Security Commands
show Commands
This section lists the show commands to display information about your security configuration settings for the controller.
- show 802.11
- show aaa auth
- show advanced eap
- show client detail
- show database summary
- show exclusionlist
- show local-auth certificates
- show local-auth config
- show local-auth statistics
- show netuser
- show network
- show network summary
- show ntp-keys
- show radius acct detailed
- show radius acct statistics
- show radius auth detailed
- show radius auth statistics
- show radius avp-list
- show radius summary
- show rules
- show rogue adhoc custom summary
- show rogue adhoc detailed
- show rogue adhoc friendly summary
- show rogue adhoc malicious summary
- show rogue adhoc unclassified summary
- show rogue adhoc summary
- show rogue ap custom summary
- show rogue ap clients
- show rogue ap detailed
- show rogue ap summary
- show rogue ap friendly summary
- show rogue ap malicious summary
- show rogue ap unclassified summary
- show rogue client detailed
- show rogue client summary
- show rogue ignore-list
- show rogue rule detailed
- show rogue rule summary
- show tacacs acct statistics
- show tacacs athr statistics
- show tacacs auth statistics
- show tacacs summary
show 802.11
To display basic 802.11a, 802.11b/g, or 802.11h network settings, use the show 802.11 command.
show 802.11 {a | b | h}
Syntax Description
Command Default
None.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
This example shows how to display basic 802.11a network settings:
> show 802.11a
802.11a Network.................................. Enabled
11nSupport....................................... Enabled
802.11a Low Band........................... Enabled
802.11a Mid Band........................... Enabled
802.11a High Band.......................... Enabled
802.11a Operational Rates
    802.11a 6M Rate.............................. Mandatory
    802.11a 9M Rate.............................. Supported
    802.11a 12M Rate............................. Mandatory
    802.11a 18M Rate............................. Supported
    802.11a 24M Rate............................. Mandatory
    802.11a 36M Rate............................. Supported
    802.11a 48M Rate............................. Supported
    802.11a 54M Rate............................. Supported
802.11n MCS Settings:
    MCS 0........................................ Supported
    MCS 1........................................ Supported
    MCS 2........................................ Supported
    MCS 3........................................ Supported
    MCS 4........................................ Supported
    MCS 5........................................ Supported
    MCS 6........................................ Supported
    MCS 7........................................ Supported
    MCS 8........................................ Supported
    MCS 9........................................ Supported
    MCS 10....................................... Supported
    MCS 11....................................... Supported
    MCS 12....................................... Supported
    MCS 13....................................... Supported
    MCS 14....................................... Supported
    MCS 15....................................... Supported
802.11n Status:
    A-MPDU Tx:
        Priority 0............................... Enabled
        Priority 1............................... Disabled
        Priority 2............................... Disabled
        Priority 3............................... Disabled
        Priority 4............................... Disabled
        Priority 5............................... Disabled
        Priority 6............................... Disabled
        Priority 7............................... Disabled
Beacon Interval.................................. 100
CF Pollable mandatory............................ Disabled
CF Poll Request mandatory........................ Disabled
CFP Period....................................... 4
CFP Maximum Duration............................. 60
Default Channel.................................. 36
Default Tx Power Level........................... 0
DTPC Status..................................... Enabled
Fragmentation Threshold.......................... 2346
TI Threshold..................................... -50
Legacy Tx Beamforming setting.................... Disabled
Traffic Stream Metrics Status.................... Enabled
Expedited BW Request Status...................... Disabled
World Mode....................................... Enabled
EDCA profile type................................ default-wmm
Voice MAC optimization status.................... Disabled
Call Admission Control (CAC) configuration
Voice AC:
    Voice AC - Admission control (ACM)............ Disabled
    Voice max RF bandwidth........................ 75
    Voice reserved roaming bandwidth.............. 6
    Voice load-based CAC mode..................... Disabled
    Voice tspec inactivity timeout................ Disabled
    Voice Stream-Size............................. 84000
    Voice Max-Streams............................. 2
Video AC:
    Video AC - Admission control (ACM)............ Disabled
    Video max RF bandwidth........................ Infinite
    Video reserved roaming bandwidth.............. 0
This example shows how to display basic 802.11h network settings:
> show 802.11h
802.11h ......................................... powerconstraint : 0
802.11h ......................................... channelswitch : Disable
802.11h ......................................... channelswitch mode : 0
Related Commands
show ap summary
show client summary
show network
show network summary
show port
show wlan
show aaa auth
To display the configuration settings for the AAA authentication server database, use the show aaa auth command.
show aaa auth
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display the configuration settings for the AAA authentication server database:
(Cisco Controller) > show aaa auth
Management authentication server order:
    1............................................ local
    2............................................ tacacs
Related Commands
config aaa auth mgmt
show advanced eap
To display Extensible Authentication Protocol (EAP) settings, use the show advanced eap command.
show advanced eap
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display the EAP settings:
(Cisco Controller) > show advanced eap
EAP-Identity-Request Timeout (seconds)........... 1
EAP-Identity-Request Max Retries................. 20
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 1
EAP-Request Max Retries.......................... 20
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
Related Commands
config advanced eap
config advanced timers eap-identity-request-delay
config advanced timers eap-timeout
show client detail
To display IP addresses per client learned through DNS snooping (DNS-based ACL), use the show client detail mac_address command.
show client detail mac_address
Syntax Description
mac_address | MAC address of the client. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following is a sample output of the show client detail mac_address command.
(Cisco Controller) > show client detail 01:35:6x:yy:21:00
Client MAC Address............................... 01:35:6x:yy:21:00
Client Username ................................. test
AP MAC Address................................... 00:11:22:33:44:x0
AP Name.......................................... AP0011.2020.x111
AP radio slot Id................................. 1
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 7
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 00:11:22:33:44:xx
Connected For ................................... 28 secs
Channel.......................................... 56
IP Address....................................... 10.0.0.1
Gateway Address.................................. Unknown
Netmask.......................................... Unknown
IPv6 Address..................................... xx20::222:6xyy:zeeb:2233
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... No CCX support
Re-Authentication Timeout........................ 1756
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Power Save....................................... ON
Current Rate..................................... m7
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
............................................. 48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ No
Policy Manager State............................. SUPPLICANT_PROVISIONING
Policy Manager Rule Created...................... Yes
AAA Override ACL Name............................ android
AAA Override ACL Applied Status.................. Yes
AAA Override Flex ACL Name....................... none
AAA Override Flex ACL Applied Status............. Unavailable
AAA URL redirect................................. https://10.0.0.3:8443/guestportal/gateway?sessionId=0a68aa72000000015272404e&action=nsp
Audit Session ID................................. 0a68aa72000000015272404e
AAA Role Type.................................... none
Local Policy Applied............................. p1
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
Client Type...................................... SimpleIP
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ management
VLAN............................................. 0
Quarantine VLAN.................................. 0
Access VLAN...................................... 0
Client Capabilities:
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Not implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented
Listen Interval............................ 10
Fast BSS Transition........................ Not implemented
Client Wifi Direct Capabilities:
WFD capable................................ No
Manged WFD capable......................... No
Cross Connection Capable................... No
Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
Number of Bytes Received................... 123659
Number of Bytes Sent....................... 120564
Number of Packets Received................. 1375
Number of Packets Sent..................... 276
Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 2
Number of EAP Request Msg Failures......... 0
Number of EAP Key Msg Timeouts............. 0
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 82
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 0
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -51 dBm
Signal to Noise Ratio...................... 46 dB
Client Rate Limiting Statistics:
Number of Data Packets Recieved............ 0
Number of Data Rx Packets Dropped.......... 0
Number of Data Bytes Recieved.............. 0
Number of Data Rx Bytes Dropped............ 0
Number of Realtime Packets Recieved........ 0
Number of Realtime Rx Packets Dropped...... 0
Number of Realtime Bytes Recieved.......... 0
Number of Realtime Rx Bytes Dropped........ 0
Number of Data Packets Sent................ 0
Number of Data Tx Packets Dropped.......... 0
Number of Data Bytes Sent.................. 0
Number of Data Tx Bytes Dropped............ 0
Number of Realtime Packets Sent............ 0
Number of Realtime Tx Packets Dropped...... 0
Number of Realtime Bytes Sent.............. 0
Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
AP0022.9090.c545(slot 0)
antenna0: 26 secs ago.................... -33 dBm
antenna1: 26 secs ago.................... -35 dBm
AP0022.9090.c545(slot 1)
antenna0: 25 secs ago.................... -41 dBm
antenna1: 25 secs ago.................... -44 dBm
APc47d.4f3a.35c2(slot 0)
antenna0: 26 secs ago.................... -30 dBm
antenna1: 26 secs ago.................... -36 dBm
APc47d.4f3a.35c2(slot 1)
antenna0: 24 secs ago.................... -43 dBm
antenna1: 24 secs ago.................... -45 dBm
DNS Server details:
DNS server IP ............................. 0.0.0.0
DNS server IP ............................. 0.0.0.0
Client Dhcp Required: False
Allowed (URL)IP Addresses
-------------------------
209.165.200.225
209.165.200.226
209.165.200.227
209.165.200.228
209.165.200.229
209.165.200.230
209.165.200.231
209.165.200.232
209.165.200.233
209.165.200.234
209.165.200.235
209.165.200.236
209.165.200.237
209.165.200.238
209.165.201.1
209.165.201.2
209.165.201.3
209.165.201.4
209.165.201.5
209.165.201.6
209.165.201.7
209.165.201.8
209.165.201.9
209.165.201.10
show database summary
To display the maximum number of entries in the database, use the show database summary command.
show database summary
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following is a sample output of the show database summary command:
(Cisco Controller) > show database summary
Maximum Database Entries......................... 2048
Maximum Database Entries On Next Reboot.......... 2048
Database Contents
    MAC Filter Entries........................... 2
    Exclusion List Entries....................... 0
    AP Authorization List Entries................ 1
    Management Users............................. 1
    Local Network Users.......................... 1
        Local Users.............................. 1
        Guest Users.............................. 0
    Total..................................... 5
show exclusionlist
To display a summary of all clients on the manual exclusion list (blacklisted) from associating with this Cisco wireless LAN controller, use the show exclusionlist command.
show exclusionlist
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display the exclusion list:
(Cisco Controller) > show exclusionlist
No manually disabled clients.
Dynamically Disabled Clients
----------------------------
MAC Address         Exclusion Reason    Time Remaining (in secs)
-----------         ----------------    ------------------------
00:40:96:b4:82:55   802.1X Failure      51
show local-auth certificates
To display local authentication certificate information, use the show local-auth certificates command.
show local-auth certificates
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display the authentication certificate information stored locally:
(Cisco Controller) > show local-auth certificates
Related Commands
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth config
show local-auth statistics
show local-auth config
To display local authentication configuration information, use the show local-auth config command.
show local-auth config
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display the local authentication configuration information:
(Cisco Controller) > show local-auth config
User credentials database search order:
    Primary ................................... Local DB
Configured EAP profiles:
    Name ...................................... fast-test
        Certificate issuer .................... default
        Enabled methods ....................... fast
        Configured on WLANs ................... 2
EAP Method configuration:
    EAP-TLS:
        Certificate issuer .................... default
        Peer verification options:
            Check against CA certificates ..... Enabled
            Verify certificate CN identity .... Disabled
            Check certificate date validity ... Enabled
    EAP-FAST:
        TTL for the PAC ....................... 3 600
        Initial client message ................ <none>
        Local certificate required ............ No
        Client certificate required ........... No
        Vendor certificate required ........... No
        Anonymous provision allowed ........... Yes
        Authenticator ID ...................... 7b7fffffff0000000000000000000000
        Authority Information ................. Test
EAP Profile.................................... tls-prof
    Enabled methods for this profile .......... tls
    Active on WLANs ........................... 1 3
EAP Method configuration:
    EAP-TLS:
        Certificate issuer used ............... cisco
        Peer verification options:
            Check against CA certificates ..... disabled
            Verify certificate CN identity .... disabled
            Check certificate date validity ... disabled
Related Commands
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth statistics
show local-auth statistics
To display local Extensible Authentication Protocol (EAP) authentication statistics, use the show local-auth statistics command.
show local-auth statistics
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display the local EAP authentication statistics:
(Cisco Controller) > show local-auth statistics
Local EAP authentication DB statistics:
    Requests received ............................... 14
    Responses returned .............................. 14
    Requests dropped (no EAP AVP) ................... 0
    Requests dropped (other reasons) ................ 0
    Authentication timeouts ......................... 0
    Authentication statistics:
        Method        Success       Fail
        ------------------------------------
        Unknown             0          0
        LEAP                0          0
        EAP-FAST            2          0
        EAP-TLS             0          0
        PEAP                0          0
Local EAP credential request statistics:
    Requests sent to LDAP DB ........................ 0
    Requests sent to File DB ........................ 2
    Requests failed (unable to send) ................ 0
    Authentication results received:
        Success ....................................... 2
        Fail .......................................... 0
Certificate operations:
    Local device certificate load failures .......... 0
    Total peer certificates checked ................. 0
    Failures:
        CA issuer check ............................... 0
        CN name not equal to identity ................. 0
        Dates not valid or expired .................... 0
Related Commands
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth config
show local-auth certificates
show netuser
To display the configuration of a particular user in the local user database, use the show netuser command.
show netuser {detail user_name | guest-roles | summary}
Syntax Description
detail user_name | Displays detailed information about the specified network user. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following is a sample output of the show netuser summary command:
(Cisco Controller) > show netuser summary
Maximum logins allowed for a given username ........Unlimited
The following is a sample output of the show netuser detail command:
(Cisco Controller) > show netuser detail john10
username........................................... abc
WLAN Id............................................. Any
Lifetime............................................ Permanent
Description......................................... test user
Related Commands
config netuser delete
config netuser description
config netuser guest-role apply
config netuser wlan-id
config netuser guest-roles
show network
To display the current status of 802.3 bridging for all WLANs, use the show network command.
show network
Syntax Description
Command Default
None.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
This example shows how to display the network details:
(Cisco Controller) > show network
Related Commands
config network
show network summary
show network multicast mgid detail
show network multicast mgid summary
show network summary
To display the network configuration of the Cisco wireless LAN controller, use the show network summary command.
show network summary
Syntax Description
Command Default
None.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
This example shows how to display a summary configuration:
(Cisco Controller) > show network summary
RF-Network Name............................. RF
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
Ethernet Multicast Mode..................... Disable   Mode: Ucast
Ethernet Broadcast Mode..................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
AP Multicast/Broadcast Mode................. Unicast
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds
MLD query interval.......................... 20 seconds
User Idle Timeout........................... 300 seconds
AP Join Priority............................ Disable
ARP Idle Timeout............................ 300 seconds
ARP Unicast Mode............................ Disabled
Cisco AP Default Master..................... Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Over The Air Provisioning of AP's........... Enable
Apple Talk ................................. Disable
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Disable
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable
Web Auth Captive-Bypass .................. Disable
Web Auth Secure Web ....................... Enable
Fast SSID Change ........................... Disabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Disable
oeap-600 local-network ..................... Enable
mDNS snooping............................... Disabled
mDNS Query Interval......................... 15 minutes
Web Color Theme............................. Red
Web Color Theme............................. Default
CAPWAP Prefer Mode.......................... IPv4
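The dotted-leader "Label...... Value" layout above is shared by every show command in this section, so it can be parsed once and audited. The following is an added example (not Cisco code, not part of this guide) that parses such output and reports management-plane settings a reviewer would want changed on a controller; the expected values encoded in the checks are this example's hardening assumptions, and the sample output is constructed from the show network summary example above.

```python
import re
from typing import Dict, List, Tuple

# One "Label...... Value" line of WLC show output. The label is the shortest
# prefix followed by a run of three or more dots; values may contain dots
# themselves (IP addresses), which is why the label match is lazy.
_FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s*\.{3,}\s*(?P<value>.*?)\s*$")


def parse_show_output(text: str) -> Dict[str, str]:
    """Turn dotted-leader show output into a {label: value} dict.

    Lines without a dotted leader (the prompt line, section headings such as
    'Voice AC:') are skipped. A field whose value is blank, for example
    'OCSP responder URL', is kept with an empty string so a caller can tell
    "present but empty" from "absent from the output".
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


# (label as printed by show network summary, values treated as acceptable,
#  finding text). The acceptable values are assumptions of this example,
#  not Cisco defaults; Enable/Enabled both occur in real output.
_CHECKS: List[Tuple[str, set, str]] = [
    ("Telnet", {"Disable", "Disabled"},
     "Telnet management is enabled; use SSH only"),
    ("Web Mode", {"Disable", "Disabled"},
     "clear-text HTTP web management is enabled"),
    ("Secure Web Mode", {"Enable", "Enabled"},
     "HTTPS web management is disabled"),
    ("Secure Web Mode Cipher-Option SSLv2", {"Disable", "Disabled"},
     "SSLv2 is allowed for HTTPS"),
    ("Secure Web Mode RC4 Cipher Preference", {"Disable", "Disabled"},
     "RC4 is preferred for HTTPS"),
    ("Secure Shell (ssh)", {"Enable", "Enabled"},
     "SSH is disabled"),
    ("Mgmt Via Wireless Interface", {"Disable", "Disabled"},
     "management is reachable from wireless clients"),
    ("IP/MAC Addr Binding Check", {"Enable", "Enabled"},
     "IP/MAC binding check is off"),
]


def audit_network_summary(text: str) -> List[str]:
    """Return one finding per check that fails or cannot be verified."""
    fields = parse_show_output(text)
    findings: List[str] = []
    for label, ok_values, message in _CHECKS:
        value = fields.get(label)
        if value is None:
            findings.append(f"{label}: not present in output (cannot verify)")
        elif value not in ok_values:
            findings.append(f"{label} = {value}: {message}")
    return findings


# Constructed sample, trimmed from the show network summary example above.
SAMPLE_NETWORK_SUMMARY = """\
(Cisco Controller) > show network summary
RF-Network Name............................. RF
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
IP/MAC Addr Binding Check .................. Enabled
User Idle Timeout........................... 300 seconds
"""

if __name__ == "__main__":
    for finding in audit_network_summary(SAMPLE_NETWORK_SUMMARY):
        print(finding)
```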
show ntp-keys
To display network time protocol authentication key details, use the show ntp-keys command.
show ntp-keys
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
7.6 | This command was introduced in a release earlier than Release 7.6. |
8.3 | This command was introduced. |
Examples
This example shows how to display NTP authentication key details:
(Cisco Controller) > show ntp-keys
Ntp Authentication Key Details...................
Key Index
-----------
1
3
show radius acct detailed
To display RADIUS accounting server information, use the show radius acct detailed command.
show radius acct detailed radius_index
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display RADIUS accounting server information:
(Cisco Controller) > show radius acct detailed 5
Radius Index........5
NAI Realms..........LAB.VTV.BLR.cisco.co.in
show radius acct statistics
To display the RADIUS accounting server statistics for the Cisco wireless LAN controller, use the show radius acct statistics command.
show radius acct statistics
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display RADIUS accounting server statistics:
(Cisco Controller) > show radius acct statistics
Accounting Servers:
Server Index..................................... 1
Server Address................................... 10.1.17.10
Msg Round Trip Time.............................. 0 (1/100 second)
First Requests................................... 0
Retry Requests................................... 0
Accounting Responses............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Related Commands
config radius acct ipsec authentication
config radius acct ipsec disable
config radius acct network
show radius auth statistics
show radius summary
show radius auth detailed
To display RADIUS authentication server information, use the show radius auth detailed command.
show radius auth detailed radius_index
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display RADIUS authentication server information:
(Cisco Controller) > show radius auth detailed 1
Radius Index........1
NAI Realms..........LAB.VTV.BLR.cisco.co.in
show radius auth statistics
To display the RADIUS authentication server statistics for the Cisco wireless LAN controller, use the show radius auth statistics command.
show radius auth statistics
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display RADIUS authentication server statistics:
(Cisco Controller) > show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 1.1.1.1
Msg Round Trip Time.............................. 0 (1/100 second)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Related Commands
config radius auth management
config radius auth network
show radius summary
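The per-server counters shown by show radius auth statistics and show radius acct statistics (the show tacacs ... statistics commands later on this page use the same dotted-leader layout) are what an operator reads to tell a shared-secret mismatch from an unreachable server. The following Python is an added example, not Cisco code: it parses that layout into one record per server and flags the counter patterns a defender cares about. The sample output, the server addresses and the retry threshold are constructed.

```python
import re

# Constructed sample in the layout of "show radius auth statistics": two servers,
# the second shows the counter pattern of a wrong shared secret (not real data).
SAMPLE_OUTPUT = """\
(Cisco Controller) > show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 10.1.17.10
Msg Round Trip Time.............................. 12 (1/100 second)
First Requests................................... 480
Retry Requests................................... 3
Accept Responses................................. 455
Reject Responses................................. 22
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 3
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Server Index..................................... 2
Server Address................................... 10.1.17.11
Msg Round Trip Time.............................. 0 (1/100 second)
First Requests................................... 40
Retry Requests................................... 40
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 40
Pending Requests................................. 0
Timeout Requests................................. 40
Unknowntype Msgs................................. 0
Other Drops...................................... 0
"""

# "Key.......... value": the key ends at the dotted leader, the value follows it.
LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][^.]*?)\s*\.{2,}\s*(?P<value>.*?)\s*$")
# Counters are integers; round-trip time is "<n> (1/100 second)" or "<n> (msec)".
NUM_RE = re.compile(r"^(-?\d+)(?:\s*\(.*\))?$")
# Reply counters differ between the auth and acct layouts; any of these counts as an answer.
ANSWER_KEYS = ("Accept Responses", "Reject Responses", "Accounting Responses", "Accounting Response")


def parse_server_stats(text):
    """Return one dict per 'Server Index' block, with numeric fields converted to int."""
    servers, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt, 'Authentication Servers:' header or blank line
        key, value = m.group("key"), m.group("value")
        if key == "Server Index" and current:
            servers.append(current)
            current = {}
        num = NUM_RE.match(value)
        current[key] = int(num.group(1)) if num else value
    if current:
        servers.append(current)
    return servers


def find_problems(servers, retry_ratio=0.25):
    """Map server address -> findings for servers whose counters look unhealthy.

    Thresholds are constructed. The checks read the counters the way a defender does:
    - Bad Authenticator Msgs > 0: replies failed authenticator verification, the
      classic sign of a shared-secret mismatch (or of spoofed replies); investigate.
    - Malformed/Unknowntype Msgs > 0: corrupted or non-RADIUS traffic on the port.
    - Timeouts with no accept/reject/accounting reply at all: the server never
      answered, so the controller is failing over without an obvious error.
    """
    findings = {}
    for s in servers:
        notes = []
        if s.get("Bad Authenticator Msgs", 0) > 0:
            notes.append("bad authenticator: check the shared secret on both sides")
        if s.get("Malformed Msgs", 0) > 0 or s.get("Unknowntype Msgs", 0) > 0:
            notes.append("malformed/unknown messages: inspect traffic to this server")
        first = s.get("First Requests", 0)
        answered = sum(s.get(k, 0) for k in ANSWER_KEYS)
        if first and answered == 0 and s.get("Timeout Requests", 0) > 0:
            notes.append("only timeouts, no replies: server unreachable or dropping")
        elif first and s.get("Retry Requests", 0) / first > retry_ratio:
            notes.append("high retry ratio: packet loss or slow server")
        if notes:
            findings[str(s.get("Server Address", "?"))] = notes
    return findings


if __name__ == "__main__":
    for addr, notes in find_problems(parse_server_stats(SAMPLE_OUTPUT)).items():
        print(addr, "->", "; ".join(notes))
```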
show radius avp-list
To display RADIUS VSA AVPs, use the show radius avp-list command.
show radius avp-list profile-name
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display RADIUS VSA AVPs:
(Cisco Controller) > show radius avp-list
show radius summary
To display the RADIUS authentication and accounting server summary, use the show radius summary command.
show radius summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display a RADIUS authentication server summary:
(Cisco Controller) > show radius summary
Vendor Id Backward Compatibility................. Disabled
Credentials Caching.............................. Disabled
Call Station Id Type............................. IP Address
Administrative Authentication via RADIUS......... Enabled
Authentication Servers
Index Type Server Address Port State Tout RFC-3576 IPsec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
----- ---- ---------------- ------ -------- ---- -------- --------------- ---------------------------------
Accounting Servers
Index Type Server Address Port State Tout RFC-3576 IPsec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
----- ---- ---------------- ------ -------- ---- -------- --------------- ---------------------------------
Related Commands
show radius auth statistics
show radius acct statistics
show rules
To display the active internal firewall rules, use the show rules command.
show rules
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display active internal firewall rules:
(Cisco Controller) > show rules
--------------------------------------------------------
Rule ID.............: 3
Ref count...........: 0
Precedence..........: 99999999
Flags...............: 00000001 ( PASS )
Source IP range:
(Local stack)
Destination IP range:
(Local stack)
--------------------------------------------------------
Rule ID.............: 25
Ref count...........: 0
Precedence..........: 99999999
Flags...............: 00000001 ( PASS )
Service Info
Service name........: GDB
Protocol............: 6
Source port low.....: 0
Source port high....: 0
Dest port low.......: 1000
Dest port high......: 1000
Source IP range:
IP High............: 0.0.0.0
Interface..........: ANY
Destination IP range:
(Local stack)
--------------------------------------------------------
show rogue adhoc custom summary
To display information about ad-hoc rogues that are classified as custom, use the show rogue adhoc custom summary command.
show rogue adhoc custom summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display details of ad-hoc rogues classified as custom:
(Cisco Controller) > show rogue adhoc custom summary
Number of Adhocs............................0
MAC Address State # APs # Clients Last Heard
----------------- ------------------ ----- --------- -----------------------
Related Commands
show rogue adhoc summary
show rogue adhoc friendly summary
show rogue adhoc malicious summary
show rogue adhoc unclassified summary
config rogue adhoc
show rogue adhoc detailed
To display details of an ad-hoc rogue access point detected by the Cisco wireless LAN controller, use the show rogue adhoc client detailed command.
show rogue adhoc detailed MAC_address
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display detailed ad-hoc rogue MAC address information:
(Cisco Controller) > show rogue adhoc client detailed 02:61:ce:8e:a8:8c
Adhoc Rogue MAC address.......................... 02:61:ce:8e:a8:8c
Adhoc Rogue BSSID................................ 02:61:ce:8e:a8:8c
State............................................ Alert
First Time Adhoc Rogue was Reported.............. Tue Dec 11 20:45:45 2007
Last Time Adhoc Rogue was Reported............... Tue Dec 11 20:45:45 2007
Reported By
AP 1
MAC Address.............................. 00:14:1b:58:4a:e0
Name..................................... AP0014.1ced.2a60
Radio Type............................... 802.11b
SSID..................................... rf4k3ap
Channel.................................. 3
RSSI..................................... -56 dBm
SNR...................................... 15 dB
Encryption............................... Disabled
ShortPreamble............................ Disabled
WPA Support.............................. Disabled
Last reported by this AP............... Tue Dec 11 20:45:45 2007
Related Commands
show rogue ignore-list
show rogue rule detailed
config rogue rule
show rogue adhoc summary
show rogue adhoc friendly summary
To display information about ad-hoc rogues that are classified as friendly, use the show rogue adhoc friendly summary command.
show rogue adhoc friendly summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display information about ad-hoc rogues classified as friendly:
(Cisco Controller) > show rogue adhoc friendly summary
Number of Adhocs............................0
MAC Address State # APs # Clients Last Heard
----------------- ------------------ ----- --------- -----------------------
Related Commands
show rogue adhoc custom summary
show rogue adhoc summary
show rogue adhoc malicious summary
show rogue adhoc unclassified summary
config rogue adhoc
show rogue adhoc malicious summary
To display information about ad-hoc rogues that are classified as malicious, use the show rogue adhoc malicious summary command.
show rogue adhoc malicious summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display details of ad-hoc rogues classified as malicious:
(Cisco Controller) > show rogue adhoc malicious summary
Number of Adhocs............................0
MAC Address State # APs # Clients Last Heard
----------------- ------------------ ----- --------- -----------------------
Related Commands
show rogue adhoc custom summary
show rogue adhoc summary
show rogue adhoc friendly summary
show rogue adhoc unclassified summary
config rogue adhoc
show rogue adhoc unclassified summary
To display information about ad-hoc rogues that are still unclassified, use the show rogue adhoc unclassified summary command.
show rogue adhoc unclassified summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display information about unclassified ad-hoc rogues:
(Cisco Controller) > show rogue adhoc unclassified summary
Number of Adhocs............................0
MAC Address State # APs # Clients Last Heard
----------------- ------------------ ----- --------- -----------------------
Related Commands
show rogue adhoc custom summary
show rogue adhoc summary
show rogue adhoc friendly summary
show rogue adhoc malicious summary
config rogue adhoc
show rogue adhoc summary
To display a summary of the ad-hoc rogue access points detected by the Cisco wireless LAN controller, use the show rogue adhoc summary command.
show rogue adhoc summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display a summary of all ad-hoc rogues:
(Cisco Controller) > show rogue adhoc summary
Detect and report Ad-Hoc Networks................ Enabled
Client MAC Address Adhoc BSSID State # APs Last Heard
------------------ ----------- ----- --- -------
xx:xx:xx:xx:xx:xx super Alert 1 Sat Aug 9 21:12:50 2004
xx:xx:xx:xx:xx:xx Alert 1 Aug 9 21:12:50 2003
xx:xx:xx:xx:xx:xx Alert 1 Sat Aug 9 21:10:50 2003
Related Commands
show rogue ignore-list
show rogue rule detailed
config rogue rule
show rogue adhoc detailed
show rogue ap custom summary
To display information about rogue access points that are classified as custom, use the show rogue ap custom summary command.
show rogue ap custom summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display details of rogue access points classified as custom:
(Cisco Controller) > show rogue ap custom summary
Number of APs............................0
MAC Address State # APs # Clients Last Heard
----------------- ------------------ ----- --------- -----------------------
Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap clients
To display details of rogue access point clients detected by the Cisco wireless LAN controller, use the show rogue ap clients command.
show rogue ap clients ap_mac_address
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display details of rogue access point clients:
(Cisco Controller) > show rogue ap clients xx:xx:xx:xx:xx:xx
MAC Address State # APs Last Heard
----------------- ------------------ ----- -------------------------
00:bb:cd:12:ab:ff Alert 1 Fri Nov 30 11:26:23 2007
Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap detailed
To display details of a rogue access point detected by the Cisco wireless LAN controller, use the show rogue ap detailed command.
show rogue ap detailed ap_mac_address
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display detailed information of a rogue access point:
(Cisco Controller) > show rogue ap detailed xx:xx:xx:xx:xx:xx
Rogue BSSID...................................... 00:0b:85:63:d1:94
Is Rogue on Wired Network........................ No
Classification................................... Unclassified
State............................................ Alert
First Time Rogue was Reported.................... Fri Nov 30 11:24:56 2007
Last Time Rogue was Reported..................... Fri Nov 30 11:24:56 2007
Reported By
AP 1
MAC Address.............................. 00:12:44:bb:25:d0
Name..................................... flexconnect
Radio Type............................... 802.11g
SSID..................................... edu-eap
Channel.................................. 6
RSSI..................................... -61 dBm
SNR...................................... -1 dB
Encryption............................... Enabled
ShortPreamble............................ Enabled
WPA Support.............................. Disabled
Last reported by this AP.............. Fri Nov 30 11:24:56 2007
This example shows how to display detailed information of a rogue access point with a customized classification:
(Cisco Controller) > show rogue ap detailed xx:xx:xx:xx:xx:xx
Rogue BSSID...................................... 00:17:0f:34:48:a0
Is Rogue on Wired Network........................ No
Classification................................... custom
Severity Score .................................. 1
Class Name........................................VeryMalicious
Class Change by.................................. Rogue Rule
Classified at ................................... -60 dBm
Classified by.................................... c4:0a:cb:a1:18:80
State............................................ Contained
State change by.................................. Rogue Rule
First Time Rogue was Reported.................... Mon Jun 4 10:31:18 2012
Last Time Rogue was Reported..................... Mon Jun 4 10:31:18 2012
Reported By
AP 1
MAC Address.............................. c4:0a:cb:a1:18:80
Name..................................... SHIELD-3600-2027
Radio Type............................... 802.11g
SSID..................................... sri
Channel.................................. 11
RSSI..................................... -87 dBm
SNR...................................... 4 dB
Encryption............................... Enabled
ShortPreamble............................ Enabled
WPA Support.............................. Enabled
Last reported by this AP................. Mon Jun 4 10:31:18 2012
Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap summary
To display a summary of the rogue access points detected by the Cisco wireless LAN controller, use the show rogue ap summary command.
show rogue ap summary { ssid | channel }
Syntax Description
ssid | Displays the specific user-configured SSID of the rogue access point. |
channel | Displays the specific user-configured radio type and channel of the rogue access point. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display a summary of all rogue access points:
(Cisco Controller) > show rogue ap summary
Rogue Location Discovery Protocol................ Disabled
Rogue ap timeout................................. 1200
Rogue on wire Auto-Contain....................... Disabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
Rogue Detection Report Interval.................. 10
Rogue Detection Min Rssi......................... -128
Rogue Detection Transient Interval............... 0
Rogue Detection Client Num Thershold............. 0
Total Rogues(AP+Ad-hoc) supported................ 2000
Total Rogues classified.......................... 729
MAC Address Classification # APs # Clients Last Heard
----------------- ------------------ ----- --------- -----------------------
xx:xx:xx:xx:xx:xx friendly 1 0 Thu Aug 4 18:57:11 2005
xx:xx:xx:xx:xx:xx malicious 1 0 Thu Aug 4 19:00:11 2005
xx:xx:xx:xx:xx:xx malicious 1 0 Thu Aug 4 18:57:11 2005
xx:xx:xx:xx:xx:xx malicious 1 0 Thu Aug 4 18:57:11 2005
The following example shows how to display a summary of all rogue access points with the ssid extended parameter:
(Cisco Controller) > show rogue ap summary ssid
MAC Address Class State SSID Security
--------------------------------------------------------------------------------------
xx:xx:xx:xx:xx:xx Unclassified Alert xxx Open
xx:xx:xx:xx:xx:xx Unclassified Alert xxx Open
xx:xx:xx:xx:xx:xx Pending Pending xxx Open
xx:xx:xx:xx:xx:xx Unclassified Alert xxx WEP/WPA
The following example shows how to display a summary of all rogue access points with the channel extended parameter:
(Cisco Controller) > show rogue ap summary channel
MAC Address Class State Det RadioType Channel RSSIlast/Max)
--------------------------------------------------------------------------------------------------------------------
xx:xx:xx:xx:xx:xx Unclassified Alert 802.11g 11 -53 / -48
xx:xx:xx:xx:xx:xx Unclassified Alert 802.11g 11 -53 / -48
xx:xx:xx:xx:xx:xx Unclassified Alert 802.11a 149 -74 / -69
xx:xx:xx:xx:xx:xx Unclassified Alert 802.11a 149 -74 / -69
xx:xx:xx:xx:xx:xx Unclassified Alert 802.11a 149 -74 / -69
The following example shows how to display a summary of all rogue access points with both the ssid and channel extended parameters:
(Cisco Controller) > show rogue ap summary ssid channel
MAC Address Class State SSID Security Det RadioType Channel RSSI(last/Max)
-----------------------------------------------------------------------------------------------------------------
xx:xx:xx:xx:xx:xx Unclassified Alert dd WEP/WPA 802.11n5G 56 -73 / -62
xx:xx:xx:xx:xx:xx Unclassified Alert SSID IS HIDDEN Open 802.11a 149 -68 / -66
xx:xx:xx:xx:xx:xx Unclassified Alert wlan16 WEP/WPA 802.11n5G 149 -71 / -71
xx:xx:xx:xx:xx:xx Unclassified Alert wlan15 WEP/WPA 802.11n5G 149 -71 / -71
xx:xx:xx:xx:xx:xx Unclassified Alert wlan14 WEP/WPA 802.11n5G 149 -71 / -71
xx:xx:xx:xx:xx:xx Unclassified Alert wlan13 WEP/WPA 802.11n5G 149 -71 / -70
xx:xx:xx:xx:xx:xx Unclassified Alert wlan12 WEP/WPA 802.11n5G 149 -71 / -71
Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
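The extended ssid channel summary above is the output a wireless security team feeds into rogue triage. The following Python is an added example, not Cisco code: it parses the rows (tolerating SSIDs that contain spaces, including the SSID IS HIDDEN marker), then orders the rogues for investigation, putting those that advertise one of our own SSIDs first (the situation the Rogue using our SSID Auto-Contain setting addresses), listing hidden-SSID rogues, and counting rogues per channel. The sample output, the MAC addresses and the MANAGED_SSIDS set are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout of "show rogue ap summary ssid channel"
# (MAC addresses and SSIDs are made up); the masked xx:xx:.. form used in the
# documentation is accepted as well.
SAMPLE_OUTPUT = """\
(Cisco Controller) > show rogue ap summary ssid channel
MAC Address Class State SSID Security Det RadioType Channel RSSI(last/Max)
-----------------------------------------------------------------------------------------------------------------
00:11:22:33:44:01 Unclassified Alert corp-wifi Open 802.11n5G 56 -73 / -62
00:11:22:33:44:02 Unclassified Alert SSID IS HIDDEN Open 802.11a 149 -68 / -66
00:11:22:33:44:03 Friendly Internal guest-net WEP/WPA 802.11n5G 149 -71 / -71
00:11:22:33:44:04 Malicious Contained corp-wifi WEP/WPA 802.11g 6 -45 / -40
00:11:22:33:44:05 Unclassified Alert Cafe Free WiFi Open 802.11g 1 -80 / -75
"""

# SSIDs this controller serves (constructed). A rogue advertising one of them is an
# evil-twin candidate, the case the "Rogue using our SSID Auto-Contain" setting targets.
MANAGED_SSIDS = {"corp-wifi", "guest-net"}

# Columns are space-separated, but an SSID may itself contain spaces ("SSID IS HIDDEN",
# "Cafe Free WiFi"), so the SSID is matched lazily and the row is anchored on the radio
# type ("802.11...") and the trailing "last / max" RSSI pair.
ROW_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-fx]{2}:){5}[0-9a-fx]{2})\s+"
    r"(?P<classification>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<ssid>.+?)\s+(?P<security>\S+)\s+"
    r"(?P<radio>802\.11\S*)\s+(?P<channel>\d+)\s+"
    r"(?P<rssi_last>-?\d+)\s*/\s*(?P<rssi_max>-?\d+)\s*$",
    re.IGNORECASE,
)


def parse_summary_rows(text):
    """Return one dict per rogue row; the prompt, header and dashed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        for k in ("channel", "rssi_last", "rssi_max"):
            row[k] = int(row[k])
        rows.append(row)
    return rows


def triage(rows, managed_ssids):
    """Order the rogues for investigation.

    our_ssid:   rogues broadcasting one of our SSIDs that are not already classified
                Friendly, strongest signal first (a strong signal at the reporting AP
                means the rogue is most likely on-site).
    hidden:     rogues whose SSID the controller reports as hidden.
    by_channel: how many rogues were heard per channel, a quick co-channel picture.
    """
    our_ssid = [r for r in rows
                if r["ssid"] in managed_ssids and r["classification"].lower() != "friendly"]
    our_ssid.sort(key=lambda r: r["rssi_last"], reverse=True)
    hidden = [r for r in rows if r["ssid"].upper() == "SSID IS HIDDEN"]
    return {
        "our_ssid": our_ssid,
        "hidden": hidden,
        "by_channel": Counter(r["channel"] for r in rows),
    }


if __name__ == "__main__":
    report = triage(parse_summary_rows(SAMPLE_OUTPUT), MANAGED_SSIDS)
    for r in report["our_ssid"]:
        print(f"{r['mac']} advertises {r['ssid']!r} ({r['security']}, ch {r['channel']}, "
              f"{r['rssi_last']} dBm), classified {r['classification']}/{r['state']}")
    print("hidden SSID:", [r["mac"] for r in report["hidden"]])
    print("rogues per channel:", dict(report["by_channel"]))
```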
show rogue ap friendly summary
To display a list of the friendly rogue access points detected by the controller, use the show rogue ap friendly summary command.
show rogue ap friendly summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display a summary of all friendly rogue access points:
(Cisco Controller) > show rogue ap friendly summary
Number of APs.................................... 1
MAC Address State # APs # Clients Last Heard
----------------- ------------------ ----- --------- ---------------------------
XX:XX:XX:XX:XX:XX Internal 1 0 Tue Nov 27 13:52:04 2007
Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap malicious summary
To display a list of the malicious rogue access points detected by the controller, use the show rogue ap malicious summary command.
show rogue ap malicious summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display a summary of all malicious rogue access points:
(Cisco Controller) > show rogue ap malicious summary
Number of APs.................................... 2
MAC Address State # APs # Clients Last Heard
----------------- ------------------ ----- --------- ---------------------------
XX:XX:XX:XX:XX:XX Alert 1 0 Tue Nov 27 13:52:04 2007
XX:XX:XX:XX:XX:XX Alert 1 0 Tue Nov 27 13:52:04 2007
Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
show rogue ap unclassified summary
To display a list of the unclassified rogue access points detected by the controller, use the show rogue ap unclassified summary command.
show rogue ap unclassified summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display a list of all unclassified rogue access points:
(Cisco Controller) > show rogue ap unclassified summary
Number of APs.................................... 164
MAC Address State # APs # Clients Last Heard
----------------- ------------- ----- --------- ---------------
XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:12:52 2007
XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:29:01 2007
XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:26:23 2007
XX:XX:XX:XX:XX:XX Alert 1 0 Fri Nov 30 11:26:23 2007
show rogue client detailed
To display details of a rogue client detected by a Cisco wireless LAN controller, use the show rogue client detailed command.
show rogue client detailed Rogue_AP MAC_address
Syntax Description
Rogue_AP | Rogue AP address. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display detailed information for a rogue client:
(Cisco Controller) > show rogue client detailed xx:xx:xx:xx:xx:xx
Rogue BSSID...................................... 00:0b:85:23:ea:d1
State............................................ Alert
First Time Rogue was Reported.................... Mon Dec 3 21:50:36 2007
Last Time Rogue was Reported..................... Mon Dec 3 21:50:36 2007
Rogue Client IP address.......................... Not known
Reported By
AP 1
MAC Address.............................. 00:15:c7:82:b6:b0
Name..................................... AP0016.47b2.31ea
Radio Type............................... 802.11a
RSSI..................................... -71 dBm
SNR...................................... 23 dB
Channel.................................. 149
Last reported by this AP.............. Mon Dec 3 21:50:36 2007
Related Commands
show rogue client summary
show rogue ignore-list
config rogue rule client
config rogue rule
show rogue client summary
To display a summary of the rogue clients detected by the Cisco wireless LAN controller, use the show rogue client summary command.
show rogue client summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display a list of all rogue clients:
(Cisco Controller) > show rogue client summary
Validate rogue clients against AAA............... Disabled
Total Rogue Clients supported.................... 2500
Total Rogue Clients present...................... 3
MAC Address State # APs Last Heard
----------------- ------------------ ----- -----------------------
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:00:08 2005
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:09:11 2005
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:03:11 2005
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:03:11 2005
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:09:11 2005
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 18:57:08 2005
xx:xx:xx:xx:xx:xx Alert 1 Thu Aug 4 19:12:08 2005
Related Commands
show rogue ignore-list
config rogue client
config rogue rule
show rogue ignore-list
To display a list of rogue access points that are configured to be ignored, use the show rogue ignore-list command.
show rogue ignore-list
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display a list of all rogue access points that are configured to be ignored:
(Cisco Controller) > show rogue ignore-list
MAC Address
-----------------
xx:xx:xx:xx:xx:xx
Related Commands
config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
config trapflags rogueap
show rogue ignore-list
show rogue client summary
show rogue ap unclassified summary
show rogue ap malicious summary
show rogue ap friendly summary
config rogue client
show rogue ap summary
show rogue ap clients
show rogue ap detailed
config rogue rule
show rogue rule detailed
To display detailed information for a specific rogue classification rule, use the show rogue rule detailed command.
show rogue rule detailed rule_name
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display detailed information on a specific rogue classification rule:
(Cisco Controller) > show rogue rule detailed Rule2
Priority......................................... 2
Rule Name........................................ Rule2
State............................................ Enabled
Type............................................. Malicious
Severity Score................................... 1
Class Name....................................... Very_Malicious
Notify........................................... All
State ........................................... Contain
Match Operation.................................. Any
Hit Count........................................ 352
Total Conditions................................. 2
Condition 1
type......................................... Client-count
value........................................ 10
Condition 2
type......................................... Duration
value (seconds).............................. 2000
Condition 3
type......................................... Managed-ssid
value........................................ Enabled
Condition 4
type......................................... No-encryption
value........................................ Enabled
Condition 5
type......................................... Rssi
value (dBm).................................. -50
Condition 6
type......................................... Ssid
SSID Count................................... 1
SSID 1.................................... test
Related Commands
show rogue ignore-list
show rogue rule summary
To display the rogue classification rules that are configured on the controller, use the show rogue rule summary command.
show rogue rule summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display a list of all rogue rules that are configured on the controller:
(Cisco Controller) > show rogue rule summary
Priority Rule Name State Type Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1 mtest Enabled Malicious All 0
2 asdfasdf Enabled Malicious All 0
The following example shows how to display a list of all rogue rules that are configured on the controller:
(Cisco Controller) > show rogue rule summary
Priority Rule Name Rule state Class Type Notify State Match Hit Count
-------- -------------------------------- ----------- ----------- -------- -------- ------ ---------
1 rule2 Enabled Friendly Global Alert All 234
2 rule1 Enabled Custom Global Alert All 0
Related Commands
show rogue ignore-list
show tacacs acct statistics
To display the TACACS+ accounting server statistics for the Cisco wireless LAN controller, use the show tacacs acct statistics command.
show tacacs acct statistics
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display TACACS+ accounting server statistics:
(Cisco Controller) > show tacacs acct statistics
Accounting Servers:
Server Index..................................... 1
Server Address................................... 10.0.0.0
Msg Round Trip Time.............................. 0 (1/100 second)
First Requests................................... 1
Retry Requests................................... 0
Accounting Response.............................. 0
Accounting Request Success....................... 0
Accounting Request Failure....................... 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. -1
Timeout Requests................................. 1
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Related Commands
config tacacs auth
show tacacs summary
show tacacs athr statistics
To display TACACS+ server authorization statistics, use the show tacacs athr statistics command.
show tacacs athr statistics
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display TACACS server authorization statistics:
(Cisco Controller) > show tacacs athr statistics
Authorization Servers:
Server Index..................................... 3
Server Address................................... 10.0.0.3
Msg Round Trip Time.............................. 0 (1/100 second)
First Requests................................... 0
Retry Requests................................... 0
Received Responses............................... 0
Authorization Success............................ 0
Authorization Failure............................ 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Related Commands
config tacacs athr
config tacacs auth
show tacacs auth statistics
show tacacs summary
show tacacs auth statistics
To display TACACS+ server authentication statistics, use the show tacacs auth statistics command.
show tacacs auth statistics
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display TACACS server authentication statistics:
(Cisco Controller) > show tacacs auth statistics
Authentication Servers:
Server Index..................................... 2
Server Address................................... 10.0.0.2
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Error Responses.................................. 0
Restart Responses................................ 0
Follow Responses................................. 0
GetData Responses................................ 0
Encrypt no secret Responses...................... 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Related Commands
config tacacs auth
show tacacs summary
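The three statistics commands above share one output format: a counter name, a dotted leader, a value and an optional unit in parentheses. As an added example that is not part of the Cisco reference, the following Python parser reads that format and flags the counters an operator would monitor (timeouts, malformed messages, bad authenticators, a negative pending count); the sample output is constructed from the format shown above, not a real capture.

```python
import re

# Constructed sample in the format of `show tacacs acct statistics` (two servers,
# the first unhealthy, the second healthy). Not a real controller capture.
SAMPLE_ACCT_STATS = """\
Accounting Servers:
Server Index..................................... 1
Server Address................................... 10.0.0.0
Msg Round Trip Time.............................. 0 (1/100 second)
First Requests................................... 1
Retry Requests................................... 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. -1
Timeout Requests................................. 1
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Server Index..................................... 2
Server Address................................... 10.0.0.2
Msg Round Trip Time.............................. 3 (msec)
First Requests................................... 42
Retry Requests................................... 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0
"""

# One stat line: "<name><dotted leader> <value>[ (<unit>)]"
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9 /-]*?)\.{2,}\s*"
    r"(?P<value>-?\S+)(?:\s*\((?P<unit>[^)]*)\))?\s*$"
)


def parse_stats(text):
    """Return one dict per server; a new server starts at each 'Server Index' line.

    Integer counters are converted to int; addresses and other strings are kept as-is.
    Section headers such as 'Accounting Servers:' carry no counter and are skipped.
    """
    servers = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, value = m.group("name").strip(), m.group("value")
        if name == "Server Index":
            current = {}
            servers.append(current)
        if current is None:
            continue  # stat line seen before any Server Index: ignore
        try:
            current[name] = int(value)
        except ValueError:
            current[name] = value
    return servers


# Counters whose non-zero value points at reachability, key-mismatch or
# protocol problems with the TACACS+ server.
ALERT_IF_NONZERO = (
    "Malformed Msgs",
    "Bad Authenticator Msgs",
    "Timeout Requests",
    "Unknowntype Msgs",
    "Other Drops",
)


def health_findings(server):
    """Return human-readable findings for one parsed server (empty list = healthy)."""
    findings = []
    for key in ALERT_IF_NONZERO:
        if server.get(key, 0) != 0:
            findings.append(f"{key}={server[key]}")
    pending = server.get("Pending Requests")
    # A negative pending count is a bookkeeping anomaly worth flagging on its own.
    if isinstance(pending, int) and pending < 0:
        findings.append(f"Pending Requests={pending} (negative)")
    return findings


if __name__ == "__main__":
    for srv in parse_stats(SAMPLE_ACCT_STATS):
        addr = srv.get("Server Address", "?")
        print(addr, health_findings(srv) or "ok")
```

The same parser handles the auth and athr statistics output, which use the same layout (the unit differs: "(msec)" instead of "(1/100 second)").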
show tacacs summary
To display TACACS+ server summary information, use the show tacacs summary command.
show tacacs summary
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to display TACACS server summary information:
(Cisco Controller) > show tacacs summary
Authentication Servers
Idx Server Address Port State Tout
--- ---------------- ------ -------- ----
2 10.0.0.1 49 Enabled 30
Accounting Servers
Idx Server Address Port State Tout
--- ---------------- ------ -------- ----
1 10.0.0.0 49 Enabled 5
Authorization Servers
Idx Server Address Port State Tout
--- ---------------- ------ -------- ----
3 10.0.0.3 49 Enabled 5
Idx Server Address Port State Tout
--- ---------------- ------ -------- ----
4 2001:9:6:40::623 49 Enabled 5
...
Related Commands
config tacacs acct
config tacacs athr
config tacacs auth
show tacacs summary
show tacacs athr statistics
show tacacs auth statistics
config Commands
This section lists the config commands to configure security settings for the controller.
- config 802.11b preamble
- config aaa auth
- config aaa auth mgmt
- config auth-list add
- config auth-list ap-policy
- config auth-list delete
- config advanced eap
- config advanced timers auth-timeout
- config advanced timers eap-timeout
- config advanced timers eap-identity-request-delay
- config database size
- config exclusionlist
- config local-auth active-timeout
- config local-auth eap-profile
- config local-auth method fast
- config local-auth user-credentials
- config netuser add
- config netuser delete
- config netuser description
- config network web-auth captive-bypass
- config network web-auth secureweb
- config network webmode
- config network web-auth
- config radius acct
- config radius acct mac-delimiter
- config radius acct network
- config radius acct realm
- config radius acct retransmit-timeout
- config radius auth
- config radius auth callStationIdType
- config radius auth keywrap
- config radius auth mac-delimiter
- config radius auth management
- config radius auth mgmt-retransmit-timeout
- config radius auth network
- config radius auth realm
- config radius auth retransmit-timeout
- config radius auth rfc3576
- config radius aggressive-failover disabled
- config radius backward compatibility
- config radius callStationIdCase
- config radius callStationIdType
- config radius dns
- config radius fallback-test
- config rogue adhoc
- config rogue ap classify
- config rogue ap friendly
- config rogue ap rldp
- config rogue ap ssid
- config rogue ap timeout
- config rogue ap valid-client
- config rogue client
- config rogue detection
- config rogue detection client-threshold
- config rogue detection min-rssi
- config rogue detection monitor-ap
- config rogue detection report-interval
- config rogue detection security-level
- config rogue detection transient-rogue-interval
- config rogue rule
- config rogue rule condition ap
- config tacacs acct
- config tacacs athr
- config tacacs athr mgmt-server-timeout
- config tacacs auth
- config tacacs auth mgmt-server-timeout
- config tacacs dns
- config tacacs fallback-test interval
- config wlan radius_server realm
- config wlan security eap-params
config 802.11b preamble
To change the 802.11b preamble as defined in subclause 18.2.2.2 to long (slower, but more reliable) or short (faster, but less reliable), use the config 802.11b preamble command.
config 802.11b preamble { long | short}
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
Note | You must reboot the Cisco Wireless LAN Controller (reset system) with save to implement this command. |
This parameter must be set to long to optimize this Cisco wireless LAN controller for some clients, including SpectraLink NetLink telephones.
This command can be used any time that the CLI interface is active.
Examples
The following example shows how to change the 802.11b preamble to short:
(Cisco Controller) >config 802.11b preamble short
(Cisco Controller) >(reset system with save)
config aaa auth
To configure the AAA authentication search order for management users, use the config aaa auth command.
config aaa auth mgmt [ aaa_server_type1 | aaa_server_type2]
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
You can enter two AAA server types as long as one of the server types is local. You cannot enter radius and tacacs together.
Examples
The following example shows how to configure the AAA authentication search order for controller management users to the server types radius and local, in that order:
(Cisco Controller) > config aaa auth radius local
Related Commands
config aaa auth mgmt
To configure the order of authentication when multiple databases are configured, use the config aaa auth mgmt command.
config aaa auth mgmt [ radius | tacacs]
Syntax Description
Keyword | Description |
---|---|
radius | (Optional) Configures the order of authentication for RADIUS servers. |
tacacs | (Optional) Configures the order of authentication for TACACS servers. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the order of authentication for the RADIUS server:
(Cisco Controller) > config aaa auth mgmt radius
The following example shows how to configure the order of authentication for the TACACS server:
(Cisco Controller) > config aaa auth mgmt tacacs
Related Commands
config auth-list add
To create an authorized access point entry, use the config auth-list add command.
config auth-list add { mic | ssc} AP_MAC [ AP_key]
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to create an authorized access point entry with a manufacturer-installed certificate (mic) for MAC address 00:0b:85:02:0d:20:
(Cisco Controller) > config auth-list add mic 00:0b:85:02:0d:20
Related Commands
config auth-list ap-policy
To configure an access point authorization policy, use the config auth-list ap-policy command.
config auth-list ap-policy { authorize-ap { enable | disable} | ssc { enable | disable}}
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable an access point authorization policy:
(Cisco Controller) > config auth-list ap-policy authorize-ap enable
The following example shows how to enable an access point with a self-signed certificate to connect:
(Cisco Controller) > config auth-list ap-policy ssc disable
Related Commands
config auth-list delete
To delete an access point entry, use the config auth-list delete command.
config auth-list delete AP_MAC
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to delete an access point entry for MAC address 00:1f:ca:cf:b6:60:
(Cisco Controller) > config auth-list delete 00:1f:ca:cf:b6:60
Related Commands
config advanced eap
To configure advanced extensible authentication protocol (EAP) settings, use the config advanced eap command.
config advanced eap { bcast-key-interval seconds | eapol-key-timeout timeout | eapol-key-retries retries | identity-request-timeout timeout | identity-request-retries retries | key-index index | max-login-ignore-identity-response { enable | disable} | request-timeout timeout | request-retries retries}
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the key index used for dynamic wired equivalent privacy (WEP):
(Cisco Controller) > config advanced eap key-index 0
Related Commands
config advanced timers auth-timeout
To configure the authentication timeout, use the config advanced timers auth-timeout command.
config advanced timers auth-timeout seconds
Syntax Description
Argument | Description |
---|---|
seconds | Authentication response timeout value in seconds between 10 and 600. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the authentication timeout to 20 seconds:
(Cisco Controller) >config advanced timers auth-timeout 20
config advanced timers eap-timeout
To configure the Extensible Authentication Protocol (EAP) expiration timeout, use the config advanced timers eap-timeout command.
config advanced timers eap-timeout seconds
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the EAP expiration timeout to 10 seconds:
(Cisco Controller) >config advanced timers eap-timeout 10
config advanced timers eap-identity-request-delay
To configure the advanced Extensible Authentication Protocol (EAP) identity request delay in seconds, use the config advanced timers eap-identity-request-delay command.
config advanced timers eap-identity-request-delay seconds
Syntax Description
Argument | Description |
---|---|
seconds | Advanced EAP identity request delay in number of seconds between 0 and 10. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the advanced EAP identity request delay to 8 seconds:
(Cisco Controller) >config advanced timers eap-identity-request-delay 8
config database size
To configure the local database, use the config database size command.
config database size count
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
Use the show database command to display local database configuration.
Examples
The following example shows how to configure the size of the local database:
(Cisco Controller) > config database size 1024
Related Commands
config exclusionlist
To create or delete an exclusion list entry, use the config exclusionlist command.
config exclusionlist { add MAC [ description] | delete MAC | description MAC [ description]}
Syntax Description
Argument | Description |
---|---|
description | (Optional) Description, up to 32 characters, for an excluded entry. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to create a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:
(Cisco Controller) > config exclusionlist add xx:xx:xx:xx:xx:xx lab
The following example shows how to delete a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:
(Cisco Controller) > config exclusionlist delete xx:xx:xx:xx:xx:xx
Related Commands
config local-auth active-timeout
To specify the amount of time in which the controller attempts to authenticate wireless clients using local Extensible Authentication Protocol (EAP) after any pair of configured RADIUS servers fails, use the config local-auth active-timeout command.
config local-auth active-timeout timeout
Syntax Description
Command Default
The default timeout value is 100 seconds.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to set the active timeout for authenticating wireless clients with local EAP to 500 seconds:
(Cisco Controller) > config local-auth active-timeout 500
Related Commands
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics
config local-auth eap-profile
To configure local Extensible Authentication Protocol (EAP) authentication profiles, use the config local-auth eap-profile command.
config local-auth eap-profile {[ add | delete] profile_name | cert-issuer { cisco | vendor} | method method local-cert { enable | disable} profile_name | method method client-cert { enable | disable} profile_name | method method peer-verify ca-issuer { enable | disable} | method method peer-verify cn-verify { enable | disable} | method method peer-verify date-valid { enable | disable}}
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to create a local EAP profile named FAST01:
(Cisco Controller) > config local-auth eap-profile add FAST01
The following example shows how to add the EAP-FAST method to a local EAP profile:
(Cisco Controller) > config local-auth eap-profile method add fast FAST01
The following example shows how to specify Cisco as the issuer of the certificates that will be sent to the client for an EAP-FAST profile:
(Cisco Controller) > config local-auth eap-profile method fast cert-issuer cisco
The following example shows how to specify that the incoming certificate from the client be validated against the CA certificates on the controller:
(Cisco Controller) > config local-auth eap-profile method fast peer-verify ca-issuer enable
Related Commands
config local-auth active-timeout
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics
config local-auth method fast
To configure an EAP-FAST profile, use the config local-auth method fast command.
config local-auth method fast { anon-prov [ enable | disable] | authority-id auth_id pac-ttl days | server-key key_value}
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to disable anonymous provisioning on the controller:
(Cisco Controller) > config local-auth method fast anon-prov disable
The following example shows how to configure the authority identifier 0125631177 of the local EAP-FAST server:
(Cisco Controller) > config local-auth method fast authority-id 0125631177
The following example shows how to configure the number of days to 10 for the PAC to remain viable:
(Cisco Controller) > config local-auth method fast pac-ttl 10
Related Commands
config local-auth eap-profile
config local-auth active-timeout
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics
config local-auth user-credentials
To configure the local Extensible Authentication Protocol (EAP) authentication database search order for user credentials, use the config local-auth user-credentials command.
config local-auth user-credentials { local [ ldap] | ldap [ local] }
Syntax Description
Keyword | Description |
---|---|
local | Specifies that the local database is searched for the user credentials. |
ldap | (Optional) Specifies that the Lightweight Directory Access Protocol (LDAP) database is searched for the user credentials. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
The order of the specified database parameters indicates the database search order.
Examples
The following example shows how to specify the order in which the local EAP authentication database is searched:
(Cisco Controller) > config local-auth user-credentials local ldap
In the above example, the local database is searched first and then the LDAP database.
Related Commands
config local-auth eap-profile
config local-auth method fast
config local-auth active-timeout
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics
config netuser add
To add a guest user on a WLAN or wired guest LAN to the local user database on the controller, use the config netuser add command.
config netuser add username password { wlan wlan_id | guestlan guestlan_id} userType guest lifetime lifetime description description
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
Local network usernames must be unique because they are stored in the same database.
Examples
The following example shows how to add a permanent username Jane to the wireless network for 1 hour:
(Cisco Controller) > config netuser add jane able2 1 wlan_id 1 userType permanent
The following example shows how to add a guest username George to the wireless network for 1 hour:
(Cisco Controller) > config netuser add george able1 guestlan 1 3600
Related Commands
config netuser delete
To delete an existing user from the local network, use the config netuser delete command.
config netuser delete { username username | wlan-id wlan-id}
Syntax Description
Argument | Description |
---|---|
username | Network username. The username can be up to 24 alphanumeric characters. |
wlan-id | WLAN identification number. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
Note | When a WLAN associated with network users is deleted, the system prompts to delete all network users associated with the WLAN first. After deleting the network users, you can delete the WLAN. |
Examples
The following example shows how to delete an existing username named able1 from the network:
(Cisco Controller) > config netuser delete able1
Deleted user able1
Related Commands
config netuser description
To add a description to an existing net user, use the config netuser description command.
config netuser description username description
Syntax Description
Argument | Description |
---|---|
username | Network username. The username can contain up to 24 alphanumeric characters. |
description | (Optional) User description. The description can be up to 32 alphanumeric characters enclosed in double quotes. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to add the user description “HQ1 Contact” to an existing network user named able1:
(Cisco Controller) > config netuser description able1 “HQ1 Contact”
Related Commands
config network web-auth captive-bypass
To configure the controller to support bypass of captive portals at the network level, use the config network web-auth captive-bypass command.
config network web-auth captive-bypass { enable | disable}
Syntax Description
Keyword | Description |
---|---|
enable | Allows the controller to support bypass of captive portals. |
disable | Disallows the controller to support bypass of captive portals. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the controller to support bypass of captive portals:
(Cisco Controller) > config network web-auth captive-bypass enable
Related Commands
config network web-auth cmcc-support
config network web-auth secureweb
To configure the secure web (https) authentication for clients, use the config network web-auth secureweb command.
config network web-auth secureweb { enable | disable}
Syntax Description
Keyword | Description |
---|---|
enable | Enables secure web (https) authentication for clients. |
disable | Disallows secure web (https) authentication for clients. Enables http web authentication for clients. |
Command Default
The default secure web (https) authentication for clients is enabled.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
If you configure the secure web (https) authentication for clients using the config network web-auth secureweb disable command, then you must reboot the Cisco WLC to implement the change.
Examples
The following example shows how to enable the secure web (https) authentication for clients:
(Cisco Controller) > config network web-auth secureweb enable
Related Commands
config network webmode
To enable or disable the web mode, use the config network webmode command.
config network webmode { enable | disable}
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to disable the web interface mode:
(Cisco Controller) > config network webmode disable
Related Commands
config network web-auth
To configure the network-level web authentication options, use the config network web-auth command.
config network web-auth { port port-number} | { proxy-redirect { enable | disable}}
Syntax Description
Keyword | Description |
---|---|
port | Configures additional ports for web authentication redirection. |
proxy-redirect | Configures proxy redirect support for web authentication clients. |
enable | Enables proxy redirect support for web authentication clients. |
disable | Disables proxy redirect support for web authentication clients. |
Command Default
The default network-level web authentication value is disabled.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
You must reset the system for the configuration to take effect.
Examples
The following example shows how to enable proxy redirect support for web authentication clients:
(Cisco Controller) > config network web-auth proxy-redirect enable
Related Commands
show run-config
config qos protocol-type
config radius acct
To configure settings for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct command.
config radius acct{ { add index IP addr port { ascii | hex} secret} | delete index | disable index | enable index | ipsec { authentication { hmac-md5 index | hmac-sha1 index } | disable index | enable index | encryption { 256-aes | 3des | aes | des} index | ike { auth-mode { pre-shared-key index type shared_secret_key | certificate index } | dh-group { 2048bit-group-14 | group-1 | group-2 | group-5} index | lifetime seconds index | phase1 { aggressive | main} index } } | { mac-delimiter { colon | hyphen | none | single-hyphen} } | { network index { disable | enable} } | { region { group | none | provincial} } | retransmit-timeout index seconds | realm { add | delete} index realm-string}
Syntax Description
Keyword or Argument | Description |
---|---|
IP addr | RADIUS server IP address (IPv4 or IPv6). |
port | RADIUS server’s UDP port number for the interface protocols. |
ipsec | Configures IPSec support for an accounting server. |
authentication | Configures IPSec Authentication. |
hmac-md5 | Enables IPSec HMAC-MD5 authentication. |
hmac-sha1 | Enables IPSec HMAC-SHA1 authentication. |
disable | Disables IPSec support for an accounting server. |
enable | Enables IPSec support for an accounting server. |
encryption | Configures IPSec encryption. |
256-aes | Enables IPSec AES-256 encryption. |
3des | Enables IPSec 3DES encryption. |
aes | Enables IPSec AES-128 encryption. |
des | Enables IPSec DES encryption. |
ike | Configures Internet Key Exchange (IKE). |
auth-mode | Configures IKE authentication method. |
pre-shared-key | Pre-shared key for authentication. |
certificate | Certificate used for authentication. |
dh-group | Configures IKE Diffie-Hellman group. |
2048bit-group-14 | Configures DH group 14 (2048 bits). |
group-1 | Configures DH group 1 (768 bits). |
group-2 | Configures DH group 2 (1024 bits). |
group-5 | Configures DH group 5 (1536 bits). |
lifetime seconds | Configures IKE lifetime in seconds. The range is from 1800 to 57600 seconds and the default is 28800. |
phase1 | Configures IKE phase1 mode. |
aggressive | Enables IKE aggressive mode. |
main | Enables IKE main mode. |
mac-delimiter | Configures MAC delimiter for caller station ID and calling station ID. |
colon | Sets the delimiter to colon (for example, xx:xx:xx:xx:xx:xx). |
hyphen | Sets the delimiter to hyphen (for example, xx-xx-xx-xx-xx-xx). |
none | Disables delimiters (for example, xxxxxxxxxxxx). |
single-hyphen | Sets the delimiter to single hyphen (for example, xxxxxx-xxxxxx). |
network | Configures a default RADIUS server for network users. |
group | Specifies RADIUS server type group. |
none | Specifies RADIUS server type none. |
provincial | Specifies RADIUS server type provincial. |
retransmit-timeout | Changes the default retransmit timeout for the server. |
seconds | The number of seconds between retransmissions. |
realm | Specifies radius acct realm. |
add | Adds radius acct realm. |
delete | Deletes radius acct realm. |
Command Default
When adding a RADIUS server, the port number defaults to 1813 and the state is enabled.
Usage Guidelines
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure a priority 1 RADIUS accounting server at 10.10.10.10 using port 1813 with a login password of admin:
(Cisco Controller) > config radius acct add 1 10.10.10.10 1813 ascii admin
The following example shows how to configure a priority 1 RADIUS accounting server at 2001:9:6:40::623 using port 1813 with a login password of admin:
(Cisco Controller) > config radius acct add 1 2001:9:6:40::623 1813 ascii admin
config radius acct mac-delimiter
To specify the delimiter to be used in the MAC addresses that are sent to the RADIUS accounting server, use the config radius acct mac-delimiter command.
config radius acct mac-delimiter { colon | hyphen | single-hyphen | none}
Syntax Description
Keyword | Description |
---|---|
colon | Sets the delimiter to a colon (for example, xx:xx:xx:xx:xx:xx). |
hyphen | Sets the delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx). |
single-hyphen | Sets the delimiter to a single hyphen (for example, xxxxxx-xxxxxx). |
none | Disables delimiters (for example, xxxxxxxxxxxx). |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to set the delimiter hyphen to be used in the MAC addresses that are sent to the RADIUS accounting server for the network users:
(Cisco Controller) > config radius acct mac-delimiter hyphen
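Because each controller can send MAC addresses in any of the four delimiter styles above (and, per config radius callStationIdCase, in either case), RADIUS accounting and authentication records from different controllers do not match byte-for-byte. As an added example that is not part of the Cisco reference, the following Python helpers normalize a Calling-Station-Id in any of the four styles to one canonical form, re-emit it in a chosen style, and split the "AP MAC address:SSID" form used by the ap-macaddr-ssid and ap-ethmac-ssid Called Station ID types; the sample values are constructed.

```python
import re

# Delimiter styles accepted by `config radius acct mac-delimiter` and
# `config radius auth mac-delimiter`. Input is lowercased before matching so
# either callStationIdCase setting is handled.
DELIMITER_PATTERNS = {
    "colon": re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"),    # xx:xx:xx:xx:xx:xx
    "hyphen": re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"),   # xx-xx-xx-xx-xx-xx
    "single-hyphen": re.compile(r"^[0-9a-f]{6}-[0-9a-f]{6}$"),    # xxxxxx-xxxxxx
    "none": re.compile(r"^[0-9a-f]{12}$"),                        # xxxxxxxxxxxx
}


def detect_delimiter(station_id):
    """Return the delimiter style name of a MAC string, or None if it is not a MAC."""
    s = station_id.lower()
    for style, pattern in DELIMITER_PATTERNS.items():
        if pattern.match(s):
            return style
    return None


def normalize_mac(station_id):
    """Return (canonical 12 lowercase hex digits, detected style); raise ValueError otherwise."""
    style = detect_delimiter(station_id)
    if style is None:
        raise ValueError(f"not a MAC in any controller delimiter format: {station_id!r}")
    return re.sub(r"[:-]", "", station_id.lower()), style


def format_mac(canonical, style):
    """Render a canonical MAC in one of the controller's delimiter styles."""
    if not DELIMITER_PATTERNS["none"].match(canonical):
        raise ValueError("canonical MAC must be 12 lowercase hex digits")
    pairs = [canonical[i:i + 2] for i in range(0, 12, 2)]
    if style == "colon":
        return ":".join(pairs)
    if style == "hyphen":
        return "-".join(pairs)
    if style == "single-hyphen":
        return canonical[:6] + "-" + canonical[6:]
    if style == "none":
        return canonical
    raise ValueError(f"unknown delimiter style {style!r}")


def split_called_station_id(value):
    """Split an 'AP MAC address:SSID' Called-Station-Id into (canonical MAC, SSID).

    The MAC prefix has a fixed length per delimiter style (17, 13 or 12 characters),
    so the SSID that follows the separating ':' may itself contain ':' without ambiguity.
    """
    for length in (17, 13, 12):
        head, sep, ssid = value[:length], value[length:length + 1], value[length + 1:]
        if sep == ":" and detect_delimiter(head) is not None:
            return normalize_mac(head)[0], ssid
    raise ValueError(f"no '<AP MAC>:<SSID>' structure found in {value!r}")


if __name__ == "__main__":
    # Constructed sample values in the four styles, as they might appear in
    # accounting records from controllers with different mac-delimiter settings.
    for sample in ("00:0b:85:02:0d:20", "00-0B-85-02-0D-20", "000b85-020d20", "000B85020D20"):
        print(sample, "->", normalize_mac(sample))
    print(split_called_station_id("00:0b:85:02:0d:20:Guest:Net"))
```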
Related Commands
config radius acct network
To configure a default RADIUS server for network users, use the config radius acct network command.
config radius acct network index { enable | disable}
Syntax Description
Keyword | Description |
---|---|
enable | Enables the server as a network user’s default RADIUS server. |
disable | Disables the server as a network user’s default RADIUS server. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure a default RADIUS accounting server for the network users with RADIUS server index1:
(Cisco Controller) > config radius acct network 1 enable
Related Commands
config radius acct realm
To configure realm on RADIUS accounting server, use the config radius acct realm command.
config radius acct realm{ add | delete} radius_index realm_string
Syntax Description
Keyword or Argument | Description |
---|---|
add | Add realm to RADIUS accounting server. |
delete | Delete realm from RADIUS accounting server. |
realm_string | Unique string associated to RADIUS accounting realm. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to add a realm to the RADIUS accounting server:
(Cisco Controller) > config radius acct realm add 3 test
config radius acct retransmit-timeout
To change the default transmission timeout for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct retransmit-timeout command.
config radius acct retransmit-timeout index timeout
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure a retransmission timeout of 5 seconds between retransmissions:
(Cisco Controller) > config radius acct retransmit-timeout 5
Related Commands
config radius auth
To configure settings for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth command.
config radius auth { add index IP addr port { ascii | hex} secret} | delete index | disable index | enable index | framed-mtu mtu | { ipsec { authentication { hmac-md5 index | hmac-sha1 index } | disable index | enable index | encryption { 256-aes | 3des | aes | des} index | ike { auth-mode { pre-shared-key index ascii/hex shared_secret | certificate index } | dh-group { 2048bit-group-14 | group-1 | group-2 | group-5} index | lifetime seconds index | phase1 { aggressive | main} index } } | { { keywrap { add ascii/hex kek mack index } | delete index | disable | enable} } | { mac-delimiter { colon | hyphen | none | single-hyphen} } | { { management index { enable | disable} } | { mgmt-retransmit-timeout index Retransmit Timeout } | { network index { enable | disable} } | { realm { add | delete} radius-index realm-string} } | { region { group | none | provincial} } | { retransmit-timeout index Retransmit Timeout} | { rfc3576 { enable | disable} index }
Syntax Description
Keyword or Argument | Description |
---|---|
index | RADIUS server index. The controller begins the search with 1. The server index range is from 1 to 17. |
add | Adds a RADIUS authentication server. See the “Command Default” section. |
port | RADIUS server’s UDP port number for the interface protocols. |
callStationIdType | Configures Called Station Id information sent in RADIUS authentication messages. |
framed-mtu | Configures the Framed-MTU for all the RADIUS servers. The framed-mtu range is from 64 to 1300 bytes. |
ipsec | Enables or disables IPSEC support for an authentication server. |
keywrap | Configures RADIUS keywrap. |
ascii/hex | Specifies the input format of the keywrap keys. |
kek | Enters the 16-byte key-encryption-key. |
mack | Enters the 20-byte message-authenticator-code-key. |
mac-delimiter | Configures MAC delimiter for caller station ID and calling station ID. |
management | Configures a RADIUS Server for management users. |
mgmt-retransmit-timeout | Changes the default management login retransmission timeout for the server. |
network | Configures a default RADIUS server for network users. |
realm | Configures radius auth realm. |
region | Configures RADIUS region property. |
retransmit-timeout | Changes the default network login retransmission timeout for the server. |
rfc3576 | Enables or disables RFC-3576 support for an authentication server. |
Command Default
When adding a RADIUS server, the port number defaults to 1812 and the state is enabled.
Usage Guidelines
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure a priority 3 RADIUS authentication server at 10.10.10.10 using port 1812 with a login password of admin:
(Cisco Controller) > config radius auth add 3 10.10.10.10 1812 ascii admin
The following example shows how to configure a priority 3 RADIUS authentication server at 2001:9:6:40::623 using port 1812 with a login password of admin:
(Cisco Controller) > config radius auth add 3 2001:9:6:40::623 1812 ascii admin
config radius auth callStationIdType
To configure the RADIUS authentication server, use the config radius auth callStationIdType command.
config radius auth callStationIdType { ap-ethmac-only | ap-ethmac-ssid | ap-group-name | ap-label-address | ap-label-address-ssid| ap-location | ap-macaddr-only | ap-macaddr-ssid | ap-name | ap-name-ssid | flex-group-name | ipaddr | macaddr| vlan-id}
Syntax Description
ipaddr | Configures the Call Station ID type to use the IP address (only Layer 3). |
macaddr | Configures the Call Station ID type to use the system’s MAC address (Layers 2 and 3). |
ap-macaddr-only | Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3). |
ap-macaddr-ssid | Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3) in the format AP MAC address:SSID. |
ap-ethmac-only | Configures the Called Station ID type to use the access point’s Ethernet MAC address. |
ap-ethmac-ssid | Configures the Called Station ID type to use the access point’s Ethernet MAC address in the format AP Ethernet MAC address:SSID. |
ap-group-name | Configures the Call Station ID type to use the AP group name. If the AP is not part of any AP group, default-group is taken as the AP group name. |
flex-group-name | Configures the Call Station ID type to use the FlexConnect group name. If the FlexConnect AP is not part of any FlexConnect group, the system MAC address is taken as the Call Station ID. |
ap-name | Configures the Call Station ID type to use the access point’s name. |
ap-name-ssid | Configures the Call Station ID type to use the access point’s name in the format AP name:SSID. |
ap-location | Configures the Call Station ID type to use the access point’s location. |
vlan-id | Configures the Call Station ID type to use the system’s VLAN-ID. |
ap-label-address | Configures the Call Station ID type to the AP MAC address that is printed on the AP label, for the accounting messages. |
ap-label-address-ssid | Configures the Call Station ID type to the AP MAC address:SSID format. |
Command Default
The MAC address of the system.
Usage Guidelines
The controller sends the Called Station ID attribute to the RADIUS server in all authentication and accounting packets. The Called Station ID attribute can be used to classify users to different groups based on the attribute value. The command is applicable only for the Called Station and not for the Calling Station.
You cannot send only the SSID as the Called-Station-ID, you can only combine the SSID with either the access point MAC address or the access point name.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the call station ID type to use the IP address:
(Cisco Controller) > config radius auth callStationIdType ipAddr
The following example shows how to configure the call station ID type to use the system’s MAC address:
(Cisco Controller) > config radius auth callStationIdType macAddr
The following example shows how to configure the call station ID type to use the access point’s MAC address:
(Cisco Controller) > config radius auth callStationIdType ap-macAddr
config radius auth keywrap
To enable and configure Advanced Encryption Standard (AES) key wrap, which makes the shared secret between the controller and the RADIUS server more secure, use the config radius auth keywrap command.
config radius auth keywrap { enable | disable | add { ascii | hex} kek mack | delete} index
Syntax Description
delete | Deletes AES key wrap attributes. |
index | Index of the RADIUS authentication server on which to configure the AES key wrap. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable the AES key wrap for a RADIUS authentication server:
(Cisco Controller) > config radius auth keywrap enable
Related Commands
config radius auth mac-delimiter
To specify a delimiter to be used in the MAC addresses that are sent to the RADIUS authentication server, use the config radius auth mac-delimiter command.
config radius auth mac-delimiter { colon | hyphen | single-hyphen | none}
Syntax Description
colon | Sets a delimiter to a colon (for example, xx:xx:xx:xx:xx:xx). |
hyphen | Sets a delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx). |
single-hyphen | Sets a delimiter to a single hyphen (for example, xxxxxx-xxxxxx). |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to specify a delimiter hyphen to be used for a RADIUS authentication server:
(Cisco Controller) > config radius auth mac-delimiter hyphen
Related Commands
config radius auth management
To configure a default RADIUS server for management users, use the config radius auth management command.
config radius auth management index { enable | disable}
Syntax Description
enable | Enables the server as a management user’s default RADIUS server. |
disable | Disables the server as a management user’s default RADIUS server. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure a RADIUS server for management users:
(Cisco Controller) > config radius auth management 1 enable
Related Commands
config radius auth mgmt-retransmit-timeout
To configure a default RADIUS server retransmission timeout for management users, use the config radius auth mgmt-retransmit-timeout command.
config radius auth mgmt-retransmit-timeout index retransmit-timeout
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure a default RADIUS server retransmission timeout for management users:
(Cisco Controller) > config radius auth mgmt-retransmit-timeout 1 10
Related Commands
config radius auth network
To configure a default RADIUS server for network users, use the config radius auth network command.
config radius auth network index { enable | disable}
Syntax Description
disable | Disables the server as a network user default RADIUS server. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure a default RADIUS server for network users:
(Cisco Controller) > config radius auth network 1 enable
Related Commands
config radius auth realm
To configure a realm on a RADIUS authentication server, use the config radius auth realm command.
config radius auth realm { add | delete} radius_index realm_string
Syntax Description
add | Adds a realm to the RADIUS authentication server. |
delete | Deletes a realm from the RADIUS authentication server. |
realm_string | Unique string associated with the RADIUS authentication realm. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to add a realm to the RADIUS authentication server:
(Cisco Controller) > config radius auth realm add 3 test
config radius auth retransmit-timeout
To change a default transmission timeout for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth retransmit-timeout command.
config radius auth retransmit-timeout index timeout
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure a retransmission timeout of 5 seconds for a RADIUS authentication server:
(Cisco Controller) > config radius auth retransmit-timeout 5
Related Commands
config radius auth rfc3576
To configure RADIUS RFC-3576 support for the authentication server for the Cisco WLC, use the config radius auth rfc3576 command.
config radius auth rfc3576 { enable | disable} index
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
RFC 3576, which is an extension to the RADIUS protocol, allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session. Disconnect messages cause a user session to be terminated immediately; CoA messages modify session authorization attributes such as data filters.
Examples
The following example shows how to enable the RADIUS RFC-3576 support for a RADIUS authentication server:
(Cisco Controller) > config radius auth rfc3576 enable 2
Related Commands
config radius auth retransmit-timeout
To configure a retransmission timeout value for a RADIUS authentication server, use the config radius auth retransmit-timeout command.
config radius auth retransmit-timeout index timeout
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure a retransmission timeout of 10 seconds for RADIUS authentication server index 2 (the index argument precedes the timeout):
(Cisco Controller) > config radius auth retransmit-timeout 2 10
Related Commands
config radius aggressive-failover disabled
To configure the controller to mark a RADIUS server as down (not responding) after the server does not reply to three consecutive clients, use the config radius aggressive-failover disabled command.
config radius aggressive-failover disabled
Syntax Description
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the controller to mark a RADIUS server as down:
(Cisco Controller) > config radius aggressive-failover disabled
Related Commands
config radius backward compatibility
To configure RADIUS backward compatibility for the Cisco wireless LAN controller, use the config radius backward compatibility command.
config radius backward compatibility { enable | disable}
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to disable the RADIUS backward compatibility setting:
(Cisco Controller) > config radius backward compatibility disable
Related Commands
config radius callStationIdCase
To configure callStationIdCase information sent in RADIUS messages for the Cisco WLC, use the config radius callStationIdCase command.
config radius callStationIdCase { legacy | lower | upper}
Syntax Description
upper | Configures Call Station IDs for Layer 2 authentication to RADIUS in uppercase. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to send the call station ID in lowercase:
(Cisco Controller) > config radius callStationIdCase lower
Related Commands
config radius callStationIdType
To configure the Called Station ID type information sent in RADIUS accounting messages for the Cisco wireless LAN controller, use the config radius callStationIdType command.
config radius callStationIdType { ap-ethmac-only | ap-ethmac-ssid | ap-group-name | ap-label-address | ap-label-address-ssid| ap-location | ap-macaddr-only | ap-macaddr-ssid | ap-name | ap-name-ssid | flex-group-name | ipaddr | macaddr| vlan-id}
Syntax Description
ipaddr | Configures the Call Station ID type to use the IP address (only Layer 3). |
macaddr | Configures the Call Station ID type to use the system’s MAC address (Layers 2 and 3). |
ap-macaddr-only | Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3). |
ap-macaddr-ssid | Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3) in the format AP MAC address:SSID. |
ap-ethmac-only | Configures the Called Station ID type to use the access point’s Ethernet MAC address. |
ap-ethmac-ssid | Configures the Called Station ID type to use the access point’s Ethernet MAC address in the format AP Ethernet MAC address:SSID. |
ap-group-name | Configures the Call Station ID type to use the AP group name. If the AP is not part of any AP group, default-group is taken as the AP group name. |
flex-group-name | Configures the Call Station ID type to use the FlexConnect group name. If the FlexConnect AP is not part of any FlexConnect group, the system MAC address is taken as the Call Station ID. |
ap-name | Configures the Call Station ID type to use the access point’s name. |
ap-name-ssid | Configures the Call Station ID type to use the access point’s name in the format AP name:SSID. |
ap-location | Configures the Call Station ID type to use the access point’s location. |
ap-mac-ssid-ap-group | Sets the Called Station ID type to the format <AP MAC address>:<SSID>:<AP Group>. |
vlan-id | Configures the Call Station ID type to use the system’s VLAN-ID. |
ap-label-address | Configures the Call Station ID type to the AP MAC address that is printed on the AP label, for the accounting messages. |
ap-label-address-ssid | Configures the Call Station ID type to the AP MAC address:SSID format. |
Command Default
The IP address of the system.
Usage Guidelines
The controller sends the Called Station ID attribute to the RADIUS server in all authentication and accounting packets. The Called Station ID attribute can be used to classify users to different groups based on the attribute value. The command is applicable only for the Called Station and not for the Calling Station.
You cannot send only the SSID as the Called-Station-ID, you can only combine the SSID with either the access point MAC address or the access point name.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the call station ID type to use the IP address:
(Cisco Controller) > config radius callStationIdType ipaddr
The following example shows how to configure the call station ID type to use the system’s MAC address:
(Cisco Controller) > config radius callStationIdType macaddr
The following example shows how to configure the call station ID type to use the access point’s MAC address:
(Cisco Controller) > config radius callStationIdType ap-macaddr-only
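How the callStationIdType keywords combine with the mac-delimiter and callStationIdCase settings into the Called-Station-Id the controller sends, and how a RADIUS server policy can split that value back into AP identifier and SSID, as an added example (Python, not Cisco's code). The AP, WLAN and controller values are constructed; treating callStationIdCase as applying only to the MAC portion, and legacy as leaving the MAC as entered, are assumptions.

```python
"""Called-Station-Id formatting and parsing for the WLC settings above.

Added example, not Cisco code. Models the interaction of
config radius callStationIdType, config radius auth mac-delimiter and
config radius callStationIdCase, plus the server-side inverse.
Assumptions: callStationIdCase affects only the MAC portion; 'legacy'
leaves the MAC as entered. All AP and controller values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ApContext:
    """Constructed per-AP and per-controller values substituted into the ID."""
    ap_mac: str             # the access point's MAC address
    eth_mac: str            # the access point's Ethernet MAC address
    name: str
    location: str
    ap_group: Optional[str]
    flex_group: Optional[str]
    ssid: str
    system_ip: str          # controller IP address
    system_mac: str         # controller (system) MAC address
    vlan_id: int


def format_mac(mac: str, delimiter: str = "colon", case: str = "legacy") -> str:
    """Render a MAC per config radius auth mac-delimiter and callStationIdCase."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if delimiter == "colon":
        out = ":".join(pairs)                 # xx:xx:xx:xx:xx:xx
    elif delimiter == "hyphen":
        out = "-".join(pairs)                 # xx-xx-xx-xx-xx-xx
    elif delimiter == "single-hyphen":
        out = digits[:6] + "-" + digits[6:]   # xxxxxx-xxxxxx
    elif delimiter == "none":
        out = digits                          # xxxxxxxxxxxx
    else:
        raise ValueError(f"unknown mac-delimiter: {delimiter!r}")
    if case == "lower":
        return out.lower()
    if case == "upper":
        return out.upper()
    return out  # legacy (assumed): as entered


def called_station_id(kind: str, ap: ApContext,
                      delimiter: str = "colon", case: str = "legacy") -> str:
    """Build the Called-Station-Id for one callStationIdType keyword.

    No bare-SSID form exists: the page states the SSID can only be combined
    with an AP MAC address or AP name, never sent on its own.
    """
    def mac(m: str) -> str:
        return format_mac(m, delimiter, case)

    table = {
        "ipaddr": ap.system_ip,
        "macaddr": mac(ap.system_mac),
        "ap-macaddr-only": mac(ap.ap_mac),
        "ap-macaddr-ssid": f"{mac(ap.ap_mac)}:{ap.ssid}",
        "ap-ethmac-only": mac(ap.eth_mac),
        "ap-ethmac-ssid": f"{mac(ap.eth_mac)}:{ap.ssid}",
        "ap-group-name": ap.ap_group or "default-group",         # documented fallback
        "flex-group-name": ap.flex_group or mac(ap.system_mac),  # documented fallback
        "ap-name": ap.name,
        "ap-name-ssid": f"{ap.name}:{ap.ssid}",
        "ap-location": ap.location,
        "vlan-id": str(ap.vlan_id),
    }
    if kind not in table:
        raise ValueError(f"unsupported callStationIdType: {kind!r}")
    return table[kind]


# A MAC in any of the four delimiter styles, optionally followed by ':SSID'.
_MAC_THEN_SSID = re.compile(
    r"^((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
    r"|[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}"
    r"|[0-9A-Fa-f]{12})(?::(.*))?$"
)


def split_called_station_id(value: str) -> Tuple[str, Optional[str]]:
    """Server-side inverse: (identifier, ssid-or-None).

    Splitting on the first ':' would cut a colon-delimited MAC in pieces, so
    the MAC forms are matched first and only the remainder is the SSID, which
    may itself contain ':'. Other identifiers (AP name, IP, group name) are
    split at the first ':', assuming those names contain no colon.
    """
    m = _MAC_THEN_SSID.match(value)
    if m:
        return m.group(1), m.group(2)
    ident, sep, ssid = value.partition(":")
    return ident, (ssid if sep else None)
```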
config radius dns
To retrieve the RADIUS IP information from a DNS server, use the config radius dns command.
config radius dns { global port { ascii | hex} secret | query url timeout | serverip ip_address | disable | enable}
Syntax Description
global | Configures the global port and secret to retrieve the RADIUS IP information from a DNS server. |
port | Port number for authentication. The range is from 1 to 65535. All the DNS servers should use the same authentication port. |
ascii | Format of the shared secret that you should set to ASCII. |
hex | Format of the shared secret that you should set to hexadecimal. |
secret | RADIUS server login secret. |
query | Configures the fully qualified domain name (FQDN) of the RADIUS server and DNS timeout. |
url | FQDN of the RADIUS server. The FQDN can be up to 63 case-sensitive, alphanumeric characters. |
timeout | Maximum time that the Cisco WLC waits for, in days, before timing out the request and resending it. The range is from 1 to 180. |
serverip | Configures the DNS server IP address. |
ip_address | DNS server IP address. |
disable | Disables the RADIUS DNS feature. By default, this feature is disabled. |
enable | Enables the Cisco WLC to retrieve the RADIUS IP information from a DNS server. When you enable a DNS query, the static configurations are overridden, that is, the DNS list overrides the static AAA list. |
Command Default
You cannot configure the global port and secret to retrieve the RADIUS IP information.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
The accounting port is derived from the authentication port. All the DNS servers should use the same secret.
Examples
The following example shows how to enable the RADIUS DNS feature on the Cisco WLC:
(Cisco Controller) > config radius dns enable
config radius fallback-test
To configure the RADIUS server fallback behavior, use the config radius fallback-test command.
config radius fallback-test { mode { off | passive | active} | username username | interval interval}
Syntax Description
passive | Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent. |
active | Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller ignores all inactive servers for all active RADIUS requests. |
username | Username. The username can be up to 16 alphanumeric characters. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to disable the RADIUS server fallback behavior:
(Cisco Controller) > config radius fallback-test mode off
The following example shows how to configure the controller to revert to a preferable server from the available backup servers without using the extraneous probe messages:
(Cisco Controller) > config radius fallback-test mode passive
The following example shows how to configure the controller to revert to a preferable server from the available backup servers by using RADIUS probe messages:
(Cisco Controller) > config radius fallback-test mode active
Related Commands
config advanced probe limit
show advanced probe
show radius acct statistics
config rogue adhoc
To globally or individually configure the status of an Independent Basic Service Set (IBSS or ad-hoc) rogue access point, use the config rogue adhoc command.
config rogue adhoc { enable | disable | external rogue_MAC | alert { rogue_MAC | all} | auto-contain [ monitor_ap] | contain rogue_MAC 1234_aps}
config rogue adhoc { delete { all | mac-address mac-address} | classify { friendly state { external | internal} mac-address | malicious state { alert | contain} mac-address | unclassified state { alert | contain } mac-address} }
Syntax Description
external | Configures external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point. |
alert | Generates an SNMP trap upon detection of the ad-hoc rogue, and generates an immediate alert to the system administrator for further action. |
auto-contain | Contains all wired ad-hoc rogues detected by the controller. |
contain | Contains the offending device so that its signals no longer interfere with authorized clients. |
1234_aps | Maximum number of Cisco access points assigned to actively contain the ad-hoc rogue access point (1 through 4, inclusive). |
delete | Deletes ad-hoc rogue access points. |
all | Deletes all ad-hoc rogue access points. |
mac-address | Deletes the ad-hoc rogue access point with the specified MAC address. |
mac-address | MAC address of the ad-hoc rogue access point. |
classify | Configures ad-hoc rogue access point classification. |
friendly state | Classifies ad-hoc rogue access points as friendly. |
internal | Configures internal state on a rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point. |
malicious state | Classifies ad-hoc rogue access points as malicious. |
alert | Configures alert state on the rogue access point that is not in the neighbor list or in the user-configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action. |
contain | Configures contain state on the rogue access point. The controller contains the offending device so that its signals no longer interfere with authorized clients. |
unclassified state | Classifies ad-hoc rogue access points as unclassified. |
Command Default
The default for this command is enabled and is set to alert. The default for auto-containment is disabled.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses RLDP to determine if the rogue is attached to your wired network.
Note: RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS).
When you enter any of the containment commands, the following warning appears:
Using this feature may have legal consequences. Do you want to continue? (y/n) :
The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Enter the auto-contain command with the monitor_ap argument to monitor the rogue access point without containing it. Enter the auto-contain command without the optional monitor_ap to automatically contain all wired ad-hoc rogues detected by the controller.
Examples
The following example shows how to enable the detection and reporting of ad-hoc rogues:
(Cisco Controller) > config rogue adhoc enable
The following example shows how to enable alerts for all ad-hoc rogue access points:
(Cisco Controller) > config rogue adhoc alert all
The following example shows how to classify an ad-hoc rogue access point as friendly and configure internal state on it:
(Cisco Controller) > config rogue adhoc classify friendly state internal 11:11:11:11:11:11
Related Commands
config rogue auto-contain level
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap classify
To classify the status of a rogue access point, use the config rogue ap classify command.
config rogue ap classify { friendly state { internal | external} ap_mac }
config rogue ap classify { malicious | unclassified} state { alert | contain} ap_mac
Syntax Description
external | Configures the controller to acknowledge the presence of this access point. |
alert | Configures the controller to forward an immediate alert to the system administrator for further action. |
contain | Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients. |
Command Default
These commands are disabled by default. Therefore, all unknown access points are categorized as unclassified by default.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
A rogue access point cannot be moved to the unclassified class if its current state is contain.
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
The following example shows how to classify a rogue access point as friendly with internal state, so that it is trusted:
(Cisco Controller) > config rogue ap classify friendly state internal 11:11:11:11:11:11
The following example shows how to classify a rogue access point as malicious and to send an alert:
(Cisco Controller) > config rogue ap classify malicious state alert 11:11:11:11:11:11
The following example shows how to classify a rogue access point as unclassified and to contain it:
(Cisco Controller) > config rogue ap classify unclassified state contain 11:11:11:11:11:11
Related Commands
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap friendly
To add a new friendly access point entry to the friendly MAC address list, or delete an existing friendly access point entry from the list, use the config rogue ap friendly command.
config rogue ap friendly { add | delete} ap_mac
Syntax Description
add | Adds this rogue access point to the friendly MAC address list. |
delete | Deletes this rogue access point from the friendly MAC address list. |
ap_mac | MAC address of the rogue access point that you want to add or delete. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to add a new friendly access point with MAC address 11:11:11:11:11:11 to the friendly MAC address list.
(Cisco Controller) > config rogue ap friendly add 11:11:11:11:11:11
Related Commands
config rogue ap classify
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap rldp
To enable, disable, or initiate the Rogue Location Discovery Protocol (RLDP), use the config rogue ap rldp command.
config rogue ap rldp enable { alarm-only | auto-contain} [ monitor_ap_only]
config rogue ap rldp initiate rogue_mac_address
config rogue ap rldp disable
Syntax Description
alarm-only | When entered without the optional argument monitor_ap_only, enables RLDP on all access points. |
auto-contain | When entered without the optional argument monitor_ap_only, automatically contains all rogue access points. |
monitor_ap_only | (Optional) Restricts RLDP (with the alarm-only keyword) or automatic containment (with the auto-contain keyword) to the designated monitor access point. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
The following example shows how to enable RLDP on all access points:
(Cisco Controller) > config rogue ap rldp enable alarm-only
The following example shows how to enable RLDP on monitor-mode access point ap_1:
(Cisco Controller) > config rogue ap rldp enable alarm-only ap_1
The following example shows how to start RLDP on the rogue access point with MAC address 123.456.789.000:
(Cisco Controller) > config rogue ap rldp initiate 123.456.789.000
The following example shows how to disable RLDP on all access points:
(Cisco Controller) > config rogue ap rldp disable
Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap ssid
To generate an alarm only, or to automatically contain a rogue access point that is advertising your network’s service set identifier (SSID), use the config rogue ap ssid command.
config rogue ap ssid { alarm | auto-contain}
Syntax Description
alarm | Generates only an alarm when a rogue access point is discovered to be advertising your network’s SSID. |
auto-contain | Automatically contains the rogue access point that is advertising your network’s SSID. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
The following example shows how to automatically contain a rogue access point that is advertising your network’s SSID:
(Cisco Controller) > config rogue ap ssid auto-contain
Related Commands
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap timeout
To specify the number of seconds after which the rogue access point and client entries expire and are removed from the list, use the config rogue ap timeout command.
config rogue ap timeout seconds
Syntax Description
seconds | Value of 240 to 3600 seconds (inclusive), with a default value of 1200 seconds. |
Command Default
The default number of seconds after which the rogue access point and client entries expire is 1200 seconds.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to set an expiration time for entries in the rogue access point and client list to 2400 seconds:
(Cisco Controller) > config rogue ap timeout 2400
Related Commands
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue ap valid-client
To generate an alarm only, or to automatically contain a rogue access point to which a trusted client is associated, use the config rogue ap valid-client command.
config rogue ap valid-client { alarm | auto-contain}
Syntax Description
alarm | Generates only an alarm when a rogue access point is discovered to be associated with a valid client. |
auto-contain | Automatically contains a rogue access point to which a trusted client is associated. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Examples
The following example shows how to automatically contain a rogue access point that is associated with a valid client:
(Cisco Controller) > config rogue ap valid-client auto-contain
Related Commands
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap ssid
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue client
To configure rogue clients, use the config rogue client command.
config rogue client { aaa { enable | disable} | alert ap_mac | contain client_mac | delete { state { alert | any | contained | contained-pending} | all | mac-address client_mac} | mse { enable | disable} }
Syntax Description
aaa |
Configures the AAA server or local database to validate whether rogue clients are valid clients. The default is disabled. |
enable |
Enables the AAA server or local database to check rogue client MAC addresses for validity. |
disable |
Disables the AAA server or local database from checking rogue client MAC addresses for validity. |
alert ap_mac |
Configures the controller to forward an immediate alert to the system administrator for further action. |
contain client_mac |
Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients. |
delete |
Deletes the rogue client. |
state |
Deletes the rogue clients according to their state. |
alert |
Deletes the rogue clients in alert state. |
any |
Deletes the rogue clients in any state. |
contained |
Deletes all rogue clients that are in contained state. |
contained-pending |
Deletes all rogue clients that are in contained pending state. |
all |
Deletes all rogue clients. |
mac-address |
Deletes a rogue client with the configured MAC address. |
mse |
Validates if the rogue clients are valid clients using MSE. The default is disabled. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
You cannot validate rogue clients against MSE and AAA at the same time.
Examples
The following example shows how to enable the AAA server or local database to check MAC addresses:
(Cisco Controller) > config rogue client aaa enable
The following example shows how to disable the AAA server or local database from checking MAC addresses:
(Cisco Controller) > config rogue client aaa disable
Related Commands
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue detection
To enable or disable rogue detection, use the config rogue detection command.
Note | If an access point is itself named all, the all keyword is interpreted as all access points, not as that AP's name. |
config rogue detection { enable | disable} { cisco_ap | all}
Syntax Description
Command Default
The default rogue detection value is enabled.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
Rogue detection is enabled by default for all access points joined to the controller except for OfficeExtend access points. OfficeExtend access points are deployed in a home environment and are likely to detect a large number of rogue devices.
Examples
The following example shows how to enable rogue detection on the access point Cisco_AP:
(Cisco Controller) > config rogue detection enable Cisco_AP
Related Commands
config rogue rule
config trapflags rogueap
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue detection client-threshold
To configure the rogue client threshold for access points, use the config rogue detection client-threshold command.
config rogue detection client-threshold value
Syntax Description
value |
Threshold rogue client count on an access point after which a trap is sent from the Cisco Wireless LAN Controller (WLC). The range is from 1 to 256. Enter 0 to disable the feature. |
Command Default
The default rogue client threshold is 0.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the rogue client threshold:
(Cisco Controller) >config rogue detection client-threshold 200
config rogue detection min-rssi
To configure the minimum Received Signal Strength Indicator (RSSI) value at which APs can detect rogues and create a rogue entry in the controller, use the config rogue detection min-rssi command.
config rogue detection min-rssi rssi-in-dBm
Syntax Description
rssi-in-dBm |
Minimum RSSI value. The valid range is from –70 dBm to –128 dBm, and the default value is –128 dBm. |
Command Default
The default RSSI value to detect rogues in APs is -128 dBm.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
This feature is applicable to all the AP modes.
There can be many rogues with very weak RSSI values that do not provide any valuable information in rogue analysis. Therefore, you can use this option to filter rogues by specifying the minimum RSSI value at which APs should detect rogues.
Examples
The following example shows how to configure the minimum RSSI value:
(Cisco Controller) > config rogue detection min-rssi -80
Related Commands
config rogue detection
show rogue ap clients
config rogue rule
config trapflags rogueap
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue detection monitor-ap
To configure the rogue report interval for all monitor mode Cisco APs, use the config rogue detection monitor-ap command.
config rogue detection monitor-ap { report-interval | transient-rogue-interval} time-in-seconds
Syntax Description
transient-rogue-interval time-in-seconds |
Specifies the interval at which rogues are consistently scanned for by APs after the first time the rogues are scanned. |
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
This feature is applicable to APs that are in monitor mode only.
Using the transient interval values, you can control the time interval at which APs should scan for rogues. APs can also filter the rogues based on their transient interval values.
Examples
The following example shows how to configure the rogue report interval to 60 seconds:
(Cisco Controller) > config rogue detection monitor-ap report-interval 60
The following example shows how to configure the transient rogue interval to 300 seconds:
(Cisco Controller) > config rogue detection monitor-ap transient-rogue-interval 300
Related Commands
config rogue detection
config rogue detection min-rssi
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
config rogue detection report-interval
To configure the rogue detection report interval, use the config rogue detection report-interval command.
config rogue detection report-interval time
Syntax Description
time |
Time interval, in seconds, at which the access points send the rogue detection report to the controller. The range is from 10 to 300. |
Command Default
The default rogue detection report interval is 10 seconds.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
This feature is applicable only to the access points that are in the monitor mode.
Examples
The following example shows how to configure the rogue detection report interval:
(Cisco Controller) >config rogue detection report-interval 60
config rogue detection security-level
To configure the rogue detection security level, use the config rogue detection security-level command.
config rogue detection security-level { critical | custom | high | low}
Syntax Description
critical |
Configures the rogue detection security level to critical. |
custom |
Configures the rogue detection security level to custom, and allows you to configure the rogue policy parameters. |
high |
Configures the rogue detection security level to high. This security level configures basic rogue detection and auto containment for medium-scale or less critical deployments. The Rogue Location Discovery Protocol (RLDP) is disabled for this security level. |
low |
Configures the rogue detection security level to low. This security level configures basic rogue detection for small-scale deployments. Auto containment is not supported for this security level. |
Command Default
The default rogue detection security level is custom.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the rogue detection security level to high:
(Cisco Controller) > config rogue detection security-level high
config rogue detection transient-rogue-interval
To configure the rogue-detection transient interval, use the config rogue detection transient-rogue-interval command.
config rogue detection transient-rogue-interval time
Syntax Description
time |
Time interval, in seconds, at which a rogue should be consistently scanned by the access point after the rogue is scanned for the first time. The range is from 120 to 1800. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
This feature applies only to the access points that are in the monitor mode.
After the rogue is scanned consistently, updates are sent periodically to the Cisco Wireless LAN Controller (WLC). The access points filter the active transient rogues for a very short period and are then silent.
Examples
The following example shows how to configure the rogue detection transient interval:
(Cisco Controller) > config rogue detection transient-rogue-interval 200
config rogue rule
To add and configure rogue classification rules, use the config rogue rule command.
config rogue rule { add ap priority priority classify { custom severity-score classification-name | friendly | malicious} notify { all | global | none | local} state { alert | contain | delete | internal | external} rule_name | classify { custom severity-score classification-name | friendly | malicious} rule_name | condition ap { set | delete} condition_type condition_value rule_name | { enable | delete | disable} { all | rule_name} | match { all | any} | priority priority| notify { all | global | none | local} rule_name | state { alert | contain | internal | external} rule_name}
Syntax Description
add ap priority priority |
Adds a rule with match any criteria and the priority that you specify. |
custom |
Classifies devices matching the rule as custom. |
severity-score |
Custom classification severity score of the rule. The range is from 1 to 100. |
classification-name |
Custom classification name. The name can be up to 32 case-sensitive, alphanumeric characters. |
notify |
Configures type of notification upon rule match. |
all |
Notifies the controller and a trap receiver such as Cisco Prime Infrastructure. |
global |
Notifies only a trap receiver such as Cisco Prime Infrastructure. |
local |
Notifies only the controller. |
none |
Notifies neither the controller nor a trap receiver such as Cisco Prime Infrastructure. |
state |
Configures state of the rogue access point after a rule match. |
alert |
Configures alert state on the rogue access point that is not in the neighbor list or in the user configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action. |
contain |
Configures contain state on the rogue access point. Controller contains the offending device so that its signals no longer interfere with authorized clients. |
delete |
Configures delete state on the rogue access point. |
external |
Configures external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point. |
internal |
Configures alert state on rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point. |
rule_name |
Rule to which the command applies, or the name of a new rule. |
condition ap |
Specifies the conditions for a rule that the rogue access point must meet. |
set |
Adds conditions to a rule that the rogue access point must meet. |
delete |
Removes conditions from a rule that the rogue access point must meet. |
condition_type |
Type of the condition to be configured. The condition types are client-count, duration, managed-ssid, no-encryption, rssi, ssid, and substring-ssid. |
condition_value |
Value of the condition. This value is dependent upon the condition_type. For instance, if the condition type is ssid, then the condition value is either the SSID name or all. |
match { all | any} |
Specifies whether a detected rogue access point must meet all or any of the conditions specified by the rule in order for the rule to be matched and the rogue access point to adopt the classification type of the rule. |
priority priority |
Changes the priority of a specific rule and shifts others in the list accordingly. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
For your changes to be effective, you must enable the rule. You can configure up to 64 rules.
Reclassification of rogue APs according to the RSSI condition of the rogue rule occurs only when the RSSI changes more than +/- 2 dBm of the configured RSSI value. Manual and automatic classification override custom rogue rules. Rules are applied to manually changed rogues if their class type changes to unclassified and state changes to alert. Adhoc rogues are classified and do not go to the pending state. You can have up to 50 classification types.
Examples
The following example shows how to create a rule called rule_1 with a priority of 1 and a classification as friendly.
(Cisco Controller) > config rogue rule add ap priority 1 classify friendly rule_1
The following example shows how to enable rule_1.
(Cisco Controller) > config rogue rule enable rule_1
The following example shows how to change the priority of the last command.
(Cisco Controller) > config rogue rule priority 2 rule_1
The following example shows how to change the classification of the last command.
(Cisco Controller) > config rogue rule classify malicious rule_1
The following example shows how to disable the last command.
(Cisco Controller) > config rogue rule disable rule_1
The following example shows how to delete SSID_2 from the user-configured SSID list in rule-5.
(Cisco Controller) > config rogue rule condition ap delete ssid ssid_2 rule-5
The following example shows how to create a custom rogue rule.
(Cisco Controller) > config rogue rule classify custom 1 VeryMalicious rule6
config rogue rule condition ap
To configure a condition of a rogue rule for rogue access points, use the config rogue rule condition ap command.
config rogue rule condition ap { set { client-count count | duration time | managed-ssid | no-encryption | rssi rssi | ssid ssid | substring-ssid substring-ssid} | delete { all | client-count | duration | managed-ssid | no-encryption | rssi | ssid | substring-ssid} } rule_name
Syntax Description
set |
Configures conditions to a rule that the rogue access point must meet. |
client-count |
Enables a minimum number of clients to be associated to the rogue access point. |
count |
Minimum number of clients to be associated to the rogue access point. The range is from 1 to 10 (inclusive). For example, if the number of clients associated to a rogue access point is greater than or equal to the configured value, the access point is classified as malicious. |
duration |
Enables a rogue access point to be detected for a minimum period of time. |
time |
Minimum time period, in seconds, to detect the rogue access point. The range is from 0 to 3600. |
managed-ssid |
Enables a rogue access point’s SSID to be known to the controller. |
no-encryption |
Enables a rogue access point’s advertised WLAN to not have encryption enabled. If a rogue access point has encryption disabled, it is likely that more clients will try to associate to it. |
rssi |
Enables a rogue access point to have a minimum Received Signal Strength Indicator (RSSI) value. |
rssi |
Minimum RSSI value, in dBm, required for the access point. The range is from –95 to –50 (inclusive). For example, if the rogue access point has an RSSI that is greater than the configured value, the access point is classified as malicious. |
ssid |
Enables a rogue access point to have a specific SSID. |
ssid |
SSID of the rogue access point. |
substring-ssid |
Enables a rogue access point to have a substring of a user-configured SSID. |
substring-ssid |
Substring of a user-configured SSID. For example, if you have an SSID as ABCDE, you can specify the substring as ABCD or ABC. You can classify multiple SSIDs with matching patterns. |
delete |
Removes the conditions to a rule that a rogue access point must comply with. |
all |
Deletes all the rogue rule conditions. |
rule_name |
Rogue rule to which the command applies. |
Command Default
The default value for RSSI is 0 dBm.
The default value for duration is 0 seconds.
The default value for client count is 0.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
You can configure up to 25 SSIDs per rogue rule. You can configure up to 25 SSID substrings per rogue rule.
Examples
The following example shows how to configure the RSSI rogue rule condition:
(Cisco Controller) > config rogue rule condition ap set rssi -50
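The following Python is an added example, not Cisco's code or the controller's implementation; it models how the options documented under config rogue rule and config rogue rule condition ap combine: enabled-only rules, match all/any over the condition types with the comparisons the Syntax Descriptions give, the 64-rule and 25-SSID limits, and the +/- 2 dBm RSSI reclassification hysteresis from the Usage Guidelines. The evaluation order (ascending priority, first match wins), the fallback to unclassified/alert when nothing matches, and the sample SSIDs and rules are assumptions; manual classification, which the page says overrides rules, is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_RULES = 64              # page: up to 64 rules
MAX_SSIDS_PER_RULE = 25     # page: up to 25 SSIDs and 25 SSID substrings per rule
RSSI_DEADBAND_DBM = 2       # page: reclassify only when RSSI moves more than +/-2 dBm of the configured value
MANAGED_SSIDS = {"corp-wifi", "corp-guest"}   # constructed: SSIDs this controller serves

@dataclass
class RogueAP:
    bssid: str                  # constructed placeholder addresses are used below
    ssid: str
    rssi_dbm: int
    client_count: int = 0
    duration_s: int = 0         # seconds since first detection
    encrypted: bool = True
    classification: str = "unclassified"
    state: str = "alert"
    classified_by: Optional[str] = None   # rule that assigned the current classification

@dataclass
class RogueRule:
    name: str
    priority: int               # assumption: lower number is evaluated first
    classify: str               # friendly | malicious | custom
    conditions: Dict[str, object] = field(default_factory=dict)   # condition_type -> value
    match: str = "all"          # all | any
    state: str = "alert"        # alert | contain | delete | internal | external
    enabled: bool = False       # page: the rule takes effect only once enabled
    classification_name: Optional[str] = None   # custom class name, up to 32 characters
    severity_score: Optional[int] = None        # custom severity score, 1 to 100

def validate(rules: List[RogueRule]) -> None:
    # Reject rule sets that exceed the limits the page states.
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    for r in rules:
        for key in ("ssid", "substring-ssid"):
            vals = r.conditions.get(key)
            if isinstance(vals, (set, list, tuple)) and len(vals) > MAX_SSIDS_PER_RULE:
                raise ValueError(f"rule {r.name}: more than {MAX_SSIDS_PER_RULE} {key} values")

def condition_holds(cond: str, value, ap: RogueAP) -> bool:
    """Evaluate one condition_type with the comparison the page gives for it."""
    if cond == "client-count":
        return ap.client_count >= value       # "greater than or equal to the configured value"
    if cond == "duration":
        return ap.duration_s >= value         # detected for at least the configured time
    if cond == "rssi":
        return ap.rssi_dbm > value            # "greater than the configured value"
    if cond == "ssid":
        return value == "all" or ap.ssid in value     # value is "all" or a set of SSIDs
    if cond == "substring-ssid":
        return any(sub in ap.ssid for sub in value)
    if cond == "no-encryption":
        return not ap.encrypted
    if cond == "managed-ssid":
        return ap.ssid in MANAGED_SSIDS
    raise ValueError(f"unknown condition_type {cond!r}")

def rule_matches(rule: RogueRule, ap: RogueAP) -> bool:
    results = [condition_holds(c, v, ap) for c, v in rule.conditions.items()]
    if not results:
        return False                          # assumption: a rule with no conditions never matches
    return all(results) if rule.match == "all" else any(results)

def classify(ap: RogueAP, rules: List[RogueRule]) -> str:
    """Apply enabled rules in priority order; the first match sets class and state (assumption)."""
    for rule in sorted((r for r in rules if r.enabled), key=lambda r: r.priority):
        rssi_cfg = rule.conditions.get("rssi")
        if (ap.classified_by == rule.name and rssi_cfg is not None
                and abs(ap.rssi_dbm - rssi_cfg) <= RSSI_DEADBAND_DBM):
            return ap.classification          # within +/-2 dBm of the threshold: no reclassification
        if rule_matches(rule, ap):
            ap.classification = rule.classification_name if rule.classify == "custom" else rule.classify
            ap.state, ap.classified_by = rule.state, rule.name
            return ap.classification
    # Assumption: a rogue that matches no enabled rule falls back to unclassified / alert.
    ap.classification, ap.state, ap.classified_by = "unclassified", "alert", None
    return ap.classification

RULES = [   # constructed rules in the shape config rogue rule / condition ap would build
    RogueRule("honeypot", 1, "malicious", {"managed-ssid": True, "substring-ssid": {"corp"}},
              match="any", enabled=True),
    RogueRule("open-crowded", 2, "custom", {"no-encryption": True, "client-count": 3, "rssi": -65},
              enabled=True, classification_name="VeryMalicious", severity_score=1),
    RogueRule("neighbor-lab", 3, "friendly", {"ssid": {"lab-test"}, "duration": 600},
              state="external", enabled=True),
    RogueRule("staged", 4, "malicious", {"ssid": "all"}),   # never enabled, so it never matches
]

def rssi_walk(rssi_values: List[int]) -> List[str]:
    """Classify one open, busy rogue as its RSSI changes, showing the +/-2 dBm hysteresis."""
    validate(RULES)
    ap = RogueAP("00:00:5e:00:53:01", "FreeWiFi", rssi_values[0], client_count=5, encrypted=False)
    out = []
    for rssi in rssi_values:
        ap.rssi_dbm = rssi
        out.append(classify(ap, RULES))
    return out
```

`rssi_walk([-66, -64, -66, -70])` returns `['unclassified', 'VeryMalicious', 'VeryMalicious', 'unclassified']`: the drop from -64 to -66 stays inside the 2 dBm band around the configured -65 and does not reclassify, while -70 does.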
config tacacs acct
To configure TACACS+ accounting server settings, use the config tacacs acct command.
config tacacs acct { add 1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | server-timeout 1-3 seconds}
Syntax Description
IP addr |
Specifies IPv4 or IPv6 address of the TACACS+ accounting server. |
ascii/hex |
Specifies type of TACACS+ server's secret being used (ASCII or HEX). |
server-timeout 1-3 seconds |
Specifies the number of seconds before the TACACS+ server times out. The server timeout range is from 5 to 30 seconds. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to add a new TACACS+ accounting server index 1 with the IPv4 address 10.0.0.0, port number 49, and secret key 12345678 in ASCII:
(Cisco Controller) > config tacacs acct add 1 10.0.0.0 49 ascii 12345678
The following example shows how to add a new TACACS+ accounting server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:
(Cisco Controller) > config tacacs acct add 1 2001:9:6:40::623 49 ascii 12345678
The following example shows how to configure the server timeout of 5 seconds for the TACACS+ accounting server:
(Cisco Controller) > config tacacs acct server-timeout 1 5
config tacacs athr
To configure TACACS+ authorization server settings, use the config tacacs athr command.
config tacacs athr { add 1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | mgmt-server-timeout 1-3 seconds | server-timeout 1-3 seconds}
Syntax Description
mgmt-server-timeout 1-3 seconds |
Changes the default management login server timeout for the server. The number of seconds before the server times out is from 1 to 30 seconds. |
server-timeout 1-3 seconds |
Changes the default network login server timeout for the server. The number of seconds before the server times out is from 5 to 30 seconds. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to add a new TACACS+ authorization server index 1 with the IPv4 address 10.0.0.0, port number 49, and secret key 12345678 in ASCII:
(Cisco Controller) > config tacacs athr add 1 10.0.0.0 49 ascii 12345678
The following example shows how to add a new TACACS+ authorization server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:
(Cisco Controller) > config tacacs athr add 1 2001:9:6:40::623 49 ascii 12345678
The following example shows how to configure a server timeout of 5 seconds for the TACACS+ authorization server:
(Cisco Controller) > config tacacs athr server-timeout 1 5
config tacacs athr mgmt-server-timeout
To configure a default TACACS+ authorization server timeout for management users, use the config tacacs athr mgmt-server-timeout command.
config tacacs athr mgmt-server-timeout index timeout
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure a default TACACS+ authorization server timeout for management users:
(Cisco Controller) > config tacacs athr mgmt-server-timeout 1 10
config tacacs auth
To configure TACACS+ authentication server settings, use the config tacacs auth command.
config tacacs auth { add 1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | mgmt-server-timeout 1-3 seconds | server-timeout 1-3 seconds}
Syntax Description
mgmt-server-timeout 1-3 seconds |
Changes the default management login server timeout for the server. The number of seconds before the server times out is from 1 to 30 seconds. |
server-timeout 1-3 seconds |
Changes the default network login server timeout for the server. The number of seconds before the server times out is from 5 to 30 seconds. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to add a new TACACS+ authentication server index 1 with the IPv4 address 10.0.0.3, port number 49, and secret key 12345678 in ASCII:
(Cisco Controller) > config tacacs auth add 1 10.0.0.3 49 ascii 12345678
The following example shows how to add a new TACACS+ authentication server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:
(Cisco Controller) > config tacacs auth add 1 2001:9:6:40::623 49 ascii 12345678
The following example shows how to configure the server timeout for TACACS+ authentication server:
(Cisco Controller) > config tacacs auth server-timeout 1 5
config tacacs auth mgmt-server-timeout
To configure a default TACACS+ authentication server timeout for management users, use the config tacacs auth mgmt-server-timeout command.
config tacacs auth mgmt-server-timeout index timeout
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure a default TACACS+ authentication server timeout for management users:
(Cisco Controller) > config tacacs auth mgmt-server-timeout 1 10
Related Commands
config tacacs dns
To retrieve the TACACS IP information from a DNS server, use the config tacacs dns command.
config tacacs dns { global port { ascii | hex} secret | query url timeout | serverip ip_address | disable | enable}
Syntax Description
global |
Configures the global port and secret to retrieve the TACACS IP information from a DNS server. |
port |
Port number for authentication. The range is from 1 to 65535. All the DNS servers should use the same authentication port. |
ascii |
Format of the shared secret that you should set to ASCII. |
hex |
Format of the shared secret that you should set to hexadecimal. |
secret |
TACACS server login secret. |
query |
Configures the fully qualified domain name (FQDN) of the TACACS server and DNS timeout. |
url |
FQDN of the TACACS server. The FQDN can be up to 63 case-sensitive, alphanumeric characters. |
timeout |
Maximum time that the Cisco Wireless LAN Controller (WLC) waits for, in days, before timing out a request and resending it. The range is from 1 to 180. |
serverip |
Configures the DNS server IP address. |
ip_address |
DNS server IP address. |
disable |
Disables the TACACS DNS feature. The default is disabled. |
enable |
Enables the Cisco WLC to retrieve the TACACS IP information from a DNS server. |
Command Default
You cannot retrieve the TACACS IP information from a DNS server.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
The accounting port is derived from the authentication port. All the DNS servers should use the same secret. When you enable a DNS query, the static configurations will be overridden. The DNS list overrides the static AAA list.
Examples
The following example shows how to enable the TACACS DNS feature on the Cisco WLC:
(Cisco Controller) > config tacacs dns enable
config tacacs fallback-test interval
To configure TACACS+ probing interval, use the config tacacs fallback-test interval command.
config tacacs fallback-test interval { seconds }
Syntax Description
seconds |
TACACS+ probing interval in seconds. The range is from 180 to 3600 seconds; enter 0 to disable probing. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure TACACS+ probing interval:
(Cisco Controller) > config tacacs fallback-test interval 200
config wlan radius_server realm
To configure realm on a WLAN, use the config wlan radius_server realm command.
config wlan radius_server realm { enable | disable} wlan-id
Syntax Description
enable |
Enable realm on a WLAN. |
disable |
Disable realm on a WLAN. |
wlan-id |
WLAN ID. The range is from 1 to 512. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable realm on a WLAN:
(Cisco Controller) > config wlan radius_server realm enable 50
config wlan security eap-params
To configure local EAP timers on a WLAN, use the config wlan security eap-params command.
config wlan security eap-params { { enable | disable} | eapol-key-timeout timeout | eap-key-retries retries | identity-request-timeout timeout | identity-request-retries retries | request-timeout timeout | request-retries retries} wlan_id
Syntax Description
{ enable | disable} |
Specifies to enable or disable SSID-specific EAP timeouts or retries. The default value is disabled. |
eapol-key-timeout timeout |
Specifies the amount of time (200 to 5000 milliseconds) that the controller attempts to send an EAP key over the WLAN to wireless clients using local EAP. The default value is 1000 milliseconds. |
eap-key-retries retries |
Specifies the maximum number of times (0 to 4 retries) that the controller attempts to send an EAP key over the WLAN to wireless clients using local EAP. The default value is 2. |
identity-request-timeout timeout |
Specifies the amount of time (1 to 120 seconds) that the controller attempts to send an EAP identity request to wireless clients within the WLAN using local EAP. The default value is 30 seconds. |
identity-request-retries retries |
Specifies the maximum number of times (0 to 4 retries) that the controller attempts to retransmit the EAP identity request to wireless clients within the WLAN using local EAP. The default value is 2. |
request-timeout timeout |
Specifies the amount of time (1 to 120 seconds) in which the controller attempts to send an EAP parameter request to wireless clients within the WLAN using local EAP. The default value is 30 seconds. |
request-retries retries |
Specifies the maximum number of times (0 to 20 retries) that the controller attempts to retransmit the EAP parameter request to wireless clients within the WLAN using local EAP. The default value is 2. |
wlan_id |
WLAN identification number. |
Command Default
The default EAPOL key timeout is 1000 milliseconds.
The default for EAPOL key retries is 2.
The default identity request timeout is 30 seconds.
The default identity request retries is 2.
The default request timeout is 30 seconds.
The default request retries is 2.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable SSID specific EAP parameters on a WLAN:
(Cisco Controller) > config wlan security eap-params enable 4
The following example shows how to set EAPOL key timeout parameter on a WLAN:
(Cisco Controller) > config wlan security eap-params eapol-key-timeout 1000 4
The following example shows how to set EAPOL key retries on a WLAN:
(Cisco Controller) > config wlan security eap-params eapol-key-retries 4 4
clear Commands
This section lists the clear commands to clear existing security configurations of the controller.
- clear radius acct statistics
- clear tacacs auth statistics
- clear stats local-auth
- clear stats radius
- clear stats tacacs
clear radius acct statistics
To clear the RADIUS accounting statistics on the controller, use the clear radius acct statistics command.
clear radius acct statistics [ index | all]
Syntax Description
index |
(Optional) Specifies the index of the RADIUS accounting server. |
all |
(Optional) Clears the statistics for all RADIUS accounting servers. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to clear the RADIUS accounting statistics:
(Cisco Controller) >clear radius acct statistics
Related Commands
clear tacacs auth statistics
To clear the TACACS+ authentication server statistics on the controller, use the clear tacacs auth statistics command.
clear tacacs auth statistics [ index | all]
Syntax Description
index |
(Optional) Specifies the index of the TACACS+ authentication server. |
all |
(Optional) Clears the statistics for all TACACS+ authentication servers. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to clear the TACACS+ authentication server statistics:
(Cisco Controller) >clear tacacs auth statistics
Related Commands
clear stats local-auth
To clear the local Extensible Authentication Protocol (EAP) statistics, use the clear stats local-auth command.
clear stats local-auth
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to clear the local EAP statistics:
(Cisco Controller) >clear stats local-auth
Local EAP Authentication Stats Cleared.
Related Commands
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics
clear stats radius
To clear the statistics for one or more RADIUS servers, use the clear stats radius command.
clear stats radius { auth | acct} { index | all}
Syntax Description
index |
Specifies the index number of the RADIUS server to be cleared. |
all |
Clears the statistics for all RADIUS servers of the selected type. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to clear the statistics for all RADIUS authentication servers:
(Cisco Controller) >clear stats radius auth all
Related Commands
clear download datatype
clear download filename
clear download mode
clear download serverip
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
clear stats port
clear stats tacacs
To clear the TACACS+ server statistics on the controller, use the clear stats tacacs command.
clear stats tacacs [ auth | athr | acct] [ index | all]
Syntax Description
auth |
(Optional) Clears the TACACS+ authentication server statistics. |
athr |
(Optional) Clears the TACACS+ authorization server statistics. |
acct |
(Optional) Clears the TACACS+ accounting server statistics. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to clear the TACACS+ accounting server statistics for index 1:
(Cisco Controller) >clear stats tacacs acct 1
Related Commands
debug Commands
This section lists the debug commands to manage debugging of security settings of the controller.
Caution | Debug commands are reserved for use only under the direction of Cisco personnel. Do not use these commands without direction from Cisco-certified staff. |
- debug 11w-pmf
- debug aaa
- debug aaa events
- debug aaa local-auth
- debug bcast
- debug cckm
- debug client
- debug dns
- debug dot1x
- debug dtls
- debug pm
- debug web-auth
debug 11w-pmf
To configure the debugging of 802.11w, use the debug 11w-pmf command.
debug 11w-pmf { all | events| keys} { enable | disable}
Syntax Description
all | Configures the debugging of all 802.11w messages. |
keys | Configures the debugging of 802.11w keys. |
events | Configures the debugging of 802.11w events. |
enable | Enables the debugging of 802.11w options. |
disable | Disables the debugging of 802.11w options. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable the debugging of 802.11w keys:
(Cisco Controller) >debug 11w-pmf keys enable
debug aaa
To configure the debugging of AAA settings, use the debug aaa command.
debug aaa {[ all | detail | events | packet | local-auth | tacacs] [ enable | disable]}
Syntax Description
avp-xml | (Optional) Configures the debugging of AAA AVP XML events. |
local-auth | (Optional) Configures the debugging of the AAA local Extensible Authentication Protocol (EAP) events. |
tacacs | (Optional) Configures the debugging of the AAA TACACS+ events. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
8.6 | This command was enhanced with the new keyword avp-xml. |
Related Commands
debug aaa events
To configure the debugging related to DNS-based ACLs, use the debug aaa events enable command.
debug aaa events enable
Syntax Description
events |
Configures the debugging of DNS-based ACLs. |
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable the debugging for DNS-based ACLs:
(Cisco Controller) > debug aaa events enable
debug aaa local-auth
To configure the debugging of AAA local authentication on the Cisco WLC, use the debug aaa local-auth command.
debug aaa local-auth { db | shim | eap { framework | method} { all | errors | events | packets | sm}} { enable | disable}
Syntax Description
db | Configures the debugging of the AAA local authentication back-end messages and events. |
shim | Configures the debugging of the AAA local authentication shim layer events. |
eap | Configures the debugging of the AAA local Extensible Authentication Protocol (EAP) authentication. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable the debugging of the AAA local EAP authentication:
(Cisco Controller) > debug aaa local-auth eap method all enable
Related Commands
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
show local-auth certificates
show local-auth config
show local-auth statistics
debug bcast
To configure the debugging of broadcast options, use the debug bcast command.
debug bcast { all | error | message | igmp | detail} { enable | disable}
Syntax Description
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable the debugging of broadcast messages:
(Cisco Controller) > debug bcast message enable
The following example shows how to disable the debugging of broadcast messages:
(Cisco Controller) > debug bcast message disable
Related Commands
show sysinfo
debug cckm
To configure the debugging of the Cisco Centralized Key Management options, use the debug cckm command.
debug cckm { client | detailed} { enable| disable}
Syntax Description
client | Configures debugging of the Cisco Centralized Key Management of clients. |
detailed | Configures detailed debugging of Cisco Centralized Key Management. |
enable | Enables debugging of Cisco Centralized Key Management. |
disable | Disables debugging of Cisco Centralized Key Management. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable detailed debugging of Cisco Centralized Key Management:
(Cisco Controller) > debug cckm detailed enable
debug client
To configure the debugging for a specific client, use the debug client command.
debug client mac_address
Syntax Description
Command Default
Usage Guidelines
After entering the debug client mac_address command, if you enter the debug aaa events enable command, then the AAA events logs are displayed for that particular client MAC address.
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to debug a specific client:
(Cisco Controller) > debug client 01:35:6x:yy:21:00
debug dns
To configure debugging of Domain Name System (DNS) options, use the debug dns command.
debug dns { all | detail | error | message} { enable | disable}
Syntax Description
all | Configures debugging of all the DNS options. |
detail | Configures debugging of the DNS details. |
error | Configures debugging of the DNS errors. |
message | Configures debugging of the DNS messages. |
enable | Enables debugging of the DNS options. |
disable | Disables debugging of the DNS options. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable DNS error debugging:
(Cisco Controller) > debug dns error enable
debug dot1x
To configure debugging of the 802.1X options, use the debug dot1x command.
debug dot1x { aaa | all | events | packets | states} { enable | disable}
Syntax Description
aaa | Configures debugging of the 802.1X AAA interactions. |
all | Configures debugging of all the 802.1X messages. |
events | Configures debugging of the 802.1X events. |
packets | Configures debugging of the 802.1X packets. |
states | Configures debugging of the 802.1X state transitions. |
enable | Enables debugging of the 802.1X options. |
disable | Disables debugging of the 802.1X options. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable 802.1X state transitions debugging:
(Cisco Controller) > debug dot1x states enable
debug dtls
To configure debugging of the Datagram Transport Layer Security (DTLS) options, use the debug dtls command.
debug dtls { all | event | packet | trace} { enable | disable}
Syntax Description
all | Configures debugging of all the DTLS messages. |
event | Configures debugging of the DTLS events. |
packet | Configures debugging of the DTLS packets. |
trace | Configures debugging of the DTLS trace messages. |
enable | Enables debugging of the DTLS options. |
disable | Disables debugging of the DTLS options. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Usage Guidelines
The debug actions described here are used in conjunction with CAPWAP troubleshooting.
Examples
The following example shows how to enable DTLS packet debugging:
(Cisco Controller) > debug dtls packet enable
debug pm
To configure the debugging of the security policy manager module, use the debug pm command.
debug pm {all disable | {config | hwcrypto | ikemsg | init | list | message | pki | rng | rules | sa-export | sa-import | ssh-l2tp | ssh-appgw | ssh-engine | ssh-int | ssh-pmgr | ssh-ppp | ssh-tcp} {enable | disable}}
Syntax Description
config | Configures the debugging of the policy manager configuration. |
ikemsg | Configures the debugging of Internet Key Exchange (IKE) messages. |
init | Configures the debugging of policy manager initialization events. |
message | Configures the debugging of policy manager message queue events. |
pki | Configures the debugging of Public Key Infrastructure (PKI) related events. |
ssh-l2tp | Configures the debugging of policy manager Layer 2 Tunneling Protocol (L2TP) handling. |
ssh-ppp | Configures the debugging of policy manager Point-to-Point Protocol (PPP) handling. |
Command Default
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to configure the debugging of PKI-related events:
(Cisco Controller) > debug pm pki enable
Related Commands
debug web-auth
To configure debugging of web-authenticated clients, use the debug web-auth command.
debug web-auth {redirect {enable mac mac_address | disable} | webportal-server {enable | disable}}
Syntax Description
redirect | Configures debugging of web-authenticated and redirected clients. |
enable | Enables the debugging of web-authenticated clients. |
mac | Configures the MAC address of the web-authenticated client. |
mac_address | MAC address of the web-authenticated client. |
disable | Disables the debugging of web-authenticated clients. |
webportal-server | Configures the debugging of portal authentication of clients. |
Command Default
None
Command History
Release | Modification |
---|---|
8.3 | This command was introduced. |
Examples
The following example shows how to enable the debugging of a web authenticated and redirected client:
(Cisco Controller) > debug web-auth redirect enable mac xx:xx:xx:xx:xx:xx