Security Commands

show Commands

This section lists the show commands to display information about your security configuration settings for the controller.

show 802.11

To display basic 802.11a, 802.11b/g, or 802.11h network settings, use the show 802.11 command.

show 802.11{ a | b | h}

Syntax Description

a

Specifies the 802.11a network.

b

Specifies the 802.11b/g network.

h

Specifies the 802.11h network.

Command Default

None.

Command History

Release Modification
8.3 This command was introduced.

Examples

This example shows to display basic 802.11a network settings:


>  show 802.11a
802.11a Network.................................. Enabled
11nSupport....................................... Enabled
      802.11a Low Band........................... Enabled
      802.11a Mid Band........................... Enabled
      802.11a High Band.......................... Enabled
802.11a Operational Rates
    802.11a 6M Rate.............................. Mandatory
    802.11a 9M Rate.............................. Supported
    802.11a 12M Rate............................. Mandatory
    802.11a 18M Rate............................. Supported
    802.11a 24M Rate............................. Mandatory
    802.11a 36M Rate............................. Supported
    802.11a 48M Rate............................. Supported
    802.11a 54M Rate............................. Supported
802.11n MCS Settings:
    MCS 0........................................ Supported
    MCS 1........................................ Supported
    MCS 2........................................ Supported
    MCS 3........................................ Supported
    MCS 4........................................ Supported
    MCS 5........................................ Supported
    MCS 6........................................ Supported
    MCS 7........................................ Supported
    MCS 8........................................ Supported
    MCS 9........................................ Supported
    MCS 10....................................... Supported
    MCS 11....................................... Supported
    MCS 12....................................... Supported
    MCS 13....................................... Supported
    MCS 14....................................... Supported
    MCS 15....................................... Supported
802.11n Status:
    A-MPDU Tx:
        Priority 0............................... Enabled
        Priority 1............................... Disabled
        Priority 2............................... Disabled
        Priority 3............................... Disabled
        Priority 4............................... Disabled
        Priority 5............................... Disabled
        Priority 6............................... Disabled
        Priority 7............................... Disabled
Beacon Interval.................................. 100
CF Pollable mandatory............................ Disabled
CF Poll Request mandatory........................ Disabled
--More-- or (q)uit
CFP Period....................................... 4
CFP Maximum Duration............................. 60
Default Channel.................................. 36
Default Tx Power Level........................... 0
DTPC Status..................................... Enabled
Fragmentation Threshold.......................... 2346
TI Threshold..................................... -50
Legacy Tx Beamforming setting.................... Disabled
Traffic Stream Metrics Status.................... Enabled
Expedited BW Request Status...................... Disabled
World Mode....................................... Enabled
EDCA profile type................................ default-wmm
Voice MAC optimization status.................... Disabled
Call Admission Control (CAC) configuration
Voice AC:
   Voice AC - Admission control (ACM)............ Disabled
   Voice max RF bandwidth........................ 75
   Voice reserved roaming bandwidth.............. 6
   Voice load-based CAC mode..................... Disabled
   Voice tspec inactivity timeout................ Disabled
   Voice Stream-Size............................. 84000
   Voice Max-Streams............................. 2
Video AC:
   Video AC - Admission control (ACM)............ Disabled
   Video max RF bandwidth........................ Infinite
   Video reserved roaming bandwidth.............. 0

This example shows how to display basic 802.11h network settings:


>  show 802.11h
802.11h ......................................... powerconstraint : 0
802.11h ......................................... channelswitch : Disable
802.11h ......................................... channelswitch mode : 0

Related Commands

show ap stats

show ap summary

show client summary

show network

show network summary

show port

show wlan

show aaa auth

To display the configuration settings for the AAA authentication server database, use the show aaa auth command.

show aaa auth

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display the configuration settings for the AAA authentication server database:


(Cisco Controller) > show aaa auth 
Management authentication server order:
    1............................................ local
    2............................................ tacacs

Related Commands

config aaa auth

config aaa auth mgmt

show advanced eap

To display Extensible Authentication Protocol (EAP) settings, use the show advanced eap command.

show advanced eap

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display the EAP settings:


(Cisco Controller) > show advanced eap
EAP-Identity-Request Timeout (seconds)........... 1
EAP-Identity-Request Max Retries................. 20
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 1
EAP-Request Max Retries.......................... 20
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2

Related Commands

config advanced eap

config advanced timers eap-identity-request-delay

config advanced timers eap-timeout

show client detail

To display IP addresses per client learned through DNS snooping (DNS-based ACL), use the show client detail mac_address command.

show client detail mac_address

Syntax Description

mac_address

MAC address of the client.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following is a sample output of the show client detail mac_address command.

(Cisco Controller) > show client detail 01:35:6x:yy:21:00
 Client MAC Address............................... 01:35:6x:yy:21:00
Client Username ................................. test
AP MAC Address................................... 00:11:22:33:44:x0
AP Name.......................................... AP0011.2020.x111
AP radio slot Id................................. 1
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 7
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 00:11:22:33:44:xx
Connected For ................................... 28 secs
Channel.......................................... 56
IP Address....................................... 10.0.0.1
Gateway Address.................................. Unknown
Netmask.......................................... Unknown
IPv6 Address..................................... xx20::222:6xyy:zeeb:2233
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... No CCX support
Re-Authentication Timeout........................ 1756
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
  APSD ACs.......................................  BK  BE  VI  VO
Power Save....................................... ON
Current Rate..................................... m7
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
    ............................................. 48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ No
Policy Manager State............................. SUPPLICANT_PROVISIONING
Policy Manager Rule Created...................... Yes
AAA Override ACL Name............................ android
AAA Override ACL Applied Status.................. Yes
AAA Override Flex ACL Name....................... none
AAA Override Flex ACL Applied Status............. Unavailable
AAA URL redirect................................. https://10.0.0.3:8443/guestportal/gateway?sessionId=0a68aa72000000015272404e&action=nsp
Audit Session ID................................. 0a68aa72000000015272404e
AAA Role Type.................................... none
Local Policy Applied............................. p1
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
Client Type...................................... SimpleIP
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface......................................
.. management
VLAN............................................. 0
Quarantine VLAN.................................. 0
Access VLAN...................................... 0
Client Capabilities:
      CF Pollable................................ Not implemented
      CF Poll Request............................ Not implemented
      Short Preamble............................. Not implemented
      PBCC....................................... Not implemented
      Channel Agility............................ Not implemented
      Listen Interval............................ 10
      Fast BSS Transition........................ Not implemented
Client Wifi Direct Capabilities:
      WFD capable................................ No
      Manged WFD capable......................... No
      Cross Connection Capable................... No
      Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
      Number of Bytes Received................... 123659
      Number of Bytes Sent....................... 120564
      Number of Packets Received................. 1375
      Number of Packets Sent..................... 276
      Number of Interim-Update Sent.............. 0
      Number of EAP Id Request Msg Timeouts...... 0
      Number of EAP Id Request Msg Failures...... 0
      Number of EAP Request Msg Timeouts......... 2
      Number of EAP Request Msg Failures......... 0
      Number of EAP Key Msg Timeouts............. 0
      Number of EAP Key Msg Failures............. 0
      Number of Data Retries..................... 82
      Number of RTS Retries...................... 0
      Number of Duplicate Received Packets....... 0
      Number of Decrypt Failed Packets........... 0
      Number of Mic Failured Packets............. 0
      Number of Mic Missing Packets.............. 0
      Number of RA Packets Dropped............... 0
      Number of Policy Errors.................... 0
      Radio Signal Strength Indicator............ -51 dBm
      Signal to Noise Ratio...................... 46 dB
Client Rate Limiting Statistics:
      Number of Data Packets Recieved............ 0
      Number of Data Rx Packets Dropped.......... 0
      Number of Data Bytes Recieved.............. 0
      Number of Data Rx Bytes Dropped............ 0
      Number of Realtime Packets Recieved........ 0
      Number of Realtime Rx Packets Dropped...... 0
      Number of Realtime Bytes Recieved.......... 0
      Number of Realtime Rx Bytes Dropped........ 0
      Number of Data Packets Sent................ 0
      Number of Data Tx Packets Dropped.......... 0
      Number of Data Bytes Sent.................. 0
      Number of Data Tx Bytes Dropped............ 0
      Number of Realtime Packets Sent............ 0
      Number of Realtime Tx Packets Dropped...... 0
      Number of Realtime Bytes Sent.............. 0
      Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
      AP0022.9090.c545(slot 0)
        antenna0: 26 secs ago.................... -33 dBm
        antenna1: 26 secs ago.................... -35 dBm
      AP0022.9090.c545(slot 1)
        antenna0: 25 secs ago.................... -41 dBm
        antenna1: 25 secs ago.................... -44 dBm
      APc47d.4f3a.35c2(slot 0)
        antenna0: 26 secs ago.................... -30 dBm
        antenna1: 26 secs ago.................... -36 dBm
      APc47d.4f3a.35c2(slot 1)
        antenna0: 24 secs ago.................... -43 dBm
        antenna1: 24 secs ago.................... -45 dBm
DNS Server details:
      DNS server IP ............................. 0.0.0.0
      DNS server IP ............................. 0.0.0.0

Client Dhcp Required:     False
Allowed (URL)IP Addresses
-------------------------
209.165.200.225
209.165.200.226
209.165.200.227
209.165.200.228
209.165.200.229
209.165.200.230
209.165.200.231
209.165.200.232
209.165.200.233
209.165.200.234
209.165.200.235
209.165.200.236
209.165.200.237
209.165.200.238
209.165.201.1
209.165.201.2
209.165.201.3
209.165.201.4
209.165.201.5
209.165.201.6
209.165.201.7
209.165.201.8
209.165.201.9
209.165.201.10

show database summary

To display the maximum number of entries in the database, use the show database summary command.

show database summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following is a sample output of the show database summary command:


(Cisco Controller) > show database summary
Maximum Database Entries......................... 2048
Maximum Database Entries On Next Reboot.......... 2048
Database Contents
    MAC Filter Entries........................... 2
    Exclusion List Entries....................... 0
    AP Authorization List Entries................ 1
    Management Users............................. 1
    Local Network Users.......................... 1
        Local Users.............................. 1
        Guest Users.............................. 0
    Total..................................... 5

Related Commands

config database size

show exclusionlist

To display a summary of all clients on the manual exclusion list (blacklisted) from associating with this Cisco wireless LAN controller, use the show exclusionlist command.

show exclusionlist

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

This command displays all manually excluded MAC addresses.

Examples

The following example shows how to display the exclusion list:


(Cisco Controller) > show exclusionlist
No manually disabled clients.
Dynamically Disabled Clients
----------------------------
  MAC Address             Exclusion Reason        Time Remaining (in secs)
  -----------             ----------------        ------------------------
00:40:96:b4:82:55         802.1X Failure          	51

Related Commands

config exclusionlist

show local-auth certificates

To display local authentication certificate information, use the show local-auth certificates command:

show local-auth certificates

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display the authentication certificate information stored locally:

(Cisco Controller) > show local-auth certificates

Related Commands

clear stats local-auth

config local-auth active-timeout

config local-auth eap-profile

config local-auth method fast

config local-auth user-credentials

debug aaa local-auth

show local-auth config

show local-auth statistics

show local-auth config

To display local authentication configuration information, use the show local-auth config command.

show local-auth config

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display the local authentication configuration information:


(Cisco Controller) > show local-auth config
User credentials database search order:
Primary ................................... Local DB
Configured EAP profiles:
Name ...................................... fast-test
Certificate issuer .................... default
Enabled methods ....................... fast
Configured on WLANs ................... 2
EAP Method configuration:
EAP-TLS:
Certificate issuer .................... default
Peer verification options:
	Check against CA certificates ..... Enabled
	Verify certificate CN identity .... Disabled
	Check certificate date validity ... Enabled
EAP-FAST:
TTL for the PAC ....................... 3 600
Initial client message ................ <none>
Local certificate required ............ No
Client certificate required ........... No
Vendor certificate required ........... No
Anonymous provision allowed ........... Yes
Authenticator ID ...................... 7b7fffffff0000000000000000000000
Authority Information ................. Test
EAP Profile.................................... tls-prof
Enabled methods for this profile .......... tls
Active on WLANs ........................... 1 3EAP Method configuration:
EAP-TLS:
Certificate issuer used ............... cisco
Peer verification options:
	Check against CA certificates ..... disabled
	Verify certificate CN identity .... disabled
	Check certificate date validity ... disabled

Related Commands

clear stats local-auth

config local-auth active-timeout

config local-auth eap-profile

config local-auth method fast

config local-auth user-credentials

debug aaa local-auth

show local-auth certificates

show local-auth statistics

show local-auth statistics

To display local Extensible Authentication Protocol (EAP) authentication statistics, use the show local-auth statistics command:

show local-auth statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display the local authentication certificate statistics:


(Cisco Controller) > show local-auth statistics
Local EAP authentication DB statistics:
Requests received ............................... 14
Responses returned .............................. 14
Requests dropped (no EAP AVP) ................... 0
Requests dropped (other reasons) ................ 0
Authentication timeouts ......................... 0
Authentication statistics:
  Method          Success         Fail
  ------------------------------------
  Unknown               0            0
  LEAP                  0            0
  EAP-FAST              2				 	 	 	 	 	 0
  EAP-TLS               0            0
  PEAP                  0            0
Local EAP credential request statistics:
Requests sent to LDAP DB ........................ 0
Requests sent to File DB ........................ 2
Requests failed (unable to send) ................ 0
Authentication results received:
  Success ....................................... 2
  Fail .......................................... 0
Certificate operations:
Local device certificate load failures .......... 0
Total peer certificates checked ................. 0
Failures:
  CA issuer check ............................... 0
  CN name not equal to identity ................. 0
  Dates not valid or expired .................... 0

Related Commands

clear stats local-auth

config local-auth active-timeout

config local-auth eap-profile

config local-auth method fast

config local-auth user-credentials

debug aaa local-auth

show local-auth config

show local-auth certificates

show netuser

To display the configuration of a particular user in the local user database, use the show netuser command.

show netuser { detail user_name | guest-roles | summary}

Syntax Description

detail

Displays detailed information about the specified network user.

user_name

Network user.

guest_roles

Displays configured roles for guest users.

summary

Displays a summary of all users in the local user database.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following is a sample output of the show netuser summary command:


(Cisco Controller) > show netuser summary
Maximum logins allowed for a given username ........Unlimited


The following is a sample output of the show netuser detail command:


(Cisco Controller) > show netuser detail john10
username........................................... abc
WLAN Id............................................. Any
Lifetime............................................ Permanent
Description......................................... test user

Related Commands

config netuser add

config netuser delete

config netuser description

config netuser guest-role apply

config netuser wlan-id

config netuser guest-roles

show network

To display the current status of 802.3 bridging for all WLANs, use the show network command.

show network

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Command History

Release Modification
8.3 This command was introduced.

Examples

This example shows how to display the network details:


(Cisco Controller) > show network 

Related Commands

config network

show network summary

show network multicast mgid detail

show network multicast mgid summary

show network summary

To display the network configuration of the Cisco wireless LAN controller, use the show network summary command.

show network summary

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Command History

Release Modification
8.3 This command was introduced.

Examples

This example shows how to display a summary configuration:


(Cisco Controller) >show network summary 
RF-Network Name............................. RF
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
Ethernet Multicast Mode..................... Disable   Mode: Ucast
Ethernet Broadcast Mode..................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
AP Multicast/Broadcast Mode................. Unicast
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds
MLD query interval.......................... 20 seconds
User Idle Timeout........................... 300 seconds
AP Join Priority............................ Disable
ARP Idle Timeout............................ 300 seconds
ARP Unicast Mode............................ Disabled
Cisco AP Default Master..................... Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Over The Air Provisioning of AP's........... Enable
Apple Talk ................................. Disable
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Disable
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect  ................... Disable
Web Auth Captive-Bypass   .................. Disable
Web Auth Secure Web  ....................... Enable
Fast SSID Change ........................... Disabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Disable
oeap-600 local-network ..................... Enable
mDNS snooping............................... Disabled
mDNS Query Interval......................... 15 minutes
Web Color Theme............................. Red
Web Color Theme............................. Default
CAPWAP Prefer Mode.......................... IPv4

show ntp-keys

To display network time protocol authentication key details, use the show ntp-keys command.

show ntp-keys

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Command History

Release Modification
8.3 This command was introduced.

Examples

This example shows how to display NTP authentication key details:


(Cisco Controller) > show ntp-keys
Ntp Authentication Key Details...................
      Key Index
     -----------
         1
         3

Related Commands

config time ntp

show radius acct detailed

To display RADIUS accounting server information, use the show radius acct detailed command.

show radius acct detailed radius_index

Syntax Description

radius_index

Radius server index. The range is from 1 to 17.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display RADIUS accounting server information:


(Cisco Controller) > show radius acct detailed 5

Radius Index........5
NAI Realms..........LAB.VTV.BLR.cisco.co.in

show radius acct statistics

To display the RADIUS accounting server statistics for the Cisco wireless LAN controller, use the show radius acct statistics command.

show radius acct statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display RADIUS accounting server statistics:


(Cisco Controller) > show radius acct statistics
Accounting Servers:
Server Index..................................... 1
Server Address................................... 10.1.17.10
Msg Round Trip Time.............................. 0 (1/100 second)
First Requests................................... 0
Retry Requests................................... 0
Accounting Responses............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0

Related Commands

config radius acct

config radius acct ipsec authentication

config radius acct ipsec disable

config radius acct network

show radius auth statistics



show radius summary

show radius auth detailed

To display RADIUS authentication server information, use the show radius auth detailed command.

show radius auth detailed radius_index

Syntax Description

radius_index

Radius server index. The range is from 1 to 17.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display RADIUS authentication server information:


(Cisco Controller) > show radius auth detailed 1

Radius Index........1
NAI Realms..........LAB.VTV.BLR.cisco.co.in

show radius auth statistics

To display the RADIUS authentication server statistics for the Cisco wireless LAN controller, use the show radius auth statistics command.

show radius auth statistics

This command has no arguments or keyword.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display RADIUS authentication server statistics:


(Cisco Controller) > show radius auth statistics
Authentication Servers:
  Server Index..................................... 1
  Server Address................................... 1.1.1.1
  Msg Round Trip Time.............................. 0 (1/100 second)
  First Requests................................... 0
  Retry Requests................................... 0
  Accept Responses................................. 0
  Reject Responses................................. 0
  Challenge Responses.............................. 0
  Malformed Msgs................................... 0
  Bad Authenticator Msgs........................... 0
  Pending Requests................................. 0
  Timeout Requests................................. 0
  Unknowntype Msgs................................. 0
  Other Drops...................................... 0

Related Commands

config radius auth

config radius auth management

config radius auth network

show radius summary

show radius avp-list

To display RADIUS VSA AVPs, use the show radius avp-list command.

show radius avp-list profile-name

Syntax Description

profile-name

Profile name for which downloaded AVPs to be shown.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display RADIUS VSA AVPs:


(Cisco Controller) > show radius avp-list


show radius summary

To display the RADIUS authentication and accounting server summary, use the show radius summary command.

show radius summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display a RADIUS authentication server summary:


(Cisco Controller) > show radius summary
Vendor Id Backward Compatibility................. Disabled
Credentials Caching.............................. Disabled
Call Station Id Type............................. IP Address
Administrative Authentication via RADIUS......... Enabled
Authentication Servers
Index  Type  Server Address    Port    State     Tout  RFC-3576  IPsec - AuthMod
e/Phase1/Group/Lifetime/Auth/Encr
-----  ----  ----------------  ------  --------  ----  --------  ---------------
---------------------------------
Accounting Servers
Index  Type  Server Address    Port    State     Tout  RFC-3576  IPsec - AuthMod
e/Phase1/Group/Lifetime/Auth/Encr
-----  ----  ----------------  ------  --------  ----  --------  ---------------
---------------------------------

Related Commands

show radius auth statistics

show radius acct statistics



show rules

To display the active internal firewall rules, use the show rules command.

show rules

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display active internal firewall rules:


(Cisco Controller) > show rules
--------------------------------------------------------
Rule ID.............: 3
Ref count...........: 0
Precedence..........: 99999999
Flags...............: 00000001 ( PASS )
Source IP range:
        (Local stack)
Destination IP range:
        (Local stack)
--------------------------------------------------------
Rule ID.............: 25
Ref count...........: 0
Precedence..........: 99999999
Flags...............: 00000001 ( PASS )
Service Info
        Service name........: GDB
        Protocol............: 6
        Source port low.....: 0
        Source port high....: 0
        Dest port low.......: 1000
        Dest port high......: 1000
Source IP range:
IP High............: 0.0.0.0
        Interface..........: ANY
Destination IP range:
        (Local stack)
--------------------------------------------------------

show rogue adhoc custom summary

To display information about custom rogue ad-hoc rogue access points, use the show rogue adhoc custom summary command.

show rogue adhoc custom summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display details of custom rogue ad-hoc rogue access points:

(Cisco Controller) > show rogue adhoc custom summary
Number of Adhocs............................0

MAC Address        State              # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------

Related Commands

show rogue adhoc detailed

show rogue adhoc summary

show rogue adhoc friendly summary

show rogue adhoc malicious summary

show rogue adhoc unclassified summary

config rogue adhoc

show rogue adhoc detailed

To display details of an ad-hoc rogue access point detected by the Cisco wireless LAN controller, use the show rogue adhoc client detailed command.

show rogue adhoc detailed MAC_address

Syntax Description

MAC_address

Adhoc rogue MAC address.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display detailed ad-hoc rogue MAC address information:


(Cisco Controller) > show rogue adhoc client detailed 02:61:ce:8e:a8:8c
Adhoc Rogue MAC address.......................... 02:61:ce:8e:a8:8c
Adhoc Rogue BSSID................................ 02:61:ce:8e:a8:8c
State............................................ Alert
First Time Adhoc Rogue was Reported.............. Tue Dec 11 20:45:45 2007
Last Time Adhoc Rogue was Reported............... Tue Dec 11 20:45:45 2007
Reported By
AP 1
MAC Address.............................. 00:14:1b:58:4a:e0
Name..................................... AP0014.1ced.2a60
Radio Type............................... 802.11b
SSID..................................... rf4k3ap
Channel.................................. 3
RSSI..................................... -56 dBm
SNR...................................... 15 dB
Encryption............................... Disabled
ShortPreamble............................ Disabled
WPA Support.............................. Disabled
Last reported by this AP............... Tue Dec 11 20:45:45 2007

Related Commands

config rogue adhoc

show rogue ignore-list

show rogue rule summary

show rogue rule detailed

config rogue rule

show rogue adhoc summary

show rogue adhoc friendly summary

To display information about friendly rogue ad-hoc rogue access points, use the show rogue adhoc friendly summary command.

show rogue adhoc friendly summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display information about friendly rogue ad-hoc rogue access points:

(Cisco Controller) > show rogue adhoc friendly summary

Number of Adhocs............................0

MAC Address        State              # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------

Related Commands

show rogue adhoc custom summary

show rogue adhoc detailed

show rogue adhoc summary

show rogue adhoc malicious summary

show rogue adhoc unclassified summary

config rogue adhoc

show rogue adhoc malicious summary

To display information about malicious rogue ad-hoc rogue access points, use the show rogue adhoc malicious summary command.

show rogue adhoc malicious summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display details of malicious rogue ad-hoc rogue access points:

(Cisco Controller) > show rogue adhoc malicious summary
Number of Adhocs............................0

MAC Address        State              # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------

Related Commands

show rogue adhoc custom summary

show rogue adhoc detailed

show rogue adhoc summary

show rogue adhoc friendly summary

show rogue adhoc unclassified summary

config rogue adhoc

show rogue adhoc unclassified summary

To display information about unclassified rogue ad-hoc rogue access points, use the show rogue adhoc unclassified summary command.

show rogue adhoc unclassified summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display information about unclassified rogue ad-hoc rogue access points:

(Cisco Controller) > show rogue adhoc unclassified summary

Number of Adhocs............................0

MAC Address        State              # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------

Related Commands

show rogue adhoc custom summary

show rogue adhoc detailed

show rogue adhoc summary

show rogue adhoc friendly summary

show rogue adhoc malicious summary

config rogue adhoc

show rogue adhoc summary

To display a summary of the ad-hoc rogue access points detected by the Cisco wireless LAN controller, use the show rogue adhoc summary command.

show rogue adhoc summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display a summary of all ad-hoc rogues:


(Cisco Controller) > show rogue adhoc summary
Detect and report Ad-Hoc Networks................ Enabled
Client MAC Address   Adhoc BSSID    State  # APs       Last Heard
------------------   -----------    -----    ---       -------
xx:xx:xx:xx:xx:xx    super          Alert    1         Sat Aug  9 21:12:50 2004
xx:xx:xx:xx:xx:xx                   Alert    1         Aug  9 21:12:50 2003
xx:xx:xx:xx:xx:xx                   Alert    1         Sat Aug  9 21:10:50 2003 

Related Commands

config rogue adhoc

show rogue ignore-list

show rogue rule summary

show rogue rule detailed

config rogue rule

show rogue adhoc detailed

show rogue ap custom summary

To display information about custom rogue ad-hoc rogue access points, use the show rogue ap custom summary command.

show rogue ap custom summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display details of custom rogue ad-hoc rogue access points:

(Cisco Controller) > show rogue ap custom summary

Number of APs............................0

MAC Address        State              # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------			

Related Commands

config rogue adhoc

config rogue ap classify

config rogue ap friendly

config rogue ap rldp

config rogue ap timeout

config rogue ap valid-client

config rogue client

config trapflags rogueap

show rogue ap clients

show rogue ap detailed

show rogue ap summary

show rogue ap malicious summary

show rogue ap unclassified summary

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

show rogue ap clients

To display details of rogue access point clients detected by the Cisco wireless LAN controller, use the show rogue ap clients command.

show rogue ap clients ap_mac_address

Syntax Description

ap_mac_address

Rogue access point MAC address.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display details of rogue access point clients:


(Cisco Controller) > show rogue ap clients xx:xx:xx:xx:xx:xx
MAC Address State # APs Last Heard
----------------- ------------------ ----- -------------------------
00:bb:cd:12:ab:ff Alert 1 Fri Nov 30 11:26:23 2007

Related Commands

config rogue adhoc

config rogue ap classify

config rogue ap friendly

config rogue ap rldp

config rogue ap timeout

config rogue ap valid-client

config rogue client

config trapflags rogueap

show rogue ap detailed

show rogue ap summary

show rogue ap friendly summary

show rogue ap malicious summary

show rogue ap unclassified summary

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

show rogue ap detailed

To display details of a rogue access point detected by the Cisco wireless LAN controller, use the show rogue-ap detailed command.

show rogue ap detailed ap_mac_address

Syntax Description

ap_mac_address

Rogue access point MAC address.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display detailed information of a rogue access point:


(Cisco Controller) > show rogue ap detailed xx:xx:xx:xx:xx:xx
Rogue BSSID...................................... 00:0b:85:63:d1:94
Is Rogue on Wired Network........................ No
Classification................................... Unclassified
State............................................ Alert
First Time Rogue was Reported.................... Fri Nov 30 11:24:56 2007
Last Time Rogue was Reported..................... Fri Nov 30 11:24:56 2007
Reported By
AP 1
MAC Address.............................. 00:12:44:bb:25:d0
Name..................................... flexconnect
Radio Type............................... 802.11g
SSID..................................... edu-eap
Channel.................................. 6
RSSI..................................... -61 dBm
SNR...................................... -1 dB
Encryption............................... Enabled
ShortPreamble............................ Enabled
WPA Support.............................. Disabled
Last reported by this AP.............. Fri Nov 30 11:24:56 2007

This example shows how to display detailed information of a rogue access point with a customized classification:

(Cisco Controller) > show rogue ap detailed xx:xx:xx:xx:xx:xx
Rogue BSSID...................................... 00:17:0f:34:48:a0
Is Rogue on Wired Network........................ No
Classification................................... custom
Severity Score .................................. 1
Class Name........................................VeryMalicious
Class Change by.................................. Rogue Rule
Classified at ................................... -60 dBm
Classified by.................................... c4:0a:cb:a1:18:80       
State............................................ Contained
State change by.................................. Rogue Rule 
First Time Rogue was Reported.................... Mon Jun  4 10:31:18 2012
Last Time Rogue was Reported..................... Mon Jun  4 10:31:18 2012
Reported By
    AP 1
        MAC Address.............................. c4:0a:cb:a1:18:80  
        Name..................................... SHIELD-3600-2027
        Radio Type............................... 802.11g
        SSID..................................... sri
        Channel.................................. 11
        RSSI..................................... -87 dBm
        SNR...................................... 4 dB
        Encryption............................... Enabled
        ShortPreamble............................ Enabled
        WPA Support.............................. Enabled
        Last reported by this AP................. Mon Jun  4 10:31:18 2012

Related Commands

config rogue adhoc

config rogue ap classify

config rogue ap friendly

config rogue ap rldp

config rogue ap timeout

config rogue ap valid-client

config rogue client

config trapflags rogueap

show rogue ap clients

show rogue ap summary

show rogue ap friendly summary

show rogue ap malicious summary

show rogue ap unclassified summary

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

show rogue ap summary

To display a summary of the rogue access points detected by the Cisco wireless LAN controller, use the show rogue-ap summary command.

show rogue ap summary { ssid | channel }

Syntax Description

ssid

Displays specific user-configured SSID of the rogue access point.

channel

Displays specific user-configured radio type and channel of the rogue access point.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display a summary of all rogue access points:


(Cisco Controller) > show rogue ap summary

Rogue Location Discovery Protocol................  Disabled
Rogue ap timeout.................................  1200
Rogue on wire Auto-Contain....................... Disabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
Rogue Detection Report Interval.................. 10
Rogue Detection Min Rssi......................... -128
Rogue Detection Transient Interval............... 0
Rogue Detection Client Num Thershold............. 0
Total Rogues(AP+Ad-hoc) supported................ 2000
Total Rogues classified.......................... 729

MAC Address        Classification     # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------
xx:xx:xx:xx:xx:xx  friendly           1     0         Thu Aug  4 18:57:11 2005
xx:xx:xx:xx:xx:xx  malicious          1     0         Thu Aug  4 19:00:11 2005
xx:xx:xx:xx:xx:xx  malicious          1     0         Thu Aug  4 18:57:11 2005
xx:xx:xx:xx:xx:xx  malicious          1     0         Thu Aug  4 18:57:11 2005

The following example shows how to display a summary of all rogue access points with SSID as extended parameter.

(Cisco Controller) > show rogue ap summary ssid                   

MAC Address        Class              State      SSID  Security
--------------------------------------------------------------------------------------

xx:xx:xx:xx:xx:xx  Unclassified       Alert       xxx	  Open
xx:xx:xx:xx:xx:xx  Unclassified       Alert       xxx		 Open
xx:xx:xx:xx:xx:xx  Pending            Pending     xxx			Open
xx:xx:xx:xx:xx:xx  Unclassified       Alert       xxx			WEP/WPA

The following example shows how to display a summary of all rogue access points with channel as extended parameter.

(Cisco Controller) > show rogue ap summary channel               

MAC Address        Class              State  Det RadioType    Channel	RSSIlast/Max)
--------------------------------------------------------------------------------------------------------------------

xx:xx:xx:xx:xx:xx  Unclassified       Alert  802.11g           11    -53 / -48
xx:xx:xx:xx:xx:xx  Unclassified       Alert  802.11g           11    -53 / -48
xx:xx:xx:xx:xx:xx  Unclassified       Alert  802.11a           149    -74 / -69
xx:xx:xx:xx:xx:xx  Unclassified       Alert  802.11a           149    -74 / -69
xx:xx:xx:xx:xx:xx  Unclassified       Alert  802.11a           149    -74 / -69

The following example shows how to display a summary of all rogue access points with both SSID and channel as extended parameters.

(Cisco Controller) > show rogue ap summary ssid channel               

MAC Address        Class        State    SSID                  Security  Det RadioType Channel  RSSI(last/Max)
-----------------------------------------------------------------------------------------------------------------
xx:xx:xx:xx:xx:xx  Unclassified  Alert   dd                   WEP/WPA     802.11n5G      56    -73 / -62
xx:xx:xx:xx:xx:xx  Unclassified  Alert   SSID IS HIDDEN       Open        802.11a        149   -68 / -66
xx:xx:xx:xx:xx:xx  Unclassified  Alert   wlan16               WEP/WPA     802.11n5G      149   -71 / -71
xx:xx:xx:xx:xx:xx  Unclassified  Alert   wlan15               WEP/WPA     802.11n5G      149   -71 / -71
xx:xx:xx:xx:xx:xx  Unclassified  Alert   wlan14               WEP/WPA     802.11n5G      149   -71 / -71
xx:xx:xx:xx:xx:xx  Unclassified  Alert   wlan13               WEP/WPA     802.11n5G      149   -71 / -70
xx:xx:xx:xx:xx:xx  Unclassified  Alert   wlan12               WEP/WPA     802.11n5G      149   -71 / -71

Related Commands

config rogue adhoc

config rogue ap classify

config rogue ap friendly

config rogue ap rldp

config rogue ap timeout

config rogue ap valid-client

config rogue client

config trapflags rogueap

show rogue ap clients

show rogue ap detailed

show rogue ap friendly summary

show rogue ap malicious summary

show rogue ap unclassified summary

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

show rogue ap friendly summary

To display a list of the friendly rogue access points detected by the controller, use the show rogue ap friendly summary command.

show rogue ap friendly summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display a summary of all friendly rogue access points:


(Cisco Controller) > show rogue ap friendly summary
Number of APs.................................... 1
MAC Address 					State 				# APs	 # Clients Last Heard
----------------- ------------------ ----- --------- ---------------------------
XX:XX:XX:XX:XX:XX Internal 			1		 0 	Tue Nov 27 13:52:04 2007

Related Commands

config rogue adhoc

config rogue ap classify

config rogue ap friendly

config rogue ap rldp

config rogue ap timeout

config rogue ap valid-client

config rogue client

config trapflags rogueap

show rogue ap clients

show rogue ap detailed

show rogue ap summary

show rogue ap malicious summary

show rogue ap unclassified summary

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

show rogue ap malicious summary

To display a list of the malicious rogue access points detected by the controller, use the show rogue ap malicious summary command.

show rogue ap malicious summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display a summary of all malicious rogue access points:


(Cisco Controller) > show rogue ap malicious summary
Number of APs.................................... 2
MAC Address 					State 				# APs	 # Clients Last Heard
----------------- ------------------ ----- --------- ---------------------------
XX:XX:XX:XX:XX:XX Alert 										1		 0 	Tue Nov 27 13:52:04 2007
XX:XX:XX:XX:XX:XX Alert 										1		 0 	Tue Nov 27 13:52:04 2007

Related Commands

config rogue adhoc

config rogue ap classify

config rogue ap friendly

config rogue ap rldp

config rogue ap timeout

config rogue ap valid-client

config rogue client

config trapflags rogueap

show rogue ap clients

show rogue ap detailed

show rogue ap summary

show rogue ap friendly summary

show rogue ap unclassified summary

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

show rogue ap unclassified summary

To display a list of the unclassified rogue access points detected by the controller, use the show rogue ap unclassified summary command.

show rogue ap unclassified summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display a list of all unclassified rogue access points:


(Cisco Controller) > show rogue ap unclassified summary
Number of APs.................................... 164
MAC Address 	    State 	# APs # Clients Last Heard
----------------- ------------- ----- --------- ---------------
XX:XX:XX:XX:XX:XX Alert   1      	0 	  Fri Nov 30 11:12:52 2007
XX:XX:XX:XX:XX:XX Alert 	 1	      0 	  Fri Nov 30 11:29:01 2007
XX:XX:XX:XX:XX:XX Alert 	 1	      0 	  Fri Nov 30 11:26:23 2007
XX:XX:XX:XX:XX:XX Alert 	 1       0	   Fri Nov 30 11:26:23 2007

show rogue client detailed

To display details of a rogue client detected by a Cisco wireless LAN controller, use the show rogue client detailed command.

show rogue client detailed Rogue_AP MAC_address

Syntax Description

Rogue_AP

Rogue AP address.

MAC_address

Rogue client MAC address.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display detailed information for a rogue client:


(Cisco Controller) > show rogue client detailed xx:xx:xx:xx:xx:xx
Rogue BSSID...................................... 00:0b:85:23:ea:d1
State............................................ Alert
First Time Rogue was Reported.................... Mon Dec 3 21:50:36 2007
Last Time Rogue was Reported..................... Mon Dec 3 21:50:36 2007
Rogue Client IP address.......................... Not known
Reported By
AP 1
MAC Address.............................. 00:15:c7:82:b6:b0
Name..................................... AP0016.47b2.31ea
Radio Type............................... 802.11a
RSSI..................................... -71 dBm
SNR...................................... 23 dB
Channel.................................. 149
Last reported by this AP.............. Mon Dec 3 21:50:36 2007

Related Commands

show rogue client summary

show rogue ignore-list

config rogue rule client

config rogue rule

show rogue client summary

To display a summary of the rogue clients detected by the Cisco wireless LAN controller, use the show rogue client summary command.

show rogue client summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display a list of all rogue clients:


(Cisco Controller) > show rogue client summary
Validate rogue clients against AAA............... Disabled
Total Rogue Clients supported.................... 2500
Total Rogue Clients present...................... 3
MAC Address        State              # APs Last Heard
-----------------  ------------------ ----- -----------------------
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 19:00:08 2005
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 19:09:11 2005
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 19:03:11 2005
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 19:03:11 2005
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 19:09:11 2005
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 18:57:08 2005
xx:xx:xx:xx:xx:xx  Alert              1     Thu Aug  4 19:12:08 2005

Related Commands

show rogue client detailed

show rogue ignore-list

config rogue client



config rogue rule

show rogue ignore-list

To display a list of rogue access points that are configured to be ignored, use the show rogue ignore-list command.

show rogue ignore-list

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display a list of all rogue access points that are configured to be ignored.


(Cisco Controller) > show rogue ignore-list

MAC Address       
-----------------  
xx:xx:xx:xx:xx:xx

Related Commands

config rogue adhoc

config rogue ap classify



config rogue ap friendly

config rogue ap rldp

config rogue ap ssid

config rogue ap timeout

config rogue ap valid-client

config rogue rule



config trapflags rogueap







show rogue client detailed

show rogue ignore-list

show rogue rule summary

show rogue client summary

show rogue ap unclassified summary

show rogue ap malicious summary

show rogue ap friendly summary



config rogue client

show rogue ap summary

show rogue ap clients

show rogue ap detailed



config rogue rule

show rogue rule detailed

To display detailed information for a specific rogue classification rule, use the show rogue rule detailed command.

show rogue rule detailed rule_name

Syntax Description

rule_name

Rogue rule name.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display detailed information on a specific rogue classification rule:


(Cisco Controller) > show rogue rule detailed Rule2
Priority......................................... 2
Rule Name........................................ Rule2
State............................................ Enabled
Type............................................. Malicious
Severity Score................................... 1
Class Name....................................... Very_Malicious
Notify........................................... All
State ........................................... Contain
Match Operation.................................. Any
Hit Count........................................ 352
Total Conditions................................. 2
Condition 1
    type......................................... Client-count
    value........................................ 10
Condition 2
    type......................................... Duration
    value (seconds).............................. 2000
Condition 3
    type......................................... Managed-ssid
    value........................................ Enabled
Condition 4
    type......................................... No-encryption
    value........................................ Enabled
Condition 5
    type......................................... Rssi
    value (dBm).................................. -50
Condition 6
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1.................................... test

Related Commands

config rogue rule

show rogue ignore-list

show rogue rule summary

show rogue rule summary

To display the rogue classification rules that are configured on the controller, use the show rogue rule summary command.

show rogue rule summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display a list of all rogue rules that are configured on the controller:


(Cisco Controller) > show rogue rule summary
Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        mtest                   Enabled  Malicious     All   0
2        asdfasdf                Enabled  Malicious     All   0

The following example shows how to display a list of all rogue rules that are configured on the controller:

(Cisco Controller) > show rogue rule summary
Priority         Rule Name                 Rule state Class Type   Notify   State    Match Hit Count
-------- -------------------------------- ----------- ----------- -------- -------- ------ ---------
1        rule2                            Enabled    Friendly     Global   Alert    All    234
2        rule1                            Enabled    Custom       Global   Alert    All    0

Related Commands

config rogue rule

show rogue ignore-list

show rogue rule detailed

show tacacs acct statistics

To display detailed radio frequency identification (RFID) information for a specified tag, use the show tacacs acct statistics command.

show tacacs acct statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display detailed RFID information:


(Cisco Controller) > show tacacs acct statistics
Accounting Servers:
Server Index..................................... 1
Server Address................................... 10.0.0.0
Msg Round Trip Time.............................. 0 (1/100 second)
First Requests................................... 1
Retry Requests................................... 0
Accounting Response.............................. 0
Accounting Request Success....................... 0
Accounting Request Failure....................... 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. -1
Timeout Requests................................. 1
Unknowntype Msgs................................. 0
Other Drops...................................... 0

Related Commands

config tacacs acct

config tacacs auth

show tacacs summary

show tacacs athr statistics

To display TACACS+ server authorization statistics, use the show tacacs athr statistics command.

show tacacs athr statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display TACACS server authorization statistics:


(Cisco Controller) > show tacacs athr statistics
Authorization Servers:
Server Index..................................... 3
Server Address................................... 10.0.0.3
Msg Round Trip Time.............................. 0 (1/100 second)
First Requests................................... 0
Retry Requests................................... 0
Received Responses............................... 0
Authorization Success............................ 0
Authorization Failure............................ 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0

Related Commands

config tacacs acct

config tacacs athr

config tacacs auth

show tacacs auth statistics

show tacacs summary

show tacacs auth statistics

To display TACACS+ server authentication statistics, use the show tacacs auth statistics command.

show tacacs auth statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display TACACS server authentication statistics:


(Cisco Controller) > show tacacs auth statistics
Authentication Servers:
Server Index..................................... 2
Server Address................................... 10.0.0.2
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Error Responses.................................. 0
Restart Responses................................ 0
Follow Responses................................. 0
GetData Responses................................ 0
Encrypt no secret Responses...................... 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0

Related Commands

config tacacs acct

config tacacs auth

show tacacs summary

show tacacs summary

To display TACACS+ server summary information, use the show tacacs summary command.

show tacacs summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display TACACS server summary information:


(Cisco Controller) > show tacacs summary
Authentication Servers
Idx  Server Address    Port    State     Tout
---  ----------------  ------  --------  ----
2    10.0.0.1          49       Enabled   30
Accounting Servers
Idx  Server Address    Port    State     Tout
---  ----------------  ------  --------  ----
1    10.0.0.0          49      Enabled    5
Authorization Servers
Idx  Server Address    Port    State     Tout
---  ----------------  ------  --------  ----
3    10.0.0.3          49       Enabled   5
Idx  Server Address    Port    State     Tout
---  ----------------  ------  --------  ----
4    2001:9:6:40::623  49       Enabled   5
...

Related Commands

config tacacs acct

config tacacs athr

config tacacs auth

show tacacs summary

show tacacs athr statistics

show tacacs auth statistics

config Commands

This section lists the config commands to configure security settings for the controller.

config 802.11b preamble

To change the 802.11b preamble as defined in subclause 18.2.2.2 to long (slower, but more reliable) or short (faster, but less reliable), use the config 802.11b preamble command.

config 802.11b preamble { long | short}

Syntax Description

long

Specifies the long 802.11b preamble.

short

Specifies the short 802.11b preamble.

Command Default

The default 802.11b preamble value is short.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines


Note


You must reboot the Cisco Wireless LAN Controller (reset system) with save to implement this command.


This parameter must be set to long to optimize this Cisco wireless LAN controller for some clients, including SpectraLink NetLink telephones.

This command can be used any time that the CLI interface is active.

Examples

The following example shows how to change the 802.11b preamble to short:

  (Cisco Controller) >config 802.11b preamble short
  (Cisco Controller) >(reset system with save)

config aaa auth

To configure the AAA authentication search order for management users, use the config aaa auth command.

config aaa auth mgmt [ aaa_server_type1 | aaa_server_type2]

Syntax Description

mgmt

Configures the AAA authentication search order for controller management users by specifying up to three AAA authentication server types. The order that the server types are entered specifies the AAA authentication search order.

aaa_server_type

(Optional) AAA authentication server type (local, radius, or tacacs). The local setting specifies the local database, the radius setting specifies the RADIUS server, and the tacacs setting specifies the TACACS+ server.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

You can enter two AAA server types as long as one of the server types is local. You cannot enter radius and tacacs together.

Examples

The following example shows how to configure the AAA authentication search order for controller management users by the authentication server type local:

(Cisco Controller) > config aaa auth radius local

Related Commands

show aaa auth

config aaa auth mgmt

To configure the order of authentication when multiple databases are configured, use the config aaa auth mgmt command.

config aaa auth mgmt [ radius | tacacs]

Syntax Description

radius

(Optional) Configures the order of authentication for RADIUS servers.

tacacs

(Optional) Configures the order of authentication for TACACS servers.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the order of authentication for the RADIUS server:

(Cisco Controller) > config aaa auth mgmt radius

The following example shows how to configure the order of authentication for the TACACS server:

(Cisco Controller) > config aaa auth mgmt tacacs

Related Commands

show aaa auth order

config auth-list add

To create an authorized access point entry, use the config auth-list add command.

config auth-list add { mic | ssc} AP_MAC [ AP_key]

Syntax Description

mic

Specifies that the access point has a manufacture-installed certificate.

ssc

Specifies that the access point has a self-signed certificate.

AP_MAC

MAC address of a Cisco lightweight access point.

AP_key

(Optional) Key hash value that is equal to 20 bytes or 40 digits.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to create an authorized access point entry with a manufacturer-installed certificate on MAC address 00:0b:85:02:0d:20:


(Cisco Controller) > config auth-list add 00:0b:85:02:0d:20

Related Commands

config auth-list delete

config auth-list ap-policy

config auth-list ap-policy

To configure an access point authorization policy, use the config auth-list ap-policy command.

config auth-list ap-policy { authorize-ap { enable | disable} | ssc { enable | disable}}

Syntax Description

authorize-ap enable

Enables the authorization policy.

authorize-ap disable

Disables the AP authorization policy.

ssc enable

Allows the APs with self-signed certificates to connect.

ssc disable

Disallows the APs with self-signed certificates to connect.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable an access point authorization policy:


(Cisco Controller) > config auth-list ap-policy authorize-ap enable

The following example shows how to enable an access point with a self-signed certificate to connect:


(Cisco Controller) > config auth-list ap-policy ssc disable

Related Commands

config auth-list delete

config auth-list add

config auth-list delete

To delete an access point entry, use the config auth-list delete command.

config auth-list delete AP_MAC

Syntax Description

AP_MAC

MAC address of a Cisco lightweight access point.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to delete an access point entry for MAC address 00:1f:ca:cf:b6:60:


(Cisco Controller) > config auth-list delete 00:1f:ca:cf:b6:60

Related Commands

config auth-list delete

config auth-list add

config auth-list ap-policy

config advanced eap

To configure advanced extensible authentication protocol (EAP) settings, use the config advanced eap command.

config advanced eap { bcast-key-interval seconds | eapol-key-timeout timeout | eapol-key-retries retries | identity-request-timeout timeout | identity-request-retries retries | key-index index | max-login-ignore-identity-response
{ enable | disable} request-timeout timeout | request-retries retries}

Syntax Description

bcast-key-interval seconds

Specifies the EAP-broadcast key renew interval time in seconds.

The range is from 120 to 86400 seconds.

eapol-key-timeout timeout

Specifies the amount of time (200 to 5000 milliseconds) that the controller waits before retransmitting an EAPOL (WPA) key message to a wireless client using EAP or WPA/WPA-2 PSK.

The default value is 1000 milliseconds.

eapol-key-retries retries

Specifies the maximum number of times (0 to 4 retries) that the controller retransmits an EAPOL (WPA) key message to a wireless client.

The default value is 2.

identity-request-
timeout timeout

Specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting an EAP Identity Request message to a wireless client.

The default value is 30 seconds.

identity-request-
retries

Specifies the maximum number of times (0 to 4 retries) that the controller retransmits an EAPOL (WPA) key message to a wireless client.

The default value is 2.

key-index index

Specifies the key index (0 or 3) used for dynamic wired equivalent privacy (WEP).

max-login-ignore-
identity-response

When enabled, this command ignores the limit set for the number of devices that can be connected to the controller with the same username using 802.1xauthentication. When disabled, this command limits the number of devices that can be connected to the controller with the same username. This option is not applicable for Web auth user.

Use the command config netuser maxUserLogin to set the limit of maximum number of devices per same username

enable

Ignores the same username reaching the maximum EAP identity response.

disable

Checks the same username reaching the maximum EAP identity response.

request-timeout

For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting the message to a wireless client.

The default value is 30 seconds.

request-retries

(Optional) For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the maximum number of times (0 to 20 retries) that the controller retransmits the message to a wireless client.

The default value is 2.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the key index used for dynamic wired equivalent privacy (WEP):


(Cisco Controller) > config advanced eap key-index 0

Related Commands

show advanced eap

config advanced timers auth-timeout

To configure the authentication timeout, use the config advanced timers auth-timeout command.

config advanced timers auth-timeout seconds

Syntax Description

seconds

Authentication response timeout value in seconds between 10 and 600.

Command Default

The default authentication timeout value is 10 seconds.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the authentication timeout to 20 seconds:

(Cisco Controller) >config advanced timers auth-timeout 20

config advanced timers eap-timeout

To configure the Extensible Authentication Protocol (EAP) expiration timeout, use the config advanced timers eap-timeout command.

config advanced timers eap-timeout seconds

Syntax Description

seconds

EAP timeout value in seconds between 8 and 120.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the EAP expiration timeout to 10 seconds:

(Cisco Controller) >config advanced timers eap-timeout 10

config advanced timers eap-identity-request-delay

To configure the advanced Extensible Authentication Protocol (EAP) identity request delay in seconds, use the config advanced timers eap-identity-request-delay command.

config advanced timers eap-identity-request-delay seconds

Syntax Description

seconds

Advanced EAP identity request delay in number of seconds between 0 and 10.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the advanced EAP identity request delay to 8 seconds:

(Cisco Controller) >config advanced timers eap-identity-request-delay 8

config database size

To configure the local database, use the config database size command.

config database size count

Syntax Description

count

Database size value between 512 and 2040

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

Use the show database command to display local database configuration.

Examples

The following example shows how to configure the size of the local database:


(Cisco Controller) > config database size 1024

Related Commands

show database

config exclusionlist

To create or delete an exclusion list entry, use the config exclusionlist command.

config exclusionlist { add MAC [ description] | delete MAC | description MAC [ description]}

Syntax Description

config exclusionlist

Configures the exclusion list.

add

Creates a local exclusion-list entry.

delete

Deletes a local exclusion-list entry

description

Specifies the description for an exclusion-list entry.

MAC

MAC address of the local Excluded entry.

description

(Optional) Description, up to 32 characters, for an excluded entry.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to create a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:

(Cisco Controller) > config exclusionlist add xx:xx:xx:xx:xx:xx lab

The following example shows how to delete a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:

(Cisco Controller) > config exclusionlist delete xx:xx:xx:xx:xx:xx lab

Related Commands

show exclusionlist

config local-auth active-timeout

To specify the amount of time in which the controller attempts to authenticate wireless clients using local Extensible Authentication Protocol (EAP) after any pair of configured RADIUS servers fails, use the config local-auth active-timeout command.

config local-auth active-timeout timeout

Syntax Description

timeout

Timeout measured in seconds. The range is from 1 to 3600.

Command Default

The default timeout value is 100 seconds.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to specify the active timeout to authenticate wireless clients using EAP to 500 seconds:


(Cisco Controller) > config local-auth active-timeout 500

Related Commands

clear stats local-auth

config local-auth eap-profile

config local-auth method fast

config local-auth user-credentials

debug aaa local-auth

show local-auth certificates



show local-auth config

show local-auth statistics

config local-auth eap-profile

To configure local Extensible Authentication Protocol (EAP) authentication profiles, use the config local-auth eap-profile command.

config local-auth eap-profile {[ add | delete] profile_name | cert-issuer { cisco | vendor} | method method local-cert { enable | disable} profile_name | method method client-cert { enable | disable} profile_name | method method peer-verify ca-issuer { enable | disable} | method method peer-verify cn-verify{ enable | disable} | method method peer-verify date-valid { enable | disable}

Syntax Description

add

(Optional) Specifies that an EAP profile or method is being added.

delete

(Optional) Specifies that an EAP profile or method is being deleted.

profile_name

EAP profile name (up to 63 alphanumeric characters). Do not include spaces within a profile name.

cert-issuer

(For use with EAP-TLS, PEAP, or EAP-FAST with certificates) Specifies the issuer of the certificates that will be sent to the client. The supported certificate issuers are Cisco or a third-party vendor.

cisco

Specifies the Cisco certificate issuer.

vendor

Specifies the third-party vendor.

method

Configures an EAP profile method.

method

EAP profile method name. The supported methods are leap, fast, tls, and peap.

local-cert

(For use with EAP-FAST) Specifies whether the device certificate on the controller is required for authentication.

enable

Specifies that the parameter is enabled.

disable

Specifies that the parameter is disabled.

client-cert

(For use with EAP-FAST) Specifies whether wireless clients are required to send their device certificates to the controller in order to authenticate.

peer-verify

Configures the peer certificate verification options.

ca-issuer

(For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the incoming certificate from the client is to be validated against the Certificate Authority (CA) certificates on the controller.

cn-verify

(For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the common name (CN) in the incoming certificate is to be validated against the CA certificates’ CN on the controller.

date-valid

(For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the controller is to verify that the incoming device certificate is still valid and has not expired.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to create a local EAP profile named FAST01:


(Cisco Controller) > config local-auth eap-profile add FAST01

The following example shows how to add the EAP-FAST method to a local EAP profile:

(Cisco Controller) > config local-auth eap-profile method add fast FAST01

The following example shows how to specify Cisco as the issuer of the certificates that will be sent to the client for an EAP-FAST profile:

(Cisco Controller) > config local-auth eap-profile method fast cert-issuer cisco

The following example shows how to specify that the incoming certificate from the client be validated against the CA certificates on the controller:

(Cisco Controller) > config local-auth eap-profile method fast peer-verify ca-issuer enable

Related Commands

config local-auth active-timeout

config local-auth method fast

config local-auth user-credentials

debug aaa local-auth

show local-auth certificates



show local-auth config

show local-auth statistics

config local-auth method fast

To configure an EAP-FAST profile, use the config local-auth method fast command.

config local-auth method fast { anon-prov [ enable | disable] | authority-id auth_id pac-ttl days | server-key key_value}

Syntax Description

anon-prov

Configures the controller to allow anonymous provisioning, which allows PACs to be sent automatically to clients that do not have one during Protected Access Credentials (PAC) provisioning.

enable

(Optional) Specifies that the parameter is enabled.

disable

(Optional) Specifies that the parameter is disabled.

authority-id

Configures the authority identifier of the local EAP-FAST server.

auth_id

Authority identifier of the local EAP-FAST server (2 to 32 hexadecimal digits).

pac-ttl

Configures the number of days for the Protected Access Credentials (PAC) to remain viable (also known as the time-to-live [TTL] value).

days

Time-to-live value (TTL) value (1 to 1000 days).

server-key

Configures the server key to encrypt or decrypt PACs.

key_value

Encryption key value (2 to 32 hexadecimal digits).

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to disable the controller to allows anonymous provisioning:

(Cisco Controller) > config local-auth method fast anon-prov disable

The following example shows how to configure the authority identifier 0125631177 of the local EAP-FAST server:

(Cisco Controller) > config local-auth method fast authority-id 0125631177

The following example shows how to configure the number of days to 10 for the PAC to remain viable:

(Cisco Controller) > config local-auth method fast pac-ttl 10

Related Commands

clear stats local-auth

config local-auth eap-profile

config local-auth active-timeout

config local-auth user-credentials

debug aaa local-auth

show local-auth certificates



show local-auth config

show local-auth statistics

config local-auth user-credentials

To configure the local Extensible Authentication Protocol (EAP) authentication database search order for user credentials, use the config local-auth user credentials command.

config local-auth user-credentials { local [ ldap] | ldap [ local] }

Syntax Description

local

Specifies that the local database is searched for the user credentials.

ldap

(Optional) Specifies that the Lightweight Directory Access Protocol (LDAP) database is searched for the user credentials.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

The order of the specified database parameters indicate the database search order.

Examples

The following example shows how to specify the order in which the local EAP authentication database is searched:

(Cisco Controller) > config local-auth user credentials local lda

In the above example, the local database is searched first and then the LDAP database.

Related Commands

clear stats local-auth

config local-auth eap-profile

config local-auth method fast

config local-auth active-timeout

debug aaa local-auth

show local-auth certificates



show local-auth config

show local-auth statistics

config netuser add

To add a guest user on a WLAN or wired guest LAN to the local user database on the controller, use the config netuser add command.

config netuser add username password { wlan wlan_id | guestlan guestlan_id} userType guest lifetime lifetime description description

Syntax Description

username

Guest username. The username can be up to 50 alphanumeric characters.

password

User password. The password can be up to 24 alphanumeric characters.

wlan

Specifies the wireless LAN identifier to associate with or zero for any wireless LAN.

wlan_id

Wireless LAN identifier assigned to the user. A zero value associates the user with any wireless LAN.

guestlan

Specifies the guest LAN identifier to associate with or zero for any wireless LAN.

guestlan_id

Guest LAN ID.

userType

Specifies the user type.

guest

Specifies the guest for the guest user.

lifetime

Specifies the lifetime.

lifetime

Lifetime value (60 to 259200 or 0) in seconds for the guest user.

Note   

A value of 0 indicates an unlimited lifetime.

description

Short description of user. The description can be up to 32 characters enclosed in double-quotes.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

Local network usernames must be unique because they are stored in the same database.

Examples

The following example shows how to add a permanent username Jane to the wireless network for 1 hour:


(Cisco Controller) > config netuser add jane able2 1 wlan_id 1 userType permanent

The following example shows how to add a guest username George to the wireless network for 1 hour:


(Cisco Controller) > config netuser add george able1 guestlan 1 3600

Related Commands

show netuser

config netuser delete

config netuser delete

To delete an existing user from the local network, use the config netuser delete command.

config netuser delete { username username | wlan-id wlan-id}

Syntax Description

username

Network username. The username can be up to 24 alphanumeric characters.

wlan-id

WLAN identification number.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

Local network usernames must be unique because they are stored in the same database.

Note


When a WLAN associated with network users is deleted, the system prompts to delete all network users associated with the WLAN first. After deleting the network users, you can delete the WLAN.


Examples

The following example shows how to delete an existing username named able1 from the network:


(Cisco Controller) > config netuser delete able1
Deleted user able1

Related Commands

show netuser

config netuser description

To add a description to an existing net user, use the config netuser description command.

config netuser description username description

Syntax Description

username

Network username. The username can contain up to 24 alphanumeric characters.

description

(Optional) User description. The description can be up to 32 alphanumeric characters enclosed in double quotes.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to add a user description “HQ1 Contact” to an existing network user named able 1:


(Cisco Controller) > config netuser description able1 “HQ1 Contact”

Related Commands

show netuser

config network web-auth captive-bypass

To configure the controller to support bypass of captive portals at the network level, use the config network web-auth captive-bypass command.

config network web-auth captive-bypass { enable | disable}

Syntax Description

enable

Allows the controller to support bypass of captive portals.

disable

Disallows the controller to support bypass of captive portals.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the controller to support bypass of captive portals:


(Cisco Controller) > config network web-auth captive-bypass enable

Related Commands

show network summary

config network web-auth cmcc-support

config network web-auth secureweb

To configure the secure web (https) authentication for clients, use the config network web-auth secureweb command.

config network web-auth secureweb { enable | disable}

Syntax Description

enable

Allows secure web (https) authentication for clients.

disable

Disallows secure web (https) authentication for clients. Enables http web authentication for clients.

Command Default

The default secure web (https) authentication for clients is enabled.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

If you configure the secure web (https) authentication for clients using the config network web-auth secureweb disable command, then you must reboot the Cisco WLC to implement the change.

Examples

The following example shows how to enable the secure web (https) authentication for clients:


(Cisco Controller) > config network web-auth secureweb enable

Related Commands

show network summary

config network webmode

To enable or disable the web mode, use the config network webmode command.

config network webmode { enable | disable}

Syntax Description

enable

Enables the web interface.

disable

Disables the web interface.

Command Default

The default value for the web mode is enable.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to disable the web interface mode:


(Cisco Controller) > config network webmode disable

Related Commands

show network summary

config network web-auth

To configure the network-level web authentication options, use the config network web-auth command.

config network web-auth { port port-number} | { proxy-redirect { enable | disable}}

Syntax Description

port

Configures additional ports for web authentication redirection.

port-number

Port number (between 0 and 65535).

proxy-redirect

Configures proxy redirect support for web authentication clients.

enable

Enables proxy redirect support for web authentication clients.

Note   

Web-auth proxy redirection will be enabled for ports 80, 8080, and 3128, along with user defined port 345.

disable

Disables proxy redirect support for web authentication clients.

Command Default

The default network-level web authentication value is disabled.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

You must reset the system for the configuration to take effect.

Examples

The following example shows how to enable proxy redirect support for web authentication clients:


(Cisco Controller) > config network web-auth proxy-redirect enable

Related Commands

show network summary


show run-config

config qos protocol-type

config radius acct

To configure settings for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct command.

config radius acct{ { add index IP addr port { ascii | hex} secret} | delete index | disable index | enable index | ipsec { authentication { hmac-md5 index | hmac-sha1 index } | disable index | enable index | encryption { 256-aes | 3des | aes | des} index | ike { auth-mode { pre-shared-key index type shared_secret_key | certificate index } | dh-group { 2048bit-group-14 | group-1 | group-2 | group-5} index | lifetime seconds index | phase1 { aggressive | main} index } } | { mac-delimiter { colon | hyphen | none | single-hyphen} } | { network index { disable | enable} } | { region { group | none | provincial} } | retransmit-timeout index seconds | realm { add | delete} index realm-string}

Syntax Description

add

Adds a RADIUS accounting server (IPv4 or IPv6).

index

RADIUS server index (1 to 17).

IP addr

RADIUS server IP address (IPv4 or IPv6).

port

RADIUS server’s UDP port number for the interface protocols.

ascii

Specifies the RADIUS server’s secret type: ascii.

hex

Specifies the RADIUS server’s secret type: hex.

secret

RADIUS server’s secret.

enable

Enables a RADIUS accounting server.

disable

Disables a RADIUS accounting server.

delete

Deletes a RADIUS accounting server.

ipsec

Enables or disables IPSec support for an accounting server.
Note    IPSec is not supported for IPv6.

authentication

Configures IPSec Authentication.

hmac-md5

Enables IPSec HMAC-MD5 authentication.

hmac-sha1

Enables IPSec HMAC-SHA1 authentication.

disable

Disables IPSec support for an accounting server.

enable

Enables IPSec support for an accounting server.

encryption

Configures IPSec encryption.

256-aes

Enables IPSec AES-256 encryption.

3des

Enables IPSec 3DES encryption.

aes

Enables IPSec AES-128 encryption.

des

Enables IPSec DES encryption.

ike

Configures Internet Key Exchange (IKE).

auth-mode

Configures IKE authentication method.

pre-shared-key

Pre-shared key for authentication.

certificate

Certificate used for authentication.

dh-group

Configures IKE Diffie-Hellman group.

2048bit-group-14

Configures DH group 14 (2048 bits).

group-1

Configures DH group 1 (768 bits).

group-2

Configures DH group 2 (1024 bits).

group-5

Configures DH group 5 (1536 bits).

lifetime seconds

Configures IKE lifetime in seconds. The range is from 1800 to 57600 seconds and the default is 28800.

phase1

Configures IKE phase1 mode.

aggressive

Enables IKE aggressive mode.

main

Enables IKE main mode.

mac-delimiter

Configures MAC delimiter for caller station ID and calling station ID.

colon

Sets the delimiter to colon (For example: xx:xx:xx:xx:xx:xx).

hyphen

Sets the delimiter to hyphen (For example: xx-xx-xx-xx-xx-xx).

none

Disables delimiters (For example: xxxxxxxxxx).

single-hyphen

Sets the delimiters to single hyphen (For example: xxxxxx-xxxxxx).

network

Configures a default RADIUS server for network users.

group

Specifies RADIUS server type group.

none

Specifies RADIUS server type none.

provincial

Specifies RADIUS server type provincial.

retransmit-timeout

Changes the default retransmit timeout for the server.

seconds

The number of seconds between retransmissions.

realm

Specifies radius acct realm.

add

Adds radius acct realm.

delete

Deletes radius acct realm.

Command Default

When adding a RADIUS server, the port number defaults to 1813 and the state is enabled.

Usage Guidelines

IPSec is not supported for IPv6.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure a priority 1 RADIUS accounting server at 10.10.10.10 using port 1813 with a login password of admin:


(Cisco Controller) > config radius acct add 1 10.10.10.10 1813 ascii admin

The following example shows how to configure a priority 1 RADIUS accounting server at 2001:9:6:40::623 using port 1813 with a login password of admin:

(Cisco Controller) > config radius acct add 1 2001:9:6:40::623 1813 ascii admin

config radius acct mac-delimiter

To specify the delimiter to be used in the MAC addresses that are sent to the RADIUS accounting server, use the config radius acct mac-delimiter command.

config radius acct mac-delimiter { colon | hyphen | single-hyphen | none}

Syntax Description

colon

Sets the delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).

hyphen

Sets the delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).

single-hyphen

Sets the delimiter to a single hyphen (for example, xxxxxx-xxxxxx).

none

Disables the delimiter (for example, xxxxxxxxxxxx).

Command Default

The default delimiter is a hyphen.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to set the delimiter hyphen to be used in the MAC addresses that are sent to the RADIUS accounting server for the network users:


(Cisco Controller) > config radius acct mac-delimiter hyphen

Related Commands

show radius acct statistics

config radius acct network

To configure a default RADIUS server for network users, use the config radius acct network command.

config radius acct network index { enable | disable}

Syntax Description

index

RADIUS server index.

enable

Enables the server as a network user’s default RADIUS server.

disable

Disables the server as a network user’s default RADIUS server.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure a default RADIUS accounting server for the network users with RADIUS server index1:


(Cisco Controller) > config radius acct network 1 enable

Related Commands

show radius acct statistics

config radius acct realm

To configure realm on RADIUS accounting server, use the config radius acct realm command.

config radius acct realm{ add | delete} radius_index realm_string

Syntax Description

radius_server

Radius server index. The range is from 1 to 17.

add

Add realm to RADIUS accounting server.

delete

Delete realm from RADIUS accounting server.

realm_string

Unique string associated to RADIUS accounting realm.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how add realm to the RADIUS accounting server:

(Cisco Controller) > config radius acct realm add 3 test

config radius acct retransmit-timeout

To change the default transmission timeout for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct retransmit-timeout command.

config radius acct retransmit-timeout index timeout

Syntax Description

index

RADIUS server index.

timeout

Number of seconds (from 2 to 30) between retransmissions.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure retransmission timeout value 5 seconds between the retransmission:


(Cisco Controller) > config radius acct retransmit-timeout 5

Related Commands

show radius acct statistics

config radius auth

To configure settings for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth command.

config radius auth { add index IP addr portascii/hexsecret} | | delete index | 
 disable index | enable index | framed-mtu mtu | { ipsec { authentication { hmac-md5 index | hmac-sha1 index } | disable index | enable index | encryption { 256-aes | 3des | aes | des} index | ike { auth-mode { pre-shared-key index ascii/hex shared_secret | certificate index } | dh-group { 2048bit-group-14 | group-1 | group-2 | group-5} index | lifetime seconds index | phase1 { aggressive | main} index } } | { { keywrap{ add ascii/hex kek mack index } | delete index | 
 disable | enable} } | { mac-delimiter { colon | hyphen | none | single-hyphen} } | { { management index { enable | disable} } | { mgmt-retransmit-timeout index Retransmit Timeout } | { network index { enable | disable} } | { realm { add | delete} radius-index realm-string} } | { region { group | none | provincial} } | { retransmit-timeout index Retransmit Timeout} | { rfc3576 { enable | disable} index }

Syntax Description

enable

Enables a RADIUS authentication server.

disable

Disables a RADIUS authentication server.

delete

Deletes a RADIUS authentication server.

index

RADIUS server index. The controller begins the search with 1. The server index range is from 1 to 17.

add

Adds a RADIUS authentication server. See the “Defaults” section.

IP addr

IP address (IPv4 or IPv6) of the RADIUS server.

port

RADIUS server’s UDP port number for the interface protocols.

ascii/hex

Specifies RADIUS server’s secret type: ascii or hex.

secret

RADIUS server’s secret.

callStationIdType

Configures Called Station Id information sent in RADIUS authentication messages.

framed-mtu

Configures the Framed-MTU for all the RADIUS servers. The framed-mtu range is from 64 to 1300 bytes.

ipsec

Enables or disables IPSEC support for an authentication server.

Note    IPSec is not supported for IPv6.

keywrap

Configures RADIUS keywrap.

ascii/hex

Specifies the input format of the keywrap keys.

kek

Enters the 16-byte key-encryption-key.

mack

Enters the 20-byte message-authenticator-code-key.

mac-delimiter

Configures MAC delimiter for caller station ID and calling station ID.

management

Configures a RADIUS Server for management users.

mgmt-retransmit-timeout

Changes the default management login retransmission timeout for the server.

network

Configures a default RADIUS server for network users.

realm

Configures radius auth realm.

region

Configures RADIUS region property.

retransmit-timeout

Changes the default network login retransmission timeout for the server.

rfc3576

Enables or disables RFC-3576 support for an authentication server.

Command Default

When adding a RADIUS server, the port number defaults to 1812 and the state is enabled.

Usage Guidelines

IPSec is not supported for IPv6.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure a priority 3 RADIUS authentication server at 10.10.10.10 using port 1812 with a login password of admin:


(Cisco Controller) > config radius auth add 3 10.10.10.10 1812 ascii admin

The following example shows how to configure a priority 3 RADIUS authentication server at 2001:9:6:40::623 using port 1812 with a login password of admin:

(Cisco Controller) > config radius auth add 3 2001:9:6:40::623 1812 ascii admin

config radius auth callStationIdType

To configure the RADIUS authentication server, use the config radius auth callStationIdType command.

config radius auth callStationIdType { ap-ethmac-only | ap-ethmac-ssid | ap-group-name | ap-label-address | ap-label-address-ssid| ap-location | ap-macaddr-only | ap-macaddr-ssid | ap-name | ap-name-ssid | flex-group-name | ipaddr | macaddr| vlan-id}

Syntax Description

ipaddr

Configures the Call Station ID type to use the IP address (only Layer 3).

macaddr

Configures the Call Station ID type to use the system’s MAC address (Layers 2 and 3).

ap-macaddr-only

Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3).

ap-macaddr-ssid

Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3) in the format AP MAC address:SSID.

ap-ethmac-only

Configures the Called Station ID type to use the access point’s Ethernet MAC address.

ap-ethmac-ssid

Configures the Called Station ID type to use the access point’s Ethernet MAC address in the format AP Ethernet MAC address:SSID.

ap-group-name

Configures the Call Station ID type to use the AP group name. If the AP is not part of any AP group, default-group is taken as the AP group name.

flex-group-name

Configures the Call Station ID type to use the FlexConnect group name. If the FlexConnect AP is not part of any FlexConnect group, the system MAC address is taken as the Call Station ID.

ap-name

Configures the Call Station ID type to use the access point’s name.

ap-name-ssid

Configures the Call Station ID type to use the access point’s name in the format AP name:SSID

ap-location

Configures the Call Station ID type to use the access point’s location.

vlan-id

Configures the Call Station ID type to use the system’s VLAN-ID.

ap-label-address

Configures the Call Station ID type to the AP MAC address that is printed on the AP label, for the accounting messages.

ap-label-address-ssid

Configures the Call Station ID type to the AP MAC address:SSID format.

Command Default

The MAC address of the system.

Usage Guidelines

The controller sends the Called Station ID attribute to the RADIUS server in all authentication and accounting packets. The Called Station ID attribute can be used to classify users to different groups based on the attribute value. The command is applicable only for the Called Station and not for the Calling Station.

You cannot send only the SSID as the Called-Station-ID, you can only combine the SSID with either the access point MAC address or the access point name.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the call station ID type to use the IP address:


(Cisco Controller) > config radius auth callStationIdType ipAddr

The following example shows how to configure the call station ID type to use the system’s MAC address:


(Cisco Controller) > config radius auth callStationIdType macAddr 

The following example shows how to configure the call station ID type to use the access point’s MAC address:


(Cisco Controller) > config radius auth callStationIdType ap-macAddr 

config radius auth keywrap

To enable and configure Advanced Encryption Standard (AES) key wrap, which makes the shared secret between the controller and the RADIUS server more secure, use the config radius auth keywrap command.

config radius auth keywrap { enable | disable | add { ascii | hex} kek mack | delete} index

Syntax Description

enable

Enables AES key wrap.

disable

Disables AES key wrap.

add

Configures AES key wrap attributes.

ascii

Configures key wrap in an ASCII format.

hex

Configures key wrap in a hexadecimal format.

kek

16-byte Key Encryption Key (KEK).

mack

20-byte Message Authentication Code Key (MACK).

delete

Deletes AES key wrap attributes.

index

Index of the RADIUS authentication server on which to configure the AES key wrap.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the AES key wrap for a RADIUS authentication server:


(Cisco Controller) > config radius auth keywrap enable

Related Commands

show radius auth statistics

config radius auth mac-delimiter

To specify a delimiter to be used in the MAC addresses that are sent to the RADIUS authentication server, use the config radius auth mac-delimiter command.

config radius auth mac-delimiter { colon | hyphen | single-hyphen | none}

Syntax Description

colon

Sets a delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).

hyphen

Sets a delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).

single-hyphen

Sets a delimiter to a single hyphen (for example, xxxxxx-xxxxxx).

none

Disables the delimiter (for example, xxxxxxxxxxxx).

Command Default

The default delimiter is a hyphen.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to specify a delimiter hyphen to be used for a RADIUS authentication server:


(Cisco Controller) > config radius auth mac-delimiter hyphen

Related Commands

show radius auth statistics

config radius auth management

To configure a default RADIUS server for management users, use the config radius auth management command.

config radius auth management index { enable | disable}

Syntax Description

index

RADIUS server index.

enable

Enables the server as a management user’s default RADIUS server.

disable

Disables the server as a management user’s default RADIUS server.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure a RADIUS server for management users:


(Cisco Controller) > config radius auth management 1 enable

Related Commands

show radius acct statistics

config radius acct network

config radius auth mgmt-retransmit-timeout

config radius auth mgmt-retransmit-timeout

To configure a default RADIUS server retransmission timeout for management users, use the config radius auth mgmt-retransmit-timeout command.

config radius auth mgmt-retransmit-timeout index retransmit-timeout

Syntax Description

index

RADIUS server index.

retransmit-timeout

Timeout value. The range is from 1 to 30 seconds.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure a default RADIUS server retransmission timeout for management users:


(Cisco Controller) > config radius auth mgmt-retransmit-timeout 1 10

Related Commands

config radius auth management

config radius auth network

To configure a default RADIUS server for network users, use the config radius auth network command.

config radius auth network index { enable | disable}

Syntax Description

index

RADIUS server index.

enable

Enables the server as a network user default RADIUS server.

disable

Disables the server as a network user default RADIUS server.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure a default RADIUS server for network users:


(Cisco Controller) > config radius auth network 1 enable

Related Commands

show radius acct statistics

config radius acct network

config radius auth realm

To configure realm on RADIUS authentication server, use the config radius auth realm command.

config radius auth realm{ add | delete} radius_index realm_string

Syntax Description

radius_server

Radius server index. The range is from 1 to 17.

add

Add realm to RADIUS authentication server.

delete

Delete realm from RADIUS authentication server.

realm_string

Unique string associated to RADIUS authentication realm.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how add realm to the RADIUS authentication server:

(Cisco Controller) > config radius auth realm add 3 test

config radius auth retransmit-timeout

To change a default transmission timeout for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth retransmit-timeout command.

config radius auth retransmit-timeout index timeout

Syntax Description

index

RADIUS server index.

timeout

Number of seconds (from 2 to 30) between retransmissions.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure a retransmission timeout of 5 seconds for a RADIUS authentication server:


(Cisco Controller) > config radius auth retransmit-timeout 5

Related Commands

show radius auth statistics

config radius auth rfc3576

To configure RADIUS RFC-3576 support for the authentication server for the Cisco WLC, use the config radius auth rfc3576 command.

config radius auth rfc3576 { enable | disable} index

Syntax Description

enable

Enables RFC-3576 support for an authentication server.

disable

Disables RFC-3576 support for an authentication server.

index

RADIUS server index.

Command Default

Disabled

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

RFC 3576, which is an extension to the RADIUS protocol, allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session. Disconnect messages cause a user session to be terminated immediately; CoA messages modify session authorization attributes such as data filters.

Examples

The following example shows how to enable the RADIUS RFC-3576 support for a RADIUS authentication server:


(Cisco Controller) > config radius auth rfc3576 enable 2

Related Commands

show radius auth statistics

show radius summary

show radius rfc3576

config radius auth retransmit-timeout

To configure a retransmission timeout value for a RADIUS accounting server, use the config radius auth server-timeout command.

config radius auth retransmit-timeout index timeout

Syntax Description

index

RADIUS server index.

timeout

Timeout value. The range is from 2 to 30 seconds.

Command Default

The default timeout is 2 seconds.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure a server timeout value of 2 seconds for RADIUS authentication server index 10:


(Cisco Controller) > config radius auth retransmit-timeout 2 10

Related Commands

show radius auth statistics

show radius summary

config radius aggressive-failover disabled

To configure the controller to mark a RADIUS server as down (not responding) after the server does not reply to three consecutive clients, use the config radius aggressive-failover disabled command.

config radius aggressive-failover disabled

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the controller to mark a RADIUS server as down:


(Cisco Controller) > config radius aggressive-failover disabled

Related Commands

show radius summary

config radius backward compatibility

To configure RADIUS backward compatibility for the Cisco wireless LAN controller, use the config radius backward compatibility command.

config radius backward compatibility { enable | disable}

Syntax Description

enable

Enables RADIUS vendor ID backward compatibility.

disable

Disables RADIUS vendor ID backward compatibility.

Command Default

Enabled.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the RADIUS backward compatibility settings:


(Cisco Controller) > config radius backward compatibility disable

Related Commands

show radius summary

config radius callStationIdCase

To configure callStationIdCase information sent in RADIUS messages for the Cisco WLC, use the config radius callStationIdCase command.

config radius callStationIdCase { legacy | lower | upper}

Syntax Description

legacy

Configures Call Station IDs for Layer 2 authentication to RADIUS in uppercase.

lower

Configures all Call Station IDs to RADIUS in lowercase.

upper

Configures all Call Station IDs to RADIUS in uppercase.

Command Default

Enabled.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to send the call station ID in lowercase:


(Cisco Controller) > config radius callStationIdCase lower

Related Commands

show radius summary

config radius callStationIdType

To configure the Called Station ID type information sent in RADIUS accounting messages for the Cisco wireless LAN controller, use the config radius callStationIdType command.

config radius callStationIdType { ap-ethmac-only | ap-ethmac-ssid | ap-group-name | ap-label-address | ap-label-address-ssid| ap-location | ap-macaddr-only | ap-macaddr-ssid | ap-name | ap-name-ssid | flex-group-name | ipaddr | macaddr| vlan-id}

Syntax Description

ipaddr

Configures the Call Station ID type to use the IP address (only Layer 3).

macaddr

Configures the Call Station ID type to use the system’s MAC address (Layers 2 and 3).

ap-macaddr-only

Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3).

ap-macaddr-ssid

Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3) in the format AP MAC address:SSID.

ap-ethmac-only

Configures the Called Station ID type to use the access point’s Ethernet MAC address.

ap-ethmac-ssid

Configures the Called Station ID type to use the access point’s Ethernet MAC address in the format AP Ethernet MAC address:SSID.

ap-group-name

Configures the Call Station ID type to use the AP group name. If the AP is not part of any AP group, default-group is taken as the AP group name.

flex-group-name

Configures the Call Station ID type to use the FlexConnect group name. If the FlexConnect AP is not part of any FlexConnect group, the system MAC address is taken as the Call Station ID.

ap-name

Configures the Call Station ID type to use the access point’s name.

ap-name-ssid

Configures the Call Station ID type to use the access point’s name in the format AP name:SSID

ap-location

Configures the Call Station ID type to use the access point’s location.

ap-mac-ssid-ap-group

Sets Called Station ID type to the format <AP MAC address>:<SSID>:<AP Group>

vlan-id

Configures the Call Station ID type to use the system’s VLAN-ID.

ap-label-address

Configures the Call Station ID type to the AP MAC address that is printed on the AP label, for the accounting messages.

ap-label-address-ssid

Configures the Call Station ID type to the AP MAC address:SSID format.

Command Default

The IP address of the system.

Usage Guidelines

The controller sends the Called Station ID attribute to the RADIUS server in all authentication and accounting packets. The Called Station ID attribute can be used to classify users to different groups based on the attribute value. The command is applicable only for the Called Station and not for the Calling Station.

You cannot send only the SSID as the Called-Station-ID, you can only combine the SSID with either the access point MAC address or the access point name.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the call station ID type to use the IP address:


(Cisco Controller) > config radius callStationIdType ipaddr

The following example shows how to configure the call station ID type to use the system’s MAC address:


(Cisco Controller) > config radius callStationIdType macaddr

The following example shows how to configure the call station ID type to use the access point’s MAC address:


(Cisco Controller) > config radius callStationIdType ap-macaddr-only

config radius dns

To retrieve the RADIUS IP information from a DNS server, use the config radius dns command.

config radius dns { global port { ascii | hex} secret | queryurl timeout | serverip ip_address | disable | enable}

Syntax Description

global

Configures the global port and secret to retrieve the RADIUS IP information from a DNS server.

port

Port number for authentication. The range is from 1 to 65535. All the DNS servers should use the same authentication port.

ascii

Format of the shared secret that you should set to ASCII.

hex

Format of the shared secret that you should set to hexadecimal.

secret

RADIUS server login secret.

query

Configures the fully qualified domain name (FQDN) of the RADIUS server and DNS timeout.

url

FQDN of the RADIUS server. The FQDN can be up to 63 case-sensitive, alphanumeric characters.

timeout

Maximum time that the Cisco WLC waits for, in days, before timing out the request and resending it. The range is from 1 to 180.

serverip

Configures the DNS server IP address.

ip_address

DNS server IP address.

disable

Disables the RADIUS DNS feature. By default, this feature is disabled.

enable

Enables the Cisco WLC to retrieve the RADIUS IP information from a DNS server.

When you enable a DNS query, the static configurations are overridden, that is, the DNS list overrides the static AAA list.

Command Default

You cannot configure the global port and secret to retrieve the RADIUS IP information.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

The accounting port is derived from the authentication port. All the DNS servers should use the same secret.

Examples

The following example shows how to enable the RADIUS DNS feature on the Cisco WLC:

(Cisco Controller) > config radius dns enable

config radius fallback-test

To configure the RADIUS server fallback behavior, use the config radius fallback-test command.

config radius fallback-test mode { off | passive | active} | username username} | { interval interval}

Syntax Description

mode

Specifies the mode.

off

Disables RADIUS server fallback.

passive

Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.

active

Causes the controller to revert to a preferable server (with a lower server index) from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller ignores all inactive servers for all active RADIUS requests.

username

Specifies the username.

username

Username. The username can be up to 16 alphanumeric characters.

interval

Specifies the probe interval value.

interval

Probe interval. The range is 180 to 3600.

Command Default

The default probe interval is 300.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to disable the RADIUS accounting server fallback behavior:


(Cisco Controller) > config radius fallback-test mode off

The following example shows how to configure the controller to revert to a preferable server from the available backup servers without using the extraneous probe messages:


(Cisco Controller) > config radius fallback-test mode passive

The following example shows how to configure the controller to revert to a preferable server from the available backup servers by using RADIUS probe messages:


(Cisco Controller) > config radius fallback-test mode active

Related Commands

config advanced probe filter

config advanced probe limit

show advanced probe

show radius acct statistics

config rogue adhoc

To globally or individually configure the status of an Independent Basic Service Set (IBSS or ad-hoc) rogue access point, use the config rogue adhoc command.

config rogue adhoc { enable | disable | external rogue_MAC | alert { rogue_MAC | all} |
 auto-contain [ monitor_ap] | contain rogue_MAC 1234_aps| }

config rogue adhoc { delete { all | mac-address mac-address} | classify { friendly state { external | internal} mac-address | malicious state { alert | contain} mac-address |
 unclassified state { alert | contain } mac-address}

Syntax Description

enable

Globally enables detection and reporting of ad-hoc rogues.

disable

Globally disables detection and reporting of ad-hoc rogues.

external

Configure external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point.

rogue_MAC

MAC address of the ad-hoc rogue access point.

alert

Generates an SMNP trap upon detection of the ad-hoc rogue, and generates an immediate alert to the system administrator for further action.

all

Enables alerts for all ad-hoc rogue access points.

auto-contain

Contains all wired ad-hoc rogues detected by the controller.

monitor_ap

(Optional) IP address of the ad-hoc rogue access point.

contain

Contains the offending device so that its signals no longer interfere with authorized clients.

1234_aps

Maximum number of Cisco access points assigned to actively contain the ad-hoc rogue access point (1 through 4, inclusive).

delete

Deletes ad-hoc rogue access points.

all

Deletes all ad-hoc rogue access points.

mac-address

Deletes ad-hoc rogue access point with the specified MAC address.

mac-address

MAC address of the ad-hoc rogue access point.

classify

Configures ad-hoc rogue access point classification.

friendly state

Classifies ad-hoc rogue access points as friendly.

internal

Configures alert state on rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point.

malicious state

Classifies ad-hoc rogue access points as malicious.

alert

Configures alert state on the rogue access point that is not in the neighbor list or in the user configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action.

contain

Configures contain state on the rogue access point. Controller contains the offending device so that its signals no longer interfere with authorized clients.

unclassified state

Classifies ad-hoc rogue access points as unclassified.

Command Default

The default for this command is enabled and is set to alert. The default for auto-containment is disabled.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses RLDP to determine if the rogue is attached to your wired network.


Note


RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS).


When you enter any of the containment commands, the following warning appears:


Using this feature may have legal consequences. Do you want to continue? (y/n) :

The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Enter the auto-contain command with the monitor_ap argument to monitor the rogue access point without containing it. Enter the auto-contain command without the optional monitor_ap to automatically contain all wired ad-hoc rogues detected by the controller.

Examples

The following example shows how to enable the detection and reporting of ad-hoc rogues:


(Cisco Controller) > config rogue adhoc enable

The following example shows how to enable alerts for all ad-hoc rogue access points:


(Cisco Controller) > config rogue adhoc alert all

The following example shows how to classify an ad-hoc rogue access point as friendly and configure external state on it:

(Cisco Controller) > config rogue adhoc classify friendly state internal 11:11:11:11:11:11

Related Commands

config rogue auto-contain level

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

config rogue ap classify

To classify the status of a rogue access point, use the config rogue ap classify command.

config rogue ap classify { friendly state { internal | external} ap_mac
}

config rogue ap classify { malicious | unclassified} state { alert | contain} ap_mac

Syntax Description

friendly

Classifies a rogue access point as friendly.

state

Specifies a response to classification.

internal

Configures the controller to trust this rogue access point.

external

Configures the controller to acknowledge the presence of this access point.

ap_mac

MAC address of the rogue access point.

malicious

Classifies a rogue access point as potentially malicious.

unclassified

Classifies a rogue access point as unknown.

alert

Configures the controller to forward an immediate alert to the system administrator for further action.

contain

Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients.

Command Default

These commands are disabled by default. Therefore, all unknown access points are categorized as unclassified by default.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

A rogue access point cannot be moved to the unclassified class if its current state is contain.

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to classify a rogue access point as friendly and can be trusted:


(Cisco Controller) > config rogue ap classify friendly state internal 11:11:11:11:11:11

The following example shows how to classify a rogue access point as malicious and to send an alert:


(Cisco Controller) > config rogue ap classify malicious state alert 11:11:11:11:11:11

The following example shows how to classify a rogue access point as unclassified and to contain it:


(Cisco Controller) > config rogue ap classify unclassified state contain 11:11:11:11:11:11

Related Commands

config rogue adhoc

config rogue ap friendly

config rogue ap rldp

config rogue ap ssid

config rogue ap timeout

config rogue ap valid-client

config rogue client

config trapflags rogueap

show rogue ap clients

show rogue ap detailed

show rogue ap summary

show rogue ap friendly summary

show rogue ap malicious summary

show rogue ap unclassified summary

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

config rogue ap friendly

To add a new friendly access point entry to the friendly MAC address list, or delete an existing friendly access point entry from the list, use the config rogue ap friendly command.

config rogue ap friendly { add | delete} ap_mac

Syntax Description

add

Adds this rogue access point from the friendly MAC address list.

delete

Deletes this rogue access point from the friendly MAC address list.

ap_mac

MAC address of the rogue access point that you want to add or delete.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to add a new friendly access point with MAC address 11:11:11:11:11:11 to the friendly MAC address list.


(Cisco Controller) > config rogue ap friendly add 11:11:11:11:11:11

Related Commands

config rogue adhoc

config rogue ap classify

config rogue ap rldp

config rogue ap ssid

config rogue ap timeout

config rogue ap valid-client

config rogue client

config trapflags rogueap

show rogue ap clients

show rogue ap detailed

show rogue ap summary

show rogue ap friendly summary

show rogue ap malicious summary

show rogue ap unclassified summary

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

config rogue ap rldp

To enable, disable, or initiate the Rogue Location Discovery Protocol (RLDP), use the config rogue ap rldp command.

config rogue ap rldp enable { alarm-only | auto-contain} [ monitor_ap_only]

config rogue ap rldp initiate rogue_mac_address


config rogue ap rldp disable

Syntax Description

alarm-only

When entered without the optional argument monitor_ap_only, enables RLDP on all access points.

auto-contain

When entered without the optional argument monitor_ap_only, automatically contains all rogue access points.

monitor_ap_only

(Optional) RLDP is enabled (when used with alarm-only keyword), or automatically contained (when used with auto-contain keyword) is enabled only on the designated monitor access point.

initiate

Initiates RLDP on a specific rogue access point.

rogue_mac_address

MAC address of specific rogue access point.

disable

Disables RLDP on all access points.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to enable RLDP on all access points:


(Cisco Controller) > config rogue ap rldp enable alarm-only 

The following example shows how to enable RLDP on monitor-mode access point ap_1:


(Cisco Controller) > config rogue ap rldp enable alarm-only ap_1

The following example shows how to start RLDP on the rogue access point with MAC address 123.456.789.000:


(Cisco Controller) > config rogue ap rldp initiate 123.456.789.000

The following example shows how to disable RLDP on all access points:


(Cisco Controller) > config rogue ap rldp disable

Related Commands

config rogue adhoc

config rogue ap classify

config rogue ap friendly

config rogue ap ssid

config rogue ap timeout

config rogue ap valid-client

config rogue client

config trapflags rogueap

show rogue ap clients

show rogue ap detailed

show rogue ap summary

show rogue ap friendly summary

show rogue ap malicious summary

show rogue ap unclassified summary

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

config rogue ap ssid

To generate an alarm only, or to automatically contain a rogue access point that is advertising your network’s service set identifier (SSID), use the config rogue ap ssid command.

config rogue ap ssid { alarm | auto-contain}

Syntax Description

alarm

Generates only an alarm when a rogue access point is discovered to be advertising your network’s SSID.

auto-contain

Automatically contains the rogue access point that is advertising your network’s SSID.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to automatically contain a rogue access point that is advertising your network’s SSID:


(Cisco Controller) > config rogue ap ssid auto-contain

Related Commands

config rogue adhoc

config rogue ap classify

config rogue ap friendly

config rogue ap rldp

config rogue ap timeout

config rogue ap valid-client

config rogue client

config trapflags rogueap

show rogue ap clients

show rogue ap detailed

show rogue ap summary

show rogue ap friendly summary

show rogue ap malicious summary

show rogue ap unclassified summary

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

config rogue ap timeout

To specify the number of seconds after which the rogue access point and client entries expire and are removed from the list, use the config rogue ap timeout command.

config rogue ap timeout seconds

Syntax Description

seconds

Value of 240 to 3600 seconds (inclusive), with a default value of 1200 seconds.

Command Default

The default number of seconds after which the rogue access point and client entries expire is 1200 seconds.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to set an expiration time for entries in the rogue access point and client list to 2400 seconds:


(Cisco Controller) > config rogue ap timeout 2400

Related Commands

config rogue ap classify

config rogue ap friendly

config rogue ap rldp

config rogue ap ssid

config rogue rule

config trapflags rogueap

show rogue ap clients

show rogue ap detailed

show rogue ap summary

show rogue ap friendly summary

show rogue ap malicious summary

show rogue ap unclassified summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

config rogue ap valid-client

To generate an alarm only, or to automatically contain a rogue access point to which a trusted client is associated, use the config rogue ap valid-client command.

config rogue ap valid-client { alarm | auto-contain}

Syntax Description

alarm

Generates only an alarm when a rogue access point is discovered to be associated with a valid client.

auto-contain

Automatically contains a rogue access point to which a trusted client is associated.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

Examples

The following example shows how to automatically contain a rogue access point that is associated with a valid client:


(Cisco Controller) > config rogue ap valid-client auto-contain

Related Commands

config rogue ap classify

config rogue ap friendly

config rogue ap rldp

config rogue ap timeout

config rogue ap ssid

config rogue rule

config trapflags rogueap

show rogue ap clients

show rogue ap detailed

show rogue ap summary

show rogue ap friendly summary

show rogue ap malicious summary

show rogue ap unclassified summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

config rogue client

To configure rogue clients, use the config rogue client command.

config rogue client { aaa { enable | disable} | alert ap_mac | contain client_mac | delete { state { alert | any | contained | contained-pending} | all | mac-address client_mac} | mse{ enable | disable} } }

Syntax Description

aaa

Configures AAA server or local database to validate whether rogue clients are valid clients. The default is disabled.

enable

Enables the AAA server or local database to check rogue client MAC addresses for validity.

disable

Disables the AAA server or local database to check rogue client MAC addresses for validity.

alert

Configures the controller to forward an immediate alert to the system administrator for further action.

ap_mac

Access point MAC address.

contain

Configures the controller to contain the offending device so that its signals no longer interfere with authorized clients.

client_mac

MAC address of the rogue client.

delete

Deletes the rogue client.

state

Deletes the rogue clients according to their state.

alert

Deletes the rogue clients in alert state.

any

Deletes the rogue clients in any state.

contained

Deletes all rogue clients that are in contained state.

contained-pending

Deletes all rogue clients that are in contained pending state.

all

Deletes all rogue clients.

mac-address

Deletes a rogue client with the configured MAC address.

mse

Validates if the rogue clients are valid clients using MSE. The default is disabled.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

You cannot validate rogue clients against MSE and AAA at the same time.

Examples

The following example shows how to enable the AAA server or local database to check MAC addresses:


(Cisco Controller) > config rogue client aaa enable 

The following example shows how to disable the AAA server or local database from checking MAC addresses:


(Cisco Controller) > config rogue client aaa disable 

Related Commands

config rogue rule

config trapflags rogueap

show rogue ap clients

show rogue ap detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

config rogue detection

To enable or disable rogue detection, use the config rogue detection command.


Note


If an AP itself is configured with the keyword all, the all access points case takes precedence over the AP that is with the keyword all.


config rogue detection { enable | disable} { cisco_ap | all}

Syntax Description

enable

Enables rogue detection on this access point.

disable

Disables rogue detection on this access point.

cisco_ap

Cisco access point.

all

Specifies all access points.

Command Default

The default rogue detection value is enabled.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

Rogue detection is enabled by default for all access points joined to the controller except for OfficeExtend access points. OfficeExtend access points are deployed in a home environment and are likely to detect a large number of rogue devices.

Examples

The following example shows how to enable rogue detection on the access point Cisco_AP:


(Cisco Controller) > config rogue detection enable Cisco_AP 

Related Commands

config rogue rule

config trapflags rogueap

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

config rogue detection client-threshold

To configure the rogue client threshold for access points, use the config rogue detection client-threshold command.

config rogue detection client-threshold value

Syntax Description

value

Threshold rogue client count on an access point after which a trap is sent from the Cisco Wireless LAN Controller (WLC). The range is from 1 to 256. Enter 0 to disable the feature.

Command Default

The default rogue client threshold is 0.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the rogue client threshold:

(Cisco Controller) >config rogue detection client-threshold 200

config rogue detection min-rssi

To configure the minimum Received Signal Strength Indicator (RSSI) value at which APs can detect rogues and create a rogue entry in the controller, use the config rogue detection min-rssi command.

config rogue detection min-rssi rssi-in-dBm

Syntax Description

rssi-in-dBm

Minimum RSSI value. The valid range is from –70 dBm to –128 dBm, and the default value is –128 dBm.

Command Default

The default RSSI value to detect rogues in APs is -128 dBm.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

This feature is applicable to all the AP modes.

There can be many rogues with very weak RSSI values that do not provide any valuable information in rogue analysis. Therefore, you can use this option to filter rogues by specifying the minimum RSSI value at which APs should detect rogues.

Examples

The following example shows how to configure the minimum RSSI value:


(Cisco Controller) > config rogue detection min-rssi –80

Related Commands

config rogue detection

show rogue ap clients

config rogue rule

config trapflags rogueap

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

config rogue detection monitor-ap

To configure the rogue report interval for all monitor mode Cisco APs, use the config rogue detection monitor-ap command.

config rogue detection monitor-ap { report-interval | transient-rogue-interval} time-in-seconds

Syntax Description

report-interval

Specifies the interval at which rogue reports are sent.

transient-rogue-interval

Specifies the interval at which rogues are consistently scanned for by APs after the first time the rogues are scanned.

time-in-seconds

Time in seconds. The valid range is as follows:

  • 10 to 300 for report-interval

  • 120 to 1800 for transient-rogue-interval

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

This feature is applicable to APs that are in monitor mode only.

Using the transient interval values, you can control the time interval at which APs should scan for rogues. APs can also filter the rogues based on their transient interval values.

This feature has the following advantages:

  • Rogue reports from APs to the controller are shorter.

  • Transient rogue entries are avoided in the controller.

  • Unnecessary memory allocation for transient rogues are avoided.

Examples

The following example shows how to configure the rogue report interval to 60 seconds:


(Cisco Controller) > config rogue detection monitor-ap report-interval 60

The following example shows how to configure the transient rogue interval to 300 seconds:


(Cisco Controller) > config rogue detection monitor-ap transient-rogue-interval 300

Related Commands

config rogue detection

config rogue detection min-rssi

config rogue rule

config trapflags rogueap

show rogue ap clients

show rogue client detailed

show rogue client summary

show rogue ignore-list

show rogue rule detailed

show rogue rule summary

config rogue detection report-interval

To configure the rogue detection report interval, use the config rogue detection report-interval command.

config rogue detection report-interval time

Syntax Description

time

Time interval, in seconds, at which the access points send the rogue detection report to the controller. The range is from 10 to 300.

Command Default

The default rogue detection report interval is 10 seconds.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

This feature is applicable only to the access points that are in the monitor mode.

Examples

The following example shows how to configure the rogue detection report interval:

(Cisco Controller) >config rogue detection report-interval 60

config rogue detection security-level

To configure the rogue detection security level, use the config rogue detection security-level command.

config rogue detection security-level { critical | custom | high | low}

Syntax Description

critical

Configures the rogue detection security level to critical.

custom

Configures the rogue detection security level to custom, and allows you to configure the rogue policy parameters.

high

Configures the rogue detection security level to high. This security level configures basic rogue detection and auto containment for medium-scale or less critical deployments. The Rogue Location Discovery Protocol (RLDP) is disabled for this security level.

low

Configures the rogue detection security level to low. This security level configures basic rogue detection for small-scale deployments. Auto containment is not supported for this security level.

Command Default

The default rogue detection security level is custom.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the rogue detection security level to high:

(Cisco Controller) > config rogue detection security-level high

config rogue detection transient-rogue-interval

To configure the rogue-detection transient interval, use the config rogue detection transient-rogue-interval command.

config rogue detection transient-rogue-interval time

Syntax Description

time

Time interval, in seconds, at which a rogue should be consistently scanned by the access point after the rogue is scanned for the first time. The range is from 120 to 1800.

Command Default

The default rogue-detection transient interval for each security level is as follows:
  • Low—120 seconds

  • High—300 seconds

  • Critical—600 seconds

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

This feature applies only to the access points that are in the monitor mode.

After the rogue is scanned consistently, updates are sent periodically to the Cisco Wireless LAN Controller (WLC). The access points filter the active transient rogues for a very short period and are then silent.

Examples

The following example shows how to configure the rogue detection transient interval:

(Cisco Controller) > config rogue detection transient-rogue-interval 200

config rogue rule

To add and configure rogue classification rules, use the config rogue rule command.

config rogue rule { add ap priority priority classify { custom severity-score classification-name | friendly | malicious} notify { all | global | none | local} state { alert | contain | delete | internal | external} rule_name | 
 classify { custom severity-score classification-name | friendly | malicious} rule_name | 
 condition ap { set | delete} condition_type condition_value rule_name | 
{ enable | delete | disable} { all | rule_name} | 
 match { all | any} | 
 priority priority| notify { all | global | none | local} rule_name | state { alert | contain | internal | external} rule_name}

Syntax Description

add ap priority

Adds a rule with match any criteria and the priority that you specify.

priority

Priority of this rule within the list of rules.

classify

Specifies the classification of a rule.

custom

Classifies devices matching the rule as custom.

severity-score

Custom classification severity score of the rule. The range is from 1 to 100.

classification-name

Custom classification name. The name can be up to 32 case-sensitive, alphanumeric characters.

friendly

Classifies a rule as friendly.

malicious

Classifies a rule as malicious.

notify

Configures type of notification upon rule match.

all

Notifies the controller and a trap receiver such as Cisco Prime Infrastructure.

global

Notifies only a trap receiver such as Cisco Prime Infrastructure.

local

Notifies only the controller.

none

Notifies neither the controller nor a trap receiver such as Cisco Prime Infrastructure.

state

Configures state of the rogue access point after a rule match.

alert

Configures alert state on the rogue access point that is not in the neighbor list or in the user configured friendly MAC list. The controller forwards an immediate alert to the system administrator for further action.

contain

Configures contain state on the rogue access point. Controller contains the offending device so that its signals no longer interfere with authorized clients.

delete

Configures delete state on the rogue access point.

external

Configures external state on the rogue access point that is outside the network and poses no threat to WLAN security. The controller acknowledges the presence of this rogue access point.

internal

Configures alert state on rogue access point that is inside the network and poses no threat to WLAN security. The controller trusts this rogue access point.

rule_name

Rule to which the command applies, or the name of a new rule.

condition ap

Specifies the conditions for a rule that the rogue access point must meet.

set

Adds conditions to a rule that the rogue access point must meet.

delete

Removes conditions to a rule that the rogue access point must meet.

condition_type

Type of the condition to be configured. The condition types are listed below:

  • client-count—Requires that a minimum number of clients be associated to a rogue access point. The valid range is 1 to 10 (inclusive).

  • duration—Requires that a rogue access point be detected for a minimum period of time. The valid range is 0 to 3600 seconds (inclusive).

  • managed-ssid—Requires that a rogue access point’s SSID be known to the controller.

  • no-encryption—Requires that a rogue access point’s advertised WLAN does not have encryption enabled.

  • rssi—Requires that a rogue access point have a minimum RSSI value. The range is from –95 to –50 dBm (inclusive).

  • ssid—Requires that a rogue access point have a specific SSID.

  • substring-ssid—Requires that a rogue access point have a substring of a user-configured SSID.

condition_value

Value of the condition. This value is dependent upon the condition_type. For instance, if the condition type is ssid, then the condition value is either the SSID name or all.

enable

Enables all rules or a single specific rule.

delete

Deletes all rules or a single specific rule.

disable

Deletes all rules or a single specific rule.

match

Specifies whether a detected rogue access point must meet all or any of the conditions specified by the rule in order for the rule to be matched and the rogue access point to adopt the classification type of the rule.

all

Specifies all rules defined.

any

Specifies any rule meeting certain criteria.

priority

Changes the priority of a specific rule and shifts others in the list accordingly.

Command Default

No rogue rules are configured.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

For your changes to be effective, you must enable the rule. You can configure up to 64 rules.

Reclassification of rogue APs according to the RSSI condition of the rogue rule occurs only when the RSSI changes more than +/- 2 dBm of the configured RSSI value. Manual and automatic classification override custom rogue rules. Rules are applied to manually changed rogues if their class type changes to unclassified and state changes to alert. Adhoc rogues are classified and do not go to the pending state. You can have up to 50 classification types.

Examples

The following example shows how to create a rule called rule_1 with a priority of 1 and a classification as friendly.


(Cisco Controller) > config rogue rule add ap priority 1 classify friendly rule_1

The following example shows how to enable rule_1.


(Cisco Controller) > config rogue rule enable rule_1

The following example shows how to change the priority of the last command.


(Cisco Controller) > config rogue rule priority 2 rule_1

The following example shows how to change the classification of the last command.


(Cisco Controller) > config rogue rule classify malicious rule_1

The following example shows how to disable the last command.


(Cisco Controller) > config rogue rule disable rule_1

The following example shows how to delete SSID_2 from the user-configured SSID list in rule-5.


(Cisco Controller) > config rogue rule condition ap delete ssid ssid_2 rule-5

The following example shows how to create a custom rogue rule.

(Cisco Controller) > config rogue rule classify custom 1 VeryMalicious rule6

config rogue rule condition ap

To configure a condition of a rogue rule for rogue access points, use the config rogue rule condition ap command.

config rogue rule condition ap { set { client-count count | duration time | managed-ssid | no-encryption | rssi rssi | ssid ssid | substring-ssid substring-ssid} | delete { all | client-count | duration | managed-ssid | no-encryption | rssi | ssid | substring-ssid} rule_name

Syntax Description

set

Configures conditions to a rule that the rogue access point must meet.

client-count

Enables a minimum number of clients to be associated to the rogue access point.

count

Minimum number of clients to be associated to the rogue access point. The range is from 1 to 10 (inclusive). For example, if the number of clients associated to a rogue access point is greater than or equal to the configured value, the access point is classified as malicious.

duration

Enables a rogue access point to be detected for a minimum period of time.

time

Minimum time period, in seconds, to detect the rogue access point. The range is from 0 to 3600.

managed-ssid

Enables a rogue access point’s SSID to be known to the controller.

no-encryption

Enables a rogue access point’s advertised WLAN to not have encryption enabled. If a rogue access point has encryption disabled, it is likely that more clients will try to associate to it.

rssi

Enables a rogue access point to have a minimum Received Signal Strength Indicator (RSSI) value.

rssi

Minimum RSSI value, in dBm, required for the access point. The range is from –95 to –50 (inclusive). For example, if the rogue access point has an RSSI that is greater than the configured value, the access point is classified as malicious.

ssid

Enables a rogue access point have a specific SSID.

ssid

SSID of the rogue access point.

substring-ssid

Enables a rogue access point to have a substring of a user-configured SSID.

substring-ssid

Substring of a user-configured SSID. For example, if you have an SSID as ABCDE, you can specify the substring as ABCD or ABC. You can classify multiple SSIDs with matching patterns.

delete

Removes the conditions to a rule that a rogue access point must comply with.

all

Deletes all the rogue rule conditions.

rule_name

Rogue rule to which the command applies.

Command Default

The default value for RSSI is 0 dBm.

The default value for duration is 0 seconds.

The default value for client count is 0.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

You can configure up to 25 SSIDs per rogue rule. You can configure up to 25 SSID substrings per rogue rule.

Examples

The following example shows how to configure the RSSI rogue rule condition:

(Cisco Controller) > config rogue rule condition ap set rssi –50

config tacacs acct

To configure TACACS+ accounting server settings, use the config tacacs acct command.

config tacacs acct { add1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | server-timeout 1-3 seconds}

Syntax Description

add

Adds a new TACACS+ accounting server.

1-3

Specifies TACACS+ accounting server index from 1 to 3.

IP addr

Specifies IPv4 or IPv6 address of the TACACS+ accounting server.

port

Specifies TACACS+ Server's TCP port.

ascii/hex

Specifies type of TACACS+ server's secret being used (ASCII or HEX).

secret

Specifies secret key in ASCII or hexadecimal characters.

delete

Deletes a TACACS+ server.

disable

Disables a TACACS+ server.

enable

Enables a TACACS+ server.

server-timeout

Changes the default server timeout for the TACACS+ server.

seconds

Specifies the number of seconds before the TACACS+ server times out. The server timeout range is from 5 to 30 seconds.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to add a new TACACS+ accounting server index 1 with the IPv4 address 10.0.0.0, port number 49, and secret key 12345678 in ASCII:


(Cisco Controller) > config tacacs acct add 1 10.0.0.0 10 ascii 12345678

The following example shows how to add a new TACACS+ accounting server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:

(Cisco Controller) > config tacacs acct add 1  2001:9:6:40::623 10 ascii 12345678

The following example shows how to configure the server timeout of 5 seconds for the TACACS+ accounting server:


(Cisco Controller) > config tacacs acct server-timeout 1 5

config tacacs athr

To configure TACACS+ authorization server settings, use the config tacacs athr command.

config tacacs athr { add1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | mgmt-server-timeout 1-3 seconds | server-timeout 1-3 seconds}

Syntax Description

add

Adds a new TACACS+ authorization server (IPv4 or IPv6).

1-3

TACACS+ server index from 1 to 3.

IP addr

TACACS+ authorization server IP address (IPv4 or IPv6).

port

TACACS+ server TCP port.

ascii/hex

Type of secret key being used (ASCII or HEX).

secret

Secret key in ASCII or hexadecimal characters.

delete

Deletes a TACACS+ server.

disable

Disables a TACACS+ server.

enable

Enables a TACACS+ server.

mgmt-server-timeout 1-3seconds

Changes the default management login server timeout for the server. The number of seconds before server times out is from 1 to 30 seconds.

server-timeout 1-3 seconds

Changes the default network login server timeout for the server. The number of seconds before server times out is from 5 to 30 seconds.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to add a new TACACS+ authorization server index 1 with the IPv4 address 10.0.0.0, port number 49, and secret key 12345678 in ASCII:


(Cisco Controller) > config tacacs athr add 1 10.0.0.0 49 ascii 12345678

The following example shows how to add a new TACACS+ authorization server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:

(Cisco Controller) > config tacacs athr add 1 2001:9:6:40::623 49 ascii 12345678

The following example shows how to configure the retransmit timeout of 5 seconds for the TACACS+ authorization server:


(Cisco Controller) > config tacacs athr server-timeout 1 5

config tacacs athr mgmt-server-timeout

To configure a default TACACS+ authorization server timeout for management users, use the config tacacs athr mgmt-server-timeout command.

config tacacs athr mgmt-server-timeout index timeout

Syntax Description

index

TACACS+ authorization server index.

timeout

Timeout value. The range is 1 to 30 seconds.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure a default TACACS+ authorization server timeout for management users:


(Cisco Controller) > config tacacs athr mgmt-server-timeout 1 10

config tacacs auth

To configure TACACS+ authentication server settings, use the config tacacs auth command.

config tacacs auth{ add1-3 IP addr port ascii/hex secret | delete 1-3 | disable 1-3 | enable 1-3 | mgmt-server-timeout 1-3 seconds | server-timeout 1-3seconds}

Syntax Description

add

Adds a new TACACS+ accounting server.

1-3

TACACS+ accounting server index from 1 to 3.

IP addr

IP address for the TACACS+ accounting server.

port

Controller port used for the TACACS+ accounting server.

ascii/hex

Type of secret key being used (ASCII or HEX).

secret

Secret key in ASCII or hexadecimal characters.

delete

Deletes a TACACS+ server.

disable

Disables a TACACS+ server.

enable

Enables a TACACS+ server.

mgmt-server-timeout 1-3 seconds

Changes the default management login server timeout for the server. The number of seconds before server times out is from 1 to 30 seconds.

server-timeout 1-3 seconds

Changes the default network login server timeout for the server. The number of seconds before server times out is from 5 to 30 seconds.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to add a new TACACS+ authentication server index 1 with the IPv4 address 10.0.0.3, port number 49, and secret key 12345678 in ASCII:


(Cisco Controller) > config tacacs auth add 1 10.0.0.3 49 ascii 12345678

The following example shows how to add a new TACACS+ authentication server index 1 with the IPv6 address 2001:9:6:40::623, port number 49, and secret key 12345678 in ASCII:

(Cisco Controller) > config tacacs auth add 1 2001:9:6:40::623 49 ascii 12345678

The following example shows how to configure the server timeout for TACACS+ authentication server:


(Cisco Controller) > config tacacs auth server-timeout 1 5

config tacacs auth mgmt-server-timeout

To configure a default TACACS+ authentication server timeout for management users, use the config tacacs auth mgmt-server-timeout command.

config tacacs auth mgmt-server-timeout index timeout

Syntax Description

index

TACACS+ authentication server index.

timeout

Timeout value. The range is 1 to 30 seconds.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure a default TACACS+ authentication server timeout for management users:


(Cisco Controller) > config tacacs auth mgmt-server-timeout 1 10

Related Commands

config tacacs auth

config tacacs dns

To retrieve the TACACS IP information from a DNS server, use the config radius dns command.

config radius dns { global port { ascii | hex} secret | query url timeout | serverip ip_address | disable | enable}

Syntax Description

global

Configures the global port and secret to retrieve the TACACS IP information from a DNS server.

port

Port number for authentication. The range is from 1 to 65535. All the DNS servers should use the same authentication port.

ascii

Format of the shared secret that you should set to ASCII.

hex

Format of the shared secret that you should set to hexadecimal.

secret

TACACS server login secret.

query

Configures the fully qualified domain name (FQDN) of the TACACS server and DNS timeout.

url

FQDN of the TACACS server. The FQDN can be up to 63 case-sensitive, alphanumeric characters.

timeout

Maximum time that the Cisco Wireless LAN Controller (WLC) waits for, in days, before timing out a request and resending it. The range is from 1 to 180.

serverip

Configures the DNS server IP address.

ip_address

DNS server IP address.

disable

Disables the TACACS DNS feature. The default is disabled.

enable

Enables the Cisco WLC to retrieve the TACACS IP information from a DNS server.

Command Default

You cannot retrieve the TACACS IP information from a DNS server.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

The accounting port is derived from the authentication port. All the DNS servers should use the same secret. When you enable a DNS query, the static configurations will be overridden. The DNS list overrides the static AAA list.

Examples

The following example shows how to enable the TACACS DNS feature on the Cisco WLC:

(Cisco Controller) > config tacacs dns enable

config tacacs fallback-test interval

To configure TACACS+ probing interval, use the config tacacs fallback-test interval command.

config tacacs fallback-test interval { seconds }

Syntax Description

seconds

TACACS+ probing interval in seconds. Disable is 0, Range from 180 to 3600 seconds.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure TACACS+ probing interval:


(Cisco Controller) >  config tacacs fallback-test interval 200

config wlan radius_server realm

To configure realm on a WLAN, use the config wlan radius_server realm command.

config wlan radius_serverrealm{ enable | disable} wlan-id

Syntax Description

radius_server

Radius server index. The range is from 1 to 17.

enable

Enable realm on a WLAN.

disable

Disable realm on a WLAN.

wlan-id

WLAN ID. The range is from 1 to 512.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable realm on a WLAN:

(Cisco Controller) > config wlan 2 realm enable 50

config wlan security eap-params

To configure local EAP timers on a WLAN, use the config wlan security eap-params command.

config wlan security eap-params{ { enable| disbale} | eapol-key-timeouttimeout| eap-key-retries retries | identity-request-timeout timeout | identity-request-retries retries | request-timeout timeout | request-retries retries} wlan_id

Syntax Description

{enable |disable }

Specifies to enable or disable SSID specific EAP timeouts or retries. The default value is disabled.

eapol-key-timeout timeout

Specifies the amount of time (200 to 5000 milliseconds) that the controller attempts to send an EAP key over the WLAN to wireless clients using local EAP. The valid range is 200 to 5000 milliseconds.

The default value is 1000 milliseconds.

eapol-key-retries retries

Specifies the maximum number of times (0 to 4 retries) that the controller attempts to send an EAP key over the WLAN to wireless clients using local EAP.

The default value is 2.

identity-request-
timeout timeout

Specifies the amount of time (1 to 120 seconds) that the controller attempts to send an EAP identity request to wireless clients within WLAN using local EAP.

The default value is 30 seconds.

identity-request-retries retries

Specifies the maximum number of times (0 to 4 retries) that the controller attempts to retransmit the EAP identity request to wireless clients within WLAN using local EAP.

The default value is 2.

request-timeout

Specifies the amount of time (1 to 120 seconds) in which the controller attempts to send an EAP parameter request to wireless clients within WLAN using local EAP.

The default value is 30 seconds.

request-retriesretries

Specifies the maximum number of times (0 to 20 retries) that the controller attempts to retransmit the EAP parameter request to wireless clients within WLAN using local EAP.

The default value is 2.

wlan-id

WLAN identification number.

Command Default

The default EAPOL key timeout is 1000 milliseconds.

The default for EAPOL key retries is 2.

The default identity request timeout is 30 seconds.

The default identity request retries is 2.

The default request timeout is 30 seconds.

The default request retries is 2.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable SSID specific EAP parameters on a WLAN:


(Cisco Controller) > config wlan security eap-params enable 4

The following example shows how to set EAPOL key timeout parameter on a WLAN:


(Cisco Controller) > config wlan security eap-params eapol-key-retries 4

The following example shows how to set EAPOL key retries on a WLAN:

(Cisco Controller) > config wlan security eap-params eapol-key-retries 4

clear Commands

This section lists the clear commands to clear existing security configurations of the controller.

clear radius acct statistics

To clear the RADIUS accounting statistics on the controller, use the clear radius acc statistics command.

clear radius acct statistics [ index | all]

Syntax Description

index

(Optional) Specifies the index of the RADIUS accounting server.

all

(Optional) Specifies all RADIUS accounting servers.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to clear the RADIUS accounting statistics:


(Cisco Controller) >clear radius acc statistics

Related Commands

show radius acct statistics

clear tacacs auth statistics

To clear the RADIUS authentication server statistics in the controller, use the clear tacacs auth statistics command.

clear tacacs auth statistics [ index | all]

Syntax Description

index

(Optional) Specifies the index of the RADIUS authentication server.

all

(Optional) Specifies all RADIUS authentication servers.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to clear the RADIUS authentication server statistics:


(Cisco Controller) >clear tacacs auth statistics

Related Commands

show tacacs auth statistics

show tacacs summary

config tacacs auth

clear stats local-auth

To clear the local Extensible Authentication Protocol (EAP) statistics, use the clear stats local-auth command.

clear stats local-auth

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to clear the local EAP statistics:


(Cisco Controller) >clear stats local-auth
Local EAP Authentication Stats Cleared.

Related Commands

config local-auth active-timeout

config local-auth eap-profile

config local-auth method fast

config local-auth user-credentials

debug aaa local-auth

show local-auth certificates

show local-auth config

show local-auth statistics

clear stats radius

To clear the statistics for one or more RADIUS servers, use the clear stats radius command.

clear stats radius { auth | acct} { index | all}

Syntax Description

auth

Clears statistics regarding authentication.

acct

Clears statistics regarding accounting.

index

Specifies the index number of the RADIUS server to be cleared.

all

Clears statistics for all RADIUS servers.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to clear the statistics for all RADIUS authentication servers:


(Cisco Controller) >clear stats radius auth all

Related Commands

clear transfer


clear download datatype


clear download filename


clear download mode

clear download serverip


clear download start

clear upload datatype


clear upload filename


clear upload mode


clear upload path


clear upload serverip


clear upload start


clear stats port

clear stats tacacs

To clear the TACACS+ server statistics on the controller, use the clear stats tacacs command.

clear stats tacacs [ auth | athr | acct] [ index | all]

Syntax Description

auth

(Optional) Clears the TACACS+ authentication server statistics.

athr

(Optional) Clears the TACACS+ authorization server statistics.

acct

(Optional) Clears the TACACS+ accounting server statistics.

index

(Optional) Specifies index of the TACACS+ server.

all

(Optional) Specifies all TACACS+ servers.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to clear the TACACS+ accounting server statistics for index 1:


(Cisco Controller) >clear stats tacacs acct 1

Related Commands

show tacacs summary

debug Commands

This section lists the debug commands to manage debugging of security settings of the controller.


Caution


Debug commands are reserved for use only under the direction of Cisco personnel. Do not use these commands without direction from Cisco-certified staff.


debug 11w-pmf

To configure the debugging of 802.11w, use the debug 11w-pmf command.

debug 11w-pmf { all | events| keys} { enable | disable}

Syntax Description

all

Configures the debugging of all 802.11w messages.

keys

Configures the debugging of 802.11w keys.

events

Configures the debugging of 802.11w events.

enable

Enables the debugging of 802.1w options.

disable

Disables the debugging of 802.1w options.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the debugging of 802.11w keys:

(Cisco Controller) >debug 11w-pmf keys enable

debug aaa

To configure the debugging of AAA settings, use the debug aaa command.

debug aaa {[ all | detail | events | packet | local-auth | tacacs] [ enable | disable]}

Syntax Description

all

(Optional) Configures the debugging of all AAA messages.

avp-xml

(Optional) Configures debug of AAA Avp xml events.

detail

(Optional) Configures the debugging of AAA errors.

events

(Optional) Configures the debugging of AAA events.

packet

(Optional) Configures the debugging of AAA packets.

local-auth

(Optional) Configures the debugging of the AAA local Extensible Authentication Protocol (EAP) events.

tacacs

(Optional) Configures the debugging of the AAA TACACS+ events.

enable

(Optional) Enables the debugging.

disable

(Optional) Disables the debugging.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.
8.6

The command is enhanced with new keyword. The new keyword is avp-xml.

Related Commands

debug aaa local-auth eap

show running-config

debug aaa events

To configure the debugging related to DNS-based ACLs, use the debug aaa events enable command.

debug aaa events enable

Syntax Description

events

Configures the debugging of DNS-based ACLs.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the debugging for DNS-based ACLs:

(Cisco Controller) > debug aaa events enble

debug aaa local-auth

To configure the debugging of AAA local authentication on the Cisco WLC, use the debug aaa local-auth command.

debug aaa local-auth { db | shim | eap { framework | method} { all | errors | events | packets | sm}} { enable | disable}

Syntax Description

db

Configures the debugging of the AAA local authentication back-end messages and events.

shim

Configures the debugging of the AAA local authentication shim layer events.

eap

Configures the debugging of the AAA local Extensible Authentication Protocol (EAP) authentication.

framework

Configures the debugging of the local EAP framework.

method

Configures the debugging of local EAP methods.

all

Configures the debugging of local EAP messages.

errors

Configures the debugging of local EAP errors.

events

Configures the debugging of local EAP events.

packets

Configures the debugging of local EAP packets.

sm

Configures the debugging of the local EAP state machine.

enable

Starts the debugging.

disable

Stops the debugging.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the debugging of the AAA local EAP authentication:


(Cisco Controller) > debug aaa local-auth eap method all enable

Related Commands

clear stats local-auth

config local-auth active-timeout

config local-auth eap-profile

config local-auth method fast

config local-auth user-credentials

show local-auth certificates

show local-auth config

show local-auth statistics

debug bcast

To configure the debugging of broadcast options, use the debug bcast command.

debug bcast { all | error | message | igmp | detail} { enable | disable}

Syntax Description

all

Configures the debugging of all broadcast logs.

error

Configures the debugging of broadcast errors.

message

Configures the debugging of broadcast messages.

igmp

Configures the debugging of broadcast IGMP messages.

detail

Configures the debugging of broadcast detailed messages.

enable

Enables the broadcast debugging.

disable

Disables the broadcast debugging.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the debugging of broadcast messages:


(Cisco Controller) > debug bcast message enable

The following example shows how to disable the debugging of broadcast mesages:


(Cisco Controller) > debug bcast message disable

Related Commands

debug disable-all

show sysinfo

debug cckm

To configure the debugging of the Cisco Centralized Key Management options, use the debug cckm

debug cckm { client | detailed} { enable| disable}

Syntax Description

client

Configures debugging of the Cisco Centralized Key Management of clients.

detailed

Configures detailed debugging of Cisco Centralized Key Management.

enable

Enables debugging of Cisco Centralized Key Management.

disable

Disables debugging of Cisco Centralized Key Management.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable detailed debugging of Cisco Centralized Key Management:

(Cisco Controller) > debug cckm detailed enable

debug client

To configure the debugging for a specific client, use the debug client command.

debug client mac_address

Syntax Description

mac_address

MAC address of the client.

Command Default

None

Usage Guidelines

After entering the debug client mac_address command, if you enter the debug aaa events enable command, then the AAA events logs are displayed for that particular client MAC address.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to debug a specific client:


(Cisco Controller) > debug client 01:35:6x:yy:21:00

debug dns

To configure debugging of Domain Name System (DNS) options, use the debug dns command.

debug dns { all | detail | error | message} { enable | disable}

Syntax Description

all

Configures debugging of all the DNS options.

detail

Configures debugging of the DNS details.

error

Configures debugging of the DNS errors.

message

Configures debugging of the DNS messages.

enable

Enables debugging of the DNS options.

disable

Disables debugging of the DNS options.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable DNS error debugging:

 (Cisco Controller) > debug dns error enable

debug dot1x

To configure debugging of the 802.1X options, use the debug dot1x command.

debug dot1x { aaa | all | events | packets | states} { enable | disable}

Syntax Description

aaa

Configures debugging of the 802.1X AAA interactions.

all

Configures debugging of all the 802.1X messages.

events

Configures debugging of the 802.1X events.

packets

Configures debugging of the 802.1X packets.

states

Configures debugging of the 802.1X state transitions.

enable

Enables debugging of the 802.1X options.

disable

Disables debugging of the 802.1X options.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable 802.1X state transitions debugging:

(Cisco Controller) > debug dot1x states enable

debug dtls

To configure debugging of the Datagram Transport Layer Security (DTLS) options, use the debug dtls command.

debug dtls { all | event | packet | trace} { enable | disable}

Syntax Description

all

Configures debugging of all the DTLS messages.

event

Configures debugging of the DTLS events.

packet

Configures debugging of the DTLS packets.

trace

Configures debugging of the DTLS trace messages.

enable

Enables debugging of the DTLS options.

disable

Disables debugging of the DTLS options.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

The debug actions described here are used in conjunction with CAPWAP troubleshooting.

Examples

The following example shows how to enable DTLS packet debugging:

(Cisco Controller) > debug dtls packet enable

debug pm

To configure the debugging of the security policy manager module, use the debug pm command.

debug pm { all disable | { config | hwcrypto | ikemsg | init | list | message | pki | rng | rules | 
 sa-export | sa-import | ssh-l2tp | ssh-appgw | ssh-engine | ssh-int | ssh-pmgr | ssh-ppp | ssh-tcp} { enable | disable}}

Syntax Description

all disable

Disables all debugging in the policy manager module.

config

Configures the debugging of the policy manager configuration.

hwcrypto

Configures the debugging of hardware offload events.

ikemsg

Configures the debugging of Internet Key Exchange (IKE) messages.

init

Configures the debugging of policy manager initialization events.

list

Configures the debugging of policy manager list mgmt.

message

Configures the debugging of policy manager message queue events.

pki

Configures the debugging of Public Key Infrastructure (PKI) related events.

rng

Configures the debugging of random number generation.

rules

Configures the debugging of Layer 3 policy events.

sa-export

Configures the debugging of SA export (mobility).

sa-import

Configures the debugging of SA import (mobility).

ssh-l2tp

Configures the debugging of policy manager Layer 2 Tunneling Protocol (l2TP) handling.

ssh-appgw

Configures the debugging of application gateways.

ssh-engine

Configures the debugging of the policy manager engine.

ssh-int

Configures the debugging of the policy manager intercepter.

ssh-pmgr

Configures the debugging of the policy manager.

ssh-ppp

Configures the debugging of policy manager Point To Point Protocol (PPP) handling.

ssh-tcp

Configures the debugging of policy manager TCP handling.

enable

Enables the debugging.

disable

Disables the debugging.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the debugging of PKI-related events:


(Cisco Controller) > debug pm pki enable

Related Commands

debug disable-all

debug web-auth

To configure debugging of web-authenticated clients, use the debug web-auth command.

debug web-auth { redirect{ enable mac mac_address | disable} | webportal-server { enable | disable}}

Syntax Description

redirect

Configures debugging of web-authenticated and redirected clients.

enable

Enables the debugging of web-authenticated clients.

mac

Configures the MAC address of the web-authenticated client.

mac_address

MAC address of the web-authenticated client.

disable

Disables the debugging of web-authenticated clients.

webportal-server

Configures the debugging of portal authentication of clients.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the debugging of a web authenticated and redirected client:

(Cisco Controller) > debug web-auth redirect enable mac xx:xx:xx:xx:xx:xx