the "Permission Denied" message appears, which is an expected behavior.

List Pages

•Items Per List—You can set the number of items, such as controllers or access points, to display in pages that list these items. Choose the number of items to display from the Items Per List Page drop-down list.

User Idle Timeout

•Logout idle user—Select the check box if you want to configure the amount of time, in minutes, that a user session can be idle before the server cancels the session.

•Logout idle user after—Select the maximum number of minutes that a server waits for an idle user. The default value is 60 minutes. The minimum value is 15 minutes. The maximum value is 120 minutes.

Note If the Logout idle user check box is unselected, the user session does not time out.

Alarms

•Refresh Map/Alarms page on new alarm—Select the check box to refresh map and alarm pages each time a new alarm is generated.

•Refresh Alarm count in the Alarm Summary every—Choose the frequency of the Alarm Summary refresh from the drop-down list (every 5, seconds, 15 seconds, 30 seconds, 1 minute, 2 minutes, or 5 minutes).

•Display Alarm Category in Alarm Summary page—Choose the alarm category that you want to display in the minimized Alarm Summary (Alarm Summary, Malicious AP, Unclassified AP, Coverage Holes, Security, Controllers, Access Points, Mobility Services, Mesh Links, NCS, or Performance).

•Disable Alarm Acknowledge Warning Message—When you acknowledge an alarm, a warning displays as a reminder that a recurrence of the problem does not generate another alarm unless this functionality is disabled. Select this check box to stop the warning message from displaying.

•Select alarms for Alarm Summary Toolbar—To select alarms for the Alarm Summary Toolbar, click Edit Alarm Categories and choose the required alarm categories and subcategories.

This page contains user-specific settings you might want to adjust.

To change the user-specific settings, follow these steps:

Step 1 Choose Administration > User Preferences. The User Preferences Page appears (see Figure 15-24).

Figure 15-24 User Preferences Page

Step 2 Use the Items Per List Page drop-down list to configure the number of entries shown on a given list page (such as alarms, events, AP list, and so on).

Step 3 Specify how often you want the home page refreshed by selecting the Refresh home page check box and choosing a time interval from the Refresh home page every drop-down list.

Step 4 Select the Logout idle user check box and configure the Logout idle user after text box, in minutes, that a user session can be idle before the server cancels the session.

Step 5 If you want the maps and alarms page to automatically refresh when a new alarm is raised by the NCS, select the Refresh Map/Alarms page on new alarm check box in the Alarms portion of the page.

Step 6 From the Refresh Alarm count in the Alarm Summary every drop-down list choose a time interval to to specify how often to reset.

Step 7 If you do not want the alarm acknowledge warning message to appear, select the Disable Alarm Acknowledge Warning Message check box.

Step 8 Click Edit Alarm Categories to select the alarm categories to display in the Alarm Summary page.

Step 9 In the Select Alarms page, choose the default category to display from the drop-down list, and select the alarm categories and sub categories to display from the alarm toolbar. Click Save to save the alarm category list. The selected alarm category and sub categories appears in the User Preferences page.

Step 10 Click Save to save the User Preference settings.

Viewing Appliance Details

This section provides the Appliance details. This section contains the following topics:

•Viewing Appliance Status Details, page 15-84

•Viewing Appliance Interface Details, page 15-85

Viewing Appliance Status Details

To view the appliance status, perform the following steps:

Step 1 Choose Administration > Appliance.

Step 2 Choose Appliance Status from the left sidebar menu. The Appliance Status page appears (see Figure 15-25) with the following details, see Table 15-5 for more information.

Figure 15-25 Appliance Status Page

Viewing Appliance Interface Details

To view the Appliance Interface details, follow these steps:

Step 1 Choose Administration > Appliance.

Step 2 Choose Appliance Interface from the left sidebar menu. The Interfaces page appears (see Figure 15-26).

Figure 15-26 Appliance Interface Details

Step 3 Click the Interface Type to configure if the interface belongs to peer server or to the management interfaces.

Configuring AAA

This section contains the following topics:

•Configuring AAA in the NCS, page 15-103

•Configuring ACS 4.x, page 15-103

•Configuring ACS 5.x, page 15-113

Configuring AAA Using the NCS

From Administration > AAA, authentication, authorization, and accounting (AAA) can be configured for the NCS. The only username that has permissions to configure NCS AAA is root or SuperUser. Any changes to local users accounts are in effect when configured for local mode. If using external authentication, for example RADIUS or TACACS+, the user changes must be done on the remote server.

This section contains the following topics:

•Changing Password, page 15-87

•Configuring Local Password Policy, page 15-88

•Configuring AAA Mode, page 15-87

•Configuring Users, page 15-89

•Configuring Groups, page 15-93

•Viewing Active Sessions, page 15-95

•Configuring TACACS+ Servers, page 15-95

•Configuring RADIUS Servers, page 15-98

•Authenticating AAA Users Through RADIUS Using Cisco Identity Services Engine (ISE), page 15-100

Changing Password

Choose Administration > AAA > Change Password from the left sidebar menu to access this page.

This page enables you to change the password for current logged in User.

•User—Applies to the logged in User.

•Old Password—Current password.

•New Password—Enter the new password using ASCII characters.

•Confirm password—Reenter the new password.

•Submit—Click Submit to confirm password change.

Configuring AAA Mode

Choose Administration > AAA > AAA Mode from the left sidebar menu to access this page.

This page enables you to configure the authentication mode for all users.

•AAA Mode Settings

–Local—Authenticate users to a local database.

–RADIUS—Authenticate users to an external RADIUS server.

–TACACS+—Authenticate users to an external TACACS+ server.

•Enable fallback to Local—If an external authentication server is down, this provides the option to authenticate users locally. This check box is only available for RADIUS and TACACS+.

–Choose ONLY on no server response or on auth failure or no server response from the drop-down list.

See also the "Configuring TACACS+ Servers" section on page 15-95 and the "Configuring RADIUS Servers" section on page 15-98.

AAA Mode Settings

To choose a AAA mode, follow these steps:

Step 1 Choose Administration > AAA.

Step 2 Choose AAA Mode from the left sidebar menu. The AAA Mode Settings page appears (see Figure 15-27).

Figure 15-27 AAA Mode Settings Page

Step 3 Choose which AAA mode you want to use. Only one can be selected at a time.

Any changes to local user accounts are effective only when you are configured for local mode (the default). If you use remote authentication, changes to the credentials are made on a remote server. The two remote authentication types are RADIUS and TACACS+. RADIUS requires separate credentials for different locations (East and West Coast). TACACS+ is an effective and secure management framework with a built-in failover mechanism.

Step 4 Select the Enable Fallback to Local check box if you want the administrator to use the local database when the external AAA server is down.

Note This check box is unavailable if Local was selected as a AAA mode type.

Step 5 Click OK.

Configuring Local Password Policy

Choose Administration > AAA > Local Password Policy from the left sidebar menu to access this page.This page enables you to determine your local password policy.

You can enable or disable the following policies for your local password:

•Set the minimum length of your password. By default it is set as 8.

•Password cannot be the username or the reverse of the username.

•Password cannot be the word cisco or ocsic (cisco reversed) or any special characters replaced for the same.

•Root password cannot be the word public.

•No character can be repeated more than three time consecutively in the password.

•Password must contain character from three of the character classes: upper case, lower case, digits, and special characters.

Click Save to confirm the Local Password Policy changes.

Configuring Users

This section describes how to configure an NCS user. Besides complete access, you can give administrative access with differentiated privileges to certain user groups.

Choose Administration > AAA > Users from the left sidebar menu to access this page. You can use this page to view the User details, create a User, delete a User as well as edit User details.

This section contains the following topics:

•Viewing User Details, page 15-89

•Edit Current Users - Passwords and Assigned Groups, page 15-89

•Edit Current Users - Permitted Tasks, page 15-90

•Edit Current Users - Groups Assigned to this User, page 15-90

•Adding a New User, page 15-91

•Add User Name, Password, and Groups, page 15-91

•Assign a Virtual Domain, page 15-92

•Audit User Operations, page 15-92

Viewing User Details

You can view the NCS user details in the Users page. The following information is available in the Administration > AAA > Users page:

•Current User Names

•Member Of—Groups with which the user is associated. Click an item in the Member Of column to view permitted tasks for this user.

•Audit Trail—Click the Audit Trail icon for a specific user to view or clear current audit trails. See the "Audit User Operations" section on page 15-92.

Note The NCS supports a maximum of 25 concurrent User logins at any point in time.

Edit Current Users - Passwords and Assigned Groups

To edit current user account passwords and assigned groups, follow these steps:

Step 1 Choose Administration > AAA.

Step 2 From the left sidebar menu, choose Users.

Step 3 Select a specific user from the User Name column.

Step 4 (Optional) Enter and confirm a new password, if necessary.

Step 5 If necessary, make changes to the Groups Assigned to this User check box selections.

Note If the user belongs to Lobby Ambassador, Monitor Lite, North Bound API, or User Assistant group, the user cannot belong to any other group.

Step 6 Select Submit to confirm the changes or Cancel to close the page without activating any changes.